Mailing List Archive

[clamav-users] clamdscan versus clamscan detection
Hello,

I have received a file that is not detected by clamdscan, but is by
clamscan:

% clamdscan /home/uhlar/intamldeosreitlu.xls
/home/uhlar/intamldeosreitlu.xls: OK

% clamscan /home/uhlar/intamldeosreitlu.xls
/home/uhlar/intamldeosreitlu.xls: Doc.Downloader.Qbot03222-9942295-0 FOUND
/home/uhlar/intamldeosreitlu.xls: OK

file permissions seem not to be the problem (file is publicly readable)

This is debian 11 installation, I have regenerated clamd.conf via
"dpkg-reconfigure clamav-daemon" and I can't find out which options to
change to make clamdscan detect the file.

Does anyone have an idea?

--
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do not want to receive any advertising mail at this address.
He who laughs last thinks slowest.

_______________________________________________

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
Re: [clamav-users] clamdscan versus clamscan detection
Hi,

https://www.mail-archive.com/clamav-users@lists.clamav.net/msg51769.html

It's the same situation. The virus is detected, but the file is "clean", you can
see it in the summary.

Best regards,
Petr Jurášek

On 31. 03. 22 at 10:55 Matus UHLAR - fantomas wrote:
> Hello,
>
> I have received a file that is not detected by clamdscan, but is by
> clamscan:
>
> % clamdscan /home/uhlar/intamldeosreitlu.xls
> /home/uhlar/intamldeosreitlu.xls: OK
>
> % clamscan /home/uhlar/intamldeosreitlu.xls
> /home/uhlar/intamldeosreitlu.xls: Doc.Downloader.Qbot03222-9942295-0
> FOUND
> /home/uhlar/intamldeosreitlu.xls: OK
>
> file permissions seem not to be the problem (file is publicly readable)
>
> This is debian 11 installation, I have regenerated clamd.conf via
> "dpkg-reconfigure clamav-daemon" and I can't find out which options to
> change to make clamdscan detect the file.
>
> Does anyone have an idea?
>
Re: [clamav-users] clamdscan versus clamscan detection
On 31.03.22 11:02, Petr Jurášek via clamav-users wrote:
>https://www.mail-archive.com/clamav-users@lists.clamav.net/msg51769.html
>
>It's the same situation. The virus is detected, but the file is "clean", you can
>see it in the summary.

Looks like that. I completely missed it.

% clamscan intamldeosreitlu.xls
/home/uhlar/intamldeosreitlu.xls: Doc.Downloader.Qbot03222-9942295-0 FOUND
/home/uhlar/intamldeosreitlu.xls: OK

Infected files: 0

% clamscan -z intamldeosreitlu.xls
/home/uhlar/intamldeosreitlu.xls: Doc.Downloader.Qbot03222-9942295-0 FOUND
/home/uhlar/intamldeosreitlu.xls: Doc.Downloader.Qbot03222-9942295-0 FOUND

Infected files: 1

Funny that the -z option causes clamdscan to find the file in subsequent scans:

% clamdscan intamldeosreitlu.xls
/home/uhlar/intamldeosreitlu.xls: OK

Infected files: 0

% clamdscan -z intamldeosreitlu.xls
/home/uhlar/intamldeosreitlu.xls: Doc.Downloader.Qbot03222-9942295-0 FOUND
/home/uhlar/intamldeosreitlu.xls: Doc.Downloader.Qbot03222-9942295-0 FOUND

Infected files: 1

% clamdscan intamldeosreitlu.xls
/home/uhlar/intamldeosreitlu.xls: Doc.Downloader.Qbot03222-9942295-0 FOUND
/home/uhlar/intamldeosreitlu.xls: Doc.Downloader.Qbot03222-9942295-0 FOUND

Infected files: 2



>On 31. 03. 22 at 10:55 Matus UHLAR - fantomas wrote:
>>I have received a file that is not detected by clamdscan, but is by
>>clamscan:
>>
>>% clamdscan /home/uhlar/intamldeosreitlu.xls
>>/home/uhlar/intamldeosreitlu.xls: OK
>>
>>% clamscan /home/uhlar/intamldeosreitlu.xls
>>/home/uhlar/intamldeosreitlu.xls: Doc.Downloader.Qbot03222-9942295-0
>>FOUND
>>/home/uhlar/intamldeosreitlu.xls: OK
>>
>>file permissions seem not to be the problem (file is publicly readable)
>>
>>This is debian 11 installation, I have regenerated clamd.conf via
>>"dpkg-reconfigure clamav-daemon" and I can't find out which options
>>to change to make clamdscan detect the file.

--
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do not want to receive any advertising mail at this address.
Windows found: (R)emove, (E)rase, (D)elete

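The output above, where the same file gets a FOUND line and an OK line and the summary still says "Infected files: 0", is exactly what bites any wrapper that keys on the summary alone. The following is an added example, not code from this thread or from ClamAV: it parses clamscan/clamdscan per-file result lines, treats a file as infected if any line for it says FOUND regardless of a later OK, and reports when the summary count disagrees with that. The sample output is constructed from the lines quoted in the thread; the summary banner is the standard clamscan one.

```python
"""Decide clamscan/clamdscan verdicts from per-file result lines, not the summary.

Added example (not from the thread or from ClamAV). SAMPLE_OUTPUT below is
constructed from the lines quoted in the thread.
"""
import re

# clamscan prints one line per scanned object: "<path>: <signature> FOUND" or
# "<path>: OK". Signature names contain no spaces, so "FOUND" is matched from
# the right; a path containing ": " still parses.
_FOUND_RE = re.compile(r"^(?P<path>.+): (?P<sig>\S+) FOUND$")
_OK_RE = re.compile(r"^(?P<path>.+): OK$")
_SUMMARY_RE = re.compile(r"^Infected files: (?P<n>\d+)$")

# Constructed sample reproducing the behaviour reported in the thread: the same
# path gets both a FOUND line and an OK line, and the summary counts zero.
SAMPLE_OUTPUT = """\
/home/uhlar/intamldeosreitlu.xls: Doc.Downloader.Qbot03222-9942295-0 FOUND
/home/uhlar/intamldeosreitlu.xls: OK

----------- SCAN SUMMARY -----------
Infected files: 0
"""


def parse_scan_output(text):
    """Return (verdicts, summary_count).

    verdicts maps each path to the sorted list of signatures reported for it;
    an empty list means the path was only ever reported OK. summary_count is
    the number from the "Infected files:" line, or None if there is none.
    """
    verdicts = {}
    summary_count = None
    for line in text.splitlines():
        line = line.rstrip()
        m = _FOUND_RE.match(line)
        if m:
            verdicts.setdefault(m.group("path"), set()).add(m.group("sig"))
            continue
        m = _OK_RE.match(line)
        if m:
            verdicts.setdefault(m.group("path"), set())
            continue
        m = _SUMMARY_RE.match(line)
        if m:
            summary_count = int(m.group("n"))
    return {p: sorted(s) for p, s in verdicts.items()}, summary_count


def infected_paths(text):
    """Paths with at least one FOUND line; a later OK line does not clear them."""
    verdicts, _ = parse_scan_output(text)
    return sorted(p for p, sigs in verdicts.items() if sigs)


def summary_disagrees(text):
    """True when the "Infected files:" count differs from the FOUND lines seen."""
    _, summary_count = parse_scan_output(text)
    return summary_count is not None and summary_count != len(infected_paths(text))


if __name__ == "__main__":
    import sys
    # Pipe real scanner output in, or fall back to the constructed sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_OUTPUT
    for path in infected_paths(text):
        print("INFECTED", path)
    if summary_disagrees(text):
        print("warning: summary count disagrees with per-file FOUND lines")
```

Feed it the captured output (for example `clamdscan --fdpass /path | python3 verdict.py`) and act on `infected_paths`, not on the summary line; the disagreement check is what would have surfaced this case in a batch job.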
Re: [clamav-users] clamdscan versus clamscan detection
On Thu, 31 Mar 2022, Matus UHLAR - fantomas wrote:

> Hello,
>
> I have received a file that is not detected by clamdscan, but is by clamscan:
>
> % clamdscan /home/uhlar/intamldeosreitlu.xls
> /home/uhlar/intamldeosreitlu.xls: OK
>
> % clamscan /home/uhlar/intamldeosreitlu.xls
> /home/uhlar/intamldeosreitlu.xls: Doc.Downloader.Qbot03222-9942295-0 FOUND
> /home/uhlar/intamldeosreitlu.xls: OK
>
> file permissions seem not to be the problem (file is publicly readable)
>
> This is debian 11 installation, I have regenerated clamd.conf via
> "dpkg-reconfigure clamav-daemon" and I can't find out which options to change
> to make clamdscan detect the file.
>
> Does anyone have an idea?

Do
clamscan --version
and
clamdscan --version
report the same ?

I have had freshclam update the database, so clamscan sees the new
definitions, and then clamd fail to reload the new definitions, so
clamdscan still uses the old ones :-(

--
Andrew C. Aitchison Kendal, UK
andrew@aitchison.me.uk

Re: [clamav-users] clamdscan versus clamscan detection
Hi,

Yes, same version:
# clamscan --version
ClamAV 0.103.5/26498/Thu Mar 31 10:19:05 2022
# clamdscan --version
ClamAV 0.103.5/26498/Thu Mar 31 10:19:05 2022

But the file isn't detected by clamscan - both (clamscan/clamdscan) report
that the file is clean. Only clamscan writes some debug output with the virus
detection, or detects it with -z.

Petr

On 31. 03. 22 at 12:37 Andrew C Aitchison wrote:
>
> On Thu, 31 Mar 2022, Matus UHLAR - fantomas wrote:
>
>> Hello,
>>
>> I have received a file that is not detected by clamdscan, but is by
>> clamscan:
>>
>> % clamdscan /home/uhlar/intamldeosreitlu.xls
>> /home/uhlar/intamldeosreitlu.xls: OK
>>
>> % clamscan /home/uhlar/intamldeosreitlu.xls
>> /home/uhlar/intamldeosreitlu.xls: Doc.Downloader.Qbot03222-9942295-0
>> FOUND
>> /home/uhlar/intamldeosreitlu.xls: OK
>>
>> file permissions seem not to be the problem (file is publicly readable)
>>
>> This is debian 11 installation, I have regenerated clamd.conf via
>> "dpkg-reconfigure clamav-daemon" and I can't find out which options
>> to change to make clamdscan detect the file.
>>
>> Does anyone have an idea?
>
> Do
>       clamscan --version
> and
>       clamdscan --version
> report the same ?
>
> I have had freshclam update the database, so clamscan sees the new
> definitions, and then clamd fail to reload the new definitions, so
> clamdscan still uses the old ones :-(
>
Re: [clamav-users] clamdscan versus clamscan detection
>On 31.03.22 11:02, Petr Jurášek via clamav-users wrote:
>>https://www.mail-archive.com/clamav-users@lists.clamav.net/msg51769.html
>>
>>It's the same situation. The virus is detected, but the file is "clean", you
>>can see it in the summary.

On 31.03.22 12:18, Matus UHLAR - fantomas wrote:
>looks like that. I completely missed it.


FYI
https://github.com/Cisco-Talos/clamav/issues/521


--
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do not want to receive any advertising mail at this address.
Support bacteria - they're the only culture some people have.

Re: [clamav-users] clamdscan versus clamscan detection
Matus UHLAR - fantomas wrote:
> On 31.03.22 11:02, Petr Jurášek via clamav-users wrote:
>> https://www.mail-archive.com/clamav-users@lists.clamav.net/msg51769.html
>>
>> It's the same situation. The virus is detected, but the file is "clean", you can
>> see it in the summary.
>
> looks like that. I completely missed it.

[snip mix-n-match results]

*nods* I've been trying to coherently describe the sets of interactions
for a bug report, but it's not making a lot of sense from the outside.

From the sets of files I've come across, I've found the following.

Component files as left by clamscan --leave-temps are not always matched
correctly.

Both hash and pattern signatures for various component files will do one of:

- Work correctly:

$ clamscan -d foo.hdb nastyfile.xls
nastyfile.xls: foosig.UNOFFICIAL FOUND
[...]
Infected files: 1

- Match/don't-match with two result lines and "Infected files: 0"
$ clamscan -d foo.hdb nastyfile.xls
nastyfile.xls: foosig.UNOFFICIAL FOUND
nastyfile.xls: OK
[...]
Infected files: 0

Most prevalent on this series of files, creating pretty much any
signature for the component/fragment file that appears to always extract
as e3af082cc2ec644830a69ddafe5abe31_1, and which the "file" utility tags
as "Applesoft BASIC program data".

- Double-match with multiple result lines listing the same signature:
$ clamscan -d foo.hdb --allmatch nastyfile.xls
nastyfile.xls: foosig.UNOFFICIAL FOUND
nastyfile.xls: foosig.UNOFFICIAL FOUND
[...]
Infected files: 1

This case also covers having *multiple* different signatures - either of
the same type or different types - that should each match different
files from --leave-temps.

- Don't match at all:
$ clamscan -d foo.hdb nastyfile.xls
nastyfile.xls: OK
[...]
Infected files: 0

This case usually happens for signatures based on what appears to be a
generated datastructure reference file, xlm_macros.[hash], however I'm
pretty sure one of the other extracted files from --leave-temps did the
same thing.

===

Blind brute-force pattern (.ndb) signatures on the raw file appear to
match OK.

At this point I've just fallen back to brute-force pattern signatures,
generated from multiple samples by a script that runs sigtool --hex-dump
on each one, filters out mismatched bytes, and compacts long runs of
mismatched bytes to {nn}. These are grossly oversized signatures (~~1K
characters), but they work.

-kgd
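The brute-force pattern approach described in the message above (hex-dump each sample, keep the bytes that agree, turn disagreeing bytes into wildcards and compact long runs to {nn}), in a runnable form. This is an added example, not kgd's script and not ClamAV code: it converts the bytes to hex in Python instead of calling `sigtool --hex-dump`, assumes the samples are byte-aligned (it compares them position by position up to the shortest one), and the signature name, the sample bytes, the run-length threshold of 4 and the literal-byte floor of 8 are all made up for illustration. The emitted line is in .ndb form (MalwareName:TargetType:Offset:HexSignature, target type 0 = any file, offset `*` = anywhere); test the result with `clamscan -d generated.ndb sample` on real samples before deploying it.

```python
"""Build a brute-force .ndb pattern signature from several aligned samples.

Added example, not kgd's script and not ClamAV code. Samples are compared byte
by byte up to the shortest one; bytes that agree become literals, bytes that
differ become wildcards ("??" per byte, or "{n}" for runs of at least
compact_from bytes).
"""


def common_pattern(samples):
    """Return a token list of ("lit", byte_value) or ("wild", run_length).

    Leading and trailing wildcard runs are dropped: they anchor nothing.
    """
    if not samples:
        raise ValueError("need at least one sample")
    n = min(len(s) for s in samples)
    tokens = []
    for i in range(n):
        column = {s[i] for s in samples}
        if len(column) == 1:
            tokens.append(("lit", samples[0][i]))
        elif tokens and tokens[-1][0] == "wild":
            tokens[-1] = ("wild", tokens[-1][1] + 1)
        else:
            tokens.append(("wild", 1))
    while tokens and tokens[0][0] == "wild":
        tokens.pop(0)
    while tokens and tokens[-1][0] == "wild":
        tokens.pop()
    return tokens


def literal_byte_count(tokens):
    """Number of fixed bytes the pattern actually pins down."""
    return sum(1 for kind, _ in tokens if kind == "lit")


def render_hex(tokens, compact_from=4):
    """Render tokens as a ClamAV hex signature body.

    "??" matches any single byte and "{n}" matches exactly n bytes; runs
    shorter than compact_from are written as repeated "??" (the threshold is a
    choice of this example, not a ClamAV rule).
    """
    parts = []
    for kind, value in tokens:
        if kind == "lit":
            parts.append(f"{value:02x}")
        elif value >= compact_from:
            parts.append(f"{{{value}}}")
        else:
            parts.append("??" * value)
    return "".join(parts)


def build_ndb_signature(name, samples, target_type=0, offset="*",
                        compact_from=4, min_literals=8):
    """Return one .ndb line: MalwareName:TargetType:Offset:HexSignature.

    min_literals is this example's own sanity floor, not ClamAV's rule: a
    pattern that is mostly wildcards matches far more than the samples it was
    built from.
    """
    tokens = common_pattern(samples)
    literals = literal_byte_count(tokens)
    if literals < min_literals:
        raise ValueError(f"only {literals} literal bytes survive; refusing to emit")
    return f"{name}:{target_type}:{offset}:{render_hex(tokens, compact_from)}"


# Constructed samples (not real malware): a shared OLE2 magic, a 4-byte field
# that varies per sample, a fixed marker, a 1-byte counter and a fixed tail.
OLE2_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")
SAMPLES = [
    OLE2_MAGIC + b"AAAA" + b"MAGIC" + b"1" + b"tail1",
    OLE2_MAGIC + b"BBBB" + b"MAGIC" + b"2" + b"tail2",
    OLE2_MAGIC + b"CCCC" + b"MAGIC" + b"3" + b"tail3",
]

if __name__ == "__main__":
    # Hypothetical signature name; ClamAV appends .UNOFFICIAL to third-party
    # database names itself when scanning with -d.
    print(build_ndb_signature("Doc.Example.Generated", SAMPLES))
```

On the constructed samples this yields `d0cf11e0a1b11ae1{4}4d41474943??7461696c`, which is the general shape kgd describes: long literal runs separated by exact-length wildcards. Real samples produce far longer lines, and the more of the pattern that is wildcard the more it will match beyond the family it was cut from, hence the literal-byte floor.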

