kobaltz / clamby

ClamAV interface to your Ruby on Rails project.
MIT License
132 stars 29 forks

Clamby showing false positives when scanning from attachment temp file location #31

Closed gregorybilello closed 4 years ago

gregorybilello commented 4 years ago

I'm not certain if this is a repeat of https://github.com/kobaltz/clamby/issues/9

I configured Clamby with ClamAV in a local environment, and didn't experience any issues.

However, when attempting to configure Clamby and ClamAV in a production environment, I'm experiencing an issue where the Clamby#safe? method returns false for all files and Clamby#virus? method returns true for all files.

My production environment is running Ubuntu 16.05.5 LTS, and ClamAV, clamd, and freshclam have been installed and configured properly, to my knowledge.

irb(main):001:0> Clamby::Command.clamscan_version
ClamAV 0.102.1
=> true
$ ps aux | grep clamd
clamav   26428  3.3 21.3 1073956 864960 ?      Ssl  16:06   1:13 /usr/sbin/clamd --foreground=true

Per ClamAV documentation, clamd is running under the "clamav" user. I'm not sure if this is how the daemon should be configured to work with Clamby or not.

/config/initializers/clamby.rb

Clamby.configure({
  :check => false,
  :daemonize => true,
  :error_clamscan_missing => false,
  :error_file_missing => false,
  :error_file_virus => false,
  :fdpass => true
})

When I check any file, even files contained in my Rails application, Clamby returns that all are viruses:

Example:

irb(main):001:0> test_path = "#{Rails.root}/README.md"
=> "/home/deploy/rails_app/README.md"
irb(main):002:0> Clamby.safe?(test_path)
=> false
irb(main):003:0> Clamby.virus?(test_path)
=> true

Additionally, clamd.conf and freshclam.conf have been configured properly:

clamd.conf
# Comment or remove the line below.
# Example
...
# TCP port address.
# Default: no
TCPSocket 3310
freshclam.conf
# Comment or remove the line below.
# Example

freshclam is also properly configured and updated:

$ freshclam
ClamAV update process started at Thu Dec 12 16:50:23 2019
daily.cld database is up to date (version: 25661, sigs: 2046351, f-level: 63, builder: raynman)
main.cvd database is up to date (version: 59, sigs: 4564902, f-level: 60, builder: sigmgr)
bytecode.cvd database is up to date (version: 331, sigs: 94, f-level: 63, builder: anvilleg)

Any help would be appreciated, as I'm not sure what's going wrong here between the various components involved.

Thanks.

gregorybilello commented 4 years ago

Just to provide some additional information, it appears this issue has something to do with the clamd daemon, as Clamby works just fine with daemonize: false in the configuration, although the check takes a little too long to be a viable solution.

irb(main):001:0> Clamby.config
=> {:check=>true, :daemonize=>false, :config_file=>nil, :error_clamscan_missing=>false, :error_clamscan_client_error=>false, :error_file_missing=>false, :error_file_virus=>false, :fdpass=>true, :stream=>false, :output_level=>"medium", :executable_path_clamscan=>"clamscan", :executable_path_clamdscan=>"clamdscan", :executable_path_freshclam=>"freshclam"}
irb(main):002:0> path = "#{Rails.root}/README.md"
=> "/home/deploy/rails_app/README.md"
irb(main):003:0> Clamby.virus?(path)
ClamAV 0.102.1/25661/Thu Dec 12 09:47:42 2019
/home/deploy/rails_app/README.md: OK
=> false
irb(main):004:0> Clamby.safe?(path)
ClamAV 0.102.1/25661/Thu Dec 12 09:47:42 2019
/home/deploy/rails_app/README.md: OK
=> true
gregorybilello commented 4 years ago

Interesting development as I continue working on this.

Updating clamd.conf to comment in TCPAddr 127.0.0.1 and restarting the clamd daemon actually allowed Clamby to work while testing files in the Rails console.

However, uploaded files appear to still always return as a virus.

I'm scanning the file on upload from the attachment #tempfile#path location:

attachment = params[:attachment]
path = attachment.tempfile.path
Clamby.virus?(path)
=> true
gregorybilello commented 4 years ago

One final note: I was still experiencing the above issue where scanning the file from the Rails default upload temp file location still always results in Clamby showing all files as viruses.

However, taking the file and writing it to some other location and then scanning it will render accurate results according to the tests I've done recently.

As examples, the following were both done with a file that is known to not be a virus:

The following doesn't appear to work:

attachment = params[:attachment]
path = attachment.tempfile.path
Clamby.virus?(path)
=> true

In the above example, all files return as true when #virus?(path) is called.

However, this solution does work:

attachment = params[:attachment]
path = "#{Rails.root}/#{attachment.original_filename}"
File.open(path, "wb") { |file| file.write(attachment.read) }
Clamby.virus?(path)
=> false

In this example, the file after being saved was correctly identified as safe.

gregorybilello commented 4 years ago

This issue has changed, so I've changed the name accordingly.

For my purposes, I've corrected the initial issue and I've gotten everything working in my production environment, but I've kept this open, as I'm not sure if this is intended behavior or not. Clamby is still showing false positives for me when scanning from attachment temp location when a form is submitted.

Feel free to close this issue if this is intended behavior.

kobaltz commented 4 years ago

This seems a bit similar to https://github.com/kobaltz/clamby/issues/26

Regardless, what is your upload mechanism; carrierwave, activestorage, refile, etc?

brotherjack commented 4 years ago

@kobaltz I have noticed the same behavior as @gregorybilello. I'm using ActiveStorage.

kobaltz commented 4 years ago

Thanks @brotherjack I'll look into this a bit

johnksawers commented 4 years ago

I'm seeing it with CarrierWave also. The file writing workaround posted above didn't fix the problem for me, but what did fix the problem was setting stream: true in the config. I'll take success where I find it :-).

Also: setting daemonize: false worked but as expected added 16 seconds to every upload while clamscan booted up, so was suboptimal.
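The two workarounds that commenters found effective (copying the upload elsewhere before scanning, and using stream mode) are illustrated below as an added example; this is not Clamby's code or the thread's. It assumes the daemon runs under a different OS user than the Rails process (as in the `ps` output above), that the private tempfile Rails hands you is therefore unreadable to it, and that `scanner` is a hypothetical callable returning a clamdscan-style exit status (0 clean, 1 infected, anything else an error). The point a defender needs from the thread is that an "error" outcome must never collapse into "infected" or "clean".

```ruby
# Added example, not part of the clamby project. `scanner` stands in for the
# real scan command; the daemon-uid readability check is an assumption about
# the cause of the symptom described in the thread, not something it proves.
require 'fileutils'
require 'tmpdir'

module UploadScan
  Result = Struct.new(:status, :detail) # status: :clean, :infected, :error

  # True when the file is owned by the daemon's uid or is world-readable.
  # Ruby's Tempfile creates files with mode 0600, so a daemon under another
  # uid cannot open a Rails upload tempfile in place.
  def self.readable_by?(path, uid)
    st = File.stat(path)
    st.uid == uid || (st.mode & 0o004) != 0
  end

  # Strategy 1 (thread workaround): copy the upload somewhere the daemon can
  # read, scan the copy, always remove it afterwards.
  def self.scan_via_copy(path, daemon_uid:, scanner:, dir: Dir.tmpdir)
    copy = File.join(dir, "scan-#{File.basename(path)}")
    FileUtils.cp(path, copy)
    File.chmod(0o644, copy)
    unless readable_by?(copy, daemon_uid)
      return Result.new(:error, "daemon uid #{daemon_uid} cannot read #{copy}")
    end
    interpret(scanner.call(copy))
  ensure
    FileUtils.rm_f(copy) if copy
  end

  # Strategy 2 (stream: true in the thread): send the bytes to the daemon
  # instead of a path, so file permissions never matter. The scanner here
  # receives the content rather than a filename.
  def self.scan_via_stream(path, scanner:)
    interpret(scanner.call(File.binread(path)))
  end

  # Map an exit status to an explicit outcome. Exit status 2 (client or
  # daemon error, e.g. "Access denied") is neither clean nor infected.
  def self.interpret(exit_status)
    case exit_status
    when 0 then Result.new(:clean, nil)
    when 1 then Result.new(:infected, nil)
    else Result.new(:error, "scanner exit status #{exit_status}")
    end
  end
end
```

In production, pair this with Clamby's error_clamscan_client_error option so a daemon that cannot open the file raises instead of being silently mapped to a verdict.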