nextcloud / files_antivirus

👾 Antivirus app for Nextcloud Files
https://apps.nextcloud.com/apps/files_antivirus
GNU Affero General Public License v3.0

Infected file detected and deleted, "Only log" option being ignored #148

Open GAS85 opened 4 years ago

GAS85 commented 4 years ago

Steps to reproduce

  1. Set ClamAV to only log detected files: (screenshot)
  2. Create a test txt file with content as per https://en.wikipedia.org/wiki/EICAR_test_file
  3. See that the file was detected and deleted (screenshot)

Expected behaviour

File has been logged, admin notified.

Actual behaviour

Log only option being ignored.

Server configuration

Operating system: Ubuntu 18.04

Web server: Apache/2.4.41

Database: mysql Ver 15.1 Distrib 10.1.44-MariaDB

PHP version: 7.3.16

Nextcloud version: 18.0.3

Where did you install Nextcloud from: Official

List of activated apps:

Enabled:
  - accessibility: 1.4.0
  - activity: 2.11.0
  - admin_audit: 1.8.0
  - audioplayer: 2.10.0
  - bruteforcesettings: 1.6.0
  - calendar: 2.0.3
  - checksum: 0.4.4
  - cloud_federation_api: 1.1.0
  - comments: 1.8.0
  - data_request: 1.5.0
  - dav: 1.14.0
  - deck: 0.8.2
  - drawio: 0.9.5
  - federatedfilesharing: 1.8.0
  - federation: 1.8.0
  - files: 1.13.1
  - files_antivirus: 2.3.0
  - files_automatedtagging: 1.8.2
  - files_external: 1.9.0
  - files_mindmap: 0.0.21
  - files_pdfviewer: 1.7.0
  - files_retention: 1.7.0
  - files_rightclick: 0.15.2
  - files_sharing: 1.10.1
  - files_trashbin: 1.8.0
  - files_versions: 1.11.0
  - files_videoplayer: 1.7.0
  - firstrunwizard: 2.7.0
  - flowupload: 0.1.8
  - gpxpod: 4.2.1
  - keeweb: 0.6.2
  - logreader: 2.3.0
  - lookup_server_connector: 1.6.0
  - mail: 1.3.2
  - maps: 0.1.6
  - nextcloud_announcements: 1.7.0
  - notes: 3.2.0
  - notifications: 2.6.0
  - oauth2: 1.6.0
  - ocdownloader: 1.7.6
  - password_policy: 1.8.0
  - phonetrack: 0.6.2
  - photos: 1.0.0
  - polls: 1.3.0
  - previewgenerator: 2.3.0
  - privacy: 1.2.0
  - provisioning_api: 1.8.0
  - radio: 0.6.6
  - recommendations: 0.6.0
  - serverinfo: 1.8.0
  - settings: 1.0.0
  - sharebymail: 1.8.0
  - spreed: 8.0.7
  - survey_client: 1.6.0
  - systemtags: 1.8.0
  - text: 2.0.0
  - theming: 1.9.0
  - twofactor_backupcodes: 1.7.0
  - twofactor_totp: 4.1.3
  - unsplash: 1.1.5
  - updatenotification: 1.8.0
  - viewer: 1.2.0
  - weather: 1.7.1
  - workflowengine: 2.0.0
Disabled:
  - encryption
  - impersonate
  - sharerenamer
  - support
  - user_ldap

Nextcloud configuration:

{
    "system": {
        "instanceid": "***REMOVED SENSITIVE VALUE***",
        "passwordsalt": "***REMOVED SENSITIVE VALUE***",
        "secret": "***REMOVED SENSITIVE VALUE***",
        "trusted_domains": {
            "0": "***REMOVED SENSITIVE VALUE***",
            "2": "***REMOVED SENSITIVE VALUE***"
        },
        "datadirectory": "***REMOVED SENSITIVE VALUE***",
        "overwrite.cli.url": "https:\/\/***REMOVED SENSITIVE VALUE***\/nextcloud",
        "dbtype": "mysql",
        "version": "18.0.3.0",
        "dbname": "***REMOVED SENSITIVE VALUE***",
        "dbhost": "***REMOVED SENSITIVE VALUE***",
        "dbport": "",
        "dbtableprefix": "oc_",
        "mysql.utf8mb4": true,
        "dbuser": "***REMOVED SENSITIVE VALUE***",
        "dbpassword": "***REMOVED SENSITIVE VALUE***",
        "installed": true,
        "filesystem_check_changes": 0,
        "memcache.local": "\\OC\\Memcache\\APCu",
        "memcache.locking": "\\OC\\Memcache\\Redis",
        "memcache.distributed": "\\OC\\Memcache\\Redis",
        "redis": {
            "host": "***REMOVED SENSITIVE VALUE***",
            "port": 6379,
            "timeout": 1.5
        },
        "mail_smtpmode": "smtp",
        "mail_smtpauthtype": "LOGIN",
        "mail_from_address": "***REMOVED SENSITIVE VALUE***",
        "mail_domain": "***REMOVED SENSITIVE VALUE***",
        "maintenance": false,
        "theme": "",
        "logfile": "\/***REMOVED SENSITIVE VALUE***\/nextcloud.log",
        "loglevel": 1,
        "trashbin_retention_obligation": "14, auto",
        "versions_retention_obligation": "14, auto",
        "data-fingerprint": "***REMOVED SENSITIVE VALUE***",
        "enable_previews": true,
        "enabledPreviewProviders": [
            "OC\\Preview\\PNG",
            "OC\\Preview\\JPEG",
            "OC\\Preview\\GIF",
            "OC\\Preview\\BMP",
            "OC\\Preview\\XBitmap",
            "OC\\Preview\\Movie",
            "OC\\Preview\\PDF",
            "OC\\Preview\\MP3",
            "OC\\Preview\\TXT",
            "OC\\Preview\\MarkDown"
        ],
        "preview_max_x": 1920,
        "preview_max_y": 1080,
        "auth.bruteforce.protection.enabled": true,
        "simpleSignUpLink.shown": false,
        "mail_smtpsecure": "tls",
        "mail_smtpauth": 1,
        "mail_smtphost": "***REMOVED SENSITIVE VALUE***",
        "mail_smtpport": "587",
        "mail_smtpname": "***REMOVED SENSITIVE VALUE***",
        "mail_smtppassword": "***REMOVED SENSITIVE VALUE***",
        "twofactor_enforced": "true",
        "twofactor_enforced_groups": [
            "admin"
        ],
        "twofactor_enforced_excluded_groups": [],
        "has_rebuilt_cache": true,
        "updater.release.channel": "stable",
        "app_install_overwrite": [
            "keeweb",
            "radio"
        ]
    }
}

Nextcloud log (data/owncloud.log)

{"reqId":"Gt7Vps8HTaH9lR2gFYWi","level":2,"time":"2020-04-28T08:53:27+00:00","remoteAddr":"1.1.1.1.","user":"USER","app":"files_antivirus","method":"GET","url":"/index.php/apps/text/session/create?fileId=4638250&filePath=%2FNew+text+document.txt&guestName=null&forceRecreate=false","message":"Infected file deleted. Eicar-Signature Account: USER Path: appdata_XXXXX/text/documents/4638250","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:73.0) Gecko/20100101 Firefox/73.0","version":"18.0.3.0","id":"5ea7f038c1bc4"}
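
The following Python example is added here and is not from the issue or the files_antivirus project. It scans Nextcloud JSON log lines for the "Infected file deleted" entry quoted above and returns the signature, account, path and the request being served, so an admin running with "only log" can list files that were removed anyway. The function name, record keys and every sample line except the first are constructed for illustration.

```python
import json
import re

# Message layout taken from the log line quoted in the report; other
# files_antivirus message wordings are not assumed and are skipped.
DELETED_RE = re.compile(
    r"^Infected file deleted\. (?P<signature>.+?) "
    r"Account: (?P<account>.+?) Path: (?P<path>.+)$"
)

def find_av_deletions(lines):
    """Return one record per files_antivirus 'Infected file deleted' entry."""
    hits = []
    for raw in lines:
        try:
            entry = json.loads(raw)
        except json.JSONDecodeError:
            continue  # empty, truncated or non-JSON line
        if not isinstance(entry, dict) or entry.get("app") != "files_antivirus":
            continue
        m = DELETED_RE.match(str(entry.get("message", "")))
        if m is None:
            continue
        hits.append({
            "time": entry.get("time"),
            "reqId": entry.get("reqId"),
            # Request being served when the entry was written, query string dropped
            "trigger": f'{entry.get("method")} {str(entry.get("url", "")).split("?")[0]}',
            **m.groupdict(),
        })
    return hits

# Constructed sample: the first line is shortened from the report's log entry,
# the others are made up to exercise the filters.
SAMPLE_LOG = [
    '{"reqId":"Gt7Vps8HTaH9lR2gFYWi","level":2,"time":"2020-04-28T08:53:27+00:00",'
    '"user":"USER","app":"files_antivirus","method":"GET",'
    '"url":"/index.php/apps/text/session/create?fileId=4638250",'
    '"message":"Infected file deleted. Eicar-Signature Account: USER '
    'Path: appdata_XXXXX/text/documents/4638250"}',
    '{"reqId":"constructed-1","level":1,"app":"core","message":"constructed entry"}',
    '{"reqId":"constructed-2","level":2,"app":"files_antivirus","message":"other wording"}',
    '{"reqId":"trunc',
]

if __name__ == "__main__":
    for hit in find_av_deletions(SAMPLE_LOG):
        print(hit["time"], hit["trigger"], hit["signature"], hit["account"], hit["path"])
```

To check a real instance, pass the open log file object (the path set as "logfile" in config.php) to find_av_deletions instead of SAMPLE_LOG.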

harveyche commented 4 years ago

I have the same issue. Infected file is deleted even when "only log" is selected.

AetherCollective commented 4 years ago

I have the same issue. I posted my logs for this issue in the mentioned link above.

cedjo commented 2 years ago

Any update on this issue? I have the same with version 4.0.0. Thanks

AndyScherzinger commented 1 year ago

cc @icewind1991 for feedback

devi69 commented 2 months ago

Could it be that the files were added from the web UI? Is there a possibility that this option only works during background scans? "When infected files are found during a background scan"