[clamav-users] Problems with 3rd party sigs
Mark Foley
mfoley at novatec-inc.com
Fri Mar 31 17:45:01 UTC 2017
Per advice on this list, I downloaded and installed the clamav-unofficial-sigs
scripts from the link on Sanesecurity.
I've not been able to get it running. Two problems:
1. The /etc/cron.d/clamav-unofficial-sigs cron script won't run from crond. I get an email:
/bin/sh: clamav: command not found
I've searched the computer and the clamav-unofficial-sigs.sh script looking for a
reference to a clamav command and simply cannot find such a command. I've
sprinkled `echo` statements throughout clamav-unofficial-sigs.sh and redirected
the cron script's output to a log file. I never get anything in the logfile.
Yet, if I run clamav-unofficial-sigs.sh as root manually, it runs fine.
2. I run a cron'd clamscan job to scan mail folders several times a day. I get
the following errors, which are new since installing the unofficial-sigs:
LibClamAV Error: yyerror(): /var/lib/clamav/antidebug_antivm.yar line 497 undefined identifier "pe"
LibClamAV Error: yyerror(): /var/lib/clamav/antidebug_antivm.yar line 512 undefined identifier "pe"
LibClamAV Error: yyerror(): /var/lib/clamav/antidebug_antivm.yar line 528 undefined identifier "pe"
LibClamAV Error: yyerror(): /var/lib/clamav/antidebug_antivm.yar line 544 undefined identifier "pe"
LibClamAV Error: yyerror(): /var/lib/clamav/antidebug_antivm.yar line 557 undefined identifier "pe"
LibClamAV Error: yyerror(): /var/lib/clamav/antidebug_antivm.yar line 603 undefined identifier "pe"
LibClamAV Error: yyerror(): /var/lib/clamav/antidebug_antivm.yar line 614 undefined identifier "pe"
LibClamAV Error: cli_loadyara: failed to parse rules file /var/lib/clamav/antidebug_antivm.yar, error count 7
LibClamAV Error: yyerror(): /var/lib/clamav/EMAIL_Cryptowall.yar line 34 duplicate identifier "CryptoWall_Resume_phish"
LibClamAV Error: yyerror(): /var/lib/clamav/EMAIL_Cryptowall.yar line 52 duplicate identifier "docx_macro"
LibClamAV Error: cli_loadyara: failed to parse rules file /var/lib/clamav/EMAIL_Cryptowall.yar, error count 2
The lines at /var/lib/clamav/antidebug_antivm.yar line 497 are:
496 contition:
497 pe.imports("kernel32.dll","CheckRemoteDebuggerPresent") and
498 pe.imports("kernel32.dll","IsDebuggerPresent")
These seem like rather basic programming bugs. Nevertheless, it does appear to
catch new signatures, e.g.:
/home/HPRS/mpress/Maildir/.Deleted Items/cur/1463485456.M955042P32209.mail,S=13067,W=13269:2,S: Sanesecurity.Foxhole.Zip_fs226.UNOFFICIAL FOUND
/home/HPRS/mpress/Maildir/.Deleted Items/cur/1460374151.M124643P21974.mail,S=30684,W=31217:2,S: Sanesecurity.Spam.12404.Ml.UNOFFICIAL FOUND
/home/HPRS/shay/Maildir/.Trash/cur/1485781802.M776532P6090.mail,S=2905,W=2971:2,S!(1)MAIL:mixedtextportion: Sanesecurity.Junk.33365.UNOFFICIAL FOUND
/home/HPRS/shay/Maildir/.Trash/cur/1486393658.M60634P26487.mail,S=48881,W=49823:2,S: Sanesecurity.Spam.12427.FakeRenew.UNOFFICIAL FOUND
/home/HPRS/dsmith/Maildir/.Deleted Items.Sent/cur/1443025877.M266324P18041.mail,S=22511,W=22844:2,S: Sanesecurity.Foxhole.Zip_Wordexe.1.UNOFFICIAL FOUND
etc.
Has anyone on this list encountered the same problems and, if so, were you able to
fix them? I'm running Slackware.
Thanks, Mark
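The two kinds of parse error above can be caught before clamscan ever loads the third-party rule sets. The checker below is an added example, not code from this post or from the clamav-unofficial-sigs project: it flags rules that reference YARA modules ClamAV's built-in YARA parser does not implement (such as pe, which is why `pe.imports(...)` fails with `undefined identifier "pe"`) and rule names defined more than once. The module list and the sample rules are my own assumptions, constructed to resemble the quoted output, not the real Sanesecurity files.

```python
import re

# Upstream YARA modules that ClamAV's built-in YARA parser does not implement
# (assumption from my own knowledge of ClamAV, not stated in the post); a rule
# referring to one of them fails to load with: undefined identifier "pe"
UNSUPPORTED_MODULES = {"pe", "elf", "cuckoo", "magic", "hash", "math", "dotnet"}

RULE_RE = re.compile(r'^\s*(?:(?:private|global)\s+)*rule\s+([A-Za-z_]\w*)')
IMPORT_RE = re.compile(r'^\s*import\s+"(\w+)"')
STRING_RE = re.compile(r'"(?:\\.|[^"\\])*"')
MODULE_RE = re.compile(r'\b(' + '|'.join(sorted(UNSUPPORTED_MODULES)) + r')\.[A-Za-z_]\w*')

def check_yara_text(text, seen_names=None):
    """Return [(line_no, message), ...] for constructs LibClamAV rejects.
    seen_names maps rule name -> origin; pass one dict across several files
    so duplicates between files in /var/lib/clamav are caught as well.
    Heuristic: handles quoted strings and // comments, not /* */ blocks."""
    issues = []
    seen = {} if seen_names is None else seen_names
    for lineno, raw in enumerate(text.splitlines(), 1):
        m = IMPORT_RE.match(raw)
        if m and m.group(1) in UNSUPPORTED_MODULES:
            issues.append((lineno, f'unsupported module import "{m.group(1)}"'))
            continue
        code = STRING_RE.sub('""', raw).split("//")[0]   # drop strings and line comments
        m = RULE_RE.match(code)
        if m:
            name = m.group(1)
            if name in seen:
                issues.append((lineno, f'duplicate identifier "{name}" (first at {seen[name]})'))
            else:
                seen[name] = f"line {lineno}"
        for m in MODULE_RE.finditer(code):
            issues.append((lineno, f'undefined identifier "{m.group(1)}"'))
    return issues

# Constructed sample in the shape of the rules quoted in the post (not the real file).
SAMPLE = '''\
import "pe"
rule anti_dbg {
    condition:
        pe.imports("kernel32.dll","CheckRemoteDebuggerPresent") and
        pe.imports("kernel32.dll","IsDebuggerPresent")
}
rule docx_macro { strings: $a = "vbaProject.bin" condition: $a }
rule docx_macro { strings: $b = "Macros/VBA" condition: $b }
'''
if __name__ == "__main__":
    for lineno, msg in check_yara_text(SAMPLE):
        print(f"line {lineno}: {msg}")
```

Run it over each .yar file the update script fetches (sharing one `seen_names` dict across files) and move any file that reports issues aside before clamscan runs, so a broken third-party rule set does not fill the scan log with parse errors.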