[Pkg-clamav-devel] Bug#537926: clamav-daemon: clamd does not ignore PUA
Jason Desai
jase at sensis.com
Tue Jul 21 19:13:48 UTC 2009
Package: clamav-daemon
Version: 0.95.2+dfsg-1~volatile1
Severity: normal
clamd is detecting PUA even when it has been configured not to. Notice in the clamd.conf file the option "DetectPUA disabled" is set. Yet, it is still detecting it, making our scanning proxy server detect lots of false positives.
Specifically, here is an example, scanning the file stl-headerfooter.js from
http://images.stltoday.com/stltoday/js/stl-headerfooter.js
$ clamscan stl-headerfooter.js
stl-headerfooter.js: PUA.Script.Packed-9 FOUND
----------- SCAN SUMMARY -----------
Known viruses: 600377
Engine version: 0.95.2
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 0.47 MB
Data read: 0.23 MB (ratio 2.00:1)
Time: 1.702 sec (0 m 1 s)
$ clamdscan -V
ClamAV 0.95.2/9601/Tue Jul 21 10:31:58 2009
From clamav.log:
Tue Jul 21 15:10:18 2009 -> +++ Started at Tue Jul 21 15:10:18 2009
Tue Jul 21 15:10:18 2009 -> clamd daemon 0.95.2 (OS: linux-gnu, ARCH: i386, CPU: i486)
Tue Jul 21 15:10:18 2009 -> Log file size limit disabled.
Tue Jul 21 15:10:18 2009 -> Reading databases from /var/lib/clamav
Tue Jul 21 15:10:18 2009 -> Not loading PUA signatures.
Tue Jul 21 15:10:19 2009 -> Loaded 600377 signatures.
Tue Jul 21 15:10:19 2009 -> LOCAL: Unix socket file /var/run/clamav/clamd.ctl
Tue Jul 21 15:10:19 2009 -> LOCAL: Setting connection queue length to 15
Tue Jul 21 15:10:19 2009 -> Limits: Global size limit set to 104857600 bytes.
Tue Jul 21 15:10:19 2009 -> Limits: File size limit set to 26214400 bytes.
Tue Jul 21 15:10:19 2009 -> Limits: Recursion level limit set to 16.
Tue Jul 21 15:10:19 2009 -> Limits: Files limit set to 10000.
Tue Jul 21 15:10:19 2009 -> Archive support enabled.
Tue Jul 21 15:10:19 2009 -> Algorithmic detection enabled.
Tue Jul 21 15:10:19 2009 -> Portable Executable support enabled.
Tue Jul 21 15:10:19 2009 -> ELF support enabled.
Tue Jul 21 15:10:19 2009 -> Mail files support enabled.
Tue Jul 21 15:10:19 2009 -> OLE2 support enabled.
Tue Jul 21 15:10:19 2009 -> PDF support enabled.
Tue Jul 21 15:10:19 2009 -> HTML support enabled.
Tue Jul 21 15:10:19 2009 -> Self checking every 3600 seconds.
Tue Jul 21 15:10:27 2009 -> /home/jase/stl-headerfooter.js: PUA.Script.Packed-9
Notice that one log entry says that it is not loading PUA signatures, yet, it found PUA.Script.Packed-9.
I suppose it is possible that this is a signature issue, but I'm not sure.
Let me know if you need any additional info. Thanks!
Jason
-- Package-specific info:
--- configuration ---
Checking configuration files in /etc/clamav
Config file: clamd.conf
-----------------------
LogFile = "/var/log/clamav/clamav.log"
LogFileUnlock disabled
LogFileMaxSize disabled
LogTime = "yes"
LogClean disabled
LogSyslog disabled
LogFacility = "LOG_LOCAL6"
LogVerbose disabled
PidFile = "/var/run/clamav/clamd.pid"
TemporaryDirectory = "/tmp"
DatabaseDirectory = "/var/lib/clamav"
LocalSocket = "/var/run/clamav/clamd.ctl"
FixStaleSocket = "yes"
TCPSocket disabled
TCPAddr disabled
MaxConnectionQueueLength = "15"
StreamMaxLength = "10485760"
StreamMinPort = "1024"
StreamMaxPort = "2048"
MaxThreads = "12"
ReadTimeout = "180"
CommandReadTimeout = "5"
SendBufTimeout = "200"
MaxQueue = "100"
IdleTimeout = "30"
ExcludePath disabled
MaxDirectoryRecursion = "15"
FollowDirectorySymlinks disabled
FollowFileSymlinks disabled
SelfCheck = "3600"
VirusEvent disabled
ExitOnOOM disabled
Foreground disabled
Debug disabled
LeaveTemporaryFiles disabled
User = "dansguardian"
AllowSupplementaryGroups = "yes"
DetectPUA disabled
ExcludePUA disabled
IncludePUA disabled
AlgorithmicDetection = "yes"
ScanPE = "yes"
ScanELF = "yes"
DetectBrokenExecutables disabled
ScanMail = "yes"
MailFollowURLs disabled
ScanPartialMessages disabled
PhishingSignatures = "yes"
PhishingScanURLs = "yes"
PhishingAlwaysBlockCloak disabled
PhishingAlwaysBlockSSLMismatch disabled
HeuristicScanPrecedence disabled
StructuredDataDetection disabled
StructuredMinCreditCardCount = "3"
StructuredMinSSNCount = "3"
StructuredSSNFormatNormal = "yes"
StructuredSSNFormatStripped disabled
ScanHTML = "yes"
ScanOLE2 = "yes"
ScanPDF = "yes"
ScanArchive = "yes"
ArchiveBlockEncrypted disabled
MaxScanSize = "104857600"
MaxFileSize = "26214400"
MaxRecursion = "16"
MaxFiles = "10000"
ClamukoScanOnAccess disabled
ClamukoScanOnOpen disabled
ClamukoScanOnClose disabled
ClamukoScanOnExec disabled
ClamukoIncludePath disabled
ClamukoExcludePath disabled
ClamukoMaxFileSize = "5242880"
DevACOnly disabled
DevACDepth disabled
Config file: freshclam.conf
---------------------------
LogFileMaxSize disabled
LogTime disabled
LogSyslog disabled
LogFacility = "LOG_LOCAL6"
LogVerbose disabled
PidFile = "/var/run/clamav/freshclam.pid"
DatabaseDirectory = "/var/lib/clamav/"
Foreground disabled
Debug disabled
AllowSupplementaryGroups disabled
UpdateLogFile = "/var/log/clamav/freshclam.log"
DatabaseOwner = "dansguardian"
Checks = "12"
DNSDatabaseInfo = "current.cvd.clamav.net"
DatabaseMirror = "db.local.clamav.net", "database.clamav.net", "db.us.clamav.net"
MaxAttempts = "5"
ScriptedUpdates = "yes"
CompressLocalDatabase disabled
HTTPProxyServer = "localhost"
HTTPProxyPort = "3128"
HTTPProxyUsername disabled
HTTPProxyPassword disabled
HTTPUserAgent disabled
NotifyClamd = "/etc/clamav/clamd.conf"
OnUpdateExecute disabled
OnErrorExecute disabled
OnOutdatedExecute disabled
LocalIPAddress disabled
ConnectTimeout = "30"
ReceiveTimeout = "30"
SubmitDetectionStats disabled
DetectionStatsCountry disabled
SafeBrowsing disabled
clamav-milter.conf not found
Software settings
-----------------
Version: 0.95.2
Optional features supported: MEMPOOL IPv6 FRESHCLAM_DNS_FIX AUTOIT_EA06 BZIP2
Database directory: /var/lib/clamav/
main.cld: version 51, sigs: 545035, built on Thu May 14 10:28:45 2009
daily.cld: version 9601, sigs: 55961, built on Tue Jul 21 10:31:58 2009
--- data dir ---
total 51240
drwxr-xr-x 2 dansguardian dansguardian 4096 Dec 28 2008 clamav-450f2653f53ec88bf9dd25a9780c5bbf
drwxr-xr-x 2 dansguardian clamav 4096 Jan 9 2008 clamav-6308fea2243378d968625b9539ae74b2
-rw-r--r-- 1 dansguardian clamav 1870864 Jan 9 2008 clamav-97a32efa17261c3fbd2a9133642d240b
drwxr-xr-x 2 dansguardian dansguardian 4096 Dec 21 2008 clamav-f0887c42d7adcb0430925c81b701cca8
-rw-r--r-- 1 dansguardian dansguardian 3431936 Jul 21 11:22 daily.cld
drwxr-xr-x 2 dansguardian dansguardian 4096 May 29 2008 daily.inc
-rw-r--r-- 1 dansguardian dansguardian 47079936 May 14 11:44 main.cld
drwxr-xr-x 2 dansguardian dansguardian 4096 May 29 2008 main.inc
-- System Information:
Debian Release: 5.0.2
Architecture: i386 (i686)
Kernel: Linux 2.6.26-2-686 (SMP w/1 CPU core)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/bash
Versions of packages clamav-daemon depends on:
ii clamav-base 0.95.2+dfsg-1~volatile1 anti-virus utility for Unix - base
ii clamav-freshclam 0.95.2+dfsg-1~volatile1 anti-virus utility for Unix - viru
ii libbz2-1.0 1.0.5-1 high-quality block-sorting file co
ii libc6 2.7-18 GNU C Library: Shared libraries
ii libclamav6 0.95.2+dfsg-1~volatile1 anti-virus utility for Unix - libr
ii libltdl3 1.5.26-4 A system independent dlopen wrappe
ii libncurses5 5.7+20081213-1 shared libraries for terminal hand
ii libtommath0 0.39-3 multiple-precision integer library
ii lsb-base 3.2-20 Linux Standard Base 3.2 init scrip
ii ucf 3.0016 Update Configuration File: preserv
ii zlib1g 1:1.2.3.3.dfsg-12 compression library - runtime
clamav-daemon recommends no packages.
Versions of packages clamav-daemon suggests:
pn clamav-docs <none> (no description available)
pn daemon <none> (no description available)
-- no debconf information
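A small audit script, added here and not part of the bug report or of ClamAV itself, that parses the clamd.conf option dump and the clamav.log line format shown above and flags any detection whose name carries the PUA. prefix while DetectPUA is disabled, which is exactly the mismatch the reporter noticed. The configuration and log samples are constructed from lines in the report (the Eicar line is added for contrast); the option-dump syntax and log syntax are assumed to be as printed by reportbug and clamd in this report.

```python
import re

# Constructed sample: clamd.conf options in the form reportbug printed them above.
CONF_DUMP = """\
LogFile = "/var/log/clamav/clamav.log"
DatabaseDirectory = "/var/lib/clamav"
DetectPUA disabled
ExcludePUA disabled
IncludePUA disabled
AlgorithmicDetection = "yes"
"""

# Constructed sample: clamd log lines in the format shown in the report.
LOG_LINES = """\
Tue Jul 21 15:10:18 2009 -> Reading databases from /var/lib/clamav
Tue Jul 21 15:10:18 2009 -> Not loading PUA signatures.
Tue Jul 21 15:10:19 2009 -> Loaded 600377 signatures.
Tue Jul 21 15:10:19 2009 -> LOCAL: Unix socket file /var/run/clamav/clamd.ctl
Tue Jul 21 15:10:27 2009 -> /home/jase/stl-headerfooter.js: PUA.Script.Packed-9
Tue Jul 21 15:12:03 2009 -> /home/jase/eicar.com: Eicar-Test-Signature
""".splitlines()

CONF_DISABLED_RE = re.compile(r'^(\w+)\s+disabled$')
CONF_VALUE_RE = re.compile(r'^(\w+)\s*=\s*(.*)$')
LOG_RE = re.compile(r'^(?P<ts>\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}) -> (?P<msg>.*)$')
# A detection line is "<path>: <signature-name>" with nothing after the name.
HIT_RE = re.compile(r'^(?P<path>.+?): (?P<sig>\S+)$')

def parse_conf_dump(text):
    """Map option name -> value string, or None for options printed as 'disabled'."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        if m := CONF_DISABLED_RE.match(line):
            opts[m.group(1)] = None
        elif m := CONF_VALUE_RE.match(line):
            opts[m.group(1)] = m.group(2).strip().strip('"')
    return opts

def pua_hits(lines):
    """Return (timestamp, path, signature) for every detection named PUA.*"""
    hits = []
    for line in lines:
        if (m := LOG_RE.match(line)) and (h := HIT_RE.match(m.group("msg"))):
            if h.group("sig").startswith("PUA."):
                hits.append((m.group("ts"), h.group("path"), h.group("sig")))
    return hits

def audit(conf_text, log_lines):
    """List PUA detections that contradict a disabled DetectPUA setting."""
    opts = parse_conf_dump(conf_text)
    if opts.get("DetectPUA") is not None:   # PUA detection is on; nothing to flag
        return []
    skipped = any("Not loading PUA signatures" in l for l in log_lines)
    note = " (log also says PUA signatures were not loaded)" if skipped else ""
    return [f"{ts}: {sig} on {path} although DetectPUA is disabled{note}"
            for ts, path, sig in pua_hits(log_lines)]
```

Run against a real /etc/clamav/clamd.conf dump and clamav.log to confirm whether PUA-named hits still appear after the option is disabled and the daemon has been restarted.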