Mailing List Archive

Bug with .fp file being ignored
Hi,

I think there's a bug with ClamAV not honouring the contents of a .fp file
within the database directory.

I've tested 0.101.2 as well as previous versions of ClamAV going back to
0.99.4 and the issue seems to have appeared as of 0.100.0 onwards.

To re-create the issue:

Find a zip file which you know reports an infection when scanned.
Use sigtool --md5 to generate an FP sig of the zip file and save it in a
<filename>.fp file in the database directory.
Use clamscan to scan the file and see that it still reports the file as
being infected.


The output from clamscan --debug shows the .fp file is being loaded, but it
just doesn't seem to be being honoured for some reason.

I see the same thing when I build ClamAV on macOS as well as when using the
apt-get distribution on Ubuntu 18.04

Lastly, it only appears to be an issue with archive filetypes, e.g. .zip, .dmg
etc. Simple files are excluded as expected - similarly, if you generate an
FP sig of a simple file and put that file within an archive, it correctly
gets excluded.

I'll clone the source from Git on Monday and have a dig through it myself
to see if I can fix the bug, but thought I'd mention it here in case
someone's already on it, or at least knows where I can start looking!

Cheers
Mark
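An added example, not from this thread or from the ClamAV project, that mirrors the repro steps above from the checking side: it builds a whitelist line in the same MD5:size:name layout that sigtool --md5 emits, validates that every line in a .fp file has that shape, and checks whether a given file's MD5 and size actually match an entry. When an .fp entry seems to be ignored, confirming the hash and size really correspond to the file being scanned is the first thing to rule out. It assumes GNU coreutils md5sum and wc on PATH (on macOS, substitute md5 -q); the sample file and the .fp contents are constructed inline.

```shell
#!/bin/sh
# Added example: .fp whitelist helpers in the MD5:size:name layout used by
# ClamAV .fp files. Not part of the ClamAV source or this mailing-list thread.
# Assumption: md5sum, wc, grep and mktemp are available (GNU coreutils/busybox).

# Print the .fp line for one file: <md5 hex>:<size in bytes>:<basename>
fp_sig_for_file() {
    f="$1"
    sum=$(md5sum "$f" | cut -d' ' -f1)
    size=$(wc -c < "$f" | tr -d ' ')
    printf '%s:%s:%s\n' "$sum" "$size" "$(basename "$f")"
}

# Return 0 when every non-empty, non-comment line in the .fp file is well
# formed (32 hex chars, a decimal size, a name); otherwise return 1.
fp_validate_db() {
    db="$1"
    bad=$(grep -v '^[[:space:]]*$' "$db" | grep -v '^#' |
          grep -cvE '^[0-9a-fA-F]{32}:[0-9]+:[^:]+$' || true)
    [ "$bad" -eq 0 ]
}

# Return 0 when the file's MD5 and size match some entry in the .fp file.
# This is the check the engine is expected to apply before reporting FOUND.
fp_matches() {
    f="$1"
    db="$2"
    sum=$(md5sum "$f" | cut -d' ' -f1)
    size=$(wc -c < "$f" | tr -d ' ')
    grep -qi "^${sum}:${size}:" "$db"
}

# Stand-alone walkthrough on a constructed sample file (run with FP_DEMO=1).
demo() {
    tmp=$(mktemp -d)
    printf 'hello\n' > "$tmp/sample.bin"            # constructed sample
    fp_sig_for_file "$tmp/sample.bin" > "$tmp/local.fp"
    echo "generated: $(cat "$tmp/local.fp")"
    if fp_validate_db "$tmp/local.fp"; then echo "local.fp: well formed"; fi
    if fp_matches "$tmp/sample.bin" "$tmp/local.fp"; then
        echo "sample.bin: whitelisted by local.fp"
    else
        echo "sample.bin: NOT whitelisted (hash/size mismatch)"
    fi
    rm -rf "$tmp"
}

if [ "${FP_DEMO:-0}" = 1 ]; then demo; fi
```

Run the script with FP_DEMO=1 to see the generated line and the match result. If fp_matches succeeds for a file that clamscan still reports as FOUND, the .fp entry itself is correct and the problem lies in how the engine applies it, which is the situation the thread describes for archives.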
_______________________________________________

clamav-devel mailing list
clamav-devel@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-devel

Please submit your patches to our Bugzilla: http://bugzilla.clamav.net

Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
Re: Bug with .fp file being ignored
OK, so tracking this one down took longer than I like to admit!

The issue seems to have crept in with commits 3e42216cc and 28afc94c3 back in April/May 2017.

Attached are patches for devel/HEAD as well as the stable 0.101.2

Tests show that the issue is fixed and doesn't appear to introduce any false negatives... however, it does produce a duplicate output line: one listing the infection found, and the second line (honouring the FP file) saying "OK". The "infected files" count is correct - see output below.

Does anyone know how to fix that duplicate output?

Cheers
Mark

virus-2009-04-13-id0007662101.zip: Osx.Worm.Leap-2 FOUND
virus-2009-04-13-id0007662101.zip: OK

----------- SCAN SUMMARY -----------
Known viruses: 6168730
Engine version: 0.101.2
Scanned directories: 0
Scanned files: 1
Infected files: 0
Data scanned: 0.02 MB
Data read: 0.00 MB (ratio 0.00:1)
Time: 33.865 sec (0 m 33 s)
Re: Bug with .fp file being ignored
Thanks for tracking this down Mark. Sorry we didn’t respond earlier. It has been a crazy couple weeks over here. Will take a look at the issue and your patches soon.

-Micah

Micah Snyder
ClamAV Development
Talos
Cisco Systems, Inc.



From: clamav-devel <clamav-devel-bounces@lists.clamav.net> on behalf of Mark Allan <markjallan@gmail.com>
Reply-To: ClamAV Development <clamav-devel@lists.clamav.net>
Date: Wednesday, July 17, 2019 at 11:38 AM
To: ClamAV Development <clamav-devel@lists.clamav.net>
Subject: Re: [Clamav-devel] Bug with .fp file being ignored

OK, so tracking this one down took longer than I like to admit!

The issue seems to have crept in with commits 3e42216cc and 28afc94c3 back in April/May 2017.

Attached are patches for devel/HEAD as well as the stable 0.101.2

Tests show that the issue is fixed and doesn't appear to introduce any false negatives... however, it does produce a duplicate output line: one listing the infection found, and the second line (honouring the FP file) saying "OK". The "infected files" count is correct - see output below.

Does anyone know how to fix that duplicate output?

Cheers
Mark

virus-2009-04-13-id0007662101.zip: Osx.Worm.Leap-2 FOUND
virus-2009-04-13-id0007662101.zip: OK

----------- SCAN SUMMARY -----------
Known viruses: 6168730
Engine version: 0.101.2
Scanned directories: 0
Scanned files: 1
Infected files: 0
Data scanned: 0.02 MB
Data read: 0.00 MB (ratio 0.00:1)
Time: 33.865 sec (0 m 33 s)



> On 12 Jul 2019, at 11:07 pm, Mark Allan <markjallan@gmail.com> wrote:
>
> Hi,
>
> I think there's a bug with ClamAV not honouring the contents of a .fp file within the database directory.
>
> I've tested 0.101.2 as well as previous versions of ClamAV going back to 0.99.4 and the issue seems to have appeared as of 0.100.0 onwards.
>
> To re-create the issue:
>
> Find a zip file which you know reports an infection when scanned.
> Use sigtool --md5 to generate an FP sig of the zip file and save it in a <filename>.fp file in the database directory.
> Use clamscan to scan the file and see that it still reports the file as being infected.
>
>
> The output from clamscan --debug shows the .fp file is being loaded, but it just doesn't seem to be being honoured for some reason.
>
> I see the same thing when I build ClamAV on macOS as well as when using the apt-get distribution on Ubuntu 18.04
>
> Lastly, it only appears to be an issue with archive filetypes, e.g. .zip, .dmg etc. Simple files are excluded as expected - similarly, if you generate an FP sig of a simple file and put that file within an archive, it correctly gets excluded.
>
> I'll clone the source from Git on Monday and have a dig through it myself to see if I can fix the bug, but thought I'd mention it here in case someone's already on it, or at least knows where I can start looking!
>
> Cheers
> Mark