
Logs spam with the same file info if file is found.

Open GAS85 opened this issue 5 years ago • 1 comments

Steps to reproduce

  1. Create a test virus, e.g. testvirus.com and New text document.txt, as described here: https://en.wikipedia.org/wiki/EICAR_test_file
  2. Set up background scan
  3. See a lot of spam entries in the logs when the same files are found.
  4. Check that the same entry appears multiple times in the logs:
grep "Infected file found" nextcloud.log* | wc -l
310
grep "Infected file found" nextcloud.log | grep "/USER1/files/testvirus.com" | wc -l
162
[IcanDo@myhome data]# grep "Infected file found" nextcloud.log | grep "/USER2/files/New text document.txt" | wc -l
148

Expected behaviour

File should be scanned only once (if not changed) and an error should be logged and admin group should be notified. On update/change file should be re-scanned or DB flag should be changed to force file re-scan.

Actual behaviour

  • The same test file is re-scanned multiple times, but was not changed/touched during this time.
  • Multiple log entries are produced:
grep "Infected file found" nextcloud.log* | wc -l
310
grep "Infected file found" nextcloud.log | grep "/USER1/files/testvirus.com" | wc -l
162
[IcanDo@myhome data]# grep "Infected file found" nextcloud.log | grep "/USER2/files/New text document.txt" | wc -l
148
  • Admin Group notified.

Server configuration

Operating system: Ubuntu 18.04

Web server: Apache/2.4.43

Database: mysql Ver 15.1 Distrib 10.1.44-MariaDB

PHP version: 7.3.17-1

Nextcloud version: 18.0.4

Where did you install Nextcloud from: Official

List of activated apps:

Enabled:
  - accessibility: 1.4.0
  - activity: 2.11.0
  - admin_audit: 1.8.0
  - audioplayer: 2.10.0
  - bruteforcesettings: 1.6.0
  - calendar: 2.0.3
  - checksum: 0.4.4
  - cloud_federation_api: 1.1.0
  - comments: 1.8.0
  - data_request: 1.5.0
  - dav: 1.14.0
  - deck: 1.0.0
  - drawio: 0.9.5
  - federatedfilesharing: 1.8.0
  - federation: 1.8.0
  - files: 1.13.1
  - files_antivirus: 2.3.0
  - files_automatedtagging: 1.8.2
  - files_external: 1.9.0
  - files_mindmap: 0.0.21
  - files_pdfviewer: 1.7.0
  - files_retention: 1.7.0
  - files_rightclick: 0.15.2
  - files_sharing: 1.10.1
  - files_trashbin: 1.8.0
  - files_versions: 1.11.0
  - files_videoplayer: 1.7.0
  - firstrunwizard: 2.7.0
  - flowupload: 0.1.8
  - forms: 1.1.1
  - gpxpod: 4.2.1
  - keeweb: 0.6.2
  - logreader: 2.3.0
  - lookup_server_connector: 1.6.0
  - mail: 1.3.4
  - maps: 0.1.6
  - nextcloud_announcements: 1.7.0
  - notes: 3.3.0
  - notifications: 2.6.0
  - oauth2: 1.6.0
  - ocdownloader: 1.7.7
  - password_policy: 1.8.0
  - phonetrack: 0.6.2
  - photos: 1.0.0
  - polls: 1.4.3
  - previewgenerator: 2.3.0
  - privacy: 1.2.0
  - provisioning_api: 1.8.0
  - radio: 0.6.6
  - recommendations: 0.6.0
  - serverinfo: 1.8.0
  - settings: 1.0.0
  - sharebymail: 1.8.0
  - spreed: 8.0.8
  - survey_client: 1.6.0
  - systemtags: 1.8.0
  - text: 2.0.0
  - theming: 1.9.0
  - twofactor_backupcodes: 1.7.0
  - twofactor_totp: 4.1.3
  - unsplash: 1.1.5
  - updatenotification: 1.8.0
  - viewer: 1.2.0
  - weather: 1.7.2
  - workflowengine: 2.0.0
Disabled:
  - encryption
  - impersonate
  - sharerenamer
  - support
  - user_ldap

Nextcloud configuration:

{
    "system": {
        "instanceid": "***REMOVED SENSITIVE VALUE***",
        "passwordsalt": "***REMOVED SENSITIVE VALUE***",
        "secret": "***REMOVED SENSITIVE VALUE***",
        "trusted_domains": {
            "0": "***REMOVED SENSITIVE VALUE***",
            "2": "***REMOVED SENSITIVE VALUE***"
        },
        "datadirectory": "***REMOVED SENSITIVE VALUE***",
        "overwrite.cli.url": "https:\/\/***REMOVED SENSITIVE VALUE***\/nextcloud",
        "dbtype": "mysql",
        "version": "18.0.4.2",
        "dbname": "***REMOVED SENSITIVE VALUE***",
        "dbhost": "***REMOVED SENSITIVE VALUE***",
        "dbport": "",
        "dbtableprefix": "oc_",
        "mysql.utf8mb4": true,
        "dbuser": "***REMOVED SENSITIVE VALUE***",
        "dbpassword": "***REMOVED SENSITIVE VALUE***",
        "installed": true,
        "filesystem_check_changes": 0,
        "memcache.local": "\\OC\\Memcache\\APCu",
        "memcache.locking": "\\OC\\Memcache\\Redis",
        "memcache.distributed": "\\OC\\Memcache\\Redis",
        "redis": {
            "host": "***REMOVED SENSITIVE VALUE***",
            "port": 6379,
            "timeout": 1.5
        },
        "mail_smtpmode": "smtp",
        "mail_smtpauthtype": "LOGIN",
        "mail_from_address": "***REMOVED SENSITIVE VALUE***",
        "mail_domain": "***REMOVED SENSITIVE VALUE***",
        "maintenance": false,
        "theme": "",
        "logfile": "\/var\/log\/nextcloud.log",
        "loglevel": 1,
        "trashbin_retention_obligation": "14, auto",
        "versions_retention_obligation": "14, auto",
        "data-fingerprint": "***REMOVED SENSITIVE VALUE***",
        "enable_previews": true,
        "enabledPreviewProviders": [
            "OC\\Preview\\PNG",
            "OC\\Preview\\JPEG",
            "OC\\Preview\\GIF",
            "OC\\Preview\\BMP",
            "OC\\Preview\\XBitmap",
            "OC\\Preview\\Movie",
            "OC\\Preview\\PDF",
            "OC\\Preview\\MP3",
            "OC\\Preview\\TXT",
            "OC\\Preview\\MarkDown"
        ],
        "preview_max_x": 1920,
        "preview_max_y": 1080,
        "jpeg_quality": 90,
        "auth.bruteforce.protection.enabled": true,
        "simpleSignUpLink.shown": false,
        "mail_smtpsecure": "tls",
        "mail_smtpauth": 1,
        "mail_smtphost": "***REMOVED SENSITIVE VALUE***",
        "mail_smtpport": "587",
        "mail_smtpname": "***REMOVED SENSITIVE VALUE***",
        "mail_smtppassword": "***REMOVED SENSITIVE VALUE***",
        "twofactor_enforced": "true",
        "twofactor_enforced_groups": [
            "admin"
        ],
        "twofactor_enforced_excluded_groups": [],
        "has_rebuilt_cache": true,
        "updater.release.channel": "stable",
        "app_install_overwrite": [
            "keeweb",
            "radio"
        ]
    }
}

Logs

Nextcloud log (data/owncloud.log)

nextcloud.log:{"reqId":"MjJnqGiZOUnS7LX5R3k1","level":4,"time":"2020-05-11T06:15:16+00:00","remoteAddr":"","user":"--","app":"files_antivirus","method":"","url":"--","message":"Infected file found (during background scan) Win.Test.EICAR_HDB-1 File: 4622181Account: USER1 Path: /USER1/files/testvirus.com","userAgent":"--","version":"18.0.4.2"}
nextcloud.log:{"reqId":"MjJnqGiZOUnS7LX5R3k1","level":4,"time":"2020-05-11T06:15:16+00:00","remoteAddr":"","user":"--","app":"files_antivirus","method":"","url":"--","message":"Infected file found (during background scan) Eicar-Signature File: 4638250Account: USER2 Path: /USER2/files/New text document.txt","userAgent":"--","version":"18.0.4.2"}
nextcloud.log:{"reqId":"2IpNCCghPo92PmCbvPlJ","level":4,"time":"2020-05-11T06:30:25+00:00","remoteAddr":"","user":"--","app":"files_antivirus","method":"","url":"--","message":"Infected file found (during background scan) Win.Test.EICAR_HDB-1 File: 4622181Account: USER1 Path: /USER1/files/testvirus.com","userAgent":"--","version":"18.0.4.2"}
nextcloud.log:{"reqId":"2IpNCCghPo92PmCbvPlJ","level":4,"time":"2020-05-11T06:30:25+00:00","remoteAddr":"","user":"--","app":"files_antivirus","method":"","url":"--","message":"Infected file found (during background scan) Eicar-Signature File: 4638250Account: USER2 Path: /USER2/files/New text document.txt","userAgent":"--","version":"18.0.4.2"}
nextcloud.log:{"reqId":"3V6LbskveKSaUWSdDgs8","level":4,"time":"2020-05-11T07:00:03+00:00","remoteAddr":"","user":"--","app":"files_antivirus","method":"","url":"--","message":"Infected file found (during background scan) Win.Test.EICAR_HDB-1 File: 4622181Account: USER1 Path: /USER1/files/testvirus.com","userAgent":"--","version":"18.0.4.2"}
nextcloud.log:{"reqId":"3V6LbskveKSaUWSdDgs8","level":4,"time":"2020-05-11T07:00:03+00:00","remoteAddr":"","user":"--","app":"files_antivirus","method":"","url":"--","message":"Infected file found (during background scan) Eicar-Signature File: 4638250Account: USER2 Path: /USER2/files/New text document.txt","userAgent":"--","version":"18.0.4.2"}
nextcloud.log:{"reqId":"EK6P2yTtHtx7WqHbJ7kf","level":4,"time":"2020-05-11T07:15:22+00:00","remoteAddr":"","user":"--","app":"files_antivirus","method":"","url":"--","message":"Infected file found (during background scan) Win.Test.EICAR_HDB-1 File: 4622181Account: USER1 Path: /USER1/files/testvirus.com","userAgent":"--","version":"18.0.4.2"}
nextcloud.log:{"reqId":"EK6P2yTtHtx7WqHbJ7kf","level":4,"time":"2020-05-11T07:15:22+00:00","remoteAddr":"","user":"--","app":"files_antivirus","method":"","url":"--","message":"Infected file found (during background scan) Eicar-Signature File: 4638250Account: USER2 Path: /USER2/files/New text document.txt","userAgent":"--","version":"18.0.4.2"}
nextcloud.log:{"reqId":"N2n6g17X4R2j5PoYee9Z","level":4,"time":"2020-05-11T07:45:18+00:00","remoteAddr":"","user":"--","app":"files_antivirus","method":"","url":"--","message":"Infected file found (during background scan) Win.Test.EICAR_HDB-1 File: 4622181Account: USER1 Path: /USER1/files/testvirus.com","userAgent":"--","version":"18.0.4.2"}
nextcloud.log:{"reqId":"N2n6g17X4R2j5PoYee9Z","level":4,"time":"2020-05-11T07:45:18+00:00","remoteAddr":"","user":"--","app":"files_antivirus","method":"","url":"--","message":"Infected file found (during background scan) Eicar-Signature File: 4638250Account: USER2 Path: /USER2/files/New text document.txt","userAgent":"--","version":"18.0.4.2"}

GAS85, May 11 '20 07:05

Activity is also spammed with this information, but only for the current user.

GAS85, May 11 '20 08:05
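A triage-side way to collapse the repeated detections shown in the log above into one finding per file, as an added example that is not part of the original issue or of the files_antivirus code. The sample lines are constructed in the issue's log format, and the function names are hypothetical.

```python
import json
import re
from collections import defaultdict

# Message layout copied from the issue's log lines; the file id runs straight
# into "Account:" with no space, so the pattern allows zero whitespace there.
MSG_RE = re.compile(
    r"Infected file found \(during background scan\) (?P<signature>\S+) "
    r"File: (?P<fileid>\d+)\s*Account: (?P<account>\S+) Path: (?P<path>.+)$")

def parse_line(line):
    """Return one detection as a dict, or None if the line is not an AV hit."""
    start = line.find("{")  # tolerate grep's "nextcloud.log:" filename prefix
    try:
        entry = json.loads(line[start:]) if start >= 0 else {}
    except json.JSONDecodeError:
        return None
    match = MSG_RE.search(entry.get("message", ""))
    if entry.get("app") != "files_antivirus" or not match:
        return None
    return {**match.groupdict(), "time": entry.get("time"), "reqId": entry.get("reqId")}

def collapse(lines):
    """One finding per file id, with hit count and the scan runs that logged it."""
    findings = defaultdict(lambda: {"hits": 0, "runs": set()})
    for det in filter(None, map(parse_line, lines)):
        f = findings[det["fileid"]]
        for key in ("path", "account", "signature"):
            f.setdefault(key, det[key])
        f.setdefault("first_seen", det["time"])  # assumes chronological input
        f["last_seen"] = det["time"]
        f["hits"] += 1
        f["runs"].add(det["reqId"])
    return dict(findings)

def _line(req, time, sig, fileid, account, path):
    """Build a constructed sample line in the format shown in the issue."""
    msg = (f"Infected file found (during background scan) {sig} "
           f"File: {fileid}Account: {account} Path: {path}")
    return "nextcloud.log:" + json.dumps(
        {"reqId": req, "level": 4, "time": time, "app": "files_antivirus", "message": msg})

# Constructed sample: two scan runs re-reporting the same two unchanged files,
# plus one unrelated line that must be ignored.
SAMPLE = [
    _line("req-A", "2020-05-11T06:15:16+00:00", "Win.Test.EICAR_HDB-1", 4622181, "USER1", "/USER1/files/testvirus.com"),
    _line("req-A", "2020-05-11T06:15:16+00:00", "Eicar-Signature", 4638250, "USER2", "/USER2/files/New text document.txt"),
    _line("req-B", "2020-05-11T06:30:25+00:00", "Win.Test.EICAR_HDB-1", 4622181, "USER1", "/USER1/files/testvirus.com"),
    _line("req-B", "2020-05-11T06:30:25+00:00", "Eicar-Signature", 4638250, "USER2", "/USER2/files/New text document.txt"),
    'nextcloud.log:{"reqId":"req-C","app":"core","message":"Login failed"}',
]
```

Calling `collapse()` on the lines of a real `nextcloud.log` gives one record per file id; a file whose `hits` keeps growing across `runs` while it is unchanged is the repeat-scan behaviour reported here.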