False negative due to container cache bug
elceef opened this issue · comments
Marcin Ulikowski commented
Describe the bug
Logical signatures that have conditions on a Container type or Intermediates types may not match if the target file is processed (normalized, extracted additional data) and scanned outside of the container first, and cached as clean.
How to reproduce the problem
$ sudo clamdscan -V
ClamAV 1.0.5
With the following proof-of-concept signatures matching the string <input inside a container:
HtmlContainerTestSig;Engine:81-255,Container:CL_TYPE_ZIP,Target:3;0;3c696e70757420
#HtmlIntermediatesTestSig;Engine:81-255,Intermediates:CL_TYPE_ZIP,Target:3;0;3c696e70757420
The ZIP archive can't be detected anymore after the HTML file has been scanned and cached as clean.
$ cat sample.html
<html>
<body>
<input type="password" />
</body>
</html>
$ zip sample.zip sample.html
adding: sample.html (deflated 18%)
$ sudo clamdscan --fdpass /tmp/sample.zip --no-summary
/tmp/sample.zip: HtmlContainerTestSig.UNOFFICIAL FOUND
$ sudo clamdscan --fdpass /tmp/sample.html --no-summary
/tmp/sample.html: OK
$ sudo clamdscan --fdpass /tmp/sample.zip --no-summary
/tmp/sample.zip: OK
Attachments
Attaching samples and logical signatures demonstrated above for convenience.
files.zip
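The sequence in the report, replayed against a small model of a clean-file cache. This is an added illustration, not ClamAV code: it parses the Container condition and hex subsignature from the .ldb line above, models the zip scan as the same HTML bytes surfacing with container type CL_TYPE_ZIP, and compares a cache keyed on content hash alone (which reproduces the false negative) with a cache key that also carries the container context (one possible remedy, shown here as an assumption rather than the project's actual fix).

```python
import hashlib

# The logical signature from the report (ClamAV .ldb format:
# name;TargetDescriptionBlock;LogicalExpression;subsig0[;subsig1...]).
LDB_LINES = [
    "HtmlContainerTestSig;Engine:81-255,Container:CL_TYPE_ZIP,Target:3;0;3c696e70757420",
]

def parse_ldb(line):
    """Keep only the fields this model needs: name, Container condition, hex subsigs."""
    name, tdb, _expr, *subsigs = line.split(";")
    conds = dict(kv.split(":", 1) for kv in tdb.split(","))
    return {"name": name, "container": conds.get("Container"),
            "subsigs": [bytes.fromhex(s) for s in subsigs]}

SIGS = [parse_ldb(line) for line in LDB_LINES]

def matches(sig, data, container):
    """A Container condition only holds for data extracted from that container type."""
    if sig["container"] is not None and sig["container"] != container:
        return False
    return all(s in data for s in sig["subsigs"])

def scan(data, container, cache, key_on_context):
    """Scan one file; 'container' is the type it was extracted from, or None.
    key_on_context=False models a clean cache keyed on the content hash alone."""
    digest = hashlib.sha256(data).hexdigest()
    key = (digest, container) if key_on_context else digest
    if key in cache:                      # cached-as-clean short-circuits matching
        return cache[key]
    for sig in SIGS:
        if matches(sig, data, container):
            return sig["name"] + ".UNOFFICIAL FOUND"   # detections are not cached
    cache[key] = "OK"
    return "OK"

# Constructed sample.html from the report; the zip is modelled as the same
# bytes surfacing with container type CL_TYPE_ZIP (simplification, assumed).
SAMPLE_HTML = b'<html>\n<body>\n<input type="password" />\n</body>\n</html>\n'

def reproduce(key_on_context):
    """Replay the three clamdscan invocations from the report, in order."""
    cache = {}
    return [scan(SAMPLE_HTML, "CL_TYPE_ZIP", cache, key_on_context),  # sample.zip
            scan(SAMPLE_HTML, None, cache, key_on_context),           # sample.html
            scan(SAMPLE_HTML, "CL_TYPE_ZIP", cache, key_on_context)]  # sample.zip again

if __name__ == "__main__":
    print("hash-only cache:  ", reproduce(False))   # [FOUND, OK, OK]: the false negative
    print("context-aware key:", reproduce(True))    # [FOUND, OK, FOUND]
```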