Koozali.org: home of the SME Server

Re Clam with massive false positives

Offline compsos

Re Clam with massive false positives
« on: May 12, 2012, 05:10:51 AM »
Hi
We have just had a system overnight quarantined approx 17000 files all for a virus called

BC.Exploit.CVE_2012_1847

Has anyone else seen this happen? We are in the process of restoring from backup.
SME 7.5.1
clamav-db-0.97-1.el4.rf
clamd-0.97-1.el4.rf
clamav-0.97-1.el4.rf
smeserver-clamav-2.0.0-12.el4.sme

We have had 10 systems hit by this problem.
« Last Edit: May 12, 2012, 05:58:39 AM by compsos »
Regards

Gordon............

Offline compsos

Re: Re Clam with massive false positives
« Reply #1 on: May 12, 2012, 06:04:56 AM »
Seems Clam may have issued a fix
http://comments.gmane.org/gmane.comp.security.virus.clamav.user/37391
If you have not been hit then do a freshclam ASAP.

Edit: fixed the link
« Last Edit: May 12, 2012, 07:00:20 AM by cactus »
Regards

Gordon............

Offline compsos

Re: Re Clam with massive false positives
« Reply #2 on: May 13, 2012, 06:34:18 AM »
If you have been hit then Stefano wrote a perl script for an earlier false positive. Thank you Stefano
To test comment out the line
system($stringa);
to
# system($stringa);
This almost works but the cp command cannot stat the files. So we have a list but no result. Have tried changing the chmod. Manually from the console works but not the script. Anyone have a solution?
 
Code:
#!/usr/bin/perl
use strict;
use warnings;

# open file (stop with the OS error message if it cannot be read)
open (my $fh, '<', './mytest1.log') or die "Cannot open ./mytest1.log: $!";

# loop through lines
while (<$fh>)
{
   if (/(.*)(: moved to )(.*)/)
    {
      # store "source" and "destination" in 2 new variables
      my $t3 = $3;
      my $t1 = $1;
      # in source line, remove the ' character at beginning of line
      $t3 =~ s/^'//;
      # again, remove the ' character at the end
      $t3 =~ s/'$//;
      # concatenate source and destination, separated by a tab
      my $stringa = $t3."\t".$t1;
      # replace all spaces " " with "\ "
      $stringa =~ s/ /\\ /g;
      # replace all ' with \'
      $stringa =~ s/'/\\'/g;
      # replace all ( with \(
      $stringa =~ s/\(/\\\(/g;
      # replace all ) with \)
      $stringa =~ s/\)/\\\)/g;
      # print the resulting line with "cp " at the beginning
      print 'cp '.$stringa."\n";
      # call and execute the command; note the "cp " prefix must be part of
      # the command (the version posted above called system($stringa) without it)
      # this line should be commented with # to check for errors
      system('cp '.$stringa);
    }
}
close ($fh);
Regards

Gordon............

Offline CharlieBrady

Re: Re Clam with massive false positives
« Reply #3 on: May 13, 2012, 06:04:02 PM »
We have had 10 systems hit by this problem.

Really? And you have not yet sent a bug report?

I know you have seen this before, but the message appears not to have sunk in:

Don't report problems here - Please report bugs and potential bugs in the bug tracker

Offline compsos

Re: Re Clam with massive false positives
« Reply #4 on: May 13, 2012, 11:51:40 PM »
Hi Charlie
This is not an SME bug but a clam error in the bytecode.cld file from what I have found.
Do you want other systems faults reported in the SME bug tracker?
The posting was initially suggesting other users should check if they have been hit. Yes maybe the restoration idea should be in the bug tracker but the warning should be as wide as possible. On systems hit it does make quite a mess.
Regards

Gordon............

Offline ctm

Re: Re Clam with massive false positives
« Reply #5 on: May 14, 2012, 11:42:23 AM »
I've had 4 systems hit, caused a bit of panic with the users. I ended up modifying slightly Stefano's & goniol1's script from Jan 2010 to move the files back. Don't forget to copy & rename the log file (/var/log/clamd/clamscan.log) up into the root directory.



Code:
#!/usr/bin/perl
use strict;
use warnings;

# open file (stop with the OS error message if it cannot be read)
open (my $fh, '<', './mytest.log') or die "Cannot open ./mytest.log: $!";

# loop through lines
while (<$fh>)
{
   if (/(.*)(: moved to )(.*)/)
    {
      # store "source" and "destination" in 2 new variables
      my $t3 = $3;
      my $t1 = $1;
      # in source line, remove the ' character at beginning of line
      $t3 =~ s/^'//;
      # again, remove the ' character at the end
      $t3 =~ s/'$//;
      # concatenate source and destination, separated by a tab
      my $stringa = $t3."\t".$t1;
      # replace all spaces " " with "\ "
      $stringa =~ s/ /\\ /g;
      # replace all ' with \'
      $stringa =~ s/'/\\'/g;
      # replace all ( with \(
      $stringa =~ s/\(/\\\(/g;
      # replace all ) with \)
      $stringa =~ s/\)/\\\)/g;
      # replace all & with \&
      $stringa =~ s/\&/\\\&/g;

      # print the resulting line with "cp -pu " at the beginning
      print 'cp -pu '.$stringa."\n";
      # call and execute the command
      # this line should be commented with # to check for errors
      # system('cp -pu '.$stringa);
    }
}
close ($fh);


Offline compsos

Re: Re Clam with massive false positives
« Reply #6 on: May 15, 2012, 12:14:56 AM »
Hi CTM
I used the same script but it kept failing on the cp command with "can not stat:" error. I notice you have "cp -pu" for the copy command. I tried "cp -fu" but it failed. Tried changing permissions etc but no luck. Did any of your clamav logs have a file path abbreviated with "/.../"?
We are actually up to 12 systems with one shifting 113,281 files.
« Last Edit: May 15, 2012, 12:17:59 AM by compsos »
Regards

Gordon............

Offline ctm

Re: Re Clam with massive false positives
« Reply #7 on: May 15, 2012, 01:27:26 AM »
I added the 'u' to the cp command as I had to run the script twice. The first time I had errors with '&' in file names, so added the extra line to change them to '/&'. The second time ran through perfectly, user permissions etc were all fine.

I've just checked the log file again, and it does have lots of entries with /../. Actually because that client is an outpost of a Korean multinational, most of the file names and paths are full of strange characters (the console not able to display Korean!). All went back into their correct places though.

When I ran the script on the second machine (which was English), the script ran without errors.

I can only suggest that there are other 'characters' that need delimiting like the '&' I found. Once you find what the offending character is just add an extra line to change it to '\&\ etc.

I'm running the script on the other two known machines later today (being morning now in Sydney).

Let us know how you get on, 113,000 files should turn up a few more issues. Good luck.

Craig
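Editor's note: the escaping problems discussed in Reply #2 and Reply #7 (spaces, quotes, parentheses, '&', and non-ASCII names) all come from handing the file names to a shell. The following is an added example, not a script from this thread or from the SME Server project: it parses the same "moved to" log lines the Perl scripts above look for, and restores the files with Python's file API so no shell escaping is needed at all. It assumes the clamscan/clamd line layout "<original>: moved to '<quarantine>'" with an optional "<timestamp> -> " prefix, treats paths the log abbreviated with "/.../" as unrecoverable (as reported in Reply #6), and builds its own throwaway files and log lines for the demonstration.

```python
import os
import re
import shutil
import tempfile

# One quarantine line: original path, ": moved to ", quarantine path in single
# quotes. The optional leading "<timestamp> -> " is clamd.log style.
# Assumption: the original path itself never contains " -> ".
MOVED_RE = re.compile(r"^(?:.*? -> )?(?P<orig>.*): moved to '(?P<quar>.*)'$")


def load_log(path):
    """Read the log so that non-UTF-8 bytes in file names survive the round trip
    (surrogateescape lets os.* functions recreate the exact original bytes)."""
    with open(path, encoding="utf-8", errors="surrogateescape") as f:
        return f.readlines()


def parse_moved_lines(lines):
    """Return (quarantine_path, original_path) pairs for every 'moved to' line."""
    pairs = []
    for line in lines:
        m = MOVED_RE.match(line.rstrip("\r\n"))
        if m:
            pairs.append((m.group("quar"), m.group("orig")))
    return pairs


def restore(pairs, dry_run=True):
    """Copy quarantined files back to their original locations.

    No shell is involved, so '&', spaces, quotes and parentheses need no
    escaping. Returns (done, skipped); each skipped entry carries a reason.
    With dry_run=True nothing is written, only the plan is returned.
    """
    done, skipped = [], []
    for quar, orig in pairs:
        if "/.../" in orig:
            skipped.append((quar, orig, "path abbreviated in log"))
            continue
        if not os.path.isfile(quar):
            skipped.append((quar, orig, "quarantine copy missing"))
            continue
        if os.path.exists(orig):
            skipped.append((quar, orig, "destination already exists"))
            continue
        if not dry_run:
            os.makedirs(os.path.dirname(orig), exist_ok=True)
            shutil.copy2(quar, orig)  # like cp -p: keeps mode and timestamps
        done.append((quar, orig))
    return done, skipped


def demo():
    """Constructed fixture: a fake user home, a fake quarantine directory and
    log lines in the format above. Returns (done, skipped, restored_contents)."""
    base = tempfile.mkdtemp()
    home = os.path.join(base, "home", "e-smith", "files", "users", "bob", "home")
    quar = os.path.join(base, "var", "spool", "clamav")
    os.makedirs(home)
    os.makedirs(quar)
    names = ["a & b (1).doc", "it's here.txt", "plain.txt"]
    for n in names:  # the quarantine copies are what is left after the move
        with open(os.path.join(quar, n), "w") as f:
            f.write("content of " + n)
    log = [
        "Sat May 12 03:10:05 2012 -> %s: moved to '%s'"
        % (os.path.join(home, names[0]), os.path.join(quar, names[0])),
        "%s: moved to '%s'" % (os.path.join(home, names[1]), os.path.join(quar, names[1])),
        "%s: moved to '%s'"
        % (os.path.join(home, "sub", "plain.txt"), os.path.join(quar, "plain.txt")),
        # abbreviated path, as seen in the thread: cannot be restored safely
        "%s/.../deep/trunc.txt: moved to '%s'" % (home, os.path.join(quar, "trunc.txt")),
        "%s: BC.Exploit.CVE_2012_1847 FOUND" % os.path.join(home, names[0]),
    ]
    pairs = parse_moved_lines(log)
    done, skipped = restore(pairs, dry_run=False)
    contents = {}
    for _, orig in done:
        with open(orig) as f:
            contents[os.path.relpath(orig, home)] = f.read()
    shutil.rmtree(base)
    return done, skipped, contents


if __name__ == "__main__":
    finished, left, _ = demo()
    print("restored %d, skipped %d" % (len(finished), len(left)))
    for q, o, why in left:
        print("skipped %s -> %s: %s" % (q, o, why))
```

Because the restore copies instead of moving, a second run finds the destination present and skips it, which is the same "run it twice safely" behaviour the -u flag gave in Reply #7; review the skipped list for "path abbreviated in log" entries, since those need the full path recovered from the quarantine file name by hand.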




Offline compsos

Re: Re Clam with massive false positives
« Reply #8 on: May 15, 2012, 01:31:43 AM »
Hi Craig
I have started a bug report http://bugs.contribs.org/show_bug.cgi?id=6929 so that maybe in the future there are easier ways to recover. Please take a look as you may have something to add to the discussion. Thanks.
Regards

Gordon............