Ransomware recovery endless loading

Open boina opened this issue 6 years ago • 30 comments

Hello all and thank you very much for app!!!

The issue that I have is that when I go to the Ransomware tab it appears as loading (or scanning maybe) all the time. I include a screenshot of it. The same happens if I click on scan.

I'm using nextcloud 16.0.0 in a raspberry pi running an up to date archlinux install.

Thanks a lot, José.

Captura de pantalla de 2019-05-24 12-54-11

boina avatar May 24 '19 11:05 boina

Hi José thanks for reporting your issue. I will try to reproduce your problems in the next days. Are there any error messages in the Nextcloud logs?

Best regards Matthias

ilovemilk avatar May 27 '19 18:05 ilovemilk

> Hi José thanks for reporting your issue. I will try to reproduce your problems in the next days. Are there any error messages in the Nextcloud logs?
>
> Best regards Matthias

Hello Matthias,

Here there is more information on the system:

  • OS: Archlinux
  • System: Raspberry pi 3
  • nextcloud: 16.0.0.9
  • php: 7.3.5

Database:

  • Type: mysql
  • Version: 10.3.14
  • Size: 330,3 MB

and this is the error log that I could trace related to the ransomware protection app as seen in the administrator page. nextcloud_ransomware.txt

Regards, José.

boina avatar May 29 '19 09:05 boina

Hi José

I tried my best to reproduce your issue with my Raspberry Pi Zero but I couldn't.

Can you post the web developer console logs? You can get them if you go to your Ransomware recovery app and press F12 in your browser. Maybe this can clarify the problems.

Best regards Matthias

ilovemilk avatar May 31 '19 13:05 ilovemilk

Hello, I have hit the same symptoms on two different univention installs of nextcloud. Their NC Version is 15.0.8, Ransomware Protection Version 0.5.2

In the console when loading the ransomware recovery page from the top menu the error console has 404:

The requested URL /ocs/v2.php/apps/ransomware_detection/api/v1/get-debug-mode was not found on this server.

In the network requests tab the call to https://<server IP>/nextcloud/apps/files/ then seems to hang indefinitely in a waiting state while the spinner rotates onscreen as in the first screenshot.

pixelplumber avatar Jul 06 '19 08:07 pixelplumber

Hi pixelplumber

Thanks a lot for the additional information, this helps track the error down! I will try to fix this in the next few days.

Matthias

ilovemilk avatar Jul 09 '19 08:07 ilovemilk

Hello,

I have the same problem. I'm using Nextcloud 16.0.3 on a Synology NAS. Is there already a fix for it?

Tom

TomW80 avatar Aug 28 '19 17:08 TomW80

Hi,

I hadn't much time to investigate the problem because we are reworking the whole app to use machine learning for a better detection rate.

Something came to my mind today: How many file operations do you have in your database? You can check with SELECT COUNT (*dbprefix*ransomware_detection) FROM *dbname*; where you replace dbprefix and dbname according to your setup.

Thanks!

ilovemilk avatar Sep 06 '19 18:09 ilovemilk

Hello ilovemilk,

The check with SELECT COUNT(*) FROM oc_ransomware_detection gives 655 entries.

Tom

TomW80 avatar Sep 09 '19 18:09 TomW80

I have the same issue; it seems related to scripts not loading. Every other app I use has no issue at all. Most javascripts are showing as blocked in the browser console.

loxK avatar Sep 24 '19 22:09 loxK

@loxK can you post a screenshot of your js console? Is there an error message regarding those blocked scripts?

sualko avatar Sep 25 '19 07:09 sualko

There isn't much

image

loxK avatar Sep 30 '19 10:09 loxK

I see in Firefox 69.0.1 this:

Content Security Policy: Die Einstellungen der Seite haben das Laden einer Ressource auf inline blockiert ("script-src").

TomW80 avatar Sep 30 '19 17:09 TomW80

Similar problem here with NextCloud 16.

In Firefox (linux) console: image

In Chromium (linux) console: image

pmetras avatar Nov 08 '19 02:11 pmetras

I think I have figured out the problem but I will have to confirm it first. I think the problem is that the app collects too much data and doesn't remove any data by itself without interaction of the user. This results in a large database table and the view can't list all the data because of a missing pagination.

I will try to produce a large database but if somebody of you could just drop the content of the table oc_ransomware_detection and check if it's working again that would be great! :) Attention: after dropping the content you will lose all the results.

ilovemilk avatar Nov 08 '19 12:11 ilovemilk

I dropped the oc_ransomware_detection table content and accessed the page but I've still the same problem with the spinning icon and Content Security Policy: The page’s settings blocked the loading of a resource at inline (“script-src”). error in the console: image

pmetras avatar Nov 10 '19 17:11 pmetras

It seems like there are two separate issues at hand:

  • The app needs to modify CSP settings (see https://docs.nextcloud.com/server/15/developer_manual/api/OCP/AppFramework/Http/ContentSecurityPolicy.html?highlight=allow%20unsafe%20eval)

  • The app needs to be able to process huge amounts of files (some instances have a lot of files which will result in a huge table size)

e-alfred avatar Nov 30 '19 21:11 e-alfred
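
Added example, not part of the thread or the app's code: the console error quoted above means an inline script failed the page's script-src check. The Node.js sketch below applies the CSP rules for inline scripts to a policy string; the policies and nonce are constructed, and script-src-elem is not handled.

```javascript
const crypto = require('crypto');

// Source list that governs scripts: script-src, falling back to default-src.
// Returns null when neither directive is present (scripts are unrestricted).
function scriptSources(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const [name, ...values] = part.trim().split(/\s+/);
    const key = name.toLowerCase();
    if (key && !directives.has(key)) directives.set(key, values); // first one wins
  }
  return directives.get('script-src') || directives.get('default-src') || null;
}

// Would an inline <script> with this nonce attribute and body be executed?
function inlineScriptAllowed(policy, { nonce = '', body = '' } = {}) {
  const sources = scriptSources(policy);
  if (sources === null) return true;
  const lower = sources.map((s) => s.toLowerCase());
  const nonces = sources.filter((s) => /^'nonce-.+'$/i.test(s));
  const hashes = sources.filter((s) => /^'sha(256|384|512)-.+'$/i.test(s));
  if (nonce && nonces.some((s) => s.slice(7, -1) === nonce)) return true;
  const digest = crypto.createHash('sha256').update(body, 'utf8').digest('base64');
  if (hashes.includes(`'sha256-${digest}'`)) return true;
  // 'unsafe-inline' is ignored as soon as a nonce, hash or 'strict-dynamic' is listed.
  return lower.includes("'unsafe-inline'") && nonces.length === 0 &&
    hashes.length === 0 && !lower.includes("'strict-dynamic'");
}

// Constructed policies, not taken from any Nextcloud release.
const NONCE_POLICY = "default-src 'none'; script-src 'self' 'nonce-Zm9vYmFy'";
const MIXED_POLICY = "script-src 'self' 'unsafe-inline' 'nonce-Zm9vYmFy'";

console.log(inlineScriptAllowed(NONCE_POLICY));                        // false: blocked
console.log(inlineScriptAllowed(NONCE_POLICY, { nonce: 'Zm9vYmFy' })); // true: runs
console.log(inlineScriptAllowed(MIXED_POLICY));                        // false: blocked
```

A `false` result corresponds to the "blocked the loading of a resource at inline" message; the third case shows why adding 'unsafe-inline' to a policy that already carries a nonce changes nothing.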

@ilovemilk why closing? The issue is still there in the latest version.

loxK avatar Sep 22 '20 23:09 loxK

There will be a new release in the next week with a complete rework of the App. The frontend is now implemented with VueJs instead of JQuery with a complete new UX design. The app internally is reworked to be more structured and uses an OpenAPI REST interface.

So this problem will be resolved with the new release. I just need some time to write some FAQ and app description to tackle some other issues, finish the build process and test the application with real malware samples.

If you want, I can reopen the issue until the new release is out! :)

ilovemilk avatar Sep 23 '20 09:09 ilovemilk

I just released a new version and I hope this solves the problem! :)

ilovemilk avatar Dec 02 '20 20:12 ilovemilk

Thanks heaps! It is fixed for me, first time seeing that app running! [happy dance]

loxK avatar Dec 04 '20 04:12 loxK

I'm really happy this is solved after such a long time! :) I'm closing this for now.

ilovemilk avatar Dec 04 '20 08:12 ilovemilk

Hello,

Unfortunately, the problem still exists with me. I am using Nextcloud 18.0.6 on a Synology NAS

I see the following error:

Uninitialized string offset: 0 at /volume1/web/nextcloud/lib/private/Files/Node/Node.php#307

Undefined index: dirname at /volume1/web/nextcloud/apps/ransomware_detection/lib/Monitor.php#260

TomW80 avatar Dec 08 '20 10:12 TomW80

Thanks for the report.

This concrete error should help :)

ilovemilk avatar Dec 08 '20 12:12 ilovemilk

It looks like you create a directory which doesn't have a path? Can you tell what you are doing? What directory are you creating?

ilovemilk avatar Dec 09 '20 10:12 ilovemilk

I have seen the following error, but the other error message of the ransomware has been coming for some time.

[ransomware_detection] Fatal: File Not Found /Backup/ProgramData/Mein Büro/Dokumente/1/Artikel/Art.Nr 11303

DELETE /nextcloud/remote.php/dav/files/*/Backup/ProgramData/Mein%20B%C3%BCro/Dokumente/1/Artikel/Art.Nr%2011303 from 192.168.. by *** at 2020-12-09T22:33:18+00:00

TomW80 avatar Dec 09 '20 22:12 TomW80

Thanks, I'll try to recreate the scenario! :)

ilovemilk avatar Dec 10 '20 09:12 ilovemilk

So I tried to recreate the problems:

> Uninitialized string offset: 0 at /volume1/web/nextcloud/lib/private/Files/Node/Node.php#307
>
> Undefined index: dirname at /volume1/web/nextcloud/apps/ransomware_detection/lib/Monitor.php#260

The path you mentioned in your comment doesn't relate to this issue. This can only pop up if the path is empty so I will add a check for this and improve the debug output! :)

> [ransomware_detection] Fatal: File Not Found /Backup/ProgramData/Mein Büro/Dokumente/1/Artikel/Art.Nr 11303
>
> DELETE /nextcloud/remote.php/dav/files/*/Backup/ProgramData/Mein%20B%C3%BCro/Dokumente/1/Artikel/Art.Nr%2011303 from 192.168.. by *** at 2020-12-09T22:33:18+00:00

Can you confirm that the file exists?

ilovemilk avatar Dec 10 '20 20:12 ilovemilk

The file or folder is created shortly and then deleted again immediately.

TomW80 avatar Dec 14 '20 15:12 TomW80

I am also seeing a similar issue even after updating to NC 20.0.4. The app list on the server:

/usr/bin/php /config/www/nextcloud/occ app:list

Enabled:

  • accessibility: 1.6.0
  • activity: 2.13.4
  • bruteforcesettings: 2.0.1
  • cloud_federation_api: 1.3.0
  • comments: 1.10.0
  • contactsinteraction: 1.1.0
  • dashboard: 7.0.0
  • dav: 1.16.2
  • federatedfilesharing: 1.10.2
  • federation: 1.10.1
  • files: 1.15.0
  • files_external: 1.11.1
  • files_pdfviewer: 2.0.1
  • files_rightclick: 0.17.0
  • files_sharing: 1.12.1
  • files_trashbin: 1.10.1
  • files_versions: 1.13.0
  • files_videoplayer: 1.9.0
  • firstrunwizard: 2.9.0
  • keeweb: 0.6.4
  • logreader: 2.5.0
  • lookup_server_connector: 1.8.0
  • nextcloud_announcements: 1.9.0
  • notifications: 2.8.0
  • oauth2: 1.8.0
  • password_policy: 1.10.1
  • photos: 1.2.1
  • previewgenerator: 3.1.0
  • privacy: 1.4.0
  • provisioning_api: 1.10.0
  • ransomware_detection: 0.10.0
  • ransomware_protection: 1.8.0
  • recommendations: 0.8.0
  • serverinfo: 1.10.0
  • settings: 1.2.0
  • sharebymail: 1.10.0
  • support: 1.3.0
  • survey_client: 1.8.0
  • suspicious_login: 3.2.1
  • systemtags: 1.10.0
  • text: 3.1.0
  • theming: 1.11.0
  • twofactor_backupcodes: 1.9.0
  • twofactor_totp: 5.0.0
  • unsplash: 1.1.7
  • updatenotification: 1.10.0
  • user_status: 1.0.1
  • viewer: 1.4.0
  • weather_status: 1.0.0
  • workflowengine: 2.2.0

Disabled:

  • admin_audit
  • encryption
  • files_external_gdrive
  • user_ldap

When I click on the Ransomware Detection on top, it will only show a spinning circle and then the current page will be reloaded. image

Is my situation related to this ticket?

Thanks!

One side question, when I try to run app code check I get the following errors.

/usr/bin/php /config/www/nextcloud/occ app:check-code ransomware_detection

An unhandled exception has been thrown: Error: Undefined constant 'T_DOUBLE_COLON' in /config/www/nextcloud/3rdparty/nikic/php-parser/lib/PhpParser/Lexer.php:385
Stack trace:
#0 /config/www/nextcloud/3rdparty/nikic/php-parser/lib/PhpParser/Lexer.php(38): PhpParser\Lexer->createTokenMap()
#1 /config/www/nextcloud/3rdparty/nikic/php-parser/lib/PhpParser/Lexer/Emulative.php(39): PhpParser\Lexer->__construct(Array)
#2 /config/www/nextcloud/3rdparty/nikic/php-parser/lib/PhpParser/ParserFactory.php(23): PhpParser\Lexer\Emulative->__construct()
#3 /config/www/nextcloud/lib/private/App/CodeChecker/CodeChecker.php(60): PhpParser\ParserFactory->create(3)
#4 /config/www/nextcloud/core/Command/App/CheckCode.php(95): OC\App\CodeChecker\CodeChecker->__construct(Object(OC\App\CodeChecker\StrongComparisonCheck), true)
#5 /config/www/nextcloud/3rdparty/symfony/console/Command/Command.php(255): OC\Core\Command\App\CheckCode->execute(Object(Symfony\Component\Console\Input\ArgvInput), Object(Symfony\Component\Console\Output\ConsoleOutput))
#6 /config/www/nextcloud/3rdparty/symfony/console/Application.php(1000): Symfony\Component\Console\Command\Command->run(Object(Symfony\Component\Console\Input\ArgvInput), Object(Symfony\Component\Console\Output\ConsoleOutput))
#7 /config/www/nextcloud/3rdparty/symfony/console/Application.php(271): Symfony\Component\Console\Application->doRunCommand(Object(OC\Core\Command\App\CheckCode), Object(Symfony\Component\Console\Input\ArgvInput), Object(Symfony\Component\Console\Output\ConsoleOutput))
#8 /config/www/nextcloud/3rdparty/symfony/console/Application.php(147): Symfony\Component\Console\Application->doRun(Object(Symfony\Component\Console\Input\ArgvInput), Object(Symfony\Component\Console\Output\ConsoleOutput))
#9 /config/www/nextcloud/lib/private/Console/Application.php(215): Symfony\Component\Console\Application->run(Object(Symfony\Component\Console\Input\ArgvInput), Object(Symfony\Component\Console\Output\ConsoleOutput))
#10 /config/www/nextcloud/console.php(100): OC\Console\Application->run()
#11 /config/www/nextcloud/occ(11): require_once('/config/www/nex...')
#12 {main}

jefferyyjhsu avatar Jan 07 '21 22:01 jefferyyjhsu

Hey, thanks for reporting. The app in version 0.10.0 is just an empty application with no functionality. This is due to a critical bug in the recovery, for the safety of the users until it's fixed. I recommend disabling the app until a bugfix is released! :)

For more information see #56.

ilovemilk avatar Jan 08 '21 11:01 ilovemilk