nextcloud / files_antivirus

👾 Antivirus app for Nextcloud Files
https://apps.nextcloud.com/apps/files_antivirus
GNU Affero General Public License v3.0

Server /tmp FileSystem gets 100% full due to CLAMSCAN/ClamAV write tmp-files with huge sizes into (xlm_macro) > 20GB #185

Closed Githopp192 closed 3 years ago

Githopp192 commented 3 years ago

Actual behaviour

Issue: For an unknown reason the /tmp directory gets written 100% full by clamscan, and this in a very short time (about 40GB!!!), 1GB in 15 secs!!

The server crashed several times due to /tmp being 100% FULL. clamscan writes files like this one --> "18G Jan 24 23:47 xlm_macros.61ee7f7b64"

Some days before this behaviour, a notification appeared (sent to the Admin): "User "x" may be infected with ransomware and is asking for your help".

An AV clamscan full scan on a mirrored storage does not show any infection.

Steps to reproduce

When starting ClamAV, this behaviour repeats one or two times a day (= Server/SQL/Nextcloud CRASH).

Expected behaviour

ClamAV should not be able to kill the Nextcloud instance/server. There needs to be an option in Nextcloud to set a maximum limit on what ClamAV is allowed to write into /tmp or any tmp directory.

Client configuration details

--------------------------------

Windows 10

CLAMAV configuration details

--------------------------------

    "files_antivirus": {
        "av_cmd_options": "",
        "av_host": "localhost",
        "av_infected_action": "delete",
        "av_max_file_size": "104857600",
        "av_mode": "socket",
        "av_path": "\/usr\/bin\/clamscan",
        "av_port": "3310",
        "av_socket": "\/var\/run\/clamd.scan\/clamd.sock",
        "av_stream_max_length": "10485760",
        "enabled": "no",
        "installed_version": "3.1.2",
        "types": "filesystem,dav"
    },

    cat /etc/systemd/system/multi-user.target.wants/clamd@scan.service
    [Unit]
    Description = clamd scanner (%i) daemon
    Documentation=man:clamd(8) man:clamd.conf(5) https://www.clamav.net/documents/
    After = syslog.target nss-lookup.target network.target

    [Service]
    Type = forking
    ExecStart = /usr/sbin/clamd -c /etc/clamd.d/%i.conf
    # Reload the database
    ExecReload=/bin/kill -USR2 $MAINPID
    Restart = on-failure
    TimeoutStartSec=700

    [Install]
    WantedBy = multi-user.target

    Checking configuration files in /etc

    Config file: clamd.d/scan.conf
    LogFile = "/var/log/clamd.scan"
    LogFileMaxSize = "2097152"
    LogTime = "yes"
    LogVerbose = "yes"
    LogRotate = "yes"
    ExtendedDetectionInfo = "yes"
    LocalSocket = "/var/run/clamd.scan/clamd.sock"
    StreamMaxLength = "52428800"
    MaxDirectoryRecursion = "20"
    VirusEvent = "/root/scripts/virus_found.sh "VIRUS ALERT: %v""
    User = "clamscan"

    Config file: freshclam.conf
    LogFileMaxSize = "2097152"
    LogTime = "yes"
    LogSyslog = "yes"
    LogVerbose = "yes"
    UpdateLogFile = "/var/log/freshclam.log"
    DatabaseMirror = "db.ch.clamav.net"

    mail/clamav-milter.conf not found

    Software settings
    Version: 0.103.0
    Optional features supported: MEMPOOL IPv6 AUTOIT_EA06 BZIP2 LIBXML2 PCRE2 ICONV JSON

    Database information
    Database directory: /var/lib/clamav
    main.cvd: version 59, sigs: 4564902, built on Mon Nov 25 14:56:15 2019
    bytecode.cvd: version 331, sigs: 94, built on Thu Sep 19 18:12:33 2019
    daily.cld: version 26060, sigs: 4166932, built on Mon Jan 25 13:28:03 2021
    Total number of signatures: 8731928

    Platform information
    uname: Linux 4.18.0-240.10.1.el8_3.x86_64 #1 SMP Mon Jan 18 17:05:51 UTC 2021 x86_64
    OS: linux-gnu, ARCH: x86_64, CPU: x86_64
    zlib version: 1.2.11 (1.2.11), compile flags: a9
    platform id: 0x0a2179790800000000080301

    Build information
    GNU C: 8.3.1 20191121 (Red Hat 8.3.1-5) (8.3.1)
    CPPFLAGS: -I/usr/include/libprelude
    CFLAGS: -O2 -g -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS -fexceptions -fstack-protector-strong -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m64 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64
    CXXFLAGS: -O2 -g -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS -fexceptions -fstack-protector-strong -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m64 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection
    LDFLAGS: -Wl,-z,relro -Wl,-z,now -specs=/usr/lib/rpm/redhat/redhat-hardened-ld -Wl,--as-needed -lprelude
    Configure: '--build=x86_64-redhat-linux-gnu' '--host=x86_64-redhat-linux-gnu' '--program-prefix=' '--disable-dependency-tracking' '--prefix=/usr' '--exec-prefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/sbin' '--sysconfdir=/etc' '--datadir=/usr/share' '--includedir=/usr/include' '--libdir=/usr/lib64' '--libexecdir=/usr/libexec' '--localstatedir=/var' '--sharedstatedir=/var/lib' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--enable-milter' '--disable-clamav' '--disable-static' '--disable-zlib-vcheck' '--disable-unrar' '--enable-id-check' '--enable-dns' '--with-dbdir=/var/lib/clamav' '--with-group=clamupdate' '--with-user=clamupdate' '--disable-rpath' '--disable-silent-rules' '--enable-clamdtop' '--enable-prelude' 'build_alias=x86_64-redhat-linux-gnu' 'host_alias=x86_64-redhat-linux-gnu' 'CXXFLAGS=-O2 -g -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS -fexceptions -fstack-protector-strong -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m64 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection' 'LDFLAGS=-Wl,-z,relro -Wl,-z,now -specs=/usr/lib/rpm/redhat/redhat-hardened-ld -Wl,--as-needed' 'CFLAGS=-O2 -g -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS -fexceptions -fstack-protector-strong -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m64 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection' 'PKG_CONFIG_PATH=:/usr/lib64/pkgconfig:/usr/share/pkgconfig'
    sizeof(void*) = 8
    Engine flevel: 121, dconf: 121

    Linux 4.18.0-240.10.1.el8_3.x86_64 x86_64 x86_64 glibc-2.28-127.el8.x86_64 zlib-1.2.11-16.el8_2.x86_64

How to reproduce the problem:

start clamd@scan.service (clamd scanner (scan) daemon) and wait some hours

    root 53309 0.0 0.0 12112 1000 pts/0 S+ 22:46 0:00 grep clamd

CLAMAV issue Details

--------------------------------


/var/run/clamd.scan/clamd.sock
Stream Length: 10485760 bytes
File size limit for periodic background scans, -1 means no limit: 104857600 bytes
When infected files are found during a background scan: Delete file

Issue: For an unknown reason the /tmp directory gets written 100% full, and this in a very short time (about 40GB!!!), 1GB in 15 secs!!

    drwx------ 3 clamscan clamscan      62 Jan 24 23:41 20210124_234111-scantem.1c52ff6324
    -rw------- 1 clamscan clamscan 4880384 Jan 24 23:41 clamav-a851a6285a769ab5c343e0f56351758f.tmp
    drwx------ 3 clamscan clamscan      62 Jan 24 23:40 20210124_234010-scantem.09310957bc
    -rw------- 1 clamscan clamscan 4208128 Jan 24 23:40 clamav-46ec629b291f6fa83fffd2e14cb491b6.tmp
    -rw------- 1 clamscan clamscan    4.1M Jan 24 23:40 clamav-46ec629b291f6fa83fffd2e14cb491b6.tmp

    [root@serverlog]# ls -alth /tmp/20210124_234010-scantem.09310957bc
    total 18G
    -rw-------  1 clamscan clamscan  18G Jan 24 23:47 xlm_macros.61ee7f7b64
    drwxrwxrwt. 8 root     root     4.0K Jan 24 23:45 ..
    drwx------  3 clamscan clamscan   62 Jan 24 23:40 .
    drwx------  2 clamscan clamscan  132 Jan 24 23:40 ole2-tmp.25cf530c3b

Configuration:

ClamAV 0.103.0/26060/Mon Jan 25 13:28:03 2021

Server configuration details

--------------------------------

Version: Intel(R) Xeon(R) E-2136 CPU @ 3.30GHz
Max Speed: 4300 MHz
Current Speed: 3300 MHz
Memory: 16GB

Operating System: CentOS Linux release 8.3.2011

Upstream OS : Derived from Red Hat Enterprise Linux 8.3

Webserver: Apache/2.4.37 (centos)

Database: mysql 10.3.27-MariaDB,

PHP version: PHP Version => 7.4.14

[PHP Modules] apcu bcmath bz2 calendar Core ctype curl date dom exif fileinfo filter ftp gd gettext gmp hash iconv igbinary imagick intl json ldap libsmbclient libxml mbstring memcached msgpack mysqli mysqlnd openssl pcntl pcre PDO pdo_mysql pdo_sqlite Phar posix readline redis Reflection session shmop SimpleXML smbclient sockets sodium SPL sqlite3 standard sysvmsg sysvsem sysvshm tokenizer xml xmlreader xmlwriter xsl Zend OPcache zip zlib [Zend Modules] Zend OPcache

Nextcloud: - version: 20.0.6.1

Updated from an older Nextcloud/ownCloud or fresh install:

Where did you install Nextcloud from:

Signing status:

Log in as admin user into your Nextcloud, access http://example.com/index.php/settings/integrity/failed and paste the results here.

No errors have been found.

    {
        "system": {
            "memcache.distributed": "\OC\Memcache\Redis",
            "memcache.locking": "\OC\Memcache\Redis",
            "memcache.local": "\OC\Memcache\APCu",
            "filelocking.enabled": true,
            "redis": {
                "host": "REMOVED SENSITIVE VALUE",
                "timeout": 1.5,
                "password": "REMOVED SENSITIVE VALUE"
            },
            "instanceid": "REMOVED SENSITIVE VALUE",
            "passwordsalt": "REMOVED SENSITIVE VALUE",
            "secret": "REMOVED SENSITIVE VALUE",
            "trusteddomains": [ ],
            "datadirectory": "REMOVED SENSITIVE VALUE",
            "htaccess.RewriteBase": "\/",
            "overwriteprotocol": "https",
            "dbtype": "mysql",
            "version": "20.0.6.1",
            "dbname": "REMOVED SENSITIVE VALUE",
            "dbhost": "REMOVED SENSITIVE VALUE",
            "dbport": "",
            "dbtableprefix": "oc",
            "mysql.utf8mb4": true,
            "dbuser": "REMOVED SENSITIVE VALUE",
            "dbpassword": "REMOVED SENSITIVE VALUE",
            "installed": true,
            "maintenance": false,
            "theme": "",
            "loglevel": 2,
            "updater.release.channel": "stable",
            "auth.bruteforce.protection.enabled": true,
            "check_for_working_htaccess": true,
            "mail_from_address": "REMOVED SENSITIVE VALUE",
            "mail_smtpmode": "smtp",
            "mail_smtpauthtype": "LOGIN",
            "mail_domain": "REMOVED SENSITIVE VALUE",
            "mail_smtpsecure": "tls",
            "mail_smtpauth": 1,
            "mail_smtpname": "REMOVED SENSITIVE VALUE",
            "mail_smtppassword": "REMOVED SENSITIVE VALUE",
            "mail_smtphost": "REMOVED SENSITIVE VALUE",
            "session_lifetime": 1200,
            "session_keepalive": false,
            "logfile": "\/media\/log\/nextcloud.log",
            "knowledgebaseenabled": false,
            "log_rotate_size": 3145728,
            "mail_sendmailmode": "smtp",
            "app_install_overwrite": [
                "passman",
                "dicomviewer",

Enabled:
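The reporter's `clamconf` output shows a clamd.d/scan.conf that sets StreamMaxLength and MaxDirectoryRecursion but none of clamd's own scan limits, so TemporaryDirectory defaults to the host's shared /tmp. The following is an added example, not code from the issue, from files_antivirus or from ClamAV: it audits a clamd.conf for those limit directives and renders the two fragments a practitioner would apply, explicit limits in clamd.conf and a systemd drop-in that gives clamd a size-capped private tmpfs as its scratch space. Directive names come from clamd.conf(5); the defaults listed are the ones documented for ClamAV 0.103 (check your local man page); the path /var/tmp/clamd, the 2G cap and the tuned limit values are illustrative assumptions.

```python
"""Added example (not from the issue, files_antivirus or ClamAV): audit a
clamd.conf for scan-limit directives and render hardening fragments.
Defaults are as documented for ClamAV 0.103; paths and sizes are assumed."""
import re

# Limit directives and the defaults clamd applies when the file is silent.
LIMIT_DEFAULTS = {
    "TemporaryDirectory": "/tmp",   # shared with the host: what filled up in the issue
    "MaxScanSize": "100M",
    "MaxFileSize": "25M",
    "MaxRecursion": "17",
    "MaxFiles": "10000",
}

# Constructed sample mirroring the directives the reporter's clamconf output
# shows for clamd.d/scan.conf; none of the limit directives above is set.
REPORTED_SCAN_CONF = """\
LogFile /var/log/clamd.scan
LogFileMaxSize 2097152
LogTime yes
LocalSocket /var/run/clamd.scan/clamd.sock
StreamMaxLength 52428800
MaxDirectoryRecursion 20
User clamscan
"""

_DIRECTIVE = re.compile(r"^\s*([A-Za-z]+)\s+(.+?)\s*$")


def parse_clamd_conf(text):
    """Return {directive: value} for active lines. Comments and blank lines are
    skipped; a repeated directive keeps its last value, as clamd does."""
    conf = {}
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        match = _DIRECTIVE.match(line)
        if match:
            conf[match.group(1)] = match.group(2)
    return conf


def missing_limits(conf):
    """Limit directives the file leaves at their defaults."""
    return [name for name in LIMIT_DEFAULTS if name not in conf]


def effective_limits(conf):
    """The limits clamd will actually run with, defaults filled in."""
    return {name: conf.get(name, default) for name, default in LIMIT_DEFAULTS.items()}


def render_hardening(tmpdir="/var/tmp/clamd", tmpfs_size="2G", max_scan="200M",
                     max_file="100M", max_recursion="16", max_files="10000"):
    """Return (clamd.conf fragment, systemd drop-in). The per-scan limits make
    the defaults explicit; the drop-in is the backstop, because the reporter's
    18G xlm_macros temp file shows not every extraction path honours them."""
    conf_fragment = (
        "# Explicit scan limits (assumed values; tune to your largest legitimate uploads)\n"
        f"TemporaryDirectory {tmpdir}\n"
        f"MaxScanSize {max_scan}\n"
        f"MaxFileSize {max_file}\n"
        f"MaxRecursion {max_recursion}\n"
        f"MaxFiles {max_files}\n"
    )
    # TemporaryFileSystem= mounts a tmpfs at tmpdir inside the unit's mount
    # namespace only; the directory must exist on the host, and mode=1777 lets
    # the clamscan user write to it. Filling it fails the scan, not the host.
    dropin = (
        "# /etc/systemd/system/clamd@scan.service.d/tmpfs.conf (assumed path)\n"
        "[Service]\n"
        f"TemporaryFileSystem={tmpdir}:size={tmpfs_size},mode=1777\n"
    )
    return conf_fragment, dropin


if __name__ == "__main__":
    reported = parse_clamd_conf(REPORTED_SCAN_CONF)
    print("left at defaults:", missing_limits(reported))
    print("effective:", effective_limits(reported))
    fragment, dropin = render_hardening()
    print(fragment)
    print(dropin)
```

Running the audit against the reported configuration lists all five directives as left at their defaults, with TemporaryDirectory resolving to /tmp. Note that MaxScanSize/MaxFileSize bound what clamd agrees to look at, not what a buggy extractor writes, which is why the size-capped mount is the part that actually protects the server; after applying a drop-in, `systemctl daemon-reload` and restart the unit, and watch the new directory, since a scan that fills it will now fail instead of crashing Nextcloud.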

Githopp192 commented 3 years ago

NOTE -->

https://blog.clamav.net/2020/09/clamav-01030-released.html

There might be a bug in Version 0.103, because a new XLM macro detection method was introduced:

Added Excel 4.0 (XLM) macro detection and extraction support. Significantly improved VBA detection and extraction as well. Work courtesy of Jonas Zaddach. This support not yet added to sigtool, as the VBA extraction feature in sigtool is separate from the one used for scanning and will still need to be updated or replaced in the future.

rullzer commented 3 years ago

This really sounds like a clamav bug, as we just pipe the data to clamav to have it scanned. If clamav is doing something bad, then NC can't fix that.

Githopp192 commented 3 years ago

Yes, you're right - but anyway, it's good to have this tracked here so that other people can see it and be aware of it. In the meantime I wrote a mail to "Jonas Zaddach" (Cisco) to get this fixed.

Githopp192 commented 3 years ago

In the meantime I set up AV via the ClamAV executable (-> /usr/bin/clamscan) and it seems to work. Tested EICAR, but here the user only gets "unknown error" and no virus message?!

[screenshot]

But the log recognised the virus -->

OCA\DAV\Connector\Sabre\Exception\UnsupportedMediaType: Virus Win.Test.EICAR_HDB-1 is detected in the file. Upload cannot be completed.
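Two things in this thread hinge on the clamd socket protocol: the maintainer's point that the app "just pipes the data to clamav", and the EICAR test above, where clamd's FOUND reply carries the signature name (Win.Test.EICAR_HDB-1) that the app then logs. The following is an added example, not code from the issue, from files_antivirus or from ClamAV. It shows the INSTREAM exchange a socket-mode scanner drives: the client sends `zINSTREAM`, then length-prefixed chunks and a zero-length terminator, and clamd answers with one NUL-terminated line. So that it runs offline, the other end is a constructed stand-in for clamd that recognises only the EICAR test string and enforces a StreamMaxLength; a real clamd applies its signature database. The 4 KiB chunk size, the 1 MiB limit and the stand-in's behaviour of draining the stream after the limit is hit are assumptions.

```python
"""Added example (not from the issue, files_antivirus or ClamAV): the clamd
INSTREAM exchange, client side plus a constructed stand-in for clamd.
Chunk size and stream limit are assumptions."""
import socket
import struct
import threading

# EICAR test string, split so this source file is not itself detected.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$" + b"EICAR-STANDARD-" + b"ANTIVIRUS-TEST-FILE!$H+H*"


def instream_scan(sock, data, chunk_size=4096):
    """Stream `data` to clamd with zINSTREAM and return its reply line."""
    try:
        sock.sendall(b"zINSTREAM\0")
        for offset in range(0, len(data), chunk_size):
            chunk = data[offset:offset + chunk_size]
            sock.sendall(struct.pack(">I", len(chunk)) + chunk)   # <len><bytes>
        sock.sendall(struct.pack(">I", 0))                         # terminator
    except (BrokenPipeError, ConnectionResetError):
        pass  # real clamd closes as soon as StreamMaxLength is exceeded; reply is pending
    reply = b""
    while not reply.endswith(b"\0"):
        part = sock.recv(4096)
        if not part:
            break
        reply += part
    return reply.rstrip(b"\0").decode("utf-8", "replace")


def classify(reply):
    """Map clamd's reply to (verdict, detail). ERROR (for example the size
    limit) is a failed scan, not a clean file, and must not be treated as one."""
    if reply.endswith(" FOUND"):
        return "infected", reply[len("stream: "):-len(" FOUND")]
    if reply.endswith("ERROR"):
        return "error", reply
    if reply == "stream: OK":
        return "clean", None
    raise ValueError("unexpected clamd reply: %r" % reply)


def fake_clamd(sock, stream_max_length):
    """Constructed stand-in for clamd: serve one INSTREAM session, then close."""
    def recv_exact(n):
        buf = b""
        while len(buf) < n:
            part = sock.recv(n - len(buf))
            if not part:
                raise ConnectionError("client closed mid-stream")
            buf += part
        return buf

    command = b""
    while not command.endswith(b"\0"):
        byte = sock.recv(1)
        if not byte:
            return
        command += byte
    if command != b"zINSTREAM\0":
        sock.sendall(b"UNKNOWN COMMAND\0")
        sock.close()
        return
    body, total, too_big = b"", 0, False
    while True:
        (length,) = struct.unpack(">I", recv_exact(4))
        if length == 0:
            break
        chunk = recv_exact(length)
        total += length
        if total > stream_max_length:
            too_big = True   # real clamd replies and closes here; we drain instead
        elif not too_big:
            body += chunk
    if too_big:
        sock.sendall(b"INSTREAM size limit exceeded. ERROR\0")
    elif EICAR in body:
        sock.sendall(b"stream: Win.Test.EICAR_HDB-1 FOUND\0")
    else:
        sock.sendall(b"stream: OK\0")
    sock.close()


def scan_with_fake_clamd(data, stream_max_length=1024 * 1024):
    """Run one exchange over an in-process socket pair; returns classify()'s tuple."""
    client, server = socket.socketpair()
    worker = threading.Thread(target=fake_clamd, args=(server, stream_max_length))
    worker.start()
    try:
        return classify(instream_scan(client, data))
    finally:
        client.close()
        worker.join()


if __name__ == "__main__":
    print(scan_with_fake_clamd(b"just a text file\n"))
    print(scan_with_fake_clamd(b"attachment: " + EICAR))
    print(scan_with_fake_clamd(b"\0" * (2 * 1024 * 1024)))
```

Against a real clamd, `instream_scan` is pointed at the Unix socket from the configuration above (/var/run/clamd.scan/clamd.sock) instead of the socketpair. The practical caveat is the third outcome: with the app's stream length set to 10485760 bytes and clamd's StreamMaxLength at 52428800, any mismatch between what the caller sends and what clamd accepts surfaces as an ERROR reply rather than a verdict, and whatever the caller does with that, it must not be reported to the user as a clean upload.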