nextcloud / files_antivirus

👾 Antivirus app for Nextcloud Files
https://apps.nextcloud.com/apps/files_antivirus
GNU Affero General Public License v3.0

False Positive Win.Dropper.Miner-7086571-0 #163

Open Happyfeet01 opened 3 years ago

Happyfeet01 commented 3 years ago

Today I looked at my Cloud Activities and I see many, many files there that are indexed as "Win.Dropper.Miner-7086571-0": some .exe files and many .DNG and *.jpg files made with my smartphone.

I think it's a false positive.

Nextcloud Log:


Infected file found (during background scan) Win.Dropper.Miner-7086571-0 File: 22665 Account: lars Path: /lars/files/Photos/RAW/2018/11/IMG_20181129_123047.dng

Infected file found (during background scan) Win.Dropper.Miner-7086571-0 File: 22598 Account: lars Path: /lars/files/Videos/Nussknacker_und_Mausekoenig_S08E02_15.12.25_15-00_ard_60_TVOON_DE.mpg.HD.avi

Infected file found (during background scan) Win.Dropper.Miner-7086571-0 File: 22595 Account: lars Path: /lars/files/Videos/160321_kudamm_teil2_kud_436k_p5v12.3gp

and many files more.....

How can I check whether these files are really infected, or can I put the files on a whitelist?

markuman commented 3 years ago

@Happyfeet01 this is the last message, where the rules are already applied. You need to grep the first message from your nextcloud.log. The first one's level will be 0. On that message you can add custom rules.

E.g.

{
  "reqId": "pva8wPXXBN75sRbArOHw",
  "level": 0,
  "time": "2020-09-08T10:09:32+00:00",
  "remoteAddr": "172.18.0.3",
  "user": "m",
  "app": "files_antivirus",
  "method": "PUT",
  "url": "/remote.php/webdav/tmp/eicarcom2.zip",
  "message": "Response :: stream: Win.Test.EICAR_HDB-1 FOUND\n",
  "userAgent": "Mozilla/5.0 (X11; Linux x86_64; rv:79.0) Gecko/20100101 Firefox/79.0",
  "version": "19.0.2.2"
}
Happyfeet01 commented 3 years ago

Thanks

Happyfeet01 commented 3 years ago

I get only this one Fatal error message @markuman

markuman commented 3 years ago

@Happyfeet01 are you sure?
One background scan (for one file) looks like this here.
Where the 4th message is the ClamAV response ("message": "Response :: stream: OK\n",) and the 5th (last) message is a result based on rules. So in general, I believe my example is a bug (#164), but there must be more log lines for one scanned file on your server.

[
  {
    "reqId": "Lza1DrEpm1OFiXvyH2R9",
    "level": 0,
    "time": "2020-09-08T11:20:15+00:00",
    "remoteAddr": "",
    "user": "--",
    "app": "files_antivirus",
    "method": "",
    "url": "--",
    "message": "Scanning file with fileid: 10151",
    "userAgent": "--",
    "version": "19.0.2.2"
  },
  {
    "reqId": "Lza1DrEpm1OFiXvyH2R9",
    "level": 0,
    "time": "2020-09-08T11:20:15+00:00",
    "remoteAddr": "",
    "user": "--",
    "app": "files_antivirus",
    "method": "",
    "url": "--",
    "message": "Scan started File: 10151 Account: nextclouduser Path: /nextclouduser/files/photos/san francisco.jpg",
    "userAgent": "--",
    "version": "19.0.2.2"
  },
  {
    "reqId": "Lza1DrEpm1OFiXvyH2R9",
    "level": 0,
    "time": "2020-09-08T11:20:15+00:00",
    "remoteAddr": "",
    "user": "--",
    "app": "files_antivirus",
    "method": "",
    "url": "--",
    "message": "Scan is done File: 10151 Account: nextclouduser Path: /nextclouduser/files/photos/san francisco.jpg",
    "userAgent": "--",
    "version": "19.0.2.2"
  },
  {
    "reqId": "Lza1DrEpm1OFiXvyH2R9",
    "level": 0,
    "time": "2020-09-08T11:20:15+00:00",
    "remoteAddr": "",
    "user": "--",
    "app": "files_antivirus",
    "method": "",
    "url": "--",
    "message": "Response :: stream: OK\n",
    "userAgent": "--",
    "version": "19.0.2.2"
  },
  {
    "reqId": "Lza1DrEpm1OFiXvyH2R9",
    "level": 4,
    "time": "2020-09-08T11:20:15+00:00",
    "remoteAddr": "",
    "user": "--",
    "app": "files_antivirus",
    "method": "",
    "url": "--",
    "message": "Infected file found (during background scan) PUA.Doc.Packed.EncryptedDoc-6563700-0 File: 10151 Account: nextclouduser Path: /nextclouduser/files/photos/san francisco.jpg",
    "userAgent": "--",
    "version": "19.0.2.2"
  }
]
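The two replies above describe how to read this out of nextcloud.log by hand: find the level-0 "Response :: stream: ..." line that carries the raw ClamAV result, and note that one background scan writes several messages that share a reqId, with the last (level 4) message being the rule-based verdict. The script below is an added example, not code from the files_antivirus project, that does the same correlation automatically: it parses the JSON-per-line log, groups files_antivirus entries by reqId, and pairs each "Infected file found" verdict with the scanner response recorded under the same reqId. The sample log lines are constructed from the entries quoted in this thread (reqIds, the .avi path and the "core" entry are made up), and the status labels and field names are my own choices, not anything the app emits.

```python
"""Correlate files_antivirus messages in nextcloud.log by reqId.

Pairs the final "Infected file found ..." verdict of a scan with the raw
scanner reply ("Response :: stream: <signature> FOUND" or "... OK") logged
under the same reqId, so you can see what ClamAV actually returned for each
flagged file instead of only the rule-processed fatal message.
"""
import json
import re
import sys
from collections import defaultdict

# Constructed sample log (one JSON object per line), modelled on the entries
# quoted in this issue. Only the keys this script reads are included.
SAMPLE_LOG = "\n".join(json.dumps(e) for e in [
    {"reqId": "A1", "level": 0, "app": "files_antivirus", "message": "Scanning file with fileid: 10151"},
    {"reqId": "A1", "level": 0, "app": "files_antivirus", "message": "Scan started File: 10151 Account: nextclouduser Path: /nextclouduser/files/photos/san francisco.jpg"},
    {"reqId": "A1", "level": 0, "app": "files_antivirus", "message": "Scan is done File: 10151 Account: nextclouduser Path: /nextclouduser/files/photos/san francisco.jpg"},
    {"reqId": "A1", "level": 0, "app": "files_antivirus", "message": "Response :: stream: OK\n"},
    {"reqId": "A1", "level": 4, "app": "files_antivirus", "message": "Infected file found (during background scan) PUA.Doc.Packed.EncryptedDoc-6563700-0 File: 10151 Account: nextclouduser Path: /nextclouduser/files/photos/san francisco.jpg"},
    {"reqId": "B2", "level": 0, "app": "files_antivirus", "message": "Response :: stream: Win.Dropper.Miner-7086571-0 FOUND\n"},
    {"reqId": "B2", "level": 4, "app": "files_antivirus", "message": "Infected file found (during background scan) Win.Dropper.Miner-7086571-0 File: 22665 Account: lars Path: /lars/files/Photos/RAW/2018/11/IMG_20181129_123047.dng"},
    # A verdict with no scanner response under its reqId (the "only the fatal message" case).
    {"reqId": "C3", "level": 4, "app": "files_antivirus", "message": "Infected file found (during background scan) Win.Dropper.Miner-7086571-0 File: 22598 Account: lars Path: /lars/files/Videos/example.avi"},
    {"reqId": "D4", "level": 0, "app": "core", "message": "unrelated entry from another app"},
])

# Raw scanner reply as logged by the app, e.g. "OK" or "<signature> FOUND".
RESPONSE_RE = re.compile(r"^Response :: stream: (.+?)\s*$")
# Final verdict line; the mode in parentheses is e.g. "during background scan".
VERDICT_RE = re.compile(
    r"^Infected file found \((?P<mode>[^)]*)\) (?P<signature>\S+) "
    r"File: (?P<file_id>\d+) Account: (?P<account>\S+) Path: (?P<path>.+)$"
)


def parse_entries(log_text):
    """Yield files_antivirus entries from a JSON-per-line log, skipping non-JSON lines."""
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            entry = json.loads(line)
        except ValueError:
            continue  # nextcloud.log can contain non-JSON noise; ignore it
        if entry.get("app") == "files_antivirus":
            yield entry


def classify(signature, response):
    """Label (my own terms) how the verdict relates to the raw scanner reply."""
    if response is None:
        return "no-scanner-response"   # nothing to verify against in this log
    if response.endswith("FOUND") and signature in response:
        return "confirmed"             # scanner itself reported this signature
    if response == "OK":
        return "inconsistent"          # scanner said clean, app still flagged it
    return "mismatch"                  # scanner reported something else


def correlate(log_text):
    """Return one summary dict per reqId that ended in an 'Infected file found' verdict."""
    groups = defaultdict(list)
    for entry in parse_entries(log_text):
        groups[entry.get("reqId")].append(entry)

    results = []
    for req_id, entries in groups.items():
        response = verdict = None
        for entry in entries:  # log order; the last match of each kind wins
            msg = entry.get("message", "")
            m = RESPONSE_RE.match(msg)
            if m:
                response = m.group(1).strip()
            m = VERDICT_RE.match(msg)
            if m:
                verdict = m.groupdict()
        if verdict is None:
            continue  # clean scan or unrelated request: nothing was flagged
        results.append({
            "reqId": req_id,
            "file_id": verdict["file_id"],
            "path": verdict["path"],
            "signature": verdict["signature"],
            "scanner_response": response,
            "status": classify(verdict["signature"], response),
        })
    return results


if __name__ == "__main__":
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_LOG
    for r in correlate(text):
        print(f"{r['status']:<20} {r['signature']:<40} {r['file_id']:>6}  {r['path']}  <- {r['scanner_response']}")
```

Run it as `python3 correlate.py /path/to/nextcloud.log` (without an argument it runs on the constructed sample). A "no-scanner-response" row is the situation where only the fatal verdict can be found for a file, and an "inconsistent" row is the OK-but-flagged pattern shown in the five-message example above. For a "confirmed" row, the independent check is to download the file and rescan it with the same scanner (for example `clamscan --infected <file>` after updating the signature database); a hit that disappears after the update points at a signature that has since been corrected.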
kesselb commented 2 years ago

Does this error still occur? I think we fixed some of those issues recently.