Background scan detecting file scanned after an infected file as also infected.
Steps to reproduce
- Using latest version 3.2.1
- Upload infected file to Nextcloud
- Enable antivirus and wait for background scan
Expected behaviour
Only the uploaded known infected file should be detected as infected in logs.
Actual behaviour
The infected file and what I assume is the very next file scanned are both detected as infected.
Server configuration
Operating system: Alpine Linux 3.13 Arm64
Web server: Nginx 1.18.0
Database: PostgreSQL 13.3
PHP version: PHP 7.4.21
Nextcloud version: 20.0.12
Where did you install Nextcloud from: Alpine Linux Repositories
List of activated apps:
/usr/share/webapps/nextcloud # sudo -u nginx php occ app:list
Enabled:
- bruteforcesettings: 2.2.0
- cloud_federation_api: 1.3.0
- contactsinteraction: 1.1.0
- dav: 1.16.2
- federatedfilesharing: 1.10.2
- files: 1.15.0
- files_antivirus: 3.2.1
- logreader: 2.5.0
- lookup_server_connector: 1.8.0
- oauth2: 1.8.0
- provisioning_api: 1.10.0
- settings: 1.2.0
- twofactor_backupcodes: 1.9.0
- viewer: 1.4.0
- workflowengine: 2.2.0
Disabled:
Nextcloud configuration:
/usr/share/webapps/nextcloud # sudo -u nginx php occ config:list system
{
"system": {
"instanceid": "***REMOVED SENSITIVE VALUE***",
"passwordsalt": "***REMOVED SENSITIVE VALUE***",
"secret": "***REMOVED SENSITIVE VALUE***",
"trusted_domains": [
"***REMOVED SENSITIVE VALUE***",
"***REMOVED SENSITIVE VALUE***"
],
"trusted_proxies": "***REMOVED SENSITIVE VALUE***",
"datadirectory": "***REMOVED SENSITIVE VALUE***",
"dbtype": "pgsql",
"version": "20.0.12.1",
"overwrite.cli.url": "https:\/\/192.168.1.120",
"dbname": "***REMOVED SENSITIVE VALUE***",
"dbhost": "***REMOVED SENSITIVE VALUE***",
"dbport": "",
"dbtableprefix": "oc_",
"dbuser": "***REMOVED SENSITIVE VALUE***",
"dbpassword": "***REMOVED SENSITIVE VALUE***",
"installed": true,
"memcache.local": "\\OC\\Memcache\\APCu",
"mail_smtpmode": "sendmail",
"mail_sendmailmode": "pipe",
"mail_from_address": "***REMOVED SENSITIVE VALUE***",
"mail_domain": "***REMOVED SENSITIVE VALUE***",
"theme": "",
"loglevel": "2",
"maintenance": false
}
}
Client configuration
Browser: Chrome Version 92.0.4515.131 (Official Build) (64-bit)
Operating system: Ubuntu 20.04.2 LTS
Logs
Nextcloud log (data/owncloud.log)
{"reqId":"SpeK7yNfeD9nXumgvMfw","level":4,"time":"2021-08-13T22:20:22+00:00","remoteAddr":"","user":"--","app":"files_antivirus","method":"","url":"--","message":"Infected file found (during background scan) Win.Malware.Aa93a15d-6745814-0 File: 2966 Account: deand Path: /deand/files/Pinkbike Photos & Videos/p4pb2417061.jpg","userAgent":"--","version":"20.0.12.1","id":"6117893318cfc"}
{"reqId":"SpeK7yNfeD9nXumgvMfw","level":4,"time":"2021-08-13T22:20:22+00:00","remoteAddr":"","user":"--","app":"files_antivirus","method":"","url":"--","message":"Infected file found (during background scan) Win.Malware.Aa93a15d-6745814-0 File: 6771 Account: deand Path: /deand/files/Windows_Loader_v2.2.1.zip","userAgent":"--","version":"20.0.12.1","id":"6117893318d7b"}
Clamav log
Fri Aug 13 22:56:07 2021 -> SelfCheck: Database status OK.
Fri Aug 13 23:10:45 2021 -> SelfCheck: Database status OK.
Fri Aug 13 23:20:22 2021 -> instream(local): Win.Malware.Aa93a15d-6745814-0 FOUND
Fri Aug 13 23:20:45 2021 -> SelfCheck: Database status OK.
Fri Aug 13 23:30:47 2021 -> SelfCheck: Database status OK.
Fri Aug 13 23:40:47 2021 -> SelfCheck: Database status OK.
Comments
I can see issue #167 and pull #169 seem to be aimed at resolving this and predate the current release by some way, but the issue still exists. I have turned off deleting for infected files found during background scan for the time being, as this would result in files being deleted unnecessarily.
If I am not mistaken and pull #169 is included in the latest release, could this be the result of some sort of concurrency issue?
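A triage check for the symptom reported above, as an added example that is not part of the issue or of the files_antivirus code: it groups Nextcloud background-scan detections by signature and second, and reports every group that lists more files than clamd logged FOUND events for. It assumes the clamd log is written in local time one hour ahead of UTC (the two logs in the report differ by exactly one hour); `detection_mismatches` and `clamd_utc_offset_hours` are names chosen here.

```python
import json
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

NC_RE = re.compile(r"Infected file found \(during background scan\) (\S+) File: (\d+) Account: \S+ Path: (.*)")
CLAMD_RE = re.compile(r"^(\w{3} \w{3} +\d+ [\d:]{8} \d{4}) -> .*: (\S+) FOUND$")

# Log lines from the report; the Nextcloud entries are trimmed to the fields used here.
NEXTCLOUD_LOG = '''
{"reqId":"SpeK7yNfeD9nXumgvMfw","time":"2021-08-13T22:20:22+00:00","app":"files_antivirus","message":"Infected file found (during background scan) Win.Malware.Aa93a15d-6745814-0 File: 2966 Account: deand Path: /deand/files/Pinkbike Photos & Videos/p4pb2417061.jpg"}
{"reqId":"SpeK7yNfeD9nXumgvMfw","time":"2021-08-13T22:20:22+00:00","app":"files_antivirus","message":"Infected file found (during background scan) Win.Malware.Aa93a15d-6745814-0 File: 6771 Account: deand Path: /deand/files/Windows_Loader_v2.2.1.zip"}
'''
CLAMD_LOG = '''
Fri Aug 13 23:10:45 2021 -> SelfCheck: Database status OK.
Fri Aug 13 23:20:22 2021 -> instream(local): Win.Malware.Aa93a15d-6745814-0 FOUND
Fri Aug 13 23:20:45 2021 -> SelfCheck: Database status OK.
'''


def detection_mismatches(nc_log, clamd_log, clamd_utc_offset_hours=1):
    """Return groups where Nextcloud reports more infected files than clamd found."""
    tz = timezone(timedelta(hours=clamd_utc_offset_hours))  # assumed clamd local time
    engine = Counter()  # (signature, UTC second) -> number of FOUND events
    for line in clamd_log.splitlines():
        m = CLAMD_RE.match(line.strip())
        if m:
            t = datetime.strptime(m.group(1), "%a %b %d %H:%M:%S %Y").replace(tzinfo=tz)
            engine[(m.group(2), t.astimezone(timezone.utc))] += 1
    reported = defaultdict(list)  # same key -> [(file id, path), ...]
    for line in nc_log.splitlines():
        if not line.strip():
            continue
        entry = json.loads(line)
        m = NC_RE.search(entry.get("message", ""))
        if entry.get("app") == "files_antivirus" and m:
            t = datetime.fromisoformat(entry["time"]).astimezone(timezone.utc)
            reported[(m.group(1), t)].append((int(m.group(2)), m.group(3)))
    # Matching is by exact second, which is how the two logs in the report line up.
    return [
        {"signature": sig, "time": t.isoformat(), "clamd_found": engine[(sig, t)], "files": files}
        for (sig, t), files in reported.items() if len(files) > engine[(sig, t)]
    ]


if __name__ == "__main__":
    for group in detection_mismatches(NEXTCLOUD_LOG, CLAMD_LOG):
        print(json.dumps(group, indent=2))
```

A non-empty result means Nextcloud flagged more files than the engine did; the logs alone do not say which file in the group is the real hit, so each listed file needs a rescan before any automatic deletion is re-enabled.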