I have a local ndb file containing signatures of some spear phishing attacks targeted specifically at us.
I recently added another signature and it caused clamd to shut down! Two points:

1) Surely clamd should log the problem but skip the faulty signature and carry on? I am now extremely concerned about creating new signatures because of the risk of taking clamd out, with the serious consequences that that entails.

2) I have gone through my new signature time and time again and compared it with others that are fine and I can't find anything wrong with it! I have looked at the source code and there are numerous places where it detects problems with a signature, but they all generate the same failure message: "Malformed database". It is going to take me a very long time to patch the code to make it generate different error messages for each case where a signature can be malformed, so that I can diagnose my problem, but I see no alternative. That is, unless there is a tool available to check signatures before they are installed.

Does anyone have any suggestions?

The failing signature is:

Email.Phishing.Exeter.0002:0:0,6:44656172{-18}537562736372696265722c{-4}5765{-4}617265{-4}63757272656e746c79{-4}6361727279696e672d6f7574{-4}61{-4}6d656e7461696e616e6365{-4}70726f63657373{-4}746f{-4}796f7572{-18}6163636f756e742c{-4}746f{-4}636f6d706c657465{-4}74686973

Cheers, Phil.

--------------------
Phil Chambers
Postmaster
University of Exeter
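A pre-install check of the kind the post asks for, as an added example that is not part of the original message and is not ClamAV code. It handles only the subset of .ndb body syntax used in the posted signature (plain hex, `{...}` gaps, `*`); the function name and the two-byte minimum for each fixed run between wildcards are assumptions made here.

```python
import re

MIN_STATIC_BYTES = 2  # assumption: shortest fixed hex run accepted between wildcards
GAP = re.compile(r"\{(\d*)(-?)(\d*)\}|\*")  # {n}, {-n}, {n-}, {n-m} and '*'

# The signature from the post, kept in the 72-column pieces the mail was wrapped into.
POSTED = (
    "Email.Phishing.Exeter.0002:0:0,6:44656172{-18}537562736372696265722c{-4}"
    "5765{-4}617265{-4}63757272656e746c79{-4}6361727279696e672d6f7574{-4}61{-"
    "4}6d656e7461696e616e6365{-4}70726f63657373{-4}746f{-4}796f7572{-18}61636"
    "36f756e742c{-4}746f{-4}636f6d706c657465{-4}74686973"
)

def lint_ndb_line(line):
    """Return a list of problems found in one .ndb line (empty list: none found)."""
    problems = []
    if re.search(r"\s", line.strip()):
        problems.append("whitespace inside signature (mail or editor line wrap?)")
    fields = re.sub(r"\s+", "", line).split(":")
    if len(fields) < 4:
        return problems + ["expected Name:TargetType:Offset:HexSignature"]
    target, body = fields[1], fields[3]
    if not target.isdigit():
        problems.append(f"target type {target!r} is not a number")
    runs, pos = [], 0  # fixed hex runs between gaps, with their position in the body
    for m in GAP.finditer(body):
        runs.append((body[pos:m.start()], pos))
        lo, _, hi = m.groups(default="")
        if m.group(0) != "*" and not (lo or hi):
            problems.append(f"empty wildcard {m.group(0)} at {m.start()}")
        elif lo and hi and int(lo) > int(hi):
            problems.append(f"wildcard {m.group(0)} at {m.start()} has min > max")
        pos = m.end()
    runs.append((body[pos:], pos))
    for run, at in runs:
        if not re.fullmatch(r"[0-9a-fA-F]*", run):
            problems.append(f"unsupported characters in {run!r} at {at}")
        elif len(run) % 2:
            problems.append(f"odd number of hex digits in {run!r} at {at}")
        elif len(run) // 2 < MIN_STATIC_BYTES:
            problems.append(
                f"fixed run {run!r} at {at} is shorter than {MIN_STATIC_BYTES} bytes")
    return problems

if __name__ == "__main__":
    for problem in lint_ndb_line(POSTED):
        print(problem)
```

A new database file can also be loaded in a separate process with `clamscan -d local.ndb somefile` (file names are placeholders) before it is copied to where clamd reads it, so a load failure does not affect the running daemon.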