Cisco-Talos / clamav

ClamAV - Documentation is here: https://docs.clamav.net
https://www.clamav.net/
GNU General Public License v2.0

File Marked as False Positive Continues Reporting As Infected #219

Open byronmccollum opened 3 years ago

byronmccollum commented 3 years ago

Describe the bug

I have two files that are false positives, both have been added to the false positives list, but one continues to report as infected. The file in question can be found here.

How to reproduce the problem

~ # cat /data/false-positives.fp 
de66275016ef3ab8f3c47d173e0f9b1c:15526:933160.yaml
52d2eb410de1c9e0758ef562289289fa:1894:imurmurhash.min.js

~ # md5sum *
de66275016ef3ab8f3c47d173e0f9b1c  933160.yaml
52d2eb410de1c9e0758ef562289289fa  imurmurhash.min.js

~ # clamdscan --fdpass *
/root/933160.yaml: PUA.Win.Tool.Packed-186 FOUND
/root/imurmurhash.min.js: OK

----------- SCAN SUMMARY -----------
Infected files: 1
Time: 0.009 sec (0 m 0 s)
Start Date: 2021:07:21 16:05:23
End Date:   2021:07:21 16:05:23

Checking configuration files in /etc/clamav

Config file: clamd.conf
-----------------------
LogFile = "/var/log/clamav/clamd.log"
LogTime = "yes"
PidFile = "/run/lock/clamd.pid"
TemporaryDirectory = "/tmp"
DatabaseDirectory = "/data"
LocalSocket = "/run/clamav/clamd.sock"
TCPSocket = "3310"
TCPAddr = "0.0.0.0"
MaxDirectoryRecursion = "30"
Foreground = "yes"
User = "clamav"
DetectPUA = "yes"
ExcludePUA = "NetTool", "PWTool"
MaxScanSize = "157286400"
MaxFileSize = "31457280"
MaxRecursion = "30"
MaxFiles = "15000"
MaxPartitions = "128"
MaxIconsPE = "200"
PCREMatchLimit = "10000"
PCRERecMatchLimit = "10000"
DisableCertCheck = "yes"

Config file: freshclam.conf
---------------------------
LogTime = "yes"
LogSyslog = "yes"
PidFile = "/run/lock/freshclam.pid"
DatabaseDirectory = "/data"
UpdateLogFile = "/var/log/clamav/freshclam.log"
DatabaseMirror = "database.clamav.net"
*** SafeBrowsing is DEPRECATED ***

Config file: clamav-milter.conf
-------------------------------
LogFile = "/var/log/clamav/milter.log"
LogTime = "yes"
PidFile = "/run/lock/clamav-milter.pid"
User = "clamav"
ClamdSocket = "unix:/run/clamav/clamd.sock", "unix:/run/clamav/clamd.sock", "unix:/run/clamav/clamd.sock", "unix:/run/clamav/clamd.sock", "unix:/run/clamav/clamd.sock"
MilterSocket = "inet:7357"

Software settings
-----------------
Version: 0.104.0-devel-20210518
Optional features supported: MEMPOOL AUTOIT_EA06 BZIP2 LIBXML2 PCRE2 ICONV JSON RAR 

Database information
--------------------
Database directory: /data
main.cvd: version 61, sigs: 6607162, built on Thu Jul 15 02:39:10 2021
[3rd Party] ignore_list.ign2: 1 sig 
[3rd Party] false-positives.fp: 4 sigs
bytecode.cvd: version 333, sigs: 92, built on Mon Mar  8 15:21:51 2021
daily.cld: version 26239, sigs: 1963068, built on Wed Jul 21 08:19:54 2021
Total number of signatures: 8570327

Platform information
--------------------
uname: Linux 4.19.150+ #1 SMP Tue Nov 24 07:54:23 PST 2020 x86_64
OS: Linux, ARCH: x86_64, CPU: x86_64
zlib version: 1.2.11 (1.2.11), compile flags: a9
platform id: 0x0a21828208000000000a0201

Build information
-----------------
GNU C: 10.2.1 20201203 (10.2.1)
sizeof(void*) = 8
Engine flevel: 130, dconf: 130

micahsnyder commented 3 years ago

Thanks for the report @byronmccollum

I tested this and found that it worked okay in 0.103.2 but as with your experience, the .fp signature for 933160.yaml was not effective in 0.104.0-rc.

CyberCr33p commented 2 years ago

I have the same or similar issue in FreeBSD with this file (https://termbin.com/mrudj) but also with other files. I believe that the .fp file is ignored.

ClamAV 0.103.3/26309/Fri Oct 1 12:03:53 2021

Whitelist is loaded:

LibClamAV debug: /var/db/clamav/cretaforce.fp loaded

md5 web357framework.class.php
MD5 (web357framework.class.php) = 5927dcd98c1d9f6a06d50d58598713d5

grep 5927dcd98c1d9f6a06d50d58598713d5 cretaforce.fp
5927dcd98c1d9f6a06d50d58598713d5:13436:web357framework.class.php

clamscan web357framework.class.php
/home/www/cretaftp/2/web357framework.class.php: {HEX}CretaForce.else.if.filter.json.decode.file.get.contents.UNOFFICIAL FOUND

----------- SCAN SUMMARY -----------
Known viruses: 8588436
Engine version: 0.103.3
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 0.02 MB
Data read: 0.01 MB (ratio 1.67:1)
Time: 14.343 sec (0 m 14 s)
Start Date: 2021:10:02 00:19:13
End Date: 2021:10:02 00:19:28

CyberCr33p commented 2 years ago

Finally, I had to sigtool --html-normalise the file first, so ignore my previous message.
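The .fp entries shown in the first post use ClamAV's hash-signature layout, MD5:FileSize:Name, and the last comment shows that the hash has to be taken over the bytes ClamAV actually scans. The following checker is an added example, not ClamAV's own code: it parses an .fp file, builds the entry for a given byte stream, and reports whether the stream would hit an entry, distinguishing a correct match from an entry whose hash is right but whose size field is wrong (the two page lines are reused as constructed sample data; the HTML blob and file names are made up).

```python
import hashlib

# Constructed sample in ClamAV's .fp layout, MD5:FileSize:Name, copied from the
# false-positives.fp shown in the first post.
SAMPLE_FP = """\
de66275016ef3ab8f3c47d173e0f9b1c:15526:933160.yaml
52d2eb410de1c9e0758ef562289289fa:1894:imurmurhash.min.js
"""


def parse_fp(text):
    """Return (md5, size, name) tuples; blank lines and '#' comments are skipped."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":", 2)
        if len(parts) != 3 or len(parts[0]) != 32 or not parts[1].isdigit():
            raise ValueError(f"line {lineno}: expected MD5:FileSize:Name, got {line!r}")
        entries.append((parts[0].lower(), int(parts[1]), parts[2]))
    return entries


def fp_line(data, name):
    """Build the .fp entry for exactly this byte stream (what md5sum plus size give)."""
    return f"{hashlib.md5(data).hexdigest()}:{len(data)}:{name}"


def check_fp(data, entries):
    """Say whether the byte stream ClamAV hashes would hit an .fp entry.

    Returns ("match", name), ("size-mismatch", name) when only the hash field
    agrees (a mistyped size silently disables the entry), or ("no-entry", None).
    """
    md5 = hashlib.md5(data).hexdigest()
    for h, size, name in entries:
        if h == md5:
            return ("match", name) if size == len(data) else ("size-mismatch", name)
    return ("no-entry", None)


if __name__ == "__main__":
    blob = b"<html><body>constructed sample file</body></html>\n"  # made-up content
    entries = parse_fp(SAMPLE_FP + fp_line(blob, "sample.html"))
    print(check_fp(blob, entries))            # ('match', 'sample.html')
    print(check_fp(blob + b"x", entries))     # ('no-entry', None)
```

For content ClamAV normalises before scanning (HTML and script text), feed the output of sigtool --html-normalise to fp_line rather than the raw file, which is the fix the last comment arrived at.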