What's the meaning of 'LibClamAV Warning: crtmgr_rsa_verify: verification failed: fp_exptmod failed with 1' win7 x64 v105 #604

Closed
ggaussling opened this issue May 31, 2022 · 18 comments · Fixed by #727
ggaussling commented May 31, 2022

Hi,

I issued this command line:

```
clamscan --recursive c:\
```

Sometimes I get this warning:

```
LibClamAV Warning: crtmgr_rsa_verify: verification failed: fp_exptmod failed with 1
```

I don't know if this is harmless, or where it comes from.

This link is the only occurrence on the net that I was able to find:

```
>> Random Trash/John Titor und Weltlinien • Zeit;Reisen.mp4: OK

LibClamAV Warning: crtmgr_rsa_verify: verification failed: fp_exptmod failed with 1
>> Random Trash/CUDA/cuda_10.0.130_win10_network.exe: OK
```

http://webcache.googleusercontent.com/search?q=cache:gQqfY4JsG6kJ:https://uraniumhexafluori.de/ClamAV/&hl=de&gl=de&strip=1&vwsrc=0
Memento: https://web.archive.org/web/20220531130349/https://uraniumhexafluori.de/ClamAV/

e.g.

```
C:\Users\Mich24\Downloads\naps2-6.1.2-setup.exe: OK
LibClamAV Warning: crtmgr_rsa_verify: verification failed: fp_exptmod failed with 1
LibClamAV Warning: crtmgr_rsa_verify: verification failed: fp_exptmod failed with 1
C:\Users\Mich24\Downloads\Nextcloud-3.4.4-x64.msi: OK
C:\Users\Mich24\Downloads\npp.8.3.3.Installer.x64.exe: OK
C:\Users\Mich24\Downloads\Player Setup.exe: Win.Trojan.Softpulse-519 FOUND
LibClamAV Warning: crtmgr_rsa_verify: verification failed: fp_exptmod failed with 1
LibClamAV Warning: crtmgr_rsa_verify: verification failed: fp_exptmod failed with 1
LibClamAV Warning: crtmgr_rsa_verify: verification failed: fp_exptmod failed with 1
C:\Users\Mich24\Downloads\ProcessExplorer.zip: OK
```

Hardware:

Lenovo IdeaPad N581
Intel(R) Core(TM) i5-3210M CPU @ 2.50GHz
Intel Ivy Bridge rev. 09
Intel HM76 rev. 04
4 GBytes DDR3 RAM 798.7 MHz (1:6)
HDD: ST500LM012 HN-M500MBB, 465.8GB, 5400RPM, SATA AHCI

freshclam.log:

```
--------------------------------------
daily database available for download (remote version: 26557)
daily.cvd updated (version: 26557, sigs: 1985004, f-level: 90, builder: raynman)
main database available for download (remote version: 62)
main.cvd updated (version: 62, sigs: 6647427, f-level: 90, builder: sigmgr)
bytecode database available for download (remote version: 333)
bytecode.cvd updated (version: 333, sigs: 92, f-level: 63, builder: awillia2)
```

```
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. Alle Rechte vorbehalten.

C:\Windows\system32>clamconf > C:\Programme\ClamAV\clamconf.txt
```

clamconf.txt

```
C:\Windows\system32>clamconf -n
Checking configuration files in C:\Program Files\ClamAV

Config file: clamd.conf
-----------------------
LogFile = "C:\Programme\ClamAV\clamd.log"
PidFile = "C:\Programme\ClamAV\clamd.pid"
DatabaseDirectory = "C:\Programme\ClamAV\database"
TCPSocket = "3310"
TCPAddr = "localhost"

Config file: freshclam.conf
---------------------------
PidFile = "C:\Programme\ClamAV\freshclam.pid"
DatabaseDirectory = "C:\Programme\ClamAV\database"
UpdateLogFile = "C:\Programme\ClamAV\freshclam.log"
DatabaseMirror = "database.clamav.net"
NotifyClamd = "C:\Programme\ClamAV\clamd.conf"

clamav-milter.conf not found

Software settings
-----------------
Version: 0.105.0
Optional features supported: MEMPOOL AUTOIT_EA06 BZIP2 LIBXML2 PCRE2 JSON RAR

Database information
--------------------
Database directory: C:\Programme\ClamAV\database
bytecode.cvd: version 333, sigs: 92, built on Mon Mar  8 16:21:51 2021
daily.cvd: version 26557, sigs: 1985004, built on Mon May 30 10:05:44 2022
main.cvd: version 62, sigs: 6647427, built on Thu Sep 16 14:32:42 2021
Total number of signatures: 8632523

Platform information
--------------------
uname: Microsoft Windows 6.1 SP1.0 Build 7601
OS: Windows, ARCH: AMD64, CPU: AMD64
zlib version: 1.2.12 (1.2.12), compile flags: 65
platform id: 0x10259696080000000000077c

Build information
-----------------
Microsoft Visual C++: (0.7.124)
sizeof(void*) = 8
Engine flevel: 150, dconf: 150

C:\Windows\system32>
```



ggaussling commented Jun 1, 2022

Regarding my observations, I think it might have to do with temporarily unavailable resources on my computer. Maybe the scanned item needs more resources, or other processes are using them up. Maybe it loops on the item until the resources are available again?

@micahsnyder
Contributor

@ggaussling Do you see this issue every time you scan Nextcloud-3.4.4-x64.msi and ProcessExplorer.zip? It could be a clamav bug. If you can share a link to these files I can give it a try on my machine.

qs5779 commented Jun 5, 2022

I started seeing this error regularly in my periodic scan jobs, beginning a few weeks ago.

@micahsnyder
Contributor

@qs5779 did you upgrade clamav to a new version a few weeks ago, or are there files new to your system in the past few weeks that trigger this warning?

qs5779 commented Jun 7, 2022

[2022-05-13T06:26:52-0400] [ALPM] upgraded clamav (0.104.2-1 -> 0.105.0-1) was my last upgrade. I am not 100% sure, but that is about the time I started seeing the message. My job scans a specific list of directories one at a time, and it seems to output the warning for each recursive scan.

@micahsnyder
Contributor

Apologies for the delayed reply @qs5779. I'm seeing the same issue as well with many signed files. I'll add a task to our Jira to investigate.

@SokolInTheCloud

I got the same issue. Windows 7 x64 sp1 in VirtualBox. I have tried clamscan 0.105.0 both x86 and x64 versions, for files and memory scan.

@tuchaVshortah

Got the same issue. Manjaro Linux with the 5.18.5-lqx1-1-lqx kernel (Liquorix), ClamAV 0.105.0.

jeb2112 commented Jul 6, 2022

I am seeing this message. I have just built clamav from the github source, version 1.0.0, my first time using it. I have Ubuntu 19.10 5.3.0-64-generic

@unixdigest

Same issue on Arch Linux ClamAV 0.105.0-1.

```
LibClamAV Warning: crtmgr_rsa_verify: verification failed: fp_exptmod failed with 1
LibClamAV Warning: crtmgr_rsa_verify: verification failed: fp_exptmod failed with 1
LibClamAV Warning: crtmgr_rsa_verify: verification failed: fp_exptmod failed with 1
...
```

@servusdei2018

Same issue, Arch Linux, 5.15 kernel x86_64.

piot commented Aug 9, 2022

Got the same issue, Manjaro 5.15.59-1 x86_64

@damienlmc

You need to use --nocerts to get rid of the error; however, the error does not affect your scan.

@ndonathan

Fresh install of ClamAV on MacOS with brew and getting same error.

@foto-andreas

Fresh install with ClamAV Package from Download Page on MacOS: Same error.

@civanakbas

Same issue. Arch Linux 5.15.61-1-lts kernel with ClamAV 0.105.0

simulanics commented Sep 1, 2022

Fresh install for Windows 11 - "LibClamAV Warning: crtmgr_rsa_verify: verification failed: fp_exptmod failed with 1"

*** Only seeing this error on Microsoft .NET created files (i.e. CSharp); and not all of them, just some. (Try Microsoft.HTTP.Net.dll or Microsoft.Versioning, System.Net.HTTP, System.Diagnostics.*, System.Threading.dll, WindowBase.dll, or any other .NET framework file or compiled EXE)

It appears that the code signing for .NET files on Windows is triggering this error. Other platforms I cannot attest to, unless they are cross-platform .NET Core files causing the issue?

@micahsnyder
Contributor

Hi all. I have an update. I investigated this and found the issue has to do with certificate verification for trusting authenticode signed executables. The ability to trust executables signed by trusted publishers was added in 0.105 development, but was subsequently broken when upgrading the vendored TomsFastMath library for fast floating point math. Specifically, it appears to happen when the executable is signed by a trusted certificate when clamav is determining if the signature can be trusted.

For context, we have a number of rules for trusted certificates in our daily database right now, most of which are for Microsoft code signing certificates. So you're probably seeing this message when scanning Microsoft-signed programs.

So the good news is that this bug's only adverse effect is that files which could have been trusted are instead fully scanned.

While working on improvements to the allmatch feature, I included a test to verify that the certificate trust feature works, which is when I realized the origin of this bug. I've kept the test, and have marked it as "expected failure": 0f5aeb7#diff-4fffe0ac06fa6a2638d7264c4df60286cd139248cfca5ec19e5dca63b789d021R123-R160
Once we fix this issue, that test should pass.

I don't have an ETA for fixing this issue, however. One of my teammates is expected to work on this in the coming weeks.
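
A way to triage scheduled-scan output in light of the explanation above, as an added example that is not part of the thread or of ClamAV: it counts the exact warning reported in this issue separately from verdict lines and keeps every other message for review. The `triage` function, its regular expression for result lines, and the last warning line in the sample are assumptions made for the illustration.

```python
import re
from collections import Counter

# Exact warning text from this issue; per the maintainer it only means a
# signed file was fully scanned instead of being trusted.
KNOWN_WARNING = ("LibClamAV Warning: crtmgr_rsa_verify: verification failed: "
                 "fp_exptmod failed with 1")
# clamscan result lines look like "<path>: OK" or "<path>: <signature> FOUND".
# The greedy (.+) keeps drive-letter colons such as "C:\..." inside the path.
RESULT_RE = re.compile(r"^(.+): (?:(OK)|(\S+) FOUND)$")


def triage(lines):
    """Split clamscan output into detections, known-noise count, other messages."""
    detections, other = {}, []
    counts = Counter()
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        if line == KNOWN_WARNING:
            counts["known_warning"] += 1
            continue
        m = RESULT_RE.match(line)
        if m:
            counts["files"] += 1
            if m.group(3):
                detections[m.group(1)] = m.group(3)
            continue
        # Any other LibClamAV message is kept so that it still gets reviewed.
        other.append(line)
    return {"files": counts["files"], "known_warning": counts["known_warning"],
            "detections": detections, "other": other}


# Sample assembled from the output quoted in this thread; the "unrelated
# warning" line is constructed to show that other messages are not suppressed.
SAMPLE = r"""
C:\Users\Mich24\Downloads\naps2-6.1.2-setup.exe: OK
LibClamAV Warning: crtmgr_rsa_verify: verification failed: fp_exptmod failed with 1
LibClamAV Warning: crtmgr_rsa_verify: verification failed: fp_exptmod failed with 1
C:\Users\Mich24\Downloads\Nextcloud-3.4.4-x64.msi: OK
C:\Users\Mich24\Downloads\Player Setup.exe: Win.Trojan.Softpulse-519 FOUND
LibClamAV Warning: constructed example of an unrelated warning
C:\Users\Mich24\Downloads\ProcessExplorer.zip: OK
""".splitlines()

if __name__ == "__main__":
    print(triage(SAMPLE))
```
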
