files_antivirus
Trouble Syncing PDF Library - 415 Unsupported Media Type/Virus PUA.pdf.Trojan.EmbeddedJavascript-1
Describe the bug
I run Nextcloud in a Docker container on my Linux server and use ClamAV running in a separate container to scan the files, via the "Antivirus for files" (2.1.1) app. I use Nextcloud to sync a large library of academic PDFs; however, for some reason a significant number of my PDF files are being incorrectly marked as being infected with a Trojan virus and then will not sync. When this happens I receive the error "415 Unsupported Media Type" to "PUT filename.pdf" (PUA.Pdf.Trojan.EmbeddedJavaScript-1 is detected. Upload cannot be completed). These files are seemingly no different than other PDFs that sync with no trouble and they are the same file type (obviously). I've also tested them with multiple other virus scanners and they are clean. My Antivirus for files settings are Mode: Daemon, Stream Length: 26214400 bytes, When infected files are found during a background scan: only log.
Does anyone have any idea how I can fix this without completely disabling my antivirus?
To Reproduce Add certain pdfs to synced folder.
Expected behavior That the pdf will be scanned by the antivirus program and then sync.
Actual behavior The files will not sync and receive a false Trojan positive.
Server configuration
Operating system: Windows, Linux, MacOS... Linux Docker
Web server: Nginx
Database: MariaDB
PHP version: 7.2.19
Nextcloud version: 16.0.4
Contacts version: (see Nextcloud apps page) 3.1.3
Updated from an older Nextcloud or fresh install: Existing install
Signing status:
No errors have been found.
List of activated apps:
- accessibility: 1.2.0
- activity: 2.9.1
- audioplayer: 2.8.4
- bruteforcesettings: 1.4.0
- calendar: 1.7.1
- cloud_federation_api: 0.2.0
- contacts: 3.1.3
- dav: 1.9.2
- federatedfilesharing: 1.6.0
- federation: 1.6.0
- files: 1.11.0
- files_antivirus: 2.1.1
- files_external: 1.7.0
- files_pdfviewer: 1.5.0
- files_rightclick: 0.15.1
- files_sharing: 1.8.0
- files_texteditor: 2.8.0
- files_trashbin: 1.6.0
- files_versions: 1.9.0
- files_videoplayer: 1.5.0
- firstrunwizard: 2.5.0
- gallery: 18.3.0
- logreader: 2.1.0
- lookup_server_connector: 1.4.0
- nextcloud_announcements: 1.5.0
- notes: 3.0.2
- notifications: 2.4.1
- oauth2: 1.4.2
- password_policy: 1.6.0
- phonetrack: 0.5.2
- polls: 0.10.2
- privacy: 1.0.0
- provisioning_api: 1.6.0
- recommendations: 0.4.0
- richdocuments: 3.4.1
- serverinfo: 1.6.0
- sharebymail: 1.6.0
- spreed: 6.0.4
- support: 1.0.0
- survey_client: 1.4.0
- systemtags: 1.6.0
- tasks: 0.11.1
- theming: 1.7.0
- twofactor_backupcodes: 1.5.0
- twofactor_totp: 3.0.1
- unsplash: 1.1.3
- updatenotification: 1.6.0
- viewer: 1.1.0
- workflowengine: 1.6.0
Disabled:
- admin_audit
- comments
- encryption
- user_ldap
Nextcloud configuration:
{
"system": {
"memcache.local": "\\OC\\Memcache\\APCu",
"filelocking.enabled": "true",
"memcache.locking": "\\OC\\Memcache\\Redis",
"redis": {
"host": "***REMOVED SENSITIVE VALUE***",
"port": 6379,
"timeout": 0
},
"datadirectory": "***REMOVED SENSITIVE VALUE***",
"instanceid": "***REMOVED SENSITIVE VALUE***",
"passwordsalt": "***REMOVED SENSITIVE VALUE***",
"secret": "***REMOVED SENSITIVE VALUE***",
"trusted_domains": [
"192.168.1.107:444",
"nextcloud.my.page",
"collabora.my.page"
],
"trusted_proxies": "***REMOVED SENSITIVE VALUE***",
"overwrite.cli.url": "https:\/\/nextcloud.my.page",
"overwritehost": "nextcloud.my.page",
"overwriteprotocol": "https",
"dbtype": "mysql",
"version": "16.0.4.1",
"dbname": "***REMOVED SENSITIVE VALUE***",
"dbhost": "***REMOVED SENSITIVE VALUE***",
"dbport": "",
"dbtableprefix": "oc_",
"mysql.utf8mb4": true,
"dbuser": "***REMOVED SENSITIVE VALUE***",
"dbpassword": "***REMOVED SENSITIVE VALUE***",
"installed": true,
"mail_from_address": "***REMOVED SENSITIVE VALUE***",
"mail_smtpmode": "smtp",
"mail_sendmailmode": "smtp",
"mail_domain": "***REMOVED SENSITIVE VALUE***",
"mail_smtpauthtype": "LOGIN",
"mail_smtpauth": 1,
"mail_smtphost": "***REMOVED SENSITIVE VALUE***",
"mail_smtpport": "465",
"mail_smtpsecure": "ssl",
"mail_smtpname": "***REMOVED SENSITIVE VALUE***",
"mail_smtppassword": "***REMOVED SENSITIVE VALUE***",
"maintenance": false,
"theme": "",
"loglevel": 0,
"twofactor_enforced": "true",
"twofactor_enforced_groups": [],
"twofactor_enforced_excluded_groups": [],
"ldapIgnoreNamingRules": false,
"ldapProviderFactory": "OCA\\User_LDAP\\LDAPProviderFactory"
}
}
Client configuration
Browser: Brave/Firefox
Operating system: MacOS
CardDAV-clients: Joplin Fantastical MacOS contacts & calendars iOS contacts & calendars Thunderbird
Logs
Web server error log
Debug | core | SCSSCacher: /apps/privacy/css/style.scss compiled and successfully cached | | 2019-09-10T15:09:27-0400
-- | -- | -- | -- | --
Debug | cron | Finished OCA\Spreed\BackgroundJob\RemoveEmptyRooms job with ID 17608 in 0 seconds | | 2019-09-10T15:00:06-0400
Debug | cron | Run OCA\Spreed\BackgroundJob\RemoveEmptyRooms job with ID 17608 | | 2019-09-10T15:00:06-0400
Debug | cron | Finished OCA\Spreed\BackgroundJob\ExpireSignalingMessage job with ID 17607 in 0 seconds | | 2019-09-10T15:00:06-0400
Debug | cron | Run OCA\Spreed\BackgroundJob\ExpireSignalingMessage job with ID 17607 | | 2019-09-10T15:00:06-0400
Debug | cron | Finished OCA\UpdateNotification\ResetTokenBackgroundJob job with ID 98 in 0 seconds | | 2019-09-10T15:00:06-0400
Debug | cron | Run OCA\UpdateNotification\ResetTokenBackgroundJob job with ID 98 | | 2019-09-10T15:00:06-0400
Debug | cron | Finished OCA\Files_Antivirus\BackgroundJob\BackgroundScanner job with ID 32 in 5 seconds | | 2019-09-10T15:00:06-0400
Fatal | files_antivirus | File is infected. PUA.Pdf.Trojan.EmbeddedJavaScript-1 File: 306999Account: zandrsn Path: /zandrsn/files/Work/Reading/Bookends/Attachments/Everything/Full_Database/Cole 2017 Objectives, ownershi nextcloud/contacts#3.pdf | | 2019-09-10T15:00:05-0400
Debug | files_antivirus | Response :: stream: PUA.Pdf.Trojan.EmbeddedJavaScript-1 FOUND | | 2019-09-10T15:00:05-0400
Debug | files_antivirus | Scan is done File: 306999 Account: zandrsn Path: /zandrsn/files/Work/Reading/Bookends/Attachments/Everything/Full_Database/Cole 2017 Objectives, ownershi nextcloud/contacts#3.pdf | | 2019-09-10T15:00:05-0400
Debug | files_antivirus | Scan started File: 306999 Account: zandrsn Path: /zandrsn/files/Work/Reading/Bookends/Attachments/Everything/Full_Database/Cole 2017 Objectives, ownershi nextcloud/contacts#3.pdf | | 2019-09-10T15:00:05-0400
Fatal | files_antivirus | File is infected. PUA.Pdf.Trojan.EmbeddedJavaScript-1 File: 306998Account: zandrsn Path: /zandrsn/files/Work/Reading/Bookends/Attachments/Everything/Full_Database/Clifton 2017 Extracting ideolo.pdf |
Nextcloud log
data/nextcloud.log
{"reqId":"1pTy08bwgQUGpr14lB7F","level":0,"time":"2019-09-10T19:00:05+00:00","remoteAddr":"","user":"--","app":"files_antivirus","method":"","url":"--","message":"Scan started File: 306998 Account: zandrsn Path: \/zandrsn\/files\/Work\/Reading\/Bookends\/Attachments\/Everything\/Full_Database\/Clifton 2017 Extracting ideolo.pdf","userAgent":"--","version":"16.0.4.1"}
{"reqId":"1pTy08bwgQUGpr14lB7F","level":0,"time":"2019-09-10T19:00:05+00:00","remoteAddr":"","user":"--","app":"files_antivirus","method":"","url":"--","message":"Scan is done File: 306998 Account: zandrsn Path: \/zandrsn\/files\/Work\/Reading\/Bookends\/Attachments\/Everything\/Full_Database\/Clifton 2017 Extracting ideolo.pdf","userAgent":"--","version":"16.0.4.1"}
{"reqId":"1pTy08bwgQUGpr14lB7F","level":0,"time":"2019-09-10T19:00:05+00:00","remoteAddr":"","user":"--","app":"files_antivirus","method":"","url":"--","message":"Response :: stream: PUA.Pdf.Trojan.EmbeddedJavaScript-1 FOUND\n","userAgent":"--","version":"16.0.4.1"}
{"reqId":"1pTy08bwgQUGpr14lB7F","level":4,"time":"2019-09-10T19:00:05+00:00","remoteAddr":"","user":"--","app":"files_antivirus","method":"","url":"--","message":"File is infected. PUA.Pdf.Trojan.EmbeddedJavaScript-1 File: 306998Account: zandrsn Path: \/zandrsn\/files\/Work\/Reading\/Bookends\/Attachments\/Everything\/Full_Database\/Clifton 2017 Extracting ideolo.pdf","userAgent":"--","version":"16.0.4.1"}
{"reqId":"1pTy08bwgQUGpr14lB7F","level":0,"time":"2019-09-10T19:00:05+00:00","remoteAddr":"","user":"--","app":"files_antivirus","method":"","url":"--","message":"Scan started File: 306999 Account: zandrsn Path: \/zandrsn\/files\/Work\/Reading\/Bookends\/Attachments\/Everything\/Full_Database\/Cole 2017 Objectives, ownershi nextcloud/contacts#3.pdf","userAgent":"--","version":"16.0.4.1"}
{"reqId":"1pTy08bwgQUGpr14lB7F","level":0,"time":"2019-09-10T19:00:05+00:00","remoteAddr":"","user":"--","app":"files_antivirus","method":"","url":"--","message":"Scan is done File: 306999 Account: zandrsn Path: \/zandrsn\/files\/Work\/Reading\/Bookends\/Attachments\/Everything\/Full_Database\/Cole 2017 Objectives, ownershi nextcloud/contacts#3.pdf","userAgent":"--","version":"16.0.4.1"}
{"reqId":"1pTy08bwgQUGpr14lB7F","level":0,"time":"2019-09-10T19:00:05+00:00","remoteAddr":"","user":"--","app":"files_antivirus","method":"","url":"--","message":"Response :: stream: PUA.Pdf.Trojan.EmbeddedJavaScript-1 FOUND\n","userAgent":"--","version":"16.0.4.1"}
{"reqId":"1pTy08bwgQUGpr14lB7F","level":4,"time":"2019-09-10T19:00:05+00:00","remoteAddr":"","user":"--","app":"files_antivirus","method":"","url":"--","message":"File is infected. PUA.Pdf.Trojan.EmbeddedJavaScript-1 File: 306999Account: zandrsn Path: \/zandrsn\/files\/Work\/Reading\/Bookends\/Attachments\/Everything\/Full_Database\/Cole 2017 Objectives, ownershi nextcloud/contacts#3.pdf","userAgent":"--","version":"16.0.4.1"}
{"reqId":"1pTy08bwgQUGpr14lB7F","level":0,"time":"2019-09-10T19:00:06+00:00","remoteAddr":"","user":"--","app":"cron","method":"","url":"--","message":"Finished OCA\\Files_Antivirus\\BackgroundJob\\BackgroundScanner job with ID 32 in 5 seconds","userAgent":"--","version":"16.0.4.1"}
{"reqId":"1pTy08bwgQUGpr14lB7F","level":0,"time":"2019-09-10T19:00:06+00:00","remoteAddr":"","user":"--","app":"cron","method":"","url":"--","message":"Run OCA\\UpdateNotification\\ResetTokenBackgroundJob job with ID 98","userAgent":"--","version":"16.0.4.1"}
{"reqId":"1pTy08bwgQUGpr14lB7F","level":0,"time":"2019-09-10T19:00:06+00:00","remoteAddr":"","user":"--","app":"cron","method":"","url":"--","message":"Finished OCA\\UpdateNotification\\ResetTokenBackgroundJob job with ID 98 in 0 seconds","userAgent":"--","version":"16.0.4.1"}
{"reqId":"1pTy08bwgQUGpr14lB7F","level":0,"time":"2019-09-10T19:00:06+00:00","remoteAddr":"","user":"--","app":"cron","method":"","url":"--","message":"Run OCA\\Spreed\\BackgroundJob\\ExpireSignalingMessage job with ID 17607","userAgent":"--","version":"16.0.4.1"}
{"reqId":"1pTy08bwgQUGpr14lB7F","level":0,"time":"2019-09-10T19:00:06+00:00","remoteAddr":"","user":"--","app":"cron","method":"","url":"--","message":"Finished OCA\\Spreed\\BackgroundJob\\ExpireSignalingMessage job with ID 17607 in 0 seconds","userAgent":"--","version":"16.0.4.1"}
{"reqId":"1pTy08bwgQUGpr14lB7F","level":0,"time":"2019-09-10T19:00:06+00:00","remoteAddr":"","user":"--","app":"cron","method":"","url":"--","message":"Run OCA\\Spreed\\BackgroundJob\\RemoveEmptyRooms job with ID 17608","userAgent":"--","version":"16.0.4.1"}
{"reqId":"1pTy08bwgQUGpr14lB7F","level":0,"time":"2019-09-10T19:00:06+00:00","remoteAddr":"","user":"--","app":"cron","method":"","url":"--","message":"Finished OCA\\Spreed\\BackgroundJob\\RemoveEmptyRooms job with ID 17608 in 0 seconds","userAgent":"--","version":"16.0.4.1"}
{"reqId":"6NhOD82Ra27QzWfwaV3L","level":0,"time":"2019-09-10T19:09:27+00:00","remoteAddr":"172.17.0.1","user":"zandrsn","app":"core","method":"GET","url":"\/settings\/user\/privacy","message":"SCSSCacher: \/apps\/privacy\/css\/style.scss compiled and successfully cached","userAgent":"Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.142 Safari\/537.36","version":"16.0.4.1"}
Browser log
N/A
This is the contacts repository... Moving!
Sorry about that! Didn't notice.
Hi! I have encountered the same problem. As you can read here, it is ClamAV that detects Potentially Unwanted Applications. You can disable this behavior: https://docs.clamav.net/faq/faq-pua.html This is what I did. Previously I was using this Docker image with PUA enabled by default. Now I use this official image: https://hub.docker.com/r/clamav/clamav and PUA is disabled by default. So, it is not a bug in the files_antivirus app.
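An added example, not part of the thread or of the files_antivirus project: before changing ClamAV's PUA setting, an administrator can measure how many blocked files come from `PUA.*` signatures versus other detections by parsing `data/nextcloud.log`. The sample lines are constructed to mirror the message format in the logs above; the account, paths and the non-PUA entry are made up.

```python
import json
import re
from collections import defaultdict

# "File is infected" message format as logged by files_antivirus in the log
# above; note there is no space between the file id and "Account:".
INFECTED = re.compile(
    r"^File is infected\. (?P<sig>\S+) File: (?P<fileid>\d+)\s*"
    r"Account: (?P<account>\S+) Path: (?P<path>.+)$"
)

# Constructed sample lines (account, paths and the non-PUA hit are made up).
SAMPLE_LOG = [
    r'{"level":4,"app":"files_antivirus","message":"File is infected. PUA.Pdf.Trojan.EmbeddedJavaScript-1 File: 1001Account: alice Path: \/alice\/files\/paper-a.pdf"}',
    r'{"level":0,"app":"files_antivirus","message":"Response :: stream: PUA.Pdf.Trojan.EmbeddedJavaScript-1 FOUND\n"}',
    r'{"level":4,"app":"files_antivirus","message":"File is infected. PUA.Pdf.Trojan.EmbeddedJavaScript-1 File: 1002Account: alice Path: \/alice\/files\/paper b.pdf"}',
    r'{"level":4,"app":"files_antivirus","message":"File is infected. PUA.Pdf.Trojan.EmbeddedJavaScript-1 File: 1001Account: alice Path: \/alice\/files\/paper-a.pdf"}',
    r'{"level":4,"app":"files_antivirus","message":"File is infected. Win.Test.EICAR_HDB-1 File: 1003Account: alice Path: \/alice\/files\/eicar.com"}',
    r'{"level":0,"app":"cron","message":"Finished job with ID 32 in 5 seconds"}',
    r'{"level":4,"app":"files_antivirus","message":"File is infec',  # truncated
]

def summarize_detections(lines):
    """Group files_antivirus detections by signature, split PUA vs. other."""
    result = {"pua": defaultdict(set), "other": defaultdict(set), "unparsed": 0}
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            entry = json.loads(raw)
        except json.JSONDecodeError:
            result["unparsed"] += 1  # truncated or non-JSON line
            continue
        if not isinstance(entry, dict) or entry.get("app") != "files_antivirus":
            continue
        m = INFECTED.match(entry.get("message", ""))
        if not m:
            continue  # "Scan started", "Response ::" and similar debug lines
        bucket = "pua" if m["sig"].startswith("PUA.") else "other"
        # A set per signature: background rescans log the same path repeatedly.
        result[bucket][m["sig"]].add(m["path"])
    return result

if __name__ == "__main__":
    summary = summarize_detections(SAMPLE_LOG)
    for bucket in ("pua", "other"):
        for sig, paths in summary[bucket].items():
            print(f"{bucket:5} {sig}: {len(paths)} file(s)")
    print("unparsed lines:", summary["unparsed"])
```

Anything that lands in the `other` bucket is not explained by PUA detection and deserves a separate look before PUA detection is switched off.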