
Maldet can't scan files/directories with whitespace. VERSION:1.6.4 #354

Open
leooelx opened this issue Jan 26, 2020 · 8 comments


leooelx commented Jan 26, 2020

I am using Maldet + ClamAV + inotify in monitor mode on a shared Samba directory.

When I put a piece of malware with no whitespace in its name, Maldet can scan it and move the file to quarantine, but when I put a file with whitespace in its name, the clamscan_log shows:

File: PDFXCview - Copy.exe
ERROR: Can't access file /media/raid5/samba/public/PDFXCview

The same error occurs with whitespace in a directory name:

FILE: PDFXCview.exe
ERROR: Can't access file /media/raid5/samba/public/new

I tried to change the filter rule on line 1569 of the file internal/functions from:

$tlog $inotify_log inotify | grep -E "CREATE|MODIFY|MOVED_FROM|MOVED_TO" | grep -E -v '/.. ' | awk '{print$1}' | sort | uniq > $monitor_scanlist

to:

$tlog $inotify_log inotify | awk -F"CREATE|MODIFY|MOVED_FROM|MOVED_TO" '{print $1}' | grep -E -v '/.. ' | sort | uniq | sed -r 's/[ $]+/\&/g' | sed 's/.{2}$//' > $monitor_scanlist

clamscan_log:
ERROR: Can't access file /media/raid5/samba/public/PDFXCview\ -\ Copy.exe
AND
ERROR: Can't access file /media/raid5/samba/public/new\ folder/PDFXCview.exe

and to:

$tlog $inotify_log inotify | grep -E "CREATE|MODIFY|MOVED_FROM|MOVED_TO" | grep -E -v '/.. ' | awk -F'(CREATE|MODIFY|MOVED_FROM|MOVED_TO)' '{print $1}' | sort | uniq > $monitor_scanlist

clamscan_log:
ERROR: Can't access file /media/raid5/samba/public/PDFXCview - Copy.exe
AND
ERROR: Can't access file /media/raid5/samba/public/new folder/PDFXCview.exe

When I use the command clamscan -r /media/raid5/samba/public, it finds the malware, even with the whitespace.

Does anyone know where the bug is?

Thanks!


leooelx commented Jan 27, 2020

I solved the issue.

Now Maldet can scan and quarantine files with whitespace in their names, including files with whitespace in their names inside directories with whitespace in their names.

On line 1569 of the file internal/functions, the filter has to be set this way:

$tlog $inotify_log inotify | awk -F"CREATE|MODIFY|MOVED_FROM|MOVED_TO" '{print $1}' | grep -E -v '/.. ' | sort | uniq | sed 's/.{1}$//' > $monitor_scanlist

My thanks to https://github.com/miglinux for helping me monitor the contents of the temporary random files that contained the path and file name.

rfxn added the bug label Jan 31, 2020
rfxn self-assigned this Jan 31, 2020

bzed commented Apr 24, 2020

@rfxn well, I think that is a grave enough bug to warrant an immediate fix and release?


Gazoo commented Jul 23, 2020

@rfxn any updates on a release to fix this ?


arafatx commented Aug 1, 2020

I think he might be busy with some other things. Last commit was April 2019.


leooelx commented Aug 29, 2020

> I think he might be busy with some other things. Last commit was April 2019.

The issue was solved with my code in version 1.6.5.

Line 1569:
https://github.com/rfxn/linux-malware-detect/blob/master/files/internals/functions


Gazoo commented Aug 31, 2020

Thanks for this guys. Happy to see work on 1.6.5 :)


Gazoo commented Sep 23, 2020

Think we can get an official 1.6.5 release now?

@danci1973

I think the proposed solution needs a few improvements.

  1. You still need to grep 'CREATE|MODIFY|MOVED_FROM|MOVED_TO' from the inotify log, otherwise the file list will contain stuff like:
Setting up watches.  Beware: since -r was given, this may take a while!
Watches established.

Basically, anything that's written to the inotify_log is then treated as a file.

  2. awk in this form creates a list of files that end with spaces (at least on CentOS 7.9) and clamdscan can't access these files. I suggest adding spaces to the field separators:

awk -F" CREATE| MODIFY| MOVED_FROM| MOVED_TO"

  3. I don't quite understand the purpose of grep -E -v '/.. ', but in this form it removes all files or directories that start with two characters followed by a space (for example, /var/www/it is just a test would be removed from the list).

  4. What is sed 's/.{1}$//' supposed to do?

  5. I think it would be useful if monitor mode would also use ignore_paths, so my take on it is this:

$tlog $inotify_log inotify | grep -E " CREATE| MODIFY| MOVED_FROM| MOVED_TO" | awk -F" CREATE| MODIFY| MOVED_FROM| MOVED_TO" '{print $1}' | sort -u | grep -vf $ignore_paths > $monitor_scanlist
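A consolidated version of the monitor-mode filter the thread converges on (leooelx's fix plus danci1973's points), written here as an added example and not maldet's own code. It assumes each inotify log line has the form "<path> <EVENTS>" with the event names as the last field, which is what the pipelines in this thread imply, and it strips that last field instead of splitting on the event names, so a path that itself contains a word like CREATE survives; the log sample and the ignore list are constructed.

```shell
#!/bin/sh
# Added example, not maldet's own code. Assumed log format: "<path> <EVENTS>",
# events last and comma separated. The sample below is constructed for the demo
# and mirrors the cases raised in the thread (spaces, "new folder", noise lines).
SAMPLE_LOG='Setting up watches.  Beware: since -r was given, this may take a while!
Watches established.
/media/raid5/samba/public/PDFXCview - Copy.exe CREATE
/media/raid5/samba/public/new folder CREATE,ISDIR
/media/raid5/samba/public/new folder/PDFXCview.exe MOVED_TO
/media/raid5/samba/public/it is just a test MODIFY
/media/raid5/samba/public/CREATE notes.txt MODIFY
/media/raid5/samba/public/gone.exe DELETE
/media/raid5/samba/public/tmp/cache.bin MODIFY
/media/raid5/samba/public/PDFXCview - Copy.exe MODIFY'

# build_scanlist: read inotify log lines on stdin, print unique paths to scan.
# $1 (optional): file of ignore substrings, one per line, no blank lines
# (a blank pattern would match every line), in the spirit of ignore_paths.
build_scanlist() {
    ignore_file="$1"
    awk '
        # Keep only lines whose LAST field is an event list containing an
        # event we care about: this drops "Setting up watches..." style
        # noise and DELETE/OPEN events without ever touching the path.
        NF >= 2 && $NF ~ /^[A-Z_,]+$/ &&
        $NF ~ /(^|,)(CREATE|MODIFY|MOVED_FROM|MOVED_TO)(,|$)/ {
            # Remove exactly one separator space plus the event field, so
            # the path keeps every embedded space and is not split on a
            # word like CREATE that happens to appear inside a filename.
            sub(/ [A-Z_,]+$/, "")
            print
        }' |
    if [ -n "$ignore_file" ] && [ -s "$ignore_file" ]; then
        grep -v -F -f "$ignore_file"   # drop anything under an ignored path
    else
        cat
    fi | sort -u
}

# Demo run: write the constructed ignore list, build the list, clean up.
demo_ignore=$(mktemp)
printf '%s\n' '/media/raid5/samba/public/tmp/' > "$demo_ignore"
printf '%s\n' "$SAMPLE_LOG" | build_scanlist "$demo_ignore"
rm -f "$demo_ignore"
```

The resulting list can be fed to the scanner one path per line (for example with xargs -d '\n' or a while-read loop), which is what keeps "PDFXCview - Copy.exe" from being truncated at the first space.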
