nextcloud / files_antivirus

👾 Antivirus app for Nextcloud Files
https://apps.nextcloud.com/apps/files_antivirus
GNU Affero General Public License v3.0

Background scan detecting file scanned after an infected file as also infected. #202

Closed ghost closed 3 years ago

ghost commented 3 years ago

Steps to reproduce

  1. Using latest version 3.2.1
  2. Upload infected file to Nextcloud
  3. Enable antivirus and wait for background scan

Expected behaviour

Only the uploaded known infected file should be detected as infected in logs.

Actual behaviour

The infected file and what I assume is the very next file scanned are both detected as infected.

Server configuration

Operating system: Alpine Linux 3.13 Arm64

Web server: Nginx 1.18.0

Database: PostgreSQL 13.3

PHP version: PHP 7.4.21

Nextcloud version: 20.0.12

Where did you install Nextcloud from: Alpine Linux Repositories

List of activated apps:

/usr/share/webapps/nextcloud # sudo -u nginx php occ app:list
Enabled:
  - bruteforcesettings: 2.2.0
  - cloud_federation_api: 1.3.0
  - contactsinteraction: 1.1.0
  - dav: 1.16.2
  - federatedfilesharing: 1.10.2
  - files: 1.15.0
  - files_antivirus: 3.2.1
  - logreader: 2.5.0
  - lookup_server_connector: 1.8.0
  - oauth2: 1.8.0
  - provisioning_api: 1.10.0
  - settings: 1.2.0
  - twofactor_backupcodes: 1.9.0
  - viewer: 1.4.0
  - workflowengine: 2.2.0
Disabled:

Nextcloud configuration:

/usr/share/webapps/nextcloud # sudo -u nginx php occ config:list system
{
    "system": {
        "instanceid": "***REMOVED SENSITIVE VALUE***",
        "passwordsalt": "***REMOVED SENSITIVE VALUE***",
        "secret": "***REMOVED SENSITIVE VALUE***",
        "trusted_domains": [
            "***REMOVED SENSITIVE VALUE***",
            "***REMOVED SENSITIVE VALUE***"
        ],
        "trusted_proxies": "***REMOVED SENSITIVE VALUE***",
        "datadirectory": "***REMOVED SENSITIVE VALUE***",
        "dbtype": "pgsql",
        "version": "20.0.12.1",
        "overwrite.cli.url": "https:\/\/192.168.1.120",
        "dbname": "***REMOVED SENSITIVE VALUE***",
        "dbhost": "***REMOVED SENSITIVE VALUE***",
        "dbport": "",
        "dbtableprefix": "oc_",
        "dbuser": "***REMOVED SENSITIVE VALUE***",
        "dbpassword": "***REMOVED SENSITIVE VALUE***",
        "installed": true,
        "memcache.local": "\\OC\\Memcache\\APCu",
        "mail_smtpmode": "sendmail",
        "mail_sendmailmode": "pipe",
        "mail_from_address": "***REMOVED SENSITIVE VALUE***",
        "mail_domain": "***REMOVED SENSITIVE VALUE***",
        "theme": "",
        "loglevel": "2",
        "maintenance": false
    }
}

Client configuration

Browser: Chrome Version 92.0.4515.131 (Official Build) (64-bit)

Operating system: Ubuntu 20.04.2 LTS

Logs

Nextcloud log (data/owncloud.log)

{"reqId":"SpeK7yNfeD9nXumgvMfw","level":4,"time":"2021-08-13T22:20:22+00:00","remoteAddr":"","user":"--","app":"files_antivirus","method":"","url":"--","message":"Infected file found (during background scan) Win.Malware.Aa93a15d-6745814-0 File: 2966 Account: deand Path: /deand/files/Pinkbike Photos & Videos/p4pb2417061.jpg","userAgent":"--","version":"20.0.12.1","id":"6117893318cfc"}
{"reqId":"SpeK7yNfeD9nXumgvMfw","level":4,"time":"2021-08-13T22:20:22+00:00","remoteAddr":"","user":"--","app":"files_antivirus","method":"","url":"--","message":"Infected file found (during background scan) Win.Malware.Aa93a15d-6745814-0 File: 6771 Account: deand Path: /deand/files/Windows_Loader_v2.2.1.zip","userAgent":"--","version":"20.0.12.1","id":"6117893318d7b"}

Clamav log

Fri Aug 13 22:56:07 2021 -> SelfCheck: Database status OK.
Fri Aug 13 23:10:45 2021 -> SelfCheck: Database status OK.
Fri Aug 13 23:20:22 2021 -> instream(local): Win.Malware.Aa93a15d-6745814-0 FOUND
Fri Aug 13 23:20:45 2021 -> SelfCheck: Database status OK.
Fri Aug 13 23:30:47 2021 -> SelfCheck: Database status OK.
Fri Aug 13 23:40:47 2021 -> SelfCheck: Database status OK.
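An added check, not part of this report or of the files_antivirus code, that correlates the two logs above: every Nextcloud "Infected file found" entry should be backed by a ClamAV "FOUND" line at roughly the same time and with the same signature. Entries that cannot be matched (here the second file, 6771, which has no FOUND of its own) are the candidates for the carry-over behaviour described in the report and worth reviewing by hand before any automatic deletion. The sample log lines are constructed to mirror the ones quoted above, and the one-hour offset between the ClamAV local timestamps and the Nextcloud UTC timestamps is an assumption taken from the 22:20:22Z / 23:20:22 pair in the report.

```python
import json
import re
from datetime import datetime, timedelta, timezone

# Constructed sample lines modelled on the report's logs (not copied verbatim).
NEXTCLOUD_LOG = r'''
{"reqId":"req1","level":4,"time":"2021-08-13T22:20:22+00:00","app":"files_antivirus","message":"Infected file found (during background scan) Win.Malware.Example-0 File: 2966 Account: alice Path: /alice/files/Photos & Videos/photo.jpg"}
{"reqId":"req1","level":4,"time":"2021-08-13T22:20:22+00:00","app":"files_antivirus","message":"Infected file found (during background scan) Win.Malware.Example-0 File: 6771 Account: alice Path: /alice/files/sample.zip"}
{"reqId":"req2","level":1,"time":"2021-08-13T22:20:23+00:00","app":"files_antivirus","message":"Scanning file 1234"}
'''

CLAMAV_LOG = '''
Fri Aug 13 23:10:45 2021 -> SelfCheck: Database status OK.
Fri Aug 13 23:20:22 2021 -> instream(local): Win.Malware.Example-0 FOUND
Fri Aug 13 23:20:45 2021 -> SelfCheck: Database status OK.
'''

# Assumption: the ClamAV log is written in local time one hour ahead of UTC,
# as the 22:20:22Z / 23:20:22 pair in the report suggests. Adjust per host.
CLAMAV_UTC_OFFSET = timedelta(hours=1)

# Matches the files_antivirus detection message and pulls out its fields.
NC_MSG_RE = re.compile(
    r"Infected file found \((?P<phase>[^)]*)\) (?P<sig>\S+) "
    r"File: (?P<fileid>\d+) Account: (?P<account>\S+) Path: (?P<path>.*)$"
)
# Matches a clamd "FOUND" line: "<ctime timestamp> -> <scanner>: <sig> FOUND".
CLAM_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4}) -> [^:]+: (?P<sig>\S+) FOUND$"
)


def parse_nextcloud(text):
    """Return files_antivirus detections from JSON-lines Nextcloud log text."""
    detections = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        if rec.get("app") != "files_antivirus":
            continue
        m = NC_MSG_RE.search(rec.get("message", ""))
        if not m:
            continue
        detections.append({
            "time": datetime.fromisoformat(rec["time"]).astimezone(timezone.utc),
            "sig": m["sig"],
            "fileid": int(m["fileid"]),
            "account": m["account"],
            "path": m["path"],
        })
    return detections


def parse_clamav(text, offset=CLAMAV_UTC_OFFSET):
    """Return (utc_time, signature) for every FOUND line in clamd log text."""
    hits = []
    for line in text.splitlines():
        m = CLAM_RE.match(line.strip())
        if not m:
            continue
        local = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
        hits.append(((local - offset).replace(tzinfo=timezone.utc), m["sig"]))
    return hits


def find_unconfirmed_detections(nc_text, clam_text,
                                offset=CLAMAV_UTC_OFFSET,
                                window=timedelta(seconds=2)):
    """Nextcloud detections with no ClamAV FOUND line of the same signature
    within `window`. Each FOUND line is consumed by at most one detection, so
    a second detection riding on a single FOUND is reported as unconfirmed."""
    clam_hits = parse_clamav(clam_text, offset)
    used = [False] * len(clam_hits)
    unconfirmed = []
    for det in parse_nextcloud(nc_text):
        for i, (ts, sig) in enumerate(clam_hits):
            if not used[i] and sig == det["sig"] and abs(ts - det["time"]) <= window:
                used[i] = True
                break
        else:
            unconfirmed.append(det)
    return unconfirmed


if __name__ == "__main__":
    for det in find_unconfirmed_detections(NEXTCLOUD_LOG, CLAMAV_LOG):
        print(f"UNCONFIRMED file {det['fileid']} ({det['path']}): "
              f"no ClamAV FOUND for {det['sig']} near {det['time'].isoformat()}")
```

Run it against the real `owncloud.log` (or `nextcloud.log`) and clamd log with the offset set for your host; an unconfirmed entry is a reason to keep deletion for background-scan findings disabled, as the reporter did, until the files have been re-scanned individually.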

Comments

I can see issue #167 and pull #169 seem to be aimed at resolving this and predate the current release by some way, but the issue still exists. I have turned off deleting for infected files found during background scan for the time being, as this would result in files being deleted unnecessarily.

If I am not mistaken and pull #169 is included in the latest release, could this be the result of some sort of concurrency issue?