linux-malware-detect
rfxn.yara clamav error and a false positive on openssl tls1.h
Seems the latest rfxn database identifies openssl-1.1.1c/include/openssl/tls1.h as YARA.php_malware_hexinject.UNOFFICIAL.
To replicate:
mkdir /tmp/scan
cd /tmp/scan
wget https://anaconda.org/conda-forge/openssl/1.1.1c/download/linux-64/openssl-1.1.1c-h516909a_0.tar.bz2
tar xf openssl-1.1.1c-h516909a_0.tar.bz2
rm -f /var/lib/clamav/rfxn.*
Plain clamscan without rfxn db:
clamscan --infected -r /tmp/scan/
----------- SCAN SUMMARY -----------
Known viruses: 6528659
Engine version: 0.101.4
Scanned directories: 13
Scanned files: 141
Infected files: 0
Data scanned: 15.05 MB
Data read: 7.91 MB (ratio 1.90:1)
Time: 64.451 sec (1 m 4 s)
Checked include/openssl/tls1.h with VirusTotal, clean.
lmd --update-sigs --force
clamscan --infected -r /tmp/scan/
LibClamAV Error: yyerror(): /var/lib/clamav/rfxn.yara line 8955 undefined identifier "is__elf"
LibClamAV Warning: cli_loadyara: failed to parse or load 1 yara rules from file /var/lib/clamav/rfxn.yara, successfully loaded 784 rules.
/tmp/scan/include/openssl/tls1.h: YARA.php_malware_hexinject.UNOFFICIAL FOUND
/tmp/scan/openssl-1.1.1c-h516909a_0.tar.bz2: YARA.php_malware_hexinject.UNOFFICIAL FOUND
----------- SCAN SUMMARY -----------
Known viruses: 6544233
Engine version: 0.101.4
Scanned directories: 13
Scanned files: 141
Infected files: 2
Data scanned: 6.74 MB
Data read: 7.91 MB (ratio 0.85:1)
Time: 65.160 sec (1 m 5 s)
There is also a clamav error regarding rfxn.yara.
Seems like a regression related to https://github.com/rfxn/linux-malware-detect/issues/309.
We are observing the same issue in every environment that has a copy of the openssl tls1.h header file (e.g. "node-v10.0.0/deps/openssl/openssl/include/openssl/tls1.h").
Since this is still an issue and I am seeing a lot of false positives (in my case anaconda / tensorflow) on backend servers that have no PHP, the simplest option for me was to put it into ignore_sigs.
cat /usr/local/maldetect/ignore_sigs
{YARA}php_malware_hexinject
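The thread shows the two things worth checking after `lmd --update-sigs`: whether all rfxn.yara rules actually loaded (the `cli_loadyara` warning above says one failed), and which signature produced each hit so the false positive can be ignored by name. The script below is an added example, not part of the issue or of the maldet or ClamAV projects. It parses clamscan output (the sample is constructed from the lines quoted in this thread), groups hits per signature, extracts the YARA load-failure count, checks that the summary's "Infected files" matches the number of FOUND lines, and maps a ClamAV `YARA.<rule>.UNOFFICIAL` name to the `{YARA}<rule>` form used in the ignore_sigs entry shown above. That mapping is taken from the thread (ClamAV name in the original post, ignore_sigs entry in the reply); names that are not YARA rules are returned as None rather than guessed.

```python
import re
from collections import defaultdict

# Constructed sample: the clamscan lines quoted in the issue, in one run.
SAMPLE_OUTPUT = """\
LibClamAV Error: yyerror(): /var/lib/clamav/rfxn.yara line 8955 undefined identifier "is__elf"
LibClamAV Warning: cli_loadyara: failed to parse or load 1 yara rules from file /var/lib/clamav/rfxn.yara, successfully loaded 784 rules.
/tmp/scan/include/openssl/tls1.h: YARA.php_malware_hexinject.UNOFFICIAL FOUND
/tmp/scan/openssl-1.1.1c-h516909a_0.tar.bz2: YARA.php_malware_hexinject.UNOFFICIAL FOUND
----------- SCAN SUMMARY -----------
Known viruses: 6544233
Engine version: 0.101.4
Scanned directories: 13
Scanned files: 141
Infected files: 2
Data scanned: 6.74 MB
Data read: 7.91 MB (ratio 0.85:1)
Time: 65.160 sec (1 m 5 s)
"""

LOADYARA_RE = re.compile(
    r"failed to parse or load (?P<failed>\d+) yara rules from file (?P<file>\S+), "
    r"successfully loaded (?P<loaded>\d+) rules"
)
SUMMARY_RE = re.compile(r"^(?P<key>[A-Za-z ]+): (?P<value>.+)$")


def parse_clamscan(text):
    """Split clamscan output into hits per signature, YARA load failures and the summary."""
    hits = defaultdict(list)
    load_failures = []
    summary = {}
    in_summary = False
    for line in text.splitlines():
        line = line.rstrip()
        if line.startswith("LibClamAV"):
            # Engine diagnostics; only the rule-load warning is of interest here.
            m = LOADYARA_RE.search(line)
            if m:
                load_failures.append(
                    {"file": m["file"], "failed": int(m["failed"]), "loaded": int(m["loaded"])}
                )
            continue
        if line.startswith("-----------"):
            in_summary = True
            continue
        if in_summary:
            m = SUMMARY_RE.match(line)
            if m:
                summary[m["key"]] = m["value"]
            continue
        if line.endswith(" FOUND"):
            # "<path>: <signature> FOUND"; rsplit so a ':' inside the path survives.
            path, sig = line[: -len(" FOUND")].rsplit(": ", 1)
            hits[sig].append(path)
    return {"hits": dict(hits), "load_failures": load_failures, "summary": summary}


def infected_count_matches(result):
    """True when the summary's 'Infected files' equals the number of FOUND lines parsed."""
    reported = int(result["summary"].get("Infected files", -1))
    return reported == sum(len(paths) for paths in result["hits"].values())


def clamav_to_maldet_ignore(sig):
    """Map ClamAV 'YARA.<rule>.UNOFFICIAL' to the '{YARA}<rule>' ignore_sigs form used in
    this thread. Non-YARA names return None: their maldet spelling is not shown here."""
    m = re.fullmatch(r"YARA\.(?P<rule>.+)\.UNOFFICIAL", sig)
    return "{YARA}" + m["rule"] if m else None


if __name__ == "__main__":
    result = parse_clamscan(SAMPLE_OUTPUT)
    for failure in result["load_failures"]:
        print(f"{failure['file']}: {failure['failed']} rule(s) failed to load, {failure['loaded']} loaded")
    for sig, paths in result["hits"].items():
        print(f"{sig}: {len(paths)} hit(s) -> ignore_sigs entry: {clamav_to_maldet_ignore(sig)}")
        for path in paths:
            print(f"  {path}")
    print("summary consistent:", infected_count_matches(result))
```

Run it against a real `clamscan --infected -r` log piped to a file to see which signatures are responsible for the hits before adding anything to ignore_sigs; an entry silences every file that rule matches, not just the one header.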
Seeing the same issue. I think it started showing up after installation of maldet.
Getting this now:
FILE HIT LIST:
{HEX}php.gzbase64.inject.452 : /home/yo/maldetect-1.6.4/files/clean/gzbase64.inject.unclassed
{HEX}php.cmdshell.antichat.201 : /home/yo/maldetect-1.6.4/files/sigs/rfxn.yara
Just installed yesterday... false positive or real hit?