ClamshellAV reports 'Html.Malware.Agent-6625161-0' on plugins

I'm fairly confident that this isn't a critical issue; however, I felt you folks should be aware that after running ClamshellAV on CentOS 7, the following appeared in my log (for what seems directly related to 'plugins' packages for JIRA and Bitbucket servers):

/opt/atlassian/jira/atlassian-jira/WEB-INF/atlassian-bundled-plugins/atlassian-universal-plugin-manager-plugin-2.22.9.jar: Html.Malware.Agent-6625161-0 FOUND

/opt/atlassian/jira/atlassian-jira/WEB-INF/atlassian-bundled-plugins/upm-application-plugin-2.22.9.jar: Html.Malware.Agent-6625161-0 FOUND

/opt/atlassian/jira/temp/plugin.7678726411037657193.atlassian-universal-plugin-manager-plugin-2.22.12.jar: Html.Malware.Agent-6625161-0 FOUND

/opt/atlassian/jira/temp/plugin.1235045691871667837.atlassian-universal-plugin-manager-plugin-2.22.11.jar: Html.Malware.Agent-6625161-0 FOUND

/opt/atlassian/bitbucket/5.11.1/app/WEB-INF/atlassian-bundled-plugins/atlassian-universal-plugin-manager-plugin-2.22.9.jar: Html.Malware.Agent-6625161-0 FOUND

/var/atlassian/application-data/jira/plugins/installed-plugins/plugin.7678726411037657193.atlassian-universal-plugin-manager-plugin-2.22.12.jar: Html.Malware.Agent-6625161-0 FOUND

/var/atlassian/application-data/jira/plugins/.osgi-plugins/transformed-plugins/atlassian-universal-plugin-manager-plugin-2.22.9_1530114812000.jar: Html.Malware.Agent-6625161-0 FOUND

/var/atlassian/application-data/jira/plugins/.osgi-plugins/transformed-plugins/upm-application-plugin-2.22.9_1530114812000.jar: Html.Malware.Agent-6625161-0 FOUND

/var/atlassian/application-data/jira/plugins/.osgi-plugins/transformed-plugins/plugin.1235045691871667837.atlassian-universal-plugin-manager-plugin-2.22.11_1530732163000.jar: Html.Malware.Agent-6625161-0 FOUND

/var/atlassian/application-data/jira/plugins/.osgi-plugins/transformed-plugins/plugin.7678726411037657193.atlassian-universal-plugin-manager-plugin-2.22.12_1532789555000.jar: Html.Malware.Agent-6625161-0 FOUND

/var/atlassian/application-data/bitbucket/plugins/.osgi-cache/transformed-plugins/atlassian-universal-plugin-manager-plugin-2.22.9_1527316560000.jar: Html.Malware.Agent-6625161-0 FOUND

Answer accepted
Ben Woskow Atlassian Team Jul 31, 2018

Hello,

I want to assure you that the plugins listed above are not malware. The latest ClamAV virus database includes this rule which is in fact a false positive.

I have submitted a false positive request to the ClamAV team to resolve this issue. Please follow https://ecosystem.atlassian.net/browse/UPM-5905 for progress on this issue.

In the meantime, the workaround described on this post seems like a good approach.

Cheers,
Ben

I'm also seeing this in all my Jira 7.2.7 and Confluence 5.10 instances. I'm running ClamAV 0.99.4/24797/Mon Jul 30 09:42:33 2018

The virus signature update last night now finds UPM to be malware. Because we do not automatically quarantine suspect files, this didn't cause an issue on application restart. It's just noisy.

I've ticketed Atlassian for this.

There are two workarounds available:

* exclude the directories where the jar files exist so clamscan doesn't find the files

* exclude the files (disclosure: this method was developed by another engineer and I have not vetted it)

In order to add a file to the false-positive whitelist, you need to add the info to a file named sigfile.fp in the same directory as the db files for clamav; this is located in /var/clamav. Actually, you can name the file anything you want; just ensure the extension is .fp. This is the info that is required; again, it is a simple task in bash to get the data.

  • MD5 sum
  • File size in bytes
  • 6 digit date
  • Base file name with last extension removed. So if the file is foo.bat then the file name is foo. If it is foo.bar.bat the file name is foo.bar.

With that info you would add it to /var/clamav/sigfile.fp formatted like this:

    MD5:SIZE:DATEID_NAME

That entry represents a single file. Make sure there is only one entry per line: 1000 files, then 1000 lines.

And that is all there is to it; it takes effect as soon as the file is saved.

I have also noticed this issue; it was also flagged for the first time on Saturday. My guess is that a ClamAV update has mistakenly flagged the plugin; can somebody please confirm that this is a false flag?

 

/data/atlassian/confluence.old/confluence/WEB-INF/atlassian-bundled-plugins/atlassian-universal-plugin-manager-plugin-2.20.jar: Html.Malware.Agent-6625208-0 FOUND
/data/atlassian/application-data/confluence.old/plugins-osgi-cache/transformed-plugins/atlassian-universal-plugin-manager-plugin-2.20_1449523626000.jar: Html.Malware.Agent-6625208-0 FOUND
/data/atlassian/application-data/confluence/plugins-cache/1493144169000plugin.1940237532048614219.atlassian-universal-plugin-manager-plugin-2.21.4.jar: Html.Malware.Agent-6625208-0 FOUND
/data/atlassian/application-data/confluence/plugins-cache/1532100170000plugin.6730594808569807862.atlassian-universal-plugin-manager-plugin-2.22.12.jar: Html.Malware.Agent-6625161-0 FOUND
/data/atlassian/application-data/confluence/plugins-osgi-cache/transformed-plugins/1493144169000plugin.1940237532048614219.atlassian-universal-plugin-manager-plugin-2.21.4_1493144169000.jar: Html.Malware.Agent-6625208-0 FOUND
/data/atlassian/application-data/confluence/plugins-osgi-cache/transformed-plugins/1532100170000plugin.6730594808569807862.atlassian-universal-plugin-manager-plugin-2.22.12_1532100170000.jar: Html.Malware.Agent-6625161-0 FOUND
/data/atlassian/application-data/confluence/plugins-osgi-cache/transformed-plugins/atlassian-universal-plugin-manager-plugin-2.22.5_1528329572000.jar: Html.Malware.Agent-6625208-0 FOUND
/data/atlassian/application-data/confluence/plugins-osgi-cache/transformed-plugins/1530063048000plugin.4333718534734086921.atlassian-universal-plugin-manager-plugin-2.22.11_1530063048000.jar: Html.Malware.Agent-6625208-0 FOUND
/data/atlassian/application-data/jira/plugins/installed-plugins/plugin.5181128983702769347.atlassian-universal-plugin-manager-plugin-2.22.12.jar: Html.Malware.Agent-6625161-0 FOUND
/data/atlassian/application-data/jira/plugins/.osgi-plugins/transformed-plugins/atlassian-universal-plugin-manager-plugin-2.22.9_1525859694000.jar: Html.Malware.Agent-6625208-0 FOUND
/data/atlassian/application-data/jira/plugins/.osgi-plugins/transformed-plugins/plugin.257991843025947925.atlassian-universal-plugin-manager-plugin-2.22.11_1528761034000.jar: Html.Malware.Agent-6625208-0 FOUND
/data/atlassian/application-data/jira/plugins/.osgi-plugins/transformed-plugins/plugin.5181128983702769347.atlassian-universal-plugin-manager-plugin-2.22.12_1532109693000.jar: Html.Malware.Agent-6625161-0 FOUND
/data/atlassian/application-data/jira/plugins/.osgi-plugins/transformed-plugins/plugin.1266146764422473197.atlassian-universal-plugin-manager-plugin-2.22.10_1527882621000.jar: Html.Malware.Agent-6625208-0 FOUND
/data/atlassian/application-data/jira/plugins/.osgi-plugins/transformed-plugins/upm-application-plugin-2.22.9_1525859694000.jar: Html.Malware.Agent-6625208-0 FOUND
/data/atlassian/confluence/confluence/WEB-INF/atlassian-bundled-plugins/atlassian-universal-plugin-manager-plugin-2.22.5.jar: Html.Malware.Agent-6625208-0 FOUND
/data/atlassian/confluence/temp/plugin.4333718534734086921.atlassian-universal-plugin-manager-plugin-2.22.11.jar: Html.Malware.Agent-6625208-0 FOUND
/data/atlassian/confluence/temp/plugin.6730594808569807862.atlassian-universal-plugin-manager-plugin-2.22.12.jar: Html.Malware.Agent-6625161-0 FOUND
/data/atlassian/jira/atlassian-jira/WEB-INF/atlassian-bundled-plugins/atlassian-universal-plugin-manager-plugin-2.22.9.jar: Html.Malware.Agent-6625208-0 FOUND
/data/atlassian/jira/atlassian-jira/WEB-INF/atlassian-bundled-plugins/upm-application-plugin-2.22.9.jar: Html.Malware.Agent-6625208-0 FOUND
/data/atlassian/jira/temp/plugin.5181128983702769347.atlassian-universal-plugin-manager-plugin-2.22.12.jar: Html.Malware.Agent-6625161-0 FOUND
/data/atlassian/jira/temp/plugin.257991843025947925.atlassian-universal-plugin-manager-plugin-2.22.11.jar: Html.Malware.Agent-6625208-0 FOUND
