Thanks for the analysis, Steve. That is a step towards understanding how to fix it.

I don't believe it's a new bug in 0.100, but was merely revealed due to legitimate improvements in the yara sig loading behavior. Copy-pasted from my comments in the ticket you linked:

> In 0.99.x some of the rules failed entirely, so the entire database was
> dropped. In 0.100, some of the rules failed, but it now allows it to
> partially load the ones that didn't outright fail. However, there appears to
> be a bug wherein at least one that is getting loaded is causing a crash.

It wouldn't be a good fix to go back and change so it drops the whole ruleset because one failed to load. The correct fix would be to detect signature features that aren't supported before we attempt to load them so we can drop them.

I welcome any additional research from the community to help find a fix for this. We have a lot on our plates, and don't have any time dedicated to fix this one ourselves for 0.101.

Regards,
Micah

Micah Snyder
ClamAV Development
Talos
Cisco Systems, Inc.

On Jul 31, 2018, at 7:50 AM, Steve Basford <steveb_cla...@sanesecurity.com> wrote:

> Just posting a little regarding the Yara issue with 0.100.x:
>
> After a little bit of testing last week... here's what was found:
>
> It seems that in ClamAV 0.100.x if the yara file uses pe.imports *and* has *multiple* rules inside the single Yara file, it seems to crash linux versions of ClamAV.
>
> If the Yara rule uses pe.imports (which btw, isn't supported in ClamAV) and changed from:
>
>     all of ($user*) and pe.imports("advapi32.dll")
>
> to:
>
>     all of ($user*)
>
> Then ClamAV doesn't crash in 0.100.x. Whereas leaving the rule intact (in pre 0.100.x) it just didn't crash.
>
> There's a Bugzilla about it here: https://bugzilla.clamav.net/show_bug.cgi?id=12077#c14
>
> My little issue is with this statement:
>
> "It wasn't quite clear at the offset of this bug, but ClamAV cannot support unofficial signatures from a development standpoint. For numerous reasons, we do not regress against those signatures, and in cases where sig writers publish non-functional signatures due to insufficient testing (which then cause crashes in newer versions of clam) we cannot devote our resources to fixing that problem." (above Bugzilla)
>
> I can see where the above is coming from generally... *but* it's always been known that Yara pe module import was an issue... eg: https://blog.clamav.net/2015/06/clamav-099b-meets-yara.html
>
> "There are currently a few limitations of YARA rules within ClamAV 0.99 beta1, due either to nonexistent ClamAV capabilities or to YARA features that did not fit well into the ClamAV processing model. We hope to further evaluate and include as much of this functionality as possible in subsequent releases. YARA rules using any of the following features will be **** flagged in error, and the respective rules will be disabled **** :
>
> * Modules – A YARA feature intended to provide modular extensions to the YARA core. Modules are normally activated using the import keyword."
>
> So, I feel that the issue is not the fact that ClamAV isn't supporting the import module... but the fact that now ClamAV crashes on 0.100.x where before it didn't.
>
> Yararules won't change their rules which need the pe.import module, because well, that's how Yara will detect things on non-ClamAV software.
>
> --
> Cheers,
> Steve
> Twitter: @sanesecurity

_______________________________________________
clamav-users mailing list
clamav-users@lists.clamav.net
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users

Help us build a comprehensive ClamAV guide: https://github.com/vrtadmin/clamav-faq
http://www.clamav.net/contact.html#ml
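Micah's proposed fix above is to detect unsupported signature features before loading, so that the offending rules are dropped while the rest of the file still loads. The pre-filter below, added here as an example and not ClamAV's code nor anything posted in this thread, does the same thing on the signature-consumer side: it splits a YARA file into rules and drops every rule whose condition references a YARA module (the feature the 2015 blog post quoted by Steve says ClamAV disables), keeping the others. The module list, the sample ruleset and the simplified YARA parsing (double-quoted strings and comments are handled; regex literals are assumed to contain only balanced braces) are assumptions of this example.

```python
import re

# Constructed sample ruleset for this example (not taken from the thread).
# The first rule uses the YARA "pe" module, which ClamAV flags and does not load;
# the second exercises braces inside hex strings, comments and quoted strings.
SAMPLE_RULESET = r'''
// third-party ruleset, constructed for this example
import "pe"

rule uses_pe_imports
{
    strings:
        $user1 = "CreateUserA"
        $user2 = "NetUserAdd"
    condition:
        all of ($user*) and pe.imports("advapi32.dll")
}

/* braces in comments { must not confuse the splitter */
rule plain_strings
{
    strings:
        $a = { 4D 5A 90 00 }
        $b = "evil}string"
        $c = "pe.imports"   // module name inside a string literal is not a module use
    condition:
        $a and $b and $c
}
'''

# Assumption: every YARA module is unsupported by ClamAV, per the 2015 blog post
# quoted in the thread. These are the module names shipped with upstream YARA at
# the time; anything the file itself imports is added at run time.
KNOWN_MODULES = {"pe", "elf", "cuckoo", "magic", "hash", "math", "dotnet"}

_STRING_LIT = r'"(?:\\.|[^"\\])*"'
_TOKEN = re.compile(_STRING_LIT + r'|//[^\n]*|/\*.*?\*/', re.DOTALL)
_IMPORT = re.compile(r'^\s*import\s+"([^"]+)"\s*$', re.MULTILINE)
_RULE_HDR = re.compile(r'^[ \t]*(?:(?:private|global)[ \t]+)*rule[ \t]+([A-Za-z_]\w*)', re.MULTILINE)


def strip_comments(text):
    """Remove // and /* */ comments while leaving quoted strings untouched."""
    return _TOKEN.sub(lambda m: m.group(0) if m.group(0).startswith('"') else "", text)


def _block_end(text, start):
    """Index just past the '}' matching the '{' at text[start].
    Skips double-quoted strings; braces in hex strings and regex quantifiers
    are balanced, so plain depth counting handles them."""
    depth, i, n = 0, start, len(text)
    while i < n:
        c = text[i]
        if c == '"':
            i += 1
            while i < n and text[i] != '"':
                i += 2 if text[i] == "\\" else 1   # skip escaped characters
        elif c == "{":
            depth += 1
        elif c == "}":
            depth -= 1
            if depth == 0:
                return i + 1
        i += 1
    raise ValueError("unbalanced braces in ruleset")


def split_rules(text):
    """Return [(name, source)] for each rule in comment-free YARA text."""
    rules, pos = [], 0
    while (m := _RULE_HDR.search(text, pos)):
        end = _block_end(text, text.index("{", m.end()))
        rules.append((m.group(1), text[m.start():end]))
        pos = end
    return rules


def modules_used(rule_src, modules):
    """Module names referenced in the rule's condition (string literals blanked first)."""
    body = re.sub(_STRING_LIT, '""', rule_src)
    cond = body.split("condition:", 1)[-1]
    # lookbehind keeps $pe / #pe / @pe / !pe string references from matching
    ref = re.compile(r"(?<![\w$#@!])(" + "|".join(sorted(modules)) + r")\.")
    return sorted({m.group(1) for m in ref.finditer(cond)})


def filter_ruleset(text):
    """Return (cleaned ruleset text, [(rule name, modules)] that were dropped).
    Import lines are dropped as well, since ClamAV flags them."""
    clean = strip_comments(text)
    modules = KNOWN_MODULES | set(_IMPORT.findall(clean))
    kept, dropped = [], []
    for name, src in split_rules(clean):
        used = modules_used(src, modules)
        if used:
            dropped.append((name, used))
        else:
            kept.append(src)
    return "\n\n".join(kept) + "\n", dropped


if __name__ == "__main__":
    cleaned, dropped = filter_ruleset(SAMPLE_RULESET)
    for name, mods in dropped:
        print(f"dropped rule {name}: uses module(s) {', '.join(mods)}")
    print(cleaned)
```

Run against the sample, `uses_pe_imports` is reported as dropped because of `pe` and only `plain_strings` is written out; the cleaned text is what you would hand to ClamAV. The check is deliberately limited to the condition with string literals blanked, so a pattern such as `"pe.imports"` in the strings section does not cause a false drop.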