Cisco-Talos / clamav

ClamAV - Documentation is here: https://docs.clamav.net

Home Page:https://www.clamav.net/

False negative due to container cache bug

elceef opened this issue

Describe the bug

Logical signatures that have conditions on Container or Intermediates types may not match if the target file is processed (normalized, with additional data extracted) and scanned outside of the container first, and cached as clean.

How to reproduce the problem

$ sudo clamdscan -V
ClamAV 1.0.5

With the following proof-of-concept signatures matching the string "<input " inside a container:

HtmlContainerTestSig;Engine:81-255,Container:CL_TYPE_ZIP,Target:3;0;3c696e70757420
#HtmlIntermediatesTestSig;Engine:81-255,Intermediates:CL_TYPE_ZIP,Target:3;0;3c696e70757420

The ZIP archive can't be detected anymore after the HTML file has been scanned and cached as clean.

$ cat sample.html 
<html>
<body>
<input type="password" />
</body>
</html>
$ zip sample.zip sample.html
  adding: sample.html (deflated 18%)
$ sudo clamdscan --fdpass /tmp/sample.zip --no-summary
/tmp/sample.zip: HtmlContainerTestSig.UNOFFICIAL FOUND
$ sudo clamdscan --fdpass /tmp/sample.html --no-summary
/tmp/sample.html: OK
$ sudo clamdscan --fdpass /tmp/sample.zip --no-summary
/tmp/sample.zip: OK

Attachments

Attaching the samples and logical signatures demonstrated above for convenience.
files.zip
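As an added illustration (not part of the report and not ClamAV's own code), the following Python model reproduces the interaction described above: a clean-result cache keyed only by the hash of the extracted file, combined with a logical signature whose condition depends on the container the file came from. The scan sequence mirrors the one in the report (ZIP, then the bare HTML, then the ZIP again). The `cache_by_context` flag is a hypothetical mitigation for the model only, keying the cache on (hash, container type); it is not a claim about how ClamAV fixed the bug. The sample HTML and signature are constructed from the ones in the report.

```python
"""Model of a clean-file cache defeating a container-conditioned signature.

Added example, not ClamAV code. It reproduces the sequence from the report:
  1. scan sample.zip   -> member matches (container is ZIP)
  2. scan sample.html  -> no container, no match, hash cached as clean
  3. scan sample.zip   -> member's hash hits the clean cache, signature skipped
"""
import hashlib
import io
import zipfile
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample, same content as sample.html in the report.
HTML = b'<html>\n<body>\n<input type="password" />\n</body>\n</html>\n'


def make_zip(name: str, data: bytes) -> bytes:
    """Build an in-memory ZIP archive containing one member (like `zip sample.zip sample.html`)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, data)
    return buf.getvalue()


@dataclass
class Signature:
    name: str
    pattern: bytes                       # 3c696e70757420 == b"<input "
    container: Optional[str] = None      # required type of the enclosing container, if any


# HtmlContainerTestSig from the report: match "<input " only when inside a ZIP.
SIGS = [Signature("HtmlContainerTestSig", b"<input ", container="CL_TYPE_ZIP")]


@dataclass
class Scanner:
    # Hypothetical mitigation for this model: include the container type in the cache key.
    cache_by_context: bool = False
    clean_cache: set = field(default_factory=set)

    def _key(self, data: bytes, container: Optional[str]):
        digest = hashlib.sha256(data).hexdigest()
        return (digest, container) if self.cache_by_context else digest

    def scan_bytes(self, data: bytes, container: Optional[str]) -> Optional[str]:
        """Scan one target. A clean-cache hit returns OK without evaluating signatures."""
        key = self._key(data, container)
        if key in self.clean_cache:
            return None
        for sig in SIGS:
            if sig.pattern in data and (sig.container is None or sig.container == container):
                return sig.name  # detections are never cached
        self.clean_cache.add(key)
        return None

    def scan_file(self, data: bytes) -> Optional[str]:
        """Top-level scan: extract ZIP members and scan them with container=CL_TYPE_ZIP."""
        if data.startswith(b"PK\x03\x04"):
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for member in zf.namelist():
                    hit = self.scan_bytes(zf.read(member), container="CL_TYPE_ZIP")
                    if hit:
                        return hit
        # The file itself (archive or plain HTML) is also a target, with no container.
        return self.scan_bytes(data, container=None)


def run_sequence(scanner: Scanner) -> List[Optional[str]]:
    """Replay the report's three scans and return the verdict of each."""
    sample_zip = make_zip("sample.html", HTML)
    return [
        scanner.scan_file(sample_zip),   # FOUND
        scanner.scan_file(HTML),         # OK, HTML hash now cached as clean
        scanner.scan_file(sample_zip),   # buggy cache: OK (false negative)
    ]


if __name__ == "__main__":
    print("hash-only cache      :", run_sequence(Scanner(cache_by_context=False)))
    print("hash+container cache :", run_sequence(Scanner(cache_by_context=True)))
```

The third verdict is the false negative: the extracted member's hash was recorded as clean during the standalone scan, where the Container condition could not be satisfied, and that verdict is reused in a context where it would have matched. Keying the cache on the scan context is one way to make the model behave; an equally valid approach is to not cache a clean verdict for a target whose signatures carry container or intermediate conditions.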