[clamav-users] clamscan/clamdscan with -z option

Micah Snyder (micasnyd) micasnyd at cisco.com
Thu Feb 14 20:40:52 UTC 2019


Paul,

I know what you mean.  We had encountered this type of behavior when we were adding the byte-compare signature feature and we initially put in a change (specific to byte-compare) to prevent the 2nd scan from occurring.  We ended up reverting that change when we realized that we really needed to scan both the raw and parsed data (https://github.com/Cisco-Talos/clamav-devel/commit/fa3f8914a6963700bfc070becb5d18c4bd63e9e6).

If you put in a bug on Bugzilla and attach the file, I'll step through it in a debugger to see if it's doing what I think it's doing.

Regards,
-Micah

On 2/14/19, 3:32 PM, "clamav-users on behalf of Paul" <clamav-users-bounces at lists.clamav.net on behalf of paul at netpresto.co.uk> wrote:

    Hi Micah
    
    I can code to handle this but basing handling code on "appears to 
    behaviour" is far from an ideal start.
    
    The multiple matches on test/clam.mail from the clamav 101.1 sources 
    with Clamav.Test.File-6 reported twice sure looks like a bug to me.
    
    Regards Paul
    
    On 14/02/2019 19:46, Micah Snyder (micasnyd) wrote:
    > Paul,
    >
    > You may be seeing cases where a signature match of the raw file also matches the file after it has been:
    > * normalized (for html or other text files)
    > * extracted (e.g. uncompressed archives or archives where compression has little effect)
    > * or otherwise parsed (e.g. where a signature is written to match on a subcomponent/buffer in the file and the signature also matches on the whole file because it is very lenient about the offset).
    >
    > Is there a particular problem with seeing duplicate matches on a file?
    >
    > -Micah
    >
    > Micah Snyder
    > ClamAV Development
    > Talos
    > Cisco Systems, Inc.
    >
    >
    > On 2/14/19, 2:09 PM, "clamav-users on behalf of Kris Deugau" <clamav-users-bounces at lists.clamav.net on behalf of kdeugau at vianet.ca> wrote:
    >
    >      Paul wrote:
    >      > Hi
    >      >
    >      > I have been looking at using the -z option on either clamdscan or
    >      > clamscan and stumbled onto some odd behavior.
    >      >
    >      > This is with version 101.1. 101.0 also behaves the same.
    >      
    >      
    >      > Take 2 paultest-010E110713-000 is constructed from test/clam.mail with
    >      > the addition of a line of text to the text/plain part of clam.mail which
    >      > triggers SecuriteInfo.com.Spam-48198.UNOFFICIAL FOUND
    >      >
    >      > paule at larch:~# clamscan  -z /var/lib/quarantine/paultest-010E110713-000
    >      > /var/lib/quarantine/paultest-010E110713-000: Clamav.Test.File-6 FOUND
    >      > /var/lib/quarantine/paultest-010E110713-000:
    >      > SecuriteInfo.com.Spam-48198.UNOFFICIAL FOUND
    >      > /var/lib/quarantine/paultest-010E110713-000: Clamav.Test.File-6 FOUND
    >      > /var/lib/quarantine/paultest-010E110713-000:
    >      > SecuriteInfo.com.Spam-48198.UNOFFICIAL FOUND
    >      
    >      
    >      > Any way to prevent the duplicate signature hits being displayed?
    >      
    >              -z, --allmatch
    >                     After a match, continue scanning within the file for
    >      additional matches.
    >      
    >      .... don't use -z?  There's no way I know of to specify which signature
    >      takes precedence during a single scan, so if you're continuing after
    >      you've found a match, I would call it reasonable that you also want to
    >      know all of the signatures that matched.  If you only want to report one
    >      signature, then continuing to scan the file seems to be a waste.
    >      
    >      If you want to separately report hits from subsets of signatures, you'll
    >      probably need to store them in different directories, and use the -d option:
    >      
    >              -d FILE/DIR, --database=FILE/DIR
    >                     Load virus database from FILE or load all virus database
    >      files from DIR.
    >      
    >      to run multiple, independent scans with each subset of signatures.  This
    >      way you can pick which set to check in which order, and skip further
    >      processing as desired based on the results.
    >      
    >      -kgd
    >      _______________________________________________
    >      clamav-users mailing list
    >      clamav-users at lists.clamav.net
    >      http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
    >      
    >      
    >      Help us build a comprehensive ClamAV guide:
    >      https://github.com/vrtadmin/clamav-faq
    >      
    >      http://www.clamav.net/contact.html#ml
    >      
    >
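The two points raised in the thread, Kris's suggestion of running independent scans per signature subset with -d in a chosen order, and Micah's explanation of why -z can report the same signature twice (raw file plus its normalized/extracted form), as one added shell example that is not part of the thread. The set directories, the SCANNER override and the sample paths are assumptions for illustration; clamscan's --no-summary and -d options are real.

```shell
#!/bin/sh
# Added example, not from the mailing list thread.
# scan_in_order FILE DIR...: scan FILE once per signature directory, in the
# order given, and stop at the first subset that reports a hit. This is the
# "multiple, independent scans" approach: the caller decides precedence by
# ordering the directories. SCANNER may be overridden (default: clamscan).

# dedup_found: collapse duplicate "<path>: <sig> FOUND" lines, which -z can
# emit when a signature matches both the raw file and its parsed form.
dedup_found() {
    grep ' FOUND$' | sort -u
}

scan_in_order() {
    file=$1; shift
    for db in "$@"; do
        # --no-summary keeps the output to per-file result lines only
        out=$("${SCANNER:-clamscan}" --no-summary -d "$db" "$file" 2>/dev/null)
        if printf '%s\n' "$out" | grep -q ' FOUND$'; then
            printf '%s\n' "$out" | dedup_found
            echo "match in set: $db"
            return 0
        fi
    done
    echo "clean"
    return 1
}

# Hypothetical layout: /var/lib/clamav-sets/01-malware is checked before
# /var/lib/clamav-sets/02-spam, so a malware hit wins over a spam hit.
# scan_in_order /var/lib/quarantine/sample /var/lib/clamav-sets/01-malware /var/lib/clamav-sets/02-spam
```

With -z still set in each pass, the sort -u step is what removes the doubled lines; without -z, each pass stops at its first match anyway.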