Mailing List Archive

Hi there,

On Mon, 26 Apr 2021, Haukur Valgeirsson via clamav-users wrote:

> I am setting up daily scanning and was figuring out how to whitelist based on
> file signatures, and decided to use the eicar test files to tune the
> settings.  Used 'sigtool --md5 eicarcom2.zip > falsepossigs.fp' to create the
> sig to whitelist and proceeded to run test scans and the results were a
> little surprising:

Given your description of what you did I'd struggle to reproduce it.
Please give full details of how you are running the scans, the exact
unaltered output as you see it, and the output of 'clamconf -n'.

--

73,
Ged.

_______________________________________________

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml

Sorry, adding more details for reproducability.

My original idea was to use maldet, which uses clamscan so whitelisting
and path exclusions need to happen in clamav, they don't seem to be
passed on to clamscan.

Environment: 4.19.0-10-amd64 #1 SMP Debian 4.19.132-1 (2020-07-24)
x86_64 GNU/Linux

The script clamcars.sh (attached) downloads, whitelists, scans and puts
the results in "result_<filename>" for each of the eicar files. I can
repeat with debug output redirected into the file if it helps.

I am using "clamscan" (used apt-get install clamav) not the daemon
(clamdscan), so I do not seem to have clamconf:

# clamscan --version
ClamAV 0.103.2/26152/Mon Apr 26 06:04:28 2021

Would it help you to look into this if I installed the daemon scanner
and repeated the test?

The only config I was able to locate is below.

Thanks.

Haukur


====

# cat /etc/clamav/freshclam.conf
# Automatically created by the clamav-freshclam postinst
# Comments will get lost when you reconfigure the clamav-freshclam package

DatabaseOwner clamav
UpdateLogFile /var/log/clamav/freshclam.log
LogVerbose false
LogSyslog false
LogFacility LOG_LOCAL6
LogFileMaxSize 0
LogRotate true
LogTime true
Foreground false
Debug false
MaxAttempts 5
DatabaseDirectory /var/lib/clamav
DNSDatabaseInfo current.cvd.clamav.net
ConnectTimeout 30
ReceiveTimeout 0
TestDatabases yes
ScriptedUpdates yes
CompressLocalDatabase no
Bytecode true
NotifyClamd /etc/clamav/clamd.conf
# Check for new database 24 times a day
Checks 24
DatabaseMirror db.local.clamav.net
DatabaseMirror database.clamav.net


On 26.4.2021 13:42, G.W. Haywood via clamav-users wrote:
> Hi there,
>
> On Mon, 26 Apr 2021, Haukur Valgeirsson via clamav-users wrote:
>
>> I am setting up daily scanning and was figuring out how to whitelist
>> based on file signatures, and decided to use the eicar test files to
>> tune the settings.  Used 'sigtool --md5 eicarcom2.zip >
>> falsepossigs.fp' to create the sig to whitelist and proceeded to run
>> test scans and the results were a little surprising:
>
> Given your description of what you did I'd struggle to reproduce it.
> Please give full details of how you are running the scans, the exact
> unaltered output as you see it, and the output of 'clamconf -n'.
>

Uhm... now this is strange.

When I run the script I wrote, it behaves as one would expect (md5 sum
must match the file, md5 from eicar.com covers eicar.com.txt too, but
not the zips and the md5 from zips only covers the zip that it was
generated from).

then I reran with the falsepos file only containing the md5 sum from
eicarcom2.zip

# cat /var/lib/clamav/maldet_ignore_sigs.fp
e4968ef99266df7c9a1f0637d2389dab:308:eicarcom2.zip

then it seems to whitelist eicar.com as well as itself???

# clamscan .
When run /usr/local/maldetect/testfolder/clamcars.sh: OK
/usr/local/maldetect/testfolder/eicar.com.txt:
{HEX}EICAR.TEST.3.UNOFFICIAL FOUND
/usr/local/maldetect/testfolder/eicar_com.zip:
{HEX}EICAR.TEST.3.UNOFFICIAL FOUND
/usr/local/maldetect/testfolder/eicarcom2.zip: OK
/usr/local/maldetect/testfolder/eicar.com: OK
/usr/local/maldetect/testfolder/result_eicar.com: OK
/usr/local/maldetect/testfolder/result_eicar.com.txt: OK
/usr/local/maldetect/testfolder/result_eicar_com.zip: OK
/usr/local/maldetect/testfolder/result_eicarcom2.zip: OK
/usr/local/maldetect/testfolder/.clamcars.sh.swp: OK

----------- SCAN SUMMARY -----------

Known viruses: 8539062
Engine version: 0.103.2
Scanned directories: 1
Scanned files: 10
Infected files: 2
Data scanned: 0.00 MB
Data read: 0.00 MB (ratio 0.00:1)
Time: 42.336 sec (0 m 42 s)
Start Date: 2021:04:26 10:14:50
End Date:   2021:04:26 10:15:33


and just to test again, I scan another folder, only containing the eicar
files:

# ll /home/haukurv/www/testfiles
total 16
-rw-r--r-- 1 haukurv haukurv  68 Apr 26 05:30 eicar.com
-rw-r--r-- 1 haukurv haukurv 308 Apr 26 05:30 eicarcom2.zip
-rw-r--r-- 1 haukurv haukurv  68 Apr 26 05:30 eicar.com.txt
-rw-r--r-- 1 haukurv haukurv 184 Apr 26 05:30 eicar_com.zip


# clamscan /home/haukurv/www/testfiles
/home/haukurv/www/testfiles/eicar.com: {HEX}EICAR.TEST.3.UNOFFICIAL FOUND
/home/haukurv/www/testfiles/eicarcom2.zip: OK
/home/haukurv/www/testfiles/eicar.com.txt: OK
/home/haukurv/www/testfiles/eicar_com.zip: OK

----------- SCAN SUMMARY -----------
Known viruses: 8539062
Engine version: 0.103.2
Scanned directories: 1
Scanned files: 4
Infected files: 1
Data scanned: 0.00 MB
Data read: 0.00 MB (ratio 0.00:1)
Time: 32.812 sec (0 m 32 s)
Start Date: 2021:04:26 10:29:16

End Date:   2021:04:26 10:29:48


I am getting a little bit confused here :-s

reg. Haukur


On 26.4.2021 15:04, Haukur Valgeirsson via clamav-users wrote:
> Sorry, adding more details for reproducability.
>
> My original idea was to use maldet, which uses clamscan so
> whitelisting and path exclusions need to happen in clamav, they don't
> seem to be passed on to clamscan.
>
> Environment: 4.19.0-10-amd64 #1 SMP Debian 4.19.132-1 (2020-07-24)
> x86_64 GNU/Linux
>
> The script clamcars.sh (attached) downloads, whitelists, scans and
> puts the results in "result_<filename>" for each of the eicar files. I
> can repeat with debug output redirected into the file if it helps.
>
> I am using "clamscan" (used apt-get install clamav) not the daemon
> (clamdscan), so I do not seem to have clamconf:
>
> # clamscan --version
> ClamAV 0.103.2/26152/Mon Apr 26 06:04:28 2021
>
> Would it help you to look into this if I installed the daemon scanner
> and repeated the test?
>
> The only config I was able to locate is below.
>
> Thanks.
>
> Haukur
>
>
> ====
>
> # cat /etc/clamav/freshclam.conf
> # Automatically created by the clamav-freshclam postinst
> # Comments will get lost when you reconfigure the clamav-freshclam
> package
>
> DatabaseOwner clamav
> UpdateLogFile /var/log/clamav/freshclam.log
> LogVerbose false
> LogSyslog false
> LogFacility LOG_LOCAL6
> LogFileMaxSize 0
> LogRotate true
> LogTime true
> Foreground false
> Debug false
> MaxAttempts 5
> DatabaseDirectory /var/lib/clamav
> DNSDatabaseInfo current.cvd.clamav.net
> ConnectTimeout 30
> ReceiveTimeout 0
> TestDatabases yes
> ScriptedUpdates yes
> CompressLocalDatabase no
> Bytecode true
> NotifyClamd /etc/clamav/clamd.conf
> # Check for new database 24 times a day
> Checks 24
> DatabaseMirror db.local.clamav.net
> DatabaseMirror database.clamav.net
>
>
> On 26.4.2021 13:42, G.W. Haywood via clamav-users wrote:
>> Hi there,
>>
>> On Mon, 26 Apr 2021, Haukur Valgeirsson via clamav-users wrote:
>>
>>> I am setting up daily scanning and was figuring out how to whitelist
>>> based on file signatures, and decided to use the eicar test files to
>>> tune the settings. Used 'sigtool --md5 eicarcom2.zip >
>>> falsepossigs.fp' to create the sig to whitelist and proceeded to run
>>> test scans and the results were a little surprising:
>>
>> Given your description of what you did I'd struggle to reproduce it.
>> Please give full details of how you are running the scans, the exact
>> unaltered output as you see it, and the output of 'clamconf -n'.
>>
>
>
> _______________________________________________
>
> clamav-users mailing list
> clamav-users@lists.clamav.net
> https://lists.clamav.net/mailman/listinfo/clamav-users
>
>
> Help us build a comprehensive ClamAV guide:
> https://github.com/vrtadmin/clamav-faq
>
> http://www.clamav.net/contact.html#ml

Hi again.

Now I am getting really confused. I repeated the tests but now scanning
the eicar files in different directories in the same scan. I compiled
the file list into a file that I read into an array in bash and pass to
clamscan. The results differ between directories, even if the files in
them are identical (confirmed with diff).

The modified script is attached (clamcars2.sh), the file read in
(testfiles.txt) is just a list of full path to the files. The results
are in clamscan_eicar_test.txt, each part begins with the filename being
md5 sum whitelisted.

Any help very much appreciated!

Best regards,

Haukur

On 26.4.2021 15:30, Haukur Valgeirsson via clamav-users wrote:
>
> Uhm... now this is strange.
>
> When I run the script I wrote, it behaves as one would expect (md5 sum
> must match the file, md5 from eicar.com covers eicar.com.txt too, but
> not the zips and the md5 from zips only covers the zip that it was
> generated from).
>
> then I reran with the falsepos file only containing the md5 sum from
> eicarcom2.zip
>
> # cat /var/lib/clamav/maldet_ignore_sigs.fp
> e4968ef99266df7c9a1f0637d2389dab:308:eicarcom2.zip
>
> then it seems to whitelist eicar.com as well as itself???
>
> # clamscan .
> When run /usr/local/maldetect/testfolder/clamcars.sh: OK
> /usr/local/maldetect/testfolder/eicar.com.txt:
> {HEX}EICAR.TEST.3.UNOFFICIAL FOUND
> /usr/local/maldetect/testfolder/eicar_com.zip:
> {HEX}EICAR.TEST.3.UNOFFICIAL FOUND
> /usr/local/maldetect/testfolder/eicarcom2.zip: OK
> /usr/local/maldetect/testfolder/eicar.com: OK
> /usr/local/maldetect/testfolder/result_eicar.com: OK
> /usr/local/maldetect/testfolder/result_eicar.com.txt: OK
> /usr/local/maldetect/testfolder/result_eicar_com.zip: OK
> /usr/local/maldetect/testfolder/result_eicarcom2.zip: OK
> /usr/local/maldetect/testfolder/.clamcars.sh.swp: OK
>
> ----------- SCAN SUMMARY -----------
>
> Known viruses: 8539062
> Engine version: 0.103.2
> Scanned directories: 1
> Scanned files: 10
> Infected files: 2
> Data scanned: 0.00 MB
> Data read: 0.00 MB (ratio 0.00:1)
> Time: 42.336 sec (0 m 42 s)
> Start Date: 2021:04:26 10:14:50
> End Date:   2021:04:26 10:15:33
>
>
> and just to test again, I scan another folder, only containing the
> eicar files:
>
> # ll /home/haukurv/www/testfiles
> total 16
> -rw-r--r-- 1 haukurv haukurv  68 Apr 26 05:30 eicar.com
> -rw-r--r-- 1 haukurv haukurv 308 Apr 26 05:30 eicarcom2.zip
> -rw-r--r-- 1 haukurv haukurv  68 Apr 26 05:30 eicar.com.txt
> -rw-r--r-- 1 haukurv haukurv 184 Apr 26 05:30 eicar_com.zip
>
>
> # clamscan /home/haukurv/www/testfiles
> /home/haukurv/www/testfiles/eicar.com: {HEX}EICAR.TEST.3.UNOFFICIAL FOUND
> /home/haukurv/www/testfiles/eicarcom2.zip: OK
> /home/haukurv/www/testfiles/eicar.com.txt: OK
> /home/haukurv/www/testfiles/eicar_com.zip: OK
>
> ----------- SCAN SUMMARY -----------
> Known viruses: 8539062
> Engine version: 0.103.2
> Scanned directories: 1
> Scanned files: 4
> Infected files: 1
> Data scanned: 0.00 MB
> Data read: 0.00 MB (ratio 0.00:1)
> Time: 32.812 sec (0 m 32 s)
> Start Date: 2021:04:26 10:29:16
>
> End Date:   2021:04:26 10:29:48
>
>
> I am getting a little bit confused here :-s
>
> reg. Haukur
>
>
> On 26.4.2021 15:04, Haukur Valgeirsson via clamav-users wrote:
>> Sorry, adding more details for reproducability.
>>
>> My original idea was to use maldet, which uses clamscan so
>> whitelisting and path exclusions need to happen in clamav, they don't
>> seem to be passed on to clamscan.
>>
>> Environment: 4.19.0-10-amd64 #1 SMP Debian 4.19.132-1 (2020-07-24)
>> x86_64 GNU/Linux
>>
>> The script clamcars.sh (attached) downloads, whitelists, scans and
>> puts the results in "result_<filename>" for each of the eicar files.
>> I can repeat with debug output redirected into the file if it helps.
>>
>> I am using "clamscan" (used apt-get install clamav) not the daemon
>> (clamdscan), so I do not seem to have clamconf:
>>
>> # clamscan --version
>> ClamAV 0.103.2/26152/Mon Apr 26 06:04:28 2021
>>
>> Would it help you to look into this if I installed the daemon scanner
>> and repeated the test?
>>
>> The only config I was able to locate is below.
>>
>> Thanks.
>>
>> Haukur
>>
>>
>> ====
>>
>> # cat /etc/clamav/freshclam.conf
>> # Automatically created by the clamav-freshclam postinst
>> # Comments will get lost when you reconfigure the clamav-freshclam
>> package
>>
>> DatabaseOwner clamav
>> UpdateLogFile /var/log/clamav/freshclam.log
>> LogVerbose false
>> LogSyslog false
>> LogFacility LOG_LOCAL6
>> LogFileMaxSize 0
>> LogRotate true
>> LogTime true
>> Foreground false
>> Debug false
>> MaxAttempts 5
>> DatabaseDirectory /var/lib/clamav
>> DNSDatabaseInfo current.cvd.clamav.net
>> ConnectTimeout 30
>> ReceiveTimeout 0
>> TestDatabases yes
>> ScriptedUpdates yes
>> CompressLocalDatabase no
>> Bytecode true
>> NotifyClamd /etc/clamav/clamd.conf
>> # Check for new database 24 times a day
>> Checks 24
>> DatabaseMirror db.local.clamav.net
>> DatabaseMirror database.clamav.net
>>
>>
>> On 26.4.2021 13:42, G.W. Haywood via clamav-users wrote:
>>> Hi there,
>>>
>>> On Mon, 26 Apr 2021, Haukur Valgeirsson via clamav-users wrote:
>>>
>>>> I am setting up daily scanning and was figuring out how to
>>>> whitelist based on file signatures, and decided to use the eicar
>>>> test files to tune the settings. Used 'sigtool --md5 eicarcom2.zip
>>>> > falsepossigs.fp' to create the sig to whitelist and proceeded to
>>>> run test scans and the results were a little surprising:
>>>
>>> Given your description of what you did I'd struggle to reproduce it.
>>> Please give full details of how you are running the scans, the exact
>>> unaltered output as you see it, and the output of 'clamconf -n'.
>>>
>>
>>
>> _______________________________________________
>>
>> clamav-users mailing list
>> clamav-users@lists.clamav.net
>> https://lists.clamav.net/mailman/listinfo/clamav-users
>>
>>
>> Help us build a comprehensive ClamAV guide:
>> https://github.com/vrtadmin/clamav-faq
>>
>> http://www.clamav.net/contact.html#ml
>
> _______________________________________________
>
> clamav-users mailing list
> clamav-users@lists.clamav.net
> https://lists.clamav.net/mailman/listinfo/clamav-users
>
>
> Help us build a comprehensive ClamAV guide:
> https://github.com/vrtadmin/clamav-faq
>
> http://www.clamav.net/contact.html#ml

Now the plot thickens.

Sorry for the "spam", but I am just trying to convey useful information.

I tested a bunch of quarantined php injections. Whitelisting each of
these worked exactly as expected, only the whitelisted file was "clean"
(md5 checksum whitelisting). Then I used one of these files, made a
renamed copy as well as a zipped version and a double zipped version in
which case whitelisting any of these whitelisted all the others too.

So this hard-to-predict behavior seems to only apply in some cases (ex:
eicar).

Should I file a bugreport on this?

Best regards,

Haukur

On 27.4.2021 09:54, Haukur Valgeirsson via clamav-users wrote:
>
> Hi again.
>
> Now I am getting really confused. I repeated the tests but now
> scanning the eicar files in different directories in the same scan. I
> compiled the file list into a file that I read into an array in bash
> and pass to clamscan. The results differ between directories, even if
> the files in them are identical (confirmed with diff).
>
> The modified script is attached (clamcars2.sh), the file read in
> (testfiles.txt) is just a list of full path to the files. The results
> are in clamscan_eicar_test.txt, each part begins with the filename
> being md5 sum whitelisted.
>
> Any help very much appreciated!
>
> Best regards,
>
> Haukur
>
> On 26.4.2021 15:30, Haukur Valgeirsson via clamav-users wrote:
>>
>> Uhm... now this is strange.
>>
>> When I run the script I wrote, it behaves as one would expect (md5
>> sum must match the file, md5 from eicar.com covers eicar.com.txt too,
>> but not the zips and the md5 from zips only covers the zip that it
>> was generated from).
>>
>> then I reran with the falsepos file only containing the md5 sum from
>> eicarcom2.zip
>>
>> # cat /var/lib/clamav/maldet_ignore_sigs.fp
>> e4968ef99266df7c9a1f0637d2389dab:308:eicarcom2.zip
>>
>> then it seems to whitelist eicar.com as well as itself???
>>
>> # clamscan .
>> When run /usr/local/maldetect/testfolder/clamcars.sh: OK
>> /usr/local/maldetect/testfolder/eicar.com.txt:
>> {HEX}EICAR.TEST.3.UNOFFICIAL FOUND
>> /usr/local/maldetect/testfolder/eicar_com.zip:
>> {HEX}EICAR.TEST.3.UNOFFICIAL FOUND
>> /usr/local/maldetect/testfolder/eicarcom2.zip: OK
>> /usr/local/maldetect/testfolder/eicar.com: OK
>> /usr/local/maldetect/testfolder/result_eicar.com: OK
>> /usr/local/maldetect/testfolder/result_eicar.com.txt: OK
>> /usr/local/maldetect/testfolder/result_eicar_com.zip: OK
>> /usr/local/maldetect/testfolder/result_eicarcom2.zip: OK
>> /usr/local/maldetect/testfolder/.clamcars.sh.swp: OK
>>
>> ----------- SCAN SUMMARY -----------
>>
>> Known viruses: 8539062
>> Engine version: 0.103.2
>> Scanned directories: 1
>> Scanned files: 10
>> Infected files: 2
>> Data scanned: 0.00 MB
>> Data read: 0.00 MB (ratio 0.00:1)
>> Time: 42.336 sec (0 m 42 s)
>> Start Date: 2021:04:26 10:14:50
>> End Date:   2021:04:26 10:15:33
>>
>>
>> and just to test again, I scan another folder, only containing the
>> eicar files:
>>
>> # ll /home/haukurv/www/testfiles
>> total 16
>> -rw-r--r-- 1 haukurv haukurv  68 Apr 26 05:30 eicar.com
>> -rw-r--r-- 1 haukurv haukurv 308 Apr 26 05:30 eicarcom2.zip
>> -rw-r--r-- 1 haukurv haukurv  68 Apr 26 05:30 eicar.com.txt
>> -rw-r--r-- 1 haukurv haukurv 184 Apr 26 05:30 eicar_com.zip
>>
>>
>> # clamscan /home/haukurv/www/testfiles
>> /home/haukurv/www/testfiles/eicar.com: {HEX}EICAR.TEST.3.UNOFFICIAL FOUND
>> /home/haukurv/www/testfiles/eicarcom2.zip: OK
>> /home/haukurv/www/testfiles/eicar.com.txt: OK
>> /home/haukurv/www/testfiles/eicar_com.zip: OK
>>
>> ----------- SCAN SUMMARY -----------
>> Known viruses: 8539062
>> Engine version: 0.103.2
>> Scanned directories: 1
>> Scanned files: 4
>> Infected files: 1
>> Data scanned: 0.00 MB
>> Data read: 0.00 MB (ratio 0.00:1)
>> Time: 32.812 sec (0 m 32 s)
>> Start Date: 2021:04:26 10:29:16
>>
>> End Date:   2021:04:26 10:29:48
>>
>>
>> I am getting a little bit confused here :-s
>>
>> reg. Haukur
>>
>>
>> On 26.4.2021 15:04, Haukur Valgeirsson via clamav-users wrote:
>>> Sorry, adding more details for reproducability.
>>>
>>> My original idea was to use maldet, which uses clamscan so
>>> whitelisting and path exclusions need to happen in clamav, they
>>> don't seem to be passed on to clamscan.
>>>
>>> Environment: 4.19.0-10-amd64 #1 SMP Debian 4.19.132-1 (2020-07-24)
>>> x86_64 GNU/Linux
>>>
>>> The script clamcars.sh (attached) downloads, whitelists, scans and
>>> puts the results in "result_<filename>" for each of the eicar files.
>>> I can repeat with debug output redirected into the file if it helps.
>>>
>>> I am using "clamscan" (used apt-get install clamav) not the daemon
>>> (clamdscan), so I do not seem to have clamconf:
>>>
>>> # clamscan --version
>>> ClamAV 0.103.2/26152/Mon Apr 26 06:04:28 2021
>>>
>>> Would it help you to look into this if I installed the daemon
>>> scanner and repeated the test?
>>>
>>> The only config I was able to locate is below.
>>>
>>> Thanks.
>>>
>>> Haukur
>>>
>>>
>>> ====
>>>
>>> # cat /etc/clamav/freshclam.conf
>>> # Automatically created by the clamav-freshclam postinst
>>> # Comments will get lost when you reconfigure the clamav-freshclam
>>> package
>>>
>>> DatabaseOwner clamav
>>> UpdateLogFile /var/log/clamav/freshclam.log
>>> LogVerbose false
>>> LogSyslog false
>>> LogFacility LOG_LOCAL6
>>> LogFileMaxSize 0
>>> LogRotate true
>>> LogTime true
>>> Foreground false
>>> Debug false
>>> MaxAttempts 5
>>> DatabaseDirectory /var/lib/clamav
>>> DNSDatabaseInfo current.cvd.clamav.net
>>> ConnectTimeout 30
>>> ReceiveTimeout 0
>>> TestDatabases yes
>>> ScriptedUpdates yes
>>> CompressLocalDatabase no
>>> Bytecode true
>>> NotifyClamd /etc/clamav/clamd.conf
>>> # Check for new database 24 times a day
>>> Checks 24
>>> DatabaseMirror db.local.clamav.net
>>> DatabaseMirror database.clamav.net
>>>
>>>
>>> On 26.4.2021 13:42, G.W. Haywood via clamav-users wrote:
>>>> Hi there,
>>>>
>>>> On Mon, 26 Apr 2021, Haukur Valgeirsson via clamav-users wrote:
>>>>
>>>>> I am setting up daily scanning and was figuring out how to
>>>>> whitelist based on file signatures, and decided to use the eicar
>>>>> test files to tune the settings.  Used 'sigtool --md5
>>>>> eicarcom2.zip > falsepossigs.fp' to create the sig to whitelist
>>>>> and proceeded to run test scans and the results were a little
>>>>> surprising:
>>>>
>>>> Given your description of what you did I'd struggle to reproduce it.
>>>> Please give full details of how you are running the scans, the exact
>>>> unaltered output as you see it, and the output of 'clamconf -n'.
>>>>
>>>
>>>
>>> _______________________________________________
>>>
>>> clamav-users mailing list
>>> clamav-users@lists.clamav.net
>>> https://lists.clamav.net/mailman/listinfo/clamav-users
>>>
>>>
>>> Help us build a comprehensive ClamAV guide:
>>> https://github.com/vrtadmin/clamav-faq
>>>
>>> http://www.clamav.net/contact.html#ml
>>
>> _______________________________________________
>>
>> clamav-users mailing list
>> clamav-users@lists.clamav.net
>> https://lists.clamav.net/mailman/listinfo/clamav-users
>>
>>
>> Help us build a comprehensive ClamAV guide:
>> https://github.com/vrtadmin/clamav-faq
>>
>> http://www.clamav.net/contact.html#ml
>
> _______________________________________________
>
> clamav-users mailing list
> clamav-users@lists.clamav.net
> https://lists.clamav.net/mailman/listinfo/clamav-users
>
>
> Help us build a comprehensive ClamAV guide:
> https://github.com/vrtadmin/clamav-faq
>
> http://www.clamav.net/contact.html#ml

Hi there,

On Mon, 26 Apr 2021, Haukur Valgeirsson via clamav-users wrote:

> The only config I was able to locate is below.
> ...
> # cat /etc/clamav/freshclam.conf
> ...
> NotifyClamd /etc/clamav/clamd.conf

This seems to be saying you have a clamd.conf, otherwise freshclam
wouldn't be able to find it and I'd expect it to give an error. If
you do have a clamd.conf but don't have a clamd running I'd expect
freshclam to throw an error when it tried to contact clamd to tell
it to update its databases.

On Tue, 27 Apr 2021, Haukur Valgeirsson via clamav-users wrote:

> Now the plot thickens.

:/

> Sorry for the "spam", but I am just trying to convey useful information.
> ...

Don't apologize, useful information is good. :)

Mostly I'm responding to let you know that I'm still here, but also to
say some of what you've said seems to me as if it might be expected
behaviour. I haven't been able to look at the issues carefully, but I
will unless someone beats me to it.

What I mean by expected behaviour is that if you whitelist something
by means of the digest of its uncompressed form, then the scanner sees
it in compressed form, the scanner will uncompress it automatically -
and then find that it's whitelisted.

But you seem to be saying that things change when you move files
around in the filesystem, and other things (for example things like
directory/filesystem/size/scan/whatever restrictions) being equal, I
don't see why there should be any difference in behaviour when the
scan target is moved so I'd like to look into that when I have time.

> Should I file a bugreport on this?

I'd think that's quite reasonable. :)

--

73,
Ged.

_______________________________________________

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml

Thanks for the reply :-)

I will poke at this a little more and try to be as detailed as I can
then file a bugreport.

Will add a few inline replies here too.

On 27.4.2021 16:09, G.W. Haywood via clamav-users wrote:
>
> This seems to be saying you have a clamd.conf, otherwise freshclam
> wouldn't be able to find it and I'd expect it to give an error. If
> you do have a clamd.conf but don't have a clamd running I'd expect
> freshclam to throw an error when it tried to contact clamd to tell
> it to update its databases.
I am not using clamd, I installed clamav using apt and it did not
install clamdscan, but clamscan and freshclam, so I dod not find any
clamd.conf.
> Mostly I'm responding to let you know that I'm still here,

Thanks for that :-)

> What I mean by expected behaviour is that if you whitelist something
> by means of the digest of its uncompressed form, then the scanner sees
> it in compressed form, the scanner will uncompress it automatically -
> and then find that it's whitelisted.
Yes, usually... not always, which is what I found confusing. I can think
of reasons of why you might not want this to be the case though (packing
malicious code so you can send it for analysis for example). If you pack
a malicious file on its own (i.e. nothing else in the archive) this
makes sense, but I have not checked what happens if you pack a malicious
file with clean files, might do that to get more data :-)
> But you seem to be saying that things change when you move files
> around in the filesystem, and other things (for example things like
> directory/filesystem/size/scan/whatever restrictions) being equal, I
> don't see why there should be any difference in behaviour when the
> scan target is moved so I'd like to look into that when I have time.
Yes I did see that behavior but only when using the eicar test files,
not when using php injected malware as sample, then everything worked
exactly as I expected (including uncompressed file also whitelising zip
and vice versa).
> Should I file a bugreport on this?
>
> I'd think that's quite reasonable. :)

On it! :-)

Haukur

_______________________________________________

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml