ClamshellAV reports 'Html.Malware.Agent-6625161-0' on plugins

I'm fairly confident that this isn't a critical issue; however, I felt you folks should be aware that after running ClamshellAV on CentOS 7, the following appeared in my log (for what seems directly related to 'plugins' packages for JIRA and Bitbucket servers):

/opt/atlassian/jira/atlassian-jira/WEB-INF/atlassian-bundled-plugins/atlassian-universal-plugin-manager-plugin-2.22.9.jar: Html.Malware.Agent-6625161-0 FOUND

/opt/atlassian/jira/atlassian-jira/WEB-INF/atlassian-bundled-plugins/upm-application-plugin-2.22.9.jar: Html.Malware.Agent-6625161-0 FOUND

/opt/atlassian/jira/temp/plugin.7678726411037657193.atlassian-universal-plugin-manager-plugin-2.22.12.jar: Html.Malware.Agent-6625161-0 FOUND

/opt/atlassian/jira/temp/plugin.1235045691871667837.atlassian-universal-plugin-manager-plugin-2.22.11.jar: Html.Malware.Agent-6625161-0 FOUND

/opt/atlassian/bitbucket/5.11.1/app/WEB-INF/atlassian-bundled-plugins/atlassian-universal-plugin-manager-plugin-2.22.9.jar: Html.Malware.Agent-6625161-0 FOUND

/var/atlassian/application-data/jira/plugins/installed-plugins/plugin.7678726411037657193.atlassian-universal-plugin-manager-plugin-2.22.12.jar: Html.Malware.Agent-6625161-0 FOUND

/var/atlassian/application-data/jira/plugins/.osgi-plugins/transformed-plugins/atlassian-universal-plugin-manager-plugin-2.22.9_1530114812000.jar: Html.Malware.Agent-6625161-0 FOUND

/var/atlassian/application-data/jira/plugins/.osgi-plugins/transformed-plugins/upm-application-plugin-2.22.9_1530114812000.jar: Html.Malware.Agent-6625161-0 FOUND

/var/atlassian/application-data/jira/plugins/.osgi-plugins/transformed-plugins/plugin.1235045691871667837.atlassian-universal-plugin-manager-plugin-2.22.11_1530732163000.jar: Html.Malware.Agent-6625161-0 FOUND

/var/atlassian/application-data/jira/plugins/.osgi-plugins/transformed-plugins/plugin.7678726411037657193.atlassian-universal-plugin-manager-plugin-2.22.12_1532789555000.jar: Html.Malware.Agent-6625161-0 FOUND

/var/atlassian/application-data/bitbucket/plugins/.osgi-cache/transformed-plugins/atlassian-universal-plugin-manager-plugin-2.22.9_1527316560000.jar: Html.Malware.Agent-6625161-0 FOUND

3 answers

1 accepted

0 votes
Accepted answer
Ben Woskow Atlassian Team Jul 31, 2018

Hello,

I want to assure you that the plugins listed above are not malware. The latest ClamAV virus database includes this rule which is in fact a false positive.

I have submitted a false positive request to the ClamAV team to resolve this issue. Please follow https://ecosystem.atlassian.net/browse/UPM-5905 for progress on this issue.

In the meantime, the workaround described on this post seems like a good approach.

Cheers,
Ben

I'm also seeing this in all my Jira 7.2.7 and Confluence 5.10 instances. I'm running ClamAV 0.99.4/24797/Mon Jul 30 09:42:33 2018.

The virus signature update last night now finds UPM to be malware. Because we do not automatically quarantine suspect files, this didn't cause an issue on application restart. It's just noisy.

I've ticketed Atlassian for this.

There are two workarounds available -

* exclude the directories where the jar files exist so clamscan doesn't find the files

* exclude the files (disclosure: this method was developed by another engineer and I have not vetted it)

In order to add a file to the false-positive whitelist, you need to add the info to a file named sigfile.fp in the same directory as the db files for clamav; this is located in /var/clamav. Actually, you can name the file anything you want, just ensure the extension is .fp. This is the info that is required; again, it is a simple task in bash to get the data.

  • MD5 sum
  • File size in bytes
  • 6 digit date
  • Base file name with last extension removed. So if the file is foo.bat then the file name is foo. If it is foo.bar.bat the file name is foo.bar.

With that info you would add it to /var/clamav/sigfile.fp formatted like this:

    MD5:SIZE:DATEID_NAME

That entry represents a single file, and make sure there is only one entry per line: 1000 files, then 1000 lines.

And that is all there is to it, it takes effect as soon as the file is saved.
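
The whitelist recipe from the answer above, written out as an added shell example; this is not code from the thread, from Atlassian or from the ClamAV project. It assumes the .fp line format the answer gives (MD5:SIZE:NAME with NAME built as DATEID_basename), a 6-digit YYMMDD date for DATEID, GNU md5sum being available, and a default database path of /var/clamav/sigfile.fp that can be overridden with the hypothetical FP_FILE environment variable.

```shell
#!/bin/sh
# Added example: build ClamAV false-positive (.fp) whitelist lines for files
# that a signature update wrongly flags, following the recipe in the post.
# Assumptions: the .fp line format is MD5:SIZE:NAME, NAME is DATEID_BASENAME,
# DATEID is a 6-digit YYMMDD date, and the default .fp file lives in
# /var/clamav/sigfile.fp (override with the FP_FILE environment variable).

# Print one .fp line for a single file.
#   $1 = path to the file, $2 = optional 6-digit date id (defaults to today)
fp_entry() {
  file="$1"
  dateid="${2:-$(date +%y%m%d)}"
  # md5sum prints "<hash>  <path>"; keep only the hash
  md5=$(md5sum "$file" | cut -d' ' -f1)
  # size in bytes; wc -c is portable, tr strips BSD wc's leading spaces
  size=$(wc -c < "$file" | tr -d ' ')
  base=$(basename "$file")
  # strip only the last extension: foo.bar.jar -> foo.bar
  name="${base%.*}"
  printf '%s:%s:%s_%s\n' "$md5" "$size" "$dateid" "$name"
}

# Append one .fp line per file to the whitelist database (one entry per line).
#   $1 = output .fp file, $2 = date id, remaining args = files to whitelist
fp_whitelist() {
  out="$1"
  dateid="$2"
  shift 2
  for f in "$@"; do
    [ -f "$f" ] || { echo "skipping non-file: $f" >&2; continue; }
    fp_entry "$f" "$dateid" >> "$out"
  done
}

# Stand-alone use: sh fp-whitelist.sh /path/to/plugins/*.jar
# Without arguments nothing is written, so the functions can be sourced safely.
if [ "$#" -gt 0 ]; then
  fp_whitelist "${FP_FILE:-/var/clamav/sigfile.fp}" "$(date +%y%m%d)" "$@"
fi
```

Whitelisting by hash is the narrower of the two workarounds: it silences only that exact jar content, so a different file dropped into the same plugin directory is still scanned, whereas a directory exclusion hides anything placed there. The cost is that every UPM upgrade produces a jar with a new hash, so the whitelist has to be regenerated after each upgrade. After writing the entries, re-running clamscan with `-d /var/clamav` against one of the listed jars is a quick way to confirm the .fp file was picked up.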

I have also noticed this issue; it was also flagged for the first time on Saturday. My guess is that a ClamAV update has mistakenly flagged the plugin; can somebody please confirm that this is a false flag?

 

/data/atlassian/confluence.old/confluence/WEB-INF/atlassian-bundled-plugins/atlassian-universal-plugin-manager-plugin-2.20.jar: Html.Malware.Agent-6625208-0 FOUND
/data/atlassian/application-data/confluence.old/plugins-osgi-cache/transformed-plugins/atlassian-universal-plugin-manager-plugin-2.20_1449523626000.jar: Html.Malware.Agent-6625208-0 FOUND
/data/atlassian/application-data/confluence/plugins-cache/1493144169000plugin.1940237532048614219.atlassian-universal-plugin-manager-plugin-2.21.4.jar: Html.Malware.Agent-6625208-0 FOUND
/data/atlassian/application-data/confluence/plugins-cache/1532100170000plugin.6730594808569807862.atlassian-universal-plugin-manager-plugin-2.22.12.jar: Html.Malware.Agent-6625161-0 FOUND
/data/atlassian/application-data/confluence/plugins-osgi-cache/transformed-plugins/1493144169000plugin.1940237532048614219.atlassian-universal-plugin-manager-plugin-2.21.4_1493144169000.jar: Html.Malware.Agent-6625208-0 FOUND
/data/atlassian/application-data/confluence/plugins-osgi-cache/transformed-plugins/1532100170000plugin.6730594808569807862.atlassian-universal-plugin-manager-plugin-2.22.12_1532100170000.jar: Html.Malware.Agent-6625161-0 FOUND
/data/atlassian/application-data/confluence/plugins-osgi-cache/transformed-plugins/atlassian-universal-plugin-manager-plugin-2.22.5_1528329572000.jar: Html.Malware.Agent-6625208-0 FOUND
/data/atlassian/application-data/confluence/plugins-osgi-cache/transformed-plugins/1530063048000plugin.4333718534734086921.atlassian-universal-plugin-manager-plugin-2.22.11_1530063048000.jar: Html.Malware.Agent-6625208-0 FOUND
/data/atlassian/application-data/jira/plugins/installed-plugins/plugin.5181128983702769347.atlassian-universal-plugin-manager-plugin-2.22.12.jar: Html.Malware.Agent-6625161-0 FOUND
/data/atlassian/application-data/jira/plugins/.osgi-plugins/transformed-plugins/atlassian-universal-plugin-manager-plugin-2.22.9_1525859694000.jar: Html.Malware.Agent-6625208-0 FOUND
/data/atlassian/application-data/jira/plugins/.osgi-plugins/transformed-plugins/plugin.257991843025947925.atlassian-universal-plugin-manager-plugin-2.22.11_1528761034000.jar: Html.Malware.Agent-6625208-0 FOUND
/data/atlassian/application-data/jira/plugins/.osgi-plugins/transformed-plugins/plugin.5181128983702769347.atlassian-universal-plugin-manager-plugin-2.22.12_1532109693000.jar: Html.Malware.Agent-6625161-0 FOUND
/data/atlassian/application-data/jira/plugins/.osgi-plugins/transformed-plugins/plugin.1266146764422473197.atlassian-universal-plugin-manager-plugin-2.22.10_1527882621000.jar: Html.Malware.Agent-6625208-0 FOUND
/data/atlassian/application-data/jira/plugins/.osgi-plugins/transformed-plugins/upm-application-plugin-2.22.9_1525859694000.jar: Html.Malware.Agent-6625208-0 FOUND
/data/atlassian/confluence/confluence/WEB-INF/atlassian-bundled-plugins/atlassian-universal-plugin-manager-plugin-2.22.5.jar: Html.Malware.Agent-6625208-0 FOUND
/data/atlassian/confluence/temp/plugin.4333718534734086921.atlassian-universal-plugin-manager-plugin-2.22.11.jar: Html.Malware.Agent-6625208-0 FOUND
/data/atlassian/confluence/temp/plugin.6730594808569807862.atlassian-universal-plugin-manager-plugin-2.22.12.jar: Html.Malware.Agent-6625161-0 FOUND
/data/atlassian/jira/atlassian-jira/WEB-INF/atlassian-bundled-plugins/atlassian-universal-plugin-manager-plugin-2.22.9.jar: Html.Malware.Agent-6625208-0 FOUND
/data/atlassian/jira/atlassian-jira/WEB-INF/atlassian-bundled-plugins/upm-application-plugin-2.22.9.jar: Html.Malware.Agent-6625208-0 FOUND
/data/atlassian/jira/temp/plugin.5181128983702769347.atlassian-universal-plugin-manager-plugin-2.22.12.jar: Html.Malware.Agent-6625161-0 FOUND
/data/atlassian/jira/temp/plugin.257991843025947925.atlassian-universal-plugin-manager-plugin-2.22.11.jar: Html.Malware.Agent-6625208-0 FOUND
