[clamav-users] After 0.100.1 Update, clamd crashes

Eric Tykwinski eric-list at truenet.com
Tue Jul 31 09:06:47 EDT 2018


Micah,

Running master branch from GitHub: ClamAV 0.101.0/24799/Tue Jul 31 04:44:57 2018

It doesn’t seem to have an issue, as far as I can tell.

# clamscan --debug 2>&1 /dev/null | grep "loaded" | grep yara
LibClamAV debug: load_oneyara: successfully loaded YARA.AnglerEKredirector
LibClamAV debug: load_oneyara: successfully loaded YARA.angler_flash
LibClamAV debug: load_oneyara: successfully loaded YARA.angler_flash2
LibClamAV debug: load_oneyara: successfully loaded YARA.angler_flash4
LibClamAV debug: load_oneyara: successfully loaded YARA.angler_flash5
LibClamAV debug: load_oneyara: successfully loaded YARA.angler_flash_uncompressed
LibClamAV debug: load_oneyara: successfully loaded YARA.angler_html
LibClamAV debug: load_oneyara: successfully loaded YARA.angler_html2
LibClamAV debug: load_oneyara: successfully loaded YARA.angler_jar
LibClamAV debug: load_oneyara: successfully loaded YARA.angler_js
LibClamAV debug: cli_loadyara: loaded 10 of 10 yara signatures from /var/lib/clamav/EK_Angler.yar
LibClamAV debug: load_oneyara: successfully loaded YARA.blackhole2_jar
LibClamAV debug: load_oneyara: successfully loaded YARA.blackhole2_jar2
LibClamAV debug: load_oneyara: successfully loaded YARA.blackhole2_jar3
LibClamAV debug: load_oneyara: successfully loaded YARA.blackhole2_pdf
LibClamAV debug: load_oneyara: successfully loaded YARA.blackhole_basic
LibClamAV debug: load_oneyara: successfully loaded YARA.blackhole1_jar
LibClamAV debug: load_oneyara: successfully loaded YARA.blackhole2_css
LibClamAV debug: load_oneyara: successfully loaded YARA.blackhole2_htm
LibClamAV debug: load_oneyara: successfully loaded YARA.blackhole2_htm10
LibClamAV debug: load_oneyara: successfully loaded YARA.blackhole2_htm11
LibClamAV debug: load_oneyara: successfully loaded YARA.blackhole2_htm12
LibClamAV debug: load_oneyara: successfully loaded YARA.blackhole2_htm3
LibClamAV debug: load_oneyara: successfully loaded YARA.blackhole2_htm4
LibClamAV debug: load_oneyara: successfully loaded YARA.blackhole2_htm5
LibClamAV debug: load_oneyara: successfully loaded YARA.blackhole2_htm6
LibClamAV debug: load_oneyara: successfully loaded YARA.blackhole2_htm8
LibClamAV debug: cli_loadyara: loaded 16 of 16 yara signatures from /var/lib/clamav/EK_Blackhole.yar
LibClamAV debug: load_oneyara: successfully loaded YARA.bleedinglife2_adobe_2010_1297_exploit
LibClamAV debug: load_oneyara: successfully loaded YARA.bleedinglife2_adobe_2010_2884_exploit
LibClamAV debug: load_oneyara: successfully loaded YARA.bleedinglife2_jar2
LibClamAV debug: load_oneyara: successfully loaded YARA.bleedinglife2_java_2010_0842_exploit
LibClamAV debug: cli_loadyara: loaded 4 of 4 yara signatures from /var/lib/clamav/EK_BleedingLife.yar
LibClamAV debug: load_oneyara: successfully loaded YARA.crimepack_jar
LibClamAV debug: load_oneyara: successfully loaded YARA.crimepack_jar3
LibClamAV debug: cli_loadyara: loaded 2 of 2 yara signatures from /var/lib/clamav/EK_Crimepack.yar
LibClamAV debug: load_oneyara: successfully loaded YARA.eleonore_jar
LibClamAV debug: load_oneyara: successfully loaded YARA.eleonore_jar2
LibClamAV debug: load_oneyara: successfully loaded YARA.eleonore_jar3
LibClamAV debug: load_oneyara: successfully loaded YARA.eleonore_js
LibClamAV debug: load_oneyara: successfully loaded YARA.eleonore_js2
LibClamAV debug: load_oneyara: successfully loaded YARA.eleonore_js3
LibClamAV debug: cli_loadyara: loaded 6 of 6 yara signatures from /var/lib/clamav/EK_Eleonore.yar
LibClamAV debug: load_oneyara: successfully loaded YARA.fragus_htm
LibClamAV debug: load_oneyara: successfully loaded YARA.fragus_js
LibClamAV debug: load_oneyara: successfully loaded YARA.fragus_js2
LibClamAV debug: load_oneyara: successfully loaded YARA.fragus_js_flash
LibClamAV debug: load_oneyara: successfully loaded YARA.fragus_js_java
LibClamAV debug: load_oneyara: successfully loaded YARA.fragus_js_quicktime
LibClamAV debug: load_oneyara: successfully loaded YARA.fragus_js_vml
LibClamAV debug: cli_loadyara: loaded 7 of 7 yara signatures from /var/lib/clamav/EK_Fragus.yar
LibClamAV debug: load_oneyara: successfully loaded YARA.phoenix_html
LibClamAV debug: load_oneyara: successfully loaded YARA.phoenix_html10
LibClamAV debug: load_oneyara: successfully loaded YARA.phoenix_html11
LibClamAV debug: load_oneyara: successfully loaded YARA.phoenix_html2
LibClamAV debug: load_oneyara: successfully loaded YARA.phoenix_html3
LibClamAV debug: load_oneyara: successfully loaded YARA.phoenix_html4
LibClamAV debug: load_oneyara: successfully loaded YARA.phoenix_html5
LibClamAV debug: load_oneyara: successfully loaded YARA.phoenix_html6
LibClamAV debug: load_oneyara: successfully loaded YARA.phoenix_html7
LibClamAV debug: load_oneyara: successfully loaded YARA.phoenix_html8
LibClamAV debug: load_oneyara: successfully loaded YARA.phoenix_html9
LibClamAV debug: load_oneyara: successfully loaded YARA.phoenix_jar
LibClamAV debug: load_oneyara: successfully loaded YARA.phoenix_jar2
LibClamAV debug: load_oneyara: successfully loaded YARA.phoenix_jar3
LibClamAV debug: load_oneyara: successfully loaded YARA.phoenix_pdf
LibClamAV debug: load_oneyara: successfully loaded YARA.phoenix_pdf2
LibClamAV debug: load_oneyara: successfully loaded YARA.phoenix_pdf3
LibClamAV debug: cli_loadyara: loaded 17 of 17 yara signatures from /var/lib/clamav/EK_Phoenix.yar
LibClamAV debug: load_oneyara: successfully loaded YARA.sakura_jar
LibClamAV debug: load_oneyara: successfully loaded YARA.sakura_jar2
LibClamAV debug: cli_loadyara: loaded 2 of 2 yara signatures from /var/lib/clamav/EK_Sakura.yar
LibClamAV debug: load_oneyara: successfully loaded YARA.zeroaccess_css
LibClamAV debug: load_oneyara: successfully loaded YARA.zeroaccess_css2
LibClamAV debug: load_oneyara: successfully loaded YARA.zeroaccess_htm
LibClamAV debug: load_oneyara: successfully loaded YARA.zeroaccess_js
LibClamAV debug: load_oneyara: successfully loaded YARA.zeroaccess_js2
LibClamAV debug: load_oneyara: successfully loaded YARA.zeroaccess_js3
LibClamAV debug: load_oneyara: successfully loaded YARA.zeroaccess_js4
LibClamAV debug: cli_loadyara: loaded 7 of 7 yara signatures from /var/lib/clamav/EK_ZeroAcces.yar
LibClamAV debug: load_oneyara: successfully loaded YARA.zerox88_js2
LibClamAV debug: load_oneyara: successfully loaded YARA.zerox88_js3
LibClamAV debug: cli_loadyara: loaded 2 of 2 yara signatures from /var/lib/clamav/EK_Zerox88.yar
LibClamAV debug: load_oneyara: successfully loaded YARA.zeus_js
LibClamAV debug: cli_loadyara: loaded 1 of 1 yara signatures from /var/lib/clamav/EK_Zeus.yar
LibClamAV debug: load_oneyara: successfully loaded YARA.Sanesecurity_TestSig_Type4_Hdr_2
LibClamAV debug: load_oneyara: successfully loaded YARA.Sanesecurity_TestSig_Type3_Bdy_4
LibClamAV debug: load_oneyara: successfully loaded YARA.Sanesecurity_TestSig_Type4_Bdy_3
LibClamAV debug: load_oneyara: successfully loaded YARA.Sanesecurity_PhishingTestSig_1
LibClamAV debug: cli_loadyara: loaded 4 of 4 yara signatures from /var/lib/clamav/Sanesecurity_sigtest.yara
LibClamAV debug: /var/lib/clamav/Sanesecurity_sigtest.yara loaded
LibClamAV debug: load_oneyara: successfully loaded YARA.Sanesecurity_Spam_test
LibClamAV debug: load_oneyara: successfully loaded YARA.Sanesecurity_Spam_pornspam
LibClamAV debug: cli_loadyara: loaded 2 of 2 yara signatures from /var/lib/clamav/Sanesecurity_spam.yara
LibClamAV debug: /var/lib/clamav/Sanesecurity_spam.yara loaded
LibClamAV debug: load_oneyara: successfully loaded YARA.OITC_pdf_with_emb_docm
LibClamAV debug: load_oneyara: successfully loaded YARA.INDICATOR_IMPLANT_Loader
LibClamAV debug: load_oneyara: successfully loaded YARA.INDICATOR_Implant_Loader2
LibClamAV debug: load_oneyara: generic string: [File {0} has been uploaded in {1}] => [46696c65207b307d20686173206265656e2075706c6f6164656420696e207b317d]
LibClamAV debug: load_oneyara: successfully loaded YARA.IMPLANT2_3
LibClamAV debug: load_oneyara: successfully loaded YARA.CryptoWall_Resume_phish
LibClamAV debug: load_oneyara: successfully loaded YARA.java_JSocket_20151217
LibClamAV debug: load_oneyara: successfully loaded YARA.detect_powershell_precursor_downloader
LibClamAV debug: load_oneyara: successfully loaded YARA.kmon_cred_phish
LibClamAV debug: load_oneyara: successfully loaded YARA.rtf_phishing_script_lines
LibClamAV debug: cli_loadyara: loaded 9 of 9 yara signatures from /var/lib/clamav/winnow_malware.yara
LibClamAV debug: /var/lib/clamav/winnow_malware.yara loaded

Sincerely,

Eric Tykwinski
TrueNet, Inc.
P: 610-429-8300

From: clamav-users [mailto:clamav-users-bounces at lists.clamav.net] On Behalf Of Micah Snyder (micasnyd)
Sent: Tuesday, July 31, 2018 8:51 AM
To: steveb_clamav at sanesecurity.com; ClamAV users ML
Subject: Re: [clamav-users] After 0.100.1 Update, clamd crashes

Thanks for the analysis, Steve. That is a step towards understanding how to fix it.

I don't believe it's a new bug in 0.100, but was merely revealed due to legitimate improvements in the yara sig loading behavior.

Copypaste'd from my comments in the ticket you linked:

> In 0.99.x some of the rules failed entirely, so the entire database was dropped. In 0.100, some of the rules failed, but it now allows it to partially load the ones that didn't outright fail. However, there appears to be a bug wherein at least one that is getting loaded is causing a crash.

It wouldn't be a good fix to go back and change so it drops the whole ruleset because one failed to load. The correct fix would be to detect signature features that aren't supported before we attempt to load them so we can drop them.

I welcome any additional research from the community to help find a fix for this. We have a lot on our plates, and don't have any time dedicated to fix this one ourselves for 0.101.

Regards,

Micah

Micah Snyder
ClamAV Development
Talos
Cisco Systems, Inc.
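The point Micah makes above is that 0.100 now keeps the rules in a .yar/.yara file that did load even when some sibling rules in the same file failed, so a file that reports "loaded N of M" with N < M is exactly where to start looking. Eric's `grep "loaded"` output from `clamscan --debug` carries that information in the `cli_loadyara` summary lines, but with dozens of files it is easy to miss one. The script below is an added example, written for this page and not code from ClamAV or from either poster: it parses `clamscan --debug` output in the line formats quoted in this thread, groups each file's per-rule `load_oneyara` lines under its `cli_loadyara` summary, and flags files that loaded only partially. The sample log embedded in the script is constructed; in particular the `example_partial.yara` file and its `example_rule_*` names are invented to show a partial load (every file in Eric's real output loaded N of N).

```python
import re
from dataclasses import dataclass, field

# Constructed sample of `clamscan --debug` output in the format quoted in
# the thread. The example_partial.yara entry is invented to exercise the
# partial-load case; the other two lines are shaped like Eric's real ones.
SAMPLE_DEBUG = """\
LibClamAV debug: load_oneyara: successfully loaded YARA.angler_flash
LibClamAV debug: load_oneyara: successfully loaded YARA.angler_js
LibClamAV debug: cli_loadyara: loaded 2 of 2 yara signatures from /var/lib/clamav/EK_Angler.yar
LibClamAV debug: load_oneyara: successfully loaded YARA.example_rule_a
LibClamAV debug: load_oneyara: successfully loaded YARA.example_rule_b
LibClamAV debug: load_oneyara: successfully loaded YARA.example_rule_c
LibClamAV debug: cli_loadyara: loaded 3 of 4 yara signatures from /var/lib/clamav/example_partial.yara
LibClamAV debug: load_oneyara: successfully loaded YARA.Sanesecurity_Spam_test
LibClamAV debug: cli_loadyara: loaded 1 of 1 yara signatures from /var/lib/clamav/Sanesecurity_spam.yara
"""

# Per-rule success line and per-file summary line, as they appear in the thread.
RULE_RE = re.compile(r"load_oneyara: successfully loaded (YARA\.\S+)")
FILE_RE = re.compile(r"cli_loadyara: loaded (\d+) of (\d+) yara signatures from (\S+)")


@dataclass
class YaraFileLoad:
    path: str
    loaded: int
    total: int
    rules: list = field(default_factory=list)  # rule names that did load

    @property
    def partial(self) -> bool:
        # True when libclamav kept some rules but dropped others from this file.
        return self.loaded < self.total


def parse_yara_loads(debug_output: str) -> list:
    """Group load_oneyara lines under the cli_loadyara summary that follows them.

    libclamav prints the per-rule lines for a file first and the file summary
    last, so rule lines are buffered until a summary line closes the group.
    """
    results = []
    pending = []
    for line in debug_output.splitlines():
        m = RULE_RE.search(line)
        if m:
            pending.append(m.group(1))
            continue
        m = FILE_RE.search(line)
        if m:
            loaded, total, path = int(m.group(1)), int(m.group(2)), m.group(3)
            results.append(YaraFileLoad(path, loaded, total, pending))
            pending = []  # start a fresh buffer; the old list now belongs to the record
    return results


def partial_loads(debug_output: str) -> list:
    """Files where at least one rule was rejected but the rest were kept."""
    return [f for f in parse_yara_loads(debug_output) if f.partial]


if __name__ == "__main__":
    # Typical use: clamscan --debug /dev/null 2>&1 | python3 this_script.py
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DEBUG
    for f in parse_yara_loads(text):
        flag = "PARTIAL" if f.partial else "ok"
        print(f"{flag:8} {f.loaded}/{f.total}  {f.path}")
        if f.partial:
            for rule in f.rules:
                print(f"           kept: {rule}")
```

Each file flagged PARTIAL is a candidate for bisecting: move it out of the database directory, restart clamd, and see whether the crash persists, then narrow down within the file by commenting out rules. The script only reports what the debug log states about load counts; it does not say which rule crashes, since nothing on this page identifies it.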
