Mailing List Archive

[clamav-users] PUA - Category List, invalid URL in config sample! Packer Category?
Problem 1 - Link in Config Sample is 404!

According to the current clamd.conf.sample:

# See https://github.com/vrtadmin/clamav-faq/blob/master/faq/faq-pua.md for the complete list of PUA categories.

Problem 2 - What PUA Category covers "Win.Packer.Borland." ?

PUA.Win.Packer.BorlandCpp-8 FOUND
PUA.Win.Packer.BorlandDelphi-12 FOUND

Without a valid, complete list of categories and how they relate to the
signature names, what's a user to do?

My config file already excludes:

ExcludePUA Packed
ExcludePUA Downloader

And adding "Packer" (and restarting ClamD) will NOT exclude the above
"Packer"!?
Re: [clamav-users] PUA - Category List, invalid URL in config sample! Packer Category? [ In reply to ]
Hello Andy,

> My config file already excludes:
>
> ExcludePUA Packed
>
> ExcludePUA Downloader
>
> And adding “Packer” (and restarting ClamD) will NOT exclude the above
> “Packer” !?

Should work:
ExcludePUA PUA.Win.Packer.BorlandCpp-8
ExcludePUA PUA.Win.Packer.BorlandDelphi-12


--
Cordialement / Best regards,

Arnaud Jacques
Gérant de SecuriteInfo.com

Téléphone : +33-(0)3.60.47.09.81
E-mail : aj@securiteinfo.com
Site web : https://www.securiteinfo.com
Facebook : https://www.facebook.com/pages/SecuriteInfocom/132872523492286
Twitter : @SecuriteInfoCom
Writing signatures for ClamAV antivirus since 2006
_______________________________________________

Manage your clamav-users mailing list subscription / unsubscribe:
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/Cisco-Talos/clamav-documentation

https://docs.clamav.net/#mailing-lists-and-chat
[clamav-users] PUA - Category List, invalid URL in config sample! Packer Category? [ In reply to ]
Dear Arnaud,

Unfortunately, while specifying "Win.Packer" or even "PUA.Win.Packer" will APPEAR to work, the program logic in ExcludePUA is completely faulty (almost arbitrary).

Yes, it WILL exclude those two - but the problem is, it will exclude GENERICALLY EVERYTHING ELSE (e.g., ALL "Win" or ALL "PUA") - in which case you might as well turn off the entire PUA feature!

I finally remembered that I had been down this exact rabbit hole years ago - and found this bug report:
https://bugzilla.clamav.net/show_bug.cgi?id=12632#c5

It seems the entire PUA feature is a step-child - by now, not even the config sample and documentation are current. Maybe it's time to pull the plug on it, if no one is taking ownership of making it work?

(Yes, I realize the answer is to just "contribute" the fixes myself - but that assumes that every ClamAV user is also a C++ programmer, which I am not.)

Best Regards,
Andy

-----Original Message-----
From: Arnaud Jacques <webmaster@securiteinfo.com>
Sent: Friday, November 18, 2022 11:33 AM
To: ClamAV users ML <clamav-users@lists.clamav.net>
Subject: Re: [clamav-users] PUA - Category List, invalid URL in config sample! Packer Category?

Re: [clamav-users] PUA - Category List, invalid URL in config sample! Packer Category? [ In reply to ]
Hi there,

On Sat, 19 Nov 2022, Andy Schmidt via clamav-users wrote:

> Unfortunately, while specifying "Win.Packer" or even "PUA.Win.Packer" will APPEAR to work, the program logic in ExcludePUA is completely faulty (almost arbitrary).
>
> Yes, it WILL exclude those two - but the problem is, it will exclude GENERICALLY EVERYTHING ELSE (e.g., ALL "Win" or ALL "PUA") - in which case you might as well turn off the entire PUA feature!
>
> I finally remembered that I had been down this exact rabbit hole years ago - and found this bug report:
> https://bugzilla.clamav.net/show_bug.cgi?id=12632#c5
>
> It seems the entire PUA feature is a step-child - by now, not even the config sample and documentation are current. Maybe it's time to pull the plug on it, if no one is taking ownership of making it work?
>
> (Yes, I realize the answer is to just "contribute" the fixes myself - but that assumes that every ClamAV user is also a C++ programmer, which I am not.)

The problem in the currently released code is that a 'category' turns
out to be only the second piece of a string made up of potentially
several dot-separated pieces. It needs more granularity.

Try replacing the function cli_chkpua() in .../libclamav/readdb.c with this:

8<----------------------------------------------------------------------
static int cli_chkpua(const char *signame, const char *pua_cats, unsigned int options)
{
    // 2022.11.20 == GWH == "Categories" are dot-separated strings.
    // The string in the 'pua_cats' argument contains the PUA "categories" which are to be (depending on the configuration) included or excluded.
    // The category name in 'cat' is to be the string between the first and last dots in the signature string held in the 'signame' argument.
    // We will extract the category thus defined from the string in 'signame' and then look for this category within the string in pua_cats.
    char cat[32], *cat_pt, *pt1, *pt2, *endsig;
    const char *sig;
    int ret;

    cli_dbgmsg("cli_chkpua: Checking signature [%s]\n", signame);

    if (strncmp(signame, "PUA.", 4)) {
        cli_dbgmsg("Skipping signature %s - no PUA prefix\n", signame);
        return 1;
    }
    sig = signame + 3; // 'sig' starts at the dot that follows "PUA".
    if (!(pt1 = strchr(sig + 1, '.'))) { // pt1 points to the FIRST dot after that one in 'signame' if there is one, else NULL.
        cli_dbgmsg("Skipping signature %s - bad syntax\n", signame);
        return 1;
    }
    if ((pt2 = strrchr(sig + 1, '.')) != pt1) { // pt2 points to the LAST dot in the string in 'signame'.
        cli_dbgmsg("Signature has at least three dots [%s]\n", signame); // If pt1 and pt2 are the same dot, there are only two of them in the signature.
    }
    // else {
    //     cli_dbgmsg("Seems signature only has two dots [%s]\n", signame);
    // }
    if ((unsigned int)(pt1 - sig + 2) > sizeof(cat)) {
        cli_dbgmsg("Skipping signature %s - too long category name, length approaching %u characters\n", signame, (unsigned int)(pt1 - sig + 2));
        return 1;
    }
    // else {
    //     cli_dbgmsg("Allowing signature %s; OK length category name, length approaching %u characters\n", signame, (unsigned int)(pt1 - sig + 2));
    // }
    if ((unsigned int)(pt2 - sig + 2) > sizeof(cat)) {
        cli_dbgmsg("Skipping signature %s - too long category name, length approaching %u characters\n", signame, (unsigned int)(pt2 - sig + 2));
        return 1;
    }
    // else {
    //     cli_dbgmsg("Allowing signature %s; OK length category name, length approaching %u characters\n", signame, (unsigned int)(pt2 - sig + 2));
    // }

    endsig = strrchr(sig, '.');
    strncpy(cat, sig, strlen(sig) - strlen(endsig) + 1); // Put in 'cat' the string between the first and last dots in sig, including the dots.
    cat[strlen(sig) - strlen(endsig) + 1] = 0;
    cat_pt = strstr(pua_cats, cat); // Find if cat exists in pua_cats.
    // cli_dbgmsg("cli_chkpua: pua_cats=[%s]\n", pua_cats);
    // cli_dbgmsg("cli_chkpua: signame=[%s]\n", signame);
    cli_dbgmsg("cli_chkpua: cat=[%s]\n", cat);
    cli_dbgmsg("cli_chkpua: sig=[%s]\n", sig);
    // cli_dbgmsg("cli_chkpua: endsig=[%s]\n", endsig);
    // cli_dbgmsg("cli_chkpua: cat_pt=[%s]\n", cat_pt ? cat_pt : "null");
    // cli_dbgmsg("cli_chkpua: pt1=[%s]\n", pt1 ? pt1 : "null");
    // cli_dbgmsg("cli_chkpua: pt2=[%s]\n", pt2 ? pt2 : "null");
    if (options & CL_DB_PUA_INCLUDE)
        ret = cat_pt ? 0 : 1;
    else
        ret = cat_pt ? 1 : 0;

    if (ret)
        cli_dbgmsg("Skipping PUA signature %s - excluded category %s\n", signame, cat);
    return ret;
}
8<----------------------------------------------------------------------

No promises, but it's loaded the DB OK here. Please feel free to
correct mistakes in this and push to Github or whatever.

HTH

--

73,
Ged.
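The category-matching behaviour discussed in this thread, as an added stand-alone example (not Ged's patch and not ClamAV's own code): it implements both rules side by side, the released one (second dot-separated piece only) and the one proposed above (first dot to last dot), and runs them against the two Borland signatures. It assumes the ExcludePUA/IncludePUA list is assembled the way clamd does it, as ".Cat1.Cat2." with a dot on each side; the signature name PUA.Win.Tool.Example-1 is constructed for the demonstration.

```c
/* Added example (not ClamAV code): how a PUA.* signature name is matched against
 * the ExcludePUA/IncludePUA list, assumed built as clamd does it: ".Cat1.Cat2." */
#include <stdio.h>
#include <string.h>

/* Copy the "category" of a PUA.* signature into cat, dots included.
 * full = 0: released rule, second dot-separated piece only (".Win.")
 * full = 1: rule proposed above, first dot to last dot (".Win.Packer.")
 * Returns 0 on success, -1 when the loader would skip the signature. */
static int pua_category(const char *signame, int full, char *cat, size_t catsz)
{
    const char *sig, *pt;
    size_t len;
    if (strncmp(signame, "PUA.", 4) != 0)
        return -1;                      /* no PUA prefix */
    sig = signame + 3;                  /* the dot right after "PUA" */
    pt  = full ? strrchr(sig + 1, '.') : strchr(sig + 1, '.');
    if (pt == NULL)
        return -1;                      /* bad syntax: no category piece */
    len = (size_t)(pt - sig) + 1;       /* length including both dots */
    if (len + 1 > catsz)
        return -1;                      /* category name too long for cat */
    memcpy(cat, sig, len);
    cat[len] = '\0';
    return 0;
}

/* Mirror cli_chkpua's verdict: 1 = skip this signature, 0 = load it.
 * include = 0 models ExcludePUA, include = 1 models IncludePUA. */
static int pua_skip(const char *signame, const char *pua_cats, int full, int include)
{
    char cat[32];
    if (pua_category(signame, full, cat, sizeof cat) != 0)
        return 1;
    int found = strstr(pua_cats, cat) != NULL;
    return include ? !found : found;
}

int main(void)
{
    /* Constructed list: what "ExcludePUA PUA.Win.Packer.BorlandCpp-8" turns into. */
    const char *cats   = ".PUA.Win.Packer.BorlandCpp-8.";
    const char *sigs[] = {"PUA.Win.Packer.BorlandCpp-8", "PUA.Win.Packer.BorlandDelphi-12",
                          "PUA.Win.Tool.Example-1" /* constructed name, not a real sig */};
    for (size_t i = 0; i < sizeof sigs / sizeof sigs[0]; i++)
        printf("%-32s released: skip=%d  proposed: skip=%d\n", sigs[i],
               pua_skip(sigs[i], cats, 0, 0), pua_skip(sigs[i], cats, 1, 0));
    return 0;
}
```

With the released rule every PUA.Win.* signature is skipped once any Win.* entry is in the list, which is the "excludes everything else" effect reported above; with the proposed rule only PUA.Win.Packer.* is skipped.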
Re: [clamav-users] PUA - Category List, invalid URL in config sample! Packer Category? [ In reply to ]
GWH>> Try replacing the function cli_chkpua() in .../libclamav/readdb.c with <<
GWH>> Please feel free to correct mistakes in this and push to Github or whatever. <<

Thanks G.W. for looking into it and testing a potential fix.
Unfortunately, I'm not running a self-compiled version, but rather one of
the "canned" (Windows) binaries and don't have a development environment set
up, nor would I know anything about Github, or pushing anything.

Hopefully, someone of the ClamAV team is reading along and will take your
kind contribution under advisement for the benefit of this product.

Best Regards
Andy

-----Original Message-----
From: G.W. Haywood <clamav@jubileegroup.co.uk>

Re: [clamav-users] PUA - Category List, invalid URL in config sample! Packer Category? [ In reply to ]
I cleaned up the code and prepared a PR to assist. Currently in draft and
comments are welcome. The code seems reasonable to my eyes.

https://github.com/Cisco-Talos/clamav/pull/780

On Tue, Nov 22, 2022 at 2:26 PM Andy Schmidt via clamav-users <
clamav-users@lists.clamav.net> wrote:

Re: [clamav-users] PUA - Category List, invalid URL in config sample! Packer Category? [ In reply to ]
Thank you Shawn, for taking this on!

I don’t know if you were following –

The second, related “bug” is with the clamd config sample that currently ships with the product: The stated URL to the PUA exclusion categories is invalid (HTTP 404).

From: Shawn Iverson <shawniverson@gmail.com>
Sent: Wednesday, November 23, 2022 8:49 AM
To: ClamAV users ML <clamav-users@lists.clamav.net>
Cc: Andy Schmidt <Andy_Schmidt@hm-software.com>; clamav@jubileegroup.co.uk
Subject: Re: [clamav-users] PUA - Category List, invalid URL in config sample! Packer Category?



Re: [clamav-users] PUA - Category List, invalid URL in config sample! Packer Category? [ In reply to ]
Looks like there's a copy here. I wonder if the example should link here
instead?

https://github.com/Soldie/clamav-faq-antivirus/blob/master/faq/faq-pua.md

On Wed, Nov 23, 2022 at 9:02 AM Andy Schmidt via clamav-users <
clamav-users@lists.clamav.net> wrote:

Re: [clamav-users] PUA - Category List, invalid URL in config sample! Packer Category? [ In reply to ]
I think having a working URL is better than a non-working one. Thank you!

Of course, the information on that page is just as outdated (hypothetical) as the previous link had been.

According to the information supplied 2 years ago, here is a list of actually used signature prefixes:

https://bugzilla.clamav.net/show_bug.cgi?id=12632#c2

which of course are wildly different from the “official” category list.

There is a complete disconnect between theory and reality with the entire PUA feature on every front.

From: Shawn Iverson <shawniverson@gmail.com>
Sent: Wednesday, November 23, 2022 9:29 AM
To: ClamAV users ML <clamav-users@lists.clamav.net>
Cc: Andy_Schmidt@hm-software.com
Subject: Re: [clamav-users] PUA - Category List, invalid URL in config sample! Packer Category?



Re: [clamav-users] PUA - Category List, invalid URL in config sample! Packer Category? [ In reply to ]
I think the ClamAV project should consider hosting an official and updated
list in a repo of their own.

On Wed, Nov 23, 2022 at 10:24 AM Andy Schmidt via clamav-users <
clamav-users@lists.clamav.net> wrote:
