[clamav-users] After 0.100.1 Update, clamd crashes

Micah Snyder (micasnyd) micasnyd at cisco.com
Tue Jul 31 08:50:41 EDT 2018


Thanks for the analysis, Steve.  That is a step towards understanding how to fix it.

I don't believe it's a new bug in 0.100, but was merely revealed due to legitimate improvements in the yara sig loading behavior.
Copy-pasted from my comments in the ticket you linked:

> In 0.99.x some of the rules failed entirely, so the entire database was dropped. In 0.100, some of the rules failed, but it now allows it to partially load the ones that didn't outright fail. However, there appears to be a bug wherein at least one that is getting loaded is causing a crash.

It wouldn't be a good fix to go back and change it so that it drops the whole ruleset because one rule failed to load.  The correct fix would be to detect signature features that aren't supported before we attempt to load them, so we can drop them.

I welcome any additional research from the community to help find a fix for this.  We have a lot on our plates, and don't have any time dedicated to fix this one ourselves for 0.101.

Regards,
Micah

Micah Snyder
ClamAV Development
Talos
Cisco Systems, Inc.


On Jul 31, 2018, at 7:50 AM, Steve Basford <steveb_clamav at sanesecurity.com> wrote:

Just posting a little regarding the Yara issue with 0.100.x:

After a little bit of testing last week... here's what was found:

In ClamAV 0.100.x, if the Yara file uses pe.imports *and* has
*multiple* rules inside the single Yara file, it seems to crash Linux
versions of ClamAV.


If the Yara rule uses pe.imports (which, btw, isn't supported in ClamAV)
and is changed from:

all of ($user*) and pe.imports("advapi32.dll")

to:

all of ($user*)

then ClamAV doesn't crash in 0.100.x.

Whereas leaving the rule intact in pre-0.100.x, it just didn't crash.


There's a Bugzilla about it here:


https://bugzilla.clamav.net/show_bug.cgi?id=12077#c14


My little issue is with this statement:

"It wasn't quite clear at the offset of this bug, but ClamAV cannot
support unofficial signatures from a development standpoint. For numerous
reasons, we do not regress against those signatures, and in cases where
sig writers publish non-functional signatures due to insufficient testing
(which then cause crashes in newer versions of clam) we cannot devote our
resources to fixing that problem." (above Bugzilla)


I can see where the above is coming from generally... *but* it's always
been known that Yara pe module import was an issue...

eg:


https://blog.clamav.net/2015/06/clamav-099b-meets-yara.html

"There are currently a few limitations of YARA rules within ClamAV 0.99
beta1, due either to nonexistent ClamAV capabilities or to YARA features
that did not fit well into the ClamAV processing model. We hope to further
evaluate and include as much of this functionality as possible in
subsequent releases. YARA rules using any of the following features will
be **** flagged in error, and the respective rules will be disabled **** :

* Modules – A YARA feature intended to provide modular extensions to the
YARA core. Modules are normally activated using the import keyword. "


So, I feel that the issue is not the fact that ClamAV isn't supporting the
import module... but the fact that now ClamAV crashes on 0.100.x where
before it didn't.

Yararules won't change their rules which need the pe.imports module because,
well, that's how Yara will detect things on non-ClamAV software.



--
Cheers,

Steve
Twitter: @sanesecurity
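A pre-flight filter of the kind Micah describes above (an added example, not ClamAV or YaraRules code): it walks a YARA rule file, finds rules whose condition references a YARA module such as pe, and drops them before the file is handed to clamd, so an unsupported pe.imports(...) call never reaches the loader. The rule names, strings and the sample file are constructed for the example; the assumption is that any module reference is unsupported in ClamAV, as the 0.99 beta1 blog post quoted above states, and that rule bodies have balanced braces (hex strings like { 4D 5A } are balanced, so they are handled).

```python
"""Pre-flight filter for YARA rule files before loading them into ClamAV.

Added example, not ClamAV or YaraRules code. It is a lightweight text-level
check, not a full YARA parser: it assumes each rule body runs from the
'rule' keyword to its matching closing brace, and that module use appears
as `import "<module>"` at file scope or as `<module>.` in a condition.
"""
import re
from typing import List, Tuple

# Assumption: ClamAV implements no YARA modules, so every one is unsupported.
KNOWN_MODULES = ("pe", "elf", "cuckoo", "magic", "hash", "math", "dotnet")

IMPORT_RE = re.compile(r'^\s*import\s+"(\w+)"\s*$', re.MULTILINE)
RULE_START_RE = re.compile(r'^\s*(?:private\s+|global\s+)*rule\s+(\w+)\b',
                           re.MULTILINE)


def split_rules(text: str) -> List[Tuple[str, str]]:
    """Return (name, body) per rule; body spans 'rule' to its matching '}'."""
    rules = []
    for m in RULE_START_RE.finditer(text):
        start = m.start()
        brace = text.find("{", m.end())
        if brace == -1:
            break
        depth, i = 0, brace
        while i < len(text):
            if text[i] == "{":
                depth += 1
            elif text[i] == "}":
                depth -= 1
                if depth == 0:
                    break
            i += 1
        rules.append((m.group(1), text[start:i + 1]))
    return rules


def modules_used(body: str, modules=KNOWN_MODULES) -> List[str]:
    """Module names referenced in the rule's condition section only."""
    parts = body.split("condition:", 1)
    if len(parts) < 2:
        return []
    return [mod for mod in modules
            if re.search(r"\b%s\." % re.escape(mod), parts[1])]


def filter_rules(text: str, modules=KNOWN_MODULES):
    """Return (kept_rules_text, dropped_list, file_scope_imports).

    dropped_list holds (rule_name, [modules]) for every rule removed.
    Imports are not re-emitted, since no kept rule can depend on them.
    """
    imported = sorted(set(IMPORT_RE.findall(text)))
    kept, dropped = [], []
    for name, body in split_rules(text):
        used = modules_used(body, modules)
        if used:
            dropped.append((name, used))
        else:
            kept.append(body)
    return "\n\n".join(kept), dropped, imported


# Constructed sample file: one rule mirrors the pe.imports shape from the thread.
SAMPLE_RULES = '''
import "pe"

rule User_Enum_With_Import
{
    strings:
        $user1 = "NetUserEnum"
        $user2 = "NetUserGetInfo"
    condition:
        all of ($user*) and pe.imports("advapi32.dll")
}

rule User_Enum_Plain
{
    strings:
        $user1 = "NetUserEnum"
        $user2 = "NetUserGetInfo"
    condition:
        all of ($user*)
}

rule Has_MZ_Header
{
    strings:
        $mz = { 4D 5A }
    condition:
        $mz at 0
}
'''

if __name__ == "__main__":
    kept_text, dropped_rules, imports = filter_rules(SAMPLE_RULES)
    for name, mods in dropped_rules:
        print("dropping %s (uses module(s): %s)" % (name, ", ".join(mods)))
    print(kept_text)
```

Run over a real signature directory before clamd loads it, and the dropped list doubles as a report of which upstream rules would need a ClamAV-specific variant; checking only the condition section avoids false drops on strings that merely contain text like "pe." as a literal.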
