Cisco-Talos / clamav

ClamAV - Documentation is here: https://docs.clamav.net
https://www.clamav.net/
GNU General Public License v2.0

Massive false positives Heuristics.OLE2.ContainsMacros.XLM #423

Closed maxbritov closed 7 months ago

maxbritov commented 2 years ago

Describe the bug

A lot of xls files reported as Heuristics.OLE2.ContainsMacros.XLM

Example (works with LO >= 7.1):

```
LibreOffice 7.2.5.2.0 20(Build:2)

$ touch test.ods

$ loffice --calc --convert-to xls test.ods
convert test.ods -> test.xls using filter : MS Excel 97

$ clamscan -V
ClamAV 0.104.2/26421/Thu Jan 13 12:37:33 2022

$ clamscan -v --alert-macros test.xls
Loading:    15s, ETA:   0s [========================>]    8.60M/8.60M sigs
Compiling:   3s, ETA:   0s [========================>]       41/41 tasks

Scanning test.xls
test.xls: Heuristics.OLE2.ContainsMacros.XLM FOUND

----------- SCAN SUMMARY -----------
Known viruses: 8603193
Engine version: 0.104.2
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 0.00 MB
Data read: 0.00 MB (ratio 0.00:1)
Time: 18.828 sec (0 m 18 s)
Start Date: 2022:01:13 16:00:18
End Date:   2022:01:13 16:00:37
```

maxbritov commented 2 years ago

Here is the TOP40 for 2022 from amavisd+clamav:

```
clamscan --scan-ole2 --alert-macros  `ls -1t |head -40`
Loading:    28s, ETA:   0s [========================>]    9.18M/9.18M sigs
Compiling:   6s, ETA:   0s [========================>]       41/41 tasks

amavishome/quarantine/virus-xHbaALqwva1f: Heuristics.OLE2.ContainsMacros.XLM FOUND
amavishome/quarantine/virus-SqEPWNU7zvQX: Heuristics.OLE2.ContainsMacros.XLM FOUND
amavishome/quarantine/virus-l6q6AesRdcqC: Heuristics.OLE2.ContainsMacros.XLM FOUND
amavishome/quarantine/virus-n3G_wH763jx7: Heuristics.OLE2.ContainsMacros.XLM FOUND
amavishome/quarantine/virus-CKbQ4ViKFILy: Heuristics.OLE2.ContainsMacros.XLM FOUND
amavishome/quarantine/virus-saEZPp6fB3gG: Heuristics.OLE2.ContainsMacros.XLM FOUND
amavishome/quarantine/virus-eNXQEar6rDpY: Heuristics.OLE2.ContainsMacros.XLM FOUND
amavishome/quarantine/virus-IYhFJEmLwG08: Heuristics.OLE2.ContainsMacros.XLM FOUND
amavishome/quarantine/virus-wsw8Wx5JmODS: Heuristics.OLE2.ContainsMacros.XLM FOUND
amavishome/quarantine/virus-J7-qiyjzT0Zc: Heuristics.OLE2.ContainsMacros.XLM FOUND
amavishome/quarantine/virus-Vr5gkTtkdysi: Heuristics.OLE2.ContainsMacros.XLM FOUND
amavishome/quarantine/virus-NaCKKvATdUFa: Heuristics.OLE2.ContainsMacros.XLM FOUND
amavishome/quarantine/virus-cuig-I_aMk2v: Heuristics.OLE2.ContainsMacros.XLM FOUND
amavishome/quarantine/virus-DrWrkIdbORcl: Heuristics.OLE2.ContainsMacros.XLM FOUND
amavishome/quarantine/virus-4RQ7mtbrparA: Heuristics.OLE2.ContainsMacros.XLM FOUND
amavishome/quarantine/virus-BSCrdvHPAnp8: Heuristics.OLE2.ContainsMacros.XLM FOUND
amavishome/quarantine/virus-AEoBMR8y8V0y: Heuristics.OLE2.ContainsMacros.XLM FOUND
amavishome/quarantine/virus-ffjSeAcYTNb5: Heuristics.OLE2.ContainsMacros.XLM FOUND
amavishome/quarantine/virus-WgVdNfFAwwkH: Heuristics.OLE2.ContainsMacros.XLM FOUND
amavishome/quarantine/virus-K_2bmAzyaDND: Heuristics.OLE2.ContainsMacros.XLM FOUND
amavishome/quarantine/virus-F_nh0_z2ajwj: Heuristics.OLE2.ContainsMacros.XLM FOUND
amavishome/quarantine/virus-GtXt0fPTM1I9: Heuristics.OLE2.ContainsMacros.XLM FOUND
amavishome/quarantine/virus-6KkY8jpy2ieA: Heuristics.OLE2.ContainsMacros.XLM FOUND
amavishome/quarantine/virus-YyRWV5nC2GnZ: Heuristics.OLE2.ContainsMacros.XLM FOUND
amavishome/quarantine/virus-62BBMU9MzRCj: Heuristics.OLE2.ContainsMacros.XLM FOUND
amavishome/quarantine/virus-oHZoSg1fq1_C: Heuristics.OLE2.ContainsMacros.XLM FOUND
amavishome/quarantine/virus-yqB3BcLtKzqi: Heuristics.OLE2.ContainsMacros.XLM FOUND
amavishome/quarantine/virus-9ssdUZr1ASI0: Heuristics.OLE2.ContainsMacros.XLM FOUND
amavishome/quarantine/virus-hKK0sINqruKo: Heuristics.OLE2.ContainsMacros.XLM FOUND
amavishome/quarantine/virus-8jO8YRj3WAom: Heuristics.OLE2.ContainsMacros.VBA FOUND
amavishome/quarantine/virus-TUOV9GwMW3qZ: Heuristics.OLE2.ContainsMacros.XLM FOUND
amavishome/quarantine/virus-RdUm8tyjTqN6: Heuristics.OLE2.ContainsMacros.XLM FOUND
amavishome/quarantine/virus-ixKZkTZ7N4Rx: Heuristics.OLE2.ContainsMacros.XLM FOUND
amavishome/quarantine/virus-EsQyd6ykVy0S: Heuristics.OLE2.ContainsMacros.XLM FOUND
amavishome/quarantine/virus-sjFMYpD9_Qjs: Heuristics.OLE2.ContainsMacros.XLM FOUND
amavishome/quarantine/virus-iPJIDw8DUC3D: Heuristics.OLE2.ContainsMacros.XLM FOUND
amavishome/quarantine/virus-t4FHC9Z-O48G: OK
amavishome/quarantine/virus-k9h3q2tBRNhS: Heuristics.OLE2.ContainsMacros.XLM FOUND
amavishome/quarantine/virus-JccRTjd-aG_c: Heuristics.OLE2.ContainsMacros.VBA FOUND
amavishome/quarantine/virus-GAA_Ch9LMKy2: Heuristics.OLE2.ContainsMacros.XLM FOUND

----------- SCAN SUMMARY -----------
Known viruses: 9182955
Engine version: 0.104.2
Scanned directories: 0
Scanned files: 40
Infected files: 39
Data scanned: 18.90 MB
Data read: 20.36 MB (ratio 0.93:1)
Time: 46.404 sec (0 m 46 s)
Start Date: 2022:01:14 16:38:33
End Date:   2022:01:14 16:39:19
```

micahsnyder commented 2 years ago

This user also reported XLM macro detection false positives in the old bugzilla: https://bugzilla.clamav.net/show_bug.cgi?id=12844. We haven't investigated yet.

m-lw commented 2 years ago

I've analyzed one case of this in 0.104.2 using the attached Arrow.xls, which is an xls file containing just an arrow. The problem is that `cli_ole2_tempdir_scan_xlm` is called when `has_xlm` is false and `has_image` is true: https://github.com/Cisco-Talos/clamav/blob/0fe0b79b94d900b8fbf0ce435b39d560f3c22e4d/libclamav/scanners.c#L2598 This causes XLM macro detection even when there are none.

Attachment: Arrow.xls
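To make the dispatch mistake above concrete, here is an added example (not ClamAV's code) that models the two flags: a minimal walk over BIFF records of a Workbook stream sets `has_xlm` from the BoundSheet8 sheet-type byte and `has_image` from an MSODRAWINGGROUP record, and `verdict()` shows the reported condition beside the corrected one. Record layouts follow MS-XLS; the two sample streams are constructed, and the "image-only" one stands in for a file like Arrow.xls.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BIFF_BOUNDSHEET      0x0085  /* BoundSheet8 record (MS-XLS 2.4.28) */
#define BIFF_MSODRAWINGGROUP 0x00EB  /* drawing container: embedded images live here */
#define SHEET_TYPE_MACRO     0x01    /* BoundSheet8.dt value for an Excel 4.0 macro sheet */

struct ole2_flags { bool has_xlm; bool has_image; };

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Walk BIFF records (u16 type, u16 length, payload) of a Workbook stream. */
struct ole2_flags biff_scan(const uint8_t *buf, size_t len) {
    struct ole2_flags f = { false, false };
    size_t off = 0;
    while (off + 4 <= len) {
        uint16_t type = rd16(buf + off), rlen = rd16(buf + off + 2);
        const uint8_t *body = buf + off + 4;
        if ((size_t)rlen > len - off - 4) break;  /* truncated record: stop, never overread */
        if (type == BIFF_BOUNDSHEET && rlen >= 6 && body[5] == SHEET_TYPE_MACRO)
            f.has_xlm = true;                     /* body[5] is dt: lbPlyPos(4) + hsState(1) */
        if (type == BIFF_MSODRAWINGGROUP)
            f.has_image = true;
        off += 4 + rlen;
    }
    return f;
}

/* The reported condition ran the XLM scan whenever has_xlm OR has_image was set, so an
 * image-only workbook was flagged; the corrected form keys on has_xlm alone. */
const char *verdict(struct ole2_flags f, bool reported_condition) {
    bool run_xlm = reported_condition ? (f.has_xlm || f.has_image) : f.has_xlm;
    return run_xlm ? "Heuristics.OLE2.ContainsMacros.XLM FOUND" : "OK";
}

/* Constructed streams: a plain worksheet "S1" plus a drawing group, and a lone macro sheet "M1". */
static const uint8_t SAMPLE_IMAGE_ONLY[] = {
    0x85,0x00, 0x0A,0x00, 0,0,0,0, 0x00, 0x00, 0x02,0x00,'S','1',  /* BOUNDSHEET, dt=0 */
    0xEB,0x00, 0x02,0x00, 0x00,0x00                                /* MSODRAWINGGROUP */
};
static const uint8_t SAMPLE_MACRO[] = {
    0x85,0x00, 0x0A,0x00, 0,0,0,0, 0x00, 0x01, 0x02,0x00,'M','1'   /* BOUNDSHEET, dt=1 */
};

int main(void) {
    struct ole2_flags a = biff_scan(SAMPLE_IMAGE_ONLY, sizeof SAMPLE_IMAGE_ONLY);
    struct ole2_flags b = biff_scan(SAMPLE_MACRO, sizeof SAMPLE_MACRO);
    printf("image-only:  reported=%s  fixed=%s\n", verdict(a, true), verdict(a, false));
    printf("macro sheet: reported=%s  fixed=%s\n", verdict(b, true), verdict(b, false));
    return 0;
}
```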

ripatil commented 1 year ago

@maxbritov With which version of ClamAV is this fix milestoned?

ragusaa commented 7 months ago

This appears to be working, please re-open if you are still having issues.