Cisco-Talos / clamav

ClamAV - Documentation is here: https://docs.clamav.net
https://www.clamav.net/
GNU General Public License v2.0

What's the meaning of 'LibClamAV Warning: crtmgr_rsa_verify: verification failed: fp_exptmod failed with 1' win7 x64 v105 #604

Closed ggaussling closed 2 years ago

ggaussling commented 2 years ago

Hi,

I issued this cmd line

clamscan --recursive c:\

sometimes I get this warning: LibClamAV Warning: crtmgr_rsa_verify: verification failed: fp_exptmod failed with 1

I don't know if this is harmless, and where does it come from.

This link here is the only appearance on the net, I was able to find:

>> Random Trash/John Titor und Weltlinien • Zeit;Reisen.mp4: OK

LibClamAV Warning: crtmgr_rsa_verify: verification failed: fp_exptmod failed with 1
>> Random Trash/CUDA/cuda_10.0.130_win10_network.exe: OK

http://webcache.googleusercontent.com/search?q=cache:gQqfY4JsG6kJ:https://uraniumhexafluori.de/ClamAV/&hl=de&gl=de&strip=1&vwsrc=0 Memento: https://web.archive.org/web/20220531130349/https://uraniumhexafluori.de/ClamAV/

e.g.

C:\Users\Mich24\Downloads\naps2-6.1.2-setup.exe: OK
LibClamAV Warning: crtmgr_rsa_verify: verification failed: fp_exptmod failed with 1
LibClamAV Warning: crtmgr_rsa_verify: verification failed: fp_exptmod failed with 1
C:\Users\Mich24\Downloads\Nextcloud-3.4.4-x64.msi: OK
C:\Users\Mich24\Downloads\npp.8.3.3.Installer.x64.exe: OK
C:\Users\Mich24\Downloads\Player Setup.exe: Win.Trojan.Softpulse-519 FOUND
LibClamAV Warning: crtmgr_rsa_verify: verification failed: fp_exptmod failed with 1
LibClamAV Warning: crtmgr_rsa_verify: verification failed: fp_exptmod failed with 1
LibClamAV Warning: crtmgr_rsa_verify: verification failed: fp_exptmod failed with 1
C:\Users\Mich24\Downloads\ProcessExplorer.zip: OK

Hardware:

Lenovo IdeaPad N581
Intel(R) Core(TM) i5-3210M CPU @ 2.50GHz
Intel Ivy Bridge rev. 09
Intel HM76 rev. 04
4 GBytes DDR3 RAM 798.7 MHz (1:6)
HDD: ST500LM012 HN-M500MBB, 465.8GB, 5400RPM, SATA AHCI

freshclam.log:

```
daily database available for download (remote version: 26557)
daily.cvd updated (version: 26557, sigs: 1985004, f-level: 90, builder: raynman)
main database available for download (remote version: 62)
main.cvd updated (version: 62, sigs: 6647427, f-level: 90, builder: sigmgr)
bytecode database available for download (remote version: 333)
bytecode.cvd updated (version: 333, sigs: 92, f-level: 63, builder: awillia2)
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. Alle Rechte vorbehalten.

C:\Windows\system32>clamconf > C:\Programme\ClamAV\clamconf.txt

clamconf.txt


C:\Windows\system32>clamconf -n
Checking configuration files in C:\Program Files\ClamAV

Config file: clamd.conf
-----------------------
LogFile = "C:\Programme\ClamAV\clamd.log"
PidFile = "C:\Programme\ClamAV\clamd.pid"
DatabaseDirectory = "C:\Programme\ClamAV\database"
TCPSocket = "3310"
TCPAddr = "localhost"

Config file: freshclam.conf
---------------------------
PidFile = "C:\Programme\ClamAV\freshclam.pid"
DatabaseDirectory = "C:\Programme\ClamAV\database"
UpdateLogFile = "C:\Programme\ClamAV\freshclam.log"
DatabaseMirror = "database.clamav.net"
NotifyClamd = "C:\Programme\ClamAV\clamd.conf"

clamav-milter.conf not found

Software settings
-----------------
Version: 0.105.0
Optional features supported: MEMPOOL AUTOIT_EA06 BZIP2 LIBXML2 PCRE2 JSON RAR

Database information
--------------------
Database directory: C:\Programme\ClamAV\database
bytecode.cvd: version 333, sigs: 92, built on Mon Mar  8 16:21:51 2021
daily.cvd: version 26557, sigs: 1985004, built on Mon May 30 10:05:44 2022
main.cvd: version 62, sigs: 6647427, built on Thu Sep 16 14:32:42 2021
Total number of signatures: 8632523

Platform information
--------------------
uname: Microsoft Windows 6.1 SP1.0 Build 7601
OS: Windows, ARCH: AMD64, CPU: AMD64
zlib version: 1.2.12 (1.2.12), compile flags: 65
platform id: 0x10259696080000000000077c

Build information
-----------------
Microsoft Visual C++: (0.7.124)
sizeof(void*) = 8
Engine flevel: 150, dconf: 150

C:\Windows\system32>
```
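The clamscan output quoted above mixes per-file verdicts with LibClamAV warnings that are printed on their own lines and are not tied to any path. The following script is added here as an example; it is not code from the ClamAV project or from anyone in this thread. It parses that plain-text output so a periodic scan job can count detections and distinct warnings separately instead of treating every unexpected line as a failure. The sample lines are constructed after the ones quoted in the issue, and the regular expressions are an assumption about the output format, not an API the project provides.

```python
"""Classify clamscan output lines so a scan job can tell verdicts from warnings.

Added example, not part of ClamAV.  The sample output below is constructed
to match the lines quoted in the issue.
"""
import re
from collections import Counter

# clamscan prints one "<path>: <verdict>" line per file; the verdict is OK,
# "<SignatureName> FOUND", or an error text.  LibClamAV warnings appear on
# their own lines without a path.  Both patterns are assumptions about the
# plain-text format, not a documented machine-readable interface.
RESULT_RE = re.compile(r"^(?P<path>.+?): (?P<verdict>OK|.+ FOUND|.+ ERROR)$")
WARNING_RE = re.compile(r"^LibClamAV Warning: (?P<text>.+)$")

# Constructed sample, modelled on the output quoted in the issue.
SAMPLE_OUTPUT = """\
C:\\Users\\Mich24\\Downloads\\naps2-6.1.2-setup.exe: OK
LibClamAV Warning: crtmgr_rsa_verify: verification failed: fp_exptmod failed with 1
LibClamAV Warning: crtmgr_rsa_verify: verification failed: fp_exptmod failed with 1
C:\\Users\\Mich24\\Downloads\\Nextcloud-3.4.4-x64.msi: OK
C:\\Users\\Mich24\\Downloads\\npp.8.3.3.Installer.x64.exe: OK
C:\\Users\\Mich24\\Downloads\\Player Setup.exe: Win.Trojan.Softpulse-519 FOUND
LibClamAV Warning: crtmgr_rsa_verify: verification failed: fp_exptmod failed with 1
C:\\Users\\Mich24\\Downloads\\ProcessExplorer.zip: OK
"""


def parse_clamscan_output(text):
    """Return (results, warnings).

    results:  list of (path, verdict) tuples in output order.
    warnings: Counter mapping each distinct warning text to its occurrence count.
    """
    results, warnings = [], Counter()
    for line in text.splitlines():
        line = line.rstrip()
        if not line:
            continue
        m = WARNING_RE.match(line)      # check warnings first: they also contain ": "
        if m:
            warnings[m.group("text")] += 1
            continue
        m = RESULT_RE.match(line)
        if m:
            results.append((m.group("path"), m.group("verdict")))
    return results, warnings


def summarize(text):
    """Build the summary a scan job would report: counts, detections, warnings."""
    results, warnings = parse_clamscan_output(text)
    detections = [(path, verdict[: -len(" FOUND")])
                  for path, verdict in results if verdict.endswith(" FOUND")]
    return {
        "scanned": len(results),
        "infected": detections,
        "warnings": dict(warnings),
    }


if __name__ == "__main__":
    summary = summarize(SAMPLE_OUTPUT)
    print(f"scanned {summary['scanned']} files, {len(summary['infected'])} infected")
    for path, sig in summary["infected"]:
        print(f"  FOUND {sig}: {path}")
    for text, count in summary["warnings"].items():
        print(f"  warning x{count}: {text}")
```

In a real job the text would come from the captured stdout of `clamscan --recursive <dir>`; keeping detections and warnings in separate fields lets the job alert on a FOUND line while only logging a repeated warning such as the one discussed in this issue.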
ggaussling commented 2 years ago

Regarding my observations, I think it might have to do with temporarily unavailable resources on my computer. Maybe the scanned item needs more resources, or other processes are using them up. It may loop on the item until the resources are available again?

micahsnyder commented 2 years ago

@ggaussling Do you see this issue every time you scan Nextcloud-3.4.4-x64.msi and ProcessExplorer.zip? It could be a clamav bug. If you can share a link to these files I can give it a try on my machine.

qs5779 commented 2 years ago

I started seeing this error regularly in my periodic scan jobs, beginning a few weeks ago.

micahsnyder commented 2 years ago

@qs5779 did you upgrade clamav to a new version a few weeks ago, or are there files new to your system in the past few weeks that trigger this warning?

qs5779 commented 2 years ago

[2022-05-13T06:26:52-0400] [ALPM] upgraded clamav (0.104.2-1 -> 0.105.0-1) was my last upgrade. I am not 100% sure, but that is about the time I started seeing the message. My job scans a specific list of directories one at a time, and it seems to output the warning for each recursive scan.

micahsnyder commented 2 years ago

Apologies for the delayed reply @qs5779. I'm seeing the same issue as well with many signed files. I'll add a task to our Jira to investigate.

SokolInTheCloud commented 2 years ago

I got the same issue. Windows 7 x64 sp1 in VirtualBox. I have tried clamscan 0.105.0 both x86 and x64 versions, for files and memory scan.

tuchaVshortah commented 2 years ago

Got the same issue. Manjaro Linux with the 5.18.5-lqx1-1-lqx kernel (Liquorix), ClamAV 0.105.0.

jeb2112 commented 2 years ago

I am seeing this message. I have just built clamav from the github source, version 1.0.0, my first time using it. I have Ubuntu 19.10 5.3.0-64-generic.

unixdigest commented 2 years ago

Same issue on Arch Linux ClamAV 0.105.0-1.

LibClamAV Warning: crtmgr_rsa_verify: verification failed: fp_exptmod failed with 1
LibClamAV Warning: crtmgr_rsa_verify: verification failed: fp_exptmod failed with 1
LibClamAV Warning: crtmgr_rsa_verify: verification failed: fp_exptmod failed with 1
...
servusdei2018 commented 2 years ago

Same issue, Arch linux, 5.15 kernel x86_64.

piot commented 2 years ago

Got the same issue, Manjaro 5.15.59-1 x86_64

damienlmc commented 2 years ago

You have to use --nocerts to remove the error; however, it does not affect your scan.

ndonathan commented 2 years ago

Fresh install of ClamAV on MacOS with brew and getting same error.

foto-andreas commented 2 years ago

Fresh install with ClamAV Package from Download Page on MacOS: Same error.

civanakbas commented 2 years ago

Same issue. Arch Linux 5.15.61-1-lts kernel with ClamAV 0.105.0

simulanics commented 2 years ago

Fresh install for Windows 11 - "LibClamAV Warning: crtmgr_rsa_verify: verification failed: fp_exptmod failed with 1"

** Only seeing this error on Microsoft .NET created files (i.e. C#); and not all of them, just some. (Try Microsoft.HTTP.Net.dll or Microsoft.Versioning, System.Net.HTTP, System.Diagnostics., System.Threading.dll, WindowBase.dll, or any other .NET framework file or compiled EXE)

Appears that the code signing for .NET files on Windows is triggering this error. Other platforms I cannot attest to, unless they are cross-platform .NET Core files causing the issue?

micahsnyder commented 2 years ago

Hi all. I have an update. I investigated this and found the issue has to do with certificate verification for trusting authenticode signed executables. The ability to trust executables signed by trusted publishers was added in 0.105 development, but was subsequently broken when upgrading the vendored TomsFastMath library for fast floating point math. Specifically, it appears to happen when the executable is signed by a trusted certificate when clamav is determining if the signature can be trusted.

For context, we have a number of rules for trusted certificates in our daily database right now, most of which are for Microsoft code signing certificates. So you're probably seeing this message when scanning Microsoft-signed programs.

So the good news is that this bug's only adverse effect is that files which could have been trusted are instead fully scanned.

While working on improvements to the allmatch feature, I included a test to verify that the certificate trust feature works, which is when I realized the origin of this bug. I've kept the test, and have marked it as "expected failure": https://github.com/Cisco-Talos/clamav/pull/684/commits/0f5aeb7fe2939a6be1d34086c9b14c5b1f99e772#diff-4fffe0ac06fa6a2638d7264c4df60286cd139248cfca5ec19e5dca63b789d021R123-R160
Once we fix this issue, that test should pass.

I don't have an ETA for fixing this issue, however. One of my teammates is expected to work on this in the coming weeks.
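The update above describes a trust shortcut that fails closed: a file is skipped as trusted only when its publisher signature verifies, and an error inside the RSA modular exponentiation simply sends the file to the normal full scan. The script below is an added example of that decision logic; it is not ClamAV's code and does not reproduce the bug. It uses textbook RSA over a constructed toy key (two Mersenne primes, far too small for real use) in place of the Authenticode certificate chain, an `exptmod` wrapper that raises on invalid operands the way a bignum library returns an error code, and a `scan_decision` function whose names and return values are this example's own.

```python
"""Fail-closed publisher-trust check (added example, not ClamAV code).

Textbook RSA over a constructed toy key stands in for Authenticode
verification; the point is the decision: skip the full scan only when the
signature verifies, and treat any error from the modular-exponentiation
step as "not trusted", exactly like an unsigned file.
"""
import hashlib

# Constructed toy key: p = 2^31-1 and q = 2^61-1 are both prime (Mersenne primes).
# e = 65537 is coprime to (p-1)(q-1).  Requires Python 3.8+ for pow(e, -1, m).
P = (1 << 31) - 1
Q = (1 << 61) - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent, only used to make a sample signature


class ExptmodError(Exception):
    """Raised when modular exponentiation is handed invalid operands."""


def exptmod(base, exp, mod):
    """Modular exponentiation with the operand checks a bignum library performs.

    Returns the result on success and raises on invalid input instead of
    silently producing a wrong value (the analogue of a non-zero error code).
    """
    if mod <= 0 or exp < 0 or not 0 <= base < mod:
        raise ExptmodError("invalid operands")
    return pow(base, exp, mod)


def digest_int(data):
    """SHA-256 of the file bytes, reduced mod N so the toy key can sign it."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N


def sign(data):
    """The 'publisher' side: sign the digest with the toy private key."""
    return exptmod(digest_int(data), D, N)


def rsa_verify(data, signature):
    """True only if signature^E mod N equals the digest of data."""
    return exptmod(signature, E, N) == digest_int(data)


def scan_decision(data, signature):
    """Return 'trusted' (skip the full scan) or 'full_scan'.

    Only a successful verification grants trust.  A verification error is
    reported as a warning and falls through to the full scan, so a broken
    verifier can never cause malware to be skipped; it can only cost time.
    """
    try:
        if rsa_verify(data, signature):
            return "trusted"
    except ExptmodError as err:
        print(f"Warning: rsa_verify: verification failed: exptmod failed ({err})")
    return "full_scan"


if __name__ == "__main__":
    blob = b"constructed sample executable bytes"
    sig = sign(blob)
    print(scan_decision(blob, sig))           # trusted
    print(scan_decision(blob + b"x", sig))    # full_scan (content tampered)
    print(scan_decision(blob, sig + N))       # full_scan (operand error, warning printed)
```

The third call shows why the warning in this issue is noisy but harmless: when the exponentiation step errors out, the outcome is the same as for a file with no signature at all, namely a full signature scan.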