[clamav-users] Clamscan crash on Mac OS X - yara rules

Micah Snyder (micasnyd) micasnyd at cisco.com
Thu May 17 09:00:17 EDT 2018


Yes, please attach to https://bugzilla.clamav.net/show_bug.cgi?id=12077 and we'll take a look.

Unfortunately ClamAV yara support isn't as comprehensive as the full yara language definition.  There's no guarantee that legitimate yara rules for other applications will work with ClamAV without testing of each rule.  We have plans to improve the yara support, but I'm unsure if / when full yara support could be implemented.


Micah Snyder
ClamAV Development
Talos
Cisco Systems, Inc.


On May 17, 2018, at 1:27 AM, Al Varnell via clamav-users <clamav-users at lists.clamav.net> wrote:


From: Al Varnell <alvarnell at mac.com>
Subject: Re: [clamav-users] Clamscan crash on Mac OS X - yara rules
Date: May 17, 2018 at 1:27:03 AM EDT
To: ClamAV users ML <clamav-users at lists.clamav.net>


You almost certainly need to attach it to a ticket at <https://bugzilla.clamav.net/>. I don't see how anybody would be able to make sense of a partial crash report.

That being said, it's almost certainly the result of a misconfigured yara rule, so they will need to see that, as well, if you have the time to narrow it down to a single list. I know there is already an open ticket on a previous rule from an UNOFFICIAL definition list.

-Al-
ClamXAV User

On Wed, May 16, 2018 at 07:08 PM, James Brown via clamav-users wrote:


Application Specific Information:
Assertion failed: (sp == 0), function yr_execute_code, file yara_exec.c, line 177.

Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0   libsystem_kernel.dylib         0x00007fff9895d82a __kill + 10
1   libsystem_c.dylib              0x00007fff92ed6a9c abort + 177
2   libsystem_c.dylib              0x00007fff92f095de __assert_rtn + 146
3   libclamav.7.dylib              0x000000010eaa61ee yr_execute_code + 4638 (yara_exec.c:177)
4   libclamav.7.dylib              0x000000010e9c7560 cli_exp_eval + 928 (matcher.c:817)
5   libclamav.7.dylib              0x000000010e9c8bbc cli_fmap_scandesc + 3900 (matcher.c:1220)
6   libclamav.7.dylib              0x000000010e9de079 cli_scanraw + 153 (scanners.c:2424)
7   libclamav.7.dylib              0x000000010e9ddb4d magic_scandesc + 10333 (scanners.c:3469)
8   libclamav.7.dylib              0x000000010e9e000d cli_base_scandesc + 365 (scanners.c:3616)
9   libclamav.7.dylib              0x000000010e9e05df scan_common + 671 (scanners.c:4016)
10  libclamav.7.dylib              0x000000010e9e06b2 cl_scandesc_callback + 34 (scanners.c:4030)
11  clamscan                       0x000000010e9a1a95 scanfile + 741 (manager.c:392)
12  clamscan                       0x000000010e9a12a1 scanmanager + 5729 (manager.c:1166)
13  clamscan                       0x000000010e99f968 main + 680 (clamscan.c:161)
14  clamscan                       0x000000010e99aff4 start + 52

Let me know if there’s an email address I can send the full crash logs to if that would help.

Thanks,

James.


_______________________________________________
clamav-users mailing list
clamav-users at lists.clamav.net
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
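
The narrowing-down step suggested in the thread (finding the single rule list behind the `yr_execute_code` assertion) can be scripted. This is an added example, not part of the original messages and not ClamAV tooling; the function name `find_crashing_rules` and the `SCANNER` variable are hypothetical, and it assumes the YARA rule files in the database directory end in `.yar` or `.yara`.

```shell
#!/bin/sh
# Added example: load each YARA rule file on its own and report the ones
# that make the scanner die on a given sample file.
# Usage: sh find_rules.sh /path/to/database/dir /path/to/sample

# Scanner binary; overridable so a different build can be tested (assumption).
SCANNER="${SCANNER:-clamscan}"

# find_crashing_rules DB_DIR SAMPLE
# Prints the path of every rule file whose scan was killed by a signal.
# Returns 0 if at least one such file was found, 1 otherwise.
find_crashing_rules() {
    db_dir=$1
    sample=$2
    found=1
    for rules in "$db_dir"/*.yar "$db_dir"/*.yara; do
        [ -f "$rules" ] || continue     # skip a glob that matched nothing
        rc=0
        # -d loads only this file as the signature database.
        "$SCANNER" --no-summary -d "$rules" "$sample" >/dev/null 2>&1 || rc=$?
        # clamscan exit codes: 0 = clean, 1 = detection, 2 = error.
        # A status above 128 means the process was killed by a signal;
        # a failed assert() calls abort(), i.e. SIGABRT, seen as 128 + 6 = 134.
        if [ "$rc" -gt 128 ]; then
            echo "$rules"
            found=0
        fi
    done
    return "$found"
}

# Run only when both arguments are supplied on the command line.
if [ "$#" -eq 2 ]; then
    find_crashing_rules "$1" "$2"
fi
```

Each path printed is a rule file to attach to the bug report together with the sample and the full crash log.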



