rfxn / linux-malware-detect

Linux Malware Detection (LMD)
http://www.rfxn.com/projects/linux-malware-detect/
GNU General Public License v2.0

rfxn.yara clamav error and a false positive on openssl tls1.h #345

Open odlevakp opened 4 years ago

odlevakp commented 4 years ago

Seems the latest rfxn database identifies openssl-1.1.1c/include/openssl/tls1.h as YARA.php_malware_hexinject.UNOFFICIAL.

To replicate:

mkdir /tmp/scan
cd /tmp/scan

wget https://anaconda.org/conda-forge/openssl/1.1.1c/download/linux-64/openssl-1.1.1c-h516909a_0.tar.bz2
tar xf openssl-1.1.1c-h516909a_0.tar.bz2

rm -f /var/lib/clamav/rfxn.*

Plain clamscan without rfxn db:

clamscan --infected -r /tmp/scan/

----------- SCAN SUMMARY -----------
Known viruses: 6528659
Engine version: 0.101.4
Scanned directories: 13
Scanned files: 141
Infected files: 0
Data scanned: 15.05 MB
Data read: 7.91 MB (ratio 1.90:1)
Time: 64.451 sec (1 m 4 s)

Checked include/openssl/tls1.h with virustotal, clean.

lmd --update-sigs --force

clamscan --infected -r /tmp/scan/
LibClamAV Error: yyerror(): /var/lib/clamav/rfxn.yara line 8955 undefined identifier "is__elf"
LibClamAV Warning: cli_loadyara: failed to parse or load 1 yara rules from file /var/lib/clamav/rfxn.yara, successfully loaded 784 rules.
/tmp/scan/include/openssl/tls1.h: YARA.php_malware_hexinject.UNOFFICIAL FOUND
/tmp/scan/openssl-1.1.1c-h516909a_0.tar.bz2: YARA.php_malware_hexinject.UNOFFICIAL FOUND

----------- SCAN SUMMARY -----------
Known viruses: 6544233
Engine version: 0.101.4
Scanned directories: 13
Scanned files: 141
Infected files: 2
Data scanned: 6.74 MB
Data read: 7.91 MB (ratio 0.85:1)
Time: 65.160 sec (1 m 5 s)

There is also a clamav error regarding rfxn.yara.
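The "undefined identifier" error above means ClamAV dropped one rule from rfxn.yara at load time, so the set of rules actually applied is smaller than the file suggests. A signature maintainer can catch that before publishing a database by checking each rule's condition for references to rules that are not defined earlier in the file (YARA only allows references to previously defined rules). The following is an added example, not part of LMD or of the original report; it uses a small constructed YARA file that reproduces the shape of the error, and the lint is a simplified regex-based parser rather than a full YARA grammar, so it only covers the common cases (rule names, loop variables, module names, string references).

```python
import re

# Constructed sample signature file (not the real rfxn.yara). The second rule
# references "is__elf", which is never defined, mirroring the
# 'undefined identifier "is__elf"' error ClamAV reported for rfxn.yara.
SAMPLE_YARA = """\
rule is__php
{
    strings:
        $open = "<?php"
    condition:
        $open at 0
}

rule hexinject_like : php
{
    strings:
        $hex = /\\\\x[0-9a-f]{2}/
        $ev = "eval("
    condition:
        is__php and not is__elf and #hex > 10 and $ev
}
"""

# Identifiers YARA understands without a rule definition (simplified list of
# keywords, built-in functions and module names).
KEYWORDS = {
    "and", "or", "not", "any", "all", "none", "of", "them", "for", "in", "at",
    "filesize", "entrypoint", "true", "false", "contains", "icontains",
    "matches", "startswith", "istartswith", "endswith", "iendswith", "iequals",
    "defined", "uint8", "uint16", "uint32", "int8", "int16", "int32",
    "uint8be", "uint16be", "uint32be", "int8be", "int16be", "int32be",
    "pe", "elf", "math", "hash", "magic", "dotnet", "cuckoo", "time", "string",
}

RULE_RE = re.compile(r"^\s*(?:(?:private|global)\s+)*rule\s+([A-Za-z_]\w*)", re.M)
COND_RE = re.compile(r"\bcondition\s*:(.*?)^\s*}", re.S | re.M)
# Bare identifiers only: skip $str, #str, @str, !str and dotted module fields.
IDENT_RE = re.compile(r"(?<![$#@!\w.])[A-Za-z_]\w*")
LOOPVAR_RE = re.compile(r"\bfor\s+\S+\s+([A-Za-z_]\w*(?:\s*,\s*[A-Za-z_]\w*)*)\s+in\b")


def find_undefined_identifiers(text):
    """Return (rule_name, identifier, line_number) for every identifier used in a
    condition that is neither a YARA keyword/module, a loop variable, nor a rule
    defined earlier in the file."""
    problems = []
    rule_starts = [(m.start(), m.group(1)) for m in RULE_RE.finditer(text)]
    defined = set()
    for i, (start, name) in enumerate(rule_starts):
        end = rule_starts[i + 1][0] if i + 1 < len(rule_starts) else len(text)
        body = text[start:end]
        cond_match = COND_RE.search(body)
        if cond_match:
            cond = cond_match.group(1)
            # Blank out string literals with same-length spaces so offsets are kept.
            cond = re.sub(r'"(?:\\.|[^"\\])*"', lambda m: " " * len(m.group(0)), cond)
            loop_vars = set()
            for lv in LOOPVAR_RE.finditer(cond):
                loop_vars.update(v.strip() for v in lv.group(1).split(","))
            for ident in IDENT_RE.finditer(cond):
                used = ident.group(0)
                if used in KEYWORDS or used in loop_vars or used in defined:
                    continue
                abs_pos = start + cond_match.start(1) + ident.start()
                line_no = text.count("\n", 0, abs_pos) + 1
                problems.append((name, used, line_no))
        defined.add(name)
    return problems


if __name__ == "__main__":
    for rule, ident, line in find_undefined_identifiers(SAMPLE_YARA):
        print(f"line {line}: rule {rule} references undefined identifier {ident!r}")
```

Run against a real rule file with `find_undefined_identifiers(open(path).read())`; any hit is a rule ClamAV will refuse to load, which silently reduces coverage even though the scan itself completes.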

philm commented 4 years ago

Seems like a regression related to https://github.com/rfxn/linux-malware-detect/issues/309.

We are observing the same issue in every environment that has a copy of the openssl tls1.h header file (e.g. "node-v10.0.0/deps/openssl/openssl/include/openssl/tls1.h").

odlevakp commented 4 years ago

Since this is still an issue and I am seeing a lot of false positives (in my case anaconda / tensorflow) on backend servers that have no PHP, simplest for me was to put it into ignore_sigs.

cat /usr/local/maldetect/ignore_sigs
{YARA}php_malware_hexinject
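The ignore_sigs workaround suppresses a whole signature rather than a specific path, so it is worth seeing which hits a given ignore list would drop before committing to it. The script below is an added example (not LMD's own code): it parses clamscan output like the one in the report, separates engine load errors from file hits, and applies an ignore_sigs-style list. The mapping between ClamAV's `YARA.<rule>.UNOFFICIAL` naming and LMD's `{YARA}<rule>` spelling is an assumption taken from the two names in this thread, not from LMD's source; the third hit in the sample output is constructed to show an unsuppressed result.

```python
import re

# Constructed sample: the clamscan run from the report, plus one made-up hit
# (path and signature name are placeholders) that the ignore list should keep.
SAMPLE_OUTPUT = """\
LibClamAV Error: yyerror(): /var/lib/clamav/rfxn.yara line 8955 undefined identifier "is__elf"
LibClamAV Warning: cli_loadyara: failed to parse or load 1 yara rules from file /var/lib/clamav/rfxn.yara, successfully loaded 784 rules.
/tmp/scan/include/openssl/tls1.h: YARA.php_malware_hexinject.UNOFFICIAL FOUND
/tmp/scan/openssl-1.1.1c-h516909a_0.tar.bz2: YARA.php_malware_hexinject.UNOFFICIAL FOUND
/tmp/scan/constructed/example.php: Example.Placeholder.Sig FOUND

----------- SCAN SUMMARY -----------
Infected files: 3
"""

# Constructed ignore_sigs file, same format as the one shown in the thread.
SAMPLE_IGNORE = """\
# openssl tls1.h false positive, see issue #345
{YARA}php_malware_hexinject
"""

HIT_RE = re.compile(r"^(?P<path>.+?): (?P<sig>\S+) FOUND$")
ENGINE_RE = re.compile(r"^LibClamAV (Error|Warning): (.*)$")


def parse_clamscan(output):
    """Split clamscan output into (path, signature) hits and engine messages."""
    hits, engine_msgs = [], []
    for line in output.splitlines():
        m = HIT_RE.match(line)
        if m:
            hits.append((m.group("path"), m.group("sig")))
            continue
        m = ENGINE_RE.match(line)
        if m:
            engine_msgs.append((m.group(1), m.group(2)))
    return hits, engine_msgs


def load_ignore_sigs(text):
    """Read an ignore_sigs file: one signature per line, '#' lines are comments."""
    return {ln.strip() for ln in text.splitlines()
            if ln.strip() and not ln.strip().startswith("#")}


def clamav_name_to_lmd(sig):
    """Map a clamscan signature name to the ignore_sigs spelling.
    Assumption (not from LMD's source): a rule 'x' from rfxn.yara is reported by
    ClamAV as 'YARA.x.UNOFFICIAL' and listed by LMD as '{YARA}x'; other names
    are compared as-is."""
    m = re.match(r"^YARA\.(.+?)(?:\.UNOFFICIAL)?$", sig)
    return "{YARA}" + m.group(1) if m else sig


def triage(output, ignore_text):
    """Apply the ignore list and report what remains, what was dropped, and any
    engine errors that mean the rule set was only partially loaded."""
    hits, engine_msgs = parse_clamscan(output)
    ignored = load_ignore_sigs(ignore_text)
    kept, suppressed = [], []
    for path, sig in hits:
        (suppressed if clamav_name_to_lmd(sig) in ignored else kept).append((path, sig))
    return {"kept": kept, "suppressed": suppressed, "engine_messages": engine_msgs}


if __name__ == "__main__":
    result = triage(SAMPLE_OUTPUT, SAMPLE_IGNORE)
    for level, msg in result["engine_messages"]:
        print(f"[{level}] {msg}")
    for path, sig in result["suppressed"]:
        print(f"ignored  {sig:45} {path}")
    for path, sig in result["kept"]:
        print(f"REVIEW   {sig:45} {path}")
```

Any `Error` entry in `engine_messages` deserves attention on its own: it means a rule failed to load, so a clean result is not evidence that the full rfxn set was applied.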

f00dog-x300 commented 3 years ago

Seeing the same issue. I think it started showing up after installation of maldet.

santiagodemierre commented 2 years ago

Getting this now:

FILE HIT LIST:
{HEX}php.gzbase64.inject.452 : /home/yo/maldetect-1.6.4/files/clean/gzbase64.inject.unclassed
{HEX}php.cmdshell.antichat.201 : /home/yo/maldetect-1.6.4/files/sigs/rfxn.yara

Just installed yesterday... false positive or real hit?