Antivirus fails to update due to 0.0.0.0 clamav.net host file entries

qone1one
New here
Posts: 7
Joined: Thu May 09, 2019 7:49 pm

Re: Antivirus fails to update due to 0.0.0.0 clamav.net host file entries

Post by qone1one »

kellic wrote: Fri May 10, 2019 10:58 pm
qone1one wrote: Fri May 10, 2019 8:28 pm

"We have enhanced the built-in security mechanism in the QTS versions listed below. This enhancement allows QTS to disable the malware"
This is the bit I don't get. I noticed that when upgrading to the latest firmware I was still able to download the Malware Removal tool manually, run it, have it remove the malware, only to have it tell me that it has removed the malware and that I need to change my passwords every time I boot the NAS. So something is still there and I'm no closer to understanding the problem.
Question. Do the entries in the host file come back after the scan and reboot?
Just wanted to get clarification. It is verbatim saying you need to change your password on _EVERY_ reboot? I can understand the thinking of requiring a change of password on _A_ reboot as this malware may have compromised your admin password. But there is no reason on EVERY reboot.
Host files, how would I check that?

Yes, password change advice comes up every time I run the Malware Remover (which I'm not even sure I need as my FW is at 4.3.6.0923 and "This enhancement allows QTS to disable the malware" makes me think it's included in the package now). However, each time I reboot and run the tool again I'm told that the remover has "Repaired infected file or folder: Name: /tmp/config/autorun.sh" along with the change passwords advice and to reboot the NAS again. So stuck in a loop. :s

Also I have seen the advisory from QNAP "Warning: If your NAS device is already infected, updating QTS and all NAS applications may not completely remove the malware. QNAP is currently working on a removal solution and will update this advisory once it is publicly available." - does this mean that the current Malware Removal Tool is no good and we are to wait for another one? It's not clear to me.
kellic
Starting out
Posts: 28
Joined: Fri Mar 02, 2018 2:33 am

Re: Antivirus fails to update due to 0.0.0.0 clamav.net host file entries

Post by kellic »

qone1one wrote: Fri May 10, 2019 11:35 pm
kellic wrote: Fri May 10, 2019 10:58 pm
qone1one wrote: Fri May 10, 2019 8:28 pm

"We have enhanced the built-in security mechanism in the QTS versions listed below. This enhancement allows QTS to disable the malware"
This is the bit I don't get. I noticed that when upgrading to the latest firmware I was still able to download the Malware Removal tool manually, run it, have it remove the malware, only to have it tell me that it has removed the malware and that I need to change my passwords every time I boot the NAS. So something is still there and I'm no closer to understanding the problem.
Question. Do the entries in the host file come back after the scan and reboot?
Just wanted to get clarification. It is verbatim saying you need to change your password on _EVERY_ reboot? I can understand the thinking of requiring a change of password on _A_ reboot as this malware may have compromised your admin password. But there is no reason on EVERY reboot.
Host files, how would I check that?

Yes, password change advice comes up every time I run the Malware Remover (which I'm not even sure I need as my FW is at 4.3.6.0923 and "This enhancement allows QTS to disable the malware" makes me think it's included in the package now). However, each time I reboot and run the tool again I'm told that the remover has "Repaired infected file or folder: Name: /tmp/config/autorun.sh" along with the change passwords advice and to reboot the NAS again. So stuck in a loop. :s

Also I have seen the advisory from QNAP "Warning: If your NAS device is already infected, updating QTS and all NAS applications may not completely remove the malware. QNAP is currently working on a removal solution and will update this advisory once it is publicly available." - does this mean that the current Malware Removal Tool is no good and we are to wait for another one? It's not clear to me.
Sounds like standard cover your *coughs* assets, response from QNAP, or any large company actually. If the scan doesn't come back with anything and the host file isn't altered with hundreds of entries you should be fine.

Disclaimer: I'm still in the research / observation phase of purchasing a QNAP. But it's based on Linux so it should be the same as any *nix distro. You will want to "cat" the host file. The host file is like a little black book that converts names into phone numbers, or in this case IP addresses. If the white pages (DNS) are for the world, the host file is what is looked at first before going to the white pages phone book.

You will need to SSH/Putty into your NAS. (I'm unaware if there is a local app that lets you access the shell from the Web GUI. Best I can tell there is not.)

Prerequisite:

Download Putty to your system: https://www.chiark.greenend.org.uk/~sgt ... atest.html
Enable SSH access if you haven't already. A basic SSH server is already installed and configured in your NAS, but you'll need to check that it's enabled. Log in to your NAS QTS desktop and navigate to Control Panel -> Network Services -> Telnet / SSH. Only enable SSH. Telnet is NOT secure.

TIP: YOU SHOULD ALWAYS DISABLE THIS ONCE DONE UNLESS YOU ARE CERTAIN THAT THIS IS NOT PRESENTED TO THE INTERNET. JUST REVERSE THE ABOVE PROCESS.

Then use the following to get into an SSH session.

[HOWTO] use the Linux command line
viewtopic.php?t=128704

Short of it: in the PuTTY session, from the same network your QNAP is on, type the IP address, select connection type SSH, and click Open. Type your credentials and hit Enter.

Again, I don't have a QNAP yet, but I'm going to assume that this has the host file in the same place as all *nix systems.

From the command line run

cat /etc/hosts

If it scrolls a lot, you can run the following to inspect it:

cat /etc/hosts | more

Hit Enter to proceed line by line.

Ctrl-C to end the scrolling.

Easier: you can run

grep 0.0.0.0 /etc/hosts

If you still have entries like this

0.0.0.0 bugs.clamav.net
0.0.0.0 current.cvd.clamav.net
0.0.0.0 database.clamav.net
0.0.0.0 db.local.clamav.net
0.0.0.0 update.nai.com
0.0.0.0 db.ac.clamav.net
0.0.0.0 db.ac.ipv6.clamav.net
0.0.0.0 db.ac.big.clamav.net

You are either still at risk or the malware removal software didn't clean up the mess, but may have at least removed the offending malware. If that is the case I'd open a support ticket with QNAP.

Frankly they should get spammed into the ground with this as this SHOULD be a pain point for them. Microsoft took security lightly until security problems bit them in the *** with Windows XP. Service Pack 2 was the beginning, but JUST the beginning, of them taking it seriously, as they were swamped with support cases, and companies and businesses calling out that BS. Today Windows is FAR more secure than it used to be, and it is all due to pressure to get their **** fixed.
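An added example (not from kellic's post, QNAP, or the Malware Remover): a POSIX shell check that does what the grep above does, but against a constructed sample hosts file so it can be tried offline before pointing it at a real /etc/hosts. The hostnames on the watch list are the ones quoted in the thread; the sample file contents and the function names are made up for this illustration.

```shell
#!/bin/sh
# Added example: look for hosts-file entries that sinkhole antivirus update
# servers to 0.0.0.0 (the symptom described in this thread). Not code from the
# forum post; the sample hosts file below is constructed for demonstration.

# Hostname patterns that a legitimate hosts file should never map to 0.0.0.0.
# Taken from the entries quoted in the thread.
WATCH_PATTERN='clamav\.net|nai\.com'

# Print the suspicious lines of the hosts file given as $1.
# Comments are stripped first so a commented-out entry is not reported.
find_sinkholed() {
    sed 's/#.*//' "$1" | awk '$1 == "0.0.0.0"' | grep -E "$WATCH_PATTERN"
}

# Print how many suspicious lines the hosts file given as $1 contains (0 if clean).
count_sinkholed() {
    find_sinkholed "$1" | wc -l | tr -d ' '
}

# Write a constructed sample hosts file to the path given as $1.
# Two of the lines reproduce the kind of entries reported in the thread.
make_sample() {
    cat > "$1" <<'EOF'
127.0.0.1 localhost
# 0.0.0.0 commented.clamav.net  (commented out, must not be counted)
0.0.0.0 database.clamav.net
0.0.0.0 update.nai.com
192.168.1.20 nas.local
EOF
}

# Usage: ./check_hosts.sh [hosts-file]. With no argument, runs on the sample.
if [ "${1:-}" = "" ]; then
    tmp=$(mktemp)
    make_sample "$tmp"
    target="$tmp"
else
    target="$1"
fi
echo "Sinkholed antivirus update hosts in $target:"
find_sinkholed "$target" || echo "(none found)"
echo "Count: $(count_sinkholed "$target")"
[ -n "${tmp:-}" ] && rm -f "$tmp"
```

Run it with no arguments to see it flag the two constructed entries, or with /etc/hosts as the argument on the NAS itself. A non-zero count after the Malware Remover has been run and the NAS rebooted is exactly the situation the post above says should go to QNAP support.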
P3R
Guru
Posts: 13190
Joined: Sat Dec 29, 2007 1:39 am
Location: Stockholm, Sweden (UTC+01:00)

Re: Antivirus fails to update due to 0.0.0.0 clamav.net host file entries

Post by P3R »

kellic wrote: Sun May 12, 2019 12:26 am But it's based on Linux so it should be the same as any *nix distro.
Not in every aspect so be careful. Many with that expectation have been surprised.
(I'm unaware if there is a local app that lets you access the shell from the Web GUI. Best I can tell there is not.)
There isn't so SSH/Putty is the way to go.
RAID have never ever been a replacement for backups. Without backups on a different system (preferably placed at another site), you will eventually lose data!

A non-RAID configuration (including RAID 0, which isn't really RAID) with a backup on a separate media protects your data far better than any RAID-volume without backup.

All data storage consists of both the primary storage and the backups. It's your money and your data, spend the storage budget wisely or pay with your data!
ianch99
Starting out
Posts: 11
Joined: Sun Jan 07, 2018 5:43 pm

Re: Antivirus fails to update due to 0.0.0.0 clamav.net host file entries

Post by ianch99 »

When I started this thread, I did not think that I would sell my QNAP but that is exactly what I have done. When I started looking for NAS, I wanted a solution that "just worked", had quality hardware and software and was enterprise grade in terms of its reliability & security. After reading the reviews, It was a toss up between QNAP & Synology. QNAP edged it on the price/performance factor but there was not much in it.

All companies will have software vulnerabilities. The issue is not that they have them but how they handle it. This is an important metric on how to judge the quality of the company and ability of the engineering group to respond to the problem. To be honest, QNAP had failed in both of these areas. The security advisory (https://www.qnap.com/en-uk/security-adv ... -201902-13) is weak:

- no CVE number
- 4 months later and "QNAP is [still] currently working on a removal solution and will update this advisory once it is publicly available."
- no description of the attack vector
- no description of the malware purpose
- etc.

The script provided by Support to "fix" the problem is called 'Derek Be Gone' (or something like that). I mean, really?

I bought a comparable DS218+ and so far, it is night & day in terms of the quality of the software and the feature set. The UI is consistent and effective and the backup solution, especially, is excellent with seamless integration with local & cloud storage. I started getting detailed CVE emails that put the QNAP responses in a very poor light and, and this was quite funny, the day after I got it, I saw an update for the ClamAV software, in contrast to the old version that QNAP still ship.

They also have a dedicated GSuite app which is a good fit for me being a GSuite owner.

Anyway, YMMV but I can say, after using both systems, QNAP is a poor second to Synology.

Lastly, sound advice: use an OpenVPN server (on your router) and remotely access your NAS (and LAN) via a VPN tunnel. Better safe than sorry ...
Levo
Starting out
Posts: 27
Joined: Mon Aug 24, 2009 10:13 pm

Re: Antivirus fails to update due to 0.0.0.0 clamav.net host file entries

Post by Levo »

I have started to have the same issue as soon as I upgraded to 4.3.6 from 4.3.4 (or something thereabouts).
I get the dreaded, "Failed to update virus definitions...." log.
When I try to import the "main.cvd" it fails with the file format error.
I have no clamav entries in the /etc/hosts.
It is really frustrating that Qnap is not saying/doing anything about this.
I am on my 3rd Qnap and the way they are going, may consider something else for my next one...
TVS-471 16GB - 5.0.0 - 3x WD Red 6TB + WD 10TB
TS-639 Pro - 4.2.6 - 3x WD Red 4TB + WD 10TB
dealpapa
Starting out
Posts: 33
Joined: Sat Jan 12, 2019 12:14 am

Re: Antivirus fails to update due to 0.0.0.0 clamav.net host file entries

Post by dealpapa »

4.3.6.0979 build 20190620 2019-06-20 fixed my problem