Re: [clamav-users] After 0.100.1 Update, clamd crashes

2018-07-31 Thread Eric Tykwinski
> -Original Message-
> From: clamav-users [mailto:clamav-users-boun...@lists.clamav.net] On
> Behalf Of Paul Kosinski
> Sent: Tuesday, July 31, 2018 2:42 PM
> To: clamav-users@lists.clamav.net
> Subject: Re: [clamav-users] After 0.100.1 Update, clamd crashes
<...>
> Software should *never* crash when presented with invalid input,
> especially if the input arrives via the Internet. And it's quite
> conceivable that some especially clever bad guy might attack the source
> of signatures to incapacitate ClamAV, or, in the worst case, to cause it
> to execute arbitrary code instead of "merely" crashing.

Yeah, I think everyone pretty much can agree with that.
And it's not like it's uncommon, Gentoo just got whacked last month.

As far as helping to fix the issue, what yara rule was causing the issue on
100.1?
https://github.com/Yara-Rules/rules/blob/master/Antidebug_AntiVM/antidebug_antivm.yar

This one always fails a few, so I tested this out.
LibClamAV Error: yyerror(): /var/lib/clamav/antidebug_antivm.yar line 497 undefined identifier "pe"
LibClamAV Error: yyerror(): /var/lib/clamav/antidebug_antivm.yar line 512 undefined identifier "pe"
LibClamAV Error: yyerror(): /var/lib/clamav/antidebug_antivm.yar line 528 undefined identifier "pe"
LibClamAV Error: yyerror(): /var/lib/clamav/antidebug_antivm.yar line 544 undefined identifier "pe"
LibClamAV Error: yyerror(): /var/lib/clamav/antidebug_antivm.yar line 557 undefined identifier "pe"
LibClamAV Error: yyerror(): /var/lib/clamav/antidebug_antivm.yar line 603 undefined identifier "pe"
LibClamAV Error: yyerror(): /var/lib/clamav/antidebug_antivm.yar line 614 undefined identifier "pe"
LibClamAV Warning: cli_loadyara: failed to parse or load 7 yara rules from file /var/lib/clamav/antidebug_antivm.yar, successfully loaded 92 rules.

For loaded sigs:
LibClamAV Warning: cli_loadyara: failed to parse or load 7 yara rules from file /var/lib/clamav/antidebug_antivm.yar, successfully loaded 92 rules.

If you guys need my config.log for versions of dependencies or anything just
let me know.  
Running 18.04 Ubuntu with OpenSSL 1.1.1, so total dev environment, but looks
like this release is 57 diffs from 100.1 release.


___
clamav-users mailing list
clamav-users@lists.clamav.net
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml


Re: [clamav-users] After 0.100.1 Update, clamd crashes

2018-07-31 Thread Paul Kosinski
I must say that I agree. To have ClamAV crash on a badly formed
signature is as bad as (or worse than) having it crash while scanning.

Since ClamAV tends to be run with automatic updates to its DB, having a
bad signature cause it to crash can result in email blockage or a total
lack of AV service (including perhaps letting bad emails through).

Even if clamd is auto-restarted (e.g., via systemd), it will likely
crash each time, and thus be unavailable.

Software should *never* crash when presented with invalid input,
especially if the input arrives via the Internet. And it's quite
conceivable that some especially clever bad guy might attack the source
of signatures to incapacitate ClamAV, or, in the worst case, to cause it
to execute arbitrary code instead of "merely" crashing.


On Tue, 31 Jul 2018 18:14:29 +0100 (BST)
"G.W. Haywood"  wrote:

> Hi there,
> 
> On Tue, 31 Jul 2018, Steve Basford wrote:
> 
> > My little issue is with this statement:
> > 
> > "It wasn't quite clear at the offset of this bug, but ClamAV cannot
> > support unofficial signatures from a development standpoint. For
> > numerous reasons, we do not regress against those signatures, and
> > in cases where sig writers publish non-functional signatures due to
> > insufficient testing (which then cause crashes in newer versions of
> > clam) we cannot devote our resources to fixing that
> > problem." (above Bugzilla)
> 
> I'll take issue with that statement too.  That's a cr@p developer
> attitude.
> 
> If an unofficial signature causes (or is even _capable_ of causing)
> clam to crash, that's a fault in clam that needs to be fixed.
> 
> If nothing else it means that you're quite likely less secure if
> you're running clam on Linux than you are if you're _not_ running it.
> 


Re: [clamav-users] After 0.100.1 Update, clamd crashes

2018-07-31 Thread G.W. Haywood

Hi there,

On Tue, 31 Jul 2018, Steve Basford wrote:


My little issue is with this statement:

"It wasn't quite clear at the offset of this bug, but ClamAV cannot
support unofficial signatures from a development standpoint. For numerous
reasons, we do not regress against those signatures, and in cases where
sig writers publish non-functional signatures due to insufficient testing
(which then cause crashes in newer versions of clam) we cannot devote our
resources to fixing that problem." (above Bugzilla)


I'll take issue with that statement too.  That's a cr@p developer attitude.

If an unofficial signature causes (or is even _capable_ of causing) clam
to crash, that's a fault in clam that needs to be fixed.

If nothing else it means that you're quite likely less secure if you're
running clam on Linux than you are if you're _not_ running it.

--

73,
Ged.


Re: [clamav-users] After 0.100.1 Update, clamd crashes

2018-07-31 Thread Eric Tykwinski

LibClamAV debug: load_oneyara: successfully loaded YARA.phoenix_jar2
LibClamAV debug: load_oneyara: successfully loaded YARA.phoenix_jar3
LibClamAV debug: load_oneyara: successfully loaded YARA.phoenix_pdf
LibClamAV debug: load_oneyara: successfully loaded YARA.phoenix_pdf2
LibClamAV debug: load_oneyara: successfully loaded YARA.phoenix_pdf3
LibClamAV debug: cli_loadyara: loaded 17 of 17 yara signatures from /var/lib/clamav/EK_Phoenix.yar
LibClamAV debug: load_oneyara: successfully loaded YARA.sakura_jar
LibClamAV debug: load_oneyara: successfully loaded YARA.sakura_jar2
LibClamAV debug: cli_loadyara: loaded 2 of 2 yara signatures from /var/lib/clamav/EK_Sakura.yar
LibClamAV debug: load_oneyara: successfully loaded YARA.zeroaccess_css
LibClamAV debug: load_oneyara: successfully loaded YARA.zeroaccess_css2
LibClamAV debug: load_oneyara: successfully loaded YARA.zeroaccess_htm
LibClamAV debug: load_oneyara: successfully loaded YARA.zeroaccess_js
LibClamAV debug: load_oneyara: successfully loaded YARA.zeroaccess_js2
LibClamAV debug: load_oneyara: successfully loaded YARA.zeroaccess_js3
LibClamAV debug: load_oneyara: successfully loaded YARA.zeroaccess_js4
LibClamAV debug: cli_loadyara: loaded 7 of 7 yara signatures from /var/lib/clamav/EK_ZeroAcces.yar
LibClamAV debug: load_oneyara: successfully loaded YARA.zerox88_js2
LibClamAV debug: load_oneyara: successfully loaded YARA.zerox88_js3
LibClamAV debug: cli_loadyara: loaded 2 of 2 yara signatures from /var/lib/clamav/EK_Zerox88.yar
LibClamAV debug: load_oneyara: successfully loaded YARA.zeus_js
LibClamAV debug: cli_loadyara: loaded 1 of 1 yara signatures from /var/lib/clamav/EK_Zeus.yar
LibClamAV debug: load_oneyara: successfully loaded YARA.Sanesecurity_TestSig_Type4_Hdr_2
LibClamAV debug: load_oneyara: successfully loaded YARA.Sanesecurity_TestSig_Type3_Bdy_4
LibClamAV debug: load_oneyara: successfully loaded YARA.Sanesecurity_TestSig_Type4_Bdy_3
LibClamAV debug: load_oneyara: successfully loaded YARA.Sanesecurity_PhishingTestSig_1
LibClamAV debug: cli_loadyara: loaded 4 of 4 yara signatures from /var/lib/clamav/Sanesecurity_sigtest.yara
LibClamAV debug: /var/lib/clamav/Sanesecurity_sigtest.yara loaded
LibClamAV debug: load_oneyara: successfully loaded YARA.Sanesecurity_Spam_test
LibClamAV debug: load_oneyara: successfully loaded YARA.Sanesecurity_Spam_pornspam
LibClamAV debug: cli_loadyara: loaded 2 of 2 yara signatures from /var/lib/clamav/Sanesecurity_spam.yara
LibClamAV debug: /var/lib/clamav/Sanesecurity_spam.yara loaded
LibClamAV debug: load_oneyara: successfully loaded YARA.OITC_pdf_with_emb_docm
LibClamAV debug: load_oneyara: successfully loaded YARA.INDICATOR_IMPLANT_Loader
LibClamAV debug: load_oneyara: successfully loaded YARA.INDICATOR_Implant_Loader2
LibClamAV debug: load_oneyara: generic string: [File {0} has been uploaded in {1}] => [46696c65207b307d20686173206265656e2075706c6f6164656420696e207b317d]
LibClamAV debug: load_oneyara: successfully loaded YARA.IMPLANT2_3
LibClamAV debug: load_oneyara: successfully loaded YARA.CryptoWall_Resume_phish
LibClamAV debug: load_oneyara: successfully loaded YARA.java_JSocket_20151217
LibClamAV debug: load_oneyara: successfully loaded YARA.detect_powershell_precursor_downloader
LibClamAV debug: load_oneyara: successfully loaded YARA.kmon_cred_phish
LibClamAV debug: load_oneyara: successfully loaded YARA.rtf_phishing_script_lines
LibClamAV debug: cli_loadyara: loaded 9 of 9 yara signatures from /var/lib/clamav/winnow_malware.yara
LibClamAV debug: /var/lib/clamav/winnow_malware.yara loaded

Sincerely,

Eric Tykwinski
TrueNet, Inc.
P: 610-429-8300


From: clamav-users [mailto:clamav-users-boun...@lists.clamav.net] On Behalf Of Micah Snyder (micasnyd)
Sent: Tuesday, July 31, 2018 8:51 AM
To: steveb_cla...@sanesecurity.com; ClamAV users ML
Subject: Re: [clamav-users] After 0.100.1 Update, clamd crashes

Thanks for the analysis, Steve.  That is a step towards understanding how to
fix it.

I don't believe it's a new bug in 0.100, but was merely revealed due to
legitimate improvements in the yara sig loading behavior.

Copy-pasted from my comments in the ticket you linked:

> In 0.99.x some of the rules failed entirely, so the entire database was
> dropped. In 0.100, some of the rules failed, but it now allows it to
> partially load the ones that didn't outright fail. However, there appears to
> be a bug wherein at least one that is getting loaded is causing a crash.

It wouldn't be a good fix to go back and change so it drops the whole ruleset
because one failed to load.  The correct fix would be to detect signature
features that aren't supported before we attempt to load them so we can drop
them.

I welcome any additional research from the community to help find a fix for
this.  We have a lot on our plates, and don't have any time dedicated to fix
this one ourselves for 0.101.

Regard

Re: [clamav-users] After 0.100.1 Update, clamd crashes

2018-07-31 Thread Micah Snyder (micasnyd)
Thanks for the analysis, Steve.  That is a step towards understanding how to 
fix it.

I don't believe it's a new bug in 0.100, but was merely revealed due to 
legitimate improvements in the yara sig loading behavior.
Copy-pasted from my comments in the ticket you linked:

> In 0.99.x some of the rules failed entirely, so the entire database was 
> dropped. In 0.100, some of the rules failed, but it now allows it to 
> partially load the ones that didn't outright fail. However, there appears to 
> be a bug wherein at least one that is getting loaded is causing a crash.

It wouldn't be a good fix to go back and change so it drops the whole ruleset 
because one failed to load.  The correct fix would be to detect signature 
features that aren't supported before we attempt to load them so we can drop 
them.

I welcome any additional research from the community to help find a fix for 
this.  We have a lot on our plates, and don't have any time dedicated to fix 
this one ourselves for 0.101.

Regards,
Micah

Micah Snyder
ClamAV Development
Talos
Cisco Systems, Inc.


On Jul 31, 2018, at 7:50 AM, Steve Basford <steveb_cla...@sanesecurity.com> wrote:

Just posting a little regarding the Yara issue with 0.100.x:

After a little bit of testing last week... here's what was found:

It seems that in ClamAV 0.100.x, if the yara file uses pe.imports *and* has
*multiple* rules inside the single Yara file, it crashes Linux versions of
ClamAV.


If the Yara rule uses pe.imports (which, btw, isn't supported in ClamAV)
and is changed from:

all of ($user*) and pe.imports("advapi32.dll")

to:


all of ($user*)


Then ClamAV doesn't crash in 0.100.x.

Whereas, leaving the rule intact (in pre-0.100.x), it just didn't crash.


There's a bugzilla about it here:


https://bugzilla.clamav.net/show_bug.cgi?id=12077#c14


My little issue is with this statement:

"It wasn't quite clear at the offset of this bug, but ClamAV cannot
support unofficial signatures from a development standpoint. For numerous
reasons, we do not regress against those signatures, and in cases where
sig writers publish non-functional signatures due to insufficient testing
(which then cause crashes in newer versions of clam) we cannot devote our
resources to fixing that problem." (above Bugzilla)


I can see where the above is coming from generally... *but* it's always
been known that Yara pe module import was an issue...

eg:


https://blog.clamav.net/2015/06/clamav-099b-meets-yara.html

"There are currently a few limitations of YARA rules within ClamAV 0.99
beta1, due either to nonexistent ClamAV capabilities or to YARA features
that did not fit well into the ClamAV processing model. We hope to further
evaluate and include as much of this functionality as possible in
subsequent releases. YARA rules using any of the following features will
be flagged in error, and the respective rules will be disabled:

* Modules – A YARA feature intended to provide modular extensions to the
YARA core. Modules are normally activated using the import keyword."


So, I feel that the issue is not the fact that ClamAV isn't supporting the
import module... but the fact that now ClamAV crashes on 0.100.x where
before it didn't.

Yara-Rules won't change their rules which need the pe.import module,
because, well, that's how Yara will detect things on non-ClamAV software.



--
Cheers,

Steve
Twitter: @sanesecurity



Re: [clamav-users] After 0.100.1 Update, clamd crashes

2018-07-31 Thread Steve Basford
Just posting a little regarding the Yara issue with 0.100.x:

After a little bit of testing last week... here's what was found:

It seems that in ClamAV 0.100.x, if the yara file uses pe.imports *and* has
*multiple* rules inside the single Yara file, it crashes Linux versions of
ClamAV.


If the Yara rule uses pe.imports (which, btw, isn't supported in ClamAV)
and is changed from:

all of ($user*) and pe.imports("advapi32.dll")

to:


all of ($user*)


Then ClamAV doesn't crash in 0.100.x.

Whereas, leaving the rule intact (in pre-0.100.x), it just didn't crash.


There's a bugzilla about it here:


https://bugzilla.clamav.net/show_bug.cgi?id=12077#c14


My little issue is with this statement:

"It wasn't quite clear at the offset of this bug, but ClamAV cannot
support unofficial signatures from a development standpoint. For numerous
reasons, we do not regress against those signatures, and in cases where
sig writers publish non-functional signatures due to insufficient testing
(which then cause crashes in newer versions of clam) we cannot devote our
resources to fixing that problem." (above Bugzilla)


I can see where the above is coming from generally... *but* it's always
been known that Yara pe module import was an issue...

eg:


https://blog.clamav.net/2015/06/clamav-099b-meets-yara.html

"There are currently a few limitations of YARA rules within ClamAV 0.99
beta1, due either to nonexistent ClamAV capabilities or to YARA features
that did not fit well into the ClamAV processing model. We hope to further
evaluate and include as much of this functionality as possible in
subsequent releases. YARA rules using any of the following features will
be flagged in error, and the respective rules will be disabled:

* Modules – A YARA feature intended to provide modular extensions to the
YARA core. Modules are normally activated using the import keyword."


So, I feel that the issue is not the fact that ClamAV isn't supporting the
import module... but the fact that now ClamAV crashes on 0.100.x where
before it didn't.

Yara-Rules won't change their rules which need the pe.import module,
because, well, that's how Yara will detect things on non-ClamAV software.



-- 
Cheers,

Steve
Twitter: @sanesecurity

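Micah's message above describes the fix ClamAV itself would need: detect signature features it does not support before attempting to load them, and drop those rules. Steve's post shows the concrete case, a condition using pe.imports, which ClamAV's YARA loader rejects (undefined identifier "pe") and which, in 0.100.x, could bring clamd down. The following is an added example, not ClamAV's code and not from anyone on this thread: a pre-load checker an operator can run over unofficial .yar files before they are copied into /var/lib/clamav. It reports every module import and every module reference in a rule condition, and can write out a copy with those rules removed, which is the same edit Steve made by hand (all of ($user*) and pe.imports("advapi32.dll") becoming all of ($user*), except that here the whole rule is dropped rather than rewritten, so detection logic is never silently weakened). The function names, the module list beyond "pe", and the sample rules are assumptions made for the example.

```python
"""Pre-load check for third-party YARA files destined for ClamAV.

Added example, not ClamAV's own code. ClamAV implements no YARA modules, so
`import "pe"` and any `pe.` reference in a condition are rejected with
'undefined identifier "pe"'; the thread reports that in 0.100.x such rules
could crash clamd. Flag them (and optionally strip them) before loading.
"""
import re
import sys
from dataclasses import dataclass
from typing import List, Tuple

# Module names that ship with YARA; ClamAV evaluates none of them. Every entry
# except "pe" (confirmed by the thread) is an assumption made for this example.
KNOWN_MODULES = {"pe", "elf", "math", "hash", "cuckoo", "magic", "dotnet", "time"}

RULE_HEADER = re.compile(r"^\s*(?:(?:private|global)\s+)*rule\s+([A-Za-z_]\w*)", re.M)
IMPORT_LINE = re.compile(r'^\s*import\s+"([^"]+)"', re.M)
MODULE_REF = re.compile(r"\b(" + "|".join(sorted(KNOWN_MODULES)) + r")\.[A-Za-z_]\w*")


@dataclass
class Finding:
    rule: str    # rule name, or "<file>" for a file-level import statement
    line: int    # 1-based line number in the original file
    reason: str


def strip_comments(text: str) -> str:
    """Blank out // and /* */ comments with spaces, keeping every newline, so
    offsets and line numbers in the result map 1:1 onto the original file.
    Quoted strings and backslash escapes (regex literals) pass through."""
    out, i, n, in_str = [], 0, len(text), False
    while i < n:
        c = text[i]
        if c == "\\" and i + 1 < n:                 # escape: keep both characters
            out.append(text[i:i + 2])
            i += 2
        elif in_str or c == '"':                    # inside (or opening) a string
            out.append(c)
            in_str = not in_str if c == '"' else in_str
            i += 1
        elif text.startswith("//", i):              # line comment
            j = text.find("\n", i)
            j = n if j == -1 else j
            out.append(" " * (j - i))
            i = j
        elif text.startswith("/*", i):              # block comment, newlines kept
            j = text.find("*/", i + 2)
            j = n if j == -1 else j + 2
            out.append("".join("\n" if ch == "\n" else " " for ch in text[i:j]))
            i = j
        else:
            out.append(c)
            i += 1
    return "".join(out)


def _line_of(text: str, idx: int) -> int:
    return text.count("\n", 0, idx) + 1


def split_rules(text: str) -> List[Tuple[str, int, int]]:
    """(name, start, end) offsets of each rule in comment-stripped text; a rule
    runs from its header to the next header or end of file."""
    heads = list(RULE_HEADER.finditer(text))
    return [(m.group(1), m.start(),
             heads[k + 1].start() if k + 1 < len(heads) else len(text))
            for k, m in enumerate(heads)]


def check_rules(source: str) -> List[Finding]:
    """Report module imports and module references in rule conditions."""
    text = strip_comments(source)
    findings = [Finding("<file>", _line_of(text, m.start(1)),
                        f'import "{m.group(1)}": YARA modules are not supported by ClamAV')
                for m in IMPORT_LINE.finditer(text)]
    for name, start, end in split_rules(text):
        cond = text.find("condition:", start, end)
        if cond == -1:
            continue        # malformed rule; the loader rejects it on its own
        # Only the condition can call a module; the strings section is literal data.
        for m in MODULE_REF.finditer(text, cond, end):
            findings.append(Finding(name, _line_of(text, m.start()),
                                    f"condition uses {m.group(0)}, which ClamAV cannot evaluate"))
    return findings


def drop_unsupported(source: str) -> str:
    """Copy of the file without module imports and without the flagged rules;
    every other rule is kept byte-for-byte (stripped text has identical offsets)."""
    bad = {f.rule for f in check_rules(source)} - {"<file>"}
    text = strip_comments(source)
    pieces, last = [], 0
    for name, start, end in split_rules(text):
        if name in bad:
            pieces.append(source[last:start])
            last = end
    pieces.append(source[last:])
    return IMPORT_LINE.sub("", "".join(pieces))


# Constructed sample modelled on the rule shape quoted in the thread.
SAMPLE = '''\
import "pe"

rule UsesPeModule   // dropped: module call in the condition
{
    strings:
        $user1 = "GetUserNameA"
        $user2 = "LookupAccountNameA"
    condition:
        all of ($user*) and pe.imports("advapi32.dll")
}

rule PlainStrings   // kept: "pe.imports" below is string data, not a module call
{
    strings:
        $a = "http://example.invalid/pe.imports"
    condition:
        $a
}
'''

if __name__ == "__main__":
    args = [a for a in sys.argv[1:] if a != "--strip"]
    src = open(args[0], encoding="utf-8").read() if args else SAMPLE
    for f in check_rules(src):
        print(f"line {f.line}: {f.rule}: {f.reason}")
    if "--strip" in sys.argv:
        sys.stdout.write(drop_unsupported(src))
```

Run it with no arguments to see the two findings on the built-in sample (the import on line 1 and the pe.imports call on line 9); give it a path and --strip to print a loadable copy. Dropping the whole rule rather than deleting the module clause is deliberate: a rule minus its pe.imports test matches a broader set of files than its author intended, so a rule that needs a module is better left to a YARA engine that has one.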


Re: [clamav-users] After 0.100.1 Update, clamd crashes

2018-07-31 Thread Fraenzl, Martin
Thanks, Vladislav for the quick reply!

That's exactly the problem, deleting *.yar and *.yara solved it!

Cheers,
Martin

-----Original Message-----
From: clamav-users  On Behalf Of
Vladislav Kurz
Sent: Tuesday, 31 July 2018 11:22
To: clamav-users@lists.clamav.net
Subject: Re: [clamav-users] After 0.100.1 Update, clamd crashes

On 07/31/18 11:10, Fraenzl, Martin wrote:
> Hi all,
>
> I'm using clamav as a scanner for my Exim MTA.
>
> Since I updated from 0.99.4 to 0.100.1, Exim is not able to connect to
> clamd.

If you are using unofficial rules, disable yara rules.

https://github.com/extremeshok/clamav-unofficial-sigs/issues/203

--
best Regards
Vladislav Kurz



Re: [clamav-users] After 0.100.1 Update, clamd crashes

2018-07-31 Thread Vladislav Kurz
On 07/31/18 11:10, Fraenzl, Martin wrote:
> Hi all,
>
> I'm using clamav as a scanner for my Exim MTA.
>
> Since I updated from 0.99.4 to 0.100.1, Exim is not able to connect to
> clamd.

If you are using unofficial rules, disable yara rules.

https://github.com/extremeshok/clamav-unofficial-sigs/issues/203

-- 
best Regards
Vladislav Kurz
