
[clamav-users] CVE_2021_4034-9951522 false positives on node executables
Hi,

about a month ago I reported a possible false positive on nodejs executables and related files [1]. After checking with Jotti’s Virus Scan and Virustotal, I also (twice) submitted the files to the ClamAV website as false positives [2].

I haven’t received a notification after the false positive submissions and, meanwhile, newer versions of nodejs are still reported as being infected.

What else can I do to verify that this is indeed a false positive?

Best,
Viktor

[1] https://lists.clamav.net/pipermail/clamav-users/2022-June/012717.html
[2] https://www.clamav.net/reports/fp
_______________________________________________

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/Cisco-Talos/clamav-documentation

https://docs.clamav.net/#mailing-lists-and-chat
Re: [clamav-users] CVE_2021_4034-9951522 false positives on node executables
Hi there,

On Mon, 1 Aug 2022, Viktor Rosenfeld via clamav-users wrote:

> about a month ago I reported a possible false positive on nodejs
> executables and related files [1]. After checking with Jotti’s Virus
> Scan and Virustotal, I also (twice) submitted the files to the
> ClamAV website as false positives [2].
>
> I haven’t received a notification after the false positive
> submissions and, meanwhile, newer versions of nodejs are still
> reported as being infected.
>
> What else can I do to verify that this is indeed a false positive?
>
> Best,
> Viktor
>
> [1] https://lists.clamav.net/pipermail/clamav-users/2022-June/012717.html
> [2] https://www.clamav.net/reports/fp

If this is indeed a false positive, given the popularity of node.js
I'm a little surprised that you're still seeing ClamAV hits as I'd
have expected the ClamAV signature team to be onto it fairly promptly.

The signature database has the facility to whitelist falsely flagged
files using a digest. These are propagated with the 'daily' updates.
Are you sure that your signature database is up to date? What version
of 'daily' do you have?

If you can post an example file somewhere for me to download I can
take a look at it. (Alternatively post a link to where you got the
file, AND the MD5 digest of the file that ClamAV is flagging so that
we all know that we're looking at the same thing.)

Micah, may we have an authoritative opinion on the use of the virusdb
mailing list to report things like this? I feel sure that a while ago
in one of your messages to this list you gave an email alternative to
the Web form for FP submissions. If indeed such a message exists (and
I haven't found it) I can't remember what that alternative might be.

--

73,
Ged.
Re: [clamav-users] CVE_2021_4034-9951522 false positives on node executables
I downloaded and installed both current versions of Node.js 16.16.0 LTS & 18.7.0 from <https://nodejs.org/en/> and no infected files were found.

-Al-
--
ClamXAV user

Re: [clamav-users] CVE_2021_4034-9951522 false positives on node executables
Hi,

Is it possible that the infected file is only found in arm64 versions? When I go to https://nodejs.org/en/, it prompts me to download files for x64. However, I am on an Apple Air M1 and I just verified that the installed node binary is an arm64 executable.

Cheers,
Viktor

Re: [clamav-users] CVE_2021_4034-9951522 false positives on node executables
Hi Ged,

> Am 01.08.2022 um 12:20 schrieb G.W. Haywood <clamav@jubileegroup.co.uk>:
>
> The signature database has the facility to whitelist falsely flagged
> files using a digest. These are propagated with the 'daily' updates.
> Are you sure that your signature database is up to date? What version
> of 'daily' do you have?

I always run freshclam before clamscan. See the output below.

22:51 hesk@kenny:~ $ freshclam
ClamAV update process started at Mon Aug 1 22:51:52 2022
daily.cld database is up-to-date (version: 26615, sigs: 1992518, f-level: 90, builder: raynman)
main.cvd database is up-to-date (version: 62, sigs: 6647427, f-level: 90, builder: sigmgr)
bytecode.cvd database is up-to-date (version: 333, sigs: 92, f-level: 63, builder: awillia2)
22:51 hesk@kenny:~ $ clamscan /opt/homebrew/Cellar/node/18.7.0/bin/node
Loading: 7s, ETA: 0s [========================>] 8.62M/8.62M sigs
Compiling: 2s, ETA: 0s [========================>] 41/41 tasks

/opt/homebrew/Cellar/node/18.7.0/bin/node: Osx.Exploit.CVE_2021_4034-9951522-1 FOUND

----------- SCAN SUMMARY -----------
Known viruses: 8624548
Engine version: 0.105.1
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 40.39 MB
Data read: 37.92 MB (ratio 1.06:1)
Time: 10.480 sec (0 m 10 s)
Start Date: 2022:08:01 22:52:20
End Date: 2022:08:01 22:52:30


> If you can post an example file somewhere for me to download I can
> take a look at it. (Alternatively post a link to where you got the
> file, AND the MD5 digest of the file that ClamAV is flagging so that
> we all know that we're looking at the same thing.)

I’m using Homebrew to install nodejs. Below is the curl command that downloads the file (taken from debug output) and the MD5 hash.

curl --disable --cookie /dev/null --globoff --show-error --user-agent Homebrew/3.5.6-73-ge217fd3\ \(Macintosh\;\ arm64\ Mac\ OS\ X\ 12.5\)\ curl/7.79.1 --header Accept-Language:\ en --fail --progress-bar --retry 3 --location --remote-time --output node--18.7.0.arm64_monterey.bottle.tar.gz https://pkg-containers.githubusercontent.com/ghcr1/blobs/sha256:5bc3bbc7796679a30ef86748accee8170fad11bccea0fcc1fc129f2a51b4b6fa\?se=2022-08-01T21\%3A05\%3A00Z\&sig=4J7BjIWzJ12h4lS5\%2FBL8zdhsYKLZFPS1j\%2BX4iWgdQ3s\%3D\&sp=r\&spr=https\&sr=b\&sv=2019-12-12

MD5 (node/18.7.0/bin/node) = bd689141b74bf1c9d897d25aa6878a85

Cheers,
Viktor
Re: [clamav-users] CVE_2021_4034-9951522 false positives on node executables
That's the only thing I can think of. I had node 18.6.0 and I'm running
ClamAV 0.105.0. That detected the node binary as having the same virus.
However, when I upload and scan the binary with VirusTotal, their install
of ClamAV does not detect it.

Similarly, after I upgraded to node 18.7.0, my local install of ClamAV
still detected it with the same virus. And, again, when I uploaded it to
VirusTotal, it came back as clean.

Running clamscan with --leave-temps and setting a --tempdir, I get no
temporary files left behind.

Additionally, using the 'strings' command to get any/all ASCII strings from
the binary (yes, I know it doesn't always help) doesn't show anything...

That being said, the signature does seem to be poorly written and likely to
catch lots of false positives...

It's looking for more than one occurrence of "/usr/bin/pkexec" *and*
CMDTOEXECUTE=
*and* NOTTY= *and* NOTTY_PORT= *and* GCONV_PATH= ...
OR more than 3 occurrences of the "Unable to" messages (any of them) ...
OR more than 1 occurrence of the woody paths or 'payload.so'

VIRUS NAME: Osx.Exploit.CVE_2021_4034-9951522-1
TDB: Engine:91-255,Target:9
LOGICAL EXPRESSION: (0&1&2&3&4)>1|(5|6|7|8)>3|(9|10|11)>1
* SUBSIG ID 0
+-> OFFSET: ANY
+-> SIGMOD: NONE
+-> DECODED SUBSIGNATURE:
/usr/bin/pkexec
* SUBSIG ID 1
+-> OFFSET: ANY
+-> SIGMOD: NONE
+-> DECODED SUBSIGNATURE:
CMDTOEXECUTE=
* SUBSIG ID 2
+-> OFFSET: ANY
+-> SIGMOD: NONE
+-> DECODED SUBSIGNATURE:
NOTTY=
* SUBSIG ID 3
+-> OFFSET: ANY
+-> SIGMOD: NONE
+-> DECODED SUBSIGNATURE:
NOTTY_PORT=
* SUBSIG ID 4
+-> OFFSET: ANY
+-> SIGMOD: NONE
+-> DECODED SUBSIGNATURE:
GCONV_PATH=
* SUBSIG ID 5
+-> OFFSET: ANY
+-> SIGMOD: NONE
+-> DECODED SUBSIGNATURE:
Unable to execute pkexec
* SUBSIG ID 6
+-> OFFSET: ANY
+-> SIGMOD: NONE
+-> DECODED SUBSIGNATURE:
Unable to write payload
* SUBSIG ID 7
+-> OFFSET: ANY
+-> SIGMOD: NONE
+-> DECODED SUBSIGNATURE:
Unable to make tmp dir
* SUBSIG ID 8
+-> OFFSET: ANY
+-> SIGMOD: NONE
+-> DECODED SUBSIGNATURE:
Unable to write gconv module
* SUBSIG ID 9
+-> OFFSET: ANY
+-> SIGMOD: NONE
+-> DECODED SUBSIGNATURE:
/Users/woody/Downloads/vul/poc-cve-2021-4034-main/exploit.go
* SUBSIG ID 10
+-> OFFSET: ANY
+-> SIGMOD: NONE
+-> DECODED SUBSIGNATURE:
/Users/woody/Downloads/vul/poc-cve-2021-4034-main/payload/payload.go
* SUBSIG ID 11
+-> OFFSET: ANY
+-> SIGMOD: NONE
+-> DECODED SUBSIGNATURE:
payload.so

And it's that last one that is triggering the virus detection...
lothlorien:~$ grep -a payload.so node
ArrayPrototypeIndexOf(payload.sources, originalSourcePath);
if (payload.sourcesContent?.[sourceContentIndex]) {
source = payload.sourcesContent[sourceContentIndex];

There are no occurrences of sub-signatures 0 through 10... but there are 3
occurrences of sub-signature 11 and the way that the logical expression is
written, that's enough to trigger the detection.

--Maarten



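The evaluation Maarten walks through above, as an added example (not ClamAV's code and not from the thread): a small evaluator for the signature's logical expression over per-sub-signature occurrence counts, run on the three JavaScript lines grep found in the node binary. It assumes the count semantics the thread describes ('|' totals the occurrences of its operands, '&' totals them only when every operand matched, '>N' compares that total), which is an assumption and has not been checked against the engine source.

```python
"""Model of the logical-signature evaluation discussed in the thread.

Added example, not ClamAV's own code. The sub-signature strings and the
logical expression are copied from the sigtool output in the thread.
ASSUMPTION (not verified against the engine): '|' totals the occurrence
counts of its operands, '&' totals them only when every operand matched
at least once, and '(...)>N' is true when that total exceeds N.
"""
import re

SUBSIGS = [
    b"/usr/bin/pkexec",                                                        # 0
    b"CMDTOEXECUTE=",                                                          # 1
    b"NOTTY=",                                                                 # 2
    b"NOTTY_PORT=",                                                            # 3
    b"GCONV_PATH=",                                                            # 4
    b"Unable to execute pkexec",                                               # 5
    b"Unable to write payload",                                                # 6
    b"Unable to make tmp dir",                                                 # 7
    b"Unable to write gconv module",                                           # 8
    b"/Users/woody/Downloads/vul/poc-cve-2021-4034-main/exploit.go",           # 9
    b"/Users/woody/Downloads/vul/poc-cve-2021-4034-main/payload/payload.go",   # 10
    b"payload.so",                                                             # 11
]
CLAUSES = ["(0&1&2&3&4)>1", "(5|6|7|8)>3", "(9|10|11)>1"]
EXPRESSION = "|".join(CLAUSES)

# Constructed sample: the three lines grep found in the node binary stand
# in for the whole 40 MB executable.
NODE_SNIPPET = (
    b"ArrayPrototypeIndexOf(payload.sources, originalSourcePath);\n"
    b"if (payload.sourcesContent?.[sourceContentIndex]) {\n"
    b"source = payload.sourcesContent[sourceContentIndex];\n"
)


def count_subsigs(data):
    """Plain substring counts: 'payload.so' also matches inside 'payload.sources'."""
    return [data.count(s) for s in SUBSIGS]


class _Evaluator:
    """Recursive descent: expr := term ('|' term)*; term := factor ('&' factor)*;
    factor := '(' expr ')' [('<'|'>'|'=') N] | subsig_id."""

    def __init__(self, expr, counts):
        self.toks = re.findall(r"\d+|[()&|<>=]", expr)
        self.pos, self.counts = 0, counts

    def _peek(self):
        return self.toks[self.pos] if self.pos < len(self.toks) else None

    def _take(self):
        self.pos += 1
        return self.toks[self.pos - 1]

    def expr(self):
        total = self.term()
        while self._peek() == "|":
            self._take()
            total += self.term()          # OR: total of the operands
        return total

    def term(self):
        vals = [self.factor()]
        while self._peek() == "&":
            self._take()
            vals.append(self.factor())
        return sum(vals) if all(vals) else 0   # AND: all must have matched

    def factor(self):
        tok = self._take()
        if tok != "(":
            return self.counts[int(tok)]
        val = self.expr()
        if self._take() != ")":
            raise ValueError("unbalanced parentheses")
        if self._peek() in ("<", ">", "="):
            op, n = self._take(), int(self._take())
            return int(val < n if op == "<" else val > n if op == ">" else val == n)
        return val


def evaluate(expr, counts):
    """True when the expression matches for the given occurrence counts."""
    return _Evaluator(expr, counts).expr() > 0


def fired_clauses(data):
    """Which top-level clauses of the signature the data satisfies."""
    counts = count_subsigs(data)
    return [c for c in CLAUSES if evaluate(c, counts)]


if __name__ == "__main__":
    print(count_subsigs(NODE_SNIPPET), fired_clauses(NODE_SNIPPET))
```

Only the third clause fires, and only because the substring "payload.so" is counted three times inside "payload.sources"; the same data with a single occurrence does not match.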
Re: [clamav-users] CVE_2021_4034-9951522 false positives on node executables
Hi Viktor,

On Tue, 2 Aug 2022, Viktor Rosenfeld via clamav-users wrote:

> 22:51 hesk@kenny:~ $ clamscan /opt/homebrew/Cellar/node/18.7.0/bin/node
> Loading: 7s, ETA: 0s [========================>] 8.62M/8.62M sigs
> Compiling: 2s, ETA: 0s [========================>] 41/41 tasks
>
> /opt/homebrew/Cellar/node/18.7.0/bin/node: Osx.Exploit.CVE_2021_4034-9951522-1 FOUND
> ...

> On Tue, 2 Aug 2022, G.W.Haywood via clamav-users wrote:
> ...
> > If you can post ... a link to where you got the file, AND the MD5 ...
>
> I'm using Homebrew to install nodejs. Below is the curl command that downloads ...

After several attempts using variations of your curl command I failed
to grab the file, so I took the tarballs (like Al - in fact I grabbed
three, the 16.x ARM and X64 versions and the 18.x ARM version) from
https://nodejs.org and simply unpacked them to a scratch directory to
scan them. The results are different from yours, see below.

On Tue, 2 Aug 2022, Viktor Rosenfeld via clamav-users wrote:

> MD5 (node/18.7.0/bin/node) = bd689141b74bf1c9d897d25aa6878a85

I didn't get the same MD5 for the file

6b8627f0b1327ffee606314125862e27 node-v18.7.0-darwin-arm64/bin/node

so I wonder what's up there. As it isn't the same file that you have
I didn't bother to scan it, but see below for 'strings' etc.

On Tue, 2 Aug 2022, Maarten Broekman via clamav-users wrote:

> Additionally, using the 'strings' command to get any/all ASCII
> strings from the binary (yes, I know it doesn't always help) doesn't
> show anything...

I don't see the same result at all:

8<----------------------------------------------------------------------
$ strings ./node-v18.7.0-darwin-arm64/bin/node | perl -ne 'if(/[a-zA-Z]{5,}/){print;}' | head -n 10
__PAGEZERO
__stubs
__stub_helper
__cstring
__const
__ustring
__oslogstring
__unwind_info
__eh_frame
__DATA_CONST
8<----------------------------------------------------------------------

Lots of strings in there.

A clamd scan of the entire directory tree found this:

node-v16.16.0-darwin-arm64/lib/node_modules/npm/node_modules/imurmurhash/imurmurhash.min.js: PUA.Win.Trojan.Xored-1 FOUND
node-v16.16.0-darwin-x64/lib/node_modules/npm/node_modules/imurmurhash/imurmurhash.min.js: PUA.Win.Trojan.Xored-1 FOUND
node-v18.7.0-darwin-arm64/lib/node_modules/npm/node_modules/imurmurhash/imurmurhash.min.js: PUA.Win.Trojan.Xored-1 FOUND

As you can see we run with 'PUA' signatures enabled, see

https://docs.clamav.net/faq/faq-misc.html?highlight=false%20positive#what-is-pua-i-get-a-lot-of-false-positives-named-pua

and e.g. the clamscan and clamd.conf 'man' pages for more about PUAs.

This is PUA.Win.Trojan.Xored-1 (it's in 'daily'):

8<----------------------------------------------------------------------
$ sigtool --find-sigs 'PUA.Win.Trojan.Xored-1' | sigtool --decode-sigs
VIRUS NAME: PUA.Win.Trojan.Xored-1
TARGET TYPE: HTML
OFFSET: *
DECODED SIGNATURE:
charcodeat({WILDCARD_ANY_STRING(LENGTH<=5)})^
8<----------------------------------------------------------------------

It's just looking for the string 'charcodeat(X)' where X is a string
of 5 or fewer characters. Pretty generic, I'm amazed that we don't
see more FPs than we do from that source.

The three files in which this is found are identical in the three archives:

8<----------------------------------------------------------------------
$ md5sum .../*/imurmurhash.min.js
52d2eb410de1c9e0758ef562289289fa node-v16.16.0-darwin-arm64/lib/node_modules/npm/node_modules/imurmurhash/imurmurhash.min.js
52d2eb410de1c9e0758ef562289289fa node-v16.16.0-darwin-x64/lib/node_modules/npm/node_modules/imurmurhash/imurmurhash.min.js
52d2eb410de1c9e0758ef562289289fa node-v18.7.0-darwin-arm64/lib/node_modules/npm/node_modules/imurmurhash/imurmurhash.min.js

$ grep -ci charcodeat ./node-v18.7.0-darwin-arm64/lib/node_modules/npm/node_modules/imurmurhash/imurmurhash.min.js
1
8<----------------------------------------------------------------------

You can easily create your own FP entries in the database, see the
documentation at

https://docs.clamav.net/manual/Signatures/AllowLists.html

When I scanned a tree using vanilla 'clamscan', nothing was found:

$ ./clamscan -ro node-v18.7.0-darwin-arm64
node-v18.7.0-darwin-arm64/bin/npm: Symbolic link
node-v18.7.0-darwin-arm64/bin/npx: Symbolic link
node-v18.7.0-darwin-arm64/bin/corepack: Symbolic link
node-v18.7.0-darwin-arm64/lib/node_modules/npm/node_modules/node-gyp/gyp/pylib/gyp/generator/__init__.py: Empty file
node-v18.7.0-darwin-arm64/lib/node_modules/npm/node_modules/smart-buffer/docs/ROADMAP.md: Empty file
node-v18.7.0-darwin-arm64/lib/node_modules/npm/.npmrc: Empty file

----------- SCAN SUMMARY -----------
Known viruses: 8812460
Engine version: 0.103.7
Scanned directories: 954
Scanned files: 4118
Infected files: 0
...

These archives are from 100 to 150 megabytes of code and other junk.

As the PUA signature is so generic, it would almost be surprising if
something was NOT found. If the archive comes from a reliable source,
and it's been checked to make sure that it hasn't been tampered with,
and it's more than a few days old, scans will already have been done
all over the world, with at least a dozen scanners other than ClamAV.
So unless you have your own speciality signatures I think scanning it
again will most likely be pointless. In any case the probability of
finding something really nasty is small, because if the bad actor is
the least bit competent it will be very well hidden. One example of
the sort of threat you might want to worry about:

https://www.theregister.com/2022/07/25/nodejs_prototype_pollution/

If I were going to use this stuff, that would give me pause.

HTH

--

73,
Ged.
Re: [clamav-users] CVE_2021_4034-9951522 false positives on node executables
Apologies... when I said that 'strings' didn't show anything, I meant that
it didn't show anything related to the signature... the only thing I found
in the strings output was the presence of "payload.sources":

$ strings node | grep payload.so
ArrayPrototypeIndexOf(payload.sources, originalSourcePath);
if (payload.sourcesContent?.[sourceContentIndex]) {
source = payload.sourcesContent[sourceContentIndex];

None of the other substrings from the signature were found in the node
binary.

Unfortunately, the way the signature is written *any* presence of
"payload.so" will trigger the signature...

--Maarten
