[Clamav-devel] Bug with .fp file being ignored

Micah Snyder (micasnyd) micasnyd at cisco.com
Wed Jul 17 11:54:00 EDT 2019


Thanks for tracking this down, Mark.  Sorry we didn’t respond earlier.  It has been a crazy couple of weeks over here.  Will take a look at the issue and your patches soon.

-Micah

Micah Snyder
ClamAV Development
Talos
Cisco Systems, Inc.



From: clamav-devel <clamav-devel-bounces at lists.clamav.net> on behalf of Mark Allan <markjallan at gmail.com>
Reply-To: ClamAV Development <clamav-devel at lists.clamav.net>
Date: Wednesday, July 17, 2019 at 11:38 AM
To: ClamAV Development <clamav-devel at lists.clamav.net>
Subject: Re: [Clamav-devel] Bug with .fp file being ignored

OK, so tracking this one down took longer than I like to admit!

The issue seems to have crept in with commits 3e42216cc and 28afc94c3 back in April/May 2017.

Attached are patches for devel/HEAD as well as the stable 0.101.2.

Tests show that the issue is fixed and doesn't appear to introduce any false negatives... however, it does produce a duplicate output line: one listing the infection found, and a second line (honouring the FP file) saying "OK".  The "infected files" count is correct; see output below.

Does anyone know how to fix that duplicate output?

Cheers
Mark

virus-2009-04-13-id0007662101.zip: Osx.Worm.Leap-2 FOUND
virus-2009-04-13-id0007662101.zip: OK

----------- SCAN SUMMARY -----------
Known viruses: 6168730
Engine version: 0.101.2
Scanned directories: 0
Scanned files: 1
Infected files: 0
Data scanned: 0.02 MB
Data read: 0.00 MB (ratio 0.00:1)
Time: 33.865 sec (0 m 33 s)



> On 12 Jul 2019, at 11:07 pm, Mark Allan <markjallan at gmail.com> wrote:
>
> Hi,
>
> I think there's a bug with ClamAV not honouring the contents of a .fp file within the database directory.
>
> I've tested 0.101.2 as well as previous versions of ClamAV going back to 0.99.4 and the issue seems to have appeared as of 0.100.0 onwards.
>
> To re-create the issue:
>
> Find a zip file which you know reports an infection when scanned.
> Use sigtool --md5 to generate an FP sig of the zip file and save it in a <filename>.fp file in the database directory.
> Use clamscan to scan the file and see that it still reports the file as being infected.
>
>
> The output from clamscan --debug shows the .fp file is being loaded, but it just doesn't seem to be being honoured for some reason.
>
> I see the same thing when I build ClamAV on macOS as well as when using the apt-get distribution on Ubuntu 18.04.
>
> Lastly, it only appears to be an issue with archive filetypes, e.g. .zip, .dmg etc. Simple files are excluded as expected; similarly, if you generate an FP sig of a simple file and put that file within an archive, it correctly gets excluded.
>
> I'll clone the source from Git on Monday and have a dig through it myself to see if I can fix the bug, but thought I'd mention it here in case someone's already on it, or at least knows where I can start looking!
>
> Cheers
> Mark
_______________________________________________

clamav-devel mailing list
clamav-devel at lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-devel

Please submit your patches to our Bugzilla: http://bugzilla.clamav.net

Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
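The reproduction steps Mark describes (hash the file with sigtool --md5, drop the line into a .fp file, scan) can be modelled outside of ClamAV. The block below is an added example, not ClamAV's code and not Mark's patch: it builds the MD5:size:name line that `sigtool --md5` prints (the same line format ClamAV's hash signatures use), parses a .fp file, and runs a small model scanner over the five cases from the thread. The scanner's signature engine is a hypothetical stand-in that only matches the public EICAR test string, the zip is constructed in memory, and the model encodes the behaviour Mark expects (a whitelisted archive scans "OK" even though its member would be detected); it says nothing about why the real engine went wrong.

```python
import hashlib
import io
import zipfile

# Constructed sample "malware": the public EICAR test string, which any scanner flags.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"


def fp_line(data: bytes, name: str) -> str:
    """The line `sigtool --md5 <file>` prints: MD5:size:name.
    Hash-based .hdb signatures and .fp false-positive exclusions share this format."""
    return f"{hashlib.md5(data).hexdigest()}:{len(data)}:{name}"


def parse_fp(text: str) -> set:
    """Parse a .fp file into a set of (md5, size) pairs; blank and '#' lines are skipped."""
    entries = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        md5, size, _name = line.split(":", 2)
        entries.add((md5.lower(), int(size)))
    return entries


def is_whitelisted(data: bytes, fp_entries: set) -> bool:
    """True when the object's own MD5 and size appear in the .fp list."""
    return (hashlib.md5(data).hexdigest(), len(data)) in fp_entries


def build_zip(members: dict) -> bytes:
    """Build an in-memory zip with fixed timestamps so its hash is reproducible."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            info = zipfile.ZipInfo(name, date_time=(2009, 4, 13, 0, 0, 0))
            info.compress_type = zipfile.ZIP_DEFLATED
            zf.writestr(info, data)
    return buf.getvalue()


def detect(data: bytes):
    """Hypothetical stand-in for the signature engine: one signature on the EICAR string."""
    return "Eicar-Test-Signature" if EICAR in data else None


def scan(data: bytes, fp_entries: set) -> str:
    """Model scan: the .fp list is consulted for the object itself before anything is
    reported, so a whitelisted archive is 'OK' even when its members would be detected.
    Archives are judged by their members; plain files by content detection."""
    if is_whitelisted(data, fp_entries):
        return "OK"
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        hit = detect(data)
        return f"{hit} FOUND" if hit else "OK"
    with zf:
        for info in zf.infolist():
            verdict = scan(zf.read(info), fp_entries)
            if verdict != "OK":
                return verdict
    return "OK"


def reproduce() -> dict:
    """The cases from the thread, as verdicts keyed by description."""
    archive = build_zip({"payload.com": EICAR})
    fp_for_archive = parse_fp(fp_line(archive, "sample.zip"))
    fp_for_member = parse_fp(fp_line(EICAR, "payload.com"))
    return {
        "plain file, no fp": scan(EICAR, set()),
        "plain file, fp for it": scan(EICAR, fp_for_member),
        "zip, no fp": scan(archive, set()),
        "zip, fp for the zip": scan(archive, fp_for_archive),    # the reported bug case
        "zip, fp for the member": scan(archive, fp_for_member),  # the case that worked
    }


if __name__ == "__main__":
    for case, verdict in reproduce().items():
        print(f"{case}: {verdict}")
```

Run as a script, it prints one verdict per case; "zip, fp for the zip" is the case that 0.100.0 and later report as FOUND according to the thread, and the model returns "OK" for it because the container hash is checked before its members are unpacked.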

