Closed maxbritov closed 7 months ago
Here is TOP40 2022 from amavisd+clamav:
clamscan --scan-ole2 --alert-macros `ls -1t |head -40`
Loading: 28s, ETA: 0s [========================>] 9.18M/9.18M sigs
Compiling: 6s, ETA: 0s [========================>] 41/41 tasks
amavishome/quarantine/virus-xHbaALqwva1f: Heuristics.OLE2.ContainsMacros.XLM FOUND
amavishome/quarantine/virus-SqEPWNU7zvQX: Heuristics.OLE2.ContainsMacros.XLM FOUND
amavishome/quarantine/virus-l6q6AesRdcqC: Heuristics.OLE2.ContainsMacros.XLM FOUND
amavishome/quarantine/virus-n3G_wH763jx7: Heuristics.OLE2.ContainsMacros.XLM FOUND
amavishome/quarantine/virus-CKbQ4ViKFILy: Heuristics.OLE2.ContainsMacros.XLM FOUND
amavishome/quarantine/virus-saEZPp6fB3gG: Heuristics.OLE2.ContainsMacros.XLM FOUND
amavishome/quarantine/virus-eNXQEar6rDpY: Heuristics.OLE2.ContainsMacros.XLM FOUND
amavishome/quarantine/virus-IYhFJEmLwG08: Heuristics.OLE2.ContainsMacros.XLM FOUND
amavishome/quarantine/virus-wsw8Wx5JmODS: Heuristics.OLE2.ContainsMacros.XLM FOUND
amavishome/quarantine/virus-J7-qiyjzT0Zc: Heuristics.OLE2.ContainsMacros.XLM FOUND
amavishome/quarantine/virus-Vr5gkTtkdysi: Heuristics.OLE2.ContainsMacros.XLM FOUND
amavishome/quarantine/virus-NaCKKvATdUFa: Heuristics.OLE2.ContainsMacros.XLM FOUND
amavishome/quarantine/virus-cuig-I_aMk2v: Heuristics.OLE2.ContainsMacros.XLM FOUND
amavishome/quarantine/virus-DrWrkIdbORcl: Heuristics.OLE2.ContainsMacros.XLM FOUND
amavishome/quarantine/virus-4RQ7mtbrparA: Heuristics.OLE2.ContainsMacros.XLM FOUND
amavishome/quarantine/virus-BSCrdvHPAnp8: Heuristics.OLE2.ContainsMacros.XLM FOUND
amavishome/quarantine/virus-AEoBMR8y8V0y: Heuristics.OLE2.ContainsMacros.XLM FOUND
amavishome/quarantine/virus-ffjSeAcYTNb5: Heuristics.OLE2.ContainsMacros.XLM FOUND
amavishome/quarantine/virus-WgVdNfFAwwkH: Heuristics.OLE2.ContainsMacros.XLM FOUND
amavishome/quarantine/virus-K_2bmAzyaDND: Heuristics.OLE2.ContainsMacros.XLM FOUND
amavishome/quarantine/virus-F_nh0_z2ajwj: Heuristics.OLE2.ContainsMacros.XLM FOUND
amavishome/quarantine/virus-GtXt0fPTM1I9: Heuristics.OLE2.ContainsMacros.XLM FOUND
amavishome/quarantine/virus-6KkY8jpy2ieA: Heuristics.OLE2.ContainsMacros.XLM FOUND
amavishome/quarantine/virus-YyRWV5nC2GnZ: Heuristics.OLE2.ContainsMacros.XLM FOUND
amavishome/quarantine/virus-62BBMU9MzRCj: Heuristics.OLE2.ContainsMacros.XLM FOUND
amavishome/quarantine/virus-oHZoSg1fq1_C: Heuristics.OLE2.ContainsMacros.XLM FOUND
amavishome/quarantine/virus-yqB3BcLtKzqi: Heuristics.OLE2.ContainsMacros.XLM FOUND
amavishome/quarantine/virus-9ssdUZr1ASI0: Heuristics.OLE2.ContainsMacros.XLM FOUND
amavishome/quarantine/virus-hKK0sINqruKo: Heuristics.OLE2.ContainsMacros.XLM FOUND
amavishome/quarantine/virus-8jO8YRj3WAom: Heuristics.OLE2.ContainsMacros.VBA FOUND
amavishome/quarantine/virus-TUOV9GwMW3qZ: Heuristics.OLE2.ContainsMacros.XLM FOUND
amavishome/quarantine/virus-RdUm8tyjTqN6: Heuristics.OLE2.ContainsMacros.XLM FOUND
amavishome/quarantine/virus-ixKZkTZ7N4Rx: Heuristics.OLE2.ContainsMacros.XLM FOUND
amavishome/quarantine/virus-EsQyd6ykVy0S: Heuristics.OLE2.ContainsMacros.XLM FOUND
amavishome/quarantine/virus-sjFMYpD9_Qjs: Heuristics.OLE2.ContainsMacros.XLM FOUND
amavishome/quarantine/virus-iPJIDw8DUC3D: Heuristics.OLE2.ContainsMacros.XLM FOUND
amavishome/quarantine/virus-t4FHC9Z-O48G: OK
amavishome/quarantine/virus-k9h3q2tBRNhS: Heuristics.OLE2.ContainsMacros.XLM FOUND
amavishome/quarantine/virus-JccRTjd-aG_c: Heuristics.OLE2.ContainsMacros.VBA FOUND
amavishome/quarantine/virus-GAA_Ch9LMKy2: Heuristics.OLE2.ContainsMacros.XLM FOUND
----------- SCAN SUMMARY -----------
Known viruses: 9182955
Engine version: 0.104.2
Scanned directories: 0
Scanned files: 40
Infected files: 39
Data scanned: 18.90 MB
Data read: 20.36 MB (ratio 0.93:1)
Time: 46.404 sec (0 m 46 s)
Start Date: 2022:01:14 16:38:33
End Date: 2022:01:14 16:39:19
This user also reported XLM macro detection false positives in the old bugzilla: https://bugzilla.clamav.net/show_bug.cgi?id=12844 We haven't investigated yet.
I've analyzed one case of this in 0.104.2 using the attached Arrow.xls, which is an xls file containing just an arrow. The problem is that cli_ole2_tempdir_scan_xlm is called when has_xlm is false and has_image is true:
https://github.com/Cisco-Talos/clamav/blob/0fe0b79b94d900b8fbf0ce435b39d560f3c22e4d/libclamav/scanners.c#L2598
This causes XLM macro detection even when there are no macros.
Arrow.xls
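When triaging a quarantine like the one above, the check a practitioner wants is an independent confirmation that a flagged xls really contains Excel 4.0 (XLM) macro sheets rather than only pictures. The script below is an added example, not code from ClamAV or from anyone in this thread, and it does not reproduce the engine's logic at the scanners.c line cited above. It parses a raw BIFF8 Workbook stream and lists every sheet with its type and visibility; the record layout assumed here is the public MS-XLS BoundSheet8 definition, where the high byte of grbit is the sheet type and 0x01 means macro sheet. The two sample streams at the bottom are constructed inside the script, not taken from Arrow.xls or from the quarantine, and the MSODRAWINGGROUP record stands in for an embedded drawing.

```python
import struct
from typing import Iterator, List, Tuple

# BIFF8 record identifiers used below (MS-XLS, section 2.4). Taken from the
# public spec as an assumption for this example; this is not ClamAV code.
BIFF_BOF = 0x0809
BIFF_EOF = 0x000A
BIFF_BOUNDSHEET = 0x0085        # BoundSheet8: one record per sheet
BIFF_MSODRAWINGGROUP = 0x00EB   # Office drawing container (images), not code

# BoundSheet8 grbit: low byte hsState (visibility), high byte dt (sheet type).
SHEET_TYPES = {0x00: "worksheet", 0x01: "macro sheet", 0x02: "chart", 0x06: "vb module"}
VISIBILITY = {0x00: "visible", 0x01: "hidden", 0x02: "very hidden"}


def iter_biff_records(stream: bytes) -> Iterator[Tuple[int, bytes]]:
    """Yield (record_type, data) from a raw BIFF8 Workbook stream.

    Each record is a 2-byte type and 2-byte length (little endian) followed
    by the data. Stop quietly on truncation: quarantined mail attachments
    are often damaged, and a parser that raises there is useless for triage.
    """
    off = 0
    while off + 4 <= len(stream):
        rtype, rlen = struct.unpack_from("<HH", stream, off)
        off += 4
        data = stream[off:off + rlen]
        if len(data) < rlen:
            break
        off += rlen
        yield rtype, data


def list_sheets(stream: bytes) -> List[Tuple[str, str, str]]:
    """Return (name, sheet_type, visibility) for every BoundSheet8 record."""
    sheets = []
    for rtype, data in iter_biff_records(stream):
        if rtype != BIFF_BOUNDSHEET or len(data) < 8:
            continue
        # Layout: lbPlyPos(4) grbit(2) cch(1) grbitChr(1) rgch(cch or 2*cch bytes)
        hs_state = data[4] & 0x03
        dt = data[5]
        cch = data[6]
        wide = data[7] & 0x01          # fHighByte: 1 => UTF-16LE name
        raw = data[8:8 + (cch * 2 if wide else cch)]
        name = raw.decode("utf-16le" if wide else "latin-1", errors="replace")
        sheets.append((name,
                       SHEET_TYPES.get(dt, f"unknown(0x{dt:02x})"),
                       VISIBILITY.get(hs_state, f"unknown({hs_state})")))
    return sheets


def has_xlm_macros(stream: bytes) -> bool:
    """True if at least one sheet is an Excel 4.0 macro sheet (dt == 0x01)."""
    return any(kind == "macro sheet" for _, kind, _ in list_sheets(stream))


def has_drawings(stream: bytes) -> bool:
    """True if the workbook carries an Office drawing group (pictures, shapes)."""
    return any(rtype == BIFF_MSODRAWINGGROUP for rtype, _ in iter_biff_records(stream))


def triage(stream: bytes) -> str:
    """Classify a Workbook stream when checking a ContainsMacros.XLM hit."""
    if has_xlm_macros(stream):
        return "xlm-macros"
    return "drawings-only" if has_drawings(stream) else "no-macros"


# --- Constructed sample streams (built here, not extracted from any real file) ---
def _record(rtype: int, data: bytes) -> bytes:
    return struct.pack("<HH", rtype, len(data)) + data


def _boundsheet(name: str, dt: int, hs_state: int = 0) -> bytes:
    n = name.encode("latin-1")
    return _record(BIFF_BOUNDSHEET, struct.pack("<IBBBB", 0, hs_state, dt, len(n), 0) + n)


BOF = _record(BIFF_BOF, bytes(16))
EOF = _record(BIFF_EOF, b"")

# Stands in for a workbook like the "arrow" case: one plain worksheet plus a drawing.
ARROW_LIKE = BOF + _boundsheet("Sheet1", 0x00) + _record(BIFF_MSODRAWINGGROUP, bytes(16)) + EOF
# A workbook that really does carry a (very hidden) Excel 4.0 macro sheet.
XLM_SAMPLE = BOF + _boundsheet("Sheet1", 0x00) + _boundsheet("Macro1", 0x01, 0x02) + EOF

if __name__ == "__main__":
    for label, s in (("arrow-like", ARROW_LIKE), ("xlm-sample", XLM_SAMPLE)):
        print(label, triage(s), list_sheets(s))
```

To run this against a quarantined file, extract the Workbook stream from the OLE2 container first, for example with the third-party olefile module (olefile.OleFileIO(path).openstream("Workbook").read()), and pass the bytes to triage(). A file that comes back "drawings-only" is a candidate false positive for this heuristic and worth attaching to the report; "xlm-macros" confirms the hit. Only BIFF8 "Workbook" streams are handled, not the older BIFF5 "Book" stream.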
@maxbritov, with which version of ClamAV is this fix milestoned?
This appears to be working, please re-open if you are still having issues.
Describe the bug
A lot of xls files are reported as Heuristics.OLE2.ContainsMacros.XLM.
Example (works with LO >= 7.1):