files_antivirus icon indicating copy to clipboard operation
files_antivirus copied to clipboard
verified publisher icon nextcloud

Virus detection is chaotic!

Open EpeR1 opened this issue 5 years ago • 3 comments

The Virus detection is absolutely chaotic in latest stable version!

In my test: I have an infected putty.exe, and many clean .mp4 video files.

  • If I do a pure ClaAV check (clamscan), the clamav recognises the putty.exe as infected, and .mp4 files as clean.

  • If I upload the nature putty.exe, the nextcloud warns about the virus, and rejects the upload, It is correct.

  • If I upload video files by nature, nextcloud allows the upload, It is OK.

  • When I compress the putty.exe into a .zip file, the nextcloud recognises the infection, It is also OK.

  • But, when I put these video files, and putty.exe to a .zip file together, the nextcloud does not recognise the virus, and allows the .zip file to upload!

  • When I waited a few hours, or a whole day, and all my files! were deleted from my nextcloud account by the antivirus app! (Previously I uploaded the compressed zip file of putty and videos, and video files in nature also.)

The result is the same, when I try these steps with .tar.gz compression!

So, I think it is not only a background credentials resetting error (as mentioned in: https://github.com/nextcloud/files_antivirus/issues/167 and https://github.com/nextcloud/files_antivirus/pull/169 ), it is also a compressed file opening error!

Environment: Latest stable Nextcloud (19.0.3), and antivirus app. Debian 10.6 apache 2.4.46 php 7.3.19 php-zip, and all php modules are installed, as requested in Nextcloud Admin Manual.

EpeR1 avatar Oct 01 '20 13:10 EpeR1

I think it is related with the following bug reports: https://github.com/nextcloud/files_antivirus/issues/164 https://github.com/nextcloud/files_antivirus/issues/163 https://github.com/nextcloud/files_antivirus/issues/161

EpeR1 avatar Oct 01 '20 13:10 EpeR1

  • But, when I put these video files, and putty.exe to a .zip file together, the nextcloud does not recognise the virus, and allows the .zip file to upload!

From what I've seen of the code, archived files are not treated differently than other files, they're sent "as is" to ClamAV. NC is not opening the archive and sending the individual files contained in it to ClamAV. What happens when you scan the zip directly with ClamAV ? If it is not detected, then this is an issue with ClamAV. If it is detected by ClamAV but not Nextcloud, then it is a problem with NC and you should provide debug logs to help investigating.

  • When I waited a few hours, or a whole day, and all my files! were deleted from my nextcloud account by the antivirus app! (Previously I uploaded the compressed zip file of putty and videos, and video files in nature also.)

This part is probably linked to #167. It is possible that one file is detected as infected, and all the following files are wrongly detected as infected, resulting in the deletion of all those files.

bpatath avatar Oct 05 '20 19:10 bpatath

Does this error still occur? I think we fixed some of those issues recently.

kesselb avatar Sep 27 '21 19:09 kesselb