Antivirus fails to update due to 0.0.0.0 clamav.net host file entries

Don't miss a thing. Post your questions and discussion about other uncategorized NAS features here.
Post Reply
ianch99
New here
Posts: 7
Joined: Sun Jan 07, 2018 5:43 pm

Antivirus fails to update due to 0.0.0.0 clamav.net host file entries

Post by ianch99 » Mon Jan 21, 2019 1:42 am

Since recent firmware updates, the ClamAV Antivirus fails to update due to 700+ clamav.net entries in /etc/hosts, all set to 0.0.0.0 e.g.

0.0.0.0 bugs.clamav.net
0.0.0.0 current.cvd.clamav.net
0.0.0.0 database.clamav.net
0.0.0.0 db.local.clamav.net
0.0.0.0 update.nai.com
0.0.0.0 db.ac.clamav.net
0.0.0.0 db.ac.ipv6.clamav.net
0.0.0.0 db.ac.big.clamav.net
<snip>

As they are all set to 0.0.0.0, the ClamAV update fails. If you remove these entries, the update runs fine but they return on after rebooting.

Has anyone seen this or have any clues?

I have logged a ticket with QNAP and they asked me to set DNS to the Google servers and to do a 3 second reset via the pinhole. This I did but no change in behaviour .. the problem remains :(

Very strange ..

User avatar
Don
Guru
Posts: 11527
Joined: Thu Jan 03, 2008 4:56 am
Location: Long Island, New York
Contact:

Re: Antivirus fails to update due to 0.0.0.0 clamav.net host file entries

Post by Don » Mon Jan 21, 2019 1:47 am

Do you run the malware remover? Is your NAS accessible from the internet? If so you might have been hacked.
Read the Online Manuals and use the forum search feature before posting.

It is a recommended to use RAID and have external backups. RAID will protect you from disk failure, keep your system running, and data accessible while the disk is replaced and the RAID rebuilt. Backups will allow you to recover data that is lost or corrupted, or from system failure. One does not replace the other.

Submit bugs and feature requests to QNAP via their Helpdesk app.

NAS: TVS-882BR | F/W: 4.3.6.0805 | 40GB | 2 x M.2 SATA RAID 1 (System/VMs) | 4 x M.2 NMVe QM2-4P-384A RAID 5 (Cache) | 5 x 4TB HDD RAID 6 (Data) | 1 x Blu-ray
NAS: TVS-663 | F/W: 4.3.6.0805 | 16GB | 2 x M.2 NMVe QM2-2P RAID 1 (Cache) | 4 x 4TB RAID 5
Apps: Boinc, Squid, DNSMasq, PLEX, iDrive, QVPN, QLMS, MP3fs, HBS, Entware, DLstation, +others

ianch99
New here
Posts: 7
Joined: Sun Jan 07, 2018 5:43 pm

Re: Antivirus fails to update due to 0.0.0.0 clamav.net host file entries

Post by ianch99 » Mon Jan 21, 2019 2:00 am

Malware Remover 3.3.1 is running daily and is reporting clean. As for internet access, the only access is indirect via apps such as Plex, Serviio and Cloudlink. These are all protected by (different) strong passwords.

On a qnap, what code is run when booting that may populate the /etc/hosts file? Something, somewhere is adding these entries ... autorun.sh is reported as empty in Control Panel --> Hardware --> General

User avatar
Don
Guru
Posts: 11527
Joined: Thu Jan 03, 2008 4:56 am
Location: Long Island, New York
Contact:

Re: Antivirus fails to update due to 0.0.0.0 clamav.net host file entries

Post by Don » Mon Jan 21, 2019 2:19 am

No idea what might be setting that. You could try uninstalling and reinstalling clamav.
Read the Online Manuals and use the forum search feature before posting.

It is a recommended to use RAID and have external backups. RAID will protect you from disk failure, keep your system running, and data accessible while the disk is replaced and the RAID rebuilt. Backups will allow you to recover data that is lost or corrupted, or from system failure. One does not replace the other.

Submit bugs and feature requests to QNAP via their Helpdesk app.

NAS: TVS-882BR | F/W: 4.3.6.0805 | 40GB | 2 x M.2 SATA RAID 1 (System/VMs) | 4 x M.2 NMVe QM2-4P-384A RAID 5 (Cache) | 5 x 4TB HDD RAID 6 (Data) | 1 x Blu-ray
NAS: TVS-663 | F/W: 4.3.6.0805 | 16GB | 2 x M.2 NMVe QM2-2P RAID 1 (Cache) | 4 x 4TB RAID 5
Apps: Boinc, Squid, DNSMasq, PLEX, iDrive, QVPN, QLMS, MP3fs, HBS, Entware, DLstation, +others

ianch99
New here
Posts: 7
Joined: Sun Jan 07, 2018 5:43 pm

Re: Antivirus fails to update due to 0.0.0.0 clamav.net host file entries

Post by ianch99 » Mon Jan 21, 2019 2:46 am

Don wrote:
Mon Jan 21, 2019 2:19 am
No idea what might be setting that. You could try uninstalling and reinstalling clamav.
ClamAV seems a built in app so I guess I would need to reset the NAS i.e. a 10 second reset?

User avatar
Don
Guru
Posts: 11527
Joined: Thu Jan 03, 2008 4:56 am
Location: Long Island, New York
Contact:

Re: Antivirus fails to update due to 0.0.0.0 clamav.net host file entries

Post by Don » Mon Jan 21, 2019 5:18 am

Not in front of my NAS but thought it was an add in app. I could be wrong.
Read the Online Manuals and use the forum search feature before posting.

It is a recommended to use RAID and have external backups. RAID will protect you from disk failure, keep your system running, and data accessible while the disk is replaced and the RAID rebuilt. Backups will allow you to recover data that is lost or corrupted, or from system failure. One does not replace the other.

Submit bugs and feature requests to QNAP via their Helpdesk app.

NAS: TVS-882BR | F/W: 4.3.6.0805 | 40GB | 2 x M.2 SATA RAID 1 (System/VMs) | 4 x M.2 NMVe QM2-4P-384A RAID 5 (Cache) | 5 x 4TB HDD RAID 6 (Data) | 1 x Blu-ray
NAS: TVS-663 | F/W: 4.3.6.0805 | 16GB | 2 x M.2 NMVe QM2-2P RAID 1 (Cache) | 4 x 4TB RAID 5
Apps: Boinc, Squid, DNSMasq, PLEX, iDrive, QVPN, QLMS, MP3fs, HBS, Entware, DLstation, +others

User avatar
Toxic17
Experience counts
Posts: 4579
Joined: Tue Jan 25, 2011 11:41 pm
Location: Planet Earth
Contact:

Re: Antivirus fails to update due to 0.0.0.0 clamav.net host file entries

Post by Toxic17 » Mon Jan 21, 2019 7:17 pm

clamav is built in as the default av application on most QTS's. I think some of the older versions it may have been a QPKG.

the worrying factor is entries in the /etc/host file.

I have no clamav entries at all in 3 of my QNAPs /etc/host file

I suggest you remove these, and I am guessing something has added them. more likely a trojan or virus/malware.

did you tell QNAP of your 700+ entries of clamav in your host file?
Regards Simon

QNAP 4.3.x/4.2.x Manuals

QNAP Club Repository
Submit a ticket • QNAP Helpdesk
QNAP Tutorials, User Manuals, FAQs, Downloads, Wiki
When you ask a question, please include the following


MeteoBridge NanoSD • ODROID XU4Q • FlightAware ProStick Plus
NAS: TVS-463/QM2-2P 4.3.6.0805 • TS-453BT3 4.3.6.0805 • TS-121 4.3.3.0789 • APC Back-UPS ES 700G
QPKG's: TwonkyServer 8.51 • QApache 2.4.37.7214 • QSonarr 3.0.0.348 • QNBZGet 21.0-r2220 • phpMyAdmin 4.8.3 • Qmono 5.14.0.177 • Lychee 3.2.6
Network: VM Hub 3.0 <500/35> • SamKnows WhiteBox • Sophos XG v17.5.0 GA • Ubiquiti CloudKey • UAP AC Pro / UAP AC Lite • TL-SG1016DE • SLM2008 • Dell 7050 MFF

ianch99
New here
Posts: 7
Joined: Sun Jan 07, 2018 5:43 pm

Re: Antivirus fails to update due to 0.0.0.0 clamav.net host file entries

Post by ianch99 » Mon Jan 21, 2019 7:26 pm

Toxic17 wrote:
Mon Jan 21, 2019 7:17 pm
clamav is built in as the default av application on most QTS's. I think some of the older versions it may have been a QPKG.

the worrying factor is entries in the /etc/host file.

I have no clamav entries at all in 3 of my QNAPs /etc/host file

I suggest you remove these, and I am guessing something has added them. more likely a trojan or virus/malware.

did you tell QNAP of your 700+ entries of clamav in your host file?
I have told QNAP of this issue i.e. the hosts file "bonus" entries that reappear on reboot. No response yet as such, just the usual boilerplate response i.e. please reset this & that.

This is the crucial question, and it is one for you all to ponder on: if this is "malware" and not some weird QNAP o/s behaviour then why does ClamAV and the Malware Remover not comment on the presence of said malware "signature" in /etc/hosts? After all, it is plain sight in /etc in an unencrypted text file. I mean, even I can write a virus checker to look for this!

Very concerning ... if this cannot be "discovered" in plain sight then what hope for detecting a sophisticated piece of malware?

User avatar
Toxic17
Experience counts
Posts: 4579
Joined: Tue Jan 25, 2011 11:41 pm
Location: Planet Earth
Contact:

Re: Antivirus fails to update due to 0.0.0.0 clamav.net host file entries

Post by Toxic17 » Mon Jan 21, 2019 7:33 pm

av and malware are only good if they know the type of attack. if this is a new type of attack, then maybe clamav or malware app do not know about it. the fact host file has 0.0.0.0 for all clamav URLS suggest you will never get an update so it stops any av dat file finding the issue in the first place.

these entries have been added to stop clamav from updating. who would do this? a hacker. no one else.
I suggest you remove the av entries, try an AV update.

BTW ClamAV does not by default scan the QNAP OS. only the shared file area.

do you allow your NAS to have internet access or use any cloudbased app on the QNAP? something like myQNAPcloud?? thats usually how it gets infected.

even if the av now works you have an infected OS. really the only thing to do with that is wipe the QNAP and start again, restore your shared data from a backup that you should be doing. else it will probably happen again. if you use myqnapcloud, then your gonna have to change passwords and possibly get a new account. Personally I dont use myqnapcloud, plenty have been hacked this way.
Regards Simon

QNAP 4.3.x/4.2.x Manuals

QNAP Club Repository
Submit a ticket • QNAP Helpdesk
QNAP Tutorials, User Manuals, FAQs, Downloads, Wiki
When you ask a question, please include the following


MeteoBridge NanoSD • ODROID XU4Q • FlightAware ProStick Plus
NAS: TVS-463/QM2-2P 4.3.6.0805 • TS-453BT3 4.3.6.0805 • TS-121 4.3.3.0789 • APC Back-UPS ES 700G
QPKG's: TwonkyServer 8.51 • QApache 2.4.37.7214 • QSonarr 3.0.0.348 • QNBZGet 21.0-r2220 • phpMyAdmin 4.8.3 • Qmono 5.14.0.177 • Lychee 3.2.6
Network: VM Hub 3.0 <500/35> • SamKnows WhiteBox • Sophos XG v17.5.0 GA • Ubiquiti CloudKey • UAP AC Pro / UAP AC Lite • TL-SG1016DE • SLM2008 • Dell 7050 MFF

jhand00
Starting out
Posts: 32
Joined: Thu Apr 23, 2015 3:42 am

Re: Antivirus fails to update due to 0.0.0.0 clamav.net host file entries

Post by jhand00 » Tue Jan 22, 2019 10:50 am

I appear to have been hacked the same way. My system wasn't updating the system firmware either and I had all of those clamav.net entries in /etc/hosts.

jhand00
Starting out
Posts: 32
Joined: Thu Apr 23, 2015 3:42 am

Re: Antivirus fails to update due to 0.0.0.0 clamav.net host file entries

Post by jhand00 » Tue Jan 22, 2019 11:13 am

I did have qnapcloud enabled. My guess is that it was through that, but other possibilities are that I had https access available from the Internet, along with port forwarding to a Plex server on the QNAP server.

ianch99
New here
Posts: 7
Joined: Sun Jan 07, 2018 5:43 pm

Re: Antivirus fails to update due to 0.0.0.0 clamav.net host file entries

Post by ianch99 » Tue Jan 22, 2019 6:46 pm

jhand00 wrote:
Tue Jan 22, 2019 11:13 am
I did have qnapcloud enabled. My guess is that it was through that, but other possibilities are that I had https access available from the Internet, along with port forwarding to a Plex server on the QNAP server.
Glad to know I am not going mad! Don't bother with the 3 and 10 second resets, they do not fix the problem.

Out of interest, I downgraded to 4.3.4.0675 firmware and the hosts file did not have the 700+ entries. I then upgraded to 4.3.4.0695 and they came back :(. I am thinking it is related to the config settings that persist on the /share/CACHEDEV1_DATA device. There is a new Malware Remover version 3.4.0 that came out yesterday so QNAP know that they have an issue here. I ran this and it says it "Malware was detected and removed. You must restart the NAS". You do this and then it runs on restart and says the same thing --> endless loop.

I am checking my backups and will reset the entire machine inc. raid array using latest firmware to get out of this. Total waste of my time.

Last thoughts:

I bought the QNAP based on its reputation and I feel personally let down. All software has problems but it seems that QNAP is reluctant to be honest with its customers. In order to detect malware, you are usually responding to an exploit that has a designation and documented behaviour. Most if not all, anti-malware software will inform the user that it has detected a known signature. None that I know of just says "I have found malware" except QNAP's application. If I knew what malware was found, I could mitigate any risks that it may have introduced with my system and my data. With QNAP, we are flying blind and have no idea what has been compromised.

Some users have commented that they never use any of the internet facing features due to security concerns. If so, what are you saying about QNAP and also why buy something when you "shouldn't use" many of the features you bought the unit for in the first place.

Thisisnotmyname
Easy as a breeze
Posts: 353
Joined: Mon Nov 19, 2018 1:21 am

Re: Antivirus fails to update due to 0.0.0.0 clamav.net host file entries

Post by Thisisnotmyname » Wed Jan 23, 2019 12:06 am

ianch99 wrote:
Tue Jan 22, 2019 6:46 pm
Some users have commented that they never use any of the internet facing features due to security concerns. If so, what are you saying about QNAP and also why buy something when you "shouldn't use" many of the features you bought the unit for in the first place.


I'm sure you're frustrated right now but that's hyperbole to say not exposing your unit directly to open internet equates to not using many futures of the unit. Your laptop likely has a web server you could install (like IIS) but you'd never think of exposing it out to the open internet and running a web site from it, does that mean you can't use many features of your laptop? of course not. Many people will though run an intranet web site from their QNAP NAS, that's not exposed to the public internet but utilizing a technology of the device. Others may expose their QNAP's features across the internet but shield that access behind a VPN (either QNAP's own or a hardware VPN) so their not allowing the entire world to attempt to exploit their device (other than attacking the VPN which is less vulnerable than say a web server or an admin tool like phpmyadmin).

ianch99
New here
Posts: 7
Joined: Sun Jan 07, 2018 5:43 pm

Re: Antivirus fails to update due to 0.0.0.0 clamav.net host file entries

Post by ianch99 » Wed Jan 23, 2019 12:28 am

Thisisnotmyname wrote:
Wed Jan 23, 2019 12:06 am
ianch99 wrote:
Tue Jan 22, 2019 6:46 pm
Some users have commented that they never use any of the internet facing features due to security concerns. If so, what are you saying about QNAP and also why buy something when you "shouldn't use" many of the features you bought the unit for in the first place.
I'm sure you're frustrated right now but that's hyperbole to say not exposing your unit directly to open internet equates to not using many futures of the unit. Your laptop likely has a web server you could install (like IIS) but you'd never think of exposing it out to the open internet and running a web site from it, does that mean you can't use many features of your laptop? of course not. Many people will though run an intranet web site from their QNAP NAS, that's not exposed to the public internet but utilizing a technology of the device. Others may expose their QNAP's features across the internet but shield that access behind a VPN (either QNAP's own or a hardware VPN) so their not allowing the entire world to attempt to exploit their device (other than attacking the VPN which is less vulnerable than say a web server or an admin tool like phpmyadmin).
I have to disagree. If the product is advertised with features that link the unit with internet (myQNAPCloud, QSync, etc.) it not unreasonable to expect to use they as documented. You say that "Others may expose their QNAP's features across the internet but shield that access behind a VPN (either QNAP's own or a hardware VPN)". I agree this is more secure but it is more difficult and here's the rub, QNAP do not warn people (from what I can see) to only use these internet-facing services behind a VPN. Moreover, the product pages encourage direct access e.g.

https://support.myqnapcloud.com/feature ... =cloudlink
CloudLink is the best remote access service provided by myQNAPcloud that allows you to connect to your device via the Internet using the myQNAPcloud website (www.myqnapcloud.com). No complicated port forwarding settings on the router are required: just install CloudLink App on device App Center and sign in myQNAPcloud ID (QID) on your device. Then you can access files from the myQNAPcloud website. CloudLink will select the best connection for you according to your network environment. In addition to the web-based connection, CloudLink also allows you to connect to your QNAP device with QNAP Mobile Apps Qfile, Qmanager and the PC utility Qsync. CloudLink makes remote connectivity so easy.

I see no disclaimer to only use these services via a VPN unless I have missed this ..

dolbyman
Guru
Posts: 11940
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: Antivirus fails to update due to 0.0.0.0 clamav.net host file entries

Post by dolbyman » Wed Jan 23, 2019 12:59 am

QNAP promised lots of things on their product pages, that does not mean they work well (4k playback,karaoke,etc) or are hardened enough to not get you hacked (personal cloud,photo/video sharing,etc)

That is how marketing (sadly) works

pretty sure the *terms and conditions* you have to accept also makes you wave all liability for data loss or theft
Last edited by dolbyman on Wed Jan 23, 2019 1:06 am, edited 1 time in total.

Post Reply

Return to “Miscellaneous”