SIFT, volatility and yarascan

[ericp502]

Anyone else having issues using volatility with the yarascan plugin with the latest SIFT? Fully updated and still getting this error:

vol.py -f mem.dat --profile=Win7SP1x64 yarascan -y "test"

Volatility Foundation Volatility Framework 2.6
Traceback (most recent call last):
File "/usr/bin/vol.py", line 192, in
main()
File "/usr/bin/vol.py", line 174, in main
command = cmdsmodule
File "/usr/lib/python2.7/dist-packages/volatility/plugins/malware/malfind.py", line 190, in init
help = 'Make the search case insensitive')
File "/usr/lib/python2.7/dist-packages/volatility/conf.py", line 363, in add_option
self.optparser.add_option("-{0}".format(short_option), "--{0}".format(option), **args)
File "/usr/lib/python2.7/optparse.py", line 1021, in add_option
File "/usr/lib/python2.7/optparse.py", line 996, in _check_conflict
optparse.OptionConflictError: option -C/--case: conflicting option string(s): -C
root@siftworkstation -> /h/s/Downloads

[ekristen]

It's because multiple plugins are conflicting with each other. You'd have to eliminate each plugin one by one to figure out which are conflicting with each other.

Have you installed any custom plugins? It's possible that the community plugin repo has created conflicts.

[ericp502]

Nothing custom. This is a fresh install. I was having the same problem with Rob Lee's 508 version. Same error. This is a fresh ova download with no modifications. After I still had the error I did a sift update and the error remains the same.

[ekristen]

Right. An updating won't fix it unless we release a patch/fix for this.

I'll have to confirm it's reproducible and then see where the conflict resides.

[dewiestr]

Just to confirm: I have the same issue with a fresh install

[ekristen]

It’s a problem with the community volatility plugins.

[Ash2440]

same errors received also while running yarascan plugin. from new SANS SIFT machine

[stale]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

[azharabdullah]

I am facing the same issue on fresh Sift Workstation v3 (OVA version).
any resolution for this issue?

[evmiller-cf]

I just used the yarascan module for the first time (SIFT install was originally done last September). I received this exact same issue. Is there a resolution/workaround?

[ekristen]

I’m unsure which plugins are conflicting. That’s the fix to find and remove the conflicting one.

[azharabdullah]

I found a workaround:
Edit the malfind.py file at /usr/lib/python2.7/dist-packages/volatility/plugins/malware/malfind.py

1. change the short option at Line 189, Original is Capital C letter. In my case I change it to small c letter
   config.add_option("CASE", short_option = 'c', default = False, action = 'store_true',

2. change the short option at Line 195. Original is Capital Y Letter. In my case I change it to capital U letter
   config.add_option('YARA-RULES', short_option = 'U', default = None,

Make sure to backup the original file.

[stale]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

[javalireports]

I found a workaround: Edit the malfind.py file at /usr/lib/python2.7/dist-packages/volatility/plugins/malware/malfind.py

1. change the short option at Line 189, Original is Capital C letter. In my case I change it to small c letter
   config.add_option("CASE", short_option = 'c', default = False, action = 'store_true',
2. change the short option at Line 195. Original is Capital Y Letter. In my case I change it to capital U letter
   config.add_option('YARA-RULES', short_option = 'U', default = None,

Make sure to backup the original file.

This workaround worked for me., thank you

[emiltmadsen]

I just took my two practice tests and this bug appeared in both. This is still a problem. Luckily I discovered this before my exam attempt, would suck to miss out on the points from 1-2 live VM questions...