On Wed, Nov 24, 2021 at 10:42 AM Maarten Broekman <
maarten.broek...@gmail.com> wrote:

>
>
> On Wed, Nov 24, 2021 at 10:14 AM Ralf Hildebrandt via clamav-users <
> clamav-users@lists.clamav.net> wrote:
>
>> * Arnaud Jacques via clamav-users <clamav-users@lists.clamav.net>:
>> > Is it just me, or?
>>
>> Same here:
>>
>> # clamdscan -V
>> ClamAV 0.103.4/26363/Wed Nov 24 10:19:30 2021
>>
>> # sigtool -l|tail
>> Doc.Malware.Valyria-6923115-0
>> Xls.Malware.Generic-6923116-0
>> Doc.Malware.00536d-6923117-0
>> Doc.Malware.Valyria-6923118-0
>> Xls.Malware.Sload-6923119-0
>> Xls.Downloader.Powload-6923120-0
>> ERROR: listdb: Malformed pattern line 32300 (file
>> /tmp/clamav-2aa50bd01844b36b876433804b298d0b.tmp/main.ldb)
>> ERROR: listdb: Error listing database
>> /tmp/clamav-2aa50bd01844b36b876433804b298d0b.tmp/main.ldb
>> ERROR: listdb: Can't list directory /var/lib/clamav/main.cld
>> ERROR: listdb: Error listing database /var/lib/clamav/main.cld
>>
>
> I get the same errors, yet clamscan loads things just fine and sigtool is
> able to decode the signature on line 32300 (Doc.Trojan.Agent-6923124-0)
> without a problem.
>
> It definitely seems like an issue with the list-sigs functionality though,
> given the disparity in counts between a count of the lines output by
> sigtool -l and the number of known viruses reported by clamscan (version
> 0.103.3).
>
> $ sigtool -l | wc -l
>  6640592
>
> $ clamscan test.txt
> /Users/mbroekman/Security/test/test.txt: OK
>
> ----------- SCAN SUMMARY -----------
> Known viruses: 8579605
>
> One curious thing is that the Powload signature is *exactly* 8192
> characters in length. From past experience with older versions of ClamAV, I
> thought 8k was the size limit for signatures, including the EOL for the
> database line. I wonder if there's still an issue in the list-sigs
> functionality around that, since clamscan doesn't report database errors.
>
>
A little more information:
There are only 4 signatures in the main.ldb that are over 8k in size. That
powload one is the only one that causes problems. I separated them out into
a new file:

$ wc -l ./test.ldb
       4 ./test.ldb

$ cat test.ldb | awk -F\; '{ print $1 }'
Doc.Dropper.Generic-6922945-0
Win.Adware.Linkury-16152
Win.Adware.Linkury-16148
Xls.Downloader.Powload-6923120-0

When I run "sigtool -l./test.ldb", however, sigtool does something ... odd:
Doc.Dropper.Generic-6922945-0
6c652e57726974652022346634373532343137653332326634333264343635323435343537653331326636643639366536373737326636633639363232663637363336333266366436393665363737373333333232663333333433383432333933323765333132653335326636393665363336633735363436353266373337343634363137323637326536383030356635663637366537353633356637363631356636633639373337343361373432383335326333313239336432383330326333323330323930303566363936663632373536363361353437343238333132633331323933643733333333323566373037343732336132383331326333323239336432613238333032633331333932393263333032633333333233623566363336653734336132383330326333333239326333333332326333333332336235663632363137333635336132383331326333323239326333363334326333333332336235663636366336313637336132383330326333333239326333393336326333333332336235663636363936633635336132383330326333333239326333313332333832633333333233623566363336383631373236323735363633613238333032633333323932633331333633303263333333323362356636323735363637333639376133613238333032633333323932633331333933323263333333323362356637343664373036363665363136643635336132383331326333323239326333323332333432633333333233623666373036353732363137343666373233643361336132383331326333333239336432333238333132633331323932633238333132633334323933643236323833313263333132393263323833313263333532393364326132383331326333313239326332383331326333363239336432363238333132633337323933643662323833313263333132393263323833303263333632393362336135663561346533363566363936663632373536363631353334353532346235333566336233323431326533623566356636323631373336353566363337343666373233613361323833313263333832393364323332383331326333313239326332383330326333363239326332383331326333353239326332383331326333363239326332383330326333363239336233613566356134653336356636393666363237353636343333323435353234623533356633623332343132653362356635663633366636643730356636333734366637323361336132383331326333383239336135663561346533363566363936663632373536363433333134353532346235333566336233323431326533623566356636323631373336353566
3633373436663732336122
Win.Adware.Linkury-16152
Win.Adware.Linkury-16148
Xls.Downloader.Powload-6923120-0
ERROR: listdb: Malformed pattern line 8 (file ./test.ldb)

This seems to indicate that:

   - sigtool isn't reading the entire line from the database file, rather
   it's only reading 8k.
   - The error is *NOT* triggering on those other long signatures because
   there *is* a semi-colon further in the signature file which allows
   sigtool to "think" those long strings of numbers are actually the virus
   names.
   - The error IS triggering on the powload signature because the very next
   read (line 1615: 'while (fgets(buffer, CLI_DEFAULT_LSIG_BUFSIZE, fh)) {' )
   is hitting a newline.


--Maarten


> Ralf Hildebrandt
>> Charité - Universitätsmedizin Berlin
>> Geschäftsbereich IT | Abteilung Netzwerk
>>
>> Campus Benjamin Franklin (CBF)
>> Haus I | 1. OG | Raum 105
>> Hindenburgdamm 30 | D-12203 Berlin
>>
>> Tel. +49 30 450 570 155
>> ralf.hildebra...@charite.de
>> https://www.charite.de
>>
>> _______________________________________________
>>
>> clamav-users mailing list
>> clamav-users@lists.clamav.net
>> https://lists.clamav.net/mailman/listinfo/clamav-users
>>
>>
>> Help us build a comprehensive ClamAV guide:
>> https://github.com/vrtadmin/clamav-faq
>>
>> http://www.clamav.net/contact.html#ml
>>
>
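Added example, not part of the original message and not ClamAV code: a minimal C reproduction of the fixed-buffer `fgets()` failure mode described in the message above, next to a reader that tracks whether each chunk ended in a newline. The 16-byte `BUFSZ`, the names `list_names` and `run`, and the sample records are constructed for illustration and scaled down from the 8k case.

```c
#include <stdio.h>
#include <string.h>

#define BUFSZ 16 /* assumption: scaled-down stand-in for the real line buffer */

/* Constructed sample, 3 records of "name;body". Record 2 overflows the buffer
 * and has a ';' in its tail; record 3 is exactly BUFSZ bytes including EOL. */
static const char *SAMPLE =
    "A;1\n"
    "LongName;aaaaaaaaaaaaaaaa;bb\n"
    "Exact;123456789\n";

/* Returns the number of names listed; *bad_line is the first "line" without
 * a ';' (0 = none). track_eol=0 treats every fgets() chunk as a full record
 * (the failure mode); track_eol=1 parses only the first chunk of each line. */
static int list_names(FILE *fh, int track_eol, int *bad_line) {
    char buf[BUFSZ];
    int names = 0, line = 0, at_start = 1;
    *bad_line = 0;
    while (fgets(buf, sizeof buf, fh)) {
        if (at_start) {
            line++;
            if (!strchr(buf, ';')) { *bad_line = line; break; }
            names++; /* text before ';' would be printed as the name */
        }
        /* No '\n' in the chunk means the physical line continues. */
        if (track_eol) at_start = strchr(buf, '\n') != NULL;
    }
    return names;
}

/* Writes SAMPLE to a temporary file and lists it in the chosen mode. */
static int run(int track_eol, int *bad_line) {
    FILE *fh = tmpfile();
    if (!fh) return -1;
    fputs(SAMPLE, fh);
    rewind(fh);
    int n = list_names(fh, track_eol, bad_line);
    fclose(fh);
    return n;
}

int main(void) {
    int bad, n = run(0, &bad);
    printf("per-chunk: %d names, malformed at line %d\n", n, bad);
    n = run(1, &bad);
    printf("eol-aware: %d names, malformed at line %d\n", n, bad);
    return 0;
}
```

In per-chunk mode the tail of record 2 is listed as a phantom name, and the lone newline left over from record 3 is reported as malformed line 5 of a three-line file.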