[clamav-users] Malformed pattern daily.ldb version 25410

David Raynor draynor at sourcefire.com
Fri Apr 5 16:16:42 UTC 2019


I can recreate that same issue with daily cvd 25410, using ClamAV 0.100.1.
That was the first 0.100.X I had handy to do a quick test.
The problem is something specific to sigtool and only the list-sigs
feature. It does not affect clamscan or clamd, and does not affect the
--find-sigs option of sigtool.
We do ongoing signature load testing with several different versions of
ClamAV, but focus on scan testing.

It does still happen with the latest release so I'll talk with the team
about opening this as a bug.

Thanks for the report.

Dave R.

On Fri, Apr 5, 2019 at 11:12 AM David Shrimpton via clamav-users <
clamav-users at lists.clamav.net> wrote:

> I can reproduce the Malformed pattern problem with a file with just the
> one signature:
>
> Xls.Downloader.Powload-6923120-0     which is an even longer one.
>
> This is 4 signatures before Doc.Trojan.Agent-6923124-0 in daily.ldb
>
> sigtool reports the wrong line numbering, e.g. with a file with just
> Xls.Downloader.Powload-6923120-0 it reports
> the problem as being on line 2. It seems to be 4 lines out when reporting
> on the whole daily.ldb
>
> again sigtool --find Xls.Downloader.Powload-6923120-0  | sigtool
> --decode-sigs
>
> doesn't show a problem.
>
> clamscan --debug -d file_with_just_the_sig_above.ldb somefile
> doesn't show a problem.
>
> Xls.Downloader.Powload-6923120-0 turned up in daily 25410 which was when
> the problem started
>
> Maybe sigtool --list can't handle long signatures in ClamAV 0.100.2
>
> There does seem a pointlessness to signatures based upon exact variable
> names etc. that are obfuscated
> and likely will vary with each sample. A regex signature to get any
> variable name would be better.
>
>
> David Shrimpton
>
> ________________________________________
> From: clamav-users <clamav-users-bounces at lists.clamav.net> on behalf of
> Arnaud Jacques <webmaster at securiteinfo.com>
> Sent: Saturday, April 6, 2019 12:27 AM
> To: clamav-users at lists.clamav.net
> Subject: Re: [clamav-users] Malformed pattern daily.ldb version 25410
>
> Hello,
>
> > sigtool --find-sigs Doc.Trojan.Agent-6923124-0 | sigtool --decode-sigs
> I don't understand why this signature is so long, and why it is based on
> always changing variables.
>


-- 
---
Dave Raynor
Talos Security Intelligence and Research Group
draynor at sourcefire.com
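To reproduce the kind of bisection described in the thread (one signature in its own .ldb file, with the real line number rather than sigtool's offset one), here is a small triage helper. It is an added example, not code from this list thread or from ClamAV; it assumes the documented .ldb line layout `Name;TargetDescriptionBlock;LogicalExpression;Subsig0;Subsig1;...` and uses constructed, hypothetical signatures rather than anything from daily.ldb.

```python
import re

# Constructed sample .ldb (hypothetical signatures, not ClamAV's daily.ldb).
# Line layout: Name;TargetDescriptionBlock;LogicalExpression;Subsig0;Subsig1;...
SAMPLE_LDB = "\n".join([
    "Test.Short-1;Engine:51-255,Target:0;0&1;6d616c776172;63616c6c",
    # logic references subsig 2, but only subsigs 0 and 1 exist
    "Test.Missing-2;Engine:51-255,Target:0;0&1&2;6d616c;77617265",
    # a deliberately long signature: 40 hex subsigs all AND-ed together
    "Test.Long-3;Engine:51-255,Target:2;" + "&".join(str(i) for i in range(40))
    + ";" + ";".join("7661726961626c65%02x" % i for i in range(40)),
])

def parse_ldb(text):
    """Yield (line_no, name, fields) with real 1-based line numbers, skipping blanks/comments."""
    for line_no, line in enumerate(text.splitlines(), start=1):
        if line.strip() and not line.startswith("#"):
            fields = line.rstrip("\r").split(";")
            yield line_no, fields[0], fields

def check_ldb(text, max_len=1024):
    """Return (line_no, name, problem) findings; line numbers refer to the actual file."""
    findings = []
    for line_no, name, fields in parse_ldb(text):
        if len(fields) < 4:
            findings.append((line_no, name, "fewer than 4 ';' fields"))
            continue
        logic, subsigs = fields[2], fields[3:]
        # Digits not preceded by <, >, =, ',' or another digit are subsig indices;
        # digits after those characters are match counts, as in (0|1)>2.
        refs = {int(n) for n in re.findall(r"(?<![<>=,\d])\d+", logic)}
        missing = sorted(i for i in refs if i >= len(subsigs))
        if missing:
            findings.append((line_no, name, "logic references missing subsig(s) %s" % missing))
        if any(not s for s in subsigs):
            findings.append((line_no, name, "empty subsignature"))
        total = sum(len(f) for f in fields) + len(fields) - 1   # bytes on the line
        if total > max_len:
            findings.append((line_no, name, "signature is %d bytes long (> %d)" % (total, max_len)))
    return findings

def extract(text, name):
    """Return (line_no, one-signature .ldb text) for a named signature, or (None, None)."""
    for line_no, sig_name, fields in parse_ldb(text):
        if sig_name == name:
            return line_no, ";".join(fields) + "\n"
    return None, None

if __name__ == "__main__":
    for line_no, name, problem in check_ldb(SAMPLE_LDB, max_len=512):
        print("line %d %s: %s" % (line_no, name, problem))
```

The text returned by `extract` can be written to a file and loaded with `clamscan -d` or `sigtool --list-sigs` on its own, which is the single-signature test the reporter used.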