Hi, we have a customer using Owncloud, which in turn uses clamd to scan uploaded files for viruses.
This customer keeps getting messages that the file is infected with Win.Malware.Ausiv-9881459-0. Owncloud seems to be using TCP socket streaming to scan this. Not sure if it extracts the file itself first. We see this in the logs:

    May 3 14:42:07 hostxxxx clamd[36275]: instream(127.0.0.1@34022): Win.Malware.Ausiv-9881459-0 FOUND

However, if I put the ZIP on the filesystem it finds nothing:

    # telnet localhost 3310
    Trying 127.0.0.1...
    Connected to localhost.
    Escape character is '^]'.
    SCAN /tmp/SigningHub-v8.6.3-RR-Win64-29Mar2024.zip
    /tmp/SigningHub-v8.6.3-RR-Win64-29Mar2024.zip: OK
    Connection closed by foreign host.

clamscan doesn't find anything either:

    # clamscan SigningHub-v8.6.3-RR-Win64-29Mar2024.zip
    /tmp/SigningHub-v8.6.3-RR-Win64-29Mar2024.zip: OK

    ----------- SCAN SUMMARY -----------
    Known viruses: 8692233
    Engine version: 0.103.11
    Scanned directories: 0
    Scanned files: 1
    Infected files: 0
    Data scanned: 0.00 MB
    Data read: 609.80 MB (ratio 0.00:1)
    Time: 16.315 sec (0 m 16 s)
    Start Date: 2024:05:03 17:04:20
    End Date:   2024:05:03 17:04:36

This system is running Oracle Linux 8 and has a somewhat older version of clam itself. On my Gentoo Linux box at home the same happens though, even when trying to force it to scan inside archives with the filesize limit increased. Both the speed at which this happens and the fact that even with '-a' it doesn't print any filenames within the archive seem to indicate it's not really doing it. Scanning the extracted archive takes much, much longer.

    clamscan -a --max-filesize=2048M --scan-archive=yes SigningHub-v8.6.3-RR-Win64-29Mar2024.zip
    Loading:     5s, ETA:   0s [========================>]   8.69M/8.69M sigs
    Compiling:   2s, ETA:   0s [========================>]      41/41 tasks
    /tmp/SigningHub-v8.6.3-RR-Win64-29Mar2024.zip: OK

    ----------- SCAN SUMMARY -----------
    Known viruses: 8692425
    Engine version: 1.3.0
    Scanned directories: 0
    Scanned files: 1
    Infected files: 0
    Data scanned: 0.00 MB
    Data read: 609.80 MB (ratio 0.00:1)
    Time: 7.097 sec (0 m 7 s)
    Start Date: 2024:05:03 17:06:22
    End Date:   2024:05:03 17:06:29

Both clam on the Oracle Linux 8 system and on my Gentoo system (1.3.0) find a virus when extracting the ZIP to a folder and scanning that recursively.

    /tmp/tt $ clamscan -r
    Loading:     5s, ETA:   0s [========================>]   8.69M/8.69M sigs
    Compiling:   2s, ETA:   0s [========================>]      41/41 tasks
    /tmp/tt/acknowledgments.txt: OK
    ...
    /tmp/tt/admin/bin/Aspose.Words.dll: Win.Malware.Ausiv-9881459-0 FOUND
    ...
    /tmp/tt/web/Web.config: OK

    ----------- SCAN SUMMARY -----------
    Known viruses: 8692425
    Engine version: 1.3.0
    Scanned directories: 200
    Scanned files: 1139
    Infected files: 4
    Data scanned: 524.40 MB
    Data read: 1182.24 MB (ratio 0.44:1)
    Time: 107.934 sec (1 m 47 s)
    Start Date: 2024:05:03 17:07:23
    End Date:   2024:05:03 17:09:11

Scanning the folder takes 1 minute 47 seconds in total, of which ~7s is loading/compiling the database. Scanning of the ZIP completes nearly instantly after that, whereas the extracted folder thus takes around 1m40.

Am I missing something here? I presume we'd need to submit the DLL file for analysis on the false positive?

Thanks in advance and have a nice weekend!

_______________________________________________
Manage your clamav-users mailing list subscription / unsubscribe:
https://lists.clamav.net/mailman/listinfo/clamav-users
Help us build a comprehensive ClamAV guide:
https://github.com/Cisco-Talos/clamav-documentation
https://docs.clamav.net/#mailing-lists-and-chat
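The post compares two different ways of handing the same ZIP to ClamAV: Owncloud pushes the file body over the TCP socket with INSTREAM (that is what the `instream(127.0.0.1@34022)` log line records), while the telnet test uses SCAN with a path that clamd opens itself. The script below is an added example, not code from the post, from Owncloud or from the ClamAV project; it speaks the clamd protocol as documented in the clamd manual (`zINSTREAM` followed by 4-byte big-endian length-prefixed chunks and a zero-length terminator, `zSCAN <path>`, NUL-terminated replies) so the same file can be run through both paths from the command line and the two verdicts compared directly. It assumes clamd is listening on 127.0.0.1:3310; the sample reply lines used in the parser docstring and tests are constructed, with the signature name taken from the post. A reply of the form `stream: INSTREAM size limit exceeded. ERROR` means the stream hit clamd's StreamMaxLength, which is a separate limit from the `--max-filesize`/`--max-scansize` pair that clamscan applies; in the clamscan runs above, `Data scanned: 0.00 MB` against `Data read: 609.80 MB` is what a file skipped by those limits looks like (only `--max-filesize` was raised; `--max-scansize`, whose default is 100M, was not), and `--alert-exceeds-max` makes such skips report as alerts instead of `OK`.

```python
"""Run one file through clamd two ways (INSTREAM vs SCAN) and compare verdicts.

Added example; not part of the original post or of ClamAV. Assumes a clamd
reachable on CLAMD_HOST:CLAMD_PORT (defaults are the usual TCPSocket setting).
"""
import socket
import struct
from dataclasses import dataclass
from typing import Iterable, Iterator, Optional

CLAMD_HOST = "127.0.0.1"   # assumption: clamd listens on localhost
CLAMD_PORT = 3310          # assumption: default TCPSocket port
CHUNK_SIZE = 64 * 1024     # INSTREAM chunk size; clamd only cares about the running total


@dataclass(frozen=True)
class Verdict:
    subject: str            # "stream" for INSTREAM, the scanned path for SCAN
    status: str             # "OK", "FOUND" or "ERROR"
    detail: Optional[str]   # signature name on FOUND, message on ERROR, None on OK


def parse_response(line: str) -> Verdict:
    """Parse one clamd reply line, e.g. (constructed samples)
    '/tmp/x.zip: OK', 'stream: Win.Malware.Ausiv-9881459-0 FOUND',
    'stream: INSTREAM size limit exceeded. ERROR'."""
    line = line.rstrip("\0\n")
    subject, _, rest = line.partition(": ")
    if rest == "OK":
        return Verdict(subject, "OK", None)
    status = rest.rsplit(" ", 1)[-1]
    if status not in ("FOUND", "ERROR"):
        raise ValueError(f"unrecognised clamd reply: {line!r}")
    return Verdict(subject, status, rest[: -len(status)].rstrip())


def instream_frames(chunks: Iterable[bytes]) -> Iterator[bytes]:
    """Yield the wire bytes of a zINSTREAM session: the command, then
    <4-byte big-endian length><data> for each chunk, then a zero-length frame."""
    yield b"zINSTREAM\0"
    for chunk in chunks:
        if chunk:
            yield struct.pack(">I", len(chunk)) + chunk
    yield struct.pack(">I", 0)


def _roundtrip(frames: Iterable[bytes]) -> Verdict:
    """Send the frames to clamd and read one NUL-terminated reply."""
    with socket.create_connection((CLAMD_HOST, CLAMD_PORT)) as s:
        try:
            for frame in frames:
                s.sendall(frame)
        except (BrokenPipeError, ConnectionResetError):
            pass  # clamd aborts the stream past StreamMaxLength; its ERROR reply is still readable
        reply = b""
        while not reply.endswith(b"\0"):
            buf = s.recv(4096)
            if not buf:
                break
            reply += buf
    return parse_response(reply.decode("utf-8", "replace"))


def scan_stream(path: str) -> Verdict:
    """The Owncloud-style path: stream the file body through INSTREAM."""
    with open(path, "rb") as f:
        return _roundtrip(instream_frames(iter(lambda: f.read(CHUNK_SIZE), b"")))


def scan_path(path: str) -> Verdict:
    """The telnet-style path: ask clamd to open and scan the file itself."""
    return _roundtrip([b"zSCAN " + path.encode() + b"\0"])


if __name__ == "__main__":
    import sys
    target = sys.argv[1]
    a, b = scan_stream(target), scan_path(target)
    print("INSTREAM:", a)
    print("SCAN    :", b)
    print("verdicts agree" if a.status == b.status else "verdicts DIFFER between transports")
```

Run it as `python3 clamd_compare.py /tmp/SigningHub-v8.6.3-RR-Win64-29Mar2024.zip` against the same clamd that Owncloud talks to. If INSTREAM returns FOUND while SCAN returns OK for the identical bytes, the difference is in the limits applied to each transport (StreamMaxLength versus MaxFileSize/MaxScanSize in clamd.conf), not in the signature; if both return OK, Owncloud is most likely scanning something other than the raw ZIP, such as extracted members.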