Cisco-Talos / clamav

ClamAV - Documentation is here: https://docs.clamav.net
https://www.clamav.net/
GNU General Public License v2.0

Windows clamscan UNC path #839

Open Sanesecurity opened 1 year ago

Sanesecurity commented 1 year ago

Tested with... Clamscan 64 bit v1.0.1

clamscan --database=foxhole_filename.cdb v:\infected --remove

Loading: 0s, ETA: 0s [========================>] 3.28K/3.28K sigs Compiling: 0s, ETA: 0s [========================>] 10/10 tasks

\\?\UNC\email\c$\infected\I01d6333fcd4805cf.DAT: Sanesecurity.Foxhole.Rar_fs2670.UNOFFICIAL FOUND

win32_openat: Failed to open file '?'. Error: 0xc000003b ioStatusBlock: 0x0 traverse_to: Failed open ? traverse_unlink: Failed to open file descriptor for target directory!

Drive v: is just a mapped drive letter....

net use v:

Local name   V:
Remote name  \\email\c$

So, while you can scan a mapped drive... It won't remove the file...

So scanning a network drive and using --copy or --move to quarantine files will be an issue.

Interestingly clamscan v0.99.4 works fine... displays v:\infected etc.

micahsnyder commented 1 year ago

Interesting problem!

So scanning a network drive and using --copy or --move to quarantine files will be an issue.

I agree.

Interestingly clamscan v0.99.4 works fine... displays v:\infected etc.

The code changed a bit since then to try to make sure we weren't being tricked by symlinks into removing the wrong file, like a system file or something. I suppose there is a bug there now with regards to UNC path support.

Sanesecurity commented 1 year ago

0.102.2 scans ok and correct path v:\vpop3\

0.102.4 Can't scan: WARNING: Can't open file UNC\email\c$\VPOP3\

0.103.0 Scans but shows \\?\UNC\email\c$\VPOP3\

I'm guessing:

https://github.com/Cisco-Talos/clamav/commits/6eebecc3034a630b105437fc63c0b8bbd95ec191/libclamav/others_common.c

https://github.com/Cisco-Talos/clamav/commit/b589762814cf618eb79453282db25146673f18a0

Other info found:

The problem with GetFileInformationByHandleEx is that it returns only the file path inside the filesystem, without the device name (or drive letter, if you want). If this is OK, you can, and better, use this API. If you need the full path with the device, you need to use GetFinalPathNameByHandle.

Other code:

https://stackoverflow.com/questions/31439011/getfinalpathnamebyhandle-result-without-prepended
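The `\\?\UNC\...` string that clamscan prints above is the Windows extended-length path prefix that GetFinalPathNameByHandle returns (with FILE_NAME_NORMALIZED | VOLUME_NAME_DOS), and for a mapped drive it names the share target, not the `v:` letter the user typed. Below is an added example, not ClamAV's code and not code from this issue, of the normalization a caller would apply before displaying such a path or handing it to DeleteFile/MoveFile: it rewrites `\\?\UNC\server\share\...` to `\\server\share\...` and drops a bare `\\?\` in front of a drive path. It is plain portable C over narrow strings so it compiles anywhere; on Windows the input would be the wide buffer from GetFinalPathNameByHandleW, converted first. The function names and the `C:\Windows\Temp` sample are my own; the UNC sample is the path from this issue.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Copy n bytes of s into a new NUL-terminated buffer (caller frees). */
static char *dup_bytes(const char *s, size_t n)
{
    char *out = malloc(n + 1);
    if (out == NULL)
        return NULL;
    memcpy(out, s, n);
    out[n] = '\0';
    return out;
}

/* Case-insensitive prefix test: Windows paths (and "UNC") are case-insensitive. */
static int has_prefix_ci(const char *s, const char *prefix)
{
    while (*prefix != '\0') {
        if (*s == '\0' ||
            toupper((unsigned char)*s) != toupper((unsigned char)*prefix))
            return 0;
        s++;
        prefix++;
    }
    return 1;
}

/*
 * Hypothetical helper (not a ClamAV function): turn a Win32 "final path"
 * into the conventional form users and DeleteFile/MoveFile expect.
 *
 *   \\?\UNC\server\share\dir\file  ->  \\server\share\dir\file
 *   \\?\C:\dir\file                ->  C:\dir\file
 *   anything else                  ->  copied unchanged
 *
 * Returns a malloc'd string (caller frees) or NULL on allocation failure.
 */
char *strip_win32_extended_prefix(const char *path)
{
    const char *rest;
    char *out;

    if (path == NULL)
        return NULL;

    if (has_prefix_ci(path, "\\\\?\\UNC\\")) {
        /* Replace "\\?\UNC\" with "\\", keeping server\share\... */
        rest = path + strlen("\\\\?\\UNC\\");
        out = malloc(2 + strlen(rest) + 1);
        if (out == NULL)
            return NULL;
        out[0] = '\\';
        out[1] = '\\';
        memcpy(out + 2, rest, strlen(rest) + 1);
        return out;
    }

    if (has_prefix_ci(path, "\\\\?\\")) {
        /* Drop the bare "\\?\" prefix in front of a drive path. */
        rest = path + strlen("\\\\?\\");
        return dup_bytes(rest, strlen(rest));
    }

    return dup_bytes(path, strlen(path));
}

/*
 * Hypothetical helper: does this path refer to a network share?
 * True for "\\?\UNC\..." and for "\\server\..." (but not "\\?\C:" or "\\.\").
 * A scanner can use this to report the share target when the user gave a
 * mapped drive letter, since the handle's final path no longer carries "v:".
 */
int win32_path_is_unc(const char *path)
{
    if (path == NULL)
        return 0;
    if (has_prefix_ci(path, "\\\\?\\UNC\\"))
        return 1;
    if (path[0] == '\\' && path[1] == '\\' && path[2] != '\0' &&
        path[2] != '?' && path[2] != '.')
        return 1;
    return 0;
}

int main(void)
{
    /* Constructed inputs: the first is the path printed in this issue. */
    const char *samples[] = {
        "\\\\?\\UNC\\email\\c$\\infected\\I01d6333fcd4805cf.DAT",
        "\\\\?\\C:\\Windows\\Temp\\sample.dat",
        "C:\\Windows\\Temp\\sample.dat",
    };
    size_t i;

    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        char *clean = strip_win32_extended_prefix(samples[i]);
        printf("%-55s -> %s (unc=%d)\n", samples[i], clean,
               win32_path_is_unc(clean));
        free(clean);
    }
    return 0;
}
```

The two prefixes are checked in that order because `\\?\` is itself a prefix of `\\?\UNC\`; checking the shorter form first would leave a path starting with `UNC\email\...`, which is close to what the 0.102.4 warning above shows.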

plumlis commented 8 months ago

same here. Scans ok but can't remove file.