Virus detected while Response :: stream: OK
markuman opened this issue · comments
The file is scanned during background scan. Clamav response with Response :: stream: OK
, but the logs throws then a "level": 4
error and classify it with Infected file found (during background scan) PUA.Doc.Packed.EncryptedDoc-6563700-0
.
It's unclear where this comes from. When I transfer that file to another nextcloud host (same setup, same nextcloud version, same clamav version), it doesn't throw a level 4 error.
Maybe there is a concurrency error?
[
{
"reqId": "4u789jcqK1fvARdwcqDE",
"level": 0,
"time": "2020-09-08T10:40:22+00:00",
"remoteAddr": "",
"user": "--",
"app": "files_antivirus",
"method": "",
"url": "--",
"message": "Scanning file with fileid: 10151",
"userAgent": "--",
"version": "19.0.2.2"
},
{
"reqId": "4u789jcqK1fvARdwcqDE",
"level": 0,
"time": "2020-09-08T10:40:22+00:00",
"remoteAddr": "",
"user": "--",
"app": "files_antivirus",
"method": "",
"url": "--",
"message": "Scan started File: 10151 Account: nextclouduser Path: /nextclouduser/files/photos/san francisco.jpg",
"userAgent": "--",
"version": "19.0.2.2"
},
{
"reqId": "4u789jcqK1fvARdwcqDE",
"level": 0,
"time": "2020-09-08T10:40:22+00:00",
"remoteAddr": "",
"user": "--",
"app": "files_antivirus",
"method": "",
"url": "--",
"message": "Scan is done File: 10151 Account: nextclouduser Path: /nextclouduser/files/photos/san francisco.jpg",
"userAgent": "--",
"version": "19.0.2.2"
},
{
"reqId": "4u789jcqK1fvARdwcqDE",
"level": 0,
"time": "2020-09-08T10:40:22+00:00",
"remoteAddr": "",
"user": "--",
"app": "files_antivirus",
"method": "",
"url": "--",
"message": "Response :: stream: OK\n",
"userAgent": "--",
"version": "19.0.2.2"
},
{
"reqId": "4u789jcqK1fvARdwcqDE",
"level": 4,
"time": "2020-09-08T10:40:22+00:00",
"remoteAddr": "",
"user": "--",
"app": "files_antivirus",
"method": "",
"url": "--",
"message": "Infected file found (during background scan) PUA.Doc.Packed.EncryptedDoc-6563700-0 File: 10151 Account: nextclouduser Path: /nextclouduser/files/photos/san francisco.jpg",
"userAgent": "--",
"version": "19.0.2.2"
}
]
Does this error still occur?
Dunno, we disabled it because of too many false-positiv findings.
All right. I think the false positive case when the previous file were infected recently. Feel free to give it a try ;)