nextcloud / files_antivirus

👾 Antivirus app for Nextcloud Files
https://apps.nextcloud.com/apps/files_antivirus
GNU Affero General Public License v3.0

Test with virus test file generates multiple detection errors in unrelated files #345

Closed caguiar closed 2 weeks ago

caguiar commented 2 weeks ago

Steps to reproduce

  1. Put eicar.com in the Nextcloud user directory (using the Nextcloud client).

Expected behaviour

The background scan job should detect the "infected file" such as:

```
[files_antivirus] Erro: Infected file found (during background scan) Win.Test.EICAR_HDB-1 File: 74374896 Account: 97C5B7E0-4380-41D7-B203-5EC3195AD4CC Path: /97C5B7E0-4380-41D7-B203-5EC3195AD4CC/files/Virus test files/eicar.com
```

Actual behaviour

The background scan job reports hundreds of files with the same "virus signature" such as:

```
[files_antivirus] Erro: Infected file found (during background scan) Win.Test.EICAR_HDB-1 File: 73456834 Account: 97C5B7E0-4380-41D7-B203-5EC3195AD4CC Path: /97C5B7E0-4380-41D7-B203-5EC3195AD4CC/files/ASSINATURAS/Declaracao_de_inexistencia_de_conflito_de_interesses_38243_693316_funcoes_procedimento.doc.docx
```

Server configuration

Operating system: Ubuntu 22.04

Web server: Apache2 2.4.52

Database: mysql-server-8.0 8.0.37

PHP version: php8.1 8.1.12

Nextcloud version: (see Nextcloud admin page) 29.0.2

Where did you install Nextcloud from:

List of activated apps: Enabled:

Nextcloud configuration:

```json
{
    "system": {
        "instanceid": "REMOVED SENSITIVE VALUE",
        "passwordsalt": "REMOVED SENSITIVE VALUE",
        "datadirectory": "REMOVED SENSITIVE VALUE",
        "dbtype": "mysql",
        "version": "29.0.2.2",
        "dbname": "REMOVED SENSITIVE VALUE",
        "dbhost": "REMOVED SENSITIVE VALUE",
        "dbtableprefix": "oc_",
        "dbuser": "REMOVED SENSITIVE VALUE",
        "dbpassword": "REMOVED SENSITIVE VALUE",
        "installed": true,
        "loglevel": 2,
        "log_rotate_size": 104857600,
        "ldapIgnoreNamingRules": false,
        "theme": "",
        "maintenance": false,
        "maintenance_window_start": 1,
        "trusted_domains": [
            "nextcloud.arditi.pt",
            "cloud.arditi.pt",
            "owncloud.arditi.pt"
        ],
        "mail_domain": "REMOVED SENSITIVE VALUE",
        "mail_smtpmode": "smtp",
        "mail_from_address": "REMOVED SENSITIVE VALUE",
        "secret": "REMOVED SENSITIVE VALUE",
        "allow_local_remote_servers": true,
        "trashbin_retention_obligation": "auto,60",
        "versions_retention_obligation": "auto",
        "memcache.local": "\\OC\\Memcache\\APCu",
        "memcache.locking": "\\OC\\Memcache\\Redis",
        "redis": {
            "host": "REMOVED SENSITIVE VALUE",
            "port": 6379
        },
        "updatechecker": false,
        "singleuser": false,
        "ldapProviderFactory": "\\OCA\\User_LDAP\\LDAPProviderFactory",
        "overwrite.cli.url": "https:\/\/cloud.arditi.pt",
        "mail_smtphost": "REMOVED SENSITIVE VALUE",
        "default_phone_region": "PT",
        "twofactor_enforced": "false",
        "twofactor_enforced_groups": [],
        "twofactor_enforced_excluded_groups": [],
        "mysql.utf8mb4": true,
        "app_install_overwrite": [
            "extract",
            "sharelisting",
            "groupfolders",
            "issuetemplate"
        ]
    }
}
```

Client configuration

Browser: Firefox

Operating system: Mac OS

Logs

Nextcloud log (data/owncloud.log)

```
{"reqId":"KH6QOcqN74SyheyP10XO","level":3,"time":"2024-06-17T12:25:04+00:00","remoteAddr":"","user":"--","app":"files_antivirus","method":"","url":"--","message":"Infected file found (during background scan) Win.Test.EICAR_HDB-1 File: 74374896 Account: 97C5B7E0-4380-41D7-B203-5EC3195AD4CC Path: /97C5B7E0-4380-41D7-B203-5EC3195AD4CC/files/Virus test files/eicar.com","userAgent":"--","version":"29.0.2.2","data":{"app":"files_antivirus"}}
{"reqId":"KH6QOcqN74SyheyP10XO","level":3,"time":"2024-06-17T12:25:05+00:00","remoteAddr":"","user":"--","app":"files_antivirus","method":"","url":"--","message":"Infected file found (during background scan) Win.Test.EICAR_HDB-1 File: 372553 Account: D2EC5F2B-8633-4735-A829-1E878CD910BC Path: /D2EC5F2B-8633-4735-A829-1E878CD910BC/files/ARDITI_2016/CIVITAS-DESTINATIONS (local)/backups-manter/CIVITUR PROPOSAL_H2020TOPIC MG5.5.-2015 - Backup/2nd Stage/calcular_monthly_rate_ARDITI_22092015.xlsx","userAgent":"--","version":"29.0.2.2","data":{"app":"files_antivirus"}}
{"reqId":"KH6QOcqN74SyheyP10XO","level":3,"time":"2024-06-17T12:25:05+00:00","remoteAddr":"","user":"--","app":"files_antivirus","method":"","url":"--","message":"Infected file found (during background scan) Win.Test.EICAR_HDB-1 File: 67234714 Account: 82FC82A3-391D-4D9F-8626-93C8185C0A5E Path: /82FC82A3-391D-4D9F-8626-93C8185C0A5E/files/Documents/Vanessa/CON P\u00daB DOS SERVI\u00c7OS E ESCOLAS/Machico/comunica\u00e7\u00f5es/comunica\u00e7\u00e3o 25 10 17.docx","userAgent":"--","version":"29.0.2.2","data":{"app":"files_antivirus"}}
{"reqId":"KH6QOcqN74SyheyP10XO","level":3,"time":"2024-06-17T12:25:05+00:00","remoteAddr":"","user":"--","app":"files_antivirus","method":"","url":"--","message":"Infected file found (during background scan) Win.Test.EICAR_HDB-1 File: 372998 Account: D2EC5F2B-8633-4735-A829-1E878CD910BC Path: /D2EC5F2B-8633-4735-A829-1E878CD910BC/files/ARDITI_2016/CIVITAS-DESTINATIONS (local)/backups-manter/CIVITUR PROPOSAL_H2020TOPIC MG5.5.-2015 - Backup/docs_v\u00e1rios/Sintra. Portugal Mobility Services for Tourists Eltis_files/css9fsv4JS-crzuaScPV-8Ga5FZdJ7rEfX0A-U-NpYbXs.css","userAgent":"--","version":"29.0.2.2","data":{"app":"files_antivirus"}}
```

And the list goes on and on.


kesselb commented 2 weeks ago

Caused by https://github.com/nextcloud/files_antivirus/commit/a864119a150b6035c049b0ef6711c9458b0a8c09#diff-fef93b10df7e905ff9951ccdf7793f9072e6a5afca34bb1ce050d63d1e32ece1R49

caguiar commented 2 weeks ago

I would say that this is a dangerous issue, since if the configuration is set for "Delete files", it deletes an unknown number of files. This did happen to me; fortunately, I do have backups. Hope the new version with the fix is released soon.
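
A triage sketch for a log like the one quoted in this issue, added here as an example (it is not part of the thread or of the files_antivirus code): it parses the JSON-lines Nextcloud log, pulls out the background-scan detections, and flags any job run (`reqId`) in which one signature was reported for many distinct files, returning the affected paths so they can be checked against backups. The function names, the `min_files` threshold and the sample entries are assumptions; the sample entries are constructed, with hypothetical ids and paths.

```python
import json
import re
from collections import defaultdict

# Message layout copied from the files_antivirus log entries quoted in the issue.
MSG_RE = re.compile(
    r"Infected file found \(during background scan\) (?P<sig>\S+) "
    r"File: (?P<fileid>\d+) Account: (?P<account>\S+) Path: (?P<path>.+)")

def parse_detections(lines):
    """Return one dict per background-scan detection in a JSON-lines Nextcloud log."""
    found = []
    for line in lines:
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue  # blank, truncated or non-JSON line
        if isinstance(entry, dict) and entry.get("app") == "files_antivirus":
            m = MSG_RE.fullmatch(str(entry.get("message", "")))
            if m:
                found.append({"reqId": entry.get("reqId"), **m.groupdict()})
    return found

def suspicious_runs(detections, min_files=3):
    """Flag (reqId, signature) pairs where one signature hit many distinct files."""
    runs = defaultdict(dict)
    for d in detections:
        runs[(d["reqId"], d["sig"])][d["fileid"]] = d["path"]
    return {key: sorted(files.values())
            for key, files in runs.items() if len(files) >= min_files}

def _entry(req_id, fileid, account, path, sig="Win.Test.EICAR_HDB-1"):
    # Constructed sample entry (hypothetical ids and paths), same fields as the issue's log.
    msg = (f"Infected file found (during background scan) {sig} "
           f"File: {fileid} Account: {account} Path: /{account}/files/{path}")
    return json.dumps({"reqId": req_id, "level": 3, "app": "files_antivirus", "message": msg})

SAMPLE_LOG = [
    _entry("req-A", 101, "acct-1", "Virus test files/eicar.com"),
    _entry("req-A", 102, "acct-2", "Reports/budget 2015.xlsx"),
    _entry("req-A", 103, "acct-3", "Docs/letter.docx"),
    _entry("req-B", 200, "acct-1", "Downloads/sample.bin", sig="Example.Sig-1"),
    '{"reqId":"req-C","app":"core","message":"unrelated"}',
    "not json",
]

if __name__ == "__main__":
    for (req_id, sig), paths in suspicious_runs(parse_detections(SAMPLE_LOG)).items():
        print(f"{req_id}: {sig} reported for {len(paths)} files:", *paths, sep="\n    ")
```

A flagged run is only a prompt for review: the listed paths are the ones to compare against backups or the trash bin when the app was configured to delete files.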