Mailing List Archive

[clamav-users] false positive on MBL_85256034.UNOFFICIAL with Google Drive links
Since the signature name has .UNOFFICIAL and starts with MBL I believe
that's Malware Block List. I've submitted a sample to fp (at)
malwarepatrol.net. Is more than one sample needed? I'm posting here to let
others know, as they don't appear to acknowledge or reply.

Why don't these come up?

sigtool --find-sigs MBL_85256034*|sigtool --decode-sigs
sigtool --find-sigs MBL_85256034|sigtool --decode-sigs
sigtool --find-sigs MBL_85256034.UNOFFICIAL|sigtool --decode-sigs

I also see multiple signature whitelists with some duplication:
/var/lib/clamav/securiteinfo.ign2
/var/lib/clamav/sigwhitelist.ign2
/var/lib/clamav-unofficial-sigs/dbs-si/securiteinfo.ign2
/var/lib/clamav-unofficial-sigs/dbs-ss/sigwhitelist.ign2

That should be ok?

I've seen this reported here before, e.g.,
https://clamav-users.clamav.narkive.com/mqj2qe6y/malwarepatrol-false-positive
and
https://clamav-users.clamav.narkive.com/5QYf5SQW/mbl-17713260-false-positive

Re: [clamav-users] false positive on MBL_85256034.UNOFFICIAL with Google Drive links
Hi there,

On Wed, 28 Apr 2021, Robert Kudyba wrote:

> Since the signature name has .UNOFFICIAL and starts with MBL I believe
> that's Malware Block List. I've submitted a sample to fp (at)
> malwarepatrol.net. Is more than one sample needed? I'm posting here to let
> others know and as they don't appear to acknowledge nor reply.

I can't help you with anything related to Malwarepatrol.

> Why don't these come up?
>
> sigtool --find-sigs MBL_85256034*|sigtool --decode-sigs
> sigtool --find-sigs MBL_85256034|sigtool --decode-sigs
> sigtool --find-sigs MBL_85256034.UNOFFICIAL|sigtool --decode-sigs

As per the documentation I would write all those as

sigtool --find-sigs=MBL...

but I find that they seem to work without the '=' and that's a little
surprising to me. I don't know why you're not seeing the output that
you expect, maybe sigtool isn't looking where you think it's looking,
or what you think is there isn't there?

Also, you need to be careful with special characters like '*', which
generally need to be hidden from the shell either by 'quoting' or by
'escaping' them - otherwise the shell may expand them before handing
the (now probably useless) command to your utility. So I'd write

sigtool --find-sigs='MBL_85256034*' | sigtool --decode-sigs

> I also see multiple signature whitelists with some duplication:
> /var/lib/clamav/securiteinfo.ign2
> /var/lib/clamav/sigwhitelist.ign2
> /var/lib/clamav-unofficial-sigs/dbs-si/securiteinfo.ign2
> /var/lib/clamav-unofficial-sigs/dbs-ss/sigwhitelist.ign2
>
> That should be ok?

The duplication? Shouldn't be a problem. Small efficiency loss.

--

73,
Ged.

_______________________________________________

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml

Re: [clamav-users] false positive on MBL_85256034.UNOFFICIAL with Google Drive links
On Wed, Apr 28, 2021 at 4:25 PM Robert Kudyba <rkudyba@fordham.edu> wrote:

> ...
> sigtool --find-sigs MBL_85256034*|sigtool --decode-sigs
>

... and remember that --find-sigs takes a REGEX not a glob so perhaps you
meant "MBL_85256034.*", although sigtool checks the entire entry so
searching for 'MBL_85256034' is sufficient.

Re: [clamav-users] false positive on MBL_85256034.UNOFFICIAL with Google Drive links
On 28 April 2021 15:25:32 Robert Kudyba <rkudyba@fordham.edu> wrote:
> Since the signature name has .UNOFFICIAL and starts with MBL I believe
> that's Malware Block List. I've submitted a sample to fp (at)
> malwarepatrol.net. Is more than one sample needed? I'm posting here to let
> others know and as they don't appear to acknowledge nor reply.

Hi...

This issue has cropped up lots of times unfortunately (search the list archive)

This is on their blog:

https://www.malwarepatrol.net/block-lists-protect-against-ransomware-infections/

They really should have a main block list with Google drive links in...
and a separate one for the whole Google drive domain (for people that don't
mind the high FP's)

This hasn't been fixed as far as I can see since 2018-ish...

Obviously there are script tweaks to remove Google drive sigs before moving
to the ClamAV database folder...

... Or just stop using them and save yourself the headache.

Their sig name changes each time too, otherwise I could add a sig to the
unofficial mirrors to stop it.

When you report the issue to them make sure you report the blocked domain
as drive dot Google dot com etc. as the normal text domain might get
blocked using their own signatures.

Sorry I can't help much more.

Cheers,

Steve
Twitter: @sanesecurity

Re: [clamav-users] false positive on MBL_85256034.UNOFFICIAL with Google Drive links
Hi,

Robert Kudyba <rkudyba@fordham.edu> writes:

> Since the signature name has .UNOFFICIAL and starts with MBL I believe that's Malware Block List. I've
> submitted a sample to fp (at) malwarepatrol.net. Is more than one sample needed? I'm posting here to let
> others know and as they don't appear to acknowledge nor reply.

I contacted them once and the reply was along the lines that they considered
that the risk was real enough to keep the rule(s).

As I am updating ClamAV unofficial with the clamav-unofficial-sigs.sh
script, I wrote a hook that removes any drive.google.doc from the
signature (there are/were at least 3 entries).

As I wrote the hook, I can modify it in the future to fit my needs, so it
is not wasted time.

I can share the script.

Best regards,

Olivier


Re: [clamav-users] false positive on MBL_85256034.UNOFFICIAL with Google Drive links
I'd like the script and in our case the link starts with docs.google.com

On Wed, Apr 28, 2021, 10:43 PM Olivier via clamav-users <
clamav-users@lists.clamav.net> wrote:

Re: [clamav-users] false positive on MBL_85256034.UNOFFICIAL with Google Drive links
Robert,

In the configuration file user.conf for ClamAV-unofficial-sig, I set the
following variable:

clamd_reload_opt="/usr/local/bin/clamav-unofficial-sigs-post.pl"

And the script is attached below.

Best regards,

Olivier

Re: [clamav-users] false positive on MBL_85256034.UNOFFICIAL with Google Drive links
How would you make this work for docs.google.com as well?

the following regex corresponds to https://drive.google.com
next if /^MBL_\d+:0:\*:68747470733a2f2f64726976652e676f6f676c652e636f6d$/;


On Thu, Apr 29, 2021, 12:25 AM Olivier <Olivier.Nicole@cs.ait.ac.th> wrote:

> Robert,
>
> In the configuration file user.conf for ClamAV-unofficial-sig, I set the
> following variable:
>
> clamd_reload_opt="/usr/local/bin/clamav-unofficial-sigs-post.pl"
>
> And the script is attached below.
>
> Best regards,
>
> Olivier
>
> --
>

Re: [clamav-users] false positive on MBL_85256034.UNOFFICIAL with Google Drive links
Robert Kudyba <rkudyba@fordham.edu> writes:

> How would you make this work for docs.google.com as well?
>
> the following regex corresponds to https://drive.google.com
> next if /^MBL_\d+:0:\*:68747470733a2f2f64726976652e676f6f676c652e636f6d$/;

If I remember correctly (I am at home and I have nothing to check), the
URL is encoded in base64 so it should be:
68747470733a2f2f646f637s2e676f6f676c652e636f6d

But you better double check :)

Olivier


Re: [clamav-users] false positive on MBL_85256034.UNOFFICIAL with Google Drive links
>
> > How would you make this work for docs.google.com as well?
> >
> > the following regex corresponds to https://drive.google.com
> > next if
> /^MBL_\d+:0:\*:68747470733a2f2f64726976652e676f6f676c652e636f6d$/;
>
> If I remember correctly (I am at home and I have nothing to check), the
> URL is encoded in base64 so it should be:
> 68747470733a2f2f646f637s2e676f6f676c652e636f6d
>
> But you better double check :)


From your comments in the script:

> the following regex corresponds to https://drive.google.com


When I use an online base64 converter that ends up
being aHR0cHM6Ly9kcml2ZS5nb29nbGUuY29t

But what I'm asking for is to also include an "OR" to catch
https://docs.google.com (note the 'docs', not 'drive')

Re: [clamav-users] false positive on MBL_85256034.UNOFFICIAL with Google Drive links
Hi there,

On Thu, 29 Apr 2021, Olivier via clamav-users wrote:
> Robert Kudyba <rkudyba@fordham.edu> writes:
>
>> How would you make this work for docs.google.com as well?
>>
>> the following regex corresponds to https://drive.google.com
>> next if /^MBL_\d+:0:\*:68747470733a2f2f64726976652e676f6f676c652e636f6d$/;
>
> If I remember correctly (I am at home and I have nothing to check), the
> URL is encoded in base64 ...

This is plain hexadecimal representation of the individual characters,
not Base64 encoding.

> ... so it should be:
> 68747470733a2f2f646f637s2e676f6f676c652e636f6d

The character 's' is not in the range [0-9a-f] which are normally used
to represent hexadecimal numbers.

ASCII hex

h 68
t 74
t 74
p 70
s 73
: 3a

# the following regex corresponds to https://drive.google.com
next if /^MBL_\d+:0:\*:68747470733a2f2f64726976652e676f6f676c652e636f6d$/;

# the following regex corresponds to https://docs.google.com
next if /^MBL_\d+:0:\*:68747470733a2f2f646f63732e676f6f676c652e636f6d$/;

You could do better with a regex, see the excellent Perl documentation.

See also

https://www.clamav.net/documents/body-based-signature-content-format

for writing signatures and for example

man ascii

for more information about hexadecimal representation of characters.

Be careful with this stuff, it's easy to shoot yourself in the foot.
Look carefully at what's happening. The script does try to log things
and you can easily extend that - you might need to look at for example

man syslog

HTH

--

73,
Ged.


Re: [clamav-users] false positive on MBL_85256034.UNOFFICIAL with Google Drive links
>
> On Thu, 29 Apr 2021, Olivier via clamav-users wrote:
> > Robert Kudyba <rkudyba@fordham.edu> writes:
> >
> >> How would you make this work for docs.google.com as well?
> >>
> >> the following regex corresponds to https://drive.google.com
> >> next if
> /^MBL_\d+:0:\*:68747470733a2f2f64726976652e676f6f676c652e636f6d$/;
> >
> > If I remember correctly (I am at home and I have nothing to check), the
> > URL is encoded in base64 ...
>
> This is plain hexadecimal representation of the individual characters,
> not Base64 encoding.
>
> > ... so it should be:
> > 68747470733a2f2f646f637s2e676f6f676c652e636f6d
>
> The character 's' is not in the range [0-9a-f] which are normally used
> to represent hexadecimal numbers.
>
> ASCII hex
>
> h 68
> t 74
> t 74
> p 70
> s 73
> : 3a
>
> # the following regex corresponds to https://drive.google.com
> next if /^MBL_\d+:0:\*:68747470733a2f2f64726976652e676f6f676c652e636f6d$/;
>
> # the following regex corresponds to https://docs.google.com
> next if /^MBL_\d+:0:\*:68747470733a2f2f646f63732e676f6f676c652e636f6d$/;
>
> You could do better with a regex, see the excellent Perl documentation.
>

So what's the syntax to use || (or) with this? Something like this?

next if /^MBL_\d+:0:\*:68747470733a2f2f64726976652e676f6f676c652e636f6d$/ ||
/^MBL_\d+:0:\*:68747470733a2f2f646f63732e676f6f676c652e636f6d$/;

Re: [clamav-users] false positive on MBL_85256034.UNOFFICIAL with Google Drive links
Robert Kudyba <rkudyba@fordham.edu> writes:


> >> next if /^MBL_\d+:0:\*:68747470733a2f2f64726976652e676f6f676c652e636f6d$/;
> next if /^MBL_\d+:0:\*:68747470733a2f2f646f63732e676f6f676c652e636f6d$/;
>
> You could do better with a regex, see the excellent Perl documentation.
>
> So what's the syntax to use || (or) with this? Something like this?
>
> next if /^MBL_\d+:0:\*:68747470733a2f2f64726976652e676f6f676c652e636f6d$/ ||
> /^MBL_\d+:0:\*:68747470733a2f2f646f63732e676f6f676c652e636f6d$/;

I would make it more simple:

next if /^MBL_\d+:0:\*:123.../;
next if /^MBL_\d+:0:\*:abc.../;
next if /^MBL_\d+:0:\*:097.../;

That way you can comment on each individual line what they code for and
if you need to remove one test, you only need to comment out the
corresponding line without messing up with the regex or the condition.

This script is only run once each time you update the ClamAV unofficial
signatures and each test is run once per line, that makes not much sense
to try to optimize the run time of the script.

Olivier
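Ged's point that the signature body is plain hex (not Base64), Olivier's hook that strips the Google Drive entries, and the one-`next if`-per-origin style above all come down to the same operation: decode the body of each .ndb-style line and compare the URL it holds. The Python script below is an added example written for this page; it is not Olivier's Perl hook and not part of ClamAV or clamav-unofficial-sigs. It assumes the Malware Patrol lines have the `NAME:0:*:HEX` shape quoted in the thread, uses a constructed four-line sample database (the signature numbers and URLs are invented), and goes a little beyond the thread's exact-match regexes: it drops only entries whose decoded body is exactly an exempted origin, and keeps any entry that names a specific path so that a genuine per-file detection on a Google host survives. Function names (`url_to_hex`, `parse_ndb_line`, `filter_signatures`) are this example's own.

```python
"""Decode ClamAV .ndb-style body signatures and drop the whole-host Google Drive/Docs entries."""
import base64
import re

# Assumption for this example: the Malware Patrol lines have the shape quoted in the
# thread, NAME:TARGET:OFFSET:HEX[:MINFL[:MAXFL]], with a plain hex body.  Bodies that
# use ClamAV wildcards (??, *, {n-m}, (aa|bb)) are not decoded and are always kept.
PLAIN_HEX = re.compile(r"^[0-9a-fA-F]+$")

# Origins whose whole-host block entries we refuse to load (constructed allowlist).
EXEMPT_ORIGINS = (
    b"https://drive.google.com",
    b"https://docs.google.com",
)


def url_to_hex(text):
    """Encode a string the way a ClamAV body signature expects: two hex digits per byte."""
    return text.encode("utf-8").hex()


def url_to_base64(text):
    """Base64 of the same string; only here to show it is NOT what the signature holds."""
    return base64.b64encode(text.encode("utf-8")).decode("ascii")


def parse_ndb_line(line):
    """Return (name, decoded_body) for a signature line, (name, None) if the body cannot
    be decoded, or None for a line that is not a signature (comment, blank)."""
    fields = line.rstrip("\n").split(":")
    if len(fields) < 4:
        return None
    name, body = fields[0], fields[3]
    if not PLAIN_HEX.match(body) or len(body) % 2:
        return name, None
    return name, bytes.fromhex(body)


def is_whole_host_exemption(decoded):
    """True only when the body is exactly an exempted origin (a trailing '/' is allowed).
    An entry with a longer path, e.g. a specific shared file, is not exempted."""
    if decoded is None:
        return False
    return decoded.lower().rstrip(b"/") in EXEMPT_ORIGINS


def filter_signatures(lines):
    """Split lines into (kept, dropped_names); everything we cannot decode is kept."""
    kept, dropped = [], []
    for line in lines:
        parsed = parse_ndb_line(line)
        if parsed is not None and is_whole_host_exemption(parsed[1]):
            dropped.append(parsed[0])
        else:
            kept.append(line)
    return kept, dropped


# Constructed sample database: signature numbers and URLs are made up for this example.
SAMPLE_DB = [
    "MBL_0000001:0:*:" + url_to_hex("https://drive.google.com"),
    "MBL_0000002:0:*:" + url_to_hex("https://docs.google.com/"),
    "MBL_0000003:0:*:" + url_to_hex("https://docs.google.com/uc?export=download&id=EXAMPLEID"),
    "MBL_0000004:0:*:" + url_to_hex("http://malware.example.net/payload.exe"),
]

if __name__ == "__main__":
    kept, dropped = filter_signatures(SAMPLE_DB)
    print("dropped whole-host entries:", dropped)
    for line in kept:
        print("kept:", line)
```

Run it on a copy of the downloaded database as the post-processing step and write the kept lines back before clamd reloads. `url_to_base64` exists only to make the thread's encoding mix-up visible: the Base64 string is what an online converter produces, the hex string is what ClamAV actually stores, and a regex built from the former will never match.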

Re: [clamav-users] false positive on MBL_85256034.UNOFFICIAL with Google Drive links
>
> > >> next if
> /^MBL_\d+:0:\*:68747470733a2f2f64726976652e676f6f676c652e636f6d$/;
> > next if /^MBL_\d+:0:\*:68747470733a2f2f646f63732e676f6f676c652e636f6d$/;
> >
> > You could do better with a regex, see the excellent Perl documentation.
> >
> > So what's the syntax to use || (or) with this? Something like this?
> >
> > next if
> /^MBL_\d+:0:\*:68747470733a2f2f64726976652e676f6f676c652e636f6d$/ ||
> > /^MBL_\d+:0:\*:68747470733a2f2f646f63732e676f6f676c652e636f6d$/;
>
> I would make it more simple:
>
> next if /^MBL_\d+:0:\*:123.../;
> next if /^MBL_\d+:0:\*:abc.../;
> next if /^MBL_\d+:0:\*:097.../;
>
> That way you can comment on each individual line what they code for and
> if you need to remove one test, you only need to comment out the
> corresponding line without messing up with the regex or the condition.
>
> This script is only run once each time you update the ClamAV unofficial
> signatures and each test is run once per line, that makes not much sense
> to try to optimize the run time of the script.


Excellent thanks, no error(s) when I just ran it manually. Is there a
sigtool command I can use to check that it worked? I can compare this
against another server that I have yet to install this.

Re: [clamav-users] false positive on MBL_85256034.UNOFFICIAL with Google Drive links
Hi there,

On Thu, 29 Apr 2021, Robert Kudyba wrote:

> ... no error(s) when I just ran it manually.

There are lots of things in the script which look likely to cause
issues, so I'd have expected something:

1. Is your Perl interpreter in /usr/local/bin/? It's often in /usr/bin/.

2. The environment is likely to be different when the script runs via
freshclam from when it runs at the command line, and it's usually bad
form in scripts to rely on the environment anyway, so in any script of
this kind I'd use full paths to executables. For example on my system
these would be

/bin/chown
/usr/bin/logger
and
/usr/local/bin/clamdscan

but what are they on yours? I'd also use full paths everywhere else
instead of relative paths. Things can go wrogn ervy kuiqly.

3. What is uid 110 on your system? On my clamd server it's 'sshd'.
This means that if I were to run it as root as it is, the script would
change ownership of the modified files to the wrong user (which would
break future updates unless root did them) and for other users fail.

4. People store the ClamAV databases in different places. The script
makes assumptions about them; have you changed them in the script to
suit your system, and do you have the needed directories?
/var/db/clamav-unofficial-sigs/post-control/
/var/db/clamav/

5. The script does no error checking at all. It's good practice in
scripts to check the return values of functions which provide them,
such as 'chdir', 'link', 'unlink', 'chown' and (especially) 'open'.

> Is there a sigtool command I can use to check that it worked? I can
> compare this against another server that I have yet to install this.

sigtool --find-sigs <deleted_signature_name>

should give you an idea of what's happened.

As I warned already, do be careful with this stuff.

--

73,
Ged.


Re: [clamav-users] false positive on MBL_85256034.UNOFFICIAL with Google Drive links
>
> 1. Is your Perl interpreter in /usr/local/bin/? It's often in /usr/bin/.
>

Thanks I saw that after the fact, indeed /usr/bin in Fedora

2. The environment is likely to be different when the script runs via
> freshclam from when it runs at the command line, and it's usually bad
> form in scripts to rely on the environment anyway, so in any script of
> this kind I'd use full paths to executables. For example on my system
> these would be
>
> /bin/chown
> /usr/bin/logger
> and
> /usr/local/bin/clamdscan
>
> but what are they on yours? I'd also use full paths everywhere else
> instead of relative paths. Things can go wrogn ervy kuiqly.
>

/usr/bin for all 3

> 3. What is uid 110 on your system? On my clamd server it's 'sshd'.
> This means that if I were to run it as root as it is, the script would
> change ownership of the modified files to the wrong user (which would
> break future updates unless root did them) and for other users fail.
>

Yes caught those after the fact and updated the script accordingly

4. People store the ClamAV databases in different places. The script
> makes assumptions about them, have you changed them in the script to
> suit your system, and do you have the needed directories?
> /var/db/clamav-unofficial-sigs/post-control/
> /var/db/clamav/
>

Different on ours:
/var/lib/clamav-unofficial-sigs/dbs-mbl/

And I went ahead and created
/var/lib/clamav-unofficial-sigs/dbs-mbl/post-control

and not sure why we have a test dir:

/var/lib/clamav-unofficial-sigs/test

5. The script does no error checking at all. It's good practice in
> scripts to check the return values of functions which provide them,
> such as 'chdir', 'link', 'unlink', 'chown' and (especially) 'open'.
>

Anything off the top of your head I can add?

> Is there a sigtool command I can use to check that it worked? I can
> > compare this against another server that I have yet to install this.
>
> sigtool --find-sigs <deleted_signature_name>
>
> should give you an idea of what's happened.


The signature does not exist when I run this command.

Re: [clamav-users] false positive on MBL_85256034.UNOFFICIAL with Google Drive links
On Thu, 2021-04-29 at 16:22 +0100, G.W. Haywood via clamav-users wrote:
>
> 3. What is uid 110 on your system? On my clamd server it's 'sshd'.
> This means that if I were to run it as root as it is, the script would
> change ownership of the modified files to the wrong user (which would
> break future updates unless root did them) and for other users fail.
>

If you're lucky. The clamav user can replace those files with
sym/hardlinks to take over any file on the system.



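Ged's points 3 to 5 (hard-coded uid, assumed paths, no return-value checks) and the symlink remark above reduce to one rule for a post-processing hook that runs as root: never open, chown or otherwise write through a path that the clamav account could have replaced with a link. The function below is an added example written for this page, not Olivier's script and not part of clamav-unofficial-sigs. It assumes a Unix host, and the names `safe_rewrite`, `owner_uid` and `demo` are this example's own. It inspects the target with `lstat` and refuses symlinks and multiply-linked files, writes to a fresh temporary file it created itself in the same directory, resolves the owner by account name through `pwd` instead of a literal uid, and swaps the file in with an atomic rename, which never follows a link at the destination. `demo()` exercises all three cases in a constructed temporary directory.

```python
"""Rewrite a ClamAV database file without following links a lower-privileged user planted."""
import os
import pwd
import stat
import tempfile


def owner_uid(owner):
    """Resolve the owner by account name (an int uid is accepted as-is)."""
    return owner if isinstance(owner, int) else pwd.getpwnam(owner).pw_uid


def safe_rewrite(path, lines, owner=None):
    """Atomically replace `path` with `lines`; returns the number of lines written.

    The existing file is never opened for writing: a symlink (or hard link) planted
    there by the clamav account would otherwise be followed by a root-owned script,
    and chown() on an existing path follows symlinks too.
    """
    st = os.lstat(path)  # lstat inspects the directory entry itself, it does not follow it
    if not stat.S_ISREG(st.st_mode):
        raise RuntimeError(f"refusing to rewrite {path}: not a regular file")
    if st.st_nlink != 1:
        raise RuntimeError(f"refusing to rewrite {path}: {st.st_nlink} hard links")

    directory = os.path.dirname(os.path.abspath(path))
    # mkstemp creates a brand-new 0600 file with O_EXCL in the same directory, so
    # nothing can have substituted a link for it before we write to or chown it.
    fd, tmp = tempfile.mkstemp(prefix=".rewrite-", dir=directory)
    try:
        with os.fdopen(fd, "w") as fh:
            for line in lines:
                fh.write(line if line.endswith("\n") else line + "\n")
            fh.flush()
            os.fsync(fh.fileno())  # durable before the rename makes it visible
        os.chmod(tmp, stat.S_IMODE(st.st_mode))  # keep the original permission bits
        if owner is not None:
            os.chown(tmp, owner_uid(owner), st.st_gid)
        # rename(2) replaces the directory entry and never follows a symlink at the
        # destination, so a link planted after the lstat above is overwritten,
        # not written through.
        os.replace(tmp, path)
    except BaseException:
        os.unlink(tmp)  # only reached when the rename did not happen
        raise
    return len(lines)


def demo():
    """Constructed self-check in a temporary directory: a normal rewrite succeeds,
    a planted symlink and a hard-linked target are both refused."""
    results = {}
    with tempfile.TemporaryDirectory() as workdir:
        target = os.path.join(workdir, "mbl.ndb")
        with open(target, "w") as fh:
            fh.write("OLD_SIG:0:*:41\n")
        results["written"] = safe_rewrite(target, ["NEW_SIG:0:*:42"], owner=os.getuid())
        with open(target) as fh:
            results["content"] = fh.read()

        planted = os.path.join(workdir, "planted.ndb")
        os.symlink("/etc/passwd", planted)  # what a compromised clamav account could plant
        try:
            safe_rewrite(planted, ["PWNED"])
            results["symlink_refused"] = False
        except RuntimeError:
            results["symlink_refused"] = True

        try:
            os.link(target, os.path.join(workdir, "alias.ndb"))
        except OSError:
            results["hardlink_refused"] = None  # filesystem without hard links
        else:
            try:
                safe_rewrite(target, ["PWNED"])
                results["hardlink_refused"] = False
            except RuntimeError:
                results["hardlink_refused"] = True
    return results


if __name__ == "__main__":
    print(demo())
```

Running the hook as the clamav account in the first place is still the better fix, since then there is no privilege for a planted link to borrow; these checks are defence in depth for the case where it has to run as root. In a real hook, replace `demo()` with the database path and the filtered lines from your own post-processing, and pass the owner as the account name from your distribution (`clamav`, `clamupdate`, and so on) rather than a number.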

Re: [clamav-users] false positive on MBL_85256034.UNOFFICIAL with Google Drive links
"G.W. Haywood via clamav-users" <clamav-users@lists.clamav.net> writes:

> Hi there,
>
> On Thu, 29 Apr 2021, Robert Kudyba wrote:
>
>> ... no error(s) when I just ran it manually.
>
> There are lots of things in the script which look likely to cause
> issues, so I'd have expected something:
>
> 1. Is your Perl interpreter in /usr/local/bin/? It's often in /usr/bin/.

This is FreeBSD; perl is not part of the base system anymore, so it lives in /usr/local.

>
> 2. The environment is likely to be different when the script runs via
> freshclam from when it runs at the command line,

It is not run by freshclam but by clamav-unofficial-sigs.sh.

> and it's usually bad
> form in scripts to rely on the environment anyway, so in any script of
> this kind I'd use full paths to executables. For example on my system
> these would be
>
> /bin/chown
> /usr/bin/logger
> and
> /usr/local/bin/clamdscan

Agreed, but the script was written in haste to solve a pressing issue, so
I had not been that careful.

Note chown is the Perl function and logger should have been written
using some Perl module, but I was in a hurry :)

>
> but what are they on yours? I'd also use full paths everywhere else
> instead of relative paths. Things can go wrogn ervy kuiqly.
>
> 3. What is uid 110 on your system? On my clamd server it's 'sshd'.
> This means that if I were to run it as root as it is, the script would
> change ownership of the modified files to the wrong user (which would
> break future updates unless root did them) and for other users fail.

110:110 is the anti-virus user (for historical reasons: I was running
Kaspersky for FreeBSD at some stage and the user was hard coded in the anti-virus).

> 4. People store the ClamAV databases in different places. The script
> makes assumptions about them, have you changed them in the script to
> suit your system, and do you have the needed directories?
> /var/db/clamav-unofficial-sigs/post-control/
> /var/db/clamav/

That is all FreeBSD standard places.

> 5. The script does no error checking at all. It's good practice in
> scripts to check the return values of functions which provide them,
> such as 'chdir', 'link', 'unlink', 'chown' and (especially) 'open'.

Agreed too. I usually do it when I have time. Though Perl is pretty
resilient if a file is missing :)

>
>> Is there a sigtool command I can use to check that it worked? I can
>> compare this against another server that I have yet to install this.
>
> sigtool --find-sigs <deleted_signature_name>
>
> should give you an idea of what's happened.
>
> As I warned already, do be careful with this stuff.

The script is provided as is, people are welcome to modify and twist as
they see fit :)

Best regards,

Olivier
