
The Community Forums


SOLVED Bypassing ClamAV Scan question

Discussion in 'Security' started by Michaelit, Sep 11, 2018.

  1. Michaelit

    Michaelit Active Member

    Joined:
    Aug 5, 2015
    Messages:
    43
    Likes Received:
    5
    Trophy Points:
    8
    Location:
    Italy
    cPanel Access Level:
    Root Administrator
    Dear cPanel members and staff,
    I am facing an issue with a daily ClamAV (scan and delete) cron job and would like to read your suggestions.
    On a daily basis I perform an entire scan of all available accounts. Once a malicious file is found, ClamAV deletes it, and once the whole process completes, a notification message with the results is sent to the email inbox.

    What's the issue here? Today ClamAV deleted files that contain hexadecimal code, reported as "YARA.php_malware_hexinject.UNOFFICIAL FOUND". These files have not been modified.

    Of course, by auto-deleting these files, the websites stop working properly. So the question is: how can I bypass this issue, as otherwise I will have to restore the same files once per day?

    Thank you in advance!
     
  2. rpvw

    rpvw Well-Known Member

    Joined:
    Jul 18, 2013
    Messages:
    1,088
    Likes Received:
    442
    Trophy Points:
    113
    Location:
    Spain
    cPanel Access Level:
    Root Administrator
    Here are a couple of sites with information you might like to look at:

    What is YARA.eval_post.UNOFFICIAL and what should I do about it?
    Whitelisting signatures for Clamav antivirus

    In the case of the second site, you will probably need to create your .ign2 whitelist file in the /usr/local/cpanel/3rdparty/share/clamav folder.

    Do remember that you would then be removing that signature from ALL scans, not just the php files that you are currently having issues with.

    Please Note : - I have NOT tried this, so you will have to experiment at your own risk.

    The one thing that grabs my attention in everything I am reading about clamav detecting YARA code, is that everyone is talking about clamav UNOFFICIAL signature rules. Are you using or including any unofficial rule-sets ? If you are, perhaps you may like to reappraise your choices of the rule-sets you are including in your scans.

    I hope this helps - Good luck
     
  3. Michaelit

    Thank you @rpvw for your response.
    It's true that these "malicious" files were uploaded a long time ago, so it clearly seems that ClamAV updated its signatures for this malware the day before yesterday.
    I use the predefined rule-sets, as I haven't modified anything in particular there. I prefer to avoid changing such rules.

    I would like to be able to whitelist this signature at least for PHP files, as only PHP files were deleted yesterday as "malicious". Is there such a way, or another approach?

    Thank you again!

    Edit: Another approach could be to exclude the directories where these files are located in the ClamAV config and the daily ClamAV scan; however, I believe that this is not a good choice.

    Here is the relevant scan summary:
     
    #3 Michaelit, Sep 11, 2018
    Last edited: Sep 11, 2018
  4. Michaelit

    Maldetect also notified me, with a short delay (24h):

    Code:
    HOST:      _HOSTNAME_
    SCAN ID:   180912-0559.20156
    STARTED:   Sep 12 2018 05:59:25 +0300
    COMPLETED: Sep 12 2018 05:59:43 +0300
    ELAPSED:   18s [find: 1s]
    
    PATH:       
    RANGE:         1 days
    TOTAL FILES:   251
    TOTAL HITS:    4
    TOTAL CLEANED: 0
    
    WARNING: Automatic quarantine is currently disabled, detected threats are still accessible to users!
    To enable, set quarantine_hits=1 and/or to quarantine hits from this scan run:
    /usr/local/sbin/maldet -q 180912-0559.20156
    
    FILE HIT LIST:
    {YARA}php_malware_hexinject : /home/_UNAME_/public_html/components/com_reservations/includes/reservations.fhelper.php
    {YARA}php_malware_hexinject : /home/_UNAME_/public_html/administrator/components/com_reservations/install.reservations.php
    {YARA}php_malware_hexinject : /home/_UNAME_/public_html/administrator/components/com_reservations/includes/reservations.class.php
    {YARA}php_malware_hexinject : /home/_UNAME_/public_html/administrator/components/com_reservations/includes/rc.class.php
    ===============================================
    Linux Malware Detect v1.6.3 < proj@rfxn.com >
    
    Linux Malware Detect (LMD)
     
    #4 Michaelit, Sep 12, 2018
    Last edited by a moderator: Sep 12, 2018
  5. rpvw

    Well, if I saw two different malware detectors both flagging the same files as being infected, I would probably suspend the site pending further investigation.

    • The quick answer is to tell the client to disinfect or remove the infected files before you will reinstate the site.
    • The more ethical answer would perhaps be to download the files and pass them through VirusTotal and then analyse what the issues are.

    Just because you think a recent definitions update is responsible for false positives, doesn't necessarily signify that the detection is in error. It is always possible that the files have been infected or compromised for many months, and the detections have just got better.

    I am seeing a lot of references to a severe XSS and Arbitrary File Upload Vulnerability relating to the com_reservations components from back in 2013 - that doesn't signify that the issues were ever fixed and don't still exist, nor that some new exploitable vector hasn't been discovered.

    It may also be worth while to download a fresh copy of the com_reservations component, and see if the files on the server are the same as the fresh copy (diff them) - this would highlight anything (additional malware code) having been added to the files from one vector or another.

    I sincerely hope, for your sake, that this turns out to be a false positive detection, but I strongly recommend that you treat it as an actual compromise or infection until you are absolutely sure that isn't.
     
    cPanelLauren likes this.
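The "download a fresh copy and diff them" step from the post above, automated, as an added example that is not part of this thread and not code from cPanel, ClamAV or maldet. It hashes every file under the deployed component tree and compares it with the file at the same relative path in a fresh download, reporting modified, added and missing files. It also flags files whose inode change time (ctime) is much newer than their modification time (mtime): an attacker can reset mtime with `touch -r` or utime(), but ctime is set by the kernel on every write, rename or chmod and cannot be set from userland, so an old-looking mtime on its own is weak evidence. A legitimate deployment that preserves timestamps (tar, rsync -a) shows the same gap, so the list is a prompt to look, not proof. The paths in the usage comment and the 60-second threshold are assumptions for the example.

```python
"""Compare a deployed component tree against a pristine copy.

Added example; not code from this thread, from cPanel, or from ClamAV/maldet.
Paths and the 60-second ctime/mtime threshold are assumptions for the example.
"""
from __future__ import annotations

import hashlib
from dataclasses import dataclass, field
from pathlib import Path


@dataclass
class TreeReport:
    modified: list[str] = field(default_factory=list)     # same path, different content
    added: list[str] = field(default_factory=list)        # on the server, not in the clean copy
    missing: list[str] = field(default_factory=list)      # in the clean copy, not on the server
    ctime_newer: list[str] = field(default_factory=list)  # ctime - mtime > threshold


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def _files_by_relpath(root: Path) -> dict[str, Path]:
    # relative POSIX paths so the two trees can be matched entry by entry
    return {p.relative_to(root).as_posix(): p for p in root.rglob("*") if p.is_file()}


def compare_trees(deployed: Path, pristine: Path, ctime_gap_seconds: float = 60.0) -> TreeReport:
    report = TreeReport()
    live = _files_by_relpath(Path(deployed))
    clean = _files_by_relpath(Path(pristine))
    for rel in sorted(set(live) | set(clean)):
        if rel not in clean:
            report.added.append(rel)
        elif rel not in live:
            report.missing.append(rel)
        elif sha256_file(live[rel]) != sha256_file(clean[rel]):
            report.modified.append(rel)
        if rel in live:
            st = live[rel].stat()
            # mtime can be forged from userland; ctime cannot (short of moving the clock)
            if st.st_ctime - st.st_mtime > ctime_gap_seconds:
                report.ctime_newer.append(rel)
    return report


if __name__ == "__main__":
    import sys
    # usage (assumed paths):
    #   python3 compare_trees.py /home/USER/public_html/components/com_reservations ./fresh/com_reservations
    r = compare_trees(Path(sys.argv[1]), Path(sys.argv[2]))
    for label, names in (("MODIFIED", r.modified), ("ADDED", r.added),
                         ("MISSING", r.missing), ("CTIME>MTIME", r.ctime_newer)):
        for n in names:
            print(f"{label:12} {n}")
```

Run it once per component against the archive you actually downloaded from the vendor; an ADDED hit inside a component directory (a file the vendor never shipped) is the classic webshell placement, and a MODIFIED hit tells you exactly which file to open in the diff viewer.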
  6. Michaelit

    Thank you @rpvw for your time. What can I say? I totally agree with exactly what you've written.
    I list below what I have already done.
    1. First of all I checked the modification date and time for all these files. Nothing strange here.
    2. I checked the differences using KDiff3, with exactly the same results as above.
    3. Most importantly, I am really familiar with these files, as I have developed these sites, so I know in which piece of code this rule-set has been triggered.
    4. I also checked them using the VirusTotal link as you guided me. I have uploaded an image of it. Nothing suspicious!

    It's hard to set these sites offline, as I have developed them!

    Can you please send me more details on that?

    I don't really know how I can bypass it. A temporary solution is the whitelist. What if these files are modified in the future by a 'third' hand? The whitelisted rule-set won't be triggered.
     


  7. rpvw

    You may want to work with the ClamAV developers (It is likely that your Maldetect is using the ClamAV engine to scan for malware anyway), and report your false positives for appraisal at ClamavNet

    Meanwhile, you may like to explore a temporary solution by using the
    Code:
    clamscan 
    --exclude=REGEX, --exclude-dir=REGEX
                  Don’t scan file/directory names matching regular expression. These options can be used multiple times.
    
    
    options in your cron call. See man clamscan for other options

    Perhaps something like the call
    Code:
    # the pattern is an unanchored regex matched against each directory path;
    # a trailing "." would require one more character after the name and so
    # miss the com_reservations directory itself (only its subdirectories)
    clamscan -r /home --exclude-dir='/com_reservations'
    might do the trick ?
     
    #7 rpvw, Sep 12, 2018
    Last edited: Sep 12, 2018
    cPanelLauren likes this.
  8. Michaelit

    I already did that! Thank you! I really hope to find a solution.
    I will keep you informed!

    I simply deleted the --remove flag from the clamscan line, in order to avoid restoring the infected files once per day, and I also changed the quarantine_hits parameter in the maldetect conf file to 0. 0 means notify me, and 1 means move the infected file to quarantine.

    Unfortunately there are more files, placed in different directories than the reservations ones.
     
    #8 Michaelit, Sep 12, 2018
    Last edited: Sep 12, 2018
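Post #6 asks what happens when a whitelisted file is later edited by a "third hand", and posts #7 and #8 settle on dropping --remove / quarantine_hits=1 and excluding directories. The script below is an added example, not code from this thread, from cPanel, or from ClamAV/maldet, showing a third option that answers the post #6 concern: run the scanners in report-only mode, then filter their output so a hit is suppressed only while the file still hashes to a value you reviewed. An .ign2 entry silences the signature for every file on the server, and --exclude-dir stops scanning the directory (new files included), but a (path, sha256) pin stops matching the moment the file changes. The allowlist format is an assumption: one "<sha256>  <absolute path>" line as `sha256sum` prints it, with "#" comments, kept root-readable only. It parses both the clamscan line format ("path: SIGNATURE FOUND") and the maldet hit-list format shown in post #4.

```python
"""Post-scan filter: suppress a hit only while the file still matches a reviewed hash.

Added example; not code from this thread, from cPanel, or from ClamAV/maldet.
Assumed workflow: cron runs clamscan without --remove (and maldet with
quarantine_hits=0), pipes the output through this script, and mails only
the hits that survive. Allowlist format (assumed): "<sha256>  <absolute path>".
"""
from __future__ import annotations

import hashlib
import re
import sys
from pathlib import Path

# clamscan: "/path/file.php: YARA.php_malware_hexinject.UNOFFICIAL FOUND"
CLAMSCAN_HIT = re.compile(r"^(?P<path>.+?): (?P<sig>\S+) FOUND$")
# maldet hit list: "{YARA}php_malware_hexinject : /path/file.php"
MALDET_HIT = re.compile(r"^(?P<sig>\{[A-Za-z]+\}\S+) : (?P<path>.+)$")


def parse_hits(scan_output: str) -> list[tuple[str, str]]:
    """Return (path, signature) pairs; summary lines and blanks are ignored."""
    hits = []
    for line in scan_output.splitlines():
        line = line.strip()
        m = CLAMSCAN_HIT.match(line) or MALDET_HIT.match(line)
        if m:
            hits.append((m.group("path"), m.group("sig")))
    return hits


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def load_allowlist(text: str) -> dict[str, str]:
    """Map absolute path -> pinned sha256 (lowercase hex); sha256sum-style lines."""
    allow = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, path = line.partition("  ")
        if len(digest) == 64 and path:
            allow[path] = digest.lower()
    return allow


def filter_hits(hits: list[tuple[str, str]], allow: dict[str, str]):
    """Split hits into (suppressed, actionable).

    A hit is suppressed only if its path is allowlisted AND the file on disk
    currently hashes to the pinned value. A modified, replaced or missing
    allowlisted file is actionable again, as is anything not on the list.
    """
    suppressed, actionable = [], []
    for path, sig in hits:
        pinned = allow.get(path)
        p = Path(path)
        if pinned and p.is_file() and sha256_file(p) == pinned:
            suppressed.append((path, sig))
        else:
            actionable.append((path, sig))
    return suppressed, actionable


if __name__ == "__main__":
    # usage (assumed paths): clamscan -r -i /home | python3 filter_hits.py /root/clam-allowlist.sha256
    allow = load_allowlist(Path(sys.argv[1]).read_text())
    suppressed, actionable = filter_hits(parse_hits(sys.stdin.read()), allow)
    for path, sig in actionable:
        print(f"ALERT {sig} {path}")
    print(f"{len(actionable)} actionable, {len(suppressed)} suppressed by hash allowlist",
          file=sys.stderr)
    sys.exit(1 if actionable else 0)
```

Regenerate a pin with `sha256sum /path/to/file.php >> /root/clam-allowlist.sha256` only after you have diffed the file against a clean copy; the point of the pin is that nobody, including a future you, gets silence for free once the content changes.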
  9. cPanelLauren

    cPanelLauren Forums Analyst II Staff Member

    Joined:
    Nov 14, 2017
    Messages:
    6,124
    Likes Received:
    473
    Trophy Points:
    233
    Location:
    Houston
    cPanel Access Level:
    DataCenter Provider
    @rpvw the advice you're providing here is accurate and detailed - thank you very much for your help with this one.


    I was under the impression that the YARA related stuff was not official as well but based on this thread and another I've had today it would seem that it has been included into ClamAV's signatures.

    What version of the virusdefs are on your server? For example mine:

    Code:
    rpm -qa cpanel-clamav-virusdefs
    cpanel-clamav-virusdefs-0.100.0-1.cp1170.x86_64
     
  10. rpvw

    On my server cPanel v74.0.6
    Code:
    rpm -qa cpanel-clamav-virusdefs
    cpanel-clamav-virusdefs-0.100.0-1.cp1170.x86_64
    OK, just a thought here ......

    We all know that we are not running the very latest version of the ClamAV engine (mine is cpanel-clamav-0.100.0-1.cp1170.x86_64 and the latest un-cPanel'd (is that a word? ) build is 0.100.1 , so I wonder if the definitions are providing false positives with the older core?

    **EDIT**

    The following statement from ClamAV FAQ might be worth taking into account
     
    #10 rpvw, Sep 12, 2018
    Last edited: Sep 12, 2018
    cPanelLauren likes this.
  11. Michaelit

    I confirm exactly the same virus definitions:

    cPanel v74.0.6 - Centos 6.10
    Code:
    rpm -qa cpanel-clamav-virusdefs
    cpanel-clamav-virusdefs-0.100.0-1.cp1170.x86_64
    
     
  12. Michaelit

    After reporting the false positives to ClamavNet for appraisal, this issue has been marked as solved. Thank you @rpvw for the support.
     
    cPanelLauren likes this.