Re: [Clamav-devel] Issue with FP only on 0.103.1
It appears to me to be an issue with the signature which is only evident in 0.103.1 now that we're matching TIFFs with Target:5 signatures, like this one. There was apparently a mismatch for TIFF file type detection between the file type magic signatures built-in to libclamav (libclamav/filetypes_int.h) and the .ftm sigs shipped with daily.cvd (which override the internal ones when loaded).

I'll ask to have the signature dropped and re-evaluated.

-Micah

> -----Original Message-----
> From: clamav-devel On Behalf Of Micah Snyder (micasnyd)
> Sent: Thursday, February 11, 2021 8:27 PM
> To: ClamAV Development
> Subject: Re: [Clamav-devel] Issue with FP only on 0.103.1
>
> Thank you Mark! We'll take a look.
>
> -Micah
>
> > -----Original Message-----
> > From: clamav-devel On Behalf Of Mark Allan
> > Sent: Thursday, February 11, 2021 3:54 PM
> > To: ClamAV Development
> > Subject: Re: [Clamav-devel] Issue with FP only on 0.103.1
> >
> > Hi Micah,
> >
> > Yes of course! I've just uploaded a zip file (Archive.zip) to the FP page on clamav.net
> > MD5 (Archive.zip) = 45229d954a884a1e03aba15b9f42168a
> >
> > Regards
> > Mark
> >
> > > On 11 Feb 2021, at 7:12 pm, Micah Snyder (micasnyd) wrote:
> > >
> > > Hi Mark,
> > >
> > > Do you think you could share a sample or two with me to test. I'm really curious what changed and would like to debug each version with a sample or two.
> > >
> > > -Micah
> > >
> > >> -----Original Message-----
> > >> From: clamav-devel On Behalf Of Mark Allan
> > >> Sent: Monday, February 8, 2021 3:04 AM
> > >> To: ClamAV Development
> > >> Subject: [Clamav-devel] Issue with FP only on 0.103.1
> > >>
> > >> Hi all,
> > >>
> > >> It looks like the additional image file type support in 0.103.1 has introduced an issue with a particular signature which has been in the database since 2018
> > >>
> > >>     Img.Exploit.CVE_2018_4904-6449838-0
> > >>
> > >> It's flagging up thousands of known-good files. As far as I can tell, they're all TIFF files.
> > >>
> > >> I've added that signature to an ign2 file for now, but I'm wondering if there's something else that's maybe amiss somewhere either with the signature or the 0.103.1 update?
> > >>
> > >> Best regards,
> > >> Mark

___

clamav-devel mailing list
clamav-devel@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-devel

Please submit your patches to our Github: https://github.com/Cisco-Talos/clamav-devel/pulls

Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
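An added example, not code from the thread or from the ClamAV project: one way to triage the false positive discussed above, by checking that every file a signature flagged starts with a TIFF header and then emitting those signature names as lines for a local .ign2 file. The scan report, the sample files and the second signature name are constructed; the report format assumed is clamscan's `<path>: <signature> FOUND`.

```python
import os
import tempfile
from collections import defaultdict

TIFF_MAGICS = (b"II*\x00", b"MM\x00*")  # little-endian / big-endian TIFF headers

def parse_hits(report):
    """Map signature name -> flagged paths from '<path>: <sig> FOUND' lines."""
    hits = defaultdict(list)
    for line in report.splitlines():
        if line.endswith(" FOUND"):
            path, _, sig = line[:-len(" FOUND")].rpartition(": ")
            if path and sig:
                hits[sig].append(path)
    return dict(hits)

def is_tiff(path):
    """True when the file starts with a TIFF byte-order mark and magic 42."""
    try:
        with open(path, "rb") as fh:
            return fh.read(4) in TIFF_MAGICS
    except OSError:
        return False  # unreadable files are not counted as TIFF

def tiff_only_signatures(hits):
    """Signatures whose every hit is a TIFF file: candidates for FP review."""
    return sorted(s for s, paths in hits.items() if all(is_tiff(p) for p in paths))

def ign2_lines(signatures):
    """Body of a local .ign2 file: one signature name per line."""
    return "".join(f"{name}\n" for name in signatures)

def demo():
    """Triage a constructed scan report over constructed sample files."""
    sig = "Img.Exploit.CVE_2018_4904-6449838-0"  # signature named in the thread
    other = "Constructed.Example.Sig-0"          # constructed name
    samples = {"a.tif": (b"II*\x00", sig), "b.tif": (b"MM\x00*", sig),
               "c.bin": (b"MZ\x90\x00", other)}
    with tempfile.TemporaryDirectory() as tmp:
        report = "".join(f"{os.path.join(tmp, n)}: {s} FOUND\n"
                         for n, (_, s) in samples.items())
        report += f"{os.path.join(tmp, 'clean.txt')}: OK\n"
        for name, (header, _) in samples.items():
            with open(os.path.join(tmp, name), "wb") as fh:
                fh.write(header + b"\x00" * 16)
        return ign2_lines(tiff_only_signatures(parse_hits(report)))

if __name__ == "__main__":
    print(demo(), end="")
```

A signature that lands in the output is only a candidate for review: the TIFF header check shows the hits share a file type, not that the files are benign.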
Re: [Clamav-devel] Issue with FP only on 0.103.1
Thank you Mark! We'll take a look.

-Micah

> -----Original Message-----
> From: clamav-devel On Behalf Of Mark Allan
> Sent: Thursday, February 11, 2021 3:54 PM
> To: ClamAV Development
> Subject: Re: [Clamav-devel] Issue with FP only on 0.103.1
>
> Hi Micah,
>
> Yes of course! I've just uploaded a zip file (Archive.zip) to the FP page on clamav.net
> MD5 (Archive.zip) = 45229d954a884a1e03aba15b9f42168a
>
> Regards
> Mark
>
> > On 11 Feb 2021, at 7:12 pm, Micah Snyder (micasnyd) wrote:
> >
> > Hi Mark,
> >
> > Do you think you could share a sample or two with me to test. I'm really curious what changed and would like to debug each version with a sample or two.
> >
> > -Micah
> >
> >> -----Original Message-----
> >> From: clamav-devel On Behalf Of Mark Allan
> >> Sent: Monday, February 8, 2021 3:04 AM
> >> To: ClamAV Development
> >> Subject: [Clamav-devel] Issue with FP only on 0.103.1
> >>
> >> Hi all,
> >>
> >> It looks like the additional image file type support in 0.103.1 has introduced an issue with a particular signature which has been in the database since 2018
> >>
> >>     Img.Exploit.CVE_2018_4904-6449838-0
> >>
> >> It's flagging up thousands of known-good files. As far as I can tell, they're all TIFF files.
> >>
> >> I've added that signature to an ign2 file for now, but I'm wondering if there's something else that's maybe amiss somewhere either with the signature or the 0.103.1 update?
> >>
> >> Best regards,
> >> Mark
Re: [Clamav-devel] Issue with FP only on 0.103.1
Hi Micah,

Yes of course! I've just uploaded a zip file (Archive.zip) to the FP page on clamav.net
MD5 (Archive.zip) = 45229d954a884a1e03aba15b9f42168a

Regards
Mark

> On 11 Feb 2021, at 7:12 pm, Micah Snyder (micasnyd) wrote:
>
> Hi Mark,
>
> Do you think you could share a sample or two with me to test. I'm really curious what changed and would like to debug each version with a sample or two.
>
> -Micah
>
>> -----Original Message-----
>> From: clamav-devel On Behalf Of Mark Allan
>> Sent: Monday, February 8, 2021 3:04 AM
>> To: ClamAV Development
>> Subject: [Clamav-devel] Issue with FP only on 0.103.1
>>
>> Hi all,
>>
>> It looks like the additional image file type support in 0.103.1 has introduced an issue with a particular signature which has been in the database since 2018
>>
>>     Img.Exploit.CVE_2018_4904-6449838-0
>>
>> It's flagging up thousands of known-good files. As far as I can tell, they're all TIFF files.
>>
>> I've added that signature to an ign2 file for now, but I'm wondering if there's something else that's maybe amiss somewhere either with the signature or the 0.103.1 update?
>>
>> Best regards,
>> Mark
Re: [Clamav-devel] Issue with FP only on 0.103.1
Hi Mark,

Do you think you could share a sample or two with me to test. I'm really curious what changed and would like to debug each version with a sample or two.

-Micah

> -----Original Message-----
> From: clamav-devel On Behalf Of Mark Allan
> Sent: Monday, February 8, 2021 3:04 AM
> To: ClamAV Development
> Subject: [Clamav-devel] Issue with FP only on 0.103.1
>
> Hi all,
>
> It looks like the additional image file type support in 0.103.1 has introduced an issue with a particular signature which has been in the database since 2018
>
>     Img.Exploit.CVE_2018_4904-6449838-0
>
> It's flagging up thousands of known-good files. As far as I can tell, they're all TIFF files.
>
> I've added that signature to an ign2 file for now, but I'm wondering if there's something else that's maybe amiss somewhere either with the signature or the 0.103.1 update?
>
> Best regards,
> Mark