
#1 2020-11-02 15:27:40

arsv
Member
Registered: 2020-11-02
Posts: 4

[SOLVED] Clamav detect malware in firefox cache.

I recently installed Arch Linux on my laptop; I'm new to Linux.

I ran a ClamAV test last week and this was the output:

-------------------------------------------------------------------------------

/home/lws/.cache/mozilla/firefox/dcgmxkdk.default-release/cache2/entries/4D7695BE867F1B14DC3D0F3FD8B6C240EA7366D4: Urlhaus.Malware.191095-8836388-0 FOUND
/home/lws/.cache/mozilla/firefox/dcgmxkdk.default-release/cache2/entries/1FC3E341EDFCEE2CF8D8C063E481C6AD63F8A823: Urlhaus.Malware.191095-8836388-0 FOUND
/home/lws/.cache/mozilla/firefox/dcgmxkdk.default-release/cache2/entries/84094B7630FFB42C36CF024C8CBC5C30C0ACDF9C: Urlhaus.Malware.161756-8797115-0 FOUND
/usr/lib/firefox/browser/extensions/uBlock0@raymondhill.net.xpi: Urlhaus.Malware.191095-8836388-0 FOUND

----------- SCAN SUMMARY -----------
Known viruses: 8930483
Engine version: 0.103.0
Scanned directories: 17639
Scanned files: 115372
Infected files: 4
Total errors: 34426
Data scanned: 8039.14 MB
Data read: 7878.21 MB (ratio 1.02:1)
Time: 1125.775 sec (18 m 45 s)
Start Date: 2020:10:31 04:55:12
End Date:   2020:10:31 05:13:57

So I cleaned the Firefox cache, and a new scan then only showed the uBlock Origin extension as malware (I think this is a false positive).

But today I ran a scan again and the new output is:

-------------------------------------------------------------------------------

/home/lws/.cache/mozilla/firefox/dcgmxkdk.default-release/cache2/entries/1FC3E341EDFCEE2CF8D8C063E481C6AD63F8A823: Urlhaus.Malware.191095-8836388-0 FOUND
/usr/lib/firefox/browser/extensions/uBlock0@raymondhill.net.xpi: Urlhaus.Malware.191095-8836388-0 FOUND

----------- SCAN SUMMARY -----------
Known viruses: 8931290
Engine version: 0.103.0
Scanned directories: 21347
Scanned files: 112651
Infected files: 2
Total errors: 34468
Data scanned: 7681.54 MB
Data read: 7787.10 MB (ratio 0.99:1)
Time: 1141.101 sec (19 m 1 s)
Start Date: 2020:11:02 15:34:58
End Date:   2020:11:02 15:53:59

How can I find out what that is? Should I block all caching in Firefox? I run it in Firejail, if that matters.

PS: Sorry for my English.

Last edited by arsv (2020-11-05 23:14:45)

Offline

#2 2020-11-02 16:04:06

mpan
Member
Registered: 2012-08-01
Posts: 1,205
Website

Re: [SOLVED] Clamav detect malware in firefox cache.

It seems like you have visited a website that contained URLs that are used to distribute malware; those pages were cached by Firefox and now ClamAV detects them.

Those files are doing nothing by themselves: this is just a cache. The problem is a step earlier: you are visiting a website that distributes malware.

I do not know how ClamAV constructs their threat identifiers, but they roughly match those two entries in the URLhaus database: 161756 and 191095.

Last edited by mpan (2020-11-02 16:07:44)


Sometimes I seem a bit harsh — don’t get offended too easily!

Offline

#3 2020-11-02 16:20:07

Zod
Member
From: Hoosiertucky
Registered: 2019-03-10
Posts: 629

Re: [SOLVED] Clamav detect malware in firefox cache.

uBlock Origin uses URLhaus to track malicious URLs.

I'm not familiar enough with clamav to understand what the relationship between them is.

https://gitlab.com/curben/urlhaus-filter

Edit: It appears that you can use URLhaus as policy for blocking DNS requests.

https://abuse.ch/blog/using-urlhaus-as- … -zone-rpz/

Last edited by Zod (2020-11-02 16:26:27)

Offline

#4 2020-11-02 16:54:31

arsv
Member
Registered: 2020-11-02
Posts: 4

Re: [SOLVED] Clamav detect malware in firefox cache.

mpan wrote:

It seems like you have visited a website that contained URLs that are used to distribute malware; those pages were cached by Firefox and now ClamAV detects them.

Those files are doing nothing by themselves: this is just a cache. The problem is a step earlier: you are visiting a website that distributes malware.

I do not know how ClamAV constructs their threat identifiers, but they roughly match those two entries in the URLhaus database: 161756 and 191095.

But I don't visit these URLs. Looking at my Firefox history, I only visited 6 URLs (trusted and safe). 95% of my history is the Arch wiki and the Arch forums.

Offline

#5 2020-11-02 16:56:46

arsv
Member
Registered: 2020-11-02
Posts: 4

Re: [SOLVED] Clamav detect malware in firefox cache.

Zod wrote:

uBlock Origin uses URLhaus to track malicious URLs.

I'm not familiar enough with clamav to understand what the relationship between them is.

https://gitlab.com/curben/urlhaus-filter

Edit: It appears that you can use URLhaus as policy for blocking DNS requests.

https://abuse.ch/blog/using-urlhaus-as- … -zone-rpz/

Maybe uBlock saves these URLs in the Firefox cache and ClamAV detects that? Or doesn't it work like that?

Offline

#6 2020-11-02 17:11:22

Zod
Member
From: Hoosiertucky
Registered: 2019-03-10
Posts: 629

Re: [SOLVED] Clamav detect malware in firefox cache.

arsv wrote:

Maybe uBlock saves these URLs in the Firefox cache and ClamAV detects that? Or doesn't it work like that?

That's along the lines of what I'm thinking.

Without examining the cache file that is created, my guess is uBlock creates the file in such a fashion that ClamAV alerts on it... kinda like an EICAR test file.

Last edited by Zod (2020-11-02 17:11:39)

Offline

#7 2020-11-02 22:02:15

mpan
Member
Registered: 2012-08-01
Posts: 1,205
Website

Re: [SOLVED] Clamav detect malware in firefox cache.

arsv wrote:

But I don't visit these URLs. Looking at my Firefox history, I only visited 6 URLs (trusted and safe). 95% of my history is the Arch wiki and the Arch forums.

Most likely this is not the address of the website you have directly visited. It’s something the website was linking to.


Sometimes I seem a bit harsh — don’t get offended too easily!

Offline

#8 2020-11-03 15:35:06

euromatlox
Member
Registered: 2017-02-10
Posts: 110

Re: [SOLVED] Clamav detect malware in firefox cache.

Not totally related to this issue, but kind of a tip. If preserving the cache is not needed, using a temporary filesystem (RAM) is an option.
In your case the new line for /etc/fstab is below. Change the size if needed (that's my current setting). I recommend cleaning the cache before using this tmpfs directory as a replacement.
A reboot is needed, of course, after fstab is edited. If you need to return to the original directory (on the HDD), remove or disable this fstab line and reboot.

tmpfs  /home/lws/.cache/mozilla 	tmpfs 	noatime,nodev,nosuid,size=200M,x-gvfs-hide	0 0

Check also the Arch wiki page on tmpfs.

Last edited by euromatlox (2020-11-04 16:07:40)

Offline

#9 2020-11-03 22:51:50

mpan
Member
Registered: 2012-08-01
Posts: 1,205
Website

Re: [SOLVED] Clamav detect malware in firefox cache.

Malware in the browser’s cache is not doing anything by just lying around. It poses no more danger than it did while being acquired by Firefox. Removing it is not solving the problem: in particular since clearly arsv is revisiting websites that spread it, so it will just get downloaded again. And that’s under the assumption anything is being downloaded, which seems to be false: ClamAV is reporting URLs to malware present in the cached content, not malware itself.

As for using tmpfs: it is stored in memory. That has some drawbacks.

  • It uses RAM and, if present, swap. Both are scarce resources compared to HDD/SSD space.

  • As soon as Firefox frees memory by pushing entries to the disk cache, you’re moving them back to memory.

While historically using in-memory storage for the disk cache was used to trade RAM for browser speed by people who considered Firefox’s choices suboptimal or not matching their tastes, using that merely for periodic file removal seems like overkill. I will strongly stress that this is not needed for protection against malware, but if someone wants to clean the disk cache, there are other options: systemd, cleaning the cache on Firefox exit, or disabling the disk cache altogether.

Last edited by mpan (2020-11-03 22:58:39)


Sometimes I seem a bit harsh — don’t get offended too easily!

Offline

#10 2020-11-04 16:01:02

euromatlox
Member
Registered: 2017-02-10
Posts: 110

Re: [SOLVED] Clamav detect malware in firefox cache.

Scarce RAM is not a problem nowadays for most computers. Plenty of that is available. I do not see anything bad about using tmpfs, but of course it's not necessary. All choices usually have their drawbacks and advantages. Who really needs a gigabytes-sized cache for a browser? If one really needs it, then of course HDD space is the better option.
(I edited my last message, removed that 'viruses' clause, not to give wrong idea.)

Last edited by euromatlox (2020-11-04 16:05:54)

Offline

#11 2020-11-05 01:07:35

mpan
Member
Registered: 2012-08-01
Posts: 1,205
Website

Re: [SOLVED] Clamav detect malware in firefox cache.

I have never said anything about RAM being scarce in absolute terms. There is a whole sentence there, consisting of 9 words, not 4. And around 90 more words after it.

The point is: not only is it unrelated to that problem, but it has only a vague possible advantage, which was relevant mostly in the past. Even then it was a tradeoff with an uncertain net outcome. Yes, everything has its pros and cons: therefore somebody had to explain the cons if another person has shown only the pros. I see no reason to oppose that.

You are free to prove that post wrong, but I am not willing to engage in an offtopic discussion containing arguments only slightly related to fragments of the statement — in particular not on the forum.

Last edited by mpan (2020-11-05 01:16:28)


Sometimes I seem a bit harsh — don’t get offended too easily!

Offline

#12 2020-11-05 23:12:51

arsv
Member
Registered: 2020-11-02
Posts: 4

Re: [SOLVED] Clamav detect malware in firefox cache.

OK, I had time today and did some tests on this case.

In the uBlock Origin options, in the filter lists, there is an option called "online malicious url blocklist". It is selected by default and is updated from time to time.

It creates some files in the Firefox cache; in particular, if you go to about:cache in Firefox there are 3 files called:

https://curben.gitlab.io/malware-filter/urlhaus-filter-online.txt?_=8
https://raw.githubusercontent.com/uBlockOrigin/uAssets/master/filters/filters-2020.txt?_=8
https://raw.githubusercontent.com/uBlockOrigin/uAssets/master/filters/unbreak.txt?_=8

I don't know which of these 3 files is the one that ClamAV flags. I think it's the first, since "urlhaus" appears in its name, but all 3 are more or less the same size and I'm not sure.

Thank you to everyone who has replied in this thread, I have learned some things.

Last edited by arsv (2020-11-05 23:22:11)

Offline

#13 2020-11-05 23:24:06

mpan
Member
Registered: 2012-08-01
Posts: 1,205
Website

Re: [SOLVED] Clamav detect malware in firefox cache.

In “urlhaus-filter-online.txt”, line 6324 matches 191095. That would explain at least a part of the story. But I was not aware extensions save their own files into the Firefox cache.

Last edited by mpan (2020-11-05 23:25:59)


Sometimes I seem a bit harsh — don’t get offended too easily!

Offline
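For anyone who wants to verify this kind of finding on their own machine, the following is an added example (not code from the thread, from Mozilla, from uBlock Origin or from ClamAV). It reads a Firefox cache2 entry file such as the ones named in the scan output, recovers the cache key (the URL the entry was fetched from) from the metadata block at the end of the file, and checks whether the cached body looks like an adblock-style blocklist ("||host^" rules and "!" comments), which is what a Urlhaus.* signature would match on, rather than an actual payload. The cache2 layout in the docstring is this example's own assumption about the on-disk format, the 256 KiB chunk size is assumed, and the sample list and URL are constructed inline so the script runs offline.

```python
"""Triage a Firefox cache2 entry that ClamAV flagged with a URLhaus signature.

Added example; assumes the cache2 entry layout documented in parse_cache2_entry.
All sample data is constructed inline, nothing is fetched from the network.
"""
import gzip
import re
import struct
import sys

CHUNK_SIZE = 256 * 1024  # assumed chunk size behind the per-chunk hash table


def parse_cache2_entry(blob):
    """Split a cache2 entry into the cached body, the cache key and the
    metadata elements (response headers etc.).

    Assumed layout, all integers big-endian:
      [body][meta hash u32][u16 hash per 256 KiB chunk][header u32 x 7|8]
      [key NUL][elem-key NUL elem-value NUL ...][metadata offset u32]
    """
    if len(blob) < 4:
        raise ValueError("too short to be a cache2 entry")
    (meta_off,) = struct.unpack(">I", blob[-4:])
    if meta_off > len(blob) - 4:
        raise ValueError("metadata offset points past end of file")
    hash_count = -(-meta_off // CHUNK_SIZE)          # ceil division
    hdr_off = meta_off + 4 + 2 * hash_count
    (version,) = struct.unpack(">I", blob[hdr_off:hdr_off + 4])
    hdr_len = 28 if version == 1 else 32             # version 2+ adds a flags field
    hdr = struct.unpack(">%dI" % (hdr_len // 4), blob[hdr_off:hdr_off + hdr_len])
    key_size = hdr[6]
    key_off = hdr_off + hdr_len
    key = blob[key_off:key_off + key_size].decode("utf-8", "replace")
    if blob[key_off + key_size:key_off + key_size + 1] != b"\0":
        raise ValueError("cache key is not NUL-terminated")
    raw = blob[key_off + key_size + 1:len(blob) - 4].split(b"\0")
    elements = {raw[i].decode("utf-8", "replace"): raw[i + 1].decode("utf-8", "replace")
                for i in range(0, len(raw) - 1, 2)}
    # The key carries comma-terminated tags ("a," etc.) before a ':' and the
    # URL after it, e.g. "a,:https://example.com/" (assumed key syntax).
    _, _, url = key.partition(":")
    return {"url": url, "key": key, "version": version, "fetch_count": hdr[1],
            "elements": elements, "body": blob[:meta_off]}


FILTER_RULE = re.compile(r"^(\|\||!)")  # "||host^" block rule or "!" comment line


def count_filter_lines(body):
    """Return (adblock-style lines, non-empty lines) for the cached body,
    transparently gunzipping a body that was cached gzip-encoded."""
    if body[:2] == b"\x1f\x8b":
        body = gzip.decompress(body)
    lines = [ln for ln in body.decode("utf-8", "replace").splitlines() if ln.strip()]
    hits = sum(1 for ln in lines if FILTER_RULE.match(ln))
    return hits, len(lines)


def triage_entry(blob, threshold=0.8):
    """Decide whether a flagged entry is a cached blocklist (a list of URLs to
    malware, which Urlhaus.* signatures match on) rather than cached malware."""
    entry = parse_cache2_entry(blob)
    hits, total = count_filter_lines(entry["body"])
    return {"url": entry["url"], "lines": total, "filter_lines": hits,
            "likely_filter_list": total > 0 and hits / total >= threshold}


def build_sample_entry(url, body, elements=None):
    """Constructed sample: write an entry in the layout parse_cache2_entry
    expects so the example runs offline. Chunk hashes are left zeroed."""
    meta_off = len(body)
    hash_count = -(-meta_off // CHUNK_SIZE)
    key = ("a,:" + url).encode()
    header = struct.pack(">8I", 3, 1, 0, 0, 0, 0, len(key), 0)
    elems = b"".join(k.encode() + b"\0" + v.encode() + b"\0"
                     for k, v in (elements or {}).items())
    meta = struct.pack(">I", 0) + b"\0\0" * hash_count + header + key + b"\0" + elems
    return body + meta + struct.pack(">I", meta_off)


# Constructed stand-in for the cached urlhaus-filter-online.txt named in the thread.
SAMPLE_URL = "https://curben.gitlab.io/malware-filter/urlhaus-filter-online.txt?_=8"
SAMPLE_BODY = b"\n".join([
    b"! Title: constructed URLhaus-style blocklist (sample data)",
    b"! Expires: 1 day",
    b"||blocked-host-1.example^",
    b"||blocked-host-2.example/path^",
    b"||blocked-host-3.example^",
])
SAMPLE_BODY_GZ = gzip.compress(SAMPLE_BODY)  # same list as a gzip-encoded response

if __name__ == "__main__":
    paths = sys.argv[1:]
    blobs = ([open(p, "rb").read() for p in paths] if paths
             else [build_sample_entry(SAMPLE_URL, SAMPLE_BODY)])
    for blob in blobs:
        print(triage_entry(blob))
```

Run it with the flagged entry paths from the scan log as arguments (for example the files under cache2/entries/ in the first post); without arguments it triages the constructed sample. A result whose URL is a filter-list download and whose body is almost entirely "||host^" rules is the situation described in this thread: the signature matched URLs listed in a blocklist, not a downloaded payload.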

#14 2020-11-12 08:49:50

Cyberpunk_Is_Bae
Member
Registered: 2020-03-23
Posts: 36

Re: [SOLVED] Clamav detect malware in firefox cache.

Hi there.

I just had this problem too.

I ran:

# clamscan -r --log=/root/clamav/log/scan.log --move=/root/clamav/quarantine /

It actually took my XPI (the firefox extension itself) and killed it, moving it into quarantine, and I had to reinstall the extension.

This is horrible behavior if it's going to be the status quo. Can anyone confirm that this is repeatable / is there anything we can do?

Offline

#15 2020-11-12 10:12:29

progandy
Member
Registered: 2012-05-17
Posts: 5,190

Re: [SOLVED] Clamav detect malware in firefox cache.

You can add whitelists: https://www.clamav.net/documents/whitelist-databases
If you do not want to ignore the signature completely, then you'll have to update the file hashes each time the extension is updated.


| alias CUTF='LANG=en_XX.UTF-8@POSIX ' |

Offline
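As a concrete form of the whitelist approach above, here is an added shell example (not code from the thread or from ClamAV). It writes a `.fp` entry (MD5, size in bytes and a label, the same fields as an `.hdb` signature) for one exact file, shows the broader `.ign2` alternative that silences a signature name such as Urlhaus.Malware.191095-8836388-0 everywhere, and includes a check that tells you when the entry has gone stale, which is exactly what happens once the extension is updated. The database path /var/lib/clamav/local.fp and the label names are assumptions; the clamscan call is only made when you run the script with a file argument.

```shell
#!/bin/sh
# Added example: maintain a ClamAV false-positive whitelist entry for a file
# that a signature keeps flagging (e.g. the uBlock Origin XPI from the thread).
#
# Whitelist formats this relies on (see the clamav.net whitelist-databases page):
#   *.fp    MD5:size:label      whitelists one exact file (size in bytes)
#   *.ign2  SignatureName       ignores a signature entirely, for every file
# The database location and labels below are assumptions; adjust them.
set -eu

fp_entry() {
    # $1 = file, $2 = label; prints the .fp line for the file's current contents
    md5=$(md5sum "$1" | cut -d' ' -f1)
    size=$(wc -c < "$1" | tr -d ' ')
    printf '%s:%s:%s\n' "$md5" "$size" "$2"
}

ign2_entry() {
    # $1 = signature name exactly as clamscan prints it. Much broader than .fp:
    # the signature stops firing on any file, so prefer fp_entry where possible.
    printf '%s\n' "$1"
}

fp_is_current() {
    # $1 = file, $2 = .fp database. Succeeds only if the database holds an entry
    # for the file's present MD5 and size; fails after the file is updated.
    entry=$(fp_entry "$1" x)
    grep -q "^${entry%:x}:" "$2"
}

main() {
    target=$1                                   # e.g. /usr/lib/firefox/browser/extensions/uBlock0@raymondhill.net.xpi
    db=${CLAMAV_DB_DIR:-/var/lib/clamav}/local.fp   # assumed path; needs write access
    if fp_is_current "$target" "$db" 2>/dev/null; then
        echo "whitelist entry for $target is current"
    else
        fp_entry "$target" "local.whitelisted.file" >> "$db"
        echo "added entry for $target to $db (re-run after every update of the file)"
    fi
    # Confirm with the same database directory clamscan will load
    clamscan --database="${db%/*}" "$target"
}

if [ "$#" -gt 0 ]; then
    main "$1"
else
    echo "usage: $0 /path/to/flagged/file" >&2
fi
```

Run it as root (the database directory is root-owned on a default install) with the path of the flagged file; rerun it after each extension update and it will tell you whether the stored hash still matches, instead of silently leaving a stale entry behind while the detection comes back.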

#16 2020-11-13 04:18:40

mpan
Member
Registered: 2012-08-01
Posts: 1,205
Website

Re: [SOLVED] Clamav detect malware in firefox cache.

Cyberpunk_Is_Bae wrote:

I ran:

# clamscan -r --log=/root/clamav/log/scan.log --move=/root/clamav/quarantine /

Removing an extension that acts as a firewall and protects against malicious websites is hardly a solution to the problem. By this logic you could solve it by:

pacman -Rsn clamav

Or by removing ClamAV’s signature databases.


Sometimes I seem a bit harsh — don’t get offended too easily!

Offline
