Re: [clamav-users] After 0.100.1 Update, clamd crashes
> -Original Message-
> From: clamav-users [mailto:clamav-users-boun...@lists.clamav.net] On Behalf Of Paul Kosinski
> Sent: Tuesday, July 31, 2018 2:42 PM
> To: clamav-users@lists.clamav.net
> Subject: Re: [clamav-users] After 0.100.1 Update, clamd crashes
<...>
> Software should *never* crash when presented with invalid input,
> especially if the input arrives via the Internet. And it's quite
> conceivable that some especially clever bad guy might attack the source
> of signatures to incapacitate ClamAV, or, in the worst case, to cause it
> to execute arbitrary code instead of "merely" crashing.

Yeah, I think everyone pretty much can agree with that. And it's not like it's uncommon; Gentoo just got whacked last month.

As far as helping to fix the issue, what yara rule was causing the issue on 100.1?
https://github.com/Yara-Rules/rules/blob/master/Antidebug_AntiVM/antidebug_antivm.yar

This one always fails a few, so I tested this out.

LibClamAV Error: yyerror(): /var/lib/clamav/antidebug_antivm.yar line 497 undefined identifier "pe"
LibClamAV Error: yyerror(): /var/lib/clamav/antidebug_antivm.yar line 512 undefined identifier "pe"
LibClamAV Error: yyerror(): /var/lib/clamav/antidebug_antivm.yar line 528 undefined identifier "pe"
LibClamAV Error: yyerror(): /var/lib/clamav/antidebug_antivm.yar line 544 undefined identifier "pe"
LibClamAV Error: yyerror(): /var/lib/clamav/antidebug_antivm.yar line 557 undefined identifier "pe"
LibClamAV Error: yyerror(): /var/lib/clamav/antidebug_antivm.yar line 603 undefined identifier "pe"
LibClamAV Error: yyerror(): /var/lib/clamav/antidebug_antivm.yar line 614 undefined identifier "pe"
LibClamAV Warning: cli_loadyara: failed to parse or load 7 yara rules from file /var/lib/clamav/antidebug_antivm.yar, successfully loaded 92 rules.

For loaded sigs:
LibClamAV Warning: cli_loadyara: failed to parse or load 7 yara rules from file /var/lib/clamav/antidebug_antivm.yar, successfully loaded 92 rules.

If you guys need my config.log for versions of dependencies or anything, just let me know. Running 18.04 Ubuntu with OpenSSL 1.1.1, so total dev environment, but it looks like this release is 57 diffs from the 100.1 release.

___
clamav-users mailing list
clamav-users@lists.clamav.net
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users

Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
Re: [clamav-users] After 0.100.1 Update, clamd crashes
I must say that I agree. To have ClamAV crash on a badly formed signature is as bad (or worse) as having it crash while scanning. Since ClamAV tends to be run with automatic updates to its DB, having a bad signature cause it to crash can result in email blockage or a total lack of AV service (including perhaps letting bad emails through). Even if clamd is auto-restarted (e.g., via systemd), it will likely crash each time, and thus be unavailable.

Software should *never* crash when presented with invalid input, especially if the input arrives via the Internet. And it's quite conceivable that some especially clever bad guy might attack the source of signatures to incapacitate ClamAV, or, in the worst case, to cause it to execute arbitrary code instead of "merely" crashing.

On Tue, 31 Jul 2018 18:14:29 +0100 (BST) "G.W. Haywood" wrote:

> Hi there,
>
> On Tue, 31 Jul 2018, Steve Basford wrote:
>
> > My little issue is with this statement:
> >
> > "It wasn't quite clear at the offset of this bug, but ClamAV cannot
> > support unofficial signatures from a development standpoint. For
> > numerous reasons, we do not regress against those signatures, and
> > in cases where sig writers publish non-functional signatures due to
> > insufficient testing (which then cause crashes in newer versions of
> > clam) we cannot devote our resources to fixing that
> > problem." (above Bugzilla)
>
> I'll take issue with that statement too. That's a cr@p developer
> attitude.
>
> If an unofficial signature causes (or is even _capable_ of causing)
> clam to crash, that's a fault in clam that needs to be fixed.
>
> If nothing else it means that you're quite likely less secure if
> you're running clam on Linux than you are if you're _not_ running it.
Re: [clamav-users] After 0.100.1 Update, clamd crashes
Hi there,

On Tue, 31 Jul 2018, Steve Basford wrote:

> My little issue is with this statement:
>
> "It wasn't quite clear at the offset of this bug, but ClamAV cannot support unofficial signatures from a development standpoint. For numerous reasons, we do not regress against those signatures, and in cases where sig writers publish non-functional signatures due to insufficient testing (which then cause crashes in newer versions of clam) we cannot devote our resources to fixing that problem." (above Bugzilla)

I'll take issue with that statement too. That's a cr@p developer attitude.

If an unofficial signature causes (or is even _capable_ of causing) clam to crash, that's a fault in clam that needs to be fixed.

If nothing else it means that you're quite likely less secure if you're running clam on Linux than you are if you're _not_ running it.

--
73,
Ged.
Re: [clamav-users] After 0.100.1 Update, clamd crashes
LibClamAV debug: load_oneyara: successfully loaded YARA.phoenix_jar2
LibClamAV debug: load_oneyara: successfully loaded YARA.phoenix_jar3
LibClamAV debug: load_oneyara: successfully loaded YARA.phoenix_pdf
LibClamAV debug: load_oneyara: successfully loaded YARA.phoenix_pdf2
LibClamAV debug: load_oneyara: successfully loaded YARA.phoenix_pdf3
LibClamAV debug: cli_loadyara: loaded 17 of 17 yara signatures from /var/lib/clamav/EK_Phoenix.yar
LibClamAV debug: load_oneyara: successfully loaded YARA.sakura_jar
LibClamAV debug: load_oneyara: successfully loaded YARA.sakura_jar2
LibClamAV debug: cli_loadyara: loaded 2 of 2 yara signatures from /var/lib/clamav/EK_Sakura.yar
LibClamAV debug: load_oneyara: successfully loaded YARA.zeroaccess_css
LibClamAV debug: load_oneyara: successfully loaded YARA.zeroaccess_css2
LibClamAV debug: load_oneyara: successfully loaded YARA.zeroaccess_htm
LibClamAV debug: load_oneyara: successfully loaded YARA.zeroaccess_js
LibClamAV debug: load_oneyara: successfully loaded YARA.zeroaccess_js2
LibClamAV debug: load_oneyara: successfully loaded YARA.zeroaccess_js3
LibClamAV debug: load_oneyara: successfully loaded YARA.zeroaccess_js4
LibClamAV debug: cli_loadyara: loaded 7 of 7 yara signatures from /var/lib/clamav/EK_ZeroAcces.yar
LibClamAV debug: load_oneyara: successfully loaded YARA.zerox88_js2
LibClamAV debug: load_oneyara: successfully loaded YARA.zerox88_js3
LibClamAV debug: cli_loadyara: loaded 2 of 2 yara signatures from /var/lib/clamav/EK_Zerox88.yar
LibClamAV debug: load_oneyara: successfully loaded YARA.zeus_js
LibClamAV debug: cli_loadyara: loaded 1 of 1 yara signatures from /var/lib/clamav/EK_Zeus.yar
LibClamAV debug: load_oneyara: successfully loaded YARA.Sanesecurity_TestSig_Type4_Hdr_2
LibClamAV debug: load_oneyara: successfully loaded YARA.Sanesecurity_TestSig_Type3_Bdy_4
LibClamAV debug: load_oneyara: successfully loaded YARA.Sanesecurity_TestSig_Type4_Bdy_3
LibClamAV debug: load_oneyara: successfully loaded YARA.Sanesecurity_PhishingTestSig_1
LibClamAV debug: cli_loadyara: loaded 4 of 4 yara signatures from /var/lib/clamav/Sanesecurity_sigtest.yara
LibClamAV debug: /var/lib/clamav/Sanesecurity_sigtest.yara loaded
LibClamAV debug: load_oneyara: successfully loaded YARA.Sanesecurity_Spam_test
LibClamAV debug: load_oneyara: successfully loaded YARA.Sanesecurity_Spam_pornspam
LibClamAV debug: cli_loadyara: loaded 2 of 2 yara signatures from /var/lib/clamav/Sanesecurity_spam.yara
LibClamAV debug: /var/lib/clamav/Sanesecurity_spam.yara loaded
LibClamAV debug: load_oneyara: successfully loaded YARA.OITC_pdf_with_emb_docm
LibClamAV debug: load_oneyara: successfully loaded YARA.INDICATOR_IMPLANT_Loader
LibClamAV debug: load_oneyara: successfully loaded YARA.INDICATOR_Implant_Loader2
LibClamAV debug: load_oneyara: generic string: [File {0} has been uploaded in {1}] => [46696c65207b307d20686173206265656e2075706c6f6164656420696e207b317d]
LibClamAV debug: load_oneyara: successfully loaded YARA.IMPLANT2_3
LibClamAV debug: load_oneyara: successfully loaded YARA.CryptoWall_Resume_phish
LibClamAV debug: load_oneyara: successfully loaded YARA.java_JSocket_20151217
LibClamAV debug: load_oneyara: successfully loaded YARA.detect_powershell_precursor_downloader
LibClamAV debug: load_oneyara: successfully loaded YARA.kmon_cred_phish
LibClamAV debug: load_oneyara: successfully loaded YARA.rtf_phishing_script_lines
LibClamAV debug: cli_loadyara: loaded 9 of 9 yara signatures from /var/lib/clamav/winnow_malware.yara
LibClamAV debug: /var/lib/clamav/winnow_malware.yara loaded

Sincerely,
Eric Tykwinski
TrueNet, Inc.
P: 610-429-8300

From: clamav-users [mailto:clamav-users-boun...@lists.clamav.net] On Behalf Of Micah Snyder (micasnyd)
Sent: Tuesday, July 31, 2018 8:51 AM
To: steveb_cla...@sanesecurity.com; ClamAV users ML
Subject: Re: [clamav-users] After 0.100.1 Update, clamd crashes

Thanks for the analysis, Steve. That is a step towards understanding how to fix it.

I don't believe it's a new bug in 0.100, but was merely revealed due to legitimate improvements in the yara sig loading behavior. Copypaste'd from my comments in the ticket you linked:

> In 0.99.x some of the rules failed entirely, so the entire database was
> dropped. In 0.100, some of the rules failed, but it now allows it to
> partially load the ones that didn't outright fail. However, there appears to
> be a bug wherein at least one that is getting loaded is causing a crash.

It wouldn't be a good fix to go back and change so it drops the whole ruleset because one failed to load. The correct fix would be to detect signature features that aren't supported before we attempt to load them so we can drop them.

I welcome any additional research from the community to help find a fix for this. We have a lot on our plates, and don't have any time dedicated to fix this one ourselves for 0.101.

Regard
Re: [clamav-users] After 0.100.1 Update, clamd crashes
Thanks for the analysis, Steve. That is a step towards understanding how to fix it.

I don't believe it's a new bug in 0.100, but was merely revealed due to legitimate improvements in the yara sig loading behavior. Copypaste'd from my comments in the ticket you linked:

> In 0.99.x some of the rules failed entirely, so the entire database was
> dropped. In 0.100, some of the rules failed, but it now allows it to
> partially load the ones that didn't outright fail. However, there appears to
> be a bug wherein at least one that is getting loaded is causing a crash.

It wouldn't be a good fix to go back and change so it drops the whole ruleset because one failed to load. The correct fix would be to detect signature features that aren't supported before we attempt to load them so we can drop them.

I welcome any additional research from the community to help find a fix for this. We have a lot on our plates, and don't have any time dedicated to fix this one ourselves for 0.101.

Regards,
Micah

Micah Snyder
ClamAV Development
Talos
Cisco Systems, Inc.

On Jul 31, 2018, at 7:50 AM, Steve Basford <steveb_cla...@sanesecurity.com> wrote:

> Just posting a little regarding the Yara issue with 0.100.x:
>
> After a little bit of testing last week... here's what was found:
>
> It seems that in ClamAV 0.100.x, if the yara file uses pe.imports *and* has *multiple* rules inside the single Yara file, it seems to crash linux versions of ClamAV.
>
> If the Yara rule uses pe.imports (which btw, isn't supported in ClamAV) and is changed from:
>
> all of ($user*) and pe.imports("advapi32.dll")
>
> to:
>
> all of ($user*)
>
> Then ClamAV doesn't crash in 0.100.x. Whereas leaving the rule intact (in pre 0.100.x) it just didn't crash.
>
> There's a Bugzilla about it here:
> https://bugzilla.clamav.net/show_bug.cgi?id=12077#c14
>
> My little issue is with this statement:
>
> "It wasn't quite clear at the offset of this bug, but ClamAV cannot support unofficial signatures from a development standpoint. For numerous reasons, we do not regress against those signatures, and in cases where sig writers publish non-functional signatures due to insufficient testing (which then cause crashes in newer versions of clam) we cannot devote our resources to fixing that problem." (above Bugzilla)
>
> I can see where the above is coming from generally... *but* it's always been known that the Yara pe module import was an issue... eg:
> https://blog.clamav.net/2015/06/clamav-099b-meets-yara.html
>
> "There are currently a few limitations of YARA rules within ClamAV 0.99 beta1, due either to nonexistent ClamAV capabilities or to YARA features that did not fit well into the ClamAV processing model. We hope to further evaluate and include as much of this functionality as possible in subsequent releases. YARA rules using any of the following features will be flagged in error, and the respective rules will be disabled:
>
> * Modules – A YARA feature intended to provide modular extensions to the YARA core. Modules are normally activated using the import keyword."
>
> So, I feel that the issue is not the fact that ClamAV isn't supporting the import module... but the fact that now ClamAV crashes on 0.100.x where before it didn't.
>
> Yararules won't change their rules which need the pe.import module, because, well, that's how Yara will detect things on non-ClamAV software.
>
> --
> Cheers,
> Steve
> Twitter: @sanesecurity
Re: [clamav-users] After 0.100.1 Update, clamd crashes
Just posting a little regarding the Yara issue with 0.100.x:

After a little bit of testing last week... here's what was found:

It seems that in ClamAV 0.100.x, if the yara file uses pe.imports *and* has *multiple* rules inside the single Yara file, it seems to crash linux versions of ClamAV.

If the Yara rule uses pe.imports (which btw, isn't supported in ClamAV) and is changed from:

all of ($user*) and pe.imports("advapi32.dll")

to:

all of ($user*)

Then ClamAV doesn't crash in 0.100.x. Whereas leaving the rule intact (in pre 0.100.x) it just didn't crash.

There's a Bugzilla about it here:
https://bugzilla.clamav.net/show_bug.cgi?id=12077#c14

My little issue is with this statement:

"It wasn't quite clear at the offset of this bug, but ClamAV cannot support unofficial signatures from a development standpoint. For numerous reasons, we do not regress against those signatures, and in cases where sig writers publish non-functional signatures due to insufficient testing (which then cause crashes in newer versions of clam) we cannot devote our resources to fixing that problem." (above Bugzilla)

I can see where the above is coming from generally... *but* it's always been known that the Yara pe module import was an issue... eg:
https://blog.clamav.net/2015/06/clamav-099b-meets-yara.html

"There are currently a few limitations of YARA rules within ClamAV 0.99 beta1, due either to nonexistent ClamAV capabilities or to YARA features that did not fit well into the ClamAV processing model. We hope to further evaluate and include as much of this functionality as possible in subsequent releases. YARA rules using any of the following features will be flagged in error, and the respective rules will be disabled:

* Modules – A YARA feature intended to provide modular extensions to the YARA core. Modules are normally activated using the import keyword."

So, I feel that the issue is not the fact that ClamAV isn't supporting the import module... but the fact that now ClamAV crashes on 0.100.x where before it didn't.

Yararules won't change their rules which need the pe.import module, because, well, that's how Yara will detect things on non-ClamAV software.

--
Cheers,
Steve
Twitter: @sanesecurity
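Steve's finding above (a multi-rule file referencing pe.imports takes clamd down) and Micah's proposed fix (detect unsupported signature features before the loader ever sees them) both point at the same operational control: filter third-party rule files before they are copied into the database directory. The script below is an added example for this thread, not ClamAV or Yara-Rules code. It assumes that a rule starts at the beginning of a line with an optional private/global modifier and runs to the next such line, and that the module list in UNSUPPORTED_MODULES is the set ClamAV cannot resolve (pe is the one this thread shows failing; the other names are assumed). The sample rule file at the bottom is constructed for the demonstration.

```python
#!/usr/bin/env python3
"""Pre-filter unofficial YARA rule files before they reach ClamAV's database
directory: rules that reference a YARA module ClamAV cannot load are dropped
one at a time, so the rest of the file survives and nothing unparseable is
handed to the loader.  Added example for this thread, not ClamAV code."""
import re
import sys

# Assumed list; 'pe' is the one seen failing with 'undefined identifier "pe"'.
UNSUPPORTED_MODULES = ("pe", "elf", "math", "hash", "cuckoo", "magic", "dotnet")

# A rule begins at line start: [private|global ...] rule <name>
RULE_START = re.compile(
    r"^[ \t]*(?:(?:private|global)[ \t]+)*rule[ \t]+([A-Za-z_][A-Za-z0-9_]*)",
    re.MULTILINE,
)
# An 'import "<module>"' line, including any trailing comment on that line.
IMPORT_LINE = re.compile(r'^[ \t]*import[ \t]+"[^"\n]*"[^\n]*\n?', re.MULTILINE)
# A module reference such as pe.imports(...) or hash.md5(...)
MODULE_REF = re.compile(r"\b(" + "|".join(UNSUPPORTED_MODULES) + r")\.[A-Za-z_]")


def split_rules(text):
    """Split a rule file into (preamble, [(name, rule_text), ...]).

    The preamble is everything before the first rule (imports, comments).
    A 'rule' keyword at line start inside a multi-line string would mis-split;
    that is accepted here for the sake of a loader-independent splitter."""
    starts = list(RULE_START.finditer(text))
    if not starts:
        return text, []
    preamble = text[: starts[0].start()]
    rules = []
    for i, match in enumerate(starts):
        end = starts[i + 1].start() if i + 1 < len(starts) else len(text)
        rules.append((match.group(1), text[match.start():end]))
    return preamble, rules


def unsupported_module(rule_text):
    """Return the first unsupported module a rule references, or None.

    Comments are scanned too, on purpose: dropping one rule needlessly costs
    a little coverage, while a missed reference can take clamd down."""
    match = MODULE_REF.search(rule_text)
    return match.group(1) if match else None


def filter_rules(text):
    """Return (filtered_text, dropped) with dropped = [(name, module), ...].

    Import lines are removed as well: nothing left needs them once every
    module-using rule is gone, and the dropped names are recorded in a
    leading YARA comment so the change is visible in the installed file."""
    preamble, rules = split_rules(text)
    preamble = IMPORT_LINE.sub("", preamble)
    kept, dropped = [], []
    for name, body in rules:
        module = unsupported_module(body)
        if module:
            dropped.append((name, module))
        else:
            kept.append(body)
    banner = "".join(
        "// dropped rule %s: references unsupported module '%s'\n" % (n, m)
        for n, m in dropped
    )
    return banner + preamble + "".join(kept), dropped


# Constructed sample: the pe.imports condition from the thread inside a file
# with two other, string-only rules.  Only Uses_pe_imports should be dropped.
SAMPLE = '''import "pe"

rule Clean_Strings
{
    strings:
        $a = "constructed benign marker"
    condition:
        $a
}

rule Uses_pe_imports
{
    strings:
        $user1 = "constructed_user_marker_1"
        $user2 = "constructed_user_marker_2"
    condition:
        all of ($user*) and pe.imports("advapi32.dll")
}

private rule Mz_Header
{
    strings:
        $mz = { 4D 5A }
    condition:
        $mz at 0
}
'''


def main(argv):
    """Usage: filter_yara.py [input.yar [output.yar]]; no args runs the sample."""
    text = open(argv[1], encoding="utf-8", errors="replace").read() if len(argv) > 1 else SAMPLE
    filtered, dropped = filter_rules(text)
    if len(argv) > 2:
        with open(argv[2], "w", encoding="utf-8") as out:
            out.write(filtered)
    else:
        sys.stdout.write(filtered)
    for name, module in dropped:
        sys.stderr.write("dropped %s (module %s)\n" % (name, module))


if __name__ == "__main__":
    main(sys.argv)
```

Run it over each downloaded .yar/.yara file and install only the filtered output; the dropped rules are listed on stderr and in a comment at the top of the output, so a later diff shows exactly which detections the feed lost. This does not replace a fix in the loader itself, but it keeps an unofficial feed update from turning into the restart loop Paul describes.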
Re: [clamav-users] After 0.100.1 Update, clamd crashes
Thanks, Vladislav, for the quick reply!

That's exactly the problem; deleting *.yar and *.yara solved it!

Cheers,
Martin

-Original Message-
From: clamav-users On Behalf Of Vladislav Kurz
Sent: Tuesday, 31 July 2018 11:22
To: clamav-users@lists.clamav.net
Subject: Re: [clamav-users] After 0.100.1 Update, clamd crashes

On 07/31/18 11:10, Fraenzl, Martin wrote:
> Hi all,
>
> I'm using clamav as scanner for my Exim MTA.
>
> Since I updated from 0.99.4 to 0.100.1, Exim is not able to connect to
> clamd.

If you are using unofficial rules, disable yara rules.

https://github.com/extremeshok/clamav-unofficial-sigs/issues/203

--
best Regards
Vladislav Kurz
Re: [clamav-users] After 0.100.1 Update, clamd crashes
On 07/31/18 11:10, Fraenzl, Martin wrote:
> Hi all,
>
> I'm using clamav as scanner for my Exim MTA.
>
> Since I updated from 0.99.4 to 0.100.1, Exim is not able to connect to
> clamd.

If you are using unofficial rules, disable yara rules.

https://github.com/extremeshok/clamav-unofficial-sigs/issues/203

--
best Regards
Vladislav Kurz