Cisco-Talos / clamav

ClamAV - Documentation is here: https://docs.clamav.net
https://www.clamav.net/
GNU General Public License v2.0

False negative due to container cache bug #1221

Open elceef opened 7 months ago

elceef commented 7 months ago

Describe the bug

Logical signatures that have conditions on a Container type or Intermediates types may not match if the target file is processed (normalized, extracted additional data) and scanned outside of the container first, and cached as clean.

How to reproduce the problem

$ sudo clamdscan -V
ClamAV 1.0.5

With the following proof-of-concept signatures matching string <input inside container:

HtmlContainerTestSig;Engine:81-255,Container:CL_TYPE_ZIP,Target:3;0;3c696e70757420
#HtmlIntermediatesTestSig;Engine:81-255,Intermediates:CL_TYPE_ZIP,Target:3;0;3c696e70757420

The ZIP archive can no longer be detected after the HTML file has been scanned on its own and cached as clean.

$ cat sample.html 
<html>
<body>
<input type="password" />
</body>
</html>
$ zip sample.zip sample.html
  adding: sample.html (deflated 18%)
$ sudo clamdscan --fdpass /tmp/sample.zip --no-summary
/tmp/sample.zip: HtmlContainerTestSig.UNOFFICIAL FOUND
$ sudo clamdscan --fdpass /tmp/sample.html --no-summary
/tmp/sample.html: OK
$ sudo clamdscan --fdpass /tmp/sample.zip --no-summary
/tmp/sample.zip: OK

Attachments

Attaching samples and logical signatures demonstrated above for convenience. files.zip
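The cache interaction described in this report, as an added toy model that is not ClamAV's code: a clean-file cache keyed only by content hash reuses the standalone "clean" verdict when the same HTML is later seen inside a ZIP, so the container-conditional signature is never evaluated; keying the cache on the container context as well avoids the false negative. The Scanner class, the reproduce helper and the sample HTML are constructed for illustration.

```python
import hashlib

# Constructed toy model (not ClamAV's implementation). A signature requires
# both a byte pattern AND a container type, mirroring the PoC signature
# HtmlContainerTestSig (3c696e70757420 is the hex of "<input ").
SIGNATURES = {
    "HtmlContainerTestSig": ("CL_TYPE_ZIP", bytes.fromhex("3c696e70757420")),
}

def sigs_match(data, container):
    """Return the names of signatures whose pattern and container both match."""
    return [name for name, (ctype, pat) in SIGNATURES.items()
            if ctype == container and pat in data]

class Scanner:
    def __init__(self, context_aware_cache):
        self.clean = set()                       # cache of "known clean" keys
        self.context_aware = context_aware_cache

    def _key(self, data, container):
        h = hashlib.sha256(data).hexdigest()
        # Buggy mode: key by content hash only, so the container is forgotten.
        # Fixed mode: the container type is part of the cache key.
        return (h, container) if self.context_aware else h

    def scan_file(self, data, container=None):
        key = self._key(data, container)
        if key in self.clean:
            return []                            # cached verdict reused as-is
        hits = sigs_match(data, container)
        if not hits:
            self.clean.add(key)                  # only clean results are cached
        return hits

    def scan_zip(self, members):
        """Scan each extracted member with the ZIP as its container."""
        hits = []
        for data in members:
            hits += self.scan_file(data, container="CL_TYPE_ZIP")
        return hits

# Constructed sample equivalent to sample.html in the report
HTML = b'<html>\n<body>\n<input type="password" />\n</body>\n</html>\n'

def reproduce(context_aware_cache):
    """Replay the three scans from the report; returns (first zip, second zip)."""
    s = Scanner(context_aware_cache)
    first = s.scan_zip([HTML])                   # detected
    s.scan_file(HTML)                            # standalone HTML: clean, cached
    second = s.scan_zip([HTML])                  # buggy mode: cache hit, missed
    return first, second
```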