[clamav-users] After 0.100.1 Update, clamd crashes

Eric Tykwinski eric-list at truenet.com
Tue Jul 31 15:18:24 EDT 2018


> -----Original Message-----
> From: clamav-users [mailto:clamav-users-bounces at lists.clamav.net] On
> Behalf Of Paul Kosinski
> Sent: Tuesday, July 31, 2018 2:42 PM
> To: clamav-users at lists.clamav.net
> Subject: Re: [clamav-users] After 0.100.1 Update, clamd crashes
<...>
> Software should *never* crash when presented with invalid input,
> especially if the input arrives via the Internet. And it's quite
> conceivable that some especially clever bad guy might attack the source
> of signatures to incapacitate ClamAV, or, in the worst case, to cause it
> to execute arbitrary code instead of "merely" crashing.

Yeah, I think everyone pretty much can agree with that.
And it's not like it's uncommon; Gentoo just got whacked last month.

As far as helping to fix the issue, what yara rule was causing the issue on
100.1?
https://github.com/Yara-Rules/rules/blob/master/Antidebug_AntiVM/antidebug_antivm.yar

This one always fails a few, so I tested this out.
LibClamAV Error: yyerror(): /var/lib/clamav/antidebug_antivm.yar line 497 undefined identifier "pe"
LibClamAV Error: yyerror(): /var/lib/clamav/antidebug_antivm.yar line 512 undefined identifier "pe"
LibClamAV Error: yyerror(): /var/lib/clamav/antidebug_antivm.yar line 528 undefined identifier "pe"
LibClamAV Error: yyerror(): /var/lib/clamav/antidebug_antivm.yar line 544 undefined identifier "pe"
LibClamAV Error: yyerror(): /var/lib/clamav/antidebug_antivm.yar line 557 undefined identifier "pe"
LibClamAV Error: yyerror(): /var/lib/clamav/antidebug_antivm.yar line 603 undefined identifier "pe"
LibClamAV Error: yyerror(): /var/lib/clamav/antidebug_antivm.yar line 614 undefined identifier "pe"
LibClamAV Warning: cli_loadyara: failed to parse or load 7 yara rules from file /var/lib/clamav/antidebug_antivm.yar, successfully loaded 92 rules.

For loaded sigs:
LibClamAV Warning: cli_loadyara: failed to parse or load 7 yara rules from file /var/lib/clamav/antidebug_antivm.yar, successfully loaded 92 rules.

If you guys need my config.log for versions of dependencies or anything, just let me know.
Running 18.04 Ubuntu with OpenSSL 1.1.1, so total dev environment, but it looks like this release is 57 diffs from the 100.1 release.
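
The errors above are ClamAV's YARA parser rejecting every rule whose condition uses the YARA `pe` module, while the rest of the file still loads. The following is an added example (my own script, not part of ClamAV and not posted by anyone in this thread) that pre-filters a `.yar` file the same way: it splits the file into rules, reports the ones that reference a module identifier with their line numbers, and writes out only the rest so the file loads without warnings. The `pe` identifier is the one the log shows failing; the other module names in `UNSUPPORTED_MODULES`, and dropping the `import` lines, are assumptions that ClamAV's loader treats all YARA modules the same way. The sample rules are constructed for the example, not taken from antidebug_antivm.yar.

```python
#!/usr/bin/env python3
"""Pre-filter a YARA rule file for ClamAV (added example, not ClamAV code).

ClamAV's YARA loader reported 'undefined identifier "pe"' for each rule in
antidebug_antivm.yar whose condition used the YARA pe module.  This splits
a .yar file into rules that do not reference such modules (written out)
and rules that do (reported with line numbers), so what remains loads
cleanly instead of being partly rejected at load time.
"""
import re
import sys

# "pe" is what the log shows failing.  The other names are an ASSUMPTION
# that ClamAV's loader treats every YARA module identifier the same way.
UNSUPPORTED_MODULES = ("pe", "elf", "math", "hash", "cuckoo", "magic", "dotnet")

RULE_START = re.compile(r'^\s*(?:(?:private|global)\s+)*rule\s+(\w+)')
IMPORT_LINE = re.compile(r'^\s*import\s+"')
MODULE_REF = re.compile(r'\b(' + '|'.join(UNSUPPORTED_MODULES) + r')\.')
# One pass over string literals and comments, so a "//" inside a string is
# not mistaken for a comment: strings are blanked, comments removed.
NOISE = re.compile(r'"(?:\\.|[^"\\])*"|/\*.*?\*/|//[^\n]*', re.S)


def split_rules(text):
    """Return (preamble, [(name, first_line, source), ...]).

    A rule runs from its 'rule NAME' line to the line before the next one;
    everything before the first rule (imports, comments) is the preamble.
    """
    lines = text.splitlines(keepends=True)
    starts = [i for i, line in enumerate(lines) if RULE_START.match(line)]
    if not starts:
        return text, []
    rules = []
    for n, i in enumerate(starts):
        j = starts[n + 1] if n + 1 < len(starts) else len(lines)
        name = RULE_START.match(lines[i]).group(1)
        rules.append((name, i + 1, "".join(lines[i:j])))
    return "".join(lines[:starts[0]]), rules


def unsupported_refs(rule_src):
    """Module names used in the rule's condition, ignoring comments and strings."""
    body = NOISE.sub(lambda m: '""' if m.group(0).startswith('"') else "", rule_src)
    idx = body.find("condition:")
    cond = body[idx:] if idx >= 0 else body
    return sorted(set(MODULE_REF.findall(cond)))


def filter_for_clamav(text):
    """Return (kept_source, dropped) with dropped = [(name, line, modules)]."""
    preamble, rules = split_rules(text)
    # Drop 'import "..."' lines as well: no kept rule can use them (assumption).
    kept = ["".join(l for l in preamble.splitlines(keepends=True)
                    if not IMPORT_LINE.match(l))]
    dropped = []
    for name, line, src in rules:
        mods = unsupported_refs(src)
        if mods:
            dropped.append((name, line, mods))
        else:
            kept.append(src)
    return "".join(kept), dropped


# Constructed sample modelled on the failure in the log; not the real file.
SAMPLE = '''import "pe"

rule plain_strings
{
    strings:
        $a = "IsDebuggerPresent"
    condition:
        $a
}

rule uses_pe_module
{
    // flagged by ClamAV as: undefined identifier "pe"
    condition:
        pe.imports("kernel32.dll", "IsDebuggerPresent")
}

rule pe_only_in_text
{
    strings:
        $s = "pe.exe"  // a string, not a module reference
    condition:
        $s and filesize < 1MB
}
'''

if __name__ == "__main__":
    src = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    kept, dropped = filter_for_clamav(src)
    for name, line, mods in dropped:
        print("dropped rule %s (line %d): uses %s" % (name, line, ", ".join(mods)),
              file=sys.stderr)
    sys.stdout.write(kept)
```

Run as `python3 filter.py antidebug_antivm.yar > clamav_safe.yar`: the dropped rules go to stderr with the same line numbers clamd would have complained about, and the kept rules go to stdout. Rules are delimited by their `rule NAME` lines rather than by brace matching, so hex strings containing `{ }` do not confuse the splitter; a rule is only flagged when the module identifier appears in its condition outside comments and string literals.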



