
antidebug_antivm.yar & EMAIL_Cryptowall.yar crashes ClamAV 0.100 on Solaris #203

Open
awatkins1966 opened this issue Apr 16, 2018 · 13 comments

@awatkins1966

commented Apr 16, 2018

Hi,
Is anyone else getting the same?

If EMAIL_Cryptowall.yar & antidebug_antivm.yar are used I get core dump on clamav 0.100. Previous versions gave errors but never crashed.

$ /usr/local/clamav0100/bin/clamscan   -r /home/andrew/public/mdefang-l8HAMKFh010488/Work
LibClamAV Error: yyerror(): /usr/local/clamav0100/share/clamav/winnow_malware.yara line 84 duplicate identifier "CryptoWall_Resume_phish"
LibClamAV Warning: cli_loadyara: failed to parse or load 1 yara rules from file /usr/local/clamav0100/share/clamav/winnow_malware.yara, successfully loaded 8 rules.
LibClamAV Error: yyerror(): /usr/local/clamav0100/share/clamav/antidebug_antivm.yar line 497 undefined identifier "pe"
LibClamAV Error: yyerror(): /usr/local/clamav0100/share/clamav/antidebug_antivm.yar line 512 undefined identifier "pe"
LibClamAV Error: yyerror(): /usr/local/clamav0100/share/clamav/antidebug_antivm.yar line 528 undefined identifier "pe"
LibClamAV Error: yyerror(): /usr/local/clamav0100/share/clamav/antidebug_antivm.yar line 544 undefined identifier "pe"
LibClamAV Error: yyerror(): /usr/local/clamav0100/share/clamav/antidebug_antivm.yar line 557 undefined identifier "pe"
LibClamAV Error: yyerror(): /usr/local/clamav0100/share/clamav/antidebug_antivm.yar line 603 undefined identifier "pe"
LibClamAV Error: yyerror(): /usr/local/clamav0100/share/clamav/antidebug_antivm.yar line 614 undefined identifier "pe"
LibClamAV Warning: cli_loadyara: failed to parse or load 7 yara rules from file /usr/local/clamav0100/share/clamav/antidebug_antivm.yar, successfully loaded 92 rules.
/home/andrew/public/mdefang-l8HAMKFh010488/Work/e/WormVirus: Win.Worm.Mydoom-90 FOUND
/home/andrew/public/mdefang-l8HAMKFh010488/Work/WormVirus: Win.Worm.Mydoom-90 FOUND
Assertion failed: sp == 0, file yara_exec.c, line 177
Abort (core dumped)

Just proof that it works without these 2 files:

$ cd /usr/local/clamav0100/share/clamav/
$ rm antidebug_antivm.yar EMAIL_Cryptowall.yar

$ /usr/local/clamav0100/bin/clamscan   -r /home/andrew/public/mdefang-l8HAMKFh010488/Work
/home/andrew/public/mdefang-l8HAMKFh010488/Work/e/WormVirus: Win.Worm.Mydoom-90 FOUND
/home/andrew/public/mdefang-l8HAMKFh010488/Work/WormVirus: Win.Worm.Mydoom-90 FOUND
/home/andrew/public/mdefang-l8HAMKFh010488/Work/virus.zip: OK
/home/andrew/public/mdefang-l8HAMKFh010488/Work/WormVirus.zip: Win.Worm.Mydoom-90 FOUND
/home/andrew/public/mdefang-l8HAMKFh010488/Work/PhishingMail: Heuristics.Phishing.Email.SpoofedDomain FOUND
/home/andrew/public/mdefang-l8HAMKFh010488/Work/PhishingMail: Heuristics.Phishing.Email.SpoofedDomain FOUND
/home/andrew/public/mdefang-l8HAMKFh010488/Work/PhishingMail: Sanesecurity.Phishing.Cur.835.UNOFFICIAL FOUND

----------- SCAN SUMMARY -----------
Known viruses: 10619139
Engine version: 0.100.0
Scanned directories: 2
Scanned files: 5
Infected files: 4
Data scanned: 0.11 MB
Data read: 0.11 MB (ratio 1.07:1)
Time: 39.081 sec (0 m 39 s)

Any comments?

Cheers
Andrew

@Warter21


commented Apr 17, 2018

It is the same on Linux (Slackware).

@amishmm


commented May 11, 2018

Same on Arch Linux - clamd fails with
clamd[1893]: clamd: yara_exec.c:177: yr_execute_code: Assertion `sp == 0' failed.

Since clamav 0.100 (which I updated today)

@vladki77


commented Jun 25, 2018

Same on Debian 8 after the last update (0.99 -> 0.100).
There were other warnings/errors about broken yara rules even before, but none of them fatal.

@Whichcraft


commented Jun 25, 2018

Can confirm for Debian Jessie.

libclamav7:amd64 (0.99.2+dfsg-0+deb8u3, 0.100.0+dfsg-0+deb8u1)
clamav-daemon:amd64 (0.99.2+dfsg-0+deb8u3, 0.100.0+dfsg-0+deb8u1)
clamav-freshclam:amd64 (0.99.2+dfsg-0+deb8u3, 0.100.0+dfsg-0+deb8u1)

syslog:

Jun 25 19:12:57 mail amavis[3777]: (03777-16) (!)ClamAV-clamd: Empty result from /var/run/clamav/clamd.ctl, retrying (2)
Jun 25 19:12:57 mail amavis[3774]: (03774-17) (!)ClamAV-clamd: Empty result from /var/run/clamav/clamd.ctl, retrying (2)
Jun 25 19:12:57 mail amavis[3775]: (03775-14) (!)ClamAV-clamd: Empty result from /var/run/clamav/clamd.ctl, retrying (2)
Jun 25 19:12:57 mail amavis[3778]: (03778-12) (!)ClamAV-clamd: Empty result from /var/run/clamav/clamd.ctl, retrying (2)
Jun 25 19:13:14 mail clamd[11406]: LibClamAV Error: yyerror(): /var/lib/clamav/maldoc_somerules.yar line 235 undefined identifier "uint32be"
Jun 25 19:13:14 mail clamd[11406]: LibClamAV Warning: cli_loadyara: failed to parse or load 1 yara rules from file /var/lib/clamav/maldoc_somerules.yar, successfully loaded 14 rules.
Jun 25 19:13:14 mail clamd[11406]: LibClamAV Error: yyerror(): /var/lib/clamav/packer.yar line 103 undefined identifier "pe"
[...]
Jun 25 19:13:17 mail clamd[11406]: LibClamAV Error: yyerror(): /var/lib/clamav/packer.yar line 20171 undefined identifier "pe"
Jun 25 19:13:17 mail clamd[11406]: LibClamAV Error: cli_ac_addsig: Can't find a static subpattern of length 2
Jun 25 19:13:17 mail clamd[11406]: LibClamAV Error: cli_parse_add(): Problem adding signature (3).
Jun 25 19:13:17 mail clamd[11406]: LibClamAV Warning: load_oneyara[verify]: recovered from database loading error
Jun 25 19:13:17 mail clamd[11406]: LibClamAV Warning: load_oneyara[verify]: string failed test insertion: $a0
Jun 25 19:13:17 mail clamd[11406]: LibClamAV Warning: load_oneyara: clamav cannot support 1 input strings, skipping YARA.AsCryptv01SToRM1
Jun 25 19:13:17 mail clamd[11406]: LibClamAV Warning: cli_loadyara: problem parsing yara file /var/lib/clamav/packer.yar, yara rule AsCryptv01SToRM1
Jun 25 19:13:17 mail clamd[11406]: LibClamAV Error: parse_yara_hex_string: Single byte subpatterns unsupported in ClamAV
Jun 25 19:13:17 mail clamd[11406]: LibClamAV Error: load_oneyara: error in parsing yara hex string
Jun 25 19:13:17 mail clamd[11406]: LibClamAV Warning: load_oneyara: clamav cannot support 1 input strings, skipping YARA.winrar_sfx
Jun 25 19:13:17 mail clamd[11406]: LibClamAV Warning: cli_loadyara: problem parsing yara file /var/lib/clamav/packer.yar, yara rule winrar_sfx
Jun 25 19:13:17 mail clamd[11406]: LibClamAV Error: parse_yara_hex_string: Single byte subpatterns unsupported in ClamAV
Jun 25 19:13:17 mail clamd[11406]: LibClamAV Error: load_oneyara: error in parsing yara hex string
Jun 25 19:13:17 mail clamd[11406]: LibClamAV Warning: load_oneyara: clamav cannot support 1 input strings, skipping YARA.mew_11_xx
Jun 25 19:13:17 mail clamd[11406]: LibClamAV Warning: cli_loadyara: problem parsing yara file /var/lib/clamav/packer.yar, yara rule mew_11_xx
Jun 25 19:13:17 mail clamd[11406]: LibClamAV Warning: cli_loadyara: failed to parse or load 1398 yara rules from file /var/lib/clamav/packer.yar, successfully loaded 265 rules.
Jun 25 19:13:18 mail clamd[11406]: LibClamAV Error: yyerror(): /var/lib/clamav/antidebug_antivm.yar line 497 undefined identifier "pe"
Jun 25 19:13:18 mail clamd[11406]: LibClamAV Error: yyerror(): /var/lib/clamav/antidebug_antivm.yar line 512 undefined identifier "pe"
Jun 25 19:13:18 mail clamd[11406]: LibClamAV Error: yyerror(): /var/lib/clamav/antidebug_antivm.yar line 528 undefined identifier "pe"
Jun 25 19:13:18 mail clamd[11406]: LibClamAV Error: yyerror(): /var/lib/clamav/antidebug_antivm.yar line 544 undefined identifier "pe"
Jun 25 19:13:18 mail clamd[11406]: LibClamAV Error: yyerror(): /var/lib/clamav/antidebug_antivm.yar line 557 undefined identifier "pe"
Jun 25 19:13:18 mail clamd[11406]: LibClamAV Error: yyerror(): /var/lib/clamav/antidebug_antivm.yar line 603 undefined identifier "pe"
Jun 25 19:13:18 mail clamd[11406]: LibClamAV Error: yyerror(): /var/lib/clamav/antidebug_antivm.yar line 614 undefined identifier "pe"
Jun 25 19:13:18 mail clamd[11406]: LibClamAV Warning: cli_loadyara: failed to parse or load 7 yara rules from file /var/lib/clamav/antidebug_antivm.yar, successfully loaded 92 rules.
Jun 25 19:13:47 mail clamd[11406]: Mon Jun 25 19:13:47 2018 -> Limits: Global size limit set to 104857600 bytes.
Jun 25 19:13:47 mail clamd[11406]: Mon Jun 25 19:13:47 2018 -> Limits: File size limit set to 26214400 bytes.
Jun 25 19:13:47 mail clamd[11406]: Mon Jun 25 19:13:47 2018 -> Limits: Recursion level limit set to 10.
Jun 25 19:13:47 mail clamd[11406]: Mon Jun 25 19:13:47 2018 -> Limits: Files limit set to 10000.
Jun 25 19:13:47 mail clamd[11406]: Mon Jun 25 19:13:47 2018 -> Limits: MaxEmbeddedPE limit set to 10485760 bytes.
Jun 25 19:13:47 mail clamd[11406]: Mon Jun 25 19:13:47 2018 -> Limits: MaxHTMLNormalize limit set to 10485760 bytes.
Jun 25 19:13:47 mail clamd[11406]: Mon Jun 25 19:13:47 2018 -> Limits: MaxHTMLNoTags limit set to 2097152 bytes.
Jun 25 19:13:47 mail clamd[11406]: Mon Jun 25 19:13:47 2018 -> Limits: MaxScriptNormalize limit set to 5242880 bytes.
Jun 25 19:13:47 mail clamd[11406]: Mon Jun 25 19:13:47 2018 -> Limits: MaxZipTypeRcg limit set to 1048576 bytes.
Jun 25 19:13:47 mail clamd[11406]: Mon Jun 25 19:13:47 2018 -> Limits: MaxPartitions limit set to 50.
Jun 25 19:13:47 mail clamd[11406]: Mon Jun 25 19:13:47 2018 -> Limits: MaxIconsPE limit set to 100.
Jun 25 19:13:47 mail clamd[11406]: Mon Jun 25 19:13:47 2018 -> Limits: MaxRecHWP3 limit set to 16.
Jun 25 19:13:47 mail clamd[11406]: Mon Jun 25 19:13:47 2018 -> Limits: PCREMatchLimit limit set to 10000.
Jun 25 19:13:47 mail clamd[11406]: Mon Jun 25 19:13:47 2018 -> Limits: PCRERecMatchLimit limit set to 5000.
Jun 25 19:13:47 mail clamd[11406]: Mon Jun 25 19:13:47 2018 -> Limits: PCREMaxFileSize limit set to 26214400.
Jun 25 19:13:47 mail clamd[11406]: Mon Jun 25 19:13:47 2018 -> Archive support enabled.
Jun 25 19:13:47 mail clamd[11406]: Mon Jun 25 19:13:47 2018 -> BlockMax heuristic detection disabled.
Jun 25 19:13:47 mail clamd[11406]: Mon Jun 25 19:13:47 2018 -> Algorithmic detection enabled.
Jun 25 19:13:47 mail clamd[11406]: Mon Jun 25 19:13:47 2018 -> Portable Executable support enabled.
Jun 25 19:13:47 mail clamd[11406]: Mon Jun 25 19:13:47 2018 -> ELF support enabled.
Jun 25 19:13:47 mail clamd[11406]: Mon Jun 25 19:13:47 2018 -> Mail files support enabled.
Jun 25 19:13:47 mail clamd[11406]: Mon Jun 25 19:13:47 2018 -> OLE2 support enabled.
Jun 25 19:13:47 mail clamd[11406]: Mon Jun 25 19:13:47 2018 -> PDF support enabled.
Jun 25 19:13:47 mail clamd[11406]: Mon Jun 25 19:13:47 2018 -> SWF support enabled.
Jun 25 19:13:47 mail clamd[11406]: Mon Jun 25 19:13:47 2018 -> HTML support enabled.
Jun 25 19:13:47 mail clamd[11406]: Mon Jun 25 19:13:47 2018 -> XMLDOCS support enabled.
Jun 25 19:13:47 mail clamd[11406]: Mon Jun 25 19:13:47 2018 -> HWP3 support enabled.
Jun 25 19:13:47 mail clamd[11406]: Mon Jun 25 19:13:47 2018 -> Self checking every 3600 seconds.
Jun 25 19:13:47 mail clamd[11406]: clamd: yara_exec.c:177: yr_execute_code: Assertion `sp == 0' failed.
Jun 25 19:13:47 mail amavis[3775]: (03775-14) (!)ClamAV-clamd av-scanner FAILED: run_av error: Too many retries to talk to /var/run/clamav/clamd.ctl (Empty result from /var/run/clamav/clamd.ctl) at (eval 102) line 613.\n
Jun 25 19:13:47 mail amavis[3778]: (03778-12) (!)ClamAV-clamd av-scanner FAILED: run_av error: Too many retries to talk to /var/run/clamav/clamd.ctl (Empty result from /var/run/clamav/clamd.ctl) at (eval 102) line 613.\n
Jun 25 19:13:47 mail amavis[3774]: (03774-17) (!)ClamAV-clamd av-scanner FAILED: run_av error: Too many retries to talk to /var/run/clamav/clamd.ctl (Empty result from /var/run/clamav/clamd.ctl) at (eval 102) line 613.\n
Jun 25 19:13:47 mail amavis[3777]: (03777-16) (!)ClamAV-clamd av-scanner FAILED: run_av error: Too many retries to talk to /var/run/clamav/clamd.ctl (Empty result from /var/run/clamav/clamd.ctl) at (eval 102) line 613.\n

@Whichcraft


commented Jun 25, 2018

Downgraded to 0.99.2+dfsg-0+deb8u3 and

apt-mark hold clamav-freshclam clamav-base clamav clamav-daemon

Issue currently worked around.

@vladki77


commented Jun 26, 2018

It seems that it is enough to disable the yara rules and keep the fresh clamav version:
Set in /etc/clamav-unofficial-sigs/master.conf
yararulesproject_enabled="no"
enable_yararules="no"
and delete *.yar and *.yara from /var/lib/clamav/

@GabrieleV


commented Jun 27, 2018

Is this project still alive? How could we fix the problem with yara rules?
Thanks

@enekux


commented Jul 16, 2018

Hi,
we ran into the same issue. The temporary solution provided by @vladki77 helped.
I also ask, how can we fix the problem with Yara rules?
Thank you,

@rephlex


commented Jul 18, 2018

Same problem here:
(14-456 smtpout03) smtpout-03 ~ # cat /etc/*release
CentOS Linux release 7.5.1804 (Core)

(14-456 smtpout03) smtpout-03 ~ # rpm -qa | grep clamav
clamav-server-systemd-0.100.0-2.el7.x86_64
clamav-unofficial-sigs-3.7.2-1.el7.noarch
clamav-data-0.100.0-2.el7.noarch
clamav-0.100.0-2.el7.x86_64
clamav-filesystem-0.100.0-2.el7.noarch
clamav-lib-0.100.0-2.el7.x86_64
clamav-milter-systemd-0.100.0-2.el7.x86_64
clamav-scanner-systemd-0.100.0-2.el7.x86_64
clamav-update-0.100.0-2.el7.x86_64
clamav-milter-0.100.0-2.el7.x86_64

strace says:

[...] blah blah
[pid 8030] mprotect(0x7fbe000ce000, 4096, PROT_READ|PROT_WRITE) = 0
[pid 8030] write(2, "clamd: yara_exec.c:177: yr_execu"..., 69) = 69
[pid 8030] mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fbe5bcb6000
[pid 8030] rt_sigprocmask(SIG_UNBLOCK, [ABRT], NULL, 8) = 0
[pid 8030] tgkill(8022, 8030, SIGABRT) = 0
[pid 8030] --- SIGABRT {si_signo=SIGABRT, si_code=SI_TKILL, si_pid=8022, si_uid=93} ---
[pid 8031] +++ killed by SIGABRT +++
[pid 8030] +++ killed by SIGABRT +++
[pid 8023] +++ killed by SIGABRT +++
+++ killed by SIGABRT +++

@dominicraf


commented Jul 25, 2018

It's now a problem in Ubuntu (16.04 and 18.04) too following recent apt-get upgrade.

@lephisto


commented Jul 25, 2018

Same issue over here... yara rules are an issue, as it seems.

@RobbieTheK


commented Jul 30, 2018

Fedora 28, same:

ClamAV Error: yyerror(): /var/lib/clamav/antidebug_antivm.yar line 614 undefined identifier "pe"
LibClamAV Warning: cli_loadyara: failed to parse or load 7 yara rules from file /var/lib/clamav/antidebug_antivm.yar, successfully loaded 92 rules.
LibClamAV Error: yyerror(): /var/lib/clamav/maldoc_somerules.yar line 245 undefined identifier "uint32be"
LibClamAV Warning: cli_loadyara: failed to parse or load 1 yara rules from file /var/lib/clamav/maldoc_somerules.yar, successfully loaded 15 rules.

@mmaday


commented Jul 30, 2018

There looks to be a bug in the yara rule parsing, which is filed here: https://bugzilla.clamav.net/show_bug.cgi?id=12077 No ETA on a fix. I have removed the yara rules as per @vladki77's suggestion in #203 (comment) to resolve the issue. According to https://bugzilla.clamav.net/show_bug.cgi?id=12077#c14, the offending yara rule is in Antidebug_AntiVM/antidebug_antivm.yar, so you can be more granular and exclude that to resolve this. If someone has any luck identifying the actual signature, getting a PR/Issue filed at https://github.com/Yara-Rules/rules/issues may be in order.
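One way to be granular about which rule files to exclude, as an added example that is not from this thread or from the clamav-unofficial-sigs project: a POSIX shell helper that walks a rules directory and reports every rule whose condition references an identifier the logs above show ClamAV 0.100 rejecting at load time (`pe.*` and `uint32be`). The `make_sample_rules` function and its rule file are constructed for illustration; in practice you would point `find_unsupported_yara` at /var/lib/clamav. It is a grep-level heuristic on rule text, not a YARA parser, so comments mentioning `pe.` will also be flagged.

```shell
#!/bin/sh
# Hypothetical helper: list YARA rules that use identifiers ClamAV 0.100
# reports as "undefined identifier" ("pe" module, "uint32be").
# Output lines: <file>:<rule name>:<identifier>
find_unsupported_yara() {
    dir="$1"
    find "$dir" \( -name '*.yar' -o -name '*.yara' \) -type f | while read -r f; do
        awk -v file="$f" '
            # Remember the current rule name so hits can be attributed to it.
            /^[ \t]*(private[ \t]+|global[ \t]+)*rule[ \t]+[A-Za-z0-9_]+/ {
                sub(/^[ \t]*(private[ \t]+|global[ \t]+)*rule[ \t]+/, "")
                name = $1
                sub(/[^A-Za-z0-9_].*/, "", name)
            }
            # "pe." preceded by a non-identifier character: PE module access.
            /(^|[^A-Za-z0-9_.])pe\./        { print file ":" name ":pe" }
            # uint32be(...) is not supported by the ClamAV YARA loader.
            /(^|[^A-Za-z0-9_.])uint32be\(/  { print file ":" name ":uint32be" }
        ' "$f"
    done | sort -u
}

# Constructed sample rules (not real signatures) for a stand-alone run.
make_sample_rules() {
    d=$(mktemp -d)
    cat > "$d/sample.yar" <<'EOF'
rule uses_pe_module {
    condition:
        pe.is_dll()
}
rule plain_strings {
    strings:
        $a = "harmless marker"
    condition:
        $a
}
rule uses_uint32be {
    condition:
        uint32be(0) == 0x7F454C46
}
EOF
    printf '%s\n' "$d"
}

# Demo run: only uses_pe_module and uses_uint32be should be listed.
find_unsupported_yara "$(make_sample_rules)"
```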

@hardware hardware referenced this issue Aug 10, 2018

Merged

Update README.md about Yara rules #280

0 of 2 tasks complete

mirtouf added a commit to mirtouf/mailserver that referenced this issue Aug 10, 2018

Update README.md
Added extremeshok/clamav-unofficial-sigs#203 reference for Yara rules bug with clamav > 0.100
Added yararulesproject_enabled="no"