OK, so tracking this one down took longer than I like to admit! The issue seems to have crept in with commits 3e42216cc and 28afc94c3 back in April/May 2017.
Attached are patches for devel/HEAD as well as the stable 0.101.2.

Tests show that the issue is fixed and doesn't appear to introduce any false negatives.....however, it does produce a duplicate output line - one listing the infection found, and the second line (honouring the FP file) saying "OK". The "infected files" count is correct - see output below.

Does anyone know how to fix that duplicate output?

Cheers
Mark

virus-2009-04-13-id0007662101.zip: Osx.Worm.Leap-2 FOUND
virus-2009-04-13-id0007662101.zip: OK

----------- SCAN SUMMARY -----------
Known viruses: 6168730
Engine version: 0.101.2
Scanned directories: 0
Scanned files: 1
Infected files: 0
Data scanned: 0.02 MB
Data read: 0.00 MB (ratio 0.00:1)
Time: 33.865 sec (0 m 33 s)
fix_devel_head.patch
Description: Binary data
fix_101_2.patch
Description: Binary data
> On 12 Jul 2019, at 11:07 pm, Mark Allan <markjal...@gmail.com> wrote:
>
> Hi,
>
> I think there's a bug with ClamAV not honouring the contents of a .fp file
> within the database directory.
>
> I've tested 0.101.2 as well as previous versions of ClamAV going back to
> 0.99.4 and the issue seems to have appeared as of 0.100.0 onwards.
>
> To re-create the issue:
>
> Find a zip file which you know reports an infection when scanned.
> Use sigtool --md5 to generate an FP sig of the zip file and save it in a
> <filename>.fp file in the database directory.
> Use clamscan to scan the file and see that it still reports the file as being
> infected.
>
>
> The output from clamscan --debug shows the .fp file is being loaded, but it
> just doesn't seem to be being honoured for some reason.
>
> I see the same thing when I build ClamAV on macOS as well as when using the
> apt-get distribution on Ubuntu 18.04
>
> Lastly, it only appears to be an issue with archive filetypes eg .zip, .dmg
> etc. Simple files are excluded as expected - similarly, if you generate an FP
> sig of a simple file and put that file within an archive, it correctly gets
> excluded.
>
> I'll clone the source from Git on Monday and have a dig through it myself to
> see if I can fix the bug, but thought I'd mention it here in case someone's
> already on it, or at least knows where I can start looking!
>
> Cheers
> Mark
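The thread distinguishes an FP signature made from the archive itself from one made from a file inside it. As an added example (not part of the original messages and not ClamAV code), this Python code builds `md5:size:name` lines in the layout `sigtool --md5` prints and reports which layer of a zip a given .fp text covers; the function names, the `!` separator in report keys and the sample archive are assumptions made for illustration.

```python
import hashlib
import io
import zipfile


def fp_entry(data: bytes, name: str) -> str:
    """Build one MD5 hash-signature line: md5:size:name."""
    return f"{hashlib.md5(data).hexdigest()}:{len(data)}:{name}"


def parse_fp(text: str) -> set:
    """Parse .fp text into a set of (md5, size) pairs, skipping malformed lines."""
    entries = set()
    for line in text.splitlines():
        parts = line.strip().split(":", 2)  # the name field may itself contain ':'
        if len(parts) == 3 and len(parts[0]) == 32 and parts[1].isdigit():
            entries.add((parts[0].lower(), int(parts[1])))
    return entries


def is_allowlisted(data: bytes, entries: set) -> bool:
    """True when both the MD5 and the byte length match an entry."""
    return (hashlib.md5(data).hexdigest(), len(data)) in entries


def coverage(zip_bytes: bytes, zip_name: str, fp_text: str) -> dict:
    """Map the container and each member to whether the .fp text matches it."""
    entries = parse_fp(fp_text)
    report = {zip_name: is_allowlisted(zip_bytes, entries)}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if not info.is_dir():
                key = f"{zip_name}!{info.filename}"  # hypothetical key layout
                report[key] = is_allowlisted(zf.read(info), entries)
    return report


def build_sample_zip() -> bytes:
    """Constructed sample archive with one harmless member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("payload.bin", b"constructed sample content\n")
    return buf.getvalue()


if __name__ == "__main__":
    z = build_sample_zip()
    print(coverage(z, "sample.zip", fp_entry(z, "sample.zip")))
```

Running `coverage` against the real database directory's .fp contents shows whether an entry was generated from the container or from a member, which is the distinction the bug report turns on.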