[Clamav-devel] Bug with .fp file being ignored

Mark Allan markjallan at gmail.com
Wed Jul 17 11:37:23 EDT 2019 

OK, so tracking this one down took longer than I like to admit!

The issue seems to have crept in with commits 3e42216cc and 28afc94c3 back in April/May 2017.

Attached are patches for devel/HEAD as well as the stable 0.101.2 

Tests show that the issue is fixed and doesn't appear to introduce any false negatives.....however, it does produce a duplicate output line - one listed the infection found, and the second line (honouring the FP file) saying "OK".  The "infected files" count is correct - see output below.

Does anyone know how to fix that duplicate output?

Cheers
Mark

virus-2009-04-13-id0007662101.zip: Osx.Worm.Leap-2 FOUND
virus-2009-04-13-id0007662101.zip: OK

----------- SCAN SUMMARY -----------
Known viruses: 6168730
Engine version: 0.101.2
Scanned directories: 0
Scanned files: 1
Infected files: 0
Data scanned: 0.02 MB
Data read: 0.00 MB (ratio 0.00:1)
Time: 33.865 sec (0 m 33 s)


-------------- next part --------------
A non-text attachment was scrubbed...
Name: fix_devel_head.patch
Type: application/octet-stream
Size: 1117 bytes
Desc: not available
URL: <https://lists.clamav.net/pipermail/clamav-devel/attachments/20190717/6a716d87/attachment.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: fix_101_2.patch
Type: application/octet-stream
Size: 1178 bytes
Desc: not available
URL: <https://lists.clamav.net/pipermail/clamav-devel/attachments/20190717/6a716d87/attachment-0001.obj>
-------------- next part --------------


> On 12 Jul 2019, at 11:07 pm, Mark Allan <markjallan at gmail.com> wrote:
> 
> Hi,
> 
> I think there's a bug with ClamAV not honouring the contents of a .fp file within the database directory.
> 
> I've tested 0.101.2 as well as previous versions of ClamAV going back to 0.99.4 and the issue seems to have appeared as of 0.100.0 onwards.
> 
> To re-create the issue:
> 
> Find a zip file which you know reports an infection when scanned.
> Use sigtool --md5 to generate an FP sig of the zip file and save it in a <filename>.fp file in the databse directory.
> Use clamscan to scan the file and see that it still reports the file as being infected.
> 
> 
> The output from clamscan --debug shows the .fp file is being loaded, but it just doesn't seem to be being honoured for some reason.
> 
> I see the same thing when I build ClamAV on macOS as well as when using the apt-get distribution on Ubuntu 18.04
> 
> Lastly, it only appears to be an issue with archive filetypes eg .zip, .dmg etc. Simple files are excluded as expected - similarly, if you generate an FP sig of a simple file and put that file within an archive, it correctly gets excluded.
> 
> I'll clone the source from Git on Monday and have a dig through it myself to see if I can fix the bug, but thought I'd mention it here in case someone's already on it, or at least knows where I can start looking!
> 
> Cheers
> Mark

More information about the clamav-devel mailing list