Bug#902899: me too

2018-08-20 Thread Matija Nalis
On Tue, Jul 10, 2018 at 08:01:56AM +0200, Sebastian Andrzej Siewior wrote:
> On 2018-07-09 22:45:15 [+0200], Matija Nalis wrote:
> > I got bitten by this too in jessie-updates (after wasting some time
> > being *sure* local signature I was just creating at the time made
> > clamd crash silently)...
> 
> wasn't there an assert which made clamd exit?

no, /var/log/clamav* does not contain any info about clamd crash
(which made it hard to debug), and that system does not use systemd
(so no information from systemd journal like the OP).

Only when one runs "clamscan" manually (or debugs clamd+clamdscan
manually outside the Debian startup scripts) did I see:
"clamscan: yara_exec.c:177: yr_execute_code: Assertion `sp == 0' failed."

-- 
Opinions above are GNU-copylefted.



Bug#902899: me too

2018-07-09 Thread Matija Nalis
I got bitten by this too in jessie-updates (after wasting some time
being *sure* local signature I was just creating at the time made
clamd crash silently)...

I did:
  rm -f /var/lib/clamav/*.yar 
(just removing "antidebug_antivm.yar" was not enough)

and put:
  enable_yararules=""

in /etc/clamav-unofficial-sigs/user.conf

and after restarting clamd, it seems to work fine...
Hopefully it won't download them again.

Still wondering how much protection is lost without YARA rules?



Bug#902899: me too

2018-07-09 Thread Sebastian Andrzej Siewior
On 2018-07-09 22:45:15 [+0200], Matija Nalis wrote:
> I got bitten by this too in jessie-updates (after wasting some time
> being *sure* local signature I was just creating at the time made
> clamd crash silently)...

wasn't there an assert which made clamd exit?

…
> Still wondering how much protection is lost without YARA rules?
Go through your log files and check for yourself how many mails were
checked positive with one of the rules.

I don't know if all rules were broken or just one. The earlier release
just ignored the broken/wrong rule.

Sebastian
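
One way to do the log check suggested above, as an added example that is not part of the original thread. It assumes the clamd/clamscan log reports YARA matches as "YARA.<rule>.UNOFFICIAL FOUND"; the function names, log lines and rule names below are constructed for illustration.

```shell
#!/bin/sh
# Added example: measure how much detection came from YARA rules by
# counting "FOUND" lines in a clamd/clamscan log.
# Assumption: YARA matches are logged as "YARA.<rule>.UNOFFICIAL FOUND".

# yara_hits LOGFILE -> "<count> <signature>" per YARA rule, most frequent first
yara_hits() {
    awk '$NF == "FOUND" && $(NF-1) ~ /^YARA\./ { n[$(NF-1)]++ }
         END { for (s in n) print n[s], s }' "$1" | sort -k1,1nr -k2,2
}

# yara_share LOGFILE -> "<YARA detections> <all detections>"
yara_share() {
    awk '$NF == "FOUND" { all++; if ($(NF-1) ~ /^YARA\./) y++ }
         END { print y + 0, all + 0 }' "$1"
}

# Constructed sample log (hypothetical paths and rule names).
sample_log() {
    cat <<'EOF'
Mon Jul  9 21:58:02 2018 -> /var/spool/mail/tmp/msg-0001: YARA.Sample_Rule_A.UNOFFICIAL FOUND
Mon Jul  9 22:03:40 2018 -> /var/spool/mail/tmp/msg-0002: Eicar-Test-Signature FOUND
Mon Jul  9 22:10:11 2018 -> /var/spool/mail/tmp/msg-0003: YARA.Sample_Rule_A.UNOFFICIAL FOUND
Mon Jul  9 22:15:27 2018 -> /var/spool/mail/tmp/msg-0004: YARA.Sample_Rule_B.UNOFFICIAL FOUND
Mon Jul  9 22:20:00 2018 -> /var/spool/mail/tmp/msg-0005: OK
Mon Jul  9 22:21:00 2018 -> SelfCheck: Database status OK.
EOF
}

# Demo on the constructed log; point the functions at a real log instead.
log=$(mktemp)
sample_log > "$log"
echo "Hits per YARA rule:"
yara_hits "$log"
echo "YARA detections vs. all detections: $(yara_share "$log")"
rm -f "$log"
```

A result of "0 N" from yara_share over the period before the rules were removed means no detection in that log depended on them.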