Re: [clamav-users] Match on raw .wsf file?

2016-08-31 Thread Kris Deugau
Kris Deugau wrote:
> Is there a way to force matching on the raw file, or at least control
> the normalization to some degree so that formatting and details in the
> original code aren't lost?

As a complement to that question, is there a way to *force* other
Javascript files to be normalized for matching?  The key problem with
the obfuscation as in the examples I posted is all the ways you can
split those strings, plus all the variations on whitespace in between
the string fragments and operators.

-kgd


> I've been coming across .wsf files in .zip files, which are essentially
> Javascript wrapped in a very thin wrapper:
> 
> 
> [insert nasty Javascript here]
> 
> 
> However, signatures I've created based on the raw file never match, and
> I finally figured out a few months ago that I'd have to use clamscan
> --leave-temps to dig up the normalized text Clam was actually running
> pattern matches against.
> 
> Unfortunately I've just discovered a flaw in this process, in that the
> normalizing process is also stripping off some of the key JS-obfuscation.
> 
> I've posted the raw first ~8 lines of one of these files, and the
> normalized version of that same chunk of text:
> 
> http://deepnet.cx/clamfrags/raw-wsf-01
> http://deepnet.cx/clamfrags/norm-wsf-01
> 
> In this case, one of the key things I'd like to match on is the
> "br"+"o"+"ken" strings in their broken form, but that information is
> wiped away in the normalized version.
> 
> -kgd
> ___
> Help us build a comprehensive ClamAV guide:
> https://github.com/vrtadmin/clamav-faq
> 
> http://www.clamav.net/contact.html#ml
> 

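The follow-up question asks for a normalization that survives every way a string can be split and every whitespace variation around the `+` operators. The following is an added illustration, not code from the original post or from ClamAV: a small Python normalizer that folds `"br"+"o"+"ken"`-style concatenation runs into one literal and collapses whitespace (so one pattern matches all variants), while separately recording how many fragments each run had, which is the raw-form information the poster wants to keep. The sample JavaScript is constructed here; the regex handles plain quoted literals and backslash escapes only, not template literals or escape sequences such as `\x41`.

```python
import re

# One JS string literal, double- or single-quoted, with backslash escapes.
STRING_LIT = r'"(?:[^"\\]|\\.)*"|\'(?:[^\'\\]|\\.)*\''
LIT = re.compile(STRING_LIT)
# A run of two or more literals joined by '+', with any whitespace (spaces,
# tabs, newlines) around each operator: the "br"+"o"+"ken" pattern.
CONCAT_RUN = re.compile(r'(?:%s)(?:\s*\+\s*(?:%s))+' % (STRING_LIT, STRING_LIT))


def _unquote(lit):
    """Strip the quotes and resolve an escaped quote or backslash.
    Good enough for matching; it does not interpret \\n, \\x41 or \\u0041."""
    return re.sub(r'\\(.)', r'\1', lit[1:-1])


def fold_concats(src):
    """Return (folded_source, fragment_counts).

    Every "a" + 'b' + "c" run becomes the single literal "abc" and all
    whitespace runs collapse to one space, so one signature matches every way
    the author could have split the string. fragment_counts records how many
    pieces each run had; that is the raw-form detail a normalizer discards,
    kept here as a separate obfuscation indicator."""
    counts = []

    def join_run(match):
        parts = [_unquote(p) for p in LIT.findall(match.group(0))]
        counts.append(len(parts))
        joined = ''.join(parts).replace('\\', '\\\\').replace('"', '\\"')
        return '"%s"' % joined

    folded = CONCAT_RUN.sub(join_run, src)
    folded = re.sub(r'\s+', ' ', folded).strip()
    return folded, counts


def looks_fragmented(src, min_pieces=3):
    """True when any concatenation run has at least min_pieces literals."""
    _, counts = fold_concats(src)
    return any(c >= min_pieces for c in counts)


# Constructed sample in the spirit of the posted fragment: the same string
# split three ways, with varying whitespace and quote styles.
SAMPLE = '''var x = "br"+"o"+"ken";
var y = "br"   +
    'o'  + "ken";
var z = "intact";'''

if __name__ == "__main__":
    folded, counts = fold_concats(SAMPLE)
    print(folded)                    # var x = "broken"; var y = "broken"; var z = "intact";
    print(counts)                    # [3, 3]
    print(looks_fragmented(SAMPLE))  # True
```

Running the folded text through a signature gives the whitespace-independent match; `looks_fragmented` keeps the "how split was it" signal that the folding throws away, which is the trade-off the thread is about.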


Re: [clamav-users] can't demonstrate that On-Access scanning is working (fedora 24)

2016-08-31 Thread Mickey Sola
Hugo,

If you could send me the logs it would definitely help me figure out fixes
for some of the quirks you're seeing.

As for combining OnAccessIncludePath and OnAccessMountPath, you would
currently need to run two instances of clamd as the MountPath option
currently supersedes IncludePath when both are specified. I'll look into
the possibility of allowing both to run simultaneously as I can definitely
see the benefit there, but no promises.

OnAccessIncludePath does need to enumerate over all directories within and
build out its internal representation of the specified path, so initial
startup can take a while for larger hierarchies, which is something to keep
in mind. That said, there might be something else at play here if things
don't start up in a minute or two. You'll definitely want to verify you
have enough inotify watchpoints (although clamd *should* error out with a
message explaining this if that's the case).

Let me know if you have any other questions or need clarifications on
anything.

- Mickey

On Wed, Aug 31, 2016 at 8:08 AM, Hugo Bernier  wrote:

> Hi Mickey,
>
> I turned on debug.
>
> Given:
> ScanOnAccess yes
> OnAccessMountPath /
> CrossFilesystems yes
>
>
>
>
> In my /home directory, which is on a different file system, if I open up
> the eicar test file or any file in the test directory of the source
> distribution I get 17 megs of logs. The on access scanner is clearly doing
> something. It does not however report that it found a virus.
>
> If I move the eicar test file to / it does print out that it found the
> virus. If I include /home as a separate entry on OnAccessMountPath it also
> detects the virus.
>
> The issue seems to be 'CrossFilesystems yes'.
>
> If you or anyone would like the 17 megs of logs I gathered please let me
> know I'll send it to you directly.
>
> That covers detection, which is a good start. Now I'd like to
> get OnAccessPrevention working simultaneously. When I try
> combining OnAccessMountPath (which doesn't do prevention)
> and OnAccessIncludePath which does, the latter doesn't work. Is there any
> way to make it work? If OnAccessIncludePath is the only thing in the config
> it does prevent access to the file. OnAccessIncludePath seems pretty picky:
> I couldn't actually use the config file's example of /home - it refused to
> start. I was able to specify my download directory though,
>
> Best Regards,
> Hugo
>
> On Tue, 30 Aug 2016 at 16:02 Mickey Sola  wrote:
>
> > H, when running clamd manually could you also try enabling debug and
> > opening an eicar sample file in addition to the other tests you've been
> > running?
> >
> > -Mickey
> >
> > On Tue, Aug 30, 2016 at 10:25 AM, Hugo Bernier wrote:
> >
> > > Hi Mickey,
> > >
> > > I've set OnAccessMaxFileSize 1000M.
> > >
> > > Instead of "Tue Aug 30 10:38:59 2016 -> ScanOnAccess: Max file size limited to -1 bytes"
> > > I get: "Tue Aug 30 12:44:08 2016 -> ScanOnAccess: Max file size limited to 1048576000 bytes"
> > >
> > > I still don't see any entries when I open up files.
> > >
> > > I should note that I also set this selinux boolean a couple of reboots ago.
> > > antivirus_can_scan_system --> on
> > > in selinux as well.
> > >
> > > I also tried simplifying the configuration to this, and running clamd
> > > manually.
> > >
> > > """
> > > LogClean yes
> > > LogSyslog yes
> > > LogVerbose yes
> > > LocalSocket /var/run/clamd.sock
> > > Foreground yes
> > >
> > > ScanOnAccess yes
> > > OnAccessMountPath /
> > > OnAccessExcludeUID 0
> > > """
> > >
> > > When I execute the following command:
> > > clamdscan minuscule.pdf
> > >
> > > In the logs I see
> > > Aug 30 13:20:17 localhost.localdomain clamd[13472]:
> > > /home//Documents/minuscule.pdf: OK
> > >
> > > When I open the same file with evince, I get nothing from clamd. Note that
> > > I've been sticking to small files to avoid hitting the default file max
> > > (5m).
> > >
> > > Best,
> > > Hugo
> > >
> > > On Tue, 30 Aug 2016 at 11:54 Mickey Sola  wrote:
> > >
> > > > Hi Hugo,
> > > >
> > > > Could you try setting the max filesize option to a non-zero value and let
> > > > me know if that changes anything?
> > > >
> > > > -Mickey
> > > >
> > > > On Aug 30, 2016 7:51 AM, "Hugo Bernier"  wrote:
> > > >
> > > > > We have a new requirement at work that we have virus scanners installed on
> > > > > our workstations.
> > > > >
> > > > > What I'm trying to do is demonstrate that onAccess scanning works. What I'm
> > > > > expecting, which could be wrong, is that there would be output either in
> > > > > the logs or clamdtop when a file is opened or otherwise manipulated when
> > > > > verbose logging and "LogClean" is enabled. My assumption is that my setup
> > > > > is wrong. I've used
> > > > > http://blog.clamav.net/2016/03/configuring-on-access-
> > > > > 
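Mickey's point that OnAccessIncludePath has to enumerate every directory under the path, and that there must be enough inotify watchpoints for them, suggests a quick pre-flight check. The script below is an added example written for this digest, not part of ClamAV or of either poster's setup: it counts the directories under a path (one watch each) and compares the total with the kernel's per-user limit in `/proc/sys/fs/inotify/max_user_watches`. The `make_sample_tree` helper only builds a constructed tree for a stand-alone run; the limit is per user, so the comparison should be made for the uid clamd runs as, and other inotify users on that uid share the same budget.

```python
import os
import tempfile
from typing import Optional, Tuple

# Per-user ceiling on inotify watches. clamd needs one watch per directory it
# tracks under OnAccessIncludePath, so this is the number to compare against.
INOTIFY_MAX_WATCHES = "/proc/sys/fs/inotify/max_user_watches"


def count_directories(root: str) -> int:
    """root itself plus every directory below it; symlinks are not followed
    and unreadable subtrees are skipped (os.walk's default)."""
    total = 0
    for _path, _dirs, _files in os.walk(root, followlinks=False):
        total += 1
    return total


def max_user_watches() -> Optional[int]:
    """Current kernel limit, or None when /proc is not available."""
    try:
        with open(INOTIFY_MAX_WATCHES) as fh:
            return int(fh.read().strip())
    except (OSError, ValueError):
        return None


def watch_headroom(root: str, limit: int) -> Tuple[int, int, bool]:
    """(directories_needed, limit, fits). fits is False when the tree alone
    would exhaust the limit; leave margin for other inotify users."""
    needed = count_directories(root)
    return needed, limit, needed < limit


def make_sample_tree() -> str:
    """Constructed tree for a stand-alone run: base, base/a, base/a/b, base/c."""
    base = tempfile.mkdtemp(prefix="onaccess-")
    os.makedirs(os.path.join(base, "a", "b"))
    os.makedirs(os.path.join(base, "c"))
    return base


if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else make_sample_tree()
    limit = max_user_watches()
    if limit is None:
        print("could not read", INOTIFY_MAX_WATCHES)
    else:
        needed, limit, fits = watch_headroom(root, limit)
        verdict = "ok" if fits else "raise fs.inotify.max_user_watches"
        print("%s: %d directories, limit %d -> %s" % (root, needed, limit, verdict))
```

Run it as `python3 check_watches.py /home` (the name is hypothetical) before pointing OnAccessIncludePath at a large tree; if the count is close to the limit, raise it with `sysctl fs.inotify.max_user_watches=<value>` and persist that in `/etc/sysctl.d/`. A long silent startup is then a hint that the enumeration is simply still running rather than that the option failed.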

Re: [clamav-users] clamd does not bind to port when starting through init.d/service ubuntu 16.04

2016-08-31 Thread Jeff Dyke
This happened to me again on a fresh install on a new 16.04 server, and the
fix, for me was adding directly to clamav-daemon.socket

[Socket]
ListenStream=/run/clamav/clamd.ctl
ListenStream=xx.xx.xx.xx:3310
SocketUser=clamav
SocketGroup=clamav
RemoveOnStop=True

Adding it to extend.conf did not work for me, but when I commented everything
out of extend.conf and reloaded and restarted it listened on both.  I may
play around with different configurations in the future but for now, this
took up too much time.

Seems like it's not only me:
http://serverfault.com/questions/798587/debian-8-cant-get-clamav-to-listen-on-tcp-3310?newreg=0a11acb857d341e7b3b4a44aed83553e
https://answers.launchpad.net/ubuntu/+source/clamav/+question/357500



On Mon, Aug 29, 2016 at 10:01 AM, Jeff Dyke  wrote:

> That's what I assumed/knew, just checking.  It may be something odd with
> this particular lxc container, but it works well with the others, so the
> (self start) hack allows me to deploy and test code properly.
>
> I'll dig around or perhaps just try a complete purge of all things clam
> and reinstall.
>
> On Mon, Aug 29, 2016 at 9:51 AM, Reindl Harald wrote:
>
>>
>>
>> Am 29.08.2016 um 15:34 schrieb Jeff Dyke:
>>
>>> our config locations for the .service files are in slightly different
>>> areas, so do you mind saying what distro you're running
>>>
>>
>> Fedora but it does not matter
>>
>> the whole concept of systemd is when you disable an existing service and
>> place a unit with the same name below /etc/systemd/system/ that "systemctl
>> enable name.service" enables this one and the distro shipped is no longer
>> used in any way
>>
>> the same for .timer. .socket and what not else
>>
>> /etc/systemd/system/ has the same structure as /usr/lib/systemd/system/
>> and is meant for local overrides / replacements
>>
>>
>
>
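Jeff's fix edits the `[Socket]` section directly, and Reindl's reply explains why a unit under `/etc/systemd/system/` replaces the shipped one. Whichever route is used, what matters is the effective list of `ListenStream=` entries, which `systemctl cat clamav-daemon.socket` prints with any drop-ins merged. The script below is an added example for this digest, not part of ClamAV's packaging or of either poster's configuration: it parses that text the way systemd reads it (entries accumulate across the unit and its drop-ins, and an empty `ListenStream=` resets the list) and flags any TCP entry that would bind every interface. The sample unit is constructed here, with the documentation address 192.0.2.10 standing in for the redacted `xx.xx.xx.xx`.

```python
import re
import sys
from typing import List, Tuple


def listen_streams(unit_text: str) -> List[str]:
    """Every ListenStream= value in [Socket], in order. An empty ListenStream=
    resets the list, as in systemd; a drop-in such as extend.conf otherwise
    appends to whatever the shipped unit already lists."""
    streams, in_socket = [], False
    for raw in unit_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("["):
            in_socket = line == "[Socket]"
            continue
        if in_socket and line.startswith("ListenStream="):
            value = line.split("=", 1)[1].strip()
            if value:
                streams.append(value)
            else:
                streams.clear()
    return streams


def binds_all_interfaces(stream: str) -> bool:
    """True for a TCP entry listening on every address: a bare port,
    0.0.0.0:port or [::]:port. Unix socket paths (/...) and abstract
    sockets (@...) never do. clamd's TCP command interface has no
    authentication, so anything wider than one internal address deserves
    a second look."""
    if stream.startswith(("/", "@")):
        return False
    return bool(re.fullmatch(r"\d+", stream)) or stream.startswith(("0.0.0.0:", "[::]:"))


def audit(unit_text: str) -> List[Tuple[str, bool]]:
    """(entry, binds_everything) for each effective listener."""
    return [(s, binds_all_interfaces(s)) for s in listen_streams(unit_text)]


# Constructed unit text modelled on the post (the [Unit] section is filler).
SAMPLE_UNIT = """[Unit]
Description=constructed example socket unit

[Socket]
ListenStream=/run/clamav/clamd.ctl
ListenStream=192.0.2.10:3310
SocketUser=clamav
SocketGroup=clamav
RemoveOnStop=True

[Install]
WantedBy=sockets.target
"""

if __name__ == "__main__":
    # Pipe in the merged unit: systemctl cat clamav-daemon.socket | python3 audit_socket.py
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_UNIT
    for entry, wide in audit(text):
        print("%-30s %s" % (entry, "BINDS ALL INTERFACES" if wide else "ok"))
```

After a `systemctl daemon-reload` and restart, `ss -ltnp | grep 3310` confirms the kernel actually has the listener; if the audit lists the address but `ss` does not show it, the socket unit was not the one activated.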


Re: [clamav-users] can't demonstrate that On-Access scanning is working (fedora 24)

2016-08-31 Thread Hugo Bernier
Hi Mickey,

I turned on debug.

Given:
ScanOnAccess yes
OnAccessMountPath /
CrossFilesystems yes




In my /home directory, which is on a different file system, if I open up
the eicar test file or any file in the test directory of the source
distribution I get 17 megs of logs. The on access scanner is clearly doing
something. It does not however report that it found a virus.

If I move the eicar test file to / it does print out that it found the
virus. If I include /home as a separate entry on OnAccessMountPath it also
detects the virus.

The issue seems to be 'CrossFilesystems yes'.

If you or anyone would like the 17 megs of logs I gathered please let me
know I'll send it to you directly.

That covers detection, which is a good start. Now I'd like to
get OnAccessPrevention working simultaneously. When I try
combining OnAccessMountPath (which doesn't do prevention)
and OnAccessIncludePath which does, the latter doesn't work. Is there any
way to make it work? If OnAccessIncludePath is the only thing in the config
it does prevent access to the file. OnAccessIncludePath seems pretty picky:
I couldn't actually use the config file's example of /home - it refused to
start. I was able to specify my download directory though,

Best Regards,
Hugo

On Tue, 30 Aug 2016 at 16:02 Mickey Sola  wrote:

> H, when running clamd manually could you also try enabling debug and
> opening an eicar sample file in addition to the other tests you've been
> running?
>
> -Mickey
>
> On Tue, Aug 30, 2016 at 10:25 AM, Hugo Bernier  wrote:
>
> > Hi Mickey,
> >
> > I've set OnAccessMaxFileSize 1000M.
> >
> > Instead of "Tue Aug 30 10:38:59 2016 -> ScanOnAccess: Max file size limited to -1 bytes"
> > I get: "Tue Aug 30 12:44:08 2016 -> ScanOnAccess: Max file size limited to 1048576000 bytes"
> >
> > I still don't see any entries when I open up files.
> >
> > I should note that I also set this selinux boolean a couple of reboots ago.
> > antivirus_can_scan_system --> on
> > in selinux as well.
> >
> > I also tried simplifying the configuration to this, and running clamd
> > manually.
> >
> > """
> > LogClean yes
> > LogSyslog yes
> > LogVerbose yes
> > LocalSocket /var/run/clamd.sock
> > Foreground yes
> >
> > ScanOnAccess yes
> > OnAccessMountPath /
> > OnAccessExcludeUID 0
> > """
> >
> > When I execute the following command:
> > clamdscan minuscule.pdf
> >
> > In the logs I see
> > Aug 30 13:20:17 localhost.localdomain clamd[13472]:
> > /home//Documents/minuscule.pdf: OK
> >
> > When I open the same file with evince, I get nothing from clamd. Note that
> > I've been sticking to small files to avoid hitting the default file max
> > (5m).
> >
> > Best,
> > Hugo
> >
> > On Tue, 30 Aug 2016 at 11:54 Mickey Sola  wrote:
> >
> > > Hi Hugo,
> > >
> > > Could you try setting the max filesize option to a non-zero value and let
> > > me know if that changes anything?
> > >
> > > -Mickey
> > >
> > > On Aug 30, 2016 7:51 AM, "Hugo Bernier"  wrote:
> > >
> > > > We have a new requirement at work that we have virus scanners installed on
> > > > our workstations.
> > > >
> > > > What I'm trying to do is demonstrate that onAccess scanning works. What I'm
> > > > expecting, which could be wrong, is that there would be output either in
> > > > the logs or clamdtop when a file is opened or otherwise manipulated when
> > > > verbose logging and "LogClean" is enabled. My assumption is that my setup
> > > > is wrong. I've used
> > > > http://blog.clamav.net/2016/03/configuring-on-access-scanning-in-clamav.html as
> > > > a base for the settings described below.
> > > >
> > > > I'm using clamav 0.99.2 from fedora 24 and the up to date stock fedora 24
> > > > kernel. CONFIG_FANOTIFY=y and CONFIG_FANOTIFY_ACCESS_PERMISSIONS=y are
> > > > present in /boot/config-4.6.7-300.fc24.x86_64.
> > > >
> > > > Here's my configuration in /etc/clam.d/scan.conf:
> > > >
> > > > LogFile /var/log/clamd.scan
> > > > LogFileUnlock yes
> > > > LogFileMaxSize 2M
> > > > LogTime yes
> > > > LogClean yes
> > > > LogVerbose yes
> > > > LogRotate yes
> > > > ExtendedDetectionInfo yes
> > > > PidFile /var/run/clamd.scan/clamd.pid
> > > > LocalSocket /var/run/clamd.scan/clamd.sock
> > > >
> > > > ScanOnAccess yes
> > > > OnAccessMountPath /
> > > > OnAccessMaxFileSize 0
> > > > OnAccessExcludeUID 0
> > > >
> > > > When clamav starts, the logs show the following:
> > > >
> > > > Tue Aug 30 10:38:53 2016 -> +++ Started at Tue Aug 30 10:38:53 2016
> > > > Tue Aug 30 10:38:53 2016 -> Received 0 file descriptor(s) from systemd.
> > > > Tue Aug 30 10:38:53 2016 -> clamd daemon 0.99.2 (OS: linux-gnu, ARCH:
> > > > x86_64, CPU: x86_64)
> > > > Tue Aug 30 10:38:53 2016 -> Log file size limited to 2097152 bytes.
> > > > Tue Aug 30 10:38:53 2016 -> Reading databases from /var/lib/clamav
> > > > Tue Aug 30 10:38:53 2016 -> Not loading
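Hugo's test is essentially "open the eicar file on each filesystem and see what clamd logs", and his observation is that the open on /home produced no entry at all while the same file on / was reported. The script below is an added example for this digest, not Hugo's or ClamAV's code: it copies an existing eicar test file (path supplied by the user; the file content is not embedded here) into each directory given, opens it the way a viewer would, then reads the clamd log and reports, per test file, which filesystem (`st_dev`) it sits on and whether clamd logged `OK`, a detection, or nothing. A `PermissionError` on the open is reported as blocked, which is what OnAccessPrevention produces. The log regex accepts both the `date -> path: result` form of LogFile and the `clamd[pid]: path: result` form seen via syslog; the sample log lines and device numbers used for the stand-alone run are constructed.

```python
import os
import re
import shutil
import sys
import time
from typing import Callable, Dict, Iterable

# clamd reports each scanned path as "<path>: OK" or "<path>: <Signature> FOUND",
# after either a "date -> " prefix (LogFile) or a "clamd[pid]: " prefix
# (syslog). search() skips whichever prefix is present.
RESULT_RE = re.compile(r"(?P<path>/.*?): (?:(?P<sig>\S+) FOUND|OK)\s*$")
TEST_NAME = "eicar-onaccess-test.com"


def parse_scan_results(log_text: str) -> Dict[str, str]:
    """Map each logged path to 'OK' or its signature name (last entry wins)."""
    results = {}
    for line in log_text.splitlines():
        m = RESULT_RE.search(line)
        if m:
            results[m.group("path")] = m.group("sig") or "OK"
    return results


def coverage_report(test_paths: Iterable[str], log_text: str,
                    dev_of: Callable[[str], int] = lambda p: os.stat(p).st_dev) -> Dict[str, dict]:
    """For each test file: the filesystem it lives on and what clamd logged.
    'no log entry' means the on-access hook never saw the open at all, which
    is the CrossFilesystems symptom described in the thread."""
    results = parse_scan_results(log_text)
    return {p: {"device": dev_of(p), "result": results.get(p, "no log entry")}
            for p in test_paths}


def trigger_open(path: str) -> str:
    """Read the file as a viewer would; EPERM from clamd's prevention hook
    shows up here as PermissionError."""
    try:
        with open(path, "rb") as fh:
            fh.read()
        return "opened"
    except PermissionError:
        return "blocked"


# Constructed log lines and device mapping for a stand-alone run.
SAMPLE_LOG = """Wed Aug 31 09:00:01 2016 -> /tmp/eicar-onaccess-test.com: Eicar-Test-Signature FOUND
Aug 31 09:00:02 localhost clamd[13472]: /home/hugo/Documents/minuscule.pdf: OK
"""
SAMPLE_PATHS = ["/tmp/eicar-onaccess-test.com", "/home/hugo/eicar-onaccess-test.com"]
SAMPLE_DEV = lambda p: 1 if p.startswith("/home") else 0

if __name__ == "__main__":
    if len(sys.argv) < 4:
        # No arguments: show the report shape on the constructed sample.
        for path, info in coverage_report(SAMPLE_PATHS, SAMPLE_LOG, SAMPLE_DEV).items():
            print(path, info)
        sys.exit(0)
    eicar_src, log_file, dirs = sys.argv[1], sys.argv[2], sys.argv[3:]
    copies = []
    for d in dirs:                       # one copy per filesystem under test
        dst = os.path.join(d, TEST_NAME)
        shutil.copyfile(eicar_src, dst)
        copies.append(dst)
        print(dst, trigger_open(dst))
    time.sleep(2)                        # give clamd time to scan and log
    with open(log_file) as fh:
        for path, info in coverage_report(copies, fh.read()).items():
            print(path, info)
    for dst in copies:
        os.remove(dst)
```

Invoked as `python3 onaccess_check.py ~/eicar.com /var/log/clamd.scan / /home` (script name hypothetical), two entries with different `device` values but only one non-empty `result` is the cross-filesystem gap Hugo describes; the same report after changing the configuration shows whether the second mount is now covered.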