Closed: fbarre96 closed this issue 7 years ago.
I think your plugins are out of date; can you please run:
$ malice plugin update --all
Actually, hmm, it looks like AVG is timing out. All malice plugins run independently as well, so you can try:
$ docker run --rm -v `pwd`:/malware malice/avg --timeout 300 --table evil.malware
This will run the AVG plugin by itself and increase the default timeout to 300 secs.
It looks, however, like it is taking the avg daemon alone more than 30 secs just to start, which I have never seen on my test machine... I need to update that plugin so that the CLI arg for timeout also affects the starting of the daemon, but it is strange that it would take so long.
It looks like you have a LOT of stopped containers too, you might want to run:
$ docker rm `docker ps --no-trunc --filter "status=exited" -q`
to clear them out.
You might want to go into `~/.malice/plugins.toml` and disable the VT and totalhash plugins, as you need API keys for them to work.
You can also try running the avast plugin by itself like this:
$ docker run --rm -v /path/to/malware:/malware:ro malice/avast -V --table FILE
And show me the output; it should have DEBUG output (because the `-V` flag is set) and show me why there is an index out of range error happening.
Thank you!
The reason that I think exiftool is failing is that actually libmagic is failing because it is taking a long time to finish and there is a race condition happening. Either that is a pretty cool piece of malware or your machine is very slow?
UPDATE: your machine should be fine from seeing the specs up above, so I think that malware is pretty cool 😎
This is all great to know however, as I usually test with the same 4 pieces of malware and know that there are edge cases I haven't seen yet. Thank you for letting me know 👍
Are those two scans? I don't understand why there are two NSRL and ShadowServer outputs, as well as a failed libmagic and a successful one?
So!
The malware (downloaded here: http://openmalware.org/search.cgi?search=Lady):
MD5: 65bb7a968098bb6b3d62e7edf7cdae39
SHA1: 012d4de9f1439348d89dae0e3a2d1ddaf33f31ac
SHA256: b9bfb323d15ad4669781cb93e3c8f01fd2ad37b60d77c43fbe57b0942fbc0598
OCID: 321376031
Original Filename: Virus.DOS.Lady.873
Added: 2007-01-15 16:35:31.175765
I deleted all exited dockers (thx for the command)
All plugins were up to date
I ran avg and avast standalone with a 300 timeout, and it worked fine for both (except that avast says it is not infected, but that is another story..)
It was only one scan.
I ran a full scan again with
$ docker run --rm -v /var/run/docker.sock:/var/run/docker.sock -v `pwd`:/malice/samples malice/engine scan malware.exe
I get the same output as before, except that avg shows a result. (avast still bugging ='( )
I think I'll just write a little script to run these two plugins apart from the others.
@fbarre96 are you saying that Avast was still failing? If so, can you post the output with the `-V` flag set?
Field | Value |
---|---|
Name | malice |
Path | /usr/local/bin/malice |
Size | 16.85 MB |
MD5 | d198cccd47ffd98c99ca61a97e9d7328 |
SHA1 | 98e32660543eb0a084956e3aea52a538b295c4b9 |
SHA256 | 5232dbfbba82e68b5c09a7b943dc4aad0ab7baae50a2eac10cac57dcdfe9731e |
```
panic: runtime error: index out of range

goroutine 1 [running]:
panic(0x85cde0, 0xc420014090)
	/usr/local/go/src/runtime/panic.go:500 +0x1a1
main.ParseAvastOutput(0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, ...)
	/go/src/github.com/maliceio/malice-avast/scan.go:119 +0x575
main.AvScan(0x78, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0)
	/go/src/github.com/maliceio/malice-avast/scan.go:84 +0x2b9
main.main.func3(0xc420082780, 0x0, 0x0)
	/go/src/github.com/maliceio/malice-avast/scan.go:318 +0x17f
github.com/urfave/cli.HandleAction(0x83fe00, 0xc4200154a0, 0xc420082780, 0x0, 0x0)
	/go/src/github.com/urfave/cli/app.go:485 +0xd4
github.com/urfave/cli.(*App).Run(0xc42007cb60, 0xc42000c330, 0x3, 0x3, 0x0, 0x0)
	/go/src/github.com/urfave/cli/app.go:259 +0x74f
main.main()
	/go/src/github.com/maliceio/malice-avast/scan.go:357 +0x78f
```
Field | Value |
---|---|
Mime | application/x-executable |
Description | ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, not stripped |
98304:wc8KFQPNyXsulgYpbX7KvKi8KIm95+UKNun+is:wc8KFQPNyXsuOYpbLKvKHKIm9MZk+is
Field | Value |
---|---|
error | context deadline exceeded |
Infected | Result | Engine | Updated |
---|---|---|---|
false | | 4.6.5.141 | 20170129 |
time="2017-02-10T09:41:24Z" level=fatal msg="Command /etc/init.d/avgd timed out." category=av path="/malware/5232dbfbba82e68b5c09a7b943dc4aad0ab7baae50a2eac10cac57dcdfe9731e" plugin=avg
Rule | Description | Offset | Data | Tags |
---|---|---|---|---|
embedded_win_api | A non-Windows executable contains win32 API functions names | 7793322 | WriteFile | |
maldoc_suspicious_strings | | 7793162 | ReadFile | |
PEiD_00055_Alias_PIX_Vivid_IMG_Graphicsformat | [Alias PIX/Vivid IMG Graphics format] | 5811753 | �� 0 P | |
PEiD_02402_UPolyX_V01____Delikon | [UPolyX V0.1 -> Delikon] | 5154234 | ���� | |
Infected | Result | Engine | Updated |
---|---|---|---|
false | | 1.1 | 20170129 |
time="2017-02-10T09:41:51Z" level=fatal msg="Command /opt/f-secure/fsav/bin/fsav timed out." category=av path="/malware/5232dbfbba82e68b5c09a7b943dc4aad0ab7baae50a2eac10cac57dcdfe9731e" plugin=fsecure
Infected | Result | Engine | Updated |
---|---|---|---|
false | | | |
Infected | Result | Engine | Updated |
---|---|---|---|
false | | | |
time="2017-02-10T09:42:01Z" level=fatal msg="Command savscan timed out." category=av path="/malware/5232dbfbba82e68b5c09a7b943dc4aad0ab7baae50a2eac10cac57dcdfe9731e" plugin=sophos
Here is the scan I did today.
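The `index out of range` panic in the trace above is the signature of a parser that indexes into the engine's output without first checking that the expected field is there, which is exactly what happens when a daemon that never finished starting hands back empty output. The following is an added illustration, not code from malice-avast: the tab-separated `<path><TAB><verdict>` line format, the `[OK]` clean marker and the sample outputs are all constructed assumptions. It shows the unchecked pattern beside a version that validates its indexes and returns an error the plugin can log next to the timeout that caused it.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// ScanResult is the plugin-style summary produced from the engine output.
type ScanResult struct {
	Infected bool
	Result   string // engine verdict text; empty when the file is clean
}

// ErrUnexpectedOutput is returned, instead of panicking, when the engine
// output does not have the shape the parser expects. Empty output is the
// common case: the daemon timed out before the scan produced anything.
var ErrUnexpectedOutput = errors.New("unexpected scanner output")

// Constructed sample outputs. The "<path>\t<verdict>" format and the "[OK]"
// clean marker are assumptions for this illustration, not the real engine's
// output format.
const (
	sampleClean    = "/malware/sample\t[OK]\n"
	sampleInfected = "/malware/sample\tVirus.DOS.Lady.873 [Vir]\n"
	sampleEmpty    = "" // what you get when the daemon never answered
)

// parseUnchecked reproduces the failure mode: it assumes the first line
// carries a tab-separated verdict and indexes fields[1] blindly. On empty
// output strings.Split yields a single empty field, so fields[1] panics
// with "index out of range".
func parseUnchecked(out string) ScanResult {
	line := strings.Split(out, "\n")[0]
	fields := strings.Split(line, "\t")
	verdict := fields[1]
	return ScanResult{Infected: verdict != "[OK]", Result: verdict}
}

// ParseScanOutput is the defensive version: it validates every index it
// relies on, skips lines that carry no verdict, and reports malformed
// output as an error rather than crashing the whole plugin.
func ParseScanOutput(out string) (ScanResult, error) {
	if strings.TrimSpace(out) == "" {
		return ScanResult{}, fmt.Errorf("%w: empty output", ErrUnexpectedOutput)
	}
	for _, line := range strings.Split(out, "\n") {
		fields := strings.SplitN(line, "\t", 2)
		if len(fields) != 2 {
			continue // banner or progress lines carry no verdict
		}
		verdict := strings.TrimSpace(fields[1])
		if verdict == "[OK]" {
			return ScanResult{Infected: false}, nil
		}
		return ScanResult{Infected: true, Result: verdict}, nil
	}
	return ScanResult{}, fmt.Errorf("%w: no verdict line found", ErrUnexpectedOutput)
}

// panicsOnEmpty shows that the unchecked parser really does panic on empty
// output; recover turns the runtime error into a boolean for demonstration.
func panicsOnEmpty() (panicked bool) {
	defer func() {
		if recover() != nil {
			panicked = true
		}
	}()
	parseUnchecked(sampleEmpty)
	return false
}

func main() {
	fmt.Println("unchecked parser panics on empty output:", panicsOnEmpty())
	for _, out := range []string{sampleClean, sampleInfected, sampleEmpty} {
		res, err := ParseScanOutput(out)
		fmt.Printf("result=%+v err=%v\n", res, err)
	}
}
```

Returning an error instead of panicking matters in a multi-plugin pipeline like this one: a panic discards the plugin's whole result and leaves the caller unable to tell a hung daemon from a genuinely malformed report, whereas an `ErrUnexpectedOutput` wrapped around the cause can be rendered in the same `error | ...` table row the other plugins already produce on timeout.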
I have added the ability for each malice plugin to respect the `MALICE_TIMEOUT` env var. So you should be able to `export MALICE_TIMEOUT=600` and have all plugins now have a 10min timeout in place.
You might have to reinstall malice and make sure you remove the old `~/.malice` folder, or at least the `~/.malice/plugin.toml` file, so the new one will have the env flags.
I am going to work on the ability to upgrade configs automatically soon.
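To show what a shared timeout like `MALICE_TIMEOUT` looks like inside a plugin, here is an added Go example; it is not malice's own code, and the 60-second `DefaultTimeout`, the `TimeoutFromEnv`/`RunWithTimeout` helpers and the use of `sleep` as a stand-in for a slow daemon start are assumptions. It reads the env var, falls back to the default on unset or unparsable values, and runs the engine command under a `context` deadline so a hung start surfaces as `context.DeadlineExceeded` instead of blocking the scan.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"os"
	"os/exec"
	"strconv"
	"time"
)

// DefaultTimeout is an assumed fallback used when MALICE_TIMEOUT is unset
// or unusable (the real plugins' default is not shown in the thread).
const DefaultTimeout = 60 * time.Second

// TimeoutFromEnv turns MALICE_TIMEOUT (whole seconds) into a Duration.
// lookup is injected so the parsing can be exercised without touching the
// process environment; pass os.LookupEnv in real use.
func TimeoutFromEnv(lookup func(string) (string, bool)) time.Duration {
	v, ok := lookup("MALICE_TIMEOUT")
	if !ok {
		return DefaultTimeout
	}
	secs, err := strconv.Atoi(v)
	if err != nil || secs <= 0 {
		// A value like "10m" or "-5" must not silently become "no timeout",
		// which would let a stuck daemon hang the whole scan.
		return DefaultTimeout
	}
	return time.Duration(secs) * time.Second
}

// RunWithTimeout runs an engine command under a context deadline. When the
// deadline fires the child is killed and the returned error wraps
// context.DeadlineExceeded, so the caller can tell a hung daemon start
// apart from an ordinary non-zero exit.
func RunWithTimeout(timeout time.Duration, name string, args ...string) ([]byte, error) {
	ctx, cancel := context.WithTimeout(context.Background(), timeout)
	defer cancel()
	out, err := exec.CommandContext(ctx, name, args...).CombinedOutput()
	if ctx.Err() != nil {
		return out, fmt.Errorf("command %s timed out after %s: %w", name, timeout, ctx.Err())
	}
	return out, err
}

// IsTimeout reports whether err came from the deadline rather than the command.
func IsTimeout(err error) bool {
	return errors.Is(err, context.DeadlineExceeded)
}

func main() {
	timeout := TimeoutFromEnv(os.LookupEnv)
	fmt.Println("effective timeout:", timeout)
	// Stand-in for a slow daemon start: "sleep 3" under a 200ms deadline.
	_, err := RunWithTimeout(200*time.Millisecond, "sleep", "3")
	fmt.Println("timed out:", IsTimeout(err), "err:", err)
}
```

One caveat when applying this to an AV plugin: the context kills only the process it started. If the engine's start script backgrounds a daemon, that daemon keeps running after the timeout, so the plugin should either wait on the daemon's own readiness check under the same deadline or run the engine in a mode that does not detach.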
Output of `go version`:

Output of `docker version`:

Output of `docker info`:

Additional environment details (AWS, VirtualBox, physical, Docker For Mac, Docker Toolbox, docker-machine, etc.): I'm running on a real machine, quite slow but quick enough for my needs.

Steps to reproduce the issue:

Describe the results you received: Sorted in time, I have all those plugins that fail: Avast, totalhash, Exiftools, NSRL, avg
File
NSRL Database
ShadowServer
2017/02/07 13:47:52 cannot open; magic mime db is already open
Comodo
```
panic: runtime error: index out of range

goroutine 1 [running]:
panic(0x85cde0, 0xc420014090)
	/usr/local/go/src/runtime/panic.go:500 +0x1a1
main.ParseAvastOutput(0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, ...)
	/go/src/github.com/maliceio/malice-avast/scan.go:119 +0x575
main.AvScan(0x78, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0)
	/go/src/github.com/maliceio/malice-avast/scan.go:84 +0x2b9
main.main.func3(0xc42008a780, 0x0, 0x0)
	/go/src/github.com/maliceio/malice-avast/scan.go:318 +0x17f
github.com/urfave/cli.HandleAction(0x83fe00, 0xc4200154a0, 0xc42008a780, 0x0, 0x0)
	/go/src/github.com/urfave/cli/app.go:485 +0xd4
github.com/urfave/cli.(*App).Run(0xc42007cea0, 0xc42000c330, 0x3, 0x3, 0x0, 0x0)
	/go/src/github.com/urfave/cli/app.go:259 +0x74f
main.main()
	/go/src/github.com/maliceio/malice-avast/scan.go:357 +0x78f
```
F-PROT
time="2017-02-07T13:48:19Z" level=fatal msg="Please supply a valid #totalhash user/key with the flags '--user' and '--key'"
time="2017-02-07T13:48:19Z" level=fatal msg="Please supply a valid MALICE_VT_API key with the flag '--api'."
Magic
SSDeep
24:kT5IyR8dK0LhNqB9sIBzHMb5Js1io1fGOwRQ1O4TulnUxm:kRRF0feBjwU1HuJoTQ
TRiD
Exiftool
Yara
ShadowServer
time="2017-02-07T13:48:14Z" level=fatal msg="Please supply a valid SHA1 hash to query NSRL with."
Floss
Decoded Strings
No Strings
Stack Strings
No Strings
F-Secure
time="2017-02-07T13:48:53Z" level=fatal msg="Command /etc/init.d/avgd timed out." category=av path="/malware/b9bfb323d15ad4669781cb93e3c8f01fd2ad37b60d77c43fbe57b0942fbc0598" plugin=avg
Bitdefender
Sophos
ClamAV
Describe the results you expected: I would like to have at least avast and/or avg working =)
Additional information you deem important (e.g. issue happens only occasionally): Issue happens every time (Exiftools seems to work from time to time). Thank you =)