[Clamav-devel] Issue with FP only on 0.103.1
Mark Allan
markjallan at gmail.com
Mon Mar 8 23:00:23 UTC 2021
Hi Andrew,
Thanks for letting me know it's been dropped now. I was creating the ign2 file almost identically, except for using double >> instead of single as I already have dozens of lines in there.
I see you have it without the .{} suffix. I tried both with it and without and it wasn't working, i.e.
echo "BC.Img.Exploit.CVE_2018_4891-6453673-2" >> ignored.ign2
echo "BC.Img.Exploit.CVE_2018_4891-6453673-2.{}" >> ignored.ign2
Are you saying the .{} is no longer required to ignore bytecode signatures?
Thanks again
Mark
> On 8 Mar 2021, at 5:44 pm, Andrew Williams <awillia2 at sourcefire.com> wrote:
>
> Thanks for reporting this Mark. The signature has been dropped and a new
> bytecode.cvd released.
>
> I was able to have the bytecode signature be ignored by creating the .ign2
> file as follows and then moving it into the ClamAV signature directory:
> `echo "BC.Img.Exploit.CVE_2018_4891-6453673-2" > test.ign2`. Can you
> elaborate on how you are creating the .ign2 file?
>
> Thanks again,
>
> -Andrew
>
> On Thu, Mar 4, 2021 at 11:16 AM Mark Allan <markjallan at gmail.com> wrote:
>
>> Looks like we have another one!
>> BC.Img.Exploit.CVE_2018_4891-6453673-2
>>
>> This is generating loads of FPs as well.
>>
>> Curiously (and sorry for listing two issues in one email) adding a
>> bytecode signature name (with the .{} suffix) to an ign2 file appears to
>> have no effect. Any thoughts why this might be?
>>
>> Best regards,
>> Mark
>>
>>> On 16 Feb 2021, at 3:06 am, Micah Snyder (micasnyd) <micasnyd at cisco.com> wrote:
>>>
>>> It looks like BC.Img.Exploit.CVE_2017_11255-6335669-1 suffered the same
>>> lack of proper FP testing as the other TIFF signature, likely for the same
>>> reasons. After some time reviewing it, I agree that
>>> BC.Img.Exploit.CVE_2017_11255-6335669-1 should be dropped. This bytecode
>>> signature has a relatively high probability to FP on TIFF files that don't
>>> include a ColorMap in the IFD header(s), which is also fairly common.
>>> Reworking the signature is probably not worth the effort considering
>>> the CVE is from 2017.
>>>
>>> It should be dropped in the update tomorrow morning.
>>>
>>> Thanks for reaching out Mark.
>>>
>>> Regards,
>>> Micah
>>>
>>>> -----Original Message-----
>>>> From: clamav-devel <clamav-devel-bounces at lists.clamav.net> On Behalf Of
>>>> Micah Snyder (micasnyd)
>>>> Sent: Monday, February 15, 2021 11:36 AM
>>>> To: ClamAV Development <clamav-devel at lists.clamav.net>
>>>> Subject: Re: [Clamav-devel] Issue with FP only on 0.103.1
>>>>
>>>> Oh, sorry I misread your email. Needed more coffee. You were asking about
>>>> a different signature: BC.Img.Exploit.CVE_2017_11255-6335669-1
>>>> Will investigate.
>>>>
>>>> -Micah
>>>>
>>>>> -----Original Message-----
>>>>> From: clamav-devel <clamav-devel-bounces at lists.clamav.net> On Behalf
>>>>> Of Micah Snyder (micasnyd)
>>>>> Sent: Monday, February 15, 2021 10:28 AM
>>>>> To: ClamAV Development <clamav-devel at lists.clamav.net>
>>>>> Subject: Re: [Clamav-devel] Issue with FP only on 0.103.1
>>>>>
>>>>> Hi Mark,
>>>>>
>>>>> TL;DR: The type detection mismatch is fixed in the current daily + 0.103.1.
>>>>> The issue was with the signature. We didn't know about it because of
>>>>> the mismatch. You should've found that the offending signature was
>>>>> dropped on Saturday morning.
>>>>>
>>>>> Details:
>>>>>
>>>>> 0.103.1 introduced CL_TYPE_TIFF and changed TIFF file type recognition
>>>>> from:
>>>>> 0:0:49492a00:TIFF Little Endian:CL_TYPE_ANY:CL_TYPE_GRAPHICS
>>>>> 0:0:4d4d:TIFF Big Endian:CL_TYPE_ANY:CL_TYPE_GRAPHICS
>>>>> to:
>>>>> 0:0:49492a00:TIFF Little Endian:CL_TYPE_ANY:CL_TYPE_TIFF
>>>>> 0:0:4d4d:TIFF Big Endian:CL_TYPE_ANY:CL_TYPE_TIFF
>>>>>
>>>>> When FTM signatures are loaded from daily.cvd, it overrides the
>>>>> built-in FTM signatures. So it turns out that daily's FTM file had
>>>>> been missing the original CL_TYPE_GRAPHICS detection of TIFF files all
>>>>> this time, which would've been required for Target:5 signatures to
>>>>> alert on TIFF files. As a result, the signature in question "worked"
>>>>> in testing (with a single LDB file, using built-in FTM), but never
>>>>> worked during FP testing or in production (with a daily CVD file).
>>>>>
>>>>> When we added this to daily.ftm to support 0.103.1:
>>>>> 0:0:49492a00:TIFF Little Endian:CL_TYPE_ANY:CL_TYPE_TIFF:122
>>>>> 0:0:4d4d:TIFF Big Endian:CL_TYPE_ANY:CL_TYPE_TIFF:122
>>>>> ... all of a sudden a signature which was written for TIFF files
>>>>> started alerting on TIFF files (as it should've) because the new
>>>>> CL_TYPE_TIFF also alerts on Target:5 (graphics) types. We never added
>>>>> the CL_TYPE_GRAPHICS variant for 0.103.0 and prior, which is why it
>>>>> appeared to be an issue with 0.103.1.
>>>>> Perhaps we should? I'll ask MRT about it.
>>>>>
>>>>> Anyways, this is basically a reminder that we need to make sure daily
>>>>> FTM and libclamav's FTM are in sync.
>>>>>
>>>>> -Micah
>>>>>
>>>>>
>>>>>> -----Original Message-----
>>>>>> From: clamav-devel <clamav-devel-bounces at lists.clamav.net> On Behalf
>>>>>> Of Mark Allan
>>>>>> Sent: Saturday, February 13, 2021 3:35 PM
>>>>>> To: ClamAV Development <clamav-devel at lists.clamav.net>
>>>>>> Subject: Re: [Clamav-devel] Issue with FP only on 0.103.1
>>>>>>
>>>>>> Thanks. I've just found another one too
>>>>>>
>>>>>> BC.Img.Exploit.CVE_2017_11255-6335669-1
>>>>>>
>>>>>> It's triggering on a file that's been part of macOS for many years.
>>>>>> It's also a tiff file. I can submit this as well if necessary?
>>>>>>
>>>>>> Out of interest, is the type detection mismatch something that can
>>>>>> be fixed in daily.cvd or can I patch libclamav/filetypes_int.h to
>>>>>> revert it to what it was at 0.103.0?
>>>>>>
>>>>>> Mark
>>>>>>
>>>>>>> On 12 Feb 2021, at 5:23 am, Micah Snyder (micasnyd) <micasnyd at cisco.com> wrote:
>>>>>>>
>>>>>>> It appears to me to be an issue with the signature which is only
>>>>>>> evident in 0.103.1 now that we're matching TIFFs with Target:5
>>>>>>> signatures, like this one.
>>>>>>>
>>>>>>> There was apparently a mismatch for TIFF file type detection
>>>>>>> between the file type magic signatures built-in to libclamav
>>>>>>> (libclamav/filetypes_int.h) and the .ftm sigs shipped with daily.cvd
>>>>>>> (which override the internal ones when loaded).
>>>>>>>
>>>>>>> I'll ask to have the signature dropped and re-evaluated.
>>>>>>>
>>>>>>> -Micah
>>>>>>>
>>>>>>>> -----Original Message-----
>>>>>>>> From: clamav-devel <clamav-devel-bounces at lists.clamav.net> On
>>>>>>>> Behalf Of Micah Snyder (micasnyd)
>>>>>>>> Sent: Thursday, February 11, 2021 8:27 PM
>>>>>>>> To: ClamAV Development <clamav-devel at lists.clamav.net>
>>>>>>>> Subject: Re: [Clamav-devel] Issue with FP only on 0.103.1
>>>>>>>>
>>>>>>>> Thank you Mark! We'll take a look.
>>>>>>>>
>>>>>>>> -Micah
>>>>>>>>
>>>>>>>>> -----Original Message-----
>>>>>>>>> From: clamav-devel <clamav-devel-bounces at lists.clamav.net> On Behalf
>>>>>>>>> Of Mark Allan
>>>>>>>>> Sent: Thursday, February 11, 2021 3:54 PM
>>>>>>>>> To: ClamAV Development <clamav-devel at lists.clamav.net>
>>>>>>>>> Subject: Re: [Clamav-devel] Issue with FP only on 0.103.1
>>>>>>>>>
>>>>>>>>> Hi Micah,
>>>>>>>>>
>>>>>>>>> Yes of course! I've just uploaded a zip file (Archive.zip) to
>>>>>>>>> the FP page on clamav.net
>>>>>>>>> MD5 (Archive.zip) = 45229d954a884a1e03aba15b9f42168a
>>>>>>>>>
>>>>>>>>> Regards
>>>>>>>>> Mark
>>>>>>>>>
>>>>>>>>>> On 11 Feb 2021, at 7:12 pm, Micah Snyder (micasnyd) <micasnyd at cisco.com> wrote:
>>>>>>>>>>
>>>>>>>>>> Hi Mark,
>>>>>>>>>>
>>>>>>>>>> Do you think you could share a sample or two with me to test?
>>>>>>>>>> I'm really curious what changed and would like to debug each
>>>>>>>>>> version with a sample or two.
>>>>>>>>>>
>>>>>>>>>> -Micah
>>>>>>>>>>
>>>>>>>>>>> -----Original Message-----
>>>>>>>>>>> From: clamav-devel <clamav-devel-bounces at lists.clamav.net> On
>>>>>>>>>>> Behalf Of Mark Allan
>>>>>>>>>>> Sent: Monday, February 8, 2021 3:04 AM
>>>>>>>>>>> To: ClamAV Development <clamav-devel at lists.clamav.net>
>>>>>>>>>>> Subject: [Clamav-devel] Issue with FP only on 0.103.1
>>>>>>>>>>>
>>>>>>>>>>> Hi all,
>>>>>>>>>>>
>>>>>>>>>>> It looks like the additional image file type support in
>>>>>>>>>>> 0.103.1 has introduced an issue with a particular signature
>>>>>>>>>>> which has been in the database since 2018
>>>>>>>>>>>
>>>>>>>>>>> Img.Exploit.CVE_2018_4904-6449838-0
>>>>>>>>>>>
>>>>>>>>>>> It's flagging up thousands of known-good files. As far as I
>>>>>>>>>>> can tell, they're all TIFF files.
>>>>>>>>>>>
>>>>>>>>>>> I've added that signature to an ign2 file for now, but I'm
>>>>>>>>>>> wondering if there's something else that's maybe amiss
>>>>>>>>>>> somewhere either with the signature or the 0.103.1 update?
>>>>>>>>>>>
>>>>>>>>>>> Best regards,
>>>>>>>>>>> Mark
>>>>>>>>>>>
>>>>>>>>>>> _______________________________________________
>>>>>>>>>>>
>>>>>>>>>>> clamav-devel mailing list
>>>>>>>>>>> clamav-devel at lists.clamav.net
>>>>>>>>>>> https://lists.clamav.net/mailman/listinfo/clamav-devel
>>>>>>>>>>>
>>>>>>>>>>> Please submit your patches to our Github:
>>>>>>>>>>> https://github.com/Cisco-Talos/clamav-devel/pulls
>>>>>>>>>>>
>>>>>>>>>>> Help us build a comprehensive ClamAV guide:
>>>>>>>>>>> https://github.com/vrtadmin/clamav-faq
>>>>>>>>>>>
>>>>>>>>>>> http://www.clamav.net/contact.html#ml
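The root cause Micah describes in the thread is drift between two copies of the file-type-magic (FTM) table: the one built into libclamav (libclamav/filetypes_int.h) and the .ftm signatures in daily.cvd, which replace the built-in table when loaded. The following script is an added example, written for this page and not ClamAV's own code, that parses .ftm lines in the field order ClamAV uses (MagicType:Offset:MagicBytes:Name:RequiredType:DetectedType[:MinFL[:MaxFL]]) and reports entries that are missing from daily or resolve to a different detected type, honouring the minimum functionality level the way the `:122` suffix in the thread does. The TIFF lines are the ones quoted above; the `%PDF` entry is a constructed stand-in for "some other daily content", the wholesale-override semantics follow Micah's description, and functionality level 121 is used only as a stand-in for a pre-0.103.1 engine.

```python
"""Detect drift between libclamav's built-in FTM table and daily.cvd's .ftm sigs.

.ftm field order (ClamAV file type magic format):
    MagicType:Offset:MagicBytes:Name:RequiredType:DetectedType[:MinFL[:MaxFL]]
Only MagicType 0 (direct byte match at a fixed offset) lines are handled here.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

# Built-in TIFF magic as quoted in the thread, before and after 0.103.1.
BUILTIN_0_103_0 = """\
0:0:49492a00:TIFF Little Endian:CL_TYPE_ANY:CL_TYPE_GRAPHICS
0:0:4d4d:TIFF Big Endian:CL_TYPE_ANY:CL_TYPE_GRAPHICS
"""
BUILTIN_0_103_1 = """\
0:0:49492a00:TIFF Little Endian:CL_TYPE_ANY:CL_TYPE_TIFF
0:0:4d4d:TIFF Big Endian:CL_TYPE_ANY:CL_TYPE_TIFF
"""
# Constructed stand-in for daily.ftm before the fix: one unrelated entry and
# no TIFF entries at all (the state the thread describes).
DAILY_BEFORE = """\
# constructed sample, not the real daily.ftm
0:0:25504446:PDF document:CL_TYPE_ANY:CL_TYPE_PDF
"""
# daily.ftm after the TIFF lines quoted in the thread (MinFL 122) were added.
DAILY_AFTER = DAILY_BEFORE + """\
0:0:49492a00:TIFF Little Endian:CL_TYPE_ANY:CL_TYPE_TIFF:122
0:0:4d4d:TIFF Big Endian:CL_TYPE_ANY:CL_TYPE_TIFF:122
"""


@dataclass(frozen=True)
class FtmSig:
    offset: int
    magic: str            # lowercase hex of the magic bytes
    name: str
    required: str         # RequiredType (container type the match needs)
    detected: str         # DetectedType assigned on match
    min_fl: Optional[int] = None
    max_fl: Optional[int] = None

    def applies_to(self, flevel: int) -> bool:
        """True if an engine at functionality level `flevel` would load this line."""
        if self.min_fl is not None and flevel < self.min_fl:
            return False
        if self.max_fl is not None and flevel > self.max_fl:
            return False
        return True


def parse_ftm(text: str) -> list[FtmSig]:
    """Parse .ftm lines; skips blanks, comments and non-MagicType-0 entries."""
    sigs: list[FtmSig] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        f = line.split(":")
        if len(f) < 6:
            raise ValueError(f"malformed FTM line: {line!r}")
        if f[0] != "0":
            continue
        min_fl = int(f[6]) if len(f) > 6 and f[6] else None
        max_fl = int(f[7]) if len(f) > 7 and f[7] else None
        sigs.append(FtmSig(int(f[1]), f[2].lower(), f[3], f[4], f[5], min_fl, max_fl))
    return sigs


def effective_types(sigs: list[FtmSig], flevel: int) -> dict[tuple[int, str], str]:
    """(offset, magic) -> DetectedType, as loaded by an engine at `flevel`."""
    return {(s.offset, s.magic): s.detected for s in sigs if s.applies_to(flevel)}


def engine_view(builtin_text: str, daily_text: Optional[str], flevel: int) -> dict:
    """Model the override described in the thread: a loaded daily.ftm replaces
    the built-in table wholesale; with no daily (single-LDB testing) the
    built-in table is what the engine uses."""
    src = daily_text if daily_text is not None else builtin_text
    return effective_types(parse_ftm(src), flevel)


def compare_ftm(builtin_text: str, daily_text: str, flevel: int) -> list[str]:
    """Report built-in entries that daily drops or retypes at this FLEVEL."""
    builtin = effective_types(parse_ftm(builtin_text), flevel)
    daily = effective_types(parse_ftm(daily_text), flevel)
    findings = []
    for (offset, magic), btype in sorted(builtin.items()):
        dtype = daily.get((offset, magic))
        if dtype is None:
            findings.append(f"missing in daily: offset={offset} magic={magic} builtin={btype}")
        elif dtype != btype:
            findings.append(f"type mismatch: offset={offset} magic={magic} "
                            f"builtin={btype} daily={dtype}")
    return findings


if __name__ == "__main__":
    for label, b, d, fl in [("pre-fix daily, old engine", BUILTIN_0_103_0, DAILY_BEFORE, 121),
                            ("fixed daily, 0.103.1 engine", BUILTIN_0_103_1, DAILY_AFTER, 122),
                            ("fixed daily, old engine", BUILTIN_0_103_0, DAILY_AFTER, 121)]:
        print(label, "->", compare_ftm(b, d, fl) or "in sync")
```

Running the three scenarios reproduces the thread's timeline: with the pre-fix daily loaded, both TIFF entries are reported missing, so Target:5 signatures never saw TIFF files in production even though single-LDB testing (built-in table only) did; with the fixed daily on a level-122 engine the tables agree; and on an engine below level 122 the new `:122` lines are skipped, which is why the TIFF entries still appear missing there and the behaviour looked specific to 0.103.1.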