Cisco-Talos / clamav

ClamAV - Documentation is here: https://docs.clamav.net
https://www.clamav.net/
GNU General Public License v2.0

clamdscan --multiscan --fdpass reports "(null) FOUND" files #402

Closed jonasmalacofilho closed 5 months ago

jonasmalacofilho commented 2 years ago

Describe the bug

clamdscan --multiscan --fdpass reports some files as detected with (null).

How to reproduce the problem

This happens with a lot of files, but one example is the Python 3.10.1 installer for 64-bit Windows.

$ wget https://www.python.org/ftp/python/3.10.1/python-3.10.1-amd64.exe
$ echo '0e1c3a6ee3a05b5c4cd3d43fce8311a1  python-3.10.1-amd64.exe' | md5sum -c -
python-3.10.1-amd64.exe: OK
$ ls -l python-3.10.1-amd64.exe
-rw-r--r-- 1 jonas jonas 28179056 Dec 16 22:23 python-3.10.1-amd64.exe

Using the default limits, the file is detected with (null).

$ clamdscan --multiscan --fdpass --verbose python-3.10.1-amd64.exe
/home/jonas/Downloads/python-3.10.1-amd64.exe: (null) FOUND

----------- SCAN SUMMARY -----------
Infected files: 1
Time: 0.000 sec (0 m 0 s)
Start Date: 2021:12:16 22:50:15
End Date:   2021:12:16 22:50:15

Replacing --fdpass with --stream prevents the (null) issue and reveals that the file exceeds the MaxScanSize limit (and it would also exceed the MaxFileSize limit):

$ clamdscan --multiscan --stream --verbose python-3.10.1-amd64.exe
/home/jonas/Downloads/python-3.10.1-amd64.exe: Heuristics.Limits.Exceeded.MaxScanSize FOUND

----------- SCAN SUMMARY -----------
Infected files: 1
Time: 12.091 sec (0 m 12 s)
Start Date: 2021:12:16 22:51:21
End Date:   2021:12:16 22:51:33

However, it is interesting to observe that clamdscan --multiscan --fdpass does report some other files as exceeding the MaxScanSize limit:

$ clamdscan --multiscan --fdpass --verbose
...
/home/jonas/Downloads/win64Binaries.zip: Heuristics.Limits.Exceeded.MaxScanSize FOUND
...

Also, daemon-less clamscan works without issues, even though the file was previously reported to exceed MaxScanSize, and is over 25 MB (and both limits haven't been changed from their default values):

$ clamscan --verbose python-3.10.1-amd64.exe
Loading:     9s, ETA:   0s [========================>]    8.58M/8.58M sigs       
Compiling:   1s, ETA:   0s [========================>]       41/41 tasks 

Scanning /home/jonas/Downloads/python-3.10.1-amd64.exe
/home/jonas/Downloads/python-3.10.1-amd64.exe: OK

----------- SCAN SUMMARY -----------
Known viruses: 8583548
Engine version: 0.104.1
Scanned directories: 0
Scanned files: 1
Infected files: 0
Data scanned: 0.00 MB
Data read: 26.87 MB (ratio 0.00:1)
Time: 10.674 sec (0 m 10 s)
Start Date: 2021:12:16 22:52:12
End Date:   2021:12:16 22:52:23
$ clamconf -n
Checking configuration files in /etc/clamav

Config file: clamd.conf
-----------------------
AlertExceedsMax = "yes"
LogFile = "/var/log/clamav/clamd.log"
LogTime = "yes"
PidFile = "/run/clamav/clamd.pid"
TemporaryDirectory = "/tmp"
LocalSocket = "/run/clamav/clamd.ctl"
MaxThreads = "12"
User = "clamav"

Config file: freshclam.conf
---------------------------
PidFile = "/run/clamav/freshclam.pid"
UpdateLogFile = "/var/log/clamav/freshclam.log"
DatabaseMirror = "database.clamav.net"

Config file: clamav-milter.conf
-------------------------------
LogFile = "/var/log/clamav/clamav-milter.log"
LogTime = "yes"
PidFile = "/run/clamav/clamav-milter.pid"
TemporaryDirectory = "/tmp"
User = "clamav"

Software settings
-----------------
Version: 0.104.1
Optional features supported: MEMPOOL AUTOIT_EA06 BZIP2 LIBXML2 PCRE2 ICONV JSON RAR 

Database information
--------------------
Database directory: /var/lib/clamav
main.cvd: version 62, sigs: 6647427, built on Thu Sep 16 09:32:42 2021
bytecode.cvd: version 333, sigs: 92, built on Mon Mar  8 12:21:51 2021
daily.cvd: version 26389, sigs: 1951385, built on Thu Dec 16 03:02:49 2021
Total number of signatures: 8598904

Platform information
--------------------
uname: Linux 5.15.7-arch1-1 #1 SMP PREEMPT Wed, 08 Dec 2021 14:33:16 +0000 x86_64
OS: Linux, ARCH: x86_64, CPU: x86_64
zlib version: 1.2.11 (1.2.11), compile flags: a9
platform id: 0x0a218d8d08000000000b0100

Build information
-----------------
GNU C: 11.1.0 (11.1.0)
sizeof(void*) = 8
Engine flevel: 141, dconf: 141

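The three runs in the report above produce three different "not really scanned" outcomes for the same file: "(null) FOUND" from --fdpass (a verdict with no signature name), "Heuristics.Limits.Exceeded.MaxScanSize FOUND" from --stream (AlertExceedsMax fired), and an "OK" from clamscan whose summary says "Data scanned: 0.00 MB" next to "Data read: 26.87 MB", i.e. the file was read but none of it was inspected. A wrapper that only greps for "FOUND" treats the first two as infections and the third as clean. The following is an added example, not ClamAV project code, of a small triage parser that keeps those cases apart; the sample output strings are constructed from the sessions quoted in the issue, the signature name "Constructed.Test.Sig-1" is made up, and the action labels (QUARANTINE, RESCAN-STREAM, ...) are hypothetical names for whatever the calling pipeline does.

```python
"""Triage clamdscan/clamscan output so that "(null) FOUND", limit-exceeded
heuristics, and an OK backed by zero scanned bytes are not confused with
real detections or clean results. Added example, not ClamAV project code."""
import re
from dataclasses import dataclass
from typing import List, Optional

# "<path>: <verdict>"; greedy path so a ": " inside the path is tolerated.
RESULT_RE = re.compile(r"^(?P<path>.+): (?P<rhs>.+)$")
# "Data scanned: 0.00 MB" / "Data read: 26.87 MB (ratio 0.00:1)"
MB_RE = re.compile(r"^(?P<key>Data scanned|Data read): (?P<mb>[0-9.]+) MB")


@dataclass
class FileResult:
    path: str
    kind: str  # "ok" | "detected" | "limit_exceeded" | "null_verdict" | "error"
    signature: Optional[str] = None


def parse_result_line(line: str) -> Optional[FileResult]:
    """Parse one per-file result line; return None for progress/summary lines."""
    m = RESULT_RE.match(line.rstrip("\n"))
    if not m:
        return None
    path, rhs = m.group("path"), m.group("rhs")
    if rhs == "OK":
        return FileResult(path, "ok")
    if rhs.endswith(" ERROR"):
        return FileResult(path, "error", rhs[: -len(" ERROR")])
    if rhs.endswith(" FOUND"):
        sig = rhs[: -len(" FOUND")]
        if sig == "(null)":  # the --fdpass symptom from the issue: no signature name
            return FileResult(path, "null_verdict", sig)
        if sig.startswith("Heuristics.Limits.Exceeded."):  # AlertExceedsMax fired
            return FileResult(path, "limit_exceeded", sig)
        return FileResult(path, "detected", sig)
    return None


@dataclass
class ScanSummary:
    infected: int = 0
    data_scanned_mb: Optional[float] = None
    data_read_mb: Optional[float] = None


def parse_summary(text: str) -> ScanSummary:
    """Pull the counters we care about out of the SCAN SUMMARY block."""
    s = ScanSummary()
    for line in text.splitlines():
        if line.startswith("Infected files: "):
            s.infected = int(line.split(": ", 1)[1])
        m = MB_RE.match(line)
        if m:
            val = float(m.group("mb"))
            if m.group("key") == "Data scanned":
                s.data_scanned_mb = val
            else:
                s.data_read_mb = val
    return s


def scan_was_skipped(summary: ScanSummary) -> bool:
    """True when bytes were read but none were inspected (the clamscan run above)."""
    return (summary.data_read_mb or 0.0) > 0 and summary.data_scanned_mb == 0.0


def triage(output: str) -> List[str]:
    """One action per file result, plus a run-level warning for hollow OKs."""
    actions = []
    for line in output.splitlines():
        r = parse_result_line(line)
        if r is None:
            continue
        if r.kind == "detected":
            actions.append(f"QUARANTINE {r.path} ({r.signature})")
        elif r.kind == "limit_exceeded":
            actions.append(f"RESCAN-RAISED-LIMITS {r.path} ({r.signature})")
        elif r.kind == "null_verdict":
            actions.append(f"RESCAN-STREAM {r.path} (signature missing; --fdpass issue)")
        elif r.kind == "error":
            actions.append(f"ERROR {r.path} ({r.signature})")
        else:
            actions.append(f"CLEAN {r.path}")
    if scan_was_skipped(parse_summary(output)):
        actions.append("WARN: 0.00 MB scanned; OK verdicts above cover no inspected data")
    return actions


# Constructed samples modelled on the clamdscan --fdpass and clamscan sessions above.
SAMPLE_CLAMDSCAN_FDPASS = """/home/jonas/Downloads/python-3.10.1-amd64.exe: (null) FOUND

----------- SCAN SUMMARY -----------
Infected files: 1
Time: 0.000 sec (0 m 0 s)
Start Date: 2021:12:16 22:50:15
"""
SAMPLE_CLAMSCAN = """Scanning /home/jonas/Downloads/python-3.10.1-amd64.exe
/home/jonas/Downloads/python-3.10.1-amd64.exe: OK

----------- SCAN SUMMARY -----------
Infected files: 0
Data scanned: 0.00 MB
Data read: 26.87 MB (ratio 0.00:1)
"""

if __name__ == "__main__":
    for sample in (SAMPLE_CLAMDSCAN_FDPASS, SAMPLE_CLAMSCAN):
        print("\n".join(triage(sample)))
```

Feeding real output through triage() works the same way as the constructed samples: run clamdscan with --verbose so that per-file lines and the summary are both present, and treat "RESCAN-STREAM" and "WARN" as "no verdict yet" rather than as clean.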

ncs1 commented 10 months ago

Still happens in ClamAV 1.0.2/27091

ragusaa commented 5 months ago

I just tested this with our current main, and it appears to be resolved. I am going to close, but please re-open if you encounter it again.

Thanks, Andy