[clamav-users] recently noted that scanning firefox browser cache reports many errors

mum laris mum_laris at hotmail.com
Thu Oct 8 12:39:20 UTC 2020


Hi.

On 08/10/20 12:34, G.W. Haywood via clamav-users wrote:
> Hi there,
>
> On Thu, 8 Oct 2020, mum laris via clamav-users wrote:
>
>> thanks for your quick answer.
>
> Er, my answer is below.  On a mailing list, check the subject lines. :)
>
So thanks twice!

>> Attached required report.
>
> On a quick glance I wonder why clamconf didn't find freshclam.conf.
> Are you running freshclam? 
At least daily. But I understand your point, so maybe I'd like to check 
if "clam-tk" (or something like that) is available now in my repos.
> You might want to enable the 'encrypted'
> alerts for archives etc. as encrypted documents which contain malware
> seem to be much more common recently but it's mostly Windows malware.

That's the point. This is my roaming profile (I use Firefox sync), so it 
runs on all my devices (Android, Windows and Linux).

A good way to keep bookmarks, passwords and plugins synchronized.

And a way to carry malware from other platforms here too...

Anyway, what are you suggesting? From the manual I see:

--heuristic-alerts[=yes(*)/no]

so these kinds of files don't have to be detected and managed autonomously yet?

>
> Earlier On Thu, 8 Oct 2020, mum laris via clamav-users wrote:
>
>> Just to better understand, I've recently noted that cache scanning
>> of my firefox browser reports many errors like this:
>> ...
>> Can't parse data ERROR
>
> This could be one of those cases where ClamAV leads you on a dance to
> no purpose.  You might get more information if you try scanning the
> file with debugging and verbose logging enabled, but it's not certain
> to give you an answer.  Some of the error reporting in ClamAV could be
> improved, it's an on-going development task but it will take time.
>
> [...]
>
> Having said that there might not be any fault in ClamAV.  Random data
> can appear to a file classifier to be more or less any type of file.
> It might just be that ClamAV is being unavoidably confused by a chunk
> of random data which resembles something it isn't.  The chances might
> be small, but they're not zero.  Browsers in particular have a habit
> of storing huge numbers of files which most of us would have trouble
> identifying.  Much of the time the files are written speculatively to
> local storage 'just in case' they might be used again, but never are.
>
> It might even be a filesystem or system error, although I'm not sure
> how likely that is without more information.  I'd expect there to be
> other indications of that sort of thing.  What's the storage device?
> Is it near its best-before date?  Are you familiar with 'fsck'?
>
SSD partition:

# fsck.ext4 -nv /dev/sdaX

e2fsck 1.43.8 (1-Jan-2018)
Warning!  /dev/sdaX is mounted.
Warning: skipping journal recovery because doing a read-only filesystem 
check.

/dev/sdaX: clean, 545729/6553600 files, 21748990/26214400 blocks

Moreover, I have to say that after the first checks and before writing to this 
mailing list, I had completely cleared the cache.

Scans after this point were "clean" of errors.

After restarting Firefox, the errors came back!

>> I've checked and it's a regular file. But it's content isn't a plain
>> text file.
>
> It could be almost anything.  You can use the 'file' utility for more
> information.  It might be a compressed file or something like that and
> it might be broken.  Anything as bloated and complex as the graphical
> browsers of the 21st century is almost expected to leave broken files
> lying around the filesystem when it trips over its own great big feet.
>
file FF13A1C7B9A4E5C26BE58596DF7F58E6CCB3F19F
FF13A1C7B9A4E5C26BE58596DF7F58E6CCB3F19F: gzip compressed data, from Unix
>> I'm almost sure not happened before...
>
> Maybe it's happening now because of an update to the browser version.
> Maybe it's because you updated ClamAV or changed its configuration, or
> changed something else.  If it is just an odd log message now and then
> I'd ignore it unless I had time on my hands to investigate.  If it's a
> lot more than that then it might tell you that something needs fixing,
> but it would need some investigation.  You could put some files on a
> file sharing site and post a link here to see if anyone wants to take
> up the challenge but if you do that, please make sure that you won't
> be posting anything you want to keep private.
>
I explained what happened before, so please let me know if you think 
further analysis is needed.


> Some browsers will store gigabytes of junk for years.  You can tell
> them to delete the cache, or restrict the size of the cache, which
> will at least mean it takes a lot less time to scan.  You could tell
> ClamAV not to scan it, but as it might be one of the more likely
> places on the system to find threats, if you're concerned about them I
> wouldn't want to go so far as that.
>
> As long as your system - and particularly your browser - is kept up to
> date with security patches, and you're sensible about where and what
> you browse, and if the storage devices etc. are generally healthy, you
> shouldn't need to worry too much.  Most of the alerts from ClamAV will
> either be false alarms, warnings about exceeding some limit or other,
> or for Windows things to which a Linux box is immune.  If ClamAV does
> find something in the browser cache which is a threat to your browser,
> it's probably already too late to stop it doing its nasty work.
>
So you're not relaxing my thoughts any more...

cheers,

M.
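The thread leaves the reader with two suggestions: identify the cache entries with `file`, and re-scan the offending ones with ClamAV's debugging and verbose output. The step in between is checking whether a "gzip compressed data" file is actually a complete, well-formed gzip stream, because a cache entry that `file` calls gzip can still be truncated (written "just in case" and never finished), damaged, or followed by non-gzip bytes. Firefox's cache2 entry files keep the response body first and append the entry's own metadata after it, so a strict gzip reader will report a parse error on a perfectly healthy entry. The script below is an added example, not code from the mailing list or from the ClamAV project: it classifies each file as not-gzip / ok / truncated / corrupt, reports how many bytes trail the gzip stream, and shows that Python's own strict `gzip.decompress` rejects the entry with trailing metadata. The sample "cache entries" in `build_samples()` are constructed here; the appended metadata only approximates the real cache2 layout, and the `clamscan --debug --verbose` command it prints for suspect files is the one the thread suggests running by hand.

```python
"""Triage a browser cache directory before blaming the scanner (added example).

Every regular file is sorted into not-gzip / ok / truncated / corrupt, and for
complete gzip streams the number of trailing bytes is reported.  The samples
in build_samples() are constructed stand-ins, not real Firefox cache files."""
import gzip
import os
import random
import tempfile
import zlib

GZIP_MAGIC = b"\x1f\x8b"


def classify_gzip(data: bytes) -> dict:
    """Classify one blob by decoding it member by member with zlib.

    status:   'not-gzip' | 'ok' | 'truncated' | 'corrupt'
    size:     bytes decompressed before stopping
    trailing: bytes left after the last complete gzip member (cache metadata
              or junk); this is what a strict archive parser chokes on."""
    if data[:2] != GZIP_MAGIC:
        return {"status": "not-gzip", "size": 0, "trailing": 0}
    size, rest = 0, data
    while True:
        # wbits=16+MAX_WBITS: expect a gzip wrapper; zlib verifies CRC32/ISIZE.
        d = zlib.decompressobj(wbits=16 + zlib.MAX_WBITS)
        try:
            size += len(d.decompress(rest))
        except zlib.error as exc:  # bad deflate data or trailer check failed
            return {"status": "corrupt", "size": size, "trailing": 0, "detail": str(exc)}
        if not d.eof:  # input ran out before the end-of-stream trailer
            return {"status": "truncated", "size": size, "trailing": 0}
        rest = d.unused_data
        if rest[:2] != GZIP_MAGIC:  # no further member: whatever is left is trailing
            return {"status": "ok", "size": size, "trailing": len(rest)}


def strict_gzip_rejects(data: bytes) -> bool:
    """True if Python's strict gzip reader refuses the blob outright."""
    try:
        gzip.decompress(data)
        return False
    except (OSError, EOFError, zlib.error):  # BadGzipFile is an OSError
        return True


def build_samples() -> dict:
    """Constructed stand-ins for cache entries (not real Firefox files)."""
    rng = random.Random(1)
    body = b"<html><body>" + bytes(rng.getrandbits(8) for _ in range(3000)) + b"</body></html>"
    good = gzip.compress(body, mtime=0)
    # Approximation of a cache2 entry: body, then metadata, then its offset.
    meta = b"request-method: GET\x00"
    with_meta = good + meta + len(good).to_bytes(4, "big")
    truncated = good[: len(good) // 2]  # written speculatively, never finished
    corrupt = bytearray(good)
    corrupt[-6] ^= 0xFF  # damage the CRC32 in the 8-byte gzip trailer
    junk = b"\x89PNG\r\n\x1a\n" + bytes(rng.getrandbits(8) for _ in range(512))
    return {"plain.gz": good, "entry-with-metadata": with_meta,
            "truncated.gz": truncated, "corrupt.gz": bytes(corrupt), "random.bin": junk}


def triage_dir(path: str) -> dict:
    """Walk a cache directory (e.g. a profile's cache2/entries) and classify
    every regular file.  Returns {relative path: status}."""
    results = {}
    for root, _dirs, files in os.walk(path):
        for name in files:
            full = os.path.join(root, name)
            with open(full, "rb") as fh:
                results[os.path.relpath(full, path)] = classify_gzip(fh.read())["status"]
    return results


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for name, blob in build_samples().items():
            with open(os.path.join(tmp, name), "wb") as fh:
                fh.write(blob)
        for name, status in sorted(triage_dir(tmp).items()):
            line = f"{name:22s} {status}"
            if status in ("truncated", "corrupt"):
                # The thread's next step for a suspect file: scan it with debug output.
                line += f"   -> clamscan --debug --verbose {os.path.join(tmp, name)}"
            print(line)
```

Run it on a real profile with `triage_dir("/path/to/profile/cache2/entries")`; an entry reported `ok` with non-zero `trailing` is the normal shape of a cache2 file, while `truncated` and `corrupt` entries are the ones worth re-scanning with `--debug --verbose` or uploading for others to look at.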
