[clamav-users] LibClamAV Error

G.W. Haywood clamav at jubileegroup.co.uk
Sun Dec 13 11:41:07 UTC 2020


Hi there,

On Sun, 13 Dec 2020, Aitor Serra Martín wrote:

> I'm getting this error all the time with complete scans:
>
> LibClamAV Error: [scan_biff_for_xlm_macros] Unexpected state value 4
> ...
> NAME="CloudLinux"
> ...

This message is emitted by the function scan_biff_for_xlm_macros() in
.../libclamav/ole2_extract.c when ClamAV has trouble parsing the data
that it's given.  It should theoretically never happen but perhaps the
things that you're scanning are confusing ClamAV.  I haven't spent a
lot of time reading the code in that area because I very rarely have
any interest in Microsoft stuff, so some of this is guesswork, but if
you scan large amounts of more or less random binary data for things
like Microsoft Office macros then you can expect sometimes to see odd
results.  There may be cases where badly formed (perhaps malicious)
data will confuse ClamAV's parsers - whether MS Office macros or not.
To some extent this is inevitable, and a message like this might be a
warning flag about a clever attack, or more likely it might be noise.

> Any idea about how to fix it?

It isn't clear to me that this is broken, but it might be.  To decide
if anything needs to be done, more information is needed.  I do not
know what you mean by "all the time with complete scans", please be
more specific.  Could we please also have the following:

(a) your version of ClamAV,
(b) how and when it was installed,
(c) exactly which databases you are using,
(d) how you are keeping the databases up to date,
(e) how long you have been using ClamAV and
(f) whether or not it otherwise behaves as you would expect,
(g) your ClamAV configuration - the output of 'clamconf -n',
(h) exactly what you are scanning - sample(s) which give the error,
(i) exactly how you are scanning it - let us see the command line(s) and/or script.

-- 

73,
Ged.
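
The following is an added example, not part of the original message or of ClamAV itself: a shell script that gathers items (a), (g) and (h) from the list above by scanning each file separately and recording which ones produce the scan_biff_for_xlm_macros message. The SCANNER and CLAMCONF variables and the function names are assumptions of this example; 'clamscan --no-summary', 'clamscan --version' and 'clamconf -n' are the only ClamAV commands it uses.

```shell
#!/bin/sh
# Added example: narrow a full scan down to the individual files that
# produce the scan_biff_for_xlm_macros message.
# SCANNER and CLAMCONF are hypothetical variables of this script (not
# ClamAV settings) so the commands can be swapped, e.g. for a stub.
SCANNER="${SCANNER:-clamscan}"
CLAMCONF="${CLAMCONF:-clamconf}"
PATTERN='LibClamAV Error: \[scan_biff_for_xlm_macros\] Unexpected state value'

# Print "<sha256>  <path>" for every file under $1 whose individual scan
# emits the message. One scanner run per file is slow (the databases are
# loaded every time), so point this at the smallest directory that still
# reproduces the error. File names containing newlines are not handled.
find_triggering_files() {
    find "$1" -type f | sort | while IFS= read -r f; do
        # Capture stdout and stderr together so the message is seen
        # wherever the scanner writes it; keep the loop's stdin intact.
        if "$SCANNER" --no-summary "$f" </dev/null 2>&1 | grep -Eq "$PATTERN"; then
            sha256sum "$f"
        fi
    done
}

# Assemble a plain-text report to paste into a reply to the list.
build_report() {
    echo "== (a) version =="
    "$SCANNER" --version
    echo "== (g) clamconf -n =="
    "$CLAMCONF" -n
    echo "== (h) files that trigger the message =="
    find_triggering_files "$1"
}

# Usage: sh this-script.sh /path/to/scan
if [ "$#" -ge 1 ]; then
    build_report "$1"
fi
```
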

