Clamav antivirus false positive?

NethServer Version: NethServer release 7.6.1810 (final)

Hi everyone, using the scheduled clamav scan, from today the system has detected several files infected with Win.Exploit.CVE_2019_0903-6966169-0 FOUND in .pdf files and even in a system font file: rsfs10.ttf: Win.Exploit.CVE_2019_0903-6966169-0 FOUND
False positive?
Thank you

Installed Packages
Name : nethserver-clamscan
Arch : noarch
Version : 0.1.2
Release : 3.ns7.sdl
Size : 69 k
Repo : installed
From repo : stephdl

ClamAV update process started at Sun May 26 19:40:50 2019

main.cvd is up to date (version: 58, sigs: 4566249, f-level: 60, builder: sigmgr)

daily.cvd is up to date (version: 25461, sigs: 1581583, f-level: 63, builder: raynman)

bytecode.cvd is up to date (version: 328, sigs: 94, f-level: 63, builder: neo)

Check the files with some other antivirus (VirusTotal…), but it appears to be a false positive.

Thanks anyway, I had read one of the posts you listed for me. I believe that this is a false positive.

Hi france,

I had the same error today. Clam found 100s files with: Win.Exploit.CVE_2019_0903-6966169-0 mainly in .ttf, .pdf, .png, …/Sent/…, .eot. Most of them in .pdf.

In WordPress, Link Checker was complaining and reported a few links not working. I checked around and the files were not in the folder they used to be in.

In Thunderbird, I added a new account, root@myFQDN, and in the last 2 reports from Clam, both from 03h47:

  1. Subject: Clam Antivirus Scan Results - Sun May 26 01:50:01 2019
    Lots of viruses and files moved to quarantine.

  2. Subject: /sbin/e-smith/nethserver-clamscan
    sh : ligne 1 : 416 Erreur de segmentation nice /usr/bin/clamscan --recursive --infected --stdout --max-files=10000 --max-filesize=45M --max-scansize=45M --max-recursion=16 --max-dir-recursion=15 --exclude-dir=^/boot --exclude-dir=^/proc --exclude-dir=^/sys --exclude-dir=^/usr/share/doc --exclude-dir=^/var/spool/clamav/quarantine --move=/var/spool/clamav/quarantine --official-db-only=yes --bytecode=yes --bytecode-timeout=120000 --scan-html=yes --max-htmlnormalize=45M --max-htmlnotags=45M --max-scriptnormalize=45M --scan-mail=yes --scan-archive=yes --scan-pdf=yes --scan-ole2=yes --scan-elf=yes --scan-pe=yes --max-embeddedpe=45M --max-iconspe=100 --scan-swf=yes --scan-xmldocs=yes --scan-hwp3=yes --max-rechwp3=16 / 2> /var/log/clamav/clamscan-errors.log

In the NS web interface, the files were all in quarantine and I released all of them.

WordPress Link Checker stopped complaining.

Those PDF files are old and were transferred from SME-9.2 to NS-7.6.1810. In years, Clam never complained before.

What am I missing here?

Any help appreciated,

Michel-André

Nethserver 7.6.1810
We are seeing the same issue. Emails with attachments are being blocked, ones without are OK. Whitelisted addresses are not affected.
clamd[6379]: instream(local): Win.Exploit.CVE_2019_0903-6966169-0 FOUND
5.7.1 clamav: virus found: “Win.Exploit.CVE_2019_0903-6966169-0”;

Trying this workaround https://www.clamav.net/documents/how-do-i-ignore-whitelist-a-clamav-signature.
Arch Linux is having the same issue.

Hi Gordon.

According to:
https://forum.directadmin.com/showthread.php?t=57936 at the bottom of the page and
https://www.clamav.net/documents/how-do-i-ignore-whitelist-a-clamav-signature

I deactivated Clam in the web interface.

touch /var/lib/clamav/whitelist.ign2

Edit /var/lib/clamav/whitelist.ign2 and add

 Win.Exploit.CVE_2019_0903-6966169-0

I activated Clam in the web interface.

Hoping it won't sabotage something…

Michel-André


Hi again Gordon,

In the web interface, I checked Clam to see when the last update was:

 Last update
     1969-12-31 19:100:

This looks like 04:900 before the Big Bang for Linux (1970-01-01 00:00).
So I manually updated at the console with:

 freshclam 

Web interface:

 Last update
     2019-05-26 21:50

Right time.

Then I checked /var/lib/clamav/whitelist.ign2
No longer there!!!
Disappeared or included in a .conf somewhere?

Time to take a break and think about something else for a while,

Michel-André

@michelandre
No, our edit of the file remains. The process is described here: https://www.clamav.net/documents/how-do-i-ignore-whitelist-a-clamav-signature.
It is working for us.

Hi, same here, the situation is very similar to yours.
It also happened to me on very old files (.pdf) transferred over time and from other computers.
However, I have tried the change and it seems to work.
I noticed that the file is ignored when running only clamscan from the shell. Activating it from the web GUI, it continues to detect the virus.
We are waiting for a new database to try again.

Known viruses: 6307256
Engine version: 0.101.2
Scanned directories: 2
Scanned files: 15
Infected files: 0
Scanned date: 17.86 MB
Data read: 16.23 MB (ratio 1.10: 1)
Time: 60.168 sec (1 m 0 s)

@dev_team Is it a bug?

With the GUI you can enable a lot of settings that could produce some false positives; the same settings must be used to compare.

Yes, it’s a bug in a clamav signature. We must wait for the upstream fix :slight_smile:


Sure. Fortunately, the offending files have not been moved to quarantine but only detected, by my choice of option. For me it’s just due to the definitions. Different users of different distros have the same problem. Thanks Stèphane :pray:

Same problem here:

sh: line 1: 2014 Segmentation fault nice /usr/bin/clamscan --recursive --infected --stdout --max-files=10000 --max-filesize=45M --max-scansize=45M --max-recursion=16 --max-dir-recursion=15 --exclude-dir=^/boot --exclude-dir=^/proc --exclude-dir=^/sys --exclude-dir=^/usr/share/doc --exclude-dir=^/var/spool/clamav/quarantine --exclude-dir=^/var/squidguard/blacklists --exclude-dir=^/var/lib/urbackup --exclude-dir=^/etc/suricata/rules/ --exclude-dir=^/tmp/emerging.rules.tar.gz --exclude-dir=^/var/spool/clamav/quarantine --bytecode=yes --bytecode-timeout=120000 --scan-html=yes --max-htmlnormalize=45M --max-htmlnotags=45M --max-scriptnormalize=45M --scan-mail=yes --scan-archive=yes --scan-pdf=yes --scan-ole2=yes --scan-elf=yes --scan-pe=yes --max-embeddedpe=45M --max-iconspe=100 --scan-swf=yes --scan-xmldocs=yes --scan-hwp3=yes --max-rechwp3=16 --phishing-sigs=yes --phishing-scan-urls=yes / 2> /var/log/clamav/clamscan-errors.log

Let’s wait and see…

Can you please show your entry in “whitelist.ign2”?
If I enter Win.Exploit.CVE_2019_0903-6966169-0 I get this error: Scanned Folder: /ERROR: Malformed database. So how do I format this entry correctly?

Thanks.

Edit: Please ignore this. I pressed Enter at the end of the line, so a new empty line was created. :blush:

Hello, unfortunately the server is down now. However, if I remember correctly, /var/lib/clamav/whitelist.ign2 is the same as yours. As previously written, the shell scan with clamscan does not report virus presence, but activating clamav on the email filter on my server continues to give false detections.


@france
Just 1 line with
Win.Exploit.CVE_2019_0903-6966169-0
Most are holding, but I suspect we still have 1 server with the issue and the whitelist file.
grep -i exploit /var/log/maillog will show if it is blocking email

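The whitelist entry and the maillog grep described in the posts above, as an added example that is not NethServer's or ClamAV's own code: a small Python helper that validates and renders a whitelist.ign2 without the stray empty line that produced the "Malformed database" error, and counts per-signature detections in constructed maillog lines of the two shapes quoted in this thread. The hostname, pids and file paths in the sample lines are invented; the one-name-per-line rule for .ign2 is taken from the thread.

```python
import re
from collections import Counter

SIG = "Win.Exploit.CVE_2019_0903-6966169-0"  # signature quoted in this thread

def validate_ign2(text):
    """Problems in .ign2 content; empty list means well formed (assumed format:
    one signature name per line and nothing else; the extra empty line from
    the thread is what produced 'Malformed database')."""
    lines = text.split("\n")
    if lines and lines[-1] == "":  # a single terminating newline is fine
        lines.pop()
    problems = []
    for n, line in enumerate(lines, 1):
        if line == "":
            problems.append(f"line {n}: empty line")
        elif line != line.strip():
            problems.append(f"line {n}: leading/trailing whitespace")
        elif " " in line or "\t" in line:
            problems.append(f"line {n}: whitespace inside the name")
    return problems

def render_ign2(signatures):
    """Clean .ign2 content: stripped, de-duplicated, one name per line."""
    names = []
    for s in signatures:
        s = s.strip()
        if s and s not in names:
            names.append(s)
    return "".join(s + "\n" for s in names)

# Constructed sample lines (host, pids and paths invented) in the two shapes
# quoted in this thread: clamd "FOUND" lines and the 5.7.1 "virus found" reject.
SAMPLE_MAILLOG = [
    "May 26 19:41:02 ns7 clamd[6379]: instream(local): " + SIG + " FOUND",
    'May 26 19:41:02 ns7 rspamd[1234]: 5.7.1 clamav: virus found: "' + SIG + '"',
    "May 26 19:42:10 ns7 clamd[6379]: instream(local): OK",
    "May 26 19:43:00 ns7 clamd[6379]: /srv/fonts/rsfs10.ttf: " + SIG + " FOUND",
]
FOUND_RE = re.compile(r": (\S+) FOUND$")
REJECT_RE = re.compile('virus found: ["\u201c]([^"\u201d]+)["\u201d]')  # straight or curly quotes

def count_detections(lines):
    """Per-signature counts, what 'grep -i exploit /var/log/maillog' surfaces."""
    counts = Counter()
    for line in lines:
        m = FOUND_RE.search(line) or REJECT_RE.search(line)
        if m:
            counts[m.group(1)] += 1
    return dict(counts)
```

Write the output of render_ign2 to /var/lib/clamav/whitelist.ign2 only after validate_ign2 returns an empty list.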

Clamav signatures have been fixed, nobody should have problems now.


I can confirm it. Everything is well again!
