nextcloud / files_antivirus

👾 Antivirus app for Nextcloud Files

Home Page: https://apps.nextcloud.com/apps/files_antivirus

Filter False-Positive PUA.Doc.Packed.EncryptedDoc-6563700-0

markuman opened this issue · comments

I see a lot of false-positive messages, e.g. on PNG, JPEG, PDF files etc.

"message":"Infected file found (during background scan) PUA.Doc.Packed.EncryptedDoc-6563700-0 File: 10147 Account: ...

I tried to add a rule so that it is not handled as a warning.

PUA\.Doc\.Packed\.EncryptedDoc-6563700-0 FOUND

It does not work. Can someone give me some advice?

So after some trial and error, I guess I know how it works.

When I upload an infected file, you get 4 log messages in your data/nextcloud.log file.
To whitelist the file you're uploading, you need the first of those 4 log messages (the one whose message starts with Response ::).

[
  {
    "reqId": "pva8wPXXBN75sRbArOHw",
    "level": 0,
    "time": "2020-09-08T10:09:32+00:00",
    "remoteAddr": "172.18.0.3",
    "user": "m",
    "app": "files_antivirus",
    "method": "PUT",
    "url": "/remote.php/webdav/tmp/eicarcom2.zip",
    "message": "Response :: stream: Win.Test.EICAR_HDB-1 FOUND\n",
    "userAgent": "Mozilla/5.0 (X11; Linux x86_64; rv:79.0) Gecko/20100101 Firefox/79.0",
    "version": "19.0.2.2"
  }, 
...

This is the first log entry. Your regexp must be applied to this one.

Use /.*. Win.Test.EICAR_HDB-1 FOUND$/, set the rule to "clean", and it works.

Maybe it is also helpful for #159 and #163.
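An added example, not code from the thread or from the files_antivirus project: it pulls the "Response ::" entries out of constructed nextcloud.log lines (modelled on the ones quoted above) and reports which of those scanner responses a given rule regexp would match. It assumes the app applies the rule as an unanchored regexp search against the response text, and that a rule may be written with or without the surrounding slashes; both are assumptions, not something the thread confirms. The point a practitioner wants to verify before setting a rule to "clean" is that it matches exactly the one signature being whitelisted and none of the other responses.

```python
import json
import re

# Constructed sample log lines, modelled on the nextcloud.log entries quoted
# in the thread (only the fields the example needs are kept; the third and
# fourth signature names are made up for the demonstration).
SAMPLE_LOG_LINES = [
    json.dumps({"app": "files_antivirus", "level": 0,
                "message": "Response :: stream: Win.Test.EICAR_HDB-1 FOUND\n"}),
    json.dumps({"app": "files_antivirus", "level": 2,
                "message": "Infected file deleted. Win.Test.EICAR_HDB-1 Account: m "
                           "Path: files/tmp/eicarcom2.zip.ocTransferId1714334355.part"}),
    json.dumps({"app": "files_antivirus", "level": 0,
                "message": "Response :: stream: PUA.Doc.Packed.EncryptedDoc-6563700-0 FOUND\n"}),
    json.dumps({"app": "files_antivirus", "level": 0,
                "message": "Response :: stream: Constructed.Example.Other-1 FOUND\n"}),
    json.dumps({"app": "core", "level": 1, "message": "unrelated entry"}),
]

RESPONSE_PREFIX = "Response :: "


def scanner_responses(log_lines):
    """Return the scanner response text from each files_antivirus
    'Response ::' entry, i.e. the string the thread says the rule regexp
    is applied to (prefix removed, trailing newline kept as logged)."""
    responses = []
    for line in log_lines:
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue
        msg = entry.get("message")
        if entry.get("app") != "files_antivirus" or not isinstance(msg, str):
            continue
        if msg.startswith(RESPONSE_PREFIX):
            responses.append(msg[len(RESPONSE_PREFIX):])
    return responses


def strip_delimiters(rule):
    """Accept a rule written PHP-style as /pattern/ (as in the thread) or as
    a bare pattern and return the bare pattern. Assumption: no PCRE
    modifier letters follow the closing slash."""
    if len(rule) >= 2 and rule[0] == "/" and rule[-1] == "/":
        return rule[1:-1]
    return rule


def rule_matches(rule, response):
    """True if the rule's regexp matches the scanner response. Using an
    unanchored search is an assumption about how the app applies the
    pattern; as in PCRE, Python's '$' also matches just before a trailing
    newline, so 'FOUND$' still hits the logged "... FOUND\\n" text."""
    return re.search(strip_delimiters(rule), response) is not None


def matched_responses(rule, log_lines):
    """Which of the logged scanner responses a rule would match. A 'clean'
    rule should match only the one signature you mean to whitelist;
    anything broader silently disables the scanner for every response it
    matches."""
    return [r for r in scanner_responses(log_lines) if rule_matches(rule, r)]


if __name__ == "__main__":
    for rule in ("/.*. Win.Test.EICAR_HDB-1 FOUND$/",
                 r"/.*. PUA\.Doc\.Packed\.EncryptedDoc-6563700-0 FOUND$/",
                 "/.*FOUND$/"):
        print(rule, "->", matched_responses(rule, SAMPLE_LOG_LINES))
```

Running the block shows the two signature-specific rules each matching a single response, while a sloppy "/.*FOUND$/" matches every response in the sample; the last form is what to check for and avoid before saving a "clean" rule.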

FYI: This is the full log of an upload scan for one file.
The first message is the response.

[
  {
    "reqId": "pva8wPXXBN75sRbArOHw",
    "level": 0,
    "time": "2020-09-08T10:09:32+00:00",
    "remoteAddr": "172.18.0.3",
    "user": "m",
    "app": "files_antivirus",
    "method": "PUT",
    "url": "/remote.php/webdav/tmp/eicarcom2.zip",
    "message": "Response :: stream: Win.Test.EICAR_HDB-1 FOUND\n",
    "userAgent": "Mozilla/5.0 (X11; Linux x86_64; rv:79.0) Gecko/20100101 Firefox/79.0",
    "version": "19.0.2.2"
  },
  {
    "reqId": "pva8wPXXBN75sRbArOHw",
    "level": 2,
    "time": "2020-09-08T10:09:32+00:00",
    "remoteAddr": "172.18.0.3",
    "user": "m",
    "app": "files_antivirus",
    "method": "PUT",
    "url": "/remote.php/webdav/tmp/eicarcom2.zip",
    "message": "Infected file deleted. Win.Test.EICAR_HDB-1 Account: m Path: files/tmp/eicarcom2.zip.ocTransferId1714334355.part",
    "userAgent": "Mozilla/5.0 (X11; Linux x86_64; rv:79.0) Gecko/20100101 Firefox/79.0",
    "version": "19.0.2.2"
  },
  {
    "reqId": "pva8wPXXBN75sRbArOHw",
    "level": 4,
    "time": "2020-09-08T10:09:32+00:00",
    "remoteAddr": "172.18.0.3",
    "user": "m",
    "app": "files_antivirus",
    "method": "PUT",
    "url": "/remote.php/webdav/tmp/eicarcom2.zip",
    "message": "Infected file deleted. Win.Test.EICAR_HDB-1 File: files/tmp/eicarcom2.zip.ocTransferId1714334355.part Account: m",
    "userAgent": "Mozilla/5.0 (X11; Linux x86_64; rv:79.0) Gecko/20100101 Firefox/79.0",
    "version": "19.0.2.2"
  },
  {
    "reqId": "pva8wPXXBN75sRbArOHw",
    "level": 3,
    "time": "2020-09-08T10:09:32+00:00",
    "remoteAddr": "172.18.0.3",
    "user": "m",
    "app": "no app in context",
    "method": "PUT",
    "url": "/remote.php/webdav/tmp/eicarcom2.zip",
    "message": {
      "Exception": "OCP\\Files\\InvalidContentException",
      "Message": "Virus Win.Test.EICAR_HDB-1 is detected in the file. Upload cannot be completed.",
      "Code": 0,
      "Trace": [
        {
          "function": "OCA\\Files_Antivirus\\{closure}",
          "class": "OCA\\Files_Antivirus\\AvirWrapper",
          "type": "->",
          "args": [
            "*** sensitive parameters replaced ***"
          ]
        },
        {
          "file": "/var/www/html/apps/files_external/3rdparty/icewind/streams/src/CallbackWrapper.php",
          "line": 121,
          "function": "call_user_func",
          "args": [
            {
              "__class__": "Closure"
            }
          ]
        },
        {
          "file": "/var/www/html/lib/private/Files/Storage/Wrapper/Wrapper.php",
          "line": 631,
          "function": "stream_close",
          "class": "Icewind\\Streams\\CallbackWrapper",
          "type": "->",
          "args": []
        },
        {
          "file": "/var/www/html/lib/private/Files/Storage/Wrapper/Wrapper.php",
          "line": 631,
          "function": "writeStream",
          "class": "OC\\Files\\Storage\\Wrapper\\Wrapper",
          "type": "->",
          "args": [
            "files/tmp/eicarcom2.zip.ocTransferId1714334355.part",
            null,
            null
          ]
        },
        {
          "file": "/var/www/html/apps/dav/lib/Connector/Sabre/File.php",
          "line": 202,
          "function": "writeStream",
          "class": "OC\\Files\\Storage\\Wrapper\\Wrapper",
          "type": "->",
          "args": [
            "files/tmp/eicarcom2.zip.ocTransferId1714334355.part",
            null
          ]
        },
        {
          "file": "/var/www/html/apps/dav/lib/Connector/Sabre/Directory.php",
          "line": 154,
          "function": "put",
          "class": "OCA\\DAV\\Connector\\Sabre\\File",
          "type": "->",
          "args": [
            null
          ]
        },
        {
          "file": "/var/www/html/3rdparty/sabre/dav/lib/DAV/Server.php",
          "line": 1104,
          "function": "createFile",
          "class": "OCA\\DAV\\Connector\\Sabre\\Directory",
          "type": "->",
          "args": [
            "eicarcom2.zip",
            null
          ]
        },
        {
          "file": "/var/www/html/3rdparty/sabre/dav/lib/DAV/CorePlugin.php",
          "line": 527,
          "function": "createFile",
          "class": "Sabre\\DAV\\Server",
          "type": "->",
          "args": [
            "tmp/eicarcom2.zip",
            null,
            null
          ]
        },
        {
          "file": "/var/www/html/3rdparty/sabre/event/lib/WildcardEmitterTrait.php",
          "line": 89,
          "function": "httpPut",
          "class": "Sabre\\DAV\\CorePlugin",
          "type": "->",
          "args": [
            {
              "__class__": "Sabre\\HTTP\\Request"
            },
            {
              "__class__": "Sabre\\HTTP\\Response"
            }
          ]
        },
        {
          "file": "/var/www/html/3rdparty/sabre/dav/lib/DAV/Server.php",
          "line": 474,
          "function": "emit",
          "class": "Sabre\\DAV\\Server",
          "type": "->",
          "args": [
            "method:PUT",
            [
              {
                "__class__": "Sabre\\HTTP\\Request"
              },
              {
                "__class__": "Sabre\\HTTP\\Response"
              }
            ]
          ]
        },
        {
          "file": "/var/www/html/3rdparty/sabre/dav/lib/DAV/Server.php",
          "line": 251,
          "function": "invokeMethod",
          "class": "Sabre\\DAV\\Server",
          "type": "->",
          "args": [
            {
              "__class__": "Sabre\\HTTP\\Request"
            },
            {
              "__class__": "Sabre\\HTTP\\Response"
            }
          ]
        },
        {
          "file": "/var/www/html/3rdparty/sabre/dav/lib/DAV/Server.php",
          "line": 319,
          "function": "start",
          "class": "Sabre\\DAV\\Server",
          "type": "->",
          "args": []
        },
        {
          "file": "/var/www/html/apps/dav/appinfo/v1/webdav.php",
          "line": 82,
          "function": "exec",
          "class": "Sabre\\DAV\\Server",
          "type": "->",
          "args": []
        },
        {
          "file": "/var/www/html/remote.php",
          "line": 167,
          "args": [
            "/var/www/html/apps/dav/appinfo/v1/webdav.php"
          ],
          "function": "require_once"
        }
      ],
      "File": "/var/www/html/custom_apps/files_antivirus/lib/AvirWrapper.php",
      "Line": 154,
      "CustomMessage": "--"
    },
    "userAgent": "Mozilla/5.0 (X11; Linux x86_64; rv:79.0) Gecko/20100101 Firefox/79.0",
    "version": "19.0.2.2"
  },
  {
    "reqId": "pva8wPXXBN75sRbArOHw",
    "level": 4,
    "time": "2020-09-08T10:09:32+00:00",
    "remoteAddr": "172.18.0.3",
    "user": "m",
    "app": "webdav",
    "method": "PUT",
    "url": "/remote.php/webdav/tmp/eicarcom2.zip",
    "message": {
      "Exception": "OCA\\DAV\\Connector\\Sabre\\Exception\\UnsupportedMediaType",
      "Message": "Virus Win.Test.EICAR_HDB-1 is detected in the file. Upload cannot be completed.",
      "Code": 0,
      "Trace": [
        {
          "file": "/var/www/html/apps/dav/lib/Connector/Sabre/File.php",
          "line": 252,
          "function": "convertToSabreException",
          "class": "OCA\\DAV\\Connector\\Sabre\\File",
          "type": "->",
          "args": [
            {
              "__class__": "OCP\\Files\\InvalidContentException"
            }
          ]
        },
        {
          "file": "/var/www/html/apps/dav/lib/Connector/Sabre/Directory.php",
          "line": 154,
          "function": "put",
          "class": "OCA\\DAV\\Connector\\Sabre\\File",
          "type": "->",
          "args": [
            null
          ]
        },
        {
          "file": "/var/www/html/3rdparty/sabre/dav/lib/DAV/Server.php",
          "line": 1104,
          "function": "createFile",
          "class": "OCA\\DAV\\Connector\\Sabre\\Directory",
          "type": "->",
          "args": [
            "eicarcom2.zip",
            null
          ]
        },
        {
          "file": "/var/www/html/3rdparty/sabre/dav/lib/DAV/CorePlugin.php",
          "line": 527,
          "function": "createFile",
          "class": "Sabre\\DAV\\Server",
          "type": "->",
          "args": [
            "tmp/eicarcom2.zip",
            null,
            null
          ]
        },
        {
          "file": "/var/www/html/3rdparty/sabre/event/lib/WildcardEmitterTrait.php",
          "line": 89,
          "function": "httpPut",
          "class": "Sabre\\DAV\\CorePlugin",
          "type": "->",
          "args": [
            {
              "__class__": "Sabre\\HTTP\\Request"
            },
            {
              "__class__": "Sabre\\HTTP\\Response"
            }
          ]
        },
        {
          "file": "/var/www/html/3rdparty/sabre/dav/lib/DAV/Server.php",
          "line": 474,
          "function": "emit",
          "class": "Sabre\\DAV\\Server",
          "type": "->",
          "args": [
            "method:PUT",
            [
              {
                "__class__": "Sabre\\HTTP\\Request"
              },
              {
                "__class__": "Sabre\\HTTP\\Response"
              }
            ]
          ]
        },
        {
          "file": "/var/www/html/3rdparty/sabre/dav/lib/DAV/Server.php",
          "line": 251,
          "function": "invokeMethod",
          "class": "Sabre\\DAV\\Server",
          "type": "->",
          "args": [
            {
              "__class__": "Sabre\\HTTP\\Request"
            },
            {
              "__class__": "Sabre\\HTTP\\Response"
            }
          ]
        },
        {
          "file": "/var/www/html/3rdparty/sabre/dav/lib/DAV/Server.php",
          "line": 319,
          "function": "start",
          "class": "Sabre\\DAV\\Server",
          "type": "->",
          "args": []
        },
        {
          "file": "/var/www/html/apps/dav/appinfo/v1/webdav.php",
          "line": 82,
          "function": "exec",
          "class": "Sabre\\DAV\\Server",
          "type": "->",
          "args": []
        },
        {
          "file": "/var/www/html/remote.php",
          "line": 167,
          "args": [
            "/var/www/html/apps/dav/appinfo/v1/webdav.php"
          ],
          "function": "require_once"
        }
      ],
      "File": "/var/www/html/apps/dav/lib/Connector/Sabre/File.php",
      "Line": 644,
      "Previous": {
        "Exception": "OCP\\Files\\InvalidContentException",
        "Message": "Virus Win.Test.EICAR_HDB-1 is detected in the file. Upload cannot be completed.",
        "Code": 0,
        "Trace": [
          {
            "function": "OCA\\Files_Antivirus\\{closure}",
            "class": "OCA\\Files_Antivirus\\AvirWrapper",
            "type": "->",
            "args": [
              "*** sensitive parameters replaced ***"
            ]
          },
          {
            "file": "/var/www/html/apps/files_external/3rdparty/icewind/streams/src/CallbackWrapper.php",
            "line": 121,
            "function": "call_user_func",
            "args": [
              {
                "__class__": "Closure"
              }
            ]
          },
          {
            "file": "/var/www/html/lib/private/Files/Storage/Wrapper/Wrapper.php",
            "line": 631,
            "function": "stream_close",
            "class": "Icewind\\Streams\\CallbackWrapper",
            "type": "->",
            "args": []
          },
          {
            "file": "/var/www/html/lib/private/Files/Storage/Wrapper/Wrapper.php",
            "line": 631,
            "function": "writeStream",
            "class": "OC\\Files\\Storage\\Wrapper\\Wrapper",
            "type": "->",
            "args": [
              "files/tmp/eicarcom2.zip.ocTransferId1714334355.part",
              null,
              null
            ]
          },
          {
            "file": "/var/www/html/apps/dav/lib/Connector/Sabre/File.php",
            "line": 202,
            "function": "writeStream",
            "class": "OC\\Files\\Storage\\Wrapper\\Wrapper",
            "type": "->",
            "args": [
              "files/tmp/eicarcom2.zip.ocTransferId1714334355.part",
              null
            ]
          },
          {
            "file": "/var/www/html/apps/dav/lib/Connector/Sabre/Directory.php",
            "line": 154,
            "function": "put",
            "class": "OCA\\DAV\\Connector\\Sabre\\File",
            "type": "->",
            "args": [
              null
            ]
          },
          {
            "file": "/var/www/html/3rdparty/sabre/dav/lib/DAV/Server.php",
            "line": 1104,
            "function": "createFile",
            "class": "OCA\\DAV\\Connector\\Sabre\\Directory",
            "type": "->",
            "args": [
              "eicarcom2.zip",
              null
            ]
          },
          {
            "file": "/var/www/html/3rdparty/sabre/dav/lib/DAV/CorePlugin.php",
            "line": 527,
            "function": "createFile",
            "class": "Sabre\\DAV\\Server",
            "type": "->",
            "args": [
              "tmp/eicarcom2.zip",
              null,
              null
            ]
          },
          {
            "file": "/var/www/html/3rdparty/sabre/event/lib/WildcardEmitterTrait.php",
            "line": 89,
            "function": "httpPut",
            "class": "Sabre\\DAV\\CorePlugin",
            "type": "->",
            "args": [
              {
                "__class__": "Sabre\\HTTP\\Request"
              },
              {
                "__class__": "Sabre\\HTTP\\Response"
              }
            ]
          },
          {
            "file": "/var/www/html/3rdparty/sabre/dav/lib/DAV/Server.php",
            "line": 474,
            "function": "emit",
            "class": "Sabre\\DAV\\Server",
            "type": "->",
            "args": [
              "method:PUT",
              [
                {
                  "__class__": "Sabre\\HTTP\\Request"
                },
                {
                  "__class__": "Sabre\\HTTP\\Response"
                }
              ]
            ]
          },
          {
            "file": "/var/www/html/3rdparty/sabre/dav/lib/DAV/Server.php",
            "line": 251,
            "function": "invokeMethod",
            "class": "Sabre\\DAV\\Server",
            "type": "->",
            "args": [
              {
                "__class__": "Sabre\\HTTP\\Request"
              },
              {
                "__class__": "Sabre\\HTTP\\Response"
              }
            ]
          },
          {
            "file": "/var/www/html/3rdparty/sabre/dav/lib/DAV/Server.php",
            "line": 319,
            "function": "start",
            "class": "Sabre\\DAV\\Server",
            "type": "->",
            "args": []
          },
          {
            "file": "/var/www/html/apps/dav/appinfo/v1/webdav.php",
            "line": 82,
            "function": "exec",
            "class": "Sabre\\DAV\\Server",
            "type": "->",
            "args": []
          },
          {
            "file": "/var/www/html/remote.php",
            "line": 167,
            "args": [
              "/var/www/html/apps/dav/appinfo/v1/webdav.php"
            ],
            "function": "require_once"
          }
        ],
        "File": "/var/www/html/custom_apps/files_antivirus/lib/AvirWrapper.php",
        "Line": 154
      },
      "CustomMessage": "--"
    },
    "userAgent": "Mozilla/5.0 (X11; Linux x86_64; rv:79.0) Gecko/20100101 Firefox/79.0",
    "version": "19.0.2.2"
  }
]