
I have a Xen VM running Debian Stretch with Apache2 to play around with. I have installed ClamAV and Modsecurity (not doing anything just logging at the moment). I keep getting emails from ClamAV stating that it detects a virus Win.Exploit.Unicode_Mixed-1 in the Modsec log files.

luke@lamp:~$ sudo clamscan -i /var/log/apache2/
/var/log/apache2/modsec_audit.log.7.gz: Win.Exploit.Unicode_Mixed-1 FOUND

----------- SCAN SUMMARY -----------
Known viruses: 6107846
Engine version: 0.100.3
Scanned directories: 1
Scanned files: 60
Infected files: 1
Data scanned: 111.06 MB
Data read: 23.27 MB (ratio 4.77:1)
Time: 42.726 sec (0 m 42 s)
luke@lamp:~$

I have submitted the file to VirusTotal.com. ClamAV is the only one to detect on the logfile. This has been going on for months now. Freshclam is keeping ClamAV updated as well.

Is there a way an actual log file can be infected? Is there a way to whitelist the rotating logfiles without whitelisting the signature?

But what I really want to know is this: is there a way to find out what is in the log that is triggering the detection?

EDIT: I managed to locate the string in the logfile. It is:

jXAQADAZABARALAYAIAQAIAQAIAhAAAZ1AIAIAJ11AIAIABABABQI1AIQIAIQI111AIAJQYAZBABABABABkMAGB9u4JB

Now that I found the string causing the detection, how can I find out what it is supposed to do? It is in the "If" line of the log excerpt below.

--0a71b754-A--
[09/Apr/2019:16:10:10 +0800] XKxTYn8AAQEAAGyvyjUAAAAI 202.28.64.1 18716 <local IP of server> 80
--0a71b754-B--
PROPFIND / HTTP/1.1
Host: localhost
Connection: Close
Content-Length: 0
If: <http://localhost/aaaaaaa潨硣睡焳椶䝲稹䭷佰畓穏䡨噣浔桅㥓偬啧杣㍤䘰硅楒吱䱘橑牁䈱瀵塐㙤汇$

Thanks,

Luke

Èl Sea
  • It seems like an attempt to exploit your server using invalid unicode. If your server software is up-to-date, it's likely going to fail. From what I could gather, scanning logfiles with ClamAV is [not recommended](https://lists.gt.net/clamav/users/72740#72740). –  Apr 16 '19 at 11:49
  • Thanks for that MechMK1, I'll look into excluding the log directory from the scan. I did search all the other log files for instances of that IP, but none were found. I wonder if there are any exploits on log analysers that can utilise injected code into log files? – Èl Sea Apr 16 '19 at 13:00
  • Writing malicious code into a log file, which then triggers an exploit in log analyzer software is an interesting attack vector. While it's certainly plausible, it's not something that people would usually go for - given that tons of easier exploits are usually available. –  Apr 16 '19 at 13:28


How does ClamAV work?

ClamAV works based on signatures. Many people often falsely believe that anti-virus software is based on hashes, but this is false. This answer by a guy working for an anti-virus vendor explains this more in detail.

The way signatures work is similar to how regular expressions work. It takes a pattern and tries to apply it to a file (or parts of a file) being scanned. If the pattern fits, then ClamAV will return a positive result.

If the file is actually malicious, then we call this a true positive. If it's not malicious, but was detected as being malicious, then it's called a false positive.

Why does ClamAV detect this file?

I decoded the signature for Win.Exploit.Unicode_Mixed-1 and it's as follows:

VIRUS NAME: Win.Exploit.Unicode_Mixed-1
TARGET TYPE: ANY FILE
OFFSET: *
DECODED SIGNATURE: jXAQADAZABARALAYAIAQAIAQAIAhAAAZ1AIAIAJ11AIAIABABABQI1AIQIAIQI111AIAJQYAZBABABABABkMAGB9u4JB

This sadly doesn't include any information regarding the nature of the supposed exploit. I tried to search for information, but only wound up with people having the same false positive. This answer explains the problem more in-depth.

What to do now?

The name Win.Exploit.Unicode_Mixed-1 implies it's an exploit specific to Microsoft Windows. Given that you are running a Debian environment means that this should not affect you. Further, this signature was found in a log file, which further leads me to believe that it's a false positive.

Given that this signature is rather dubious, I would disable the signature by running:

echo "Win.Exploit.Unicode_Mixed-1" >> /var/lib/clamav/whitelist.ign2

Please note that /var/lib/clamav/ is the default directory of ClamAV database files on my system. Your distribution may have a different path.

  • Thanks for the comprehensive answer. I had been trying to find out the sort of information you gave under "Why does ClamAV Detect". Thanks – Èl Sea Apr 18 '19 at 23:47
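The question asked how to find what in the log trips the detection, and the answer explains that ClamAV matches a pattern (here a plain ASCII string) against file contents. As an added example, not code from the question, the answer or ClamAV, the following Python walks a ModSecurity native-format audit log (rotated .gz copies included) for the decoded signature body and reports which transaction and which request header carries it. The sample log, IP addresses and transaction ids are constructed for the example.

```python
import gzip
import re
from pathlib import Path

# Signature body as decoded in the answer (Win.Exploit.Unicode_Mixed-1), as raw bytes.
SIGNATURE = b"jXAQADAZABARALAYAIAQAIAQAIAhAAAZ1AIAIAJ11AIAIABABABQI1AIQIAIQI111AIAJQYAZBABABABABkMAGB9u4JB"

# ModSecurity native audit-log part boundary: --<txid>-<part>--  (parts A..Z)
SECTION_RE = re.compile(rb"^--([0-9a-fA-F]+)-([A-Z])--\r?$", re.MULTILINE)

# Constructed sample shaped like the excerpt in the question (not real traffic).
SAMPLE_LOG = (
    b"--0a71b754-A--\n[09/Apr/2019:16:10:10 +0800] XKxTYn8AAQEAAGyvyjUAAAAI 203.0.113.5 18716 10.0.0.2 80\n"
    b"--0a71b754-B--\nPROPFIND / HTTP/1.1\nHost: localhost\nConnection: Close\nContent-Length: 0\n"
    b"If: <http://localhost/aaaaaaa" + SIGNATURE + b">\n\n--0a71b754-Z--\n"
    b"--1b2c3d4e-A--\n[09/Apr/2019:16:11:00 +0800] XKxTZn8AAQEAAGyvyjUAAAAJ 203.0.113.6 40000 10.0.0.2 80\n"
    b"--1b2c3d4e-B--\nGET /index.html HTTP/1.1\nHost: localhost\n\n--1b2c3d4e-Z--\n"
)


def read_log(path):
    """Read an audit log as raw bytes, transparently decompressing rotated .gz copies."""
    p = Path(path)
    opener = gzip.open if p.suffix == ".gz" else open
    with opener(p, "rb") as fh:
        return fh.read()


def split_sections(data):
    """Yield (txid, part, body) for every --id-X-- part in the log, in file order."""
    marks = list(SECTION_RE.finditer(data))
    for i, m in enumerate(marks):
        end = marks[i + 1].start() if i + 1 < len(marks) else len(data)
        yield m.group(1).decode(), m.group(2).decode(), data[m.end():end]


def find_signature_hits(data, pattern=SIGNATURE):
    """Return [(txid, request_line, header_name)] for each transaction whose
    part B (request line + headers) contains the signature bytes verbatim."""
    hits = []
    for txid, part, body in split_sections(data):
        if part != "B" or pattern not in body:
            continue
        lines = body.strip(b"\r\n").split(b"\n")
        request_line = lines[0].strip().decode("latin-1")
        header = "(request line)"  # used when the match sits in the request line itself
        for line in lines[1:]:
            if pattern in line:
                header = line.split(b":", 1)[0].decode("latin-1")
                break
        hits.append((txid, request_line, header))
    return hits
```

Running it over `/var/log/apache2/modsec_audit.log.7.gz` via `read_log` tells you which recorded request (here a WebDAV PROPFIND with a long `If:` header) made the log match, which is the evidence to weigh before adding the signature name to an .ign2 file as the answer suggests.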