Open Sanesecurity opened 1 year ago
Interesting problem!
So scanning a network drive and using --copy or --move to quarantine files will be an issue.
I agree.
Interestingly clamscan v0.99.4 works fine... displays v:\infected etc.
The code changed a bit since then to try to make sure we weren't being tricked by symlinks into removing the wrong file, like a system file or something. I suppose there is a bug there now with regards to UNC path support.
0.102.2 scans ok and correct path v:\vpop3\
0.102.4 Can't scan: WARNING: Can't open file UNC\email\c$\VPOP3\
0.103.0 Scans but shows \?\UNC\email\c$\VPOP3\
I'm guessing:
https://github.com/Cisco-Talos/clamav/commit/b589762814cf618eb79453282db25146673f18a0
Other info found:
Problem with GetFileInformationByHandleEx: it returns only the file path inside the filesystem, without the device name (or drive letter, if you want). If this is OK, we can (and better) use this API. If we need the full path with the device, we need to use GetFinalPathNameByHandle.
Other code:
https://stackoverflow.com/questions/31439011/getfinalpathnamebyhandle-result-without-prepended
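The comment above points at the crux: GetFinalPathNameByHandle returns an extended-length path (`\\?\C:\...` or, for a mapped network drive, `\\?\UNC\server\share\...`), which is exactly the `\?\UNC\email\c$\...` string that 0.103.0 and later print. A component-by-component directory walk that splits that string on backslashes sees `?` as its first component, which is consistent with the `Failed to open file '?'` line reported later in this thread. The following is an added example, not ClamAV code and not code from any participant: a hypothetical `normalize_final_path()` that strips the `\\?\` and `\\?\UNC\` prefixes back to a conventional Win32 path, plus a `first_component()` helper that shows what a naive split would see before and after normalization. It is plain C with no Windows headers so it can run anywhere; in real use the input string would come from GetFinalPathNameByHandle, and the prefixes are assumed to be in the exact uppercase form Windows emits. The sample paths are constructed from the ones quoted in this issue.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not part of ClamAV): convert the extended-length
 * "final path" form that GetFinalPathNameByHandle() returns into the
 * conventional Win32 form.
 *   \\?\UNC\server\share\x  ->  \\server\share\x
 *   \\?\C:\x                ->  C:\x
 *   anything else           ->  unchanged
 * Returns 0 on success, -1 if the output buffer is too small.
 * Assumption: the prefixes are exactly "\\?\" / "\\?\UNC\" as Windows emits them. */
int normalize_final_path(const char *in, char *out, size_t outlen)
{
    static const char unc_pfx[] = "\\\\?\\UNC\\";   /* \\?\UNC\ */
    static const char ext_pfx[] = "\\\\?\\";        /* \\?\     */
    int n;

    /* The UNC form must be tested first: it also starts with "\\?\". */
    if (strncmp(in, unc_pfx, sizeof unc_pfx - 1) == 0) {
        /* Re-add the leading "\\" so the server name stays a UNC root. */
        n = snprintf(out, outlen, "\\\\%s", in + (sizeof unc_pfx - 1));
    } else if (strncmp(in, ext_pfx, sizeof ext_pfx - 1) == 0) {
        n = snprintf(out, outlen, "%s", in + (sizeof ext_pfx - 1));
    } else {
        n = snprintf(out, outlen, "%s", in);
    }
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Hypothetical helper: what a naive backslash-delimited walk would treat as
 * the first path component. Leading backslashes are skipped, then characters
 * are copied up to the next backslash. Returns the component length. */
size_t first_component(const char *path, char *out, size_t outlen)
{
    size_t i = 0, j = 0;

    while (path[i] == '\\')
        i++;
    while (path[i] != '\0' && path[i] != '\\' && j + 1 < outlen)
        out[j++] = path[i++];
    out[j] = '\0';
    return j;
}

int main(void)
{
    /* Constructed sample: the path clamscan printed for the mapped drive v:,
     * in the form GetFinalPathNameByHandle() would return it. */
    const char *samples[] = {
        "\\\\?\\UNC\\email\\c$\\infected\\I01d6333fcd4805cf.DAT",
        "\\\\?\\C:\\Windows\\System32\\drivers\\etc\\hosts",
        "v:\\infected\\I01d6333fcd4805cf.DAT",
    };
    char norm[512], comp[128];

    for (size_t k = 0; k < sizeof samples / sizeof samples[0]; k++) {
        first_component(samples[k], comp, sizeof comp);
        printf("raw:        %s\n  first component: \"%s\"\n", samples[k], comp);
        if (normalize_final_path(samples[k], norm, sizeof norm) != 0) {
            fprintf(stderr, "buffer too small\n");
            return 1;
        }
        first_component(norm, comp, sizeof comp);
        printf("normalized: %s\n  first component: \"%s\"\n\n", norm, comp);
    }
    return 0;
}
```

Note that stripping the prefix is only half the story for the symlink-safe deletion path this thread is about: after normalizing, the walk still has to open `\\server\share` as the root and then descend one component at a time, and a UNC root cannot be opened as a plain directory the way a drive letter can, so the root handling needs a separate branch rather than just a different string.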
same here. Scans ok but can't remove file.
Tested with... Clamscan 64 bit v1.0.1
clamscan --database=foxhole_filename.cdb v:\infected --remove
Loading: 0s, ETA: 0s [========================>] 3.28K/3.28K sigs Compiling: 0s, ETA: 0s [========================>] 10/10 tasks
\?\UNC\email\c$\infected\I01d6333fcd4805cf.DAT: Sanesecurity.Foxhole.Rar_fs2670.UNOFFICIAL FOUND
win32_openat: Failed to open file '?'. Error: 0xc000003b ioStatusBlock: 0x0
traverse_to: Failed open ?
traverse_unlink: Failed to open file descriptor for target directory!
Drive v: is just a mapped drive letter....
net use v:
Local name V:
Remote name \email\c$
So, while you can scan a mapped drive... It won't remove the file...