SOLVED Bypassing ClamAV Scan question

Michaelit
Dear cPanel members and staff,
I face an issue with a daily ClamAV (scan and delete) cron job and I would like to read your suggestions.
On a daily basis I perform an entire scan of all available accounts. Once a malicious file is found, ClamAV deletes it, and once the whole process completes, a notification message is sent to the email inbox with the results!

What's the issue here? ClamAV deleted files today that contain hexadecimal code inside, as YARA.php_malware_hexinject.UNOFFICIAL FOUND! These files have not been modified.

Of course, by auto-deleting these files, websites stop working properly. So the question is how I can bypass this issue, as I will have to restore the same files once per day!

Thank you in advance!

rpvw
Here are a couple of sites with information you might like to look at:

What is YARA.eval_post.UNOFFICIAL and what should I do about it?
Whitelisting signatures for Clamav antivirus

In the case of the second site, you will probably need to create your .ign2 whitelist file in the /usr/local/cpanel/3rdparty/share/clamav folder.

Do remember that you would then be removing that signature from ALL scans, not just the php files that you are currently having issues with.

Please note: I have NOT tried this, so you will have to experiment at your own risk.

The one thing that grabs my attention in everything I am reading about ClamAV detecting YARA code is that everyone is talking about ClamAV UNOFFICIAL signature rules. Are you using or including any unofficial rule-sets? If you are, perhaps you may like to reappraise your choices of the rule-sets you are including in your scans.

I hope this helps - Good luck

Michaelit
Thank you @rpvw for your response.
It's true that these "malicious" files were uploaded a long time ago, so it clearly seems ClamAV updated its signature for this malware the day before yesterday.
I use the predefined rule-sets, as I haven't modified anything in particular there. I prefer to avoid changing such rules.

I would like to be able to whitelist this signature at least in PHP files, as only PHP files were deleted yesterday as "malicious"! Is there such a way, or another approach?

Thank you again!

Edit: Another approach could be to exclude the directories where these files are located in the ClamAV config and the daily ClamAV scan; however, I believe that it's not a good choice.

Here is a relevant scan summary:
----------- SCAN SUMMARY -----------
Known viruses: 6657511
Engine version: 0.100.0
Scanned directories: 501
Scanned files: 3082
Infected files: 0
Data scanned: 44.44 MB
Data read: 23.44 MB (ratio 1.90:1)
Time: 56.423 sec (0 m 56 s)
/home/_UNAME_/public_html/components/com_reservations/includes/reservations.fhelper.php: YARA.php_malware_hexinject.UNOFFICIAL FOUND
/home/_UNAME_/public_html/components/com_reservations/includes/reservations.fhelper.php: Removed.
/home/_UNAME_/public_html/administrator/components/com_reservations/install.reservations.php: YARA.php_malware_hexinject.UNOFFICIAL FOUND
/home/_UNAME_/public_html/administrator/components/com_reservations/install.reservations.php: Removed.
/home/_UNAME_/public_html/administrator/components/com_reservations/includes/reservations.class.php: YARA.php_malware_hexinject.UNOFFICIAL FOUND
/home/_UNAME_/public_html/administrator/components/com_reservations/includes/reservations.class.php: Removed.
/home/_UNAME_/public_html/administrator/components/com_reservations/includes/rc.class.php: YARA.php_malware_hexinject.UNOFFICIAL FOUND
/home/_UNAME_/public_html/administrator/components/com_reservations/includes/rc.class.php: Removed.

Michaelit
Maldetect also notified me, with a short delay (24h):

Code:
HOST:      _HOSTNAME_
SCAN ID:   180912-0559.20156
STARTED:   Sep 12 2018 05:59:25 +0300
COMPLETED: Sep 12 2018 05:59:43 +0300
ELAPSED:   18s [find: 1s]

PATH:       
RANGE:         1 days
TOTAL FILES:   251
TOTAL HITS:    4
TOTAL CLEANED: 0

WARNING: Automatic quarantine is currently disabled, detected threats are still accessible to users!
To enable, set quarantine_hits=1 and/or to quarantine hits from this scan run:
/usr/local/sbin/maldet -q 180912-0559.20156

FILE HIT LIST:
{YARA}php_malware_hexinject : /home/_UNAME_/public_html/components/com_reservations/includes/reservations.fhelper.php
{YARA}php_malware_hexinject : /home/_UNAME_/public_html/administrator/components/com_reservations/install.reservations.php
{YARA}php_malware_hexinject : /home/_UNAME_/public_html/administrator/components/com_reservations/includes/reservations.class.php
{YARA}php_malware_hexinject : /home/_UNAME_/public_html/administrator/components/com_reservations/includes/rc.class.php
===============================================
Linux Malware Detect v1.6.3 < [email protected] >
Linux Malware Detect (LMD)

rpvw
Well, if I saw two different malware detectors both flagging the same files as being infected, I would probably suspend the site pending further investigation.

  • The quick answer is to tell the client to disinfect or remove the infected files before you will reinstate the site.
  • The more ethical answer would perhaps be to download the files and pass them through VirusTotal and then analyse what the issues are.

Just because you think a recent definitions update is responsible for false positives, doesn't necessarily signify that the detection is in error. It is always possible that the files have been infected or compromised for many months, and the detections have just got better.

I am seeing a lot of references to a severe XSS and Arbitrary File Upload Vulnerability relating to the com_reservations components from back in 2013 - that doesn't signify that the issues were ever fixed and don't still exist, nor that some new exploitable vector hasn't been discovered.

It may also be worthwhile to download a fresh copy of the com_reservations component and see if the files on the server are the same as the fresh copy (diff them). This would highlight anything (additional malware code) having been added to the files from one vector or another.

I sincerely hope, for your sake, that this turns out to be a false positive detection, but I strongly recommend that you treat it as an actual compromise or infection until you are absolutely sure that isn't.
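The "download a fresh copy and diff them" step above, as an added shell example that is not code from the thread: it hashes the vendor copy and the live copy and classifies every file, so a later edit to a file (even one whose signature has been whitelisted) still surfaces as MODIFIED. The demo trees and file names are constructed; it assumes GNU coreutils (sha256sum, join) and paths without spaces.

```shell
#!/bin/sh
# Added example, not from the thread: hash a freshly downloaded copy of a
# component and the live copy, then classify every file. Paths with spaces
# are not handled; needs GNU coreutils (sha256sum, join).
export LC_ALL=C

# Print "sha256  relative/path" for every regular file under $1, sorted by path.
tree_hashes() {
    ( cd "$1" && find . -type f -exec sha256sum {} + | sed 's#  \./#  #' | sort -k2 )
}

# MODIFIED: same path, different content (this is where injected code lands).
# ADDED: only on the server (dropped files). MISSING: shipped but gone.
# Usage: compare_trees FRESH_DIR LIVE_DIR
compare_trees() {
    fresh=$(mktemp); live=$(mktemp)
    tree_hashes "$1" > "$fresh"
    tree_hashes "$2" > "$live"
    # outer join on the path (field 2); -e fills the side where a file is absent
    join -j2 -a1 -a2 -e ABSENT -o 0,1.1,2.1 "$fresh" "$live" |
    while read -r path h1 h2; do
        if   [ "$h1" = ABSENT ]; then echo "ADDED $path"
        elif [ "$h2" = ABSENT ]; then echo "MISSING $path"
        elif [ "$h1" != "$h2" ]; then echo "MODIFIED $path"
        fi
    done
    rm -f "$fresh" "$live"
}

# Constructed demo trees (not real com_reservations code): the live side has
# one appended line in a helper, one extra file, and one vendor file removed.
build_demo() {
    d="$1"
    for side in fresh live; do
        mkdir -p "$d/$side/includes"
        printf '<?php // helper\n' > "$d/$side/includes/reservations.fhelper.php"
        printf '<?php // entry\n' > "$d/$side/reservations.php"
    done
    printf '<?php // helper\n// appended later\n' > "$d/live/includes/reservations.fhelper.php"
    printf '<?php // not from vendor\n' > "$d/live/includes/extra.php"
    rm "$d/live/reservations.php"
}

# Run the comparison on the demo trees and print one line per finding.
demo() {
    base=$(mktemp -d)
    build_demo "$base"
    compare_trees "$base/fresh" "$base/live"
    rm -rf "$base"
}
```

On a real server, run `compare_trees /path/to/fresh/com_reservations /home/USER/public_html/components/com_reservations` and read every MODIFIED or ADDED PHP file before deciding it is a false positive.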

Michaelit
Thank you @rpvw for your time. What can I say? I totally agree with exactly what you've written.
Below I list what I have already done.
  1. First of all, I checked the modification date and time for all these files. Nothing strange here.
  2. I checked the differences using KDiff3, with exactly the same results as above.
  3. The most important thing is that I am really familiar with these files, as I have developed these sites, so I know in which piece of code this rule-set has been triggered.
  4. I also checked them using the VirusTotal link, as you guided me. I have uploaded an image about it. Nothing suspicious!

It's hard to set these sites offline, as I have developed them!

I am seeing a lot of references to a severe XSS and Arbitrary File Upload Vulnerability relating to the com_reservations components from back in 2013 - that doesn't signify that the issues were ever fixed and don't still exist, nor that some new exploitable vector hasn't been discovered.
Can you please send me more details about that?

I don't really know how I can bypass it. A temporary solution is the whitelist. What if these files are modified in the future by a 'third' hand? The whitelisted rule-set won't be triggered.

rpvw
You may want to work with the ClamAV developers (it is likely that your Maldetect is using the ClamAV engine to scan for malware anyway), and report your false positives for appraisal at ClamavNet.

Meanwhile, you may like to explore a temporary solution by using the
Code:
clamscan
--exclude=REGEX, --exclude-dir=REGEX
              Don't scan file/directory names matching regular expression. These options can be used multiple times.
options in your cron call. See man clamscan for other options.

Perhaps something like the call
Code:
clamscan -r /home --exclude-dir=\/com_reservations.
might do the trick?
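Putting the .ign2 whitelist mentioned earlier in the thread together with the --exclude-dir, no --remove approach above, as an added shell example (not rpvw's or cPanel's code). It assumes the cPanel database directory rpvw named (override with CLAMDB), that local files there survive definition updates, and GNU grep; local.ign2 is the whitelist file name ClamAV's own documentation uses.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes cPanel's ClamAV database
# directory as named by rpvw (override with CLAMDB) and that local files there
# survive definition updates. local.ign2 is the whitelist file name ClamAV's
# documentation uses; any *.ign2 in the database directory is loaded.
CLAMDB="${CLAMDB:-/usr/local/cpanel/3rdparty/share/clamav}"
LOCAL_IGN2="${LOCAL_IGN2:-$CLAMDB/local.ign2}"

# Add one signature name per line to the whitelist; repeat calls are no-ops.
# This silences the signature for ALL scans, not only for PHP files.
whitelist_sig() {
    mkdir -p "$(dirname "$LOCAL_IGN2")"
    touch "$LOCAL_IGN2"
    grep -qxF -- "$1" "$LOCAL_IGN2" || printf '%s\n' "$1" >> "$LOCAL_IGN2"
}

# Report-only recursive scan of /home for the cron job: no --remove, so a
# false positive cannot take a site down; -i lists only flagged files and
# --log keeps the report. Every argument after the log path becomes an
# --exclude-dir regex. Exit status is clamscan's: 0 clean, 1 hits, 2 error.
daily_scan() {
    log="$1"; shift
    n=$#
    while [ "$n" -gt 0 ]; do
        set -- "$@" "--exclude-dir=$1"; shift; n=$((n - 1))
    done
    clamscan -r -i --log="$log" "$@" /home
}

# Cron usage (not executed here):
#   whitelist_sig YARA.php_malware_hexinject.UNOFFICIAL
#   daily_scan /var/log/clamscan-daily.log '/com_reservations/'
```

Because the scan only reports, keep the hash comparison (or a file-integrity baseline) in place so that a real later modification of the whitelisted files is still noticed.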

Michaelit
I already did that! Thank you! I really hope to find a solution.
I will keep you informed!

I simply deleted the --remove flag from the clamscan line in order to avoid restoring the infected files once per day, and I also changed the parameter quarantine_hits in the maldetect conf file to 0. 0 means notify me and 1 means move the infected file to quarantine.

Unfortunately there are more files, placed in different directories than the reservations ones.

cPanelLauren
@rpvw the advice you're providing here is accurate and detailed - thank you very much for your help with this one.


I was under the impression that the YARA related stuff was not official as well but based on this thread and another I've had today it would seem that it has been included into ClamAV's signatures.

What version of the virusdefs are on your server? For example mine:

Code:
rpm -qa cpanel-clamav-virusdefs
cpanel-clamav-virusdefs-0.100.0-1.cp1170.x86_64

rpvw
On my server (cPanel v74.0.6):
Code:
rpm -qa cpanel-clamav-virusdefs
cpanel-clamav-virusdefs-0.100.0-1.cp1170.x86_64
OK, just a thought here...

We all know that we are not running the very latest version of the ClamAV engine (mine is cpanel-clamav-0.100.0-1.cp1170.x86_64 and the latest un-cPanel'd (is that a word?) build is 0.100.1), so I wonder if the definitions are providing false positives with the older core?

**EDIT**

The following statement from ClamAV FAQ might be worth taking into account
The last CVD update detects a lot of false positives on my system. Why?
Before publishing a CVD update, we test it for false positives using the latest stable release of ClamAV. If you want to avoid problems with false positives, you must run the latest stable version of ClamAV.