Chambers, Phil wrote:
> I have a local ndb file containing signatures of some spear phishing
> attacks targeted specifically at us.
> 
> I recently added another signature and it caused clamd to shut down!

I'm afraid I can't help much with solving your problem, but I certainly 
know what you're going through.  FWIW, I *always* tested new local 
signatures as suggested further down the thread before loading them into 
the live production servers for exactly this reason.

Look back in the list archives to late October 2006 for a thread I 
started in a similar vein;  "Complexity limit on (custom) signatures".

> 1) Surely clamd should log the problem but skip the faulty signature and
> carry on?

Apparently not;  ClamAV has behaved this way for quite some time.

> 2)  I have gone through my new signature time and time again and
> compared it with others that are fine and I can't find anything wrong
> with it!

Here are some of the theories I came up with while creating sigs for 
image-based spam:

Signature may be too long (unlikely, I found a few that were ~2K 
characters IIRC).  FWIW some of the autogenerated sigs I created at one 
time went from "don't work" to "works" just by trimming bytes off the 
end of the sig - I don't think this was an absolute length issue though 
as several longer sigs worked just fine.

Signature has too many {nn} gaps.

Signature has too many fixed blocks separated by variable-content/length 
blocks.

Signature has a {nn} gap too close to one end or the other of the fixed 
data.

Signature has a {nn} gap that's too big.

> I have looked at the source code and there are numerous places where it
> detects problems with signature, but they all generate the same failure
> message: "Malformed database".
> 
> It is going to take me a very long time to patch the code to make it
> generate different error messages for each case where a signature can be
> malformed, so that I can diagnose my problem, but I see no alternative.

If you do this, submit it upstream please!

-kgd
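
An added example, not part of the original message and not ClamAV code: a small pre-load profiler for `.ndb` lines that measures the properties the theories above are about (gap count, largest gap, number of fixed blocks, size of the first and last fixed block), so a failing signature can be compared with working ones. The function name and sample lines are constructed; it encodes no ClamAV limits and does not parse `(aa|bb)` alternation groups.

```python
import re

GAP = re.compile(r"\{[^{}]*\}|\*")            # {n}, {-n}, {n-}, {n-m} or *
BOUNDS = re.compile(r"\{(\d+)?(-)?(\d+)?\}")
FIXED = re.compile(r"(?:[0-9a-fA-F?]{2})+")   # whole bytes; ? is a nibble wildcard

def profile_signature(line):
    """Return (problems, metrics) for one .ndb line. Nothing is compared
    against ClamAV limits; the metrics are only measured and reported."""
    problems, metrics = [], {}
    fields = line.strip().split(":")
    if not 4 <= len(fields) <= 6:
        return [f"expected 4-6 colon-separated fields, got {len(fields)}"], metrics
    name, target, _offset, body = fields[:4]
    if not name:
        problems.append("empty signature name")
    if not target.isdigit():
        problems.append(f"target type {target!r} is not a number")
    bounded = []                               # upper bound of each {..} gap
    for gap in GAP.findall(body):
        if gap == "*":
            continue
        m = BOUNDS.fullmatch(gap)
        if not m or (m.group(1) is None and m.group(3) is None):
            problems.append(f"unparseable gap {gap!r}")
            continue
        lo = int(m.group(1) or 0)
        hi = int(m.group(3)) if m.group(3) else (None if m.group(2) else lo)
        if hi is not None and lo > hi:
            problems.append(f"gap {gap!r} has min > max")
        bounded.append(hi if hi is not None else lo)
    blocks = GAP.split(body)                   # fixed data between the gaps
    for i, block in enumerate(blocks):
        if not block:
            problems.append(f"fixed block {i} is empty (gap at an end or two adjacent gaps)")
        elif not FIXED.fullmatch(block):
            problems.append(f"fixed block {i} is not whole hex bytes: {block!r}")
    metrics.update(body_chars=len(body), gap_count=len(blocks) - 1,
                   fixed_blocks=sum(1 for b in blocks if b),
                   max_bounded_gap=max(bounded, default=0),
                   first_block_bytes=len(blocks[0]) // 2,
                   last_block_bytes=len(blocks[-1]) // 2)
    return problems, metrics

# Constructed sample lines, not real signatures.
SAMPLES = ["Local.Phish.Test-1:4:*:68656c6c6f{4-10}776f726c64*4142",
           "Local.Phish.Test-2:4:*:6865{12}6c6c6g",
           "Local.Phish.Test-3:4:*:{8}414243"]
if __name__ == "__main__":
    for s in SAMPLES:
        print(s.split(":")[0], *profile_signature(s))
```

A clean report here only means the line parsed under these assumptions; the signature still needs to be loaded and tested outside production before going live.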