-
-
Notifications
You must be signed in to change notification settings - Fork 117
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
antidebug_antivm.yar & EMAIL_Cryptowall.yar crashes ClamAV 0.100 on Solaris #203
Comments
It is the same on Linux (Slackware). |
same on Arch linux - clamd fails with Since clamav 0.100 (which I updated today) |
Same on debian 8 after last update (0.99 -> 0.100). |
can confirm for Debian Jessie. libclamav7:amd64 (0.99.2+dfsg-0+deb8u3, 0.100.0+dfsg-0+deb8u1) syslog: Jun 25 19:12:57 mail amavis[3777]: (03777-16) (!)ClamAV-clamd: Empty result from /var/run/clamav/clamd.ctl, retrying (2) |
downgraded to 0.99.2+dfsg-0+deb8u3 and apt-mark hold clamav-freshclam clamav-base clamav clamav-daemon issue currently worked-around. |
It seems that it is enough to disable yara rules, and keep the fresh clamav version: |
Is this project still alive ? How could we fix the problem with yara rules ? |
Hi, |
same problem here, (14-456 smtpout03) smtpout-03 ~ # rpm -qa | grep clamav strace says: [...] blah blah |
It's now a problem in Ubuntu (16.04 and 18.04) too following recent apt-get upgrade. |
Same issue over here... yara rules are an issue as it seems.. |
Fedora 28, same:
|
There's looks to be a bug in the yara rule parsing, which is filed here: https://bugzilla.clamav.net/show_bug.cgi?id=12077 No ETA on a fix. I have removed the yara rules as per @vladki77 's suggestion in #203 (comment) to resolve the issue. According to https://bugzilla.clamav.net/show_bug.cgi?id=12077#c14, the offending yara rule is in |
Added extremeshok/clamav-unofficial-sigs#203 reference for Yara rules bug with clamav > 0.100 Added yararulesproject_enabled="no"
I am currently busy with active development of this. |
Same again with v7.2 and Debian stretch. |
Still the same issue. I've disabled the yara rules for now. Every update enables them though. CC @extremeshok |
I found an issue with the winnow_malware.yar file and EMAIL_Cryptowall.yar - they both contained the same identifier. I decided to exclude the winnow file from the sanesecurity sigs by copying the sanesecurity declaration (declare -a sanesecurity_dbs=(... ) into user.conf and commenting out the yar file #winnow_malware.yara|LOW # detect spam I deleted the yar file from /var/lib/clamav and all seems to be well now. |
Ditto, and this causes clamd to fail entirely. I commented out |
Hi,
Has anyone getting the same.
If EMAIL_Cryptowall.yar & antidebug_antivm.yar are used I get core dump on clamav 0.100. Previous versions gave errors but never crashed.
Jusr proof it works without these 2 files:
Any comments.
Cheers
Andrew
The text was updated successfully, but these errors were encountered: