Hi Andrew,

Thanks for letting me know it's been dropped now. I was creating the ign2 file almost identically, except for using double >> instead of single as I already have dozens of lines in there.

I see you have it without the .{} suffix. I tried both with it and without and it wasn't working, i.e.

echo "BC.Img.Exploit.CVE_2018_4891-6453673-2" >> ignored.ign2
echo "BC.Img.Exploit.CVE_2018_4891-6453673-2.{}" >> ignored.ign2

Are you saying the .{} is no longer required to ignore bytecode signatures?

Thanks again
Mark

> On 8 Mar 2021, at 5:44 pm, Andrew Williams <awill...@sourcefire.com> wrote:
>
> Thanks for reporting this Mark. The signature has been dropped and a new bytecode.cvd released.
>
> I was able to have the bytecode signature be ignored by creating the .ign2 file as follows and then moving it into the ClamAV signature directory: `echo "BC.Img.Exploit.CVE_2018_4891-6453673-2" > test.ign2`. Can you elaborate on how you are creating the .ign2 file?
>
> Thanks again,
>
> -Andrew
>
> On Thu, Mar 4, 2021 at 11:16 AM Mark Allan <markjal...@gmail.com> wrote:
>
>> Looks like we have another one!
>> BC.Img.Exploit.CVE_2018_4891-6453673-2
>>
>> This is generating loads of FPs as well.
>>
>> Curiously (and sorry for listing two issues in one email) adding a bytecode signature name (with the .{} suffix) to an ign2 file appears to have no effect. Any thoughts why this might be?
>>
>> Best regards,
>> Mark
>>
>>> On 16 Feb 2021, at 3:06 am, Micah Snyder (micasnyd) <micas...@cisco.com> wrote:
>>>
>>> It looks like BC.Img.Exploit.CVE_2017_11255-6335669-1 suffered the same lack of proper FP testing as the other TIFF signature, likely for the same reasons. After some time reviewing it, I agree that BC.Img.Exploit.CVE_2017_11255-6335669-1 should be dropped. This bytecode signature has a relatively high probability to FP on TIFF files that don't include a ColorMap in the IFD header(s), which is also fairly common. Reworking the signature is probably not worth the effort considering the CVE is from 2017.
>>>
>>> It should be dropped in the update tomorrow morning.
>>>
>>> Thanks for reaching out Mark.
>>>
>>> Regards,
>>> Micah
>>>
>>>> -----Original Message-----
>>>> From: clamav-devel <clamav-devel-boun...@lists.clamav.net> On Behalf Of Micah Snyder (micasnyd)
>>>> Sent: Monday, February 15, 2021 11:36 AM
>>>> To: ClamAV Development <clamav-devel@lists.clamav.net>
>>>> Subject: Re: [Clamav-devel] Issue with FP only on 0.103.1
>>>>
>>>> Oh, sorry I misread your email. Needed more coffee. You were asking about a different signature: BC.Img.Exploit.CVE_2017_11255-6335669-1
>>>> Will investigate.
>>>>
>>>> -Micah
>>>>
>>>>> -----Original Message-----
>>>>> From: clamav-devel <clamav-devel-boun...@lists.clamav.net> On Behalf Of Micah Snyder (micasnyd)
>>>>> Sent: Monday, February 15, 2021 10:28 AM
>>>>> To: ClamAV Development <clamav-devel@lists.clamav.net>
>>>>> Subject: Re: [Clamav-devel] Issue with FP only on 0.103.1
>>>>>
>>>>> Hi Mark,
>>>>>
>>>>> TL;DR: The type detection mismatch is fixed in the current daily + 0.103.1. The issue was with the signature. We didn't know about it because of the mismatch. You should've found that the offending signature was dropped on Saturday morning.
>>>>>
>>>>> Details:
>>>>>
>>>>> 0.103.1 introduced CL_TYPE_TIFF and changed TIFF file type recognition from:
>>>>> 0:0:49492a00:TIFF Little Endian:CL_TYPE_ANY:CL_TYPE_GRAPHICS
>>>>> 0:0:4d4d:TIFF Big Endian:CL_TYPE_ANY:CL_TYPE_GRAPHICS
>>>>> to:
>>>>> 0:0:49492a00:TIFF Little Endian:CL_TYPE_ANY:CL_TYPE_TIFF
>>>>> 0:0:4d4d:TIFF Big Endian:CL_TYPE_ANY:CL_TYPE_TIFF
>>>>>
>>>>> When FTM signatures are loaded from daily.cvd, it overrides the built-in FTM signatures. So it turns out that daily's FTM file had been missing the original CL_TYPE_GRAPHICS detection of TIFF files all this time, which would've been required for Target:5 signatures to alert on TIFF files. As a result, the signature in question "worked" in testing (with a single LDB file, using built-in FTM), but never worked during FP testing or in production (with a daily CVD file).
>>>>>
>>>>> When we added this to daily.ftm to support 0.103.1:
>>>>> 0:0:49492a00:TIFF Little Endian:CL_TYPE_ANY:CL_TYPE_TIFF:122
>>>>> 0:0:4d4d:TIFF Big Endian:CL_TYPE_ANY:CL_TYPE_TIFF:122
>>>>> ... all of a sudden a signature which was written for TIFF files started alerting on TIFF files (as it should've) because the new CL_TYPE_TIFF also alerts on Target:5 (graphics) types. We never added the CL_TYPE_GRAPHICS variant for 0.103.0 and prior, which is why it appeared to be an issue with 0.103.1.
>>>>> Perhaps we should? I'll ask MRT about it.
>>>>>
>>>>> Anyways, this is basically a reminder that we need to make sure daily FTM and libclamav's FTM are in sync.
>>>>>
>>>>> -Micah
>>>>>
>>>>>
>>>>>> -----Original Message-----
>>>>>> From: clamav-devel <clamav-devel-boun...@lists.clamav.net> On Behalf Of Mark Allan
>>>>>> Sent: Saturday, February 13, 2021 3:35 PM
>>>>>> To: ClamAV Development <clamav-devel@lists.clamav.net>
>>>>>> Subject: Re: [Clamav-devel] Issue with FP only on 0.103.1
>>>>>>
>>>>>> Thanks. I've just found another one too
>>>>>>
>>>>>> BC.Img.Exploit.CVE_2017_11255-6335669-1
>>>>>>
>>>>>> It's triggering on a file that's been part of macOS for many years. It's also a tiff file. I can submit this as well if necessary?
>>>>>>
>>>>>> Out of interest, is the type detection mismatch something that can be fixed in daily.cvd or can I patch libclamav/filetypes_int.h to revert it to what it was at 0.103.0?
>>>>>>
>>>>>> Mark
>>>>>>
>>>>>>> On 12 Feb 2021, at 5:23 am, Micah Snyder (micasnyd) <micas...@cisco.com> wrote:
>>>>>>>
>>>>>>> It appears to me to be an issue with the signature which is only evident in 0.103.1 now that we're matching TIFFs with Target:5 signatures, like this one.
>>>>>>>
>>>>>>> There was apparently a mismatch for TIFF file type detection between the file type magic signatures built-in to libclamav (libclamav/filetypes_int.h) and the .ftm sigs shipped with daily.cvd (which override the internal ones when loaded).
>>>>>>>
>>>>>>> I'll ask to have the signature dropped and re-evaluated.
>>>>>>>
>>>>>>> -Micah
>>>>>>>
>>>>>>>> -----Original Message-----
>>>>>>>> From: clamav-devel <clamav-devel-boun...@lists.clamav.net> On Behalf Of Micah Snyder (micasnyd)
>>>>>>>> Sent: Thursday, February 11, 2021 8:27 PM
>>>>>>>> To: ClamAV Development <clamav-devel@lists.clamav.net>
>>>>>>>> Subject: Re: [Clamav-devel] Issue with FP only on 0.103.1
>>>>>>>>
>>>>>>>> Thank you Mark! We'll take a look.
>>>>>>>>
>>>>>>>> -Micah
>>>>>>>>
>>>>>>>>> -----Original Message-----
>>>>>>>>> From: clamav-devel <clamav-devel-boun...@lists.clamav.net> On Behalf Of Mark Allan
>>>>>>>>> Sent: Thursday, February 11, 2021 3:54 PM
>>>>>>>>> To: ClamAV Development <clamav-devel@lists.clamav.net>
>>>>>>>>> Subject: Re: [Clamav-devel] Issue with FP only on 0.103.1
>>>>>>>>>
>>>>>>>>> Hi Micah,
>>>>>>>>>
>>>>>>>>> Yes of course! I've just uploaded a zip file (Archive.zip) to the FP page on clamav.net
>>>>>>>>> MD5 (Archive.zip) = 45229d954a884a1e03aba15b9f42168a
>>>>>>>>>
>>>>>>>>> Regards
>>>>>>>>> Mark
>>>>>>>>>
>>>>>>>>>> On 11 Feb 2021, at 7:12 pm, Micah Snyder (micasnyd) <micas...@cisco.com> wrote:
>>>>>>>>>>
>>>>>>>>>> Hi Mark,
>>>>>>>>>>
>>>>>>>>>> Do you think you could share a sample or two with me to test? I'm really curious what changed and would like to debug each version with a sample or two.
>>>>>>>>>>
>>>>>>>>>> -Micah
>>>>>>>>>>
>>>>>>>>>>> -----Original Message-----
>>>>>>>>>>> From: clamav-devel <clamav-devel-boun...@lists.clamav.net> On Behalf Of Mark Allan
>>>>>>>>>>> Sent: Monday, February 8, 2021 3:04 AM
>>>>>>>>>>> To: ClamAV Development <clamav-devel@lists.clamav.net>
>>>>>>>>>>> Subject: [Clamav-devel] Issue with FP only on 0.103.1
>>>>>>>>>>>
>>>>>>>>>>> Hi all,
>>>>>>>>>>>
>>>>>>>>>>> It looks like the additional image file type support in 0.103.1 has introduced an issue with a particular signature which has been in the database since 2018
>>>>>>>>>>>
>>>>>>>>>>> Img.Exploit.CVE_2018_4904-6449838-0
>>>>>>>>>>>
>>>>>>>>>>> It's flagging up thousands of known-good files. As far as I can tell, they're all TIFF files.
>>>>>>>>>>>
>>>>>>>>>>> I've added that signature to an ign2 file for now, but I'm wondering if there's something else that's maybe amiss somewhere either with the signature or the 0.103.1 update?
>>>>>>>>>>>
>>>>>>>>>>> Best regards,
>>>>>>>>>>> Mark

_______________________________________________

clamav-devel mailing list
clamav-devel@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-devel

Please submit your patches to our Github: https://github.com/Cisco-Talos/clamav-devel/pulls

Help us build a comprehensive ClamAV guide: https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
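A sync check of the kind Micah's reminder ("make sure daily FTM and libclamav's FTM are in sync") calls for, as an added example that is not part of the thread or of ClamAV itself: it parses .ftm lines in the layout the quoted entries use and reports built-in magics that daily.cvd either lacks or maps to a different detected type. The two "daily" sets are constructed from the TIFF lines quoted above, before and after the daily.ftm fix.

```python
"""Sync check between libclamav's built-in file type magic (FTM) signatures and
the .ftm entries in daily.cvd, which override them when loaded. Added example,
not ClamAV code; line layout magictype:offset:magic:name:rtype:type[:min_flevel]."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class FtmSig:
    magictype: int
    offset: str  # left as text; ClamAV also allows "*" and EOF-relative offsets
    magic: str   # hex bytes, lower-cased so case differences do not split keys
    name: str
    rtype: str   # required (parent) type, e.g. CL_TYPE_ANY
    dtype: str   # detected type, e.g. CL_TYPE_TIFF
    min_flevel: Optional[int] = None


def parse_ftm(text: str) -> Dict[tuple, FtmSig]:
    """Parse .ftm lines into a dict keyed by (magictype, offset, magic)."""
    sigs: Dict[tuple, FtmSig] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        f = line.split(":")
        if len(f) < 6:
            raise ValueError(f"malformed FTM line: {line!r}")
        sig = FtmSig(int(f[0]), f[1], f[2].lower(), f[3], f[4], f[5],
                     int(f[6]) if len(f) > 6 and f[6] else None)
        sigs[(sig.magictype, sig.offset, sig.magic)] = sig
    return sigs


def ftm_mismatches(builtin: str, daily: str) -> List[str]:
    """Built-in magics that daily either lacks or maps to another type."""
    b, d = parse_ftm(builtin), parse_ftm(daily)
    out = []
    for key, sig in b.items():
        other = d.get(key)
        if other is None:
            out.append(f"missing in daily: {sig.name} -> {sig.dtype}")
        elif other.dtype != sig.dtype:
            out.append(f"type differs for {sig.name}: built-in {sig.dtype}, daily {other.dtype}")
    return out


# Constructed samples taken from the lines quoted in the thread.
BUILTIN_0_103_1 = """0:0:49492a00:TIFF Little Endian:CL_TYPE_ANY:CL_TYPE_TIFF
0:0:4d4d:TIFF Big Endian:CL_TYPE_ANY:CL_TYPE_TIFF"""
DAILY_BEFORE_FIX = "# daily.ftm carried no TIFF entries at all"
DAILY_AFTER_FIX = """0:0:49492a00:TIFF Little Endian:CL_TYPE_ANY:CL_TYPE_TIFF:122
0:0:4d4d:TIFF Big Endian:CL_TYPE_ANY:CL_TYPE_TIFF:122"""
```

Running `ftm_mismatches(BUILTIN_0_103_1, DAILY_BEFORE_FIX)` reproduces the gap Micah describes (both TIFF magics missing from daily), while the post-fix set reports nothing.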