files_antivirus
files_antivirus copied to clipboard
nextcloud
Infected file detected and deleted, "Only log" option being ignored
Steps to reproduce
- Set ClamAV to only log detected files:
- Create test txt file with content as per here https://en.wikipedia.org/wiki/EICAR_test_file
- See that file was detected and deleted
Expected behaviour
File has being logged, admin notified.
Actual behaviour
Log only option being ignored.
Server configuration
Operating system: Ubuntu 18.04
Web server: Apache/2.4.41
Database: mysql Ver 15.1 Distrib 10.1.44-MariaDB
PHP version: 7.3.16
Nextcloud version: 18.0.3
Where did you install Nextcloud from: Official
List of activated apps:
Enabled:
- accessibility: 1.4.0
- activity: 2.11.0
- admin_audit: 1.8.0
- audioplayer: 2.10.0
- bruteforcesettings: 1.6.0
- calendar: 2.0.3
- checksum: 0.4.4
- cloud_federation_api: 1.1.0
- comments: 1.8.0
- data_request: 1.5.0
- dav: 1.14.0
- deck: 0.8.2
- drawio: 0.9.5
- federatedfilesharing: 1.8.0
- federation: 1.8.0
- files: 1.13.1
- files_antivirus 2.3.0
- files_automatedtagging: 1.8.2
- files_external: 1.9.0
- files_mindmap: 0.0.21
- files_pdfviewer: 1.7.0
- files_retention: 1.7.0
- files_rightclick: 0.15.2
- files_sharing: 1.10.1
- files_trashbin: 1.8.0
- files_versions: 1.11.0
- files_videoplayer: 1.7.0
- firstrunwizard: 2.7.0
- flowupload: 0.1.8
- gpxpod: 4.2.1
- keeweb: 0.6.2
- logreader: 2.3.0
- lookup_server_connector: 1.6.0
- mail: 1.3.2
- maps: 0.1.6
- nextcloud_announcements: 1.7.0
- notes: 3.2.0
- notifications: 2.6.0
- oauth2: 1.6.0
- ocdownloader: 1.7.6
- password_policy: 1.8.0
- phonetrack: 0.6.2
- photos: 1.0.0
- polls: 1.3.0
- previewgenerator: 2.3.0
- privacy: 1.2.0
- provisioning_api: 1.8.0
- radio: 0.6.6
- recommendations: 0.6.0
- serverinfo: 1.8.0
- settings: 1.0.0
- sharebymail: 1.8.0
- spreed: 8.0.7
- survey_client: 1.6.0
- systemtags: 1.8.0
- text: 2.0.0
- theming: 1.9.0
- twofactor_backupcodes: 1.7.0
- twofactor_totp: 4.1.3
- unsplash: 1.1.5
- updatenotification: 1.8.0
- viewer: 1.2.0
- weather: 1.7.1
- workflowengine: 2.0.0
Disabled:
- encryption
- impersonate
- sharerenamer
- support
- user_ldap
Nextcloud configuration:
{
"system": {
"instanceid": "***REMOVED SENSITIVE VALUE***",
"passwordsalt": "***REMOVED SENSITIVE VALUE***",
"secret": "***REMOVED SENSITIVE VALUE***",
"trusted_domains": {
"0": "***REMOVED SENSITIVE VALUE***",
"2": "***REMOVED SENSITIVE VALUE***"
},
"datadirectory": "***REMOVED SENSITIVE VALUE***",
"overwrite.cli.url": "https:\/\/***REMOVED SENSITIVE VALUE***\/nextcloud",
"dbtype": "mysql",
"version": "18.0.3.0",
"dbname": "***REMOVED SENSITIVE VALUE***",
"dbhost": "***REMOVED SENSITIVE VALUE***",
"dbport": "",
"dbtableprefix": "oc_",
"mysql.utf8mb4": true,
"dbuser": "***REMOVED SENSITIVE VALUE***",
"dbpassword": "***REMOVED SENSITIVE VALUE***",
"installed": true,
"filesystem_check_changes": 0,
"memcache.local": "\\OC\\Memcache\\APCu",
"memcache.locking": "\\OC\\Memcache\\Redis",
"memcache.distributed": "\\OC\\Memcache\\Redis",
"redis": {
"host": "***REMOVED SENSITIVE VALUE***",
"port": 6379,
"timeout": 1.5
},
"mail_smtpmode": "smtp",
"mail_smtpauthtype": "LOGIN",
"mail_from_address": "***REMOVED SENSITIVE VALUE***",
"mail_domain": "***REMOVED SENSITIVE VALUE***",
"maintenance": false,
"theme": "",
"logfile": "\/***REMOVED SENSITIVE VALUE***\/nextcloud.log",
"loglevel": 1,
"trashbin_retention_obligation": "14, auto",
"versions_retention_obligation": "14, auto",
"data-fingerprint": "***REMOVED SENSITIVE VALUE***",
"enable_previews": true,
"enabledPreviewProviders": [
"OC\\Preview\\PNG",
"OC\\Preview\\JPEG",
"OC\\Preview\\GIF",
"OC\\Preview\\BMP",
"OC\\Preview\\XBitmap",
"OC\\Preview\\Movie",
"OC\\Preview\\PDF",
"OC\\Preview\\MP3",
"OC\\Preview\\TXT",
"OC\\Preview\\MarkDown"
],
"preview_max_x": 1920,
"preview_max_y": 1080,
"auth.bruteforce.protection.enabled": true,
"simpleSignUpLink.shown": false,
"mail_smtpsecure": "tls",
"mail_smtpauth": 1,
"mail_smtphost": "***REMOVED SENSITIVE VALUE***",
"mail_smtpport": "587",
"mail_smtpname": "***REMOVED SENSITIVE VALUE***",
"mail_smtppassword": "***REMOVED SENSITIVE VALUE***",
"twofactor_enforced": "true",
"twofactor_enforced_groups": [
"admin"
],
"twofactor_enforced_excluded_groups": [],
"has_rebuilt_cache": true,
"updater.release.channel": "stable",
"app_install_overwrite": [
"keeweb",
"radio"
]
}
}
Nextcloud log (data/owncloud.log)
{"reqId":"Gt7Vps8HTaH9lR2gFYWi","level":2,"time":"2020-04-28T08:53:27+00:00","remoteAddr":"1.1.1.1.","user":"USER","app":"files_antivirus","method":"GET","url":"/index.php/apps/text/session/create?fileId=4638250&filePath=%2FNew+text+document.txt&guestName=null&forceRecreate=false","message":"Infected file deleted. Eicar-Signature Account: USER Path: appdata_XXXXX/text/documents/4638250","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:73.0) Gecko/20100101 Firefox/73.0","version":"18.0.3.0","id":"5ea7f038c1bc4"}
I have the same issue. Infected file is deleted even when "only log" is selected.
I have the same issue. I posted my logs for this issue in the mentioned link above
Could it be that the files were added from the web UI?
Is there a possibility that this option only works during background scans? :When infected files are found during a background scan
