Cisco-Talos / clamav

ClamAV - Documentation is here: https://docs.clamav.net
https://www.clamav.net/
GNU General Public License v2.0

PUA Exclusions option does not work when multiple categories are provided #1299

Open luborpetr opened 3 months ago

luborpetr commented 3 months ago

Problem

I am using clamdscan --multiscan to scan our infrastructure with the DetectPUA flag enabled. Recently, we've encountered several false positives for Potentially Unwanted Applications (PUAs) in the Win category. To address this, I added ExcludePUA Win to clamd.conf. However, it appears that this option is being ignored, as the scan continues to flag certain files as PUAs.

Wed Jul  3 09:47:10 2024 -> /var/log/appx/684220/audit_logs_2024-06-06.log.gz: PUA.Win.Exploit.CVE_2012_1461-1 FOUND

Also when I try to run clamscan like below, the scanner is ignoring exclusions unless there is only one category set

clamscan --detect-pua=yes --exclude-pua=Win --exclude-pua=NetTool /var/log/appx/684220/audit_logs_2024-06-06.log.gz
Loading:    22s, ETA:   0s [========================>]    8.71M/8.71M sigs       
Compiling:   5s, ETA:   0s [========================>]       41/41 tasks 

/var/log/appx/684220/audit_logs_2024-06-06.log.gz: PUA.Win.Exploit.CVE_2012_1461-1 FOUND

I also tried:

clamscan --detect-pua=yes --exclude-pua=Win,NetTool  /var/log/appx/684220/audit_logs_2024-06-06.log.gz
Loading:    21s, ETA:   0s [========================>]    8.71M/8.71M sigs       
Compiling:   6s, ETA:   0s [========================>]       41/41 tasks 

/var/log/appx/684220/audit_logs_2024-06-06.log.gz: PUA.Win.Exploit.CVE_2012_1461-1 FOUND

It works fine if only one PUA category is set:

clamscan --detect-pua=yes --exclude-pua=Win /var/log/appx/684220/audit_logs_2024-06-06.log.gz
Loading:    20s, ETA:   0s [========================>]    8.70M/8.70M sigs       
Compiling:   5s, ETA:   0s [========================>]       41/41 tasks 

/var/log/appx/684220/audit_logs_2024-06-06.log.gz: OK

Configuration

Runtime environment

Clamd options

Config file: clamd.conf
-----------------------
LogFile = "/logs/clamav.log"
LogTime = "yes"
PidFile = "/run/clamd.pid"
TemporaryDirectory = "/tmp"
DatabaseDirectory = "/data"
LocalSocket = "/tmp/clamd.sock"
TCPSocket = "3310"
ExcludePath = "^/host-fs/dev", "^/host-fs/sys", "^/host-fs/var/lib/docker", "^/proc", "^/dev", "^/sys", "^/host-fs/proc", "^/host-fs/var/lib/containerd", "^/host-fs/run/containerd", "^/host-fs/home/kubernetes/containerized_mounter/rootfs", "^/host-fs/var/lib/kubelet/", "^/host-fs/var/log/containers", "^/host-fs/var/log/pods", "^/host-fs/run/docker/", "/fstab~cifs/", "^/host-fs/mnt/stateful_partition/"
MaxDirectoryRecursion = "20"
Foreground = "yes"
DetectPUA = "yes"
ExcludePUA = "NetTool", "PWTool", "Win"
!!! MaxScanSize: UNKNOWN INTERNAL TYPE !!!
MaxFileSize = "31457280"
MaxRecursion = "10"
MaxFiles = "15000"
MaxEmbeddedPE = "10485760"
MaxHTMLNormalize = "10485760"
MaxHTMLNoTags = "2097152"
MaxScriptNormalize = "5242880"
MaxPartitions = "128"
MaxIconsPE = "200"
PCREMatchLimit = "10000"
PCRERecMatchLimit = "10000"
DisableCertCheck = "yes"

Config file: freshclam.conf
---------------------------
LogTime = "yes"
LogSyslog = "yes"
LogVerbose = "yes"
PidFile = "/tmp/freshclam.pid"
DatabaseDirectory = "/data"
UpdateLogFile = "/proc/1/fd/1"
DatabaseOwner = "root"
DatabaseMirror = "database.clamav.net"
HTTPProxyServer = "dc-proxy-balancer-haproxy.proxy.svc.cluster.local"
HTTPProxyPort = "3128"

clamav-milter.conf not found

Software settings
-----------------
Version: 1.2.2
Optional features supported: MEMPOOL AUTOIT_EA06 BZIP2 LIBXML2 PCRE2 ICONV JSON RAR 

Database information
--------------------
Database directory: /data
main.cvd: version 62, sigs: 6647427, built on Thu Sep 16 12:32:42 2021
bytecode.cvd: version 335, sigs: 86, built on Tue Feb 27 15:37:24 2024
daily.cld: version 27324, sigs: 2063752, built on Tue Jul  2 08:40:44 2024
Total number of signatures: 8711265
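As an added workaround example (written for this page, not ClamAV's code and not posted by the reporter): a post-processing filter that suppresses scanner hits by the category in the PUA signature name, accepting the excluded categories in both forms tried above (repeated values and one comma-separated list). It assumes the "<path>: <signature> FOUND" output format shown in the report; the sample signature names other than the reported one are constructed.

```python
import re

# clamscan/clamdscan report a hit as "<path>: <signature> FOUND"; clamdscan with
# LogTime prefixes "<timestamp> -> ", as in the report above.
HIT_RE = re.compile(r"^(?:.*? -> )?(?P<path>.+?): (?P<sig>\S+) FOUND$")
# PUA signature names have the form PUA.<Category>.<Rest>
PUA_RE = re.compile(r"^PUA\.([^.]+)\.")

def parse_exclude_pua(values):
    """Accept categories as 'Win,NetTool' or as separate values ['Win', 'NetTool']
    and return one lower-cased set (this example compares case-insensitively)."""
    cats = set()
    for value in values:
        for cat in value.split(","):
            if cat.strip():
                cats.add(cat.strip().lower())
    return cats

def pua_category(sig):
    """Return the PUA category of a signature name, or None for non-PUA signatures."""
    m = PUA_RE.match(sig)
    return m.group(1) if m else None

def filter_hits(lines, excluded):
    """Split scanner output into (kept, suppressed) lists of (path, signature).
    Only PUA hits whose category is in `excluded` are suppressed; malware hits
    and PUA hits of other categories are always kept."""
    kept, suppressed = [], []
    for line in lines:
        m = HIT_RE.match(line.rstrip("\n"))
        if not m:
            continue  # skips "OK" lines, progress bars and the summary
        path, sig = m.group("path"), m.group("sig")
        cat = pua_category(sig)
        if cat is not None and cat.lower() in excluded:
            suppressed.append((path, sig))
        else:
            kept.append((path, sig))
    return kept, suppressed

# Constructed sample output: the first line is the hit from the report above; the
# other signature names are made up for illustration and are not real ClamAV names.
SAMPLE_OUTPUT = [
    "Wed Jul  3 09:47:10 2024 -> /var/log/appx/684220/audit_logs_2024-06-06.log.gz: PUA.Win.Exploit.CVE_2012_1461-1 FOUND",
    "/srv/tools/portscan.exe: PUA.NetTool.Example-1 FOUND",
    "/home/user/invoice.pdf: Pdf.Example.Dropper-1 FOUND",
    "/etc/hosts: OK",
]
```

Feeding clamdscan output through `filter_hits` with the same category list as `ExcludePUA` drops only the PUA hits of those categories, so non-PUA detections are never hidden by the workaround.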