Ransomware recovery endless loading

[boina]

Hello all and thank you very much for app!!!

The issue that I have is that wen I go the Ransomware tab it appears as loading (or scanning maybe) all the time. I include a screenshot of it. The same happens if I click on scan.

I'm using nextcloud 16.0.0 in a raspberry pi running and up to date archlinux install.

Thanks a lot, José.

[ilovemilk]

Hi José
thanks for reporting your issue.
I will try to reproduce your problems in the next days. Are there any error messages in the Nextcloud logs?

Best regards
Matthias

[boina]

Hi José
thanks for reporting your issue.
I will try to reproduce your problems in the next days. Are there any error messages in the Nextcloud logs?

Best regards
Matthias

Hello Matthias,

Here there is more information on the system:

OS: Archlinux
System: Raspberry pi 3
nextcloud: 16.0.0.9
php: 7.3.5

Database:
Type: mysql
Version: 10.3.14
Size: 330,3 MB

and this is the error log that I could trace related to the ransomware protection app as seen in the administrator page.
nextcloud_ransomware.txt

Regards, José.

[ilovemilk]

Hi José

I tried my best to reproduce your issue with my Raspberry Pi Zero but I couldn't.

Can you post the web developer console logs? You can get them if you go to your Ransomware recovery app and press F12 in your browser. Maybe this can clarify the problems.

Best regards
Matthias

[pixelplumber]

Hello, I have hit the same symptoms on two different univention installs of nextcloud. Their NC Version is 15.0.8, Ransomware Protection Version 0.5.2

In the console when loading the ransomware recovery page from the top menu the error console has 404:

The requested URL /ocs/v2.php/apps/ransomware_detection/api/v1/get-debug-mode was not found on this server.

In the network requests tab the call to https:///nextcloud/apps/files/ then seems to hang indefinitely in a waiting state while the spinner rotates onscreen as in the first screenshot.

[ilovemilk]

Hi pixelplumber

Thanks alot for the additional information this helps tracking the error down!
I will try to fix this in the next few days.

Matthias

[TomW80]

Hello,

I have the same problem.
I'm using Nextcloud 16.0.3 on a Synology NAS.
Is there already a fix for it?

Tom

[ilovemilk]

Hi,

I hadn't much time to investigate the problem because we are reworking the whole app to use machine learning for a better detection rate.

Something came to my mind today: How many file operations do you have in your database?
You can check with SELECT COUNT (*dbprefix*ransomware_detection) FROM *dbname*; where you replace dbprefix and dbname with accordingly to you setup.

Thanks!

[TomW80]

Hello ilovemilk,

The check with SELECT COUNT(*) FROM oc_ransomware_detection gives 655 entries.

Tom

[loxK]

I have the same issue seems related to scripts not loading. Every other app I use have no issue at all. Most javascripts are showing as blocked in the browser console.

[sualko]

@loxK can you post a screenshot of your js console? Is there a error message regarding those blocked scripts?

[loxK]

There isn't much

[TomW80]

I see in Firefox 69.0.1 this:

Content Security Policy: Die Einstellungen der Seite haben das Laden einer Ressource auf inline blockiert ("script-src").

[pmetras]

Similar problem here with NextCloud 16.

In Firefox (linux) console:

In Chromium (linux) console:

[ilovemilk]

I think I have figured out the problem but I will have to confirm it first. I think the problem is that the app collects to much data and doesn't remove any data by itself without interaction of the user. This results to a large database table and the view can't list all the data because of a missing pagination.

I will try to produce a large database but if somebody of you could just drop the content of the table oc_ransomware_detection and check if it's working again that would be great! :) Attention after dropping the content you will loose the all the results.

[pmetras]

I dropped the oc_ransomware_detection table content and accessed the page but I've still the same problem with the spinning icon and Content Security Policy: The page’s settings blocked the loading of a resource at inline (“script-src”). error in the console:

[e-alfred]

It seems like there are two separate issues at hand:

• The app needs to modify CSP settings (see https://docs.nextcloud.com/server/15/developer_manual/api/OCP/AppFramework/Http/ContentSecurityPolicy.html?highlight=allow%20unsafe%20eval)

• The app needs to be able to process huge amounts of files (some instances have a lot of files which will reult in a huge table size)

[loxK]

@ilovemilk why closing the issue is still there in lastest version

[ilovemilk]

There will be a new release in the next week with a complete rework of the App. The frontend is now implemented with VueJs instead of JQuery with a complete new UX design. The app internally is reworked to be more structured and uses an OpenAPI REST interface.

So this problem will be resolved with the new release. I just need some time to write some FAQ and app description to tackle some other issues, finish the build process and test the application with real malware samples.

I you want I can reopen the issue until the new release is out! :)

[ilovemilk]

I just release a new version and I hope this solves the problem! :)

[loxK]

Thanks heaps! It is fixed for me, first time seeing that app running! [happy dance]

[ilovemilk]

I really happy this is solved after such long time! :) I'm closing this for now.

[TomW80]

Hello,

Unfortunately, the problem still exists with me.
I am using Nextcloud 18.0.6 on a Synology NAS

I see the following error:

Uninitialized string offset: 0 at /volume1/web/nextcloud/lib/private/Files/Node/Node.php#307
Undefined index: dirname at /volume1/web/nextcloud/apps/ransomware_detection/lib/Monitor.php#260

[ilovemilk]

Thanks for the report.

This concrete error should help :)

[ilovemilk]

It looks like you create a directory which doesn't have path? Can you tell what you are doing? What directory you are creating?

[TomW80]

I have seen the following error, but the other error message of the ransomware has been coming for some time.

[ransomware_detection] Fatal: File Not Found /Backup/ProgramData/Mein Büro/Dokumente/1/Artikel/Art.Nr 11303

DELETE /nextcloud/remote.php/dav/files/*/Backup/ProgramData/Mein%20B%C3%BCro/Dokumente/1/Artikel/Art.Nr%2011303
from 192.168.. by *** at 2020-12-09T22:33:18+00:00

[ilovemilk]

Thanks I try to recreate the scenario! :)

[ilovemilk]

So I tried to recreate the problems:

Uninitialized string offset: 0 at /volume1/web/nextcloud/lib/private/Files/Node/Node.php#307
Undefined index: dirname at /volume1/web/nextcloud/apps/ransomware_detection/lib/Monitor.php#260

The path you mentioned I your comment doesn't relate to this issue. This can only pop up if the path is empty so I will add a check for this and improve the debug output! :)

[ransomware_detection] Fatal: File Not Found /Backup/ProgramData/Mein Büro/Dokumente/1/Artikel/Art.Nr 11303

DELETE /nextcloud/remote.php/dav/files/*/Backup/ProgramData/Mein%20B%C3%BCro/Dokumente/1/Artikel/Art.Nr%2011303
from 192.168.. by *** at 2020-12-09T22:33:18+00:00

Can you confirm that the file exist?

[TomW80]

The file or folder is created shortly and then deleted again immediately.

[jefferyyjhsu]

I am also seeing similar issue even updating to NC 20.0.4.
The app list on the server.

/usr/bin/php /config/www/nextcloud/occ app:list
Enabled:

• accessibility: 1.6.0
• activity: 2.13.4
• bruteforcesettings: 2.0.1
• cloud_federation_api: 1.3.0
• comments: 1.10.0
• contactsinteraction: 1.1.0
• dashboard: 7.0.0
• dav: 1.16.2
• federatedfilesharing: 1.10.2
• federation: 1.10.1
• files: 1.15.0
• files_external: 1.11.1
• files_pdfviewer: 2.0.1
• files_rightclick: 0.17.0
• files_sharing: 1.12.1
• files_trashbin: 1.10.1
• files_versions: 1.13.0
• files_videoplayer: 1.9.0
• firstrunwizard: 2.9.0
• keeweb: 0.6.4
• logreader: 2.5.0
• lookup_server_connector: 1.8.0
• nextcloud_announcements: 1.9.0
• notifications: 2.8.0
• oauth2: 1.8.0
• password_policy: 1.10.1
• photos: 1.2.1
• previewgenerator: 3.1.0
• privacy: 1.4.0
• provisioning_api: 1.10.0
• ransomware_detection: 0.10.0
• ransomware_protection: 1.8.0
• recommendations: 0.8.0
• serverinfo: 1.10.0
• settings: 1.2.0
• sharebymail: 1.10.0
• support: 1.3.0
• survey_client: 1.8.0
• suspicious_login: 3.2.1
• systemtags: 1.10.0
• text: 3.1.0
• theming: 1.11.0
• twofactor_backupcodes: 1.9.0
• twofactor_totp: 5.0.0
• unsplash: 1.1.7
• updatenotification: 1.10.0
• user_status: 1.0.1
• viewer: 1.4.0
• weather_status: 1.0.0
• workflowengine: 2.2.0
  Disabled:
• admin_audit
• encryption
• files_external_gdrive
• user_ldap

When I click on the Ransomware Detection on top, it will only show a spinning circle and then the current page will be reloaded.

Is my situation related to this ticket?

Thanks!

One side question, when I try to run app code check I get the following errors.

/usr/bin/php /config/www/nextcloud/occ app:check-code ransomware_detection
An unhandled exception has been thrown:
Error: Undefined constant 'T_DOUBLE_COLON' in /config/www/nextcloud/3rdparty/nikic/php-parser/lib/PhpParser/Lexer.php:385
Stack trace:
#0 /config/www/nextcloud/3rdparty/nikic/php-parser/lib/PhpParser/Lexer.php(38): PhpParser\Lexer->createTokenMap()
#1 /config/www/nextcloud/3rdparty/nikic/php-parser/lib/PhpParser/Lexer/Emulative.php(39): PhpParser\Lexer->__construct(Array)
#2 /config/www/nextcloud/3rdparty/nikic/php-parser/lib/PhpParser/ParserFactory.php(23): PhpParser\Lexer\Emulative->__construct()
#3 /config/www/nextcloud/lib/private/App/CodeChecker/CodeChecker.php(60): PhpParser\ParserFactory->create(3)
#4 /config/www/nextcloud/core/Command/App/CheckCode.php(95): OC\App\CodeChecker\CodeChecker->__construct(Object(OC\App\CodeChecker\StrongComparisonCheck), true)
#5 /config/www/nextcloud/3rdparty/symfony/console/Command/Command.php(255): OC\Core\Command\App\CheckCode->execute(Object(Symfony\Component\Console\Input\ArgvInput), Object(Symfony\Component\Console\Output\ConsoleOutput))
#6 /config/www/nextcloud/3rdparty/symfony/console/Application.php(1000): Symfony\Component\Console\Command\Command->run(Object(Symfony\Component\Console\Input\ArgvInput), Object(Symfony\Component\Console\Output\ConsoleOutput))
#7 /config/www/nextcloud/3rdparty/symfony/console/Application.php(271): Symfony\Component\Console\Application->doRunCommand(Object(OC\Core\Command\App\CheckCode), Object(Symfony\Component\Console\Input\ArgvInput), Object(Symfony\Component\Console\Output\ConsoleOutput))
#8 /config/www/nextcloud/3rdparty/symfony/console/Application.php(147): Symfony\Component\Console\Application->doRun(Object(Symfony\Component\Console\Input\ArgvInput), Object(Symfony\Component\Console\Output\ConsoleOutput))
#9 /config/www/nextcloud/lib/private/Console/Application.php(215): Symfony\Component\Console\Application->run(Object(Symfony\Component\Console\Input\ArgvInput), Object(Symfony\Component\Console\Output\ConsoleOutput))
#10 /config/www/nextcloud/console.php(100): OC\Console\Application->run()
#11 /config/www/nextcloud/occ(11): require_once('/config/www/nex...')
#12 {main}

[ilovemilk]

Hey thanks for reporting. The app in version 0.10.0 is just a empty application with no functionality. This due to a critical bug in the recovery for the safety of the users until it's fixed. I recommand disabling the app until a bugfix is released! :)

For more information see #56.