Thanks for reporting this, Mark.  The signature has been dropped and a new
bytecode.cvd released.

I was able to have the bytecode signature be ignored by creating the .ign2
file as follows and then moving it into the ClamAV signature directory:
`echo "BC.Img.Exploit.CVE_2018_4891-6453673-2" > test.ign2`.  Can you
elaborate on how you are creating the .ign2 file?

Thanks again,

-Andrew

On Thu, Mar 4, 2021 at 11:16 AM Mark Allan <markjal...@gmail.com> wrote:

> Looks like we have another one!
>         BC.Img.Exploit.CVE_2018_4891-6453673-2
>
> This is generating loads of FPs as well.
>
> Curiously (and sorry for listing two issues in one email) adding a
> bytecode signature name (with the .{} suffix) to an ign2 file appears to
> have no effect. Any thoughts why this might be?
>
> Best regards,
> Mark
>
> > On 16 Feb 2021, at 3:06 am, Micah Snyder (micasnyd) <micas...@cisco.com>
> > wrote:
> >
> > It looks like BC.Img.Exploit.CVE_2017_11255-6335669-1 suffered the same
> > lack of proper FP testing as the other TIFF signature, likely for the same
> > reasons.  After some time reviewing it, I agree that
> > BC.Img.Exploit.CVE_2017_11255-6335669-1 should be dropped.  This bytecode
> > signature has a relatively high probability to FP on TIFF files that don't
> > include a ColorMap in the IFD header(s), which is also fairly common.
> > Reworking the signature is probably not worth the effort considering
> > the CVE is from 2017.
> >
> > It should be dropped in the update tomorrow morning.
> >
> > Thanks for reaching out Mark.
> >
> > Regards,
> > Micah
> >
> >> -----Original Message-----
> >> From: clamav-devel <clamav-devel-boun...@lists.clamav.net> On Behalf Of
> >> Micah Snyder (micasnyd)
> >> Sent: Monday, February 15, 2021 11:36 AM
> >> To: ClamAV Development <clamav-devel@lists.clamav.net>
> >> Subject: Re: [Clamav-devel] Issue with FP only on 0.103.1
> >>
> >> Oh, sorry, I misread your email.  Needed more coffee.  You were asking
> >> about a different signature: BC.Img.Exploit.CVE_2017_11255-6335669-1
> >> Will investigate.
> >>
> >> -Micah
> >>
> >>> -----Original Message-----
> >>> From: clamav-devel <clamav-devel-boun...@lists.clamav.net> On Behalf
> >>> Of Micah Snyder (micasnyd)
> >>> Sent: Monday, February 15, 2021 10:28 AM
> >>> To: ClamAV Development <clamav-devel@lists.clamav.net>
> >>> Subject: Re: [Clamav-devel] Issue with FP only on 0.103.1
> >>>
> >>> Hi Mark,
> >>>
> >>> TL;DR:  The type detection mismatch is fixed in the current daily +
> >>> 0.103.1.
> >>> The issue was with the signature.  We didn't know about it because of
> >>> the mismatch.  You should've found that the offending signature was
> >>> dropped on Saturday morning.
> >>>
> >>> Details:
> >>>
> >>> 0.103.1 introduced CL_TYPE_TIFF and changed TIFF file type recognition
> >>> from:
> >>>  0:0:49492a00:TIFF Little Endian:CL_TYPE_ANY:CL_TYPE_GRAPHICS
> >>>  0:0:4d4d:TIFF Big Endian:CL_TYPE_ANY:CL_TYPE_GRAPHICS
> >>> to:
> >>>  0:0:49492a00:TIFF Little Endian:CL_TYPE_ANY:CL_TYPE_TIFF
> >>>  0:0:4d4d:TIFF Big Endian:CL_TYPE_ANY:CL_TYPE_TIFF
> >>>
> >>> When FTM signatures are loaded from daily.cvd, it overrides the
> >>> built-in FTM signatures.  So it turns out that daily's FTM file had
> >>> been missing the original CL_TYPE_GRAPHICS detection of TIFF files all
> >>> this time, which would've been required for Target:5 signatures to
> >>> alert on TIFF files.  As a result, the signature in question "worked"
> >>> in testing (with a single LDB file, using built-in FTM), but never
> >>> worked during FP testing or in production (with a daily CVD file).
> >>>
> >>> When we added this to daily.ftm to support 0.103.1:
> >>>  0:0:49492a00:TIFF Little Endian:CL_TYPE_ANY:CL_TYPE_TIFF:122
> >>>  0:0:4d4d:TIFF Big Endian:CL_TYPE_ANY:CL_TYPE_TIFF:122
> >>> ... all of a sudden a signature which was written for TIFF files
> >>> started alerting on TIFF files (as it should've) because the new
> >>> CL_TYPE_TIFF also alerts on
> >>> Target:5 (graphics) types.  We never added the CL_TYPE_GRAPHICS
> >>> variant for 0.103.0 and prior, which is why it appeared to be an issue
> >>> with 0.103.1.  Perhaps we should?  I'll ask MRT about it.
> >>>
> >>> Anyways, this is basically a reminder that we need to make sure daily
> >>> FTM and libclamav's FTM are in sync.
> >>>
> >>> -Micah
> >>>
> >>>
> >>>> -----Original Message-----
> >>>> From: clamav-devel <clamav-devel-boun...@lists.clamav.net> On Behalf
> >>>> Of Mark Allan
> >>>> Sent: Saturday, February 13, 2021 3:35 PM
> >>>> To: ClamAV Development <clamav-devel@lists.clamav.net>
> >>>> Subject: Re: [Clamav-devel] Issue with FP only on 0.103.1
> >>>>
> >>>> Thanks. I've just found another one too:
> >>>>
> >>>>    BC.Img.Exploit.CVE_2017_11255-6335669-1
> >>>>
> >>>> It's triggering on a file that's been part of macOS for many years.
> >>>> It's also a tiff file. I can submit this as well if necessary?
> >>>>
> >>>> Out of interest, is the type detection mismatch something that can
> >>>> be fixed in daily.cvd or can I patch libclamav/filetypes_int.h to
> >>>> revert it to what it was at 0.103.0?
> >>>>
> >>>> Mark
> >>>>
> >>>>> On 12 Feb 2021, at 5:23 am, Micah Snyder (micasnyd)
> >>>>> <micas...@cisco.com> wrote:
> >>>>>
> >>>>> It appears to me to be an issue with the signature which is only
> >>>>> evident in 0.103.1 now that we're matching TIFFs with Target:5
> >>>>> signatures, like this one.
> >>>>>
> >>>>> There was apparently a mismatch for TIFF file type detection
> >>>>> between the file type magic signatures built-in to libclamav
> >>>>> (libclamav/filetypes_int.h) and the .ftm sigs shipped with daily.cvd
> >>>>> (which override the internal ones when loaded).
> >>>>>
> >>>>> I'll ask to have the signature dropped and re-evaluated.
> >>>>>
> >>>>> -Micah
> >>>>>
> >>>>>> -----Original Message-----
> >>>>>> From: clamav-devel <clamav-devel-boun...@lists.clamav.net> On
> >>>>>> Behalf Of Micah Snyder (micasnyd)
> >>>>>> Sent: Thursday, February 11, 2021 8:27 PM
> >>>>>> To: ClamAV Development <clamav-devel@lists.clamav.net>
> >>>>>> Subject: Re: [Clamav-devel] Issue with FP only on 0.103.1
> >>>>>>
> >>>>>> Thank you Mark! We'll take a look.
> >>>>>>
> >>>>>> -Micah
> >>>>>>
> >>>>>>> -----Original Message-----
> >>>>>>> From: clamav-devel <clamav-devel-boun...@lists.clamav.net> On
> >>>>>>> Behalf Of Mark Allan
> >>>>>>> Sent: Thursday, February 11, 2021 3:54 PM
> >>>>>>> To: ClamAV Development <clamav-devel@lists.clamav.net>
> >>>>>>> Subject: Re: [Clamav-devel] Issue with FP only on 0.103.1
> >>>>>>>
> >>>>>>> Hi Micah,
> >>>>>>>
> >>>>>>> Yes, of course! I've just uploaded a zip file (Archive.zip) to
> >>>>>>> the FP page on clamav.net.
> >>>>>>>         MD5 (Archive.zip) = 45229d954a884a1e03aba15b9f42168a
> >>>>>>>
> >>>>>>> Regards
> >>>>>>> Mark
> >>>>>>>
> >>>>>>>> On 11 Feb 2021, at 7:12 pm, Micah Snyder (micasnyd)
> >>>>>>>> <micas...@cisco.com> wrote:
> >>>>>>>>
> >>>>>>>> Hi Mark,
> >>>>>>>>
> >>>>>>>> Do you think you could share a sample or two with me to test?
> >>>>>>>> I'm really curious what changed and would like to debug each
> >>>>>>>> version with a sample or two.
> >>>>>>>>
> >>>>>>>> -Micah
> >>>>>>>>
> >>>>>>>>> -----Original Message-----
> >>>>>>>>> From: clamav-devel <clamav-devel-boun...@lists.clamav.net> On
> >>>>>>>>> Behalf Of Mark Allan
> >>>>>>>>> Sent: Monday, February 8, 2021 3:04 AM
> >>>>>>>>> To: ClamAV Development <clamav-devel@lists.clamav.net>
> >>>>>>>>> Subject: [Clamav-devel] Issue with FP only on 0.103.1
> >>>>>>>>>
> >>>>>>>>> Hi all,
> >>>>>>>>>
> >>>>>>>>> It looks like the additional image file type support in
> >>>>>>>>> 0.103.1 has introduced an issue with a particular signature
> >>>>>>>>> which has been in the database since 2018:
> >>>>>>>>>
> >>>>>>>>>       Img.Exploit.CVE_2018_4904-6449838-0
> >>>>>>>>>
> >>>>>>>>> It's flagging up thousands of known-good files. As far as I
> >>>>>>>>> can tell, they're all TIFF files.
> >>>>>>>>>
> >>>>>>>>> I've added that signature to an ign2 file for now, but I'm
> >>>>>>>>> wondering if there's something else that's maybe amiss
> >>>>>>>>> somewhere either with the signature or the 0.103.1 update?
> >>>>>>>>>
> >>>>>>>>> Best regards,
> >>>>>>>>> Mark
> >>>>>>>>>
> >>>>>>>>> _______________________________________________
> >>>>>>>>>
> >>>>>>>>> clamav-devel mailing list
> >>>>>>>>> clamav-devel@lists.clamav.net
> >>>>>>>>> https://lists.clamav.net/mailman/listinfo/clamav-devel
> >>>>>>>>>
> >>>>>>>>> Please submit your patches to our Github:
> >>>>>>>>> https://github.com/Cisco-Talos/clamav-devel/pulls
> >>>>>>>>>
> >>>>>>>>> Help us build a comprehensive ClamAV guide:
> >>>>>>>>> https://github.com/vrtadmin/clamav-faq
> >>>>>>>>>
> >>>>>>>>> http://www.clamav.net/contact.html#ml
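The FTM override behaviour Micah describes above (a loaded daily.ftm replacing libclamav's built-in file type magic, so a TIFF-targeted signature could never match in production while daily lacked the TIFF entries), as an added Python example that is not part of this thread or of the ClamAV code base: it parses FTM lines, shows what type a TIFF header resolves to with a given daily table loaded, and diffs two tables so they can be kept in sync. It assumes the line layout Type:Offset:HexMagic:Name:ReqType:DetectedType[:MinFL], models only fixed-offset (type 0) entries, and uses constructed sample tables (the MS-EXE entry is made up); `parse_ftm`, `detect_type`, `type_mismatches` and `check` are hypothetical helpers.

```python
import binascii
from dataclasses import dataclass
from typing import List, Optional
# Assumed FTM line layout (matches the lines quoted in the thread):
#   Type:Offset:HexMagic:Name:ReqType:DetectedType[:MinFL[:MaxFL]]
@dataclass(frozen=True)
class FtmSig:
    offset: int
    magic: bytes
    detected_type: str
    min_flevel: Optional[int]
def parse_ftm(text: str) -> List[FtmSig]:
    """Parse type-0 (fixed-offset magic) lines; blank, comment and other-type lines are skipped."""
    sigs = []
    for raw in text.splitlines():
        f = raw.strip().split(":")
        if len(f) < 6 or f[0] != "0":
            continue
        min_fl = int(f[6]) if len(f) > 6 and f[6] else None
        sigs.append(FtmSig(int(f[1]), binascii.unhexlify(f[2]), f[5], min_fl))
    return sigs

def detect_type(data: bytes, sigs, flevel: int) -> Optional[str]:
    """First detected type whose magic matches at its offset and whose MinFL allows it."""
    for s in sigs:
        if s.min_flevel is not None and flevel < s.min_flevel:
            continue
        if data[s.offset:s.offset + len(s.magic)] == s.magic:
            return s.detected_type
    return None

def type_mismatches(a, b):
    """(offset, magic) keys whose detected type differs between two tables; None = absent."""
    ta = {(s.offset, s.magic): s.detected_type for s in a}
    tb = {(s.offset, s.magic): s.detected_type for s in b}
    return {k: (ta.get(k), tb.get(k)) for k in ta.keys() | tb.keys() if ta.get(k) != tb.get(k)}

# Constructed sample tables, built from the FTM lines quoted in the thread.
BUILTIN_0_103_1 = """0:0:49492a00:TIFF Little Endian:CL_TYPE_ANY:CL_TYPE_TIFF
0:0:4d4d:TIFF Big Endian:CL_TYPE_ANY:CL_TYPE_TIFF
0:0:4d5a:MS-EXE:CL_TYPE_ANY:CL_TYPE_MSEXE"""
DAILY_OLD = "0:0:4d5a:MS-EXE:CL_TYPE_ANY:CL_TYPE_MSEXE"  # constructed: daily lacking the TIFF lines
DAILY_FIXED = BUILTIN_0_103_1.replace("CL_TYPE_TIFF", "CL_TYPE_TIFF:122")
TIFF_LE = b"II*\x00\x08\x00\x00\x00"  # constructed little-endian TIFF header

def check(daily_text: str, flevel: int = 122):
    builtin, daily = parse_ftm(BUILTIN_0_103_1), parse_ftm(daily_text)
    loaded = daily or builtin  # a loaded daily FTM table replaces the built-in one outright
    return detect_type(TIFF_LE, loaded, flevel), type_mismatches(builtin, daily)
```

With DAILY_OLD loaded, check() returns no type for the TIFF header and reports both TIFF magics as absent from daily; with DAILY_FIXED it returns CL_TYPE_TIFF at flevel 122 and nothing at 121, because of the MinFL field.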