[clamav-users] Clamd crashes frequently - macOS Catalina

Mark Allan markjallan at gmail.com
Thu May 7 13:50:14 UTC 2020


Hi Micah,

Curiously it only seems to affect clamd/clamdscan. The standalone clamscan doesn't appear to be affected, which means it took quite a while to track down the file which causes the crash.

The signature in question is Email.Exploit.Efail-6641027-1

The file triggering the crash for me is 'actionmailer-2.2.2.gem', a gem within the Ruby framework on Mac OS X 10.6.8:

	/System/Library/Frameworks/Ruby.framework/Versions/1.8/usr/lib/ruby/gems/1.8/cache/actionmailer-2.2.2.gem

	SHA-256	164de36ca0e858ccc9bd3e33ae1ee3d3bb9f964f7d941621b3bec725945af5fe

I've uploaded it to VirusTotal.

For what it's worth, I was wrong about the version of lib-pcre that we're using. Our current build runs with pcre2 (10.32), but our test machine in question was using an older version of ClamAV (0.100.1) which was compiled with pcre 8.41.

Still quite surprising that a signature can bring down clamd though.

Hope the above is useful.

Best regards
Mark 

> On 5 May 2020, at 6:28 pm, Micah Snyder (micasnyd) <micasnyd at cisco.com> wrote:
> 
> Mark,
>  
> It probably won’t make much difference, though there is a possible slow scan time issue in pcre2 10.32 for case-insensitive patterns.
>  
> If you have a sample and signature that cause the issue, I’d love a copy so I can investigate further.
>  
> -Micah
>  
> From: Mark Allan <markjallan at gmail.com>
> Date: Tuesday, May 5, 2020 at 5:20 AM
> To: ClamAV users ML <clamav-users at lists.clamav.net>, Micah Snyder (micasnyd) <micasnyd at cisco.com>
> Subject: Re: [clamav-users] Clamd crashes frequently - macOS Catalina
> 
> Hi Micah, 
>  
> Al is correct, we're using 10.32. I see 10.34 is now available, so I'll compile against that when I get a chance and see if it makes any difference.
>  
> Mark
> 
> 
> On 5 May 2020, at 6:25 am, Al Varnell via clamav-users <clamav-users at lists.clamav.net> wrote:
>  
> Micah,
>  
> Looks to be 10.32, but Mark should be along shortly to confirm.
>  
> -Al-
> 
> 
> On May 4, 2020, at 13:23, Micah Snyder (micasnyd) via clamav-users <clamav-users at lists.clamav.net> wrote:
>  
> Hi Mark, 
>  
> Which pcre2 version are you using?
>  
> Regards,
> Micah
>  
> From: clamav-users <clamav-users-bounces at lists.clamav.net>
> Date: Saturday, May 2, 2020 at 5:50 PM
> To: ClamAV users ML <clamav-users at lists.clamav.net>
> Cc: Mark Allan <markjallan at gmail.com>
> Subject: Re: [clamav-users] Clamd crashes frequently - macOS Catalina
> 
> Hi James,
>  
> Glad that seems to have helped.
>  
> Al and others are correct that the distro should be updated to use pcre2, but I'm not convinced that's the root of the problem. We're seeing the issue with that signature despite already using pcre2 in our build.
>  
> Mark
> 
> 
> 
> On 2 May 2020, at 3:45 am, Al Varnell via clamav-users <clamav-users at lists.clamav.net> wrote:
>  
> Although I completely support what Mark has recommended, I would caution that there could easily be a future signature that will cause this same issue if the root cause of not upgrading to pcre2 is not accomplished, and figuring out what signature that is won't be easy.
> 
> Sent from my iPad
>  
> -Al-
> 
> 
> 
> On May 1, 2020, at 18:38, James Brown via clamav-users <clamav-users at lists.clamav.net> wrote:
> 
> On 1 May 2020, at 8:31 pm, Mark Allan via clamav-users <clamav-users at lists.clamav.net> wrote:
>  
> Try excluding Email.Exploit.Efail-6641027-1 from the main ClamAV set.
>  
> Thanks Mark. After over 12 hours clamd is still up and running. Looks like that sig was causing the problem.
>  
> James.
> 
> _______________________________________________
> 
> clamav-users mailing list
> clamav-users at lists.clamav.net
> https://lists.clamav.net/mailman/listinfo/clamav-users
> 
> 
> Help us build a comprehensive ClamAV guide:
> https://github.com/vrtadmin/clamav-faq
> 
> http://www.clamav.net/contact.html#ml
> 
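The workaround used in this thread (excluding one signature name while the crash is investigated) and the sample hash Mark posted can both be scripted. The following is an added example written for this page; it is not code from the thread or from the ClamAV project. ClamAV skips any signature whose name appears, one per line, in a `*.ign2` file inside its database directory; the file name `local.ign2` and the database directory paths in the usage comments are assumptions, and the signature name and SHA-256 are the ones quoted in the thread.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread or the ClamAV project.
# 1) write_ignore_file: add one signature name to a .ign2 ignore file so clamd
#    skips it after a database reload (the file name "local.ign2" is assumed).
# 2) check_sample_hash: confirm a suspect file's SHA-256 matches a published
#    digest before uploading or reporting it.

SIG_NAME="Email.Exploit.Efail-6641027-1"   # signature named in the thread
# SHA-256 of actionmailer-2.2.2.gem as posted in the thread
SAMPLE_SHA256="164de36ca0e858ccc9bd3e33ae1ee3d3bb9f964f7d941621b3bec725945af5fe"

# write_ignore_file DIR SIGNAME
# Appends SIGNAME to DIR/local.ign2 unless it is already listed, then prints
# the path of the ignore file. Idempotent, so it is safe to re-run.
write_ignore_file() {
    dir="$1"; sig="$2"; f="$dir/local.ign2"
    mkdir -p "$dir"
    touch "$f"
    if ! grep -qxF "$sig" "$f"; then
        printf '%s\n' "$sig" >> "$f"
    fi
    printf '%s\n' "$f"
}

# sha256_of FILE
# Prints the hex digest using sha256sum (Linux) or shasum -a 256 (macOS).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# check_sample_hash FILE EXPECTED_HEX
# Returns 0 when FILE's SHA-256 equals EXPECTED_HEX, 1 otherwise.
check_sample_hash() {
    actual=$(sha256_of "$1")
    [ "$actual" = "$2" ]
}

# Usage (paths are placeholders; adjust to your installation):
#   write_ignore_file /var/lib/clamav "$SIG_NAME"
#   clamdscan --reload      # ask clamd to re-read its database directory
#   check_sample_hash /path/to/actionmailer-2.2.2.gem "$SAMPLE_SHA256" \
#       && echo "sample matches the digest from the thread"
```

An ignore file only hides the symptom; as Al notes above, the next signature using a similar pattern can trigger the same failure, so the entry should be removed once a fixed build or signature is available.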
