[clamav-users] human friendly signatures

Kris Deugau kdeugau at vianet.ca
Mon Mar 21 16:24:07 UTC 2022


G.W. Haywood via clamav-users wrote:
> Hi there,
> 
> On Mon, 21 Mar 2022, Kris Deugau wrote:
> 
>> TBH I'd prefer if Clam *did* continue, just skipping malformed rules
>> (and also whinging loudly in the log).
> 
> I could live with that if it didn't *also* crash.
> 
>> Either would be better than just exiting (it's not a hard *crash*,
>> it's "just" refusing to load a file with a malformed signature -
>> including things like entirely blank lines).
> 
> No, Kris.  It *is* a hard crash - and it doesn't happen when it loads
> the rules, it happens when it tries to scan something *after* loading
> a Yara file which contains a bad rule.  Not necessarily any bad rule,
> just one with any of a number of different kinds of badness which I've
> found to be problematic.  But as I said in my mail things may well be
> different as a result of Micah's August PR.  TBH I really haven't been
> inclined for quite some time to crash clamd on purpose. :)

Sorry, didn't see that, figured you were talking about the joy of 
finding all those subtle little rules defining a well-formed signature. 
To date I haven't managed to trip whatever bug(s) bit you, although I 
*have* found relatively simple signatures that should have matched but 
didn't.

I *have* pushed out "malformed" "signatures" (AKA "signature files with 
a blank line or two at the end") that caused the production clamd 
instances to shut down...  after which I spent some time adding 
validation to the SVN commit hook, and writing a local editing wrapper 
to help make sure signatures were valid before committing.

-kgd
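
One way a commit-time check like the one described in this message could look, as an added example (not the poster's actual hook or editing wrapper): it flags blank and whitespace-only lines and, when `clamscan` is installed, asks ClamAV itself to trial-load the file. The function names, the extension list and the sample signature line are assumptions made for illustration.

```python
import os, shutil, subprocess, tempfile

SIG_EXTS = (".ndb", ".hdb", ".ldb", ".yar")  # assumed set of local signature file types

def lint_blank_lines(text):
    """Return [(line_number, problem)] for blank or whitespace-only lines."""
    lines = text.split("\n")
    if lines[-1] == "":          # the final newline itself is not a blank line
        lines.pop()
    content = [i for i, l in enumerate(lines, 1) if l.strip()]
    last = content[-1] if content else 0
    return [(i, "blank line at end of file" if i > last else "blank line")
            for i, l in enumerate(lines, 1) if not l.strip()]

def trial_load(text, ext, clamscan="clamscan"):
    """Ask ClamAV itself: True/False, or None when clamscan is not installed."""
    exe = shutil.which(clamscan)
    if exe is None:
        return None
    with tempfile.TemporaryDirectory() as tmp:
        db = os.path.join(tmp, "candidate" + ext)   # format is chosen by extension
        target = os.path.join(tmp, "empty.bin")     # harmless file to scan
        with open(db, "w", newline="") as fh:
            fh.write(text)
        open(target, "w").close()
        rc = subprocess.run([exe, "--no-summary", "-d", db, target],
                            stdout=subprocess.DEVNULL,
                            stderr=subprocess.DEVNULL).returncode
    return rc != 2   # clamscan exits 2 on errors, including a database it cannot load

def check_commit(files, use_clamscan=True):
    """files: {path: text}. Return a list of error strings; empty means accept."""
    errors = []
    for path, text in sorted(files.items()):
        ext = os.path.splitext(path)[1].lower()
        if ext not in SIG_EXTS:
            continue
        errors += [f"{path}:{n}: {why}" for n, why in lint_blank_lines(text)]
        if use_clamscan and trial_load(text, ext) is False:
            errors.append(f"{path}: clamscan could not load this file")
    return errors

if __name__ == "__main__":
    # Constructed sample: one signature line followed by a stray blank line.
    sample = {"local/test.ndb": "Constructed.Sig.A:0:*:41424344\n\n"}
    print(check_commit(sample))
```

In an SVN pre-commit hook the `files` mapping would be filled from the pending transaction (for example with `svnlook cat -t`), and a non-empty result would reject the commit.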

