Re: [clamav-users] Problems with 3rd party sigs
On 31 March 2017 18:45:58 Mark Foley wrote:

> Per advice on this list, I downloaded and installed the clamav-unofficial-sigs
> scripts from the link on Sanesecurity.

> 2. I run a cron'd clamscan job to scan mail folders several times a day. I get
> the following errors which are new since installing the unofficial-sigs:

See... you can comment out these lines in the master.conf:

#email/EMAIL_Cryptowall.yar|LOW # CryptoWall Resume phish
#Antidebug_AntiVM/antidebug_antivm.yar|LOW # anti debug and anti virtualization techniques used by malware

See... issues page from here...

https://github.com/extremeshok/clamav-unofficial-sigs

Cheers,

Steve
Twitter: @sanesecurity

___
clamav-users mailing list
clamav-users@lists.clamav.net
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users

Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
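A pre-flight check a cron job can run over the downloaded .yar files to find the two things this thread shows ClamAV rejecting (calls into the unsupported pe module, and duplicate rule identifiers), so you know which entries to comment out of master.conf instead of discovering it from clamscan's error count. This is an added example in Python, not code from this thread or from clamav-unofficial-sigs; the sample rule text is constructed, and treating only "pe" as unsupported is an assumption drawn from the errors quoted below.

```python
"""Pre-flight check for third-party YARA rule files before ClamAV loads them.
Added example, not code from this thread or from clamav-unofficial-sigs. Flags
the two failure classes reported in the thread (unsupported "pe" module calls,
duplicate rule identifiers) so you know which .yar files to disable."""
import re
import sys

# "pe" is the module the thread names as unimplemented; extend locally if your
# build rejects others (this set is an assumption, not an official ClamAV list).
UNSUPPORTED_MODULES = {"pe"}
RULE_RE = re.compile(r"^\s*(?:(?:private|global)\s+)*rule\s+([A-Za-z_]\w*)")
IMPORT_RE = re.compile(r'^\s*import\s+"([^"]+)"')
MODULE_USE_RE = re.compile(
    r"\b(" + "|".join(sorted(UNSUPPORTED_MODULES)) + r")\.[A-Za-z_]\w*")


def check_yara_text(text):
    """Return (line_no, message) pairs, worded like LibClamAV's yyerror()."""
    problems, seen_rules, in_comment = [], set(), False
    for no, line in enumerate(text.splitlines(), 1):
        if in_comment:                      # still inside a /* ... */ block
            if "*/" not in line:
                continue
            line, in_comment = line.split("*/", 1)[1], False
        if "/*" in line:                    # block comment starts on this line
            line, _, rest = line.partition("/*")
            in_comment = "*/" not in rest
        line = line.split("//", 1)[0]       # drop trailing line comments
        m = IMPORT_RE.match(line)
        if m and m.group(1) in UNSUPPORTED_MODULES:
            problems.append((no, f'unsupported module import "{m.group(1)}"'))
        m = RULE_RE.match(line)
        if m:
            if m.group(1) in seen_rules:
                problems.append((no, f'duplicate identifier "{m.group(1)}"'))
            seen_rules.add(m.group(1))
        for mod in MODULE_USE_RE.findall(line):
            problems.append((no, f'undefined identifier "{mod}"'))
    return problems


# Constructed sample that mimics the two broken files from the thread.
SAMPLE = '''\
/* header comment mentioning pe.imports() must not count */
import "pe"
rule CryptoWall_Resume_phish { strings: $a = "resume" condition: $a }
rule docx_macro { condition: true }
rule CryptoWall_Resume_phish { condition: true }   // duplicate
rule anti_debug { condition: pe.imports("kernel32.dll", "IsDebuggerPresent") }
'''

if __name__ == "__main__":              # python check_yara.py [file.yar ...]
    for path in sys.argv[1:] or ["<SAMPLE>"]:
        text = SAMPLE if path == "<SAMPLE>" else open(path).read()
        for no, msg in check_yara_text(text):
            print(f"{path} line {no}: {msg}")
```

A non-empty result for a file means cli_loadyara would reject that whole file, so the corresponding master.conf line is the one to comment out.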
Re: [clamav-users] Problems with 3rd party sigs
They can be ignored. For yara rules, ClamAV currently ignores any containing
errors or unsupported features.

Steve

On Fri, Mar 31, 2017 at 2:30 PM, Mark Foley wrote:

> On Fri, 31 Mar 2017 14:01:29 -0400 Steven Morgan wrote:
>
> Thanks Steve. Is there then a way to disable the pe rules or do I just
> have to ignore these messages?
>
> --Mark
>
> > Mark,
> >
> > The pe import module of yara rules is not currently implemented in
> > ClamAV. Other specifics of using yara rules in Clam may be found in
> > docs/signatures.pdf. Also, looks like errors in EMAIL_Cryptowall.yar yara
> > rule?
> >
> > Hope this helps,
> > Steve
> >
> > On Fri, Mar 31, 2017 at 1:45 PM, Mark Foley wrote:
> >
> > > Per advice on this list, I downloaded and installed the
> > > clamav-unofficial-sigs scripts from the link on Sanesecurity.
> > >
> > > [...]
Re: [clamav-users] Problems with 3rd party sigs
On Fri, 31 Mar 2017 14:01:29 -0400 Steven Morgan wrote:

Thanks Steve. Is there then a way to disable the pe rules or do I just have to
ignore these messages?

--Mark

> Mark,
>
> The pe import module of yara rules is not currently implemented in ClamAV.
> Other specifics of using yara rules in Clam may be found in
> docs/signatures.pdf. Also, looks like errors in EMAIL_Cryptowall.yar yara
> rule?
>
> Hope this helps,
> Steve
>
> On Fri, Mar 31, 2017 at 1:45 PM, Mark Foley wrote:
>
> > Per advice on this list, I downloaded and installed the
> > clamav-unofficial-sigs scripts from the link on Sanesecurity.
> >
> > [...]
> >
> > Has anyone on this list encountered the same problem and if so were you
> > able to fix them? I'm running Slackware.
> >
> > Thanks, Mark
Re: [clamav-users] Problems with 3rd party sigs
Mark,

The pe import module of yara rules is not currently implemented in ClamAV.
Other specifics of using yara rules in Clam may be found in
docs/signatures.pdf. Also, looks like errors in EMAIL_Cryptowall.yar yara
rule?

Hope this helps,
Steve

On Fri, Mar 31, 2017 at 1:45 PM, Mark Foley wrote:

> Per advice on this list, I downloaded and installed the
> clamav-unofficial-sigs scripts from the link on Sanesecurity.
>
> I've not been able to get it running. Two problems:
>
> [...]
>
> LibClamAV Error: yyerror(): /var/lib/clamav/antidebug_antivm.yar line 497
> undefined identifier "pe"
> [...]
> LibClamAV Error: cli_loadyara: failed to parse rules file
> /var/lib/clamav/antidebug_antivm.yar, error count 7
> LibClamAV Error: yyerror(): /var/lib/clamav/EMAIL_Cryptowall.yar line 34
> duplicate identifier "CryptoWall_Resume_phish"
> LibClamAV Error: yyerror(): /var/lib/clamav/EMAIL_Cryptowall.yar line 52
> duplicate identifier "docx_macro"
> LibClamAV Error: cli_loadyara: failed to parse rules file
> /var/lib/clamav/EMAIL_Cryptowall.yar, error count 2
>
> The lines at /var/lib/clamav/antidebug_antivm.yar line 497 are:
>
> 496     contition:
> 497         pe.imports("kernel32.dll","CheckRemoteDebuggerPresent") and
> 498         pe.imports("kernel32.dll","IsDebuggerPresent")
>
> [...]
>
> Thanks, Mark
[clamav-users] Problems with 3rd party sigs
Per advice on this list, I downloaded and installed the clamav-unofficial-sigs
scripts from the link on Sanesecurity.

I've not been able to get it running. Two problems:

1. The /etc/cron.d/clamav-unofficial-sigs cron script won't run from crond. I
get an email:

/bin/sh: clamav: command not found

I've searched the computer and the clamav-unofficial-sigs.sh script looking for
a reference to a clamav command and simply cannot find such a command. I've
sprinkled `echo` statements throughout clamav-unofficial-sigs.sh and redirected
the cron script's output to a log file. I never get anything in the logfile.
Yet, if I run clamav-unofficial-sigs.sh as root manually, it runs fine.

2. I run a cron'd clamscan job to scan mail folders several times a day. I get
the following errors which are new since installing the unofficial-sigs:

LibClamAV Error: yyerror(): /var/lib/clamav/antidebug_antivm.yar line 497 undefined identifier "pe"
LibClamAV Error: yyerror(): /var/lib/clamav/antidebug_antivm.yar line 512 undefined identifier "pe"
LibClamAV Error: yyerror(): /var/lib/clamav/antidebug_antivm.yar line 528 undefined identifier "pe"
LibClamAV Error: yyerror(): /var/lib/clamav/antidebug_antivm.yar line 544 undefined identifier "pe"
LibClamAV Error: yyerror(): /var/lib/clamav/antidebug_antivm.yar line 557 undefined identifier "pe"
LibClamAV Error: yyerror(): /var/lib/clamav/antidebug_antivm.yar line 603 undefined identifier "pe"
LibClamAV Error: yyerror(): /var/lib/clamav/antidebug_antivm.yar line 614 undefined identifier "pe"
LibClamAV Error: cli_loadyara: failed to parse rules file /var/lib/clamav/antidebug_antivm.yar, error count 7
LibClamAV Error: yyerror(): /var/lib/clamav/EMAIL_Cryptowall.yar line 34 duplicate identifier "CryptoWall_Resume_phish"
LibClamAV Error: yyerror(): /var/lib/clamav/EMAIL_Cryptowall.yar line 52 duplicate identifier "docx_macro"
LibClamAV Error: cli_loadyara: failed to parse rules file /var/lib/clamav/EMAIL_Cryptowall.yar, error count 2

The lines at /var/lib/clamav/antidebug_antivm.yar line 497 are:

496     contition:
497         pe.imports("kernel32.dll","CheckRemoteDebuggerPresent") and
498         pe.imports("kernel32.dll","IsDebuggerPresent")

These seem like rather basic programming bugs. Nevertheless, it does appear to
catch new signatures, e.g.:

/home/HPRS/mpress/Maildir/.Deleted Items/cur/1463485456.M955042P32209.mail,S=13067,W=13269:2,S: Sanesecurity.Foxhole.Zip_fs226.UNOFFICIAL FOUND
/home/HPRS/mpress/Maildir/.Deleted Items/cur/1460374151.M124643P21974.mail,S=30684,W=31217:2,S: Sanesecurity.Spam.12404.Ml.UNOFFICIAL FOUND
/home/HPRS/shay/Maildir/.Trash/cur/1485781802.M776532P6090.mail,S=2905,W=2971:2,S!(1)MAIL:mixedtextportion: Sanesecurity.Junk.33365.UNOFFICIAL FOUND
/home/HPRS/shay/Maildir/.Trash/cur/1486393658.M60634P26487.mail,S=48881,W=49823:2,S: Sanesecurity.Spam.12427.FakeRenew.UNOFFICIAL FOUND
/home/HPRS/dsmith/Maildir/.Deleted Items.Sent/cur/1443025877.M266324P18041.mail,S=22511,W=22844:2,S: Sanesecurity.Foxhole.Zip_Wordexe.1.UNOFFICIAL FOUND

etc.

Has anyone on this list encountered the same problem and if so were you able to
fix them? I'm running Slackware.

Thanks, Mark