public inbox for gentoo-user@lists.gentoo.org
* [gentoo-user] Fwd: Unexpected behaviour
From: Konstantin @ 2016-04-04 14:49 UTC
  To: gentoo-user


Hello,

I've tried to find an answer on clamav-users but there is still no reply on
that mailing list.

I'm forwarding my message to this list and hope someone can help me
find what the problem is.

---------- Forwarded message ----------
From: Konstantin
Date: Thu, Mar 24, 2016 at 11:29 PM
Subject: Unexpected behaviour
To: clamav-users@lists.clamav.net


Hello

I have 2 Gentoo based SMTP servers. Both hosts have the same packages
installed with the same USE flags.
I'm using clamav-0.98.7 with amavisd. Output from clamconf is attached to
this message. Clamav settings and signature files are equal.

I have a custom signature
e350ca9b3b6ddbdabd3845a66f755f22122b8eb5ed79b9d19bd87e34e4aa5008:340992:Trojan.DNC4
for this doc file
https://malwr.com/analysis/ZTdiYjRiMDZlNzEyNDUwZmI3OTdiYjg4NTYxMDMyNmM/

Both hosts found malware in this file with the clamscan command. No
problem in this case.

Here is the problem I have.
When a message is scanned with clamd, only host1 detects the trojan with
the custom signature.
host1:
echo "CONTSCAN /tmp/feb_invoice_1426277.doc" | socat - "UNIX-CONNECT:/var/run/clamav/clamd.sock"
/tmp/feb_invoice_1426277.doc: Trojan_Generic.DNC4.UNOFFICIAL FOUND

host2 detects it as Heuristics.OLE2.ContainsMacros:
echo "CONTSCAN /tmp/feb_invoice_1426277.doc" | socat - "UNIX-CONNECT:/var/run/clamav/clamd.sock"
/tmp/feb_invoice_1426277.doc: Heuristics.OLE2.ContainsMacros FOUND

Another interesting thing is that host1 detected that trojan not by the
signature with size 340992 (the original doc file).
I suppose that a PE32 file inside that .doc file was detected with this
signature:
c3DNC406e57af90685a7002f7ea63340a1e7d3a1ed3805e7ec8b0909865b57bd6c:126976:Trojan_Generic.DNC4

Can you guys please explain how this happened and what the difference
between these 2 hosts could be?
I expect that if a signature is found then the Heuristics result does not appear.

Thank you.
--
This message was delivered using 100% recycled electrons.


-- 
This message was delivered using 100% recycled electrons.

Attachment: clamconf.txt

Checking configuration files in /etc

Config file: clamd.conf
-----------------------
LogFile = "/var/log/clamav/clamd.log"
StatsHostID disabled
StatsEnabled disabled
StatsPEDisabled disabled
StatsTimeout disabled
LogFileUnlock disabled
LogFileMaxSize = "10485760"
LogTime = "yes"
LogClean disabled
LogSyslog = "yes"
LogFacility = "LOG_LOCAL6"
LogVerbose disabled
LogRotate disabled
ExtendedDetectionInfo disabled
PidFile = "/var/run/clamav/clamd.pid"
TemporaryDirectory disabled
DatabaseDirectory = "/var/lib/clamav"
OfficialDatabaseOnly disabled
LocalSocket = "/var/run/clamav/clamd.sock"
LocalSocketGroup disabled
LocalSocketMode disabled
FixStaleSocket = "yes"
TCPSocket disabled
TCPAddr disabled
MaxConnectionQueueLength = "30"
StreamMaxLength = "26214400"
StreamMinPort = "1024"
StreamMaxPort = "2048"
MaxThreads = "50"
ReadTimeout = "300"
CommandReadTimeout = "5"
SendBufTimeout = "500"
MaxQueue = "100"
IdleTimeout = "30"
ExcludePath disabled
MaxDirectoryRecursion = "15"
FollowDirectorySymlinks disabled
FollowFileSymlinks disabled
CrossFilesystems = "yes"
SelfCheck = "600"
DisableCache disabled
VirusEvent disabled
ExitOnOOM disabled
AllowAllMatchScan = "yes"
Foreground disabled
Debug disabled
LeaveTemporaryFiles disabled
User = "clamav"
AllowSupplementaryGroups = "yes"
Bytecode = "yes"
BytecodeSecurity = "TrustSigned"
BytecodeTimeout = "5000"
BytecodeUnsigned disabled
BytecodeMode = "Auto"
DetectPUA = "yes"
ExcludePUA = "PWTool", "Spam"
IncludePUA disabled
AlgorithmicDetection = "yes"
ScanPE = "yes"
ScanELF = "yes"
DetectBrokenExecutables = "yes"
ScanMail = "yes"
ScanPartialMessages disabled
PhishingSignatures = "yes"
PhishingScanURLs = "yes"
PhishingAlwaysBlockCloak disabled
PhishingAlwaysBlockSSLMismatch disabled
PartitionIntersection disabled
HeuristicScanPrecedence = "yes"
StructuredDataDetection disabled
StructuredMinCreditCardCount = "3"
StructuredMinSSNCount = "3"
StructuredSSNFormatNormal = "yes"
StructuredSSNFormatStripped disabled
ScanHTML = "yes"
ScanOLE2 = "yes"
OLE2BlockMacros = "yes"
ScanPDF = "yes"
ScanSWF = "yes"
ScanArchive = "yes"
ArchiveBlockEncrypted disabled
ForceToDisk disabled
MaxScanSize = "104857600"
MaxFileSize = "52428800"
MaxRecursion = "16"
MaxFiles = "10000"
MaxEmbeddedPE = "10485760"
MaxHTMLNormalize = "10485760"
MaxHTMLNoTags = "2097152"
MaxScriptNormalize = "5242880"
MaxZipTypeRcg = "1048576"
MaxPartitions = "50"
MaxIconsPE = "100"
ScanOnAccess disabled
OnAccessIncludePath disabled
OnAccessExcludePath disabled
OnAccessExcludeUID disabled
OnAccessMaxFileSize = "5242880"
DevACOnly disabled
DevACDepth disabled
DevPerformance disabled
DevLiblog disabled
DisableCertCheck disabled

Config file: freshclam.conf
---------------------------
StatsHostID disabled
StatsEnabled disabled
StatsTimeout disabled
LogFileMaxSize = "1048576"
LogTime = "yes"
LogSyslog disabled
LogFacility = "LOG_LOCAL6"
LogVerbose disabled
LogRotate disabled
PidFile = "/var/run/clamav/freshclam.pid"
DatabaseDirectory = "/var/lib/clamav"
Foreground disabled
Debug disabled
AllowSupplementaryGroups = "yes"
UpdateLogFile = "/var/log/clamav/freshclam.log"
DatabaseOwner = "clamav"
Checks = "24"
DNSDatabaseInfo = "current.cvd.clamav.net"
DatabaseMirror = "database.clamav.net"
PrivateMirror disabled
MaxAttempts = "5"
ScriptedUpdates = "yes"
TestDatabases = "yes"
CompressLocalDatabase disabled
ExtraDatabase disabled
DatabaseCustomURL disabled
HTTPProxyServer disabled
HTTPProxyPort disabled
HTTPProxyUsername disabled
HTTPProxyPassword disabled
HTTPUserAgent disabled
NotifyClamd = "/etc/clamd.conf"
OnUpdateExecute disabled
OnErrorExecute disabled
OnOutdatedExecute disabled
LocalIPAddress disabled
ConnectTimeout = "60"
ReceiveTimeout = "60"
SubmitDetectionStats disabled
DetectionStatsCountry disabled
DetectionStatsHostID disabled
SafeBrowsing disabled
Bytecode = "yes"

clamav-milter.conf not found

Software settings
-----------------
Version: 0.98.7
Optional features supported: MEMPOOL AUTOIT_EA06 BZIP2 LIBXML2 ICONV RAR JIT

Database information
--------------------
Database directory: /var/lib/clamav
[3rd Party] javascript.ndb: 37216 sigs
daily.cld: version 21472, sigs: 83894, built on Thu Mar 24 14:24:50 2016
main.cvd: version 57, sigs: 4218790, built on Wed Mar 16 23:17:06 2016
bytecode.cvd: version 275, sigs: 45, built on Mon Mar 14 18:51:14 2016
[3rd Party] securiteinfo.hdb: 1804601 sigs
[3rd Party] securiteinfoascii.hdb: 89692 sigs
[3rd Party] securiteinfohtml.hdb: 49224 sigs
[3rd Party] custom-sigs.hdb: 1603 sigs
Total number of signatures: 6285065

Platform information
--------------------
uname: Linux 4.1.12-gentoo #1 SMP Fri Jan 8 14:56:47 UTC 2016 x86_64
OS: linux-gnu, ARCH: x86_64, CPU: x86_64
zlib version: 1.2.8 (1.2.8), compile flags: a9
Triple: x86_64-pc-linux-gnu
CPU: i686, Little-endian

Build information
-----------------
GNU C: 4.9.3 (4.9.3)
GNU C++: 4.9.3 (4.9.3)
CPPFLAGS: 
CFLAGS: -O2 -pipe -fno-strict-aliasing -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE
CXXFLAGS: -O2 -pipe
LDFLAGS: -Wl,-O1 -Wl,--as-needed
Configure: '--prefix=/usr' '--build=x86_64-pc-linux-gnu' '--host=x86_64-pc-linux-gnu' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--datadir=/usr/share' '--sysconfdir=/etc' '--localstatedir=/var/lib' '--disable-dependency-tracking' '--disable-silent-rules' '--libdir=/usr/lib64' '--disable-experimental' '--disable-fanotify' '--enable-id-check' '--with-dbdir=/var/lib/clamav' '--with-system-tommath' '--with-zlib=/usr' '--enable-bzip2' '--disable-clamdtop' '--disable-ipv6' '--disable-milter' '--disable-static' '--with-iconv' '--without-libjson' 'build_alias=x86_64-pc-linux-gnu' 'host_alias=x86_64-pc-linux-gnu' 'CFLAGS=-O2 -pipe' 'LDFLAGS=-Wl,-O1 -Wl,--as-needed'
sizeof(void*) = 8
Engine flevel: 80, dconf: 80
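
The custom signature quoted in the post is a .hdb hash entry of the form hash:size:name. What follows is an added example, not code from the thread or from ClamAV, of how such an entry is produced and how an exact-object hash match behaves: the container and an embedded object are hashed as separate objects, so a signature written for the embedded blob fires on the carved-out object even when no signature covers the whole document, which is the situation described for host1. The document bytes, the embedded blob and its offset are constructed stand-ins; real OLE2/PE extraction is not implemented here and the (offset, length) list only plays the part of what the engine would carve out.

```python
"""Build and match ClamAV-style .hdb hash signatures against whole and embedded objects."""
import hashlib
from typing import Dict, List, Optional, Tuple

# .hdb line format: <hash>:<size in bytes>:<name>. The hash may be MD5, SHA-1 or
# SHA-256 hex; SHA-1/SHA-256 entries need ClamAV >= 0.98, which the thread's hosts run.
HashKey = Tuple[str, int]
_ALGO_BY_HEX_LEN = {32: "md5", 40: "sha1", 64: "sha256"}


def hdb_line(data: bytes, name: str, algo: str = "sha256") -> str:
    return f"{hashlib.new(algo, data).hexdigest()}:{len(data)}:{name}"


def parse_hdb(text: str) -> Dict[HashKey, str]:
    sigs: Dict[HashKey, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, size, name = line.split(":", 2)
        sigs[(digest.lower(), int(size))] = name
    return sigs


def match_hdb(data: bytes, sigs: Dict[HashKey, str]) -> Optional[str]:
    # Exact-object match: the size is a cheap pre-filter, and only the hash
    # algorithms actually present among the size-matching entries are computed.
    size = len(data)
    digests = [d for d, s in sigs if s == size]
    for algo in {_ALGO_BY_HEX_LEN[len(d)] for d in digests}:
        name = sigs.get((hashlib.new(algo, data).hexdigest(), size))
        if name is not None:
            return name
    return None


# Constructed stand-ins: a "document" carrying an embedded blob at a known offset.
# Real OLE2/PE extraction is out of scope; EMBEDDED_OBJECTS plays the role of what
# the engine would carve out and scan as separate objects.
EMBEDDED_BLOB = b"MZ" + bytes(range(256)) * 4                   # 1026 bytes, pretend PE
DOCUMENT = b"\xd0\xcf\x11\xe0" + b"A" * 500 + EMBEDDED_BLOB + b"Z" * 300
EMBEDDED_OBJECTS = [(4 + 500, len(EMBEDDED_BLOB))]             # (offset, length)


def scan_with_embedded(container: bytes, embedded: List[Tuple[int, int]],
                       sigs: Dict[HashKey, str]) -> List[Tuple[str, Optional[str]]]:
    # Hash-match the container as one object, then each embedded object on its own.
    hits = [("container", match_hdb(container, sigs))]
    for i, (offset, length) in enumerate(embedded):
        hits.append((f"embedded[{i}]", match_hdb(container[offset:offset + length], sigs)))
    return hits


def demo() -> dict:
    # One database with a signature for the embedded blob only, and one with entries
    # for both the whole document and the blob (the thread's 340992- and 126976-byte entries).
    blob_only = parse_hdb(hdb_line(EMBEDDED_BLOB, "Trojan_Generic.DNC4"))
    both = parse_hdb("\n".join([
        hdb_line(DOCUMENT, "Trojan.DNC4"),
        hdb_line(EMBEDDED_BLOB, "Trojan_Generic.DNC4"),
    ]))
    repacked = DOCUMENT + b"\x00"  # a single appended byte changes size and hash
    return {
        "blob_only": scan_with_embedded(DOCUMENT, EMBEDDED_OBJECTS, blob_only),
        "both": scan_with_embedded(DOCUMENT, EMBEDDED_OBJECTS, both),
        "repacked": match_hdb(repacked, both),
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(label, result)
```

The "repacked" case is the caveat a hash signature carries: one changed byte in the container defeats the whole-file entry, while an entry for the embedded object keeps matching as long as the extractor carves out the identical bytes. The lines hdb_line() produces are what goes into a file like the custom-sigs.hdb listed in the clamconf output.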

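The CONTSCAN exchange shown in the post, as an added client that is not part of the thread or of ClamAV: it builds the z-prefixed command, reads until clamd closes the connection and parses the NUL-terminated FOUND/OK/ERROR lines. It also issues ALLMATCHSCAN, which the posted clamd.conf enables through AllowAllMatchScan = "yes" and which reports every match for a file instead of stopping at the first one; when two hosts disagree on the name they report, asking each of them for all matches is the quicker check than diffing toolchains. So that it runs offline, the block starts a fake clamd thread on a temporary Unix socket; its replies are constructed here and copy the shape of the host2 output, they are not real verdicts for that file.

```python
"""Talk to clamd over its Unix socket: CONTSCAN vs ALLMATCHSCAN, with a fake clamd for offline use."""
import os
import socket
import tempfile
import threading
from typing import Dict, List, Tuple

Hit = Tuple[str, str, str]  # (path, signature name, verdict)


def build_command(command: str, path: str) -> bytes:
    # clamd accepts "z<CMD>\0" or "n<CMD>\n"; with the "z" form every reply line is
    # NUL-terminated, which stays unambiguous for file names containing newlines.
    return b"z" + command.encode() + b" " + path.encode() + b"\0"


def parse_reply(raw: bytes) -> List[Hit]:
    # Reply lines: "<path>: <name> FOUND", "<path>: OK", "<path>: <reason> ERROR".
    # The first ": " is taken as the separator; a path that itself contains ": " is
    # ambiguous in this reply format, so scan one known path per command.
    hits: List[Hit] = []
    for line in raw.split(b"\0"):
        if not line:
            continue
        text = line.decode("utf-8", errors="replace")
        path, _, rest = text.partition(": ")
        parts = rest.rsplit(" ", 1)
        name, verdict = (parts[0], parts[1]) if len(parts) == 2 else ("", parts[0])
        hits.append((path, name, verdict))
    return hits


def scan(path: str, socket_path: str, all_matches: bool = False, timeout: float = 30.0) -> List[Hit]:
    # CONTSCAN reports the first match per file; ALLMATCHSCAN (clamd >= 0.98 with
    # AllowAllMatchScan = yes in clamd.conf) keeps scanning and reports every match.
    command = "ALLMATCHSCAN" if all_matches else "CONTSCAN"
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as sock:
        sock.settimeout(timeout)
        sock.connect(socket_path)
        sock.sendall(build_command(command, path))
        chunks = []
        while True:  # clamd closes the connection once a one-shot command is answered
            chunk = sock.recv(4096)
            if not chunk:
                break
            chunks.append(chunk)
    return parse_reply(b"".join(chunks))


# Constructed replies for the fake clamd below. They copy the shape of the host2 output
# quoted in the thread; they are not real verdicts for that file.
FAKE_REPLIES: Dict[bytes, bytes] = {
    b"CONTSCAN": b"/tmp/feb_invoice_1426277.doc: Heuristics.OLE2.ContainsMacros FOUND\0",
    b"ALLMATCHSCAN": (
        b"/tmp/feb_invoice_1426277.doc: Heuristics.OLE2.ContainsMacros FOUND\0"
        b"/tmp/feb_invoice_1426277.doc: Trojan_Generic.DNC4.UNOFFICIAL FOUND\0"
    ),
}


def run_fake_clamd(socket_path: str, ready: threading.Event, connections: int) -> None:
    # Stand-in for clamd: one z-command per connection, canned NUL-terminated replies.
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as srv:
        srv.bind(socket_path)
        srv.listen(1)
        ready.set()
        for _ in range(connections):
            conn, _ = srv.accept()
            with conn:
                request = b""
                while not request.endswith(b"\0"):
                    data = conn.recv(4096)
                    if not data:
                        break
                    request += data
                command = request[1:].split(b" ", 1)[0].rstrip(b"\0")  # drop "z" prefix
                conn.sendall(FAKE_REPLIES.get(command, b"UNKNOWN COMMAND\0"))


def demo() -> Dict[str, List[Hit]]:
    # Runs both commands against the fake clamd on a temporary Unix socket.
    target = "/tmp/feb_invoice_1426277.doc"
    with tempfile.TemporaryDirectory() as tmp:
        sock_path = os.path.join(tmp, "clamd.sock")
        ready = threading.Event()
        server = threading.Thread(target=run_fake_clamd, args=(sock_path, ready, 2), daemon=True)
        server.start()
        ready.wait(5)
        results = {
            "contscan": scan(target, sock_path),
            "allmatchscan": scan(target, sock_path, all_matches=True),
        }
        server.join(5)
    return results


if __name__ == "__main__":
    for command, hits in demo().items():
        print(command, hits)
```

On a real host, call scan() with socket_path="/var/run/clamav/clamd.sock", the LocalSocket from the posted clamd.conf. clamd opens the path itself as its own User (clamav here), so the file has to be readable by that account; the socat one-liner in the post does exactly what scan() does, minus the parsing.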

* Re: [gentoo-user] Fwd: Unexpected behaviour
From: Mick @ 2016-04-04 18:29 UTC
  To: gentoo-user


On Monday 04 Apr 2016 17:49:13 Konstantin wrote:
> Hello,
> 
> I've tried to find an answer on clamav-users but there is still no reply on
> that mailing list.
> 
> I'm forwarding my message to this list and hope someone can help me
> find what the problem is.
> 
> ---------- Forwarded message ----------
> From: Konstantin
> Date: Thu, Mar 24, 2016 at 11:29 PM
> Subject: Unexpected behaviour
> To: clamav-users@lists.clamav.net
> 
> 
> Hello
> 
> I have 2 Gentoo based SMTP servers. Both hosts have the same packages
> installed with the same USE flags.
> I'm using clamav-0.98.7 with amavisd. Output from clamconf is attached to
> this message. Clamav settings and signature files are equal.

When you say equal, do you mean the same versions and exactly the same signatures?


> I have a custom signature
> e350ca9b3b6ddbdabd3845a66f755f22122b8eb5ed79b9d19bd87e34e4aa5008:340992:Trojan.DNC4
> for this doc file
> https://malwr.com/analysis/ZTdiYjRiMDZlNzEyNDUwZmI3OTdiYjg4NTYxMDMyNmM/
> 
> Both hosts found malware in this file with the clamscan command. No
> problem in this case.
> 
> Here is the problem I have.
> When a message is scanned with clamd, only host1 detects the trojan with
> the custom signature.
> host1:
> echo "CONTSCAN /tmp/feb_invoice_1426277.doc" | socat - "UNIX-CONNECT:/var/run/clamav/clamd.sock"
> /tmp/feb_invoice_1426277.doc: Trojan_Generic.DNC4.UNOFFICIAL FOUND
> 
> host2 detects it as Heuristics.OLE2.ContainsMacros:
> echo "CONTSCAN /tmp/feb_invoice_1426277.doc" | socat - "UNIX-CONNECT:/var/run/clamav/clamd.sock"
> /tmp/feb_invoice_1426277.doc: Heuristics.OLE2.ContainsMacros FOUND
> 
> Another interesting thing is that host1 detected that trojan not by the
> signature with size 340992 (the original doc file).
> I suppose that a PE32 file inside that .doc file was detected with this
> signature:
> c3DNC406e57af90685a7002f7ea63340a1e7d3a1ed3805e7ec8b0909865b57bd6c:126976:Trojan_Generic.DNC4
> 
> Can you guys please explain how this happened and what the difference
> between these 2 hosts could be?

I am guessing that one of the hosts had its signatures updated with a more 
recent version than the other.

If they are identical then I'm out of ideas.

> I expect that if a signature is found then the Heuristics result does not appear.
> 
> Thank you.
> --
> This message was delivered using 100% recycled electrons.

-- 
Regards,
Mick


* Re: [gentoo-user] Fwd: Unexpected behaviour
From: R0b0t1 @ 2016-04-04 23:24 UTC
  To: gentoo-user


I would like to know what you mean by identical. Unfortunately all you can
do is keep comparing things - but even if you go as far as comparing the
tool chains (unsure if you mentioned binhost) in great detail you still
might not track everything down.

By all means keep looking, but be relieved they at least got detected as
*something.*


* Re: [gentoo-user] Fwd: Unexpected behaviour
From: Konstantin @ 2016-04-08 17:36 UTC
  To: gentoo-user


I'm using the same configs in /etc for all running applications. ClamAV
signature databases are the same.
I recompiled all of its dependencies but it has not helped yet.
On 05.04.2016 2:26, "R0b0t1" <r030t1@gmail.com> wrote:

> I would like to know what you mean by identical. Unfortunately all you can
> do is keep comparing things - but even if you go as far as comparing the
> tool chains (unsure if you mentioned binhost) in great detail you still
> might not track everything down.
>
> By all means keep looking, but be relieved they at least got detected as
> *something.*
>


* Re: [gentoo-user] Fwd: Unexpected behaviour
From: Konstantin @ 2016-04-12 12:30 UTC
  To: gentoo-user, clamav-users


I've applied the patch provided in Bug 11512
<https://bugzilla.clamav.net/attachment.cgi?id=7077&action=diff>
and it solved my problem 😀

On Fri, Apr 8, 2016 at 8:36 PM, Konstantin <myownletters@gmail.com> wrote:
> I'm using the same configs in /etc for all running applications. ClamAV
> signature databases are the same.
> I recompiled all of its dependencies but it has not helped yet.
>
> On 05.04.2016 2:26, "R0b0t1" <r030t1@gmail.com> wrote:
>>
>> I would like to know what you mean by identical. Unfortunately all you
>> can do is keep comparing things - but even if you go as far as comparing the
>> tool chains (unsure if you mentioned binhost) in great detail you still
>> might not track everything down.
>>
>> By all means keep looking, but be relieved they at least got detected as
>> *something.*



-- 
This message was delivered using 100% recycled electrons.
