Micah,

Running master branch from GitHub:
ClamAV 0.101.0/24799/Tue Jul 31 04:44:57 2018

It doesn’t seem to have an issue, as far as I can tell.

# clamscan --debug 2>&1 /dev/null | grep "loaded" | grep yara
LibClamAV debug: load_oneyara: successfully loaded YARA.AnglerEKredirector
LibClamAV debug: load_oneyara: successfully loaded YARA.angler_flash
LibClamAV debug: load_oneyara: successfully loaded YARA.angler_flash2
LibClamAV debug: load_oneyara: successfully loaded YARA.angler_flash4
LibClamAV debug: load_oneyara: successfully loaded YARA.angler_flash5
LibClamAV debug: load_oneyara: successfully loaded YARA.angler_flash_uncompressed
LibClamAV debug: load_oneyara: successfully loaded YARA.angler_html
LibClamAV debug: load_oneyara: successfully loaded YARA.angler_html2
LibClamAV debug: load_oneyara: successfully loaded YARA.angler_jar
LibClamAV debug: load_oneyara: successfully loaded YARA.angler_js
LibClamAV debug: cli_loadyara: loaded 10 of 10 yara signatures from /var/lib/clamav/EK_Angler.yar
LibClamAV debug: load_oneyara: successfully loaded YARA.blackhole2_jar
LibClamAV debug: load_oneyara: successfully loaded YARA.blackhole2_jar2
LibClamAV debug: load_oneyara: successfully loaded YARA.blackhole2_jar3
LibClamAV debug: load_oneyara: successfully loaded YARA.blackhole2_pdf
LibClamAV debug: load_oneyara: successfully loaded YARA.blackhole_basic
LibClamAV debug: load_oneyara: successfully loaded YARA.blackhole1_jar
LibClamAV debug: load_oneyara: successfully loaded YARA.blackhole2_css
LibClamAV debug: load_oneyara: successfully loaded YARA.blackhole2_htm
LibClamAV debug: load_oneyara: successfully loaded YARA.blackhole2_htm10
LibClamAV debug: load_oneyara: successfully loaded YARA.blackhole2_htm11
LibClamAV debug: load_oneyara: successfully loaded YARA.blackhole2_htm12
LibClamAV debug: load_oneyara: successfully loaded YARA.blackhole2_htm3
LibClamAV debug: load_oneyara: successfully loaded YARA.blackhole2_htm4
LibClamAV debug: load_oneyara: successfully loaded YARA.blackhole2_htm5
LibClamAV debug: load_oneyara: successfully loaded YARA.blackhole2_htm6
LibClamAV debug: load_oneyara: successfully loaded YARA.blackhole2_htm8
LibClamAV debug: cli_loadyara: loaded 16 of 16 yara signatures from /var/lib/clamav/EK_Blackhole.yar
LibClamAV debug: load_oneyara: successfully loaded YARA.bleedinglife2_adobe_2010_1297_exploit
LibClamAV debug: load_oneyara: successfully loaded YARA.bleedinglife2_adobe_2010_2884_exploit
LibClamAV debug: load_oneyara: successfully loaded YARA.bleedinglife2_jar2
LibClamAV debug: load_oneyara: successfully loaded YARA.bleedinglife2_java_2010_0842_exploit
LibClamAV debug: cli_loadyara: loaded 4 of 4 yara signatures from /var/lib/clamav/EK_BleedingLife.yar
LibClamAV debug: load_oneyara: successfully loaded YARA.crimepack_jar
LibClamAV debug: load_oneyara: successfully loaded YARA.crimepack_jar3
LibClamAV debug: cli_loadyara: loaded 2 of 2 yara signatures from /var/lib/clamav/EK_Crimepack.yar
LibClamAV debug: load_oneyara: successfully loaded YARA.eleonore_jar
LibClamAV debug: load_oneyara: successfully loaded YARA.eleonore_jar2
LibClamAV debug: load_oneyara: successfully loaded YARA.eleonore_jar3
LibClamAV debug: load_oneyara: successfully loaded YARA.eleonore_js
LibClamAV debug: load_oneyara: successfully loaded YARA.eleonore_js2
LibClamAV debug: load_oneyara: successfully loaded YARA.eleonore_js3
LibClamAV debug: cli_loadyara: loaded 6 of 6 yara signatures from /var/lib/clamav/EK_Eleonore.yar
LibClamAV debug: load_oneyara: successfully loaded YARA.fragus_htm
LibClamAV debug: load_oneyara: successfully loaded YARA.fragus_js
LibClamAV debug: load_oneyara: successfully loaded YARA.fragus_js2
LibClamAV debug: load_oneyara: successfully loaded YARA.fragus_js_flash
LibClamAV debug: load_oneyara: successfully loaded YARA.fragus_js_java
LibClamAV debug: load_oneyara: successfully loaded YARA.fragus_js_quicktime
LibClamAV debug: load_oneyara: successfully loaded YARA.fragus_js_vml
LibClamAV debug: cli_loadyara: loaded 7 of 7 yara signatures from /var/lib/clamav/EK_Fragus.yar
LibClamAV debug: load_oneyara: successfully loaded YARA.phoenix_html
LibClamAV debug: load_oneyara: successfully loaded YARA.phoenix_html10
LibClamAV debug: load_oneyara: successfully loaded YARA.phoenix_html11
LibClamAV debug: load_oneyara: successfully loaded YARA.phoenix_html2
LibClamAV debug: load_oneyara: successfully loaded YARA.phoenix_html3
LibClamAV debug: load_oneyara: successfully loaded YARA.phoenix_html4
LibClamAV debug: load_oneyara: successfully loaded YARA.phoenix_html5
LibClamAV debug: load_oneyara: successfully loaded YARA.phoenix_html6
LibClamAV debug: load_oneyara: successfully loaded YARA.phoenix_html7
LibClamAV debug: load_oneyara: successfully loaded YARA.phoenix_html8
LibClamAV debug: load_oneyara: successfully loaded YARA.phoenix_html9
LibClamAV debug: load_oneyara: successfully loaded YARA.phoenix_jar
LibClamAV debug: load_oneyara: successfully loaded YARA.phoenix_jar2
LibClamAV debug: load_oneyara: successfully loaded YARA.phoenix_jar3
LibClamAV debug: load_oneyara: successfully loaded YARA.phoenix_pdf
LibClamAV debug: load_oneyara: successfully loaded YARA.phoenix_pdf2
LibClamAV debug: load_oneyara: successfully loaded YARA.phoenix_pdf3
LibClamAV debug: cli_loadyara: loaded 17 of 17 yara signatures from /var/lib/clamav/EK_Phoenix.yar
LibClamAV debug: load_oneyara: successfully loaded YARA.sakura_jar
LibClamAV debug: load_oneyara: successfully loaded YARA.sakura_jar2
LibClamAV debug: cli_loadyara: loaded 2 of 2 yara signatures from /var/lib/clamav/EK_Sakura.yar
LibClamAV debug: load_oneyara: successfully loaded YARA.zeroaccess_css
LibClamAV debug: load_oneyara: successfully loaded YARA.zeroaccess_css2
LibClamAV debug: load_oneyara: successfully loaded YARA.zeroaccess_htm
LibClamAV debug: load_oneyara: successfully loaded YARA.zeroaccess_js
LibClamAV debug: load_oneyara: successfully loaded YARA.zeroaccess_js2
LibClamAV debug: load_oneyara: successfully loaded YARA.zeroaccess_js3
LibClamAV debug: load_oneyara: successfully loaded YARA.zeroaccess_js4
LibClamAV debug: cli_loadyara: loaded 7 of 7 yara signatures from /var/lib/clamav/EK_ZeroAcces.yar
LibClamAV debug: load_oneyara: successfully loaded YARA.zerox88_js2
LibClamAV debug: load_oneyara: successfully loaded YARA.zerox88_js3
LibClamAV debug: cli_loadyara: loaded 2 of 2 yara signatures from /var/lib/clamav/EK_Zerox88.yar
LibClamAV debug: load_oneyara: successfully loaded YARA.zeus_js
LibClamAV debug: cli_loadyara: loaded 1 of 1 yara signatures from /var/lib/clamav/EK_Zeus.yar
LibClamAV debug: load_oneyara: successfully loaded YARA.Sanesecurity_TestSig_Type4_Hdr_2
LibClamAV debug: load_oneyara: successfully loaded YARA.Sanesecurity_TestSig_Type3_Bdy_4
LibClamAV debug: load_oneyara: successfully loaded YARA.Sanesecurity_TestSig_Type4_Bdy_3
LibClamAV debug: load_oneyara: successfully loaded YARA.Sanesecurity_PhishingTestSig_1
LibClamAV debug: cli_loadyara: loaded 4 of 4 yara signatures from /var/lib/clamav/Sanesecurity_sigtest.yara
LibClamAV debug: /var/lib/clamav/Sanesecurity_sigtest.yara loaded
LibClamAV debug: load_oneyara: successfully loaded YARA.Sanesecurity_Spam_test
LibClamAV debug: load_oneyara: successfully loaded YARA.Sanesecurity_Spam_pornspam
LibClamAV debug: cli_loadyara: loaded 2 of 2 yara signatures from /var/lib/clamav/Sanesecurity_spam.yara
LibClamAV debug: /var/lib/clamav/Sanesecurity_spam.yara loaded
LibClamAV debug: load_oneyara: successfully loaded YARA.OITC_pdf_with_emb_docm
LibClamAV debug: load_oneyara: successfully loaded YARA.INDICATOR_IMPLANT_Loader
LibClamAV debug: load_oneyara: successfully loaded YARA.INDICATOR_Implant_Loader2
LibClamAV debug: load_oneyara: generic string: [File {0} has been uploaded in {1}] => [46696c65207b307d20686173206265656e2075706c6f6164656420696e207b317d]
LibClamAV debug: load_oneyara: successfully loaded YARA.IMPLANT2_3
LibClamAV debug: load_oneyara: successfully loaded YARA.CryptoWall_Resume_phish
LibClamAV debug: load_oneyara: successfully loaded YARA.java_JSocket_20151217
LibClamAV debug: load_oneyara: successfully loaded YARA.detect_powershell_precursor_downloader
LibClamAV debug: load_oneyara: successfully loaded YARA.kmon_cred_phish
LibClamAV debug: load_oneyara: successfully loaded YARA.rtf_phishing_script_lines
LibClamAV debug: cli_loadyara: loaded 9 of 9 yara signatures from /var/lib/clamav/winnow_malware.yara
LibClamAV debug: /var/lib/clamav/winnow_malware.yara loaded

Sincerely,

Eric Tykwinski
TrueNet, Inc.
P: 610-429-8300

From: clamav-users [mailto:clamav-users-boun...@lists.clamav.net] On Behalf Of Micah Snyder (micasnyd)
Sent: Tuesday, July 31, 2018 8:51 AM
To: steveb_cla...@sanesecurity.com; ClamAV users ML
Subject: Re: [clamav-users] After 0.100.1 Update, clamd crashes

Thanks for the analysis, Steve. That is a step towards understanding how to fix it. I don't believe it's a new bug in 0.100, but was merely revealed due to legitimate improvements in the yara sig loading behavior.

Copypaste'd from my comments in the ticket you linked:

> In 0.99.x some of the rules failed entirely, so the entire database was
> dropped. In 0.100, some of the rules failed, but it now allows it to
> partially load the ones that didn't outright fail. However, there appears to
> be a bug wherein at least one that is getting loaded is causing a crash.

It wouldn't be a good fix to go back and change so it drops the whole ruleset because one failed to load. The correct fix would be to detect signature features that aren't supported before we attempt to load them so we can drop them.

I welcome any additional research from the community to help find a fix for this. We have a lot on our plates, and don't have any time dedicated to fix this one ourselves for 0.101.

Regards,
Micah

Micah Snyder
ClamAV Development
Talos
Cisco Systems, Inc.
_______________________________________________
clamav-users mailing list
clamav-users@lists.clamav.net
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users

Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
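
Added example, not part of the original thread and not ClamAV project code: because 0.100 can load a YARA file partially, a quick check is to compare the "loaded N of M" counts that cli_loadyara prints for each file. The function name yara_load_summary, the file example_partial.yar and its 3-of-5 count are constructed for illustration; the log line format is the one shown in the message above.

```bash
#!/usr/bin/env bash
# Added example (not ClamAV project code): summarise per-file YARA load
# results from `clamscan --debug` output.

# Reads debug output on stdin and prints "STATUS loaded/total path" for each
# rule file. Returns 1 if any file loaded fewer rules than it contains.
yara_load_summary() {
    awk '
        /cli_loadyara: loaded [0-9]+ of [0-9]+ yara signatures from / {
            rest = $0
            sub(/^.*cli_loadyara: loaded /, "", rest)   # "N of M yara ... PATH"
            split(rest, f, " ")
            loaded = f[1] + 0; total = f[3] + 0
            path = rest                                 # keeps paths with spaces
            sub(/^[0-9]+ of [0-9]+ yara signatures from /, "", path)
            status = (loaded < total) ? "PARTIAL" : "OK"
            if (loaded < total) partial = 1
            printf "%s %d/%d %s\n", status, loaded, total, path
        }
        END { exit partial + 0 }
    '
}

# Constructed sample input: the EK_Zeus and winnow_malware lines follow the
# log above; the example_partial.yar line is invented to show a partial load.
sample_log() {
    cat <<'EOF'
LibClamAV debug: load_oneyara: successfully loaded YARA.zeus_js
LibClamAV debug: cli_loadyara: loaded 1 of 1 yara signatures from /var/lib/clamav/EK_Zeus.yar
LibClamAV debug: cli_loadyara: loaded 3 of 5 yara signatures from /var/lib/clamav/example_partial.yar
LibClamAV debug: cli_loadyara: loaded 9 of 9 yara signatures from /var/lib/clamav/winnow_malware.yara
EOF
}

# Live use, with the same invocation as in the message above:
#   clamscan --debug 2>&1 /dev/null | yara_load_summary
sample_log | yara_load_summary || echo "at least one rule file loaded only partially"
```

A PARTIAL line identifies the rule file to bisect when chasing a load-time crash like the one discussed in this thread.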