[clamav-users] yum-installing ClamAV in Amazon Linux

Helmut Hullen Hullen at t-online.de
Sat May 14 02:19:00 EDT 2016


Hello, Mich,

You wrote on 14.05.16:

> When we install ClamAV in our Amazon Linux ElasticBeanstalk instance
> with yum install clamav it gets installed without PCRE support,
> although the libraries are present in the instance.

> LibClamAV Warning: cli_loadldb: logical signature for
> Win.Trojan.ssid18332-1 uses PCREs but support is disabled, skipping
> LibClamAV Warning: cli_loadldb: logical signature for
> Win.Ransomware.Locky-4 uses PCREs but support is disabled, skipping
> LibClamAV Warning: cli_loadldb: logical signature for
> Html.Exploit.CVE_2016_0184-1
> uses PCREs but support is disabled, skipping

> However PCRE is installed in the machine:

[...]

Same problem here, IIRC since clamav version 0.99.

Kernel: 3.19.6, self-compiled under Slackware.
"/usr/lib/libpcre.so.1.2.4" from the "elflibs" package, March 2015.

"clamconf -n" tells
Checking configuration files in /etc

Config file: clamd.conf
-----------------------
LogFile = "/var/log/clamav/clamd.log"
LogSyslog = "yes"
LogFacility = "LOG_MAIL"
PidFile = "/var/run/clamav/clamd.pid"
LocalSocket = "/var/run/clamav/clamd.socket"
LocalSocketGroup = "clamav"
LocalSocketMode = "660"
ExitOnOOM = "yes"
User = "clamav"
AllowSupplementaryGroups = "yes"

Config file: freshclam.conf
---------------------------
UpdateLogFile = "/var/log/freshclam.log"
Checks = "2"
DatabaseMirror = "db.de.clamav.net", "database.clamav.net"

Config file: clamav-milter.conf
-------------------------------

Software settings
-----------------
Version: 0.99.2
Optional features supported: MEMPOOL IPv6 AUTOIT_EA06 BZIP2 LIBXML2 ICONV RAR

Database information
--------------------
Database directory: /var/lib/clamav
main.cvd: version 57, sigs: 4218790, built on Thu Mar 17 00:17:06 2016
bytecode.cld: version 277, sigs: 47, built on Fri Apr 15 20:57:09 2016
daily.cld: version 21542, sigs: 141937, built on Sat May 14 06:55:20 2016
Total number of signatures: 4360774

Platform information
--------------------
uname: Linux 3.19.6-multi #1 SMP Wed May 6 10:26:05 CEST 2015 i686
OS: linux-gnu, ARCH: i386, CPU: i486
Full OS version: WARNING: zlib version mismatch: 1.2.3 (1.2.8)
zlib version: 1.2.3 (1.2.8), compile flags: 55
platform id: 0x0a1152520400000000030406

Build information
-----------------
GNU C: 3.4.6 (3.4.6)
CPPFLAGS:
CFLAGS: -O2 -march=i486 -mtune=i686  -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE
CXXFLAGS:
LDFLAGS:
Configure: '--prefix=/usr' '--libdir=/usr/lib' '--localstatedir=/var' '--sysconfdir=/etc' '--mandir=/usr/man' '--with-user=clamav' '--with-group=clamav' '--with-dbdir=/var/lib/clamav' '--enable-milter' '--enable-id-check' '--enable-clamdtop' '--disable-static' '--disable-experimental' '--build=i486-slackware-linux' 'build_alias=i486-slackware-linux' 'CFLAGS=-O2 -march=i486 -mtune=i686' 'PKG_CONFIG_PATH=/usr/local/lib/pkgconfig:/usr/lib/pkgconfig:/opt/kde/lib/pkgconfig' --enable-ltdl-convenience
sizeof(void*) = 4
Engine flevel: 82, dconf: 82

=================================================================

And "clamconf 2>&1 | grep -i pcre" tells

PCREMatchLimit = "10000"
PCRERecMatchLimit = "5000"
PCREMaxFileSize = "26214400"

Adding "--disable-pcre" doesn't change anything, and also "--with-pcre=/usr/lib"
or "--with-pcre=/usr/local/lib" (and symlinking "libpcre") doesn't help.

===================================================================

And tracing with "strace clamscan" tells


===================================================================

Best regards!
Helmut
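A small defender-side check, added here as an example and not part of the original post or of ClamAV itself: it reads the "Optional features supported" line that clamconf prints and the cli_loadldb warnings from the clamd log, and reports whether the build has a PCRE engine and which logical signatures were silently dropped. The feature token names ("PCRE" for 0.99.x, "PCRE2" for later releases) are an assumption; the sample input below is constructed from the output quoted in this thread.

```python
import re

# Constructed sample input: the "Software settings" block clamconf printed in
# this thread (no PCRE in the feature list) and the three warnings quoted above.
CLAMCONF_OUTPUT = """\
Software settings
-----------------
Version: 0.99.2
Optional features supported: MEMPOOL IPv6 AUTOIT_EA06 BZIP2 LIBXML2 ICONV RAR
"""

CLAMD_LOG = """\
LibClamAV Warning: cli_loadldb: logical signature for Win.Trojan.ssid18332-1 uses PCREs but support is disabled, skipping
LibClamAV Warning: cli_loadldb: logical signature for Win.Ransomware.Locky-4 uses PCREs but support is disabled, skipping
LibClamAV Warning: cli_loadldb: logical signature for Html.Exploit.CVE_2016_0184-1 uses PCREs but support is disabled, skipping
"""

FEATURE_RE = re.compile(r"^Optional features supported:\s*(.*)$", re.M)
SKIPPED_RE = re.compile(
    r"cli_loadldb: logical signature for (\S+) uses PCREs but support is disabled, skipping")

def supported_features(clamconf_text):
    """Return the set of optional feature tokens clamconf reports."""
    m = FEATURE_RE.search(clamconf_text)
    return set(m.group(1).split()) if m else set()

def has_pcre(clamconf_text):
    """True if the build advertises a PCRE engine. Assumption: the token is
    'PCRE' on 0.99.x and 'PCRE2' on later releases."""
    return bool(supported_features(clamconf_text) & {"PCRE", "PCRE2"})

def skipped_signatures(log_text):
    """Names of logical signatures the engine refused to load for lack of PCRE."""
    return SKIPPED_RE.findall(log_text)

def coverage_report(clamconf_text, log_text):
    """Summarise the detection gap: PCRE present, and how many signatures were lost."""
    skipped = skipped_signatures(log_text)
    return {"pcre": has_pcre(clamconf_text),
            "skipped": len(skipped),
            "names": sorted(skipped)}

if __name__ == "__main__":
    # In real use, feed it the output of `clamconf` and the clamd log file.
    print(coverage_report(CLAMCONF_OUTPUT, CLAMD_LOG))
```

A non-zero "skipped" count on a production scanner means part of the daily.cld ruleset is not active, so it is worth alerting on, not just logging.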