Mailing List Archive

[clamav-users] Cannot ignore BC.Gif.Exploit.Agent-1425366.Agent
clamav is reporting BC.Gif.Exploit.Agent-1425366.Agent for a gif inside of the
gdk-pixbuf2 tarball. I've tried adding it to our local whitelist.ign2 file,
but that doesn't appear to take effect. Any way to ignore this definition?

Thanks,
Orion

--
Orion Poplawski
IT Systems Manager 720-772-5637
NWRA, Boulder/CoRA Office FAX: 303-415-9702
3380 Mitchell Lane orion@nwra.com
Boulder, CO 80301 https://www.nwra.com/
Re: [clamav-users] Cannot ignore BC.Gif.Exploit.Agent-1425366.Agent
Guys,

Found the file causing the issue.
https://gitlab.gnome.org/GNOME/gdk-pixbuf/-/blob/master/tests/test-images/gif-test-suite/max-width.gif

Sincerely,

Eric Tykwinski
TrueNet, Inc.
P: 610-429-8300

_______________________________________________

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
Re: [clamav-users] Cannot ignore BC.Gif.Exploit.Agent-1425366.Agent
Looks like "BC.Gif.Exploit-1425366" finally did the trick. Thanks. Is this
kind of thing documented anywhere?

On 7/21/21 12:33 PM, eric-list@truenet.com wrote:
> Orion,
>
> Did you keep .Agent at the end of the whitelist?
> It should just be BC.Gif.Exploit.Agent-1425366.
>
> I scanned the tarballs at gnome.org and didn't find anything though, but maybe you got it from somewhere else.
>
> Sincerely,
>
> Eric Tykwinski
> TrueNet, Inc.
> P: 610-429-8300
>

--
Orion Poplawski
IT Systems Manager 720-772-5637
NWRA, Boulder/CoRA Office FAX: 303-415-9702
3380 Mitchell Lane orion@nwra.com
Boulder, CO 80301 https://www.nwra.com/
Re: [clamav-users] Cannot ignore BC.Gif.Exploit.Agent-1425366.Agent
A few months ago one of our team observed that adding ign2 entries for bytecode signatures (BC.* signatures) can be confusing. They added these notes in a new task in our Jira:

It looks like bytecode sigs used to need to be allowlisted via ign2 files with entries like the following:
BC.Img.Exploit.CVE_2018_4891-6453673-2.{}

'{}' corresponded to an empty 'VirusName', but for BC sigs that use non-empty ones it would need to be allowlisted as:
BC.Img.Exploit.CVE_2018_4891-6453673-2.{VirusNames}

This commit makes it so that signatures can be allowlisted with just `BC.Img.Exploit.CVE_2018_4891-6453673-2` in the ign2 file: https://github.com/Cisco-Talos/clamav-devel/commit/b2f59861ee1a53c113fd37fe9378f739cc012042

The downsides with this approach are:
- backward compatibility was not preserved, so any existing .ign2 sigs people had for bytecode rules likely stopped working
- it's no longer possible to allowlist specific VirusNames from within a bytecode sig
- currently, bytecode sigs that match with a VirusName will show up as BC.Img.Exploit.CVE_2018_4891-6453673-2.VirusName for the detection name, but the corresponding ign2 entry would have to be `BC.Img.Exploit.CVE_2018_4891-6453673-2`

If we get a chance, we should address some or all of these.


We should definitely document the current behavior and limitations for bytecode signature entries on https://docs.clamav.net/manual/Signatures/AllowLists.html?highlight=fp#file-allow-lists
Orion, if you're interested in helping with the docs, the equivalent page is here: https://github.com/Cisco-Talos/clamav-documentation/blob/main/src/manual/Signatures/AllowLists.md

-Micah


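The allowlisting rule Micah describes above, as an added example that is not part of the thread or of ClamAV's own code: a small Python helper that turns the names in clamscan `FOUND` lines into the `.ign2` entry ClamAV expects (dropping the trailing `.VirusName` from bytecode signatures) and flags existing entries written as the full detection name, which is the mistake the thread started with. The regex's assumption that the signature id is the last `-<digits>` group before any suffix, and the sample scan lines, are mine, not taken from the page.

```python
import re

# Thread rule (Micah's note and the commit he links): a bytecode signature is
# reported as "BC.<Name>-<id>[-<rev>]" plus an optional ".<VirusName>" suffix,
# but the .ign2 entry must be the bare "BC.<Name>-<id>[-<rev>]" part.
# Assumption (not stated on the page): the id is the last "-<digits>" run
# that precedes any VirusName suffix.
_BC_SIG = re.compile(r"^(BC\..+?-\d+(?:-\d+)?)(?:\.(.+))?$")

def ign2_entry(detection_name: str) -> str:
    """Return the .ign2 line that allowlists a name as clamscan reports it."""
    m = _BC_SIG.match(detection_name)
    if m:
        return m.group(1)      # drop ".<VirusName>", keep "BC.<Name>-<id>[-<rev>]"
    return detection_name      # non-bytecode signatures use the full name

def entries_from_scan(scan_output: str) -> dict:
    """Map every name in clamscan 'path: NAME FOUND' lines to its ign2 entry."""
    entries = {}
    for line in scan_output.splitlines():
        if line.endswith(" FOUND"):
            name = line[: -len(" FOUND")].rsplit(": ", 1)[-1]
            entries[name] = ign2_entry(name)
    return entries

def check_ign2(ign2_text: str) -> list:
    """List (entry, replacement) for ign2 lines that still carry a VirusName suffix."""
    problems = []
    for raw in ign2_text.splitlines():
        entry = raw.strip()
        if entry and ign2_entry(entry) != entry:
            problems.append((entry, ign2_entry(entry)))
    return problems

# Constructed sample data, modelled on the names quoted in this thread.
SCAN_OUTPUT = """\
gdk-pixbuf/tests/test-images/gif-test-suite/max-width.gif: BC.Gif.Exploit.Agent-1425366.Agent FOUND
sample.pdf: BC.Img.Exploit.CVE_2018_4891-6453673-2.VirusName FOUND
eicar.com: Win.Test.EICAR_HDB-1 FOUND
notes.txt: OK
"""
IGN2_FIRST_TRY = "BC.Gif.Exploit.Agent-1425366.Agent\n"   # full name: does not match

if __name__ == "__main__":
    for name, entry in entries_from_scan(SCAN_OUTPUT).items():
        print(f"{name:55} -> {entry}")
    for entry, fix in check_ign2(IGN2_FIRST_TRY):
        print(f"ign2 line {entry!r} will not match; use {fix!r}")
```

Note that, as Micah points out, this also means a single VirusName from within one bytecode signature cannot be allowlisted on its own; the entry silences the whole bytecode signature.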
Re: [clamav-users] Cannot ignore BC.Gif.Exploit.Agent-1425366.Agent
Hi there,

On Wed, 21 Jul 2021, Orion Poplawski via clamav-users wrote:

> clamav is reporting BC.Gif.Exploit.Agent-1425366.Agent for a gif inside of the
> gdk-pixbuf2 tarball. I've tried adding it to our local whitelist.ign2 file,
> but that doesn't appear to take effect. Any way to ignore this definition?

It's all very confusing. You need to use

BC.Gif.Exploit.Agent-1425366

and not

BC.Gif.Exploit.Agent-1425366.Agent

in the .ign2 file.

--

73,
Ged.
