nextcloud / files_antivirus

👾 Antivirus app for Nextcloud Files
https://apps.nextcloud.com/apps/files_antivirus
GNU Affero General Public License v3.0

Virus detected while Response :: stream: OK #164

Closed markuman closed 2 years ago

markuman commented 3 years ago

The file is scanned during background scan. ClamAV responds with Response :: stream: OK, but the log then throws a "level": 4 error and classifies it as Infected file found (during background scan) PUA.Doc.Packed.EncryptedDoc-6563700-0.

It's unclear where this comes from. When I transfer that file to another Nextcloud host (same setup, same Nextcloud version, same ClamAV version), it doesn't throw a level 4 error.
Maybe there is a concurrency error?

[
  {
    "reqId": "4u789jcqK1fvARdwcqDE",
    "level": 0,
    "time": "2020-09-08T10:40:22+00:00",
    "remoteAddr": "",
    "user": "--",
    "app": "files_antivirus",
    "method": "",
    "url": "--",
    "message": "Scanning file with fileid: 10151",
    "userAgent": "--",
    "version": "19.0.2.2"
  },
  {
    "reqId": "4u789jcqK1fvARdwcqDE",
    "level": 0,
    "time": "2020-09-08T10:40:22+00:00",
    "remoteAddr": "",
    "user": "--",
    "app": "files_antivirus",
    "method": "",
    "url": "--",
    "message": "Scan started File: 10151 Account: nextclouduser Path: /nextclouduser/files/photos/san francisco.jpg",
    "userAgent": "--",
    "version": "19.0.2.2"
  },
  {
    "reqId": "4u789jcqK1fvARdwcqDE",
    "level": 0,
    "time": "2020-09-08T10:40:22+00:00",
    "remoteAddr": "",
    "user": "--",
    "app": "files_antivirus",
    "method": "",
    "url": "--",
    "message": "Scan is done File: 10151 Account: nextclouduser Path: /nextclouduser/files/photos/san francisco.jpg",
    "userAgent": "--",
    "version": "19.0.2.2"
  },
  {
    "reqId": "4u789jcqK1fvARdwcqDE",
    "level": 0,
    "time": "2020-09-08T10:40:22+00:00",
    "remoteAddr": "",
    "user": "--",
    "app": "files_antivirus",
    "method": "",
    "url": "--",
    "message": "Response :: stream: OK\n",
    "userAgent": "--",
    "version": "19.0.2.2"
  },
  {
    "reqId": "4u789jcqK1fvARdwcqDE",
    "level": 4,
    "time": "2020-09-08T10:40:22+00:00",
    "remoteAddr": "",
    "user": "--",
    "app": "files_antivirus",
    "method": "",
    "url": "--",
    "message": "Infected file found (during background scan) PUA.Doc.Packed.EncryptedDoc-6563700-0 File: 10151 Account: nextclouduser Path: /nextclouduser/files/photos/san francisco.jpg",
    "userAgent": "--",
    "version": "19.0.2.2"
  }
]

kesselb commented 2 years ago

Does this error still occur?

markuman commented 2 years ago

Dunno, we disabled it because of too many false-positive findings.

kesselb commented 2 years ago

All right. I think the false positive case when the previous file was infected recently. Feel free to give it a try ;)
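
A triage check for the mismatch in the original report, added here as an example (not code from files_antivirus): it walks Nextcloud log entries and returns every "Infected file found" entry whose scan logged a clamd response ending in OK. The function names and the sample entries are assumptions; the sample is constructed from the message sequence in the report.

```python
import json
import re

SCAN_START = re.compile(r"^Scan started File: (\d+)")
RESPONSE = re.compile(r"^Response :: (.*)$", re.S)
INFECTED = re.compile(r"^Infected file found.*? (\S+) File: (\d+)")

def load_entries(text):
    """Accept a JSON array (as pasted in the report) or one JSON object per line."""
    text = text.strip()
    if text.startswith("["):
        return json.loads(text)
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def find_verdict_mismatches(entries):
    """Return 'Infected file found' entries whose scan logged a clamd OK response."""
    current = {}  # reqId -> [fileid of the scan in progress, last clamd response]
    mismatches = []
    for e in entries:
        if e.get("app") != "files_antivirus":
            continue
        req, msg = e.get("reqId"), e.get("message", "")
        if m := SCAN_START.match(msg):
            current[req] = [m.group(1), None]
        elif (m := RESPONSE.match(msg)) and req in current:
            current[req][1] = m.group(1).strip()
        elif m := INFECTED.match(msg):
            signature, fileid = m.groups()
            scanned, response = current.get(req, (None, None))
            if scanned == fileid and response and response.endswith("OK"):
                mismatches.append((e.get("time"), fileid, signature, response))
    return mismatches

def _entry(req, level, message):  # constructed sample entry, fields as in the report
    return {"reqId": req, "level": level, "time": "2020-09-08T10:40:22+00:00",
            "app": "files_antivirus", "message": message}

# Constructed sample: the first scan repeats the message sequence from the report,
# the second is a consistent detection (file id and signature are made up).
SAMPLE = [
    _entry("r1", 0, "Scan started File: 10151 Account: nextclouduser Path: /x"),
    _entry("r1", 0, "Response :: stream: OK\n"),
    _entry("r1", 4, "Infected file found (during background scan) PUA.Doc.Packed.EncryptedDoc-6563700-0 File: 10151 Account: nextclouduser Path: /x"),
    _entry("r1", 0, "Scan started File: 20001 Account: nextclouduser Path: /y"),
    _entry("r1", 0, "Response :: stream: Constructed.Test.Signature-0 FOUND\n"),
    _entry("r1", 4, "Infected file found (during background scan) Constructed.Test.Signature-0 File: 20001 Account: nextclouduser Path: /y"),
]

if __name__ == "__main__":
    for hit in find_verdict_mismatches(SAMPLE):
        print(hit)
```

Each hit carries the timestamp, file id, logged signature and the clamd response, which is enough to check whether the signature belongs to a file scanned just before it.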