Mark,

It looks like this commit, which according to the GitHub tags was
introduced in ClamAV 0.101-beta, made it so that .ign2 rules could no
longer have '.{}' on the end.

https://github.com/Cisco-Talos/clamav-devel/commit/b2f59861ee1a53c113fd37fe9378f739cc012042

It also has implications for ignoring alerts from bytecode signatures that
have VirusNames that aren't empty... I'll open a ticket for this.

Thanks!

-Andrew

On Mon, Mar 8, 2021 at 6:00 PM Mark Allan <markjal...@gmail.com> wrote:

> Hi Andrew,
>
> Thanks for letting me know it's been dropped now. I was creating the ign2
> file almost identically, except for using double >> instead of single as I
> already have dozens of lines in there.
>
> I see you have it without the .{} suffix. I tried both with it and without,
> and it wasn't working, i.e.
>         echo "BC.Img.Exploit.CVE_2018_4891-6453673-2" >> ignored.ign2
>         echo "BC.Img.Exploit.CVE_2018_4891-6453673-2.{}" >> ignored.ign2
>
> Are you saying the .{} is no longer required to ignore bytecode signatures?
>
> Thanks again
> Mark
>
> > On 8 Mar 2021, at 5:44 pm, Andrew Williams <awill...@sourcefire.com> wrote:
> >
> > Thanks for reporting this Mark.  The signature has been dropped and a new
> > bytecode.cvd released.
> >
> > I was able to have the bytecode signature be ignored by creating the .ign2
> > file as follows and then moving it into the ClamAV signature directory:
> > `echo "BC.Img.Exploit.CVE_2018_4891-6453673-2" > test.ign2`.  Can you
> > elaborate on how you are creating the .ign2 file?
> >
> > Thanks again,
> >
> > -Andrew
> >
> > On Thu, Mar 4, 2021 at 11:16 AM Mark Allan <markjal...@gmail.com> wrote:
> >
> >> Looks like we have another one!
> >>        BC.Img.Exploit.CVE_2018_4891-6453673-2
> >>
> >> This is generating loads of FPs as well.
> >>
> >> Curiously (and sorry for listing two issues in one email) adding a
> >> bytecode signature name (with the .{} suffix) to an ign2 file appears to
> >> have no effect. Any thoughts why this might be?
> >>
> >> Best regards,
> >> Mark
> >>
> >>> On 16 Feb 2021, at 3:06 am, Micah Snyder (micasnyd) <micas...@cisco.com> wrote:
> >>>
> >>> It looks like BC.Img.Exploit.CVE_2017_11255-6335669-1 suffered the same
> >>> lack of proper FP testing as the other TIFF signature, likely for the same
> >>> reasons.  After some time reviewing it, I agree that
> >>> BC.Img.Exploit.CVE_2017_11255-6335669-1 should be dropped.  This bytecode
> >>> signature has a relatively high probability to FP on TIFF files that don't
> >>> include a ColorMap in the IFD header(s), which is also fairly common.
> >>> Reworking the signature is probably not worth the effort considering
> >>> the CVE is from 2017.
> >>>
> >>> It should be dropped in the update tomorrow morning.
> >>>
> >>> Thanks for reaching out Mark.
> >>>
> >>> Regards,
> >>> Micah
> >>>
> >>>> -----Original Message-----
> >>>> From: clamav-devel <clamav-devel-boun...@lists.clamav.net> On Behalf Of
> >>>> Micah Snyder (micasnyd)
> >>>> Sent: Monday, February 15, 2021 11:36 AM
> >>>> To: ClamAV Development <clamav-devel@lists.clamav.net>
> >>>> Subject: Re: [Clamav-devel] Issue with FP only on 0.103.1
> >>>>
> >>>> Oh, sorry I misread your email.  Needed more coffee.  You were asking about
> >>>> a different signature: BC.Img.Exploit.CVE_2017_11255-6335669-1
> >>>> Will investigate.
> >>>>
> >>>> -Micah
> >>>>
> >>>>> -----Original Message-----
> >>>>> From: clamav-devel <clamav-devel-boun...@lists.clamav.net> On Behalf
> >>>>> Of Micah Snyder (micasnyd)
> >>>>> Sent: Monday, February 15, 2021 10:28 AM
> >>>>> To: ClamAV Development <clamav-devel@lists.clamav.net>
> >>>>> Subject: Re: [Clamav-devel] Issue with FP only on 0.103.1
> >>>>>
> >>>>> Hi Mark,
> >>>>>
> >>>>> TL;DR:  The type detection mismatch is fixed in the current daily + 0.103.1.
> >>>>> The issue was with the signature.  We didn't know about it because of
> >>>>> the mismatch.  You should've found that the offending signature was
> >>>>> dropped on Saturday morning.
> >>>>>
> >>>>> Details:
> >>>>>
> >>>>> 0.103.1 introduced CL_TYPE_TIFF and changed TIFF file type recognition
> >>>>> from:
> >>>>> 0:0:49492a00:TIFF Little Endian:CL_TYPE_ANY:CL_TYPE_GRAPHICS
> >>>>> 0:0:4d4d:TIFF Big Endian:CL_TYPE_ANY:CL_TYPE_GRAPHICS
> >>>>> to:
> >>>>> 0:0:49492a00:TIFF Little Endian:CL_TYPE_ANY:CL_TYPE_TIFF
> >>>>> 0:0:4d4d:TIFF Big Endian:CL_TYPE_ANY:CL_TYPE_TIFF
> >>>>>
> >>>>> When FTM signatures are loaded from daily.cvd, it overrides the
> >>>>> built-in FTM signatures.  So it turns out that daily's FTM file had
> >>>>> been missing the original CL_TYPE_GRAPHICS detection of TIFF files all
> >>>>> this time, which would've been required for Target:5 signatures to
> >>>>> alert on TIFF files.  As a result, the signature in question "worked"
> >>>>> in testing (with a single LDB file, using built-in FTM), but never
> >>>>> worked during FP testing or in production (with a daily CVD file).
> >>>>>
> >>>>> When we added this to daily.ftm to support 0.103.1:
> >>>>> 0:0:49492a00:TIFF Little Endian:CL_TYPE_ANY:CL_TYPE_TIFF:122
> >>>>> 0:0:4d4d:TIFF Big Endian:CL_TYPE_ANY:CL_TYPE_TIFF:122
> >>>>> ... all of a sudden a signature which was written for TIFF files
> >>>>> started alerting on TIFF files (as it should've) because the new
> >>>>> CL_TYPE_TIFF also alerts on Target:5 (graphics) types.  We never added
> >>>>> the CL_TYPE_GRAPHICS variant for 0.103.0 and prior, which is why it
> >>>>> appeared to be an issue with 0.103.1.
> >>>>> Perhaps we should?  I'll ask MRT about it.
> >>>>>
> >>>>> Anyways, this is basically a reminder that we need to make sure daily
> >>>>> FTM and libclamav's FTM are in sync.
> >>>>>
> >>>>> -Micah
> >>>>>
> >>>>>
> >>>>>> -----Original Message-----
> >>>>>> From: clamav-devel <clamav-devel-boun...@lists.clamav.net> On Behalf
> >>>>>> Of Mark Allan
> >>>>>> Sent: Saturday, February 13, 2021 3:35 PM
> >>>>>> To: ClamAV Development <clamav-devel@lists.clamav.net>
> >>>>>> Subject: Re: [Clamav-devel] Issue with FP only on 0.103.1
> >>>>>>
> >>>>>> Thanks. I've just found another one too
> >>>>>>
> >>>>>>   BC.Img.Exploit.CVE_2017_11255-6335669-1
> >>>>>>
> >>>>>> It's triggering on a file that's been part of macOS for many years.
> >>>>>> It's also a tiff file. I can submit this as well if necessary?
> >>>>>>
> >>>>>> Out of interest, is the type detection mismatch something that can
> >>>>>> be fixed in daily.cvd or can I patch libclamav/filetypes_int.h to
> >>>>>> revert it to what it was at 0.103.0?
> >>>>>>
> >>>>>> Mark
> >>>>>>
> >>>>>>> On 12 Feb 2021, at 5:23 am, Micah Snyder (micasnyd) <micas...@cisco.com> wrote:
> >>>>>>>
> >>>>>>> It appears to me to be an issue with the signature which is only
> >>>>>>> evident in 0.103.1 now that we're matching TIFFs with Target:5
> >>>>>>> signatures, like this one.
> >>>>>>>
> >>>>>>> There was apparently a mismatch for TIFF file type detection
> >>>>>>> between the file type magic signatures built-in to libclamav
> >>>>>>> (libclamav/filetypes_int.h) and the .ftm sigs shipped with daily.cvd
> >>>>>>> (which override the internal ones when loaded).
> >>>>>>>
> >>>>>>> I'll ask to have the signature dropped and re-evaluated.
> >>>>>>>
> >>>>>>> -Micah
> >>>>>>>
> >>>>>>>> -----Original Message-----
> >>>>>>>> From: clamav-devel <clamav-devel-boun...@lists.clamav.net> On
> >>>>>>>> Behalf Of Micah Snyder (micasnyd)
> >>>>>>>> Sent: Thursday, February 11, 2021 8:27 PM
> >>>>>>>> To: ClamAV Development <clamav-devel@lists.clamav.net>
> >>>>>>>> Subject: Re: [Clamav-devel] Issue with FP only on 0.103.1
> >>>>>>>>
> >>>>>>>> Thank you Mark! We'll take a look.
> >>>>>>>>
> >>>>>>>> -Micah
> >>>>>>>>
> >>>>>>>>> -----Original Message-----
> >>>>>>>>> From: clamav-devel <clamav-devel-boun...@lists.clamav.net> On Behalf
> >>>>>>>>> Of Mark Allan
> >>>>>>>>> Sent: Thursday, February 11, 2021 3:54 PM
> >>>>>>>>> To: ClamAV Development <clamav-devel@lists.clamav.net>
> >>>>>>>>> Subject: Re: [Clamav-devel] Issue with FP only on 0.103.1
> >>>>>>>>>
> >>>>>>>>> Hi Micah,
> >>>>>>>>>
> >>>>>>>>> Yes of course! I've just uploaded a zip file (Archive.zip) to
> >>>>>>>>> the FP page on clamav.net
> >>>>>>>>>        MD5 (Archive.zip) = 45229d954a884a1e03aba15b9f42168a
> >>>>>>>>>
> >>>>>>>>> Regards
> >>>>>>>>> Mark
> >>>>>>>>>
> >>>>>>>>>> On 11 Feb 2021, at 7:12 pm, Micah Snyder (micasnyd) <micas...@cisco.com> wrote:
> >>>>>>>>>>
> >>>>>>>>>> Hi Mark,
> >>>>>>>>>>
> >>>>>>>>>> Do you think you could share a sample or two with me to test?
> >>>>>>>>>> I'm really curious what changed and would like to debug each
> >>>>>>>>>> version with a sample or two.
> >>>>>>>>>>
> >>>>>>>>>> -Micah
> >>>>>>>>>>
> >>>>>>>>>>> -----Original Message-----
> >>>>>>>>>>> From: clamav-devel <clamav-devel-boun...@lists.clamav.net> On
> >>>>>>>>>>> Behalf Of Mark Allan
> >>>>>>>>>>> Sent: Monday, February 8, 2021 3:04 AM
> >>>>>>>>>>> To: ClamAV Development <clamav-devel@lists.clamav.net>
> >>>>>>>>>>> Subject: [Clamav-devel] Issue with FP only on 0.103.1
> >>>>>>>>>>>
> >>>>>>>>>>> Hi all,
> >>>>>>>>>>>
> >>>>>>>>>>> It looks like the additional image file type support in
> >>>>>>>>>>> 0.103.1 has introduced an issue with a particular signature
> >>>>>>>>>>> which has been in the database since 2018
> >>>>>>>>>>>
> >>>>>>>>>>>      Img.Exploit.CVE_2018_4904-6449838-0
> >>>>>>>>>>>
> >>>>>>>>>>> It's flagging up thousands of known-good files. As far as I
> >>>>>>>>>>> can tell, they're all TIFF files.
> >>>>>>>>>>>
> >>>>>>>>>>> I've added that signature to an ign2 file for now, but I'm
> >>>>>>>>>>> wondering if there's something else that's maybe amiss
> >>>>>>>>>>> somewhere either with the signature or the 0.103.1 update?
> >>>>>>>>>>>
> >>>>>>>>>>> Best regards,
> >>>>>>>>>>> Mark
> >>>>>>>>>>>
> >>>>>>>>>>> _______________________________________________
> >>>>>>>>>>>
> >>>>>>>>>>> clamav-devel mailing list
> >>>>>>>>>>> clamav-devel@lists.clamav.net
> >>>>>>>>>>> https://lists.clamav.net/mailman/listinfo/clamav-devel
> >>>>>>>>>>>
> >>>>>>>>>>> Please submit your patches to our Github:
> >>>>>>>>>>> https://github.com/Cisco-Talos/clamav-devel/pulls
> >>>>>>>>>>>
> >>>>>>>>>>> Help us build a comprehensive ClamAV guide:
> >>>>>>>>>>> https://github.com/vrtadmin/clamav-faq
> >>>>>>>>>>>
> >>>>>>>>>>> http://www.clamav.net/contact.html#ml
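As an added illustration of the FTM override and functionality-level behaviour Micah describes in the quoted thread (this is example code written for this page, not code from the thread or from the ClamAV project), the Python model below parses .ftm lines in the layout quoted above, applies the stated rule that a loaded daily.cvd FTM table replaces the engine's built-in one, and shows in which combinations a Target:5 (graphics) signature would ever see a TIFF file. The CL_TYPE_* names, the two TIFF lines and the ':122' minimum level are the thread's own; the TARGET5_TYPES set, the constructed GIF line in DAILY_OLD, the sample TIFF headers and the "pre-122" engine level of 121 are assumptions, and detect_type returns None where libclamav would fall back to a generic text/binary type.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence


@dataclass(frozen=True)
class FtmEntry:
    magic_type: int            # 0 = magic bytes at a fixed offset (the only kind modelled here)
    offset: int
    magic: bytes
    name: str
    required_type: str         # CL_TYPE_ANY means no precondition on the current type
    detected_type: str
    min_flevel: int = 0        # entry is active only when engine flevel >= min_flevel
    max_flevel: Optional[int] = None


def parse_ftm_line(line: str) -> Optional[FtmEntry]:
    """Parse 'MagicType:Offset:HexSig:Name:RequiredType:DetectedType[:MinFLevel[:MaxFLevel]]'.
    Blank lines and '#' comments yield None."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    f = line.split(":")
    if len(f) < 6:
        raise ValueError(f"malformed FTM line: {line!r}")
    min_fl = int(f[6]) if len(f) > 6 and f[6] else 0
    max_fl = int(f[7]) if len(f) > 7 and f[7] else None
    return FtmEntry(int(f[0]), int(f[1]), bytes.fromhex(f[2]), f[3], f[4], f[5], min_fl, max_fl)


def load_ftm(text: str) -> List[FtmEntry]:
    return [e for e in map(parse_ftm_line, text.splitlines()) if e is not None]


def detect_type(entries: Sequence[FtmEntry], data: bytes, flevel: int) -> Optional[str]:
    """First active entry whose magic matches wins; None means no entry matched
    (simplification: libclamav would fall back to a generic text/binary type)."""
    for e in entries:
        if e.magic_type != 0:
            continue
        if flevel < e.min_flevel or (e.max_flevel is not None and flevel > e.max_flevel):
            continue                       # entry not active at this engine level
        if data[e.offset:e.offset + len(e.magic)] == e.magic:
            return e.detected_type
    return None


# Built-in tables, as quoted in the thread for 0.103.0 and 0.103.1.
BUILTIN_0103_0 = load_ftm("""
0:0:49492a00:TIFF Little Endian:CL_TYPE_ANY:CL_TYPE_GRAPHICS
0:0:4d4d:TIFF Big Endian:CL_TYPE_ANY:CL_TYPE_GRAPHICS
""")
BUILTIN_0103_1 = load_ftm("""
0:0:49492a00:TIFF Little Endian:CL_TYPE_ANY:CL_TYPE_TIFF
0:0:4d4d:TIFF Big Endian:CL_TYPE_ANY:CL_TYPE_TIFF
""")
# Constructed stand-in for the old daily.ftm: some graphics entry, but no TIFF lines.
DAILY_OLD = load_ftm("""
0:0:474946383761:GIF87a (constructed entry):CL_TYPE_ANY:CL_TYPE_GRAPHICS
""")
# The lines the thread says were added to daily.ftm for 0.103.1.
DAILY_NEW = load_ftm("""
0:0:49492a00:TIFF Little Endian:CL_TYPE_ANY:CL_TYPE_TIFF:122
0:0:4d4d:TIFF Big Endian:CL_TYPE_ANY:CL_TYPE_TIFF:122
""")

# Assumption from the thread: Target:5 is graphics, and CL_TYPE_TIFF now counts too.
TARGET5_TYPES = {"CL_TYPE_GRAPHICS", "CL_TYPE_TIFF"}

FLEVEL_0103_1 = 122   # minimum level carried by the thread's new daily.ftm lines
FLEVEL_PRE = 121      # constructed: stands for any engine level below 122

# Constructed sample headers: little-endian "II*\0" and big-endian "MM\0*".
TIFF_LE = b"II*\x00\x08\x00\x00\x00"
TIFF_BE = b"MM\x00*\x00\x00\x00\x08"


def effective_ftm(builtin: Sequence[FtmEntry], daily: Optional[Sequence[FtmEntry]]) -> Sequence[FtmEntry]:
    """Per the thread: once daily.cvd's FTM signatures are loaded they override the built-in table."""
    return daily if daily is not None else builtin


def target5_applies(builtin, daily, data: bytes, flevel: int) -> bool:
    """Would a Target:5 signature be run against this file under this engine/database combination?"""
    return detect_type(effective_ftm(builtin, daily), data, flevel) in TARGET5_TYPES


def scenario_table() -> Dict[str, bool]:
    """The four situations the thread walks through, for a little-endian TIFF."""
    return {
        "0.103.0, single LDB test, built-in FTM": target5_applies(BUILTIN_0103_0, None, TIFF_LE, FLEVEL_PRE),
        "0.103.0, old daily.ftm (no TIFF lines)": target5_applies(BUILTIN_0103_0, DAILY_OLD, TIFF_LE, FLEVEL_PRE),
        "0.103.0, new daily.ftm (min flevel 122)": target5_applies(BUILTIN_0103_0, DAILY_NEW, TIFF_LE, FLEVEL_PRE),
        "0.103.1, new daily.ftm": target5_applies(BUILTIN_0103_1, DAILY_NEW, TIFF_LE, FLEVEL_0103_1),
    }


if __name__ == "__main__":
    for scenario, fires in scenario_table().items():
        print(f"{scenario:45s} Target:5 sees TIFF: {fires}")
```

The table reproduces the sequence in the thread: the signature matched in an isolated test with the built-in table, never matched once the old daily.ftm (with no TIFF entries) replaced that table, still did not match on a pre-122 engine even after the new lines were added because the ':122' minimum level keeps them inactive, and only started alerting on 0.103.1 with the new daily.ftm.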