[clamav-users] CVE_2021_4034-9951522 false positives on node executables

Viktor Rosenfeld 24hesk at gmail.com
Tue Aug 2 20:12:17 UTC 2022


Hi Ged,

> Am 01.08.2022 um 12:20 schrieb G.W. Haywood <clamav at jubileegroup.co.uk>:
> 
> The signature database has the facility to whitelist falsely flagged
> files using a digest.  These are propagated with the 'daily' updates.
> Are you sure that your signature database is up to date?  What version
> of 'daily' do you have?

I always run freshclam before clamscan. See the output below.

22:51 hesk at kenny:~ $ freshclam 
ClamAV update process started at Mon Aug  1 22:51:52 2022
daily.cld database is up-to-date (version: 26615, sigs: 1992518, f-level: 90, builder: raynman)
main.cvd database is up-to-date (version: 62, sigs: 6647427, f-level: 90, builder: sigmgr)
bytecode.cvd database is up-to-date (version: 333, sigs: 92, f-level: 63, builder: awillia2)
22:51 hesk at kenny:~ $ clamscan /opt/homebrew/Cellar/node/18.7.0/bin/node
Loading:     7s, ETA:   0s [========================>]    8.62M/8.62M sigs       
Compiling:   2s, ETA:   0s [========================>]       41/41 tasks 

/opt/homebrew/Cellar/node/18.7.0/bin/node: Osx.Exploit.CVE_2021_4034-9951522-1 FOUND

----------- SCAN SUMMARY -----------
Known viruses: 8624548
Engine version: 0.105.1
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 40.39 MB
Data read: 37.92 MB (ratio 1.06:1)
Time: 10.480 sec (0 m 10 s)
Start Date: 2022:08:01 22:52:20
End Date:   2022:08:01 22:52:30


> If you can post an example file somewhere for me to download I can
> take a look at it.  (Alternatively post a link to where you got the
> file, AND the MD5 digest of the file that ClamAV is flagging so that
> we all know that we're looking at the same thing.)

I’m using Homebrew to install nodejs. Below is the curl command that downloads the file (taken from debug output) and the MD5 hash.

curl --disable --cookie /dev/null --globoff --show-error --user-agent Homebrew/3.5.6-73-ge217fd3\ \(Macintosh\;\ arm64\ Mac\ OS\ X\ 12.5\)\ curl/7.79.1 --header Accept-Language:\ en --fail --progress-bar --retry 3 --location --remote-time --output node--18.7.0.arm64_monterey.bottle.tar.gz https://pkg-containers.githubusercontent.com/ghcr1/blobs/sha256:5bc3bbc7796679a30ef86748accee8170fad11bccea0fcc1fc129f2a51b4b6fa\?se=2022-08-01T21\%3A05\%3A00Z\&sig=4J7BjIWzJ12h4lS5\%2FBL8zdhsYKLZFPS1j\%2BX4iWgdQ3s\%3D\&sp=r\&spr=https\&sr=b\&sv=2019-12-12

MD5 (node/18.7.0/bin/node) = bd689141b74bf1c9d897d25aa6878a85

Cheers,
Viktor
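The quoted reply mentions that ClamAV can whitelist a falsely flagged file by its digest. While waiting for that to land in 'daily', the same mechanism works locally: ClamAV loads `.fp` files (MD5:Size:Name) and `.sfp` files (SHA1-or-SHA256:Size:Name) from its database directory and suppresses detections on files whose hash and size match. The script below is an added example for this list post, not code from Viktor, Ged or the ClamAV project; it builds those two lines for a file and parses the daily.cld version out of freshclam's up-to-date line so it can be quoted in a report. The digest tools are assumed to be GNU coreutils (Linux) or the BSD md5/shasum (macOS); the file content and entry name in the demo are constructed stand-ins, not the node binary.

```shell
#!/bin/sh
# Added example (not from the thread): produce local ClamAV false-positive
# whitelist entries for a file you have verified as clean, and pull the
# daily.cld version out of freshclam output.
set -eu

# Portable digests: GNU coreutils on Linux, BSD tools on macOS (assumption).
md5_of() {
  if command -v md5sum >/dev/null 2>&1; then md5sum "$1" | cut -d' ' -f1
  else md5 -q "$1"; fi
}
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1" | cut -d' ' -f1
  else shasum -a 256 "$1" | cut -d' ' -f1; fi
}
# Arithmetic expansion strips the leading padding BSD wc prints.
size_of() { echo $(( $(wc -c < "$1") )); }

# .fp entry: MD5:Size:Name (the layout `sigtool --md5 FILE` also prints).
fp_line()  { printf '%s:%s:%s\n' "$(md5_of "$1")" "$(size_of "$1")" "$2"; }
# .sfp entry: SHA256:Size:Name (SHA1 is accepted in this file type as well).
sfp_line() { printf '%s:%s:%s\n' "$(sha256_of "$1")" "$(size_of "$1")" "$2"; }

# Extract the version number from freshclam's
# "daily.cld database is up-to-date (version: 26615, ...)" line on stdin.
daily_version() { sed -n 's/^daily\.c[lv]d .*version: \([0-9]*\),.*/\1/p'; }

# Demo on constructed input; on the real system point it at the flagged
# binary, e.g. /opt/homebrew/Cellar/node/18.7.0/bin/node.
demo() {
  tmp=$(mktemp)
  printf 'hello\n' > "$tmp"                 # constructed stand-in for a flagged file
  fp_line  "$tmp" node-18.7.0-homebrew      # -> local.fp
  sfp_line "$tmp" node-18.7.0-homebrew      # -> local.sfp
  rm -f "$tmp"
}
demo
```

Append the `.fp` or `.sfp` line to a file with that extension in ClamAV's database directory (the DatabaseDirectory from clamd.conf / freshclam.conf) and clamscan will stop reporting that exact file. Two caveats a practitioner would want: the entry matches on hash and size, so it silences detections only for that one build of the file, and it should be added only after confirming the binary is the one Homebrew intended to install, for example by checking the downloaded bottle against the sha256 digest in the ghcr blob URL quoted above. Treat it as a local stopgap until the signature maintainers ship the fix in 'daily'.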
