eedev
commented
3 years ago I have the same problem on my 19.0.3 instance, I have one infected file that is an old .mbox Gmail export infected with Win.Malware.Locky-2938. It has been for a very very long time.
Since last update, I now have many files reported with the same Win.Malware.Locky-2938 but I've scanned them individually with ClamAV and VirusTotal and they are not infected.
I think @bpatath nailed it.
xkill
Steps to reproduce
Expected behaviour
Only one file, the one with the virus, should be logged
Actual behaviour
All files scanned after the one with the virus are logged with the exact same virus. We can verify that those others files are virus-free because when debug logs are enabled, the clamav response is OK. Also, the clamav logs contain only one virus found line.
Cause
I've already tried to track the origin of the issue. @icewind1991, in cc8501edbd2062c60aa7c1b46ca3f069419a1b90, you've changed from instantiating a new scanner at each
ScannerFactory->getScanner()to instantiating one scanner and always returning the same. Correct me if I'm wrong, I am really not familiar with dependency injection and containers.But there should be one scanner instance per file. Using the same scanner multiple times for files is considering as sending different parts of a same file. As soon as one part is infected, this status will be saved and always returned by the scanner. This means that all files scanned after an infected one will have the same status as the infected one.
The two solutions would be :
ScannerBaseworks to allow reusing one instance for multiple files. We could, e.g. add ainitScannerForNewFilethat would drop previous status, and have it be called byBackgroundScanner. Willing to do a PR.161, #163, #164 might be related to this.