A few months ago one of our team observed that adding ign2 entries for bytecode signatures (BC.* signatures) can be confusing. They added these notes in a new task in our Jira:
It looks like bytecode sigs used to need to be allowlisted via ign2 files with entries like the following:

    BC.Img.Exploit.CVE_2018_4891-6453673-2.{}

'{}' corresponded to an empty 'VirusName', but for BC sigs that use non-empty ones it would need to be allowlisted as:

    BC.Img.Exploit.CVE_2018_4891-6453673-2.{VirusNames}

This commit makes it so that signatures can be allowlisted with just `BC.Img.Exploit.CVE_2018_4891-6453673-2` in the ign2 file:
https://github.com/Cisco-Talos/clamav-devel/commit/b2f59861ee1a53c113fd37fe9378f739cc012042

The downsides with this approach are:

- backward compatibility was not preserved, so any existing .ign2 sigs people had for bytecode rules likely stopped working
- it's no longer possible to allowlist specific VirusNames from within a bytecode sig
- currently, bytecode sigs that match with a VirusName will show up as BC.Img.Exploit.CVE_2018_4891-6453673-2.VirusName for the detection name, but the corresponding ign2 entry would have to be `BC.Img.Exploit.CVE_2018_4891-6453673-2`

If we get a chance, we should address some or all of these. We should definitely document the current behavior and limitations for bytecode signature entries on https://docs.clamav.net/manual/Signatures/AllowLists.html?highlight=fp#file-allow-lists

Orion, if you're interested in helping with the docs, the equivalent page is here:
https://github.com/Cisco-Talos/clamav-documentation/blob/main/src/manual/Signatures/AllowLists.md

-Micah

> -----Original Message-----
> From: clamav-users <clamav-users-boun...@lists.clamav.net> On Behalf Of Orion Poplawski via clamav-users
> Sent: Wednesday, July 21, 2021 12:35 PM
> To: eric-l...@truenet.com; ClamAV users ML <clamav-us...@lists.clamav.net>
> Cc: Orion Poplawski <or...@nwra.com>
> Subject: Re: [clamav-users] Cannot ignore BC.Gif.Exploit.Agent-1425366.Agent
>
> Looks like "BC.Gif.Exploit-1425366" finally did the trick. Thanks. Is this kind of thing documented anywhere?
>
> On 7/21/21 12:33 PM, eric-l...@truenet.com wrote:
> > Orion,
> >
> > Did you keep .Agent at the end of the whitelist?
> > It should just be BC.Gif.Exploit.Agent-1425366.
> >
> > I scanned the tar balls at gnome.org and didn't find anything though, but maybe you got it from somewhere else.
> >
> > Sincerely,
> >
> > Eric Tykwinski
> > TrueNet, Inc.
> > P: 610-429-8300
> >
> > -----Original Message-----
> > From: clamav-users <clamav-users-boun...@lists.clamav.net> On Behalf Of Orion Poplawski via clamav-users
> > Sent: Wednesday, July 21, 2021 1:48 PM
> > To: ClamAV users ML <clamav-users@lists.clamav.net>
> > Cc: Orion Poplawski <or...@nwra.com>
> > Subject: [clamav-users] Cannot ignore BC.Gif.Exploit.Agent-1425366.Agent
> >
> > clamav is reporting BC.Gif.Exploit.Agent-1425366.Agent for a gif inside of the gdk-pixbuf2 tarball. I've tried adding it to our local whitelist.ign2 file, but that doesn't appear to take effect. Any way to ignore this definition?
> >
> > Thanks,
> > Orion
> >
> > --
> > Orion Poplawski
> > IT Systems Manager 720-772-5637
> > NWRA, Boulder/CoRA Office FAX: 303-415-9702
> > 3380 Mitchell Lane or...@nwra.com
> > Boulder, CO 80301 https://www.nwra.com/
>
> --
> Orion Poplawski
> IT Systems Manager 720-772-5637
> NWRA, Boulder/CoRA Office FAX: 303-415-9702
> 3380 Mitchell Lane or...@nwra.com
> Boulder, CO 80301 https://www.nwra.com/

_______________________________________________
clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users

Help us build a comprehensive ClamAV guide: https://github.com/vrtadmin/clamav-faq
http://www.clamav.net/contact.html#ml