I've opened https://github.com/Cisco-Talos/clamav/issues/389 for this
issue. The issue *shouldn't* be causing problems with scanning (it wasn't
causing a problem for me), but if it is please add a comment to the issue
to that effect.

--Maarten

On Wed, Nov 24, 2021 at 11:19 AM Maarten Broekman <
maarten.broek...@gmail.com> wrote:

>
>
> On Wed, Nov 24, 2021 at 10:42 AM Maarten Broekman <
> maarten.broek...@gmail.com> wrote:
>
>>
>>
>> On Wed, Nov 24, 2021 at 10:14 AM Ralf Hildebrandt via clamav-users <
>> clamav-users@lists.clamav.net> wrote:
>>
>>> * Arnaud Jacques via clamav-users <clamav-users@lists.clamav.net>:
>>> > Is it just me, or?
>>>
>>> Same here:
>>>
>>> # clamdscan -V
>>> ClamAV 0.103.4/26363/Wed Nov 24 10:19:30 2021
>>>
>>> # sigtool -l|tail
>>> Doc.Malware.Valyria-6923115-0
>>> Xls.Malware.Generic-6923116-0
>>> Doc.Malware.00536d-6923117-0
>>> Doc.Malware.Valyria-6923118-0
>>> Xls.Malware.Sload-6923119-0
>>> Xls.Downloader.Powload-6923120-0
>>> ERROR: listdb: Malformed pattern line 32300 (file
>>> /tmp/clamav-2aa50bd01844b36b876433804b298d0b.tmp/main.ldb)
>>> ERROR: listdb: Error listing database
>>> /tmp/clamav-2aa50bd01844b36b876433804b298d0b.tmp/main.ldb
>>> ERROR: listdb: Can't list directory /var/lib/clamav/main.cld
>>> ERROR: listdb: Error listing database /var/lib/clamav/main.cld
>>>
>>
>> I get the same errors, yet clamscan loads things just fine and sigtool is
>> able to decode the signature on line 32300 (Doc.Trojan.Agent-6923124-0)
>> without a problem.
>>
>> It definitely seems like an issue with the list-sigs functionality
>> though, given the disparity in counts between a count of the lines output
>> by sigtool -l and the number of known viruses reported by clamscan (version
>> 0.103.3).
>>
>> $ sigtool -l | wc -l
>>  6640592
>>
>> $ clamscan test.txt
>> /Users/mbroekman/Security/test/test.txt: OK
>>
>> ----------- SCAN SUMMARY -----------
>> Known viruses: 8579605
>>
>> One curious thing is that the Powload signature is *exactly* 8192
>> characters in length. From past experience with older versions of ClamAV, I
>> thought 8k was the size limit for signatures, including the EOL for the
>> database line. I wonder if there's still an issue in the list-sigs
>> functionality around that, since clamscan doesn't report database errors.
>>
>>
> A little more information:
> There are only 4 signatures in the main.ldb that are over 8k in size. That
> powload one is the only one that causes problems. I separated them out into
> a new file:
>
> $ wc -l ./test.ldb
>        4 ./test.ldb
>
> $ cat test.ldb | awk -F\; '{ print $1 }'
> Doc.Dropper.Generic-6922945-0
> Win.Adware.Linkury-16152
> Win.Adware.Linkury-16148
> Xls.Downloader.Powload-6923120-0
>
> When I run "sigtool -l./test.ldb", however, sigtool does something ... odd:
> Doc.Dropper.Generic-6922945-0
>
> Win.Adware.Linkury-16152
>
> Win.Adware.Linkury-16148
>
> Xls.Downloader.Powload-6923120-0
> ERROR: listdb: Malformed pattern line 8 (file ./test.ldb)
>
> This seems to indicate that:
>
>    - sigtool isn't reading the entire line from the database file, rather
>    it's only reading 8k.
>    - The error is *NOT* triggering on those other long signatures because
>    there *is* a semi-colon further in the signature file which allows
>    sigtool to "think" those long strings of numbers are actually the virus
>    names.
>    - The error IS triggering on the powload signature because the very
>    next read (line 1615: 'while (fgets(buffer, CLI_DEFAULT_LSIG_BUFSIZE, fh))
>    {' ) is hitting a newline.
>
>
> --Maarten
>
>
>>> Ralf Hildebrandt
>>> Charité - Universitätsmedizin Berlin
>>> Geschäftsbereich IT | Abteilung Netzwerk
>>>
>>> Campus Benjamin Franklin (CBF)
>>> Haus I | 1. OG | Raum 105
>>> Hindenburgdamm 30 | D-12203 Berlin
>>>
>>> Tel. +49 30 450 570 155
>>> ralf.hildebra...@charite.de
>>> https://www.charite.de
>>>
>>> _______________________________________________
>>>
>>> clamav-users mailing list
>>> clamav-users@lists.clamav.net
>>> https://lists.clamav.net/mailman/listinfo/clamav-users
>>>
>>>
>>> Help us build a comprehensive ClamAV guide:
>>> https://github.com/vrtadmin/clamav-faq
>>>
>>> http://www.clamav.net/contact.html#ml
>>>
>>
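
The behaviour analysed in the quoted message above (a fixed-size `fgets()` buffer splitting long database lines), as an added C example that is not ClamAV's code and not part of the original thread. `BUFSZ`, `make_sample`, `count_records` and the sample lines are constructed for illustration, with `BUFSZ` a small stand-in for the 8k buffer.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BUFSZ 32 /* constructed small stand-in for CLI_DEFAULT_LSIG_BUFSIZE */

/* Constructed sample database: three logical lines, not real signatures. */
static FILE *make_sample(void) {
    char hex[BUFSZ + 1];
    FILE *fh = tmpfile();
    if (!fh) exit(1);
    memset(hex, 'a', sizeof(hex));
    fprintf(fh, "Sig.Short;0;aa\n");
    fprintf(fh, "Sig.Long;0;%.*s;%.*s\n", BUFSZ, hex, 8, hex); /* ';' past first read */
    fprintf(fh, "Sig.Exact;%.*s\n", BUFSZ - 11, hex); /* exactly BUFSZ bytes with '\n' */
    rewind(fh);
    return fh;
}

/* with_fix=0: every fgets() return is judged as a whole line.
 * with_fix=1: chunks are reassembled until the newline arrives. */
static int count_records(FILE *fh, int with_fix, int *malformed) {
    char chunk[BUFSZ], *line = NULL, *tmp;
    size_t len = 0, n;
    int records = 0;
    *malformed = 0;
    while (fgets(chunk, sizeof(chunk), fh)) {
        n = strlen(chunk);
        if (!(tmp = realloc(line, len + n + 1))) break;
        line = tmp;
        memcpy(line + len, chunk, n + 1);
        len += n;
        /* Fix: no trailing newline and not at EOF means the line is incomplete. */
        if (with_fix && len && line[len - 1] != '\n' && !feof(fh)) continue;
        if (strchr(line, ';')) records++;   /* looks like "name;..." */
        else (*malformed)++;                /* no separator: malformed line */
        len = 0;
    }
    free(line);
    return records;
}

int main(void) {
    int bad, ok;
    FILE *fh = make_sample();
    ok = count_records(fh, 0, &bad);
    printf("chunk-per-line: %d records, %d malformed\n", ok, bad);
    rewind(fh);
    ok = count_records(fh, 1, &bad);
    printf("reassembled:    %d records, %d malformed\n", ok, bad);
    fclose(fh);
    return 0;
}
```

Without reassembly the tail of `Sig.Long` is counted as an extra record because it contains a `;`, while the lone newline left over from `Sig.Exact` is reported as malformed.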