Re: [Clamav-devel] Issue with FP only on 0.103.1
The commit history is messed up between 0.100 and 0.101 due to old (bad) commit cherry-picking practices back then. That commit was also in 0.100, here:
https://github.com/Cisco-Talos/clamav-devel/commit/28592e59091ba353e637a7cde1038be1e426274b

Ignore the 0.99.3 branch name. The 0.99.3 feature dev branch was renamed to 0.100 to make space for security patch releases after Steve left.

-Micah

> -----Original Message-----
> From: clamav-devel On Behalf Of Andrew Williams
> Sent: Tuesday, March 9, 2021 4:21 PM
> To: ClamAV Development
> Subject: Re: [Clamav-devel] Issue with FP only on 0.103.1
>
> Mark,
>
> It looks like this commit, which according to the GitHub tags was introduced in ClamAV 0.101-beta, made it so that .ign2 rules could no longer have '.{}' on the end
> https://github.com/Cisco-Talos/clamav-devel/commit/b2f59861ee1a53c113fd37fe9378f739cc012042
>
> It also has implications for ignoring alerts from bytecode signatures that have VirusNames that aren't empty... I'll open a ticket for this
>
> Thanks!
>
> -Andrew
Re: [Clamav-devel] Issue with FP only on 0.103.1
Mark,

It looks like this commit, which according to the GitHub tags was introduced in ClamAV 0.101-beta, made it so that .ign2 rules could no longer have '.{}' on the end
https://github.com/Cisco-Talos/clamav-devel/commit/b2f59861ee1a53c113fd37fe9378f739cc012042

It also has implications for ignoring alerts from bytecode signatures that have VirusNames that aren't empty... I'll open a ticket for this

Thanks!

-Andrew

On Mon, Mar 8, 2021 at 6:00 PM Mark Allan wrote:

> Hi Andrew,
>
> Thanks for letting me know it's been dropped now. I was creating the ign2 file almost identically, except for using double >> instead of single as I already have dozens of lines in there.
>
> I see you have it without the .{} suffix. I tried both with it and without and it wasn't working, i.e.
>
> echo "BC.Img.Exploit.CVE_2018_4891-6453673-2" >> ignored.ign2
> echo "BC.Img.Exploit.CVE_2018_4891-6453673-2.{}" >> ignored.ign2
>
> Are you saying the .{} is no longer required to ignore bytecode signatures?
>
> Thanks again
> Mark
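As an added example (not code from this thread or from the ClamAV project), the Python below is a small checker for .ign2 files that flags the problem Andrew identifies above: an entry that still carries the '.{}' suffix, which the commit he links stopped accepting in 0.101-beta. It assumes an .ign2 entry is one signature name per line, compared exactly against the alert name (the form Andrew's `echo "..." > test.ign2` test relied on), and it also reports stray whitespace and CRLF line endings as a general precaution. The thread does not settle why Mark's file failed even though it also contained the bare name, so the checker reports only what the page supports.

```python
# Added example, not ClamAV's own code: a checker for .ign2 files that flags
# the problem Andrew identified. Assumptions not stated on the page: an .ign2
# entry is one signature name per line, matched exactly against the alert
# name (the form Andrew's `echo "..." > test.ign2` test used); a line that
# still carries the old '.{}' suffix, or stray whitespace or CR bytes, is
# reported and treated as not matching. The thread does not settle why Mark's
# file failed even with the bare name present, so only that much is modelled.
from typing import List

LEGACY_SUFFIX = ".{}"  # accepted before the 0.101-beta change, per Andrew

# Mark's two lines, as he posted them (constructed file contents).
MARK_IGN2 = ('BC.Img.Exploit.CVE_2018_4891-6453673-2\n'
             'BC.Img.Exploit.CVE_2018_4891-6453673-2.{}\n')
# Andrew's working one-line file.
ANDREW_IGN2 = 'BC.Img.Exploit.CVE_2018_4891-6453673-2\n'


def lint_ign2(text: str) -> List[str]:
    """Report entries that will not match an alert, with their line number."""
    problems = []
    for n, line in enumerate(text.split("\n"), 1):
        if line.endswith("\r"):
            problems.append(f"line {n}: CRLF line ending")
            line = line[:-1]
        if not line.strip():
            continue
        if line != line.strip():
            problems.append(f"line {n}: leading/trailing whitespace")
            line = line.strip()
        if line.endswith(LEGACY_SUFFIX):
            problems.append(f"line {n}: {line!r} ends with {LEGACY_SUFFIX!r}, "
                            "no longer accepted since 0.101-beta; use the bare name")
    return problems


def normalize_ign2(text: str) -> str:
    """Rewrite the file with bare names only, one per line, duplicates dropped."""
    seen, out = set(), []
    for line in text.splitlines():
        name = line.strip()
        if name.endswith(LEGACY_SUFFIX):
            name = name[:-len(LEGACY_SUFFIX)]
        if name and name not in seen:
            seen.add(name)
            out.append(name)
    return "".join(n + "\n" for n in out)


def will_ignore(alert_name: str, text: str) -> bool:
    """Exact line match: the only form the thread shows working."""
    return any(line == alert_name for line in text.split("\n"))


if __name__ == "__main__":
    for p in lint_ign2(MARK_IGN2):
        print("warning:", p)
    print(normalize_ign2(MARK_IGN2), end="")
```

Run it against an existing ignore list before dropping it into the signature directory; the normalized output is what Andrew's working example looked like.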
Re: [Clamav-devel] Issue with FP only on 0.103.1
Hi Andrew,

Thanks for letting me know it's been dropped now. I was creating the ign2 file almost identically, except for using double >> instead of single as I already have dozens of lines in there.

I see you have it without the .{} suffix. I tried both with it and without and it wasn't working, i.e.

echo "BC.Img.Exploit.CVE_2018_4891-6453673-2" >> ignored.ign2
echo "BC.Img.Exploit.CVE_2018_4891-6453673-2.{}" >> ignored.ign2

Are you saying the .{} is no longer required to ignore bytecode signatures?

Thanks again
Mark

> On 8 Mar 2021, at 5:44 pm, Andrew Williams wrote:
>
> Thanks for reporting this Mark. The signature has been dropped and a new bytecode.cvd released.
>
> I was able to have the bytecode signature be ignored by creating the .ign2 file as follows and then moving it into the ClamAV signature directory: `echo "BC.Img.Exploit.CVE_2018_4891-6453673-2" > test.ign2`. Can you elaborate on how you are creating the .ign2 file?
>
> Thanks again,
>
> -Andrew
Re: [Clamav-devel] Issue with FP only on 0.103.1
Thanks for reporting this Mark. The signature has been dropped and a new bytecode.cvd released.

I was able to have the bytecode signature be ignored by creating the .ign2 file as follows and then moving it into the ClamAV signature directory: `echo "BC.Img.Exploit.CVE_2018_4891-6453673-2" > test.ign2`. Can you elaborate on how you are creating the .ign2 file?

Thanks again,

-Andrew

On Thu, Mar 4, 2021 at 11:16 AM Mark Allan wrote:

> Looks like we have another one!
> BC.Img.Exploit.CVE_2018_4891-6453673-2
>
> This is generating loads of FPs as well.
>
> Curiously (and sorry for listing two issues in one email) adding a bytecode signature name (with the .{} suffix) to an ign2 file appears to have no effect. Any thoughts why this might be?
>
> Best regards,
> Mark
Re: [Clamav-devel] Issue with FP only on 0.103.1
Looks like we have another one!
BC.Img.Exploit.CVE_2018_4891-6453673-2

This is generating loads of FPs as well.

Curiously (and sorry for listing two issues in one email) adding a bytecode signature name (with the .{} suffix) to an ign2 file appears to have no effect. Any thoughts why this might be?

Best regards,
Mark

> On 16 Feb 2021, at 3:06 am, Micah Snyder (micasnyd) wrote:
>
> It looks like BC.Img.Exploit.CVE_2017_11255-6335669-1 suffered the same lack of proper FP testing as the other TIFF signature, likely for the same reasons. After some time reviewing it, I agree that BC.Img.Exploit.CVE_2017_11255-6335669-1 should be dropped. This bytecode signature has a relatively high probability to FP on TIFF files that don't include a ColorMap in the IFD header(s), which is also fairly common. Reworking the signature is probably not worth the effort considering the CVE is from 2017.
>
> It should be dropped in the update tomorrow morning.
>
> Thanks for reaching out Mark.
>
> Regards,
> Micah
Re: [Clamav-devel] Issue with FP only on 0.103.1
It looks like BC.Img.Exploit.CVE_2017_11255-6335669-1 suffered the same lack of proper FP testing as the other TIFF signature, likely for the same reasons. After some time reviewing it, I agree that BC.Img.Exploit.CVE_2017_11255-6335669-1 should be dropped. This bytecode signature has a relatively high probability to FP on TIFF files that don't include a ColorMap in the IFD header(s), which is also fairly common. Reworking the signature is probably not worth the effort considering the CVE is from 2017.

It should be dropped in the update tomorrow morning.

Thanks for reaching out Mark.

Regards,
Micah

> -----Original Message-----
> From: clamav-devel On Behalf Of Micah Snyder (micasnyd)
> Sent: Monday, February 15, 2021 11:36 AM
> To: ClamAV Development
> Subject: Re: [Clamav-devel] Issue with FP only on 0.103.1
>
> Oh, sorry I misread your email. Needed more coffee. You were asking about a different signature: BC.Img.Exploit.CVE_2017_11255-6335669-1
> Will investigate.
>
> -Micah
Re: [Clamav-devel] Issue with FP only on 0.103.1
Oh, sorry I misread your email. Needed more coffee. You were asking about a different signature: BC.Img.Exploit.CVE_2017_11255-6335669-1
Will investigate.

-Micah

> -----Original Message-----
> From: clamav-devel On Behalf Of Micah Snyder (micasnyd)
> Sent: Monday, February 15, 2021 10:28 AM
> To: ClamAV Development
> Subject: Re: [Clamav-devel] Issue with FP only on 0.103.1
>
> Hi Mark,
>
> TL;DR: The type detection mismatch is fixed in the current daily + 0.103.1. The issue was with the signature. We didn't know about it because of the mismatch. You should've found that the offending signature was dropped on Saturday morning.
>
> Details:
>
> 0.103.1 introduced CL_TYPE_TIFF and changed TIFF file type recognition from:
> 0:0:49492a00:TIFF Little Endian:CL_TYPE_ANY:CL_TYPE_GRAPHICS
> 0:0:4d4d:TIFF Big Endian:CL_TYPE_ANY:CL_TYPE_GRAPHICS
> to:
> 0:0:49492a00:TIFF Little Endian:CL_TYPE_ANY:CL_TYPE_TIFF
> 0:0:4d4d:TIFF Big Endian:CL_TYPE_ANY:CL_TYPE_TIFF
>
> When FTM signatures are loaded from daily.cvd, it overrides the built-in FTM signatures. So it turns out that daily's FTM file had been missing the original CL_TYPE_GRAPHICS detection of TIFF files all this time, which would've been required for Target:5 signatures to alert on TIFF files. As a result, the signature in question "worked" in testing (with a single LDB file, using built-in FTM), but never worked during FP testing or in production (with a daily CVD file).
>
> When we added this to daily.ftm to support 0.103.1:
> 0:0:49492a00:TIFF Little Endian:CL_TYPE_ANY:CL_TYPE_TIFF:122
> 0:0:4d4d:TIFF Big Endian:CL_TYPE_ANY:CL_TYPE_TIFF:122
> ... all of a sudden a signature which was written for TIFF files started alerting on TIFF files (as it should've) because the new CL_TYPE_TIFF also alerts on Target:5 (graphics) types. We never added the CL_TYPE_GRAPHICS variant for 0.103.0 and prior, which is why it appeared to be an issue with 0.103.1. Perhaps we should? I'll ask MRT about it.
>
> Anyways, this is basically a reminder that we need to make sure daily FTM and libclamav's FTM are in sync.
>
> -Micah
Re: [Clamav-devel] Issue with FP only on 0.103.1
Hi Mark, TL;DR: The type detection mismatch is fixed in the current daily + 0.103.1. The issue was with the signature. We didn't know about it because of the mismatch. You should've found that the offending signature was dropped on Saturday morning. Details: 0.103.1 introduced CL_TYPE_TIFF and changed TIFF file type recognition from: 0:0:49492a00:TIFF Little Endian:CL_TYPE_ANY:CL_TYPE_GRAPHICS 0:0:4d4d:TIFF Big Endian:CL_TYPE_ANY:CL_TYPE_ GRAPHICS to: 0:0:49492a00:TIFF Little Endian:CL_TYPE_ANY:CL_TYPE_TIFF 0:0:4d4d:TIFF Big Endian:CL_TYPE_ANY:CL_TYPE_TIFF When FTM signatures are loaded from daily.cvd, it overrides the built-in FTM signatures. So it turns out that daily's FTM file had been missing the original CL_TYPE_GRAPHICS detection of TIFF files all this time, which would've been required for Target:5 signatures to alert on TIFF files. As a result, the signature in question "worked" in testing (with a single LDB file, using built-in FTM), but never worked in worked during FP testing or in production (with a daily CVD file). When we added this to daily.ftm to support 0.103.1: 0:0:49492a00:TIFF Little Endian:CL_TYPE_ANY:CL_TYPE_TIFF:122 0:0:4d4d:TIFF Big Endian:CL_TYPE_ANY:CL_TYPE_TIFF:122 ... all of a sudden a signature which was written for TIFF files started alerting on TIFF files (as it should've) because the new CL_TYPE_TIFF also alerts on Target:5 (graphics) types. We never added the CL_TYPE_GRAPHICS variant for 0.103.0 and prior, which is why it appeared to be an issue with 0.103.1. Perhaps we should? I'll ask MRT about it. Anyways, this is basically a reminder that we need to make sure daily FTM and libclamav's FTM are in sync. -Micah > -Original Message- > From: clamav-devel On Behalf Of > Mark Allan > Sent: Saturday, February 13, 2021 3:35 PM > To: ClamAV Development > Subject: Re: [Clamav-devel] Issue with FP only on 0.103.1 > > Thanks. 
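As an added illustration (not ClamAV code) of the FTM mismatch Micah describes above: a small Python model of .ftm rules that classifies a TIFF header with each table and diffs the built-in table against daily's, so the "in sync" check he asks for can be run on two rule files. The rule lines are the ones quoted in the thread; the sample TIFF headers and the functionality-level values are constructed, and the trailing ":122" field is assumed to be a minimum functionality level for the rule.

```python
# Added example, not ClamAV code: toy model of .ftm rules quoted in the thread.
# libclamav built-in FTM before and after 0.103.1, as quoted above.
BUILTIN_0_103_0 = """\
0:0:49492a00:TIFF Little Endian:CL_TYPE_ANY:CL_TYPE_GRAPHICS
0:0:4d4d:TIFF Big Endian:CL_TYPE_ANY:CL_TYPE_GRAPHICS
"""
BUILTIN_0_103_1 = """\
0:0:49492a00:TIFF Little Endian:CL_TYPE_ANY:CL_TYPE_TIFF
0:0:4d4d:TIFF Big Endian:CL_TYPE_ANY:CL_TYPE_TIFF
"""
# daily.ftm before the fix: no TIFF rule at all (the situation described).
DAILY_OLD = ""
# daily.ftm after the fix; trailing field assumed to be the min engine flevel.
DAILY_NEW = """\
0:0:49492a00:TIFF Little Endian:CL_TYPE_ANY:CL_TYPE_TIFF:122
0:0:4d4d:TIFF Big Endian:CL_TYPE_ANY:CL_TYPE_TIFF:122
"""
# Types this toy treats as Target:5 (graphics), per the thread's statement.
TARGET5_TYPES = {"CL_TYPE_GRAPHICS", "CL_TYPE_TIFF"}


def parse_ftm(text):
    """Parse magictype:offset:hexmagic:name:rtype:type[:min_flevel] lines."""
    rules = []
    for line in text.splitlines():
        f = line.strip().split(":")
        if len(f) < 6 or f[0] != "0":  # only plain byte-compare rules modelled
            continue
        rules.append({"offset": int(f[1]), "magic": bytes.fromhex(f[2]),
                      "name": f[3], "rtype": f[4], "type": f[5],
                      "min_flevel": int(f[6]) if len(f) > 6 and f[6] else 0})
    return rules


def detect_type(rules, data, flevel):
    """CL_TYPE of the first applicable rule whose magic matches, else None."""
    for r in rules:
        if flevel < r["min_flevel"] or r["rtype"] != "CL_TYPE_ANY":
            continue  # toy: only rules on raw input, and only if engine is new enough
        if data[r["offset"]:r["offset"] + len(r["magic"])] == r["magic"]:
            return r["type"]
    return None


def target5_applies(rules, data, flevel):
    """Would Target:5 (graphics) signatures be run against this file?"""
    return detect_type(rules, data, flevel) in TARGET5_TYPES


def ftm_out_of_sync(built_in, daily):
    """(magic, built-in type, daily type) for each rule the two tables
    disagree on, including rules present in only one; [] means in sync."""
    key = lambda r: (r["offset"], r["magic"].hex())
    a = {key(r): r["type"] for r in parse_ftm(built_in)}
    b = {key(r): r["type"] for r in parse_ftm(daily)}
    return sorted(((k[1], a.get(k), b.get(k)) for k in a.keys() | b.keys()
                   if a.get(k) != b.get(k)), key=lambda t: t[0])


# Constructed minimal headers: byte-order mark, magic 42, first IFD offset.
TIFF_LE = b"II*\x00\x08\x00\x00\x00" + b"\x00" * 8
TIFF_BE = b"MM\x00*\x00\x00\x00\x08" + b"\x00" * 8
```

With the old daily table a TIFF gets no type at all, so Target:5 signatures never run against it (which is why the signature passed FP testing); with the fixed daily table an engine below functionality level 122 still ignores the rule, matching the observation that the alerts appeared only on 0.103.1.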
Re: [Clamav-devel] Issue with FP only on 0.103.1
Thanks. I've just found another one too

BC.Img.Exploit.CVE_2017_11255-6335669-1

It's triggering on a file that's been part of macOS for many years. It's also a tiff file. I can submit this as well if necessary?

Out of interest, is the type detection mismatch something that can be fixed in daily.cvd or can I patch libclamav/filetypes_int.h to revert it to what it was at 0.103.0?

Mark

> On 12 Feb 2021, at 5:23 am, Micah Snyder (micasnyd) wrote:
Re: [Clamav-devel] Issue with FP only on 0.103.1
It appears to me to be an issue with the signature which is only evident in 0.103.1 now that we're matching TIFFs with Target:5 signatures, like this one.

There was apparently a mismatch for TIFF file type detection between the file type magic signatures built-in to libclamav (libclamav/filetypes_int.h) and the .ftm sigs shipped with daily.cvd (which override the internal ones when loaded).

I'll ask to have the signature dropped and re-evaluated.

-Micah

> -Original Message-
> From: clamav-devel On Behalf Of Micah Snyder (micasnyd)
> Sent: Thursday, February 11, 2021 8:27 PM
> To: ClamAV Development
> Subject: Re: [Clamav-devel] Issue with FP only on 0.103.1
>
> Thank you Mark! We'll take a look.
>
> -Micah

___

clamav-devel mailing list
clamav-devel@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-devel

Please submit your patches to our Github: https://github.com/Cisco-Talos/clamav-devel/pulls

Help us build a comprehensive ClamAV guide: https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
Re: [Clamav-devel] Issue with FP only on 0.103.1
Thank you Mark! We'll take a look.

-Micah

> -Original Message-
> From: clamav-devel On Behalf Of Mark Allan
> Sent: Thursday, February 11, 2021 3:54 PM
> To: ClamAV Development
> Subject: Re: [Clamav-devel] Issue with FP only on 0.103.1
>
> Hi Micah,
>
> Yes of course! I've just uploaded a zip file (Archive.zip) to the FP page on clamav.net
> MD5 (Archive.zip) = 45229d954a884a1e03aba15b9f42168a
>
> Regards
> Mark
Re: [Clamav-devel] Issue with FP only on 0.103.1
Hi Micah,

Yes of course! I've just uploaded a zip file (Archive.zip) to the FP page on clamav.net
MD5 (Archive.zip) = 45229d954a884a1e03aba15b9f42168a

Regards
Mark

> On 11 Feb 2021, at 7:12 pm, Micah Snyder (micasnyd) wrote:
>
> Hi Mark,
>
> Do you think you could share a sample or two with me to test? I'm really curious what changed and would like to debug each version with a sample or two.
>
> -Micah
Re: [Clamav-devel] Issue with FP only on 0.103.1
Hi Mark,

Do you think you could share a sample or two with me to test? I'm really curious what changed and would like to debug each version with a sample or two.

-Micah

> -Original Message-
> From: clamav-devel On Behalf Of Mark Allan
> Sent: Monday, February 8, 2021 3:04 AM
> To: ClamAV Development
> Subject: [Clamav-devel] Issue with FP only on 0.103.1
[Clamav-devel] Issue with FP only on 0.103.1
Hi all,

It looks like the additional image file type support in 0.103.1 has introduced an issue with a particular signature which has been in the database since 2018

Img.Exploit.CVE_2018_4904-6449838-0

It's flagging up thousands of known-good files. As far as I can tell, they're all TIFF files.

I've added that signature to an ign2 file for now, but I'm wondering if there's something else that's maybe amiss somewhere either with the signature or the 0.103.1 update?

Best regards,
Mark