Hello, Mich, you wrote on 14.05.16:

> When we install ClamAV in our Amazon Linux ElasticBeanstalk instance
> with yum install clamav it gets installed without PCRE support,
> although the libraries are present in the instance.

> LibClamAV Warning: cli_loadldb: logical signature for
> Win.Trojan.ssid18332-1 uses PCREs but support is disabled, skipping
> LibClamAV Warning: cli_loadldb: logical signature for
> Win.Ransomware.Locky-4 uses PCREs but support is disabled, skipping
> LibClamAV Warning: cli_loadldb: logical signature for
> Html.Exploit.CVE_2016_0184-1
> uses PCREs but support is disabled, skipping

> However PCRE is installed in the machine:

[...]

Same problem here, IIRC since clamav version 0.99.

Kernel: 3.19.6, self compiled under Slackware.
"/usr/lib/libpcre.so.1.2.4" from the "elflibs" packet, March 2015.

"clamconf -n" tells

Checking configuration files in /etc

Config file: clamd.conf
-----------------------
LogFile = "/var/log/clamav/clamd.log"
LogSyslog = "yes"
LogFacility = "LOG_MAIL"
PidFile = "/var/run/clamav/clamd.pid"
LocalSocket = "/var/run/clamav/clamd.socket"
LocalSocketGroup = "clamav"
LocalSocketMode = "660"
ExitOnOOM = "yes"
User = "clamav"
AllowSupplementaryGroups = "yes"

Config file: freshclam.conf
---------------------------
UpdateLogFile = "/var/log/freshclam.log"
Checks = "2"
DatabaseMirror = "db.de.clamav.net", "database.clamav.net"

Config file: clamav-milter.conf
-------------------------------

Software settings
-----------------
Version: 0.99.2
Optional features supported: MEMPOOL IPv6 AUTOIT_EA06 BZIP2 LIBXML2 ICONV RAR

Database information
--------------------
Database directory: /var/lib/clamav
main.cvd: version 57, sigs: 4218790, built on Thu Mar 17 00:17:06 2016
bytecode.cld: version 277, sigs: 47, built on Fri Apr 15 20:57:09 2016
daily.cld: version 21542, sigs: 141937, built on Sat May 14 06:55:20 2016
Total number of signatures: 4360774

Platform information
--------------------
uname: Linux 3.19.6-multi #1 SMP Wed May 6 10:26:05 CEST 2015 i686
OS: linux-gnu, ARCH: i386, CPU: i486
Full OS version:
WARNING: zlib version mismatch: 1.2.3 (1.2.8)
zlib version: 1.2.3 (1.2.8), compile flags: 55
platform id: 0x0a1152520400000000030406

Build information
-----------------
GNU C: 3.4.6 (3.4.6)
CPPFLAGS:
CFLAGS: -O2 -march=i486 -mtune=i686 -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE
CXXFLAGS:
LDFLAGS:
Configure: '--prefix=/usr' '--libdir=/usr/lib' '--localstatedir=/var' '--sysconfdir=/etc' '--mandir=/usr/man' '--with-user=clamav' '--with-group=clamav' '--with-dbdir=/var/lib/clamav' '--enable-milter' '--enable-id-check' '--enable-clamdtop' '--disable-static' '--disable-experimental' '--build=i486-slackware-linux' 'build_alias=i486-slackware-linux' 'CFLAGS=-O2 -march=i486 -mtune=i686' 'PKG_CONFIG_PATH=/usr/local/lib/pkgconfig:/usr/lib/pkgconfig:/opt/kde/lib/pkgconfig' --enable-ltdl-convenience
sizeof(void*) = 4
Engine flevel: 82, dconf: 82

=================================================================

And "clamconf 2>&1 | grep -i pcre" tells

PCREMatchLimit = "10000"
PCRERecMatchLimit = "5000"
PCREMaxFileSize = "26214400"

Adding "--disable-pcre" doesn't change anything, and also
"--with-pcre=/usr/lib" or "--with-pcre=/usr/local/lib" (and symlinking
"libpcre") doesn't help.

===================================================================

And tracing with "strace clamscan" tells

read(5, "Eicar-Test-Signature;Target:0;0;"..., 32768) = 32768
mmap2(NULL, 262144, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x419f1000
read(5, "e.ZBot-23;Target:1;(0>20)&1&2;S0"..., 28672) = 28672
read(5, ";000000056473637000;000000066473"..., 4096) = 4096
mmap2(NULL, 262144, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x41a31000
mmap2(NULL, 262144, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x41a71000
read(5, "6361685F626167757A;7975646869406"..., 28672) = 28672
read(5, "5656565;6d6435;637261636b6572;73"..., 4096) = 4096
mmap2(NULL, 262144, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x41ab1000
mmap2(NULL, 262144, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x41af1000
read(5, "gine:51-255,Target:6;(0&1&2&3);7"..., 28672) = 28672
read(5, "P,Target:0;(0&1);0:646578;414354"..., 4096) = 4096
mmap2(NULL, 262144, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x41b31000
read(5, "_2013_3886-1;Engine:51-255,Targe"..., 28672) = 28672
read(5, "0CC744240800000000C7442404000000"..., 4096) = 4096
mmap2(NULL, 262144, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x41b71000
mmap2(NULL, 262144, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x41bb1000
read(5, "00000005B8D83FE340000890424E8691"..., 28672) = 28672
read(5, "5C84883C018488945E88B45F8489848C"..., 4096) = 4096
read(5, ";554889E541565389D04C8B350702030"..., 28672) = 28672
read(5, "an.Cryfile-12;Engine:51-255,Targ"..., 4096) = 4096
mmap2(NULL, 262144, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x41bf1000
mmap2(NULL, 262144, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x41c31000
read(5, "1;Engine:51-255,Target:1;(0&1&2&"..., 28672) = 28672
read(5, "16E61676572;67657444796E616D6963"..., 4096) = 4096
mmap2(NULL, 262144, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x41c71000
mmap2(NULL, 262144, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x41cb1000
read(5, "305c7830305c7830305c7830305c7830"..., 28672) = 28672
read(5, ";5363616e416c6c50726f63657373;67"..., 4096) = 4096
mmap2(NULL, 262144, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x41cf1000
mmap2(NULL, 262144, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x41d31000
read(5, "t.CVE_2014_7911-1;Engine:51-255,"..., 28672) = 28672
read(5, "6a75736368656431302d31395c;433a5"..., 4096) = 4096
mmap2(NULL, 262144, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x41d71000
read(5, "73202620227374656d4f626a65637422"..., 28672) = 28672
read(5, "80038003900310053004b00590050004"..., 4096) = 4096
mmap2(NULL, 262144, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x41db1000
futex(0x402826e0, FUTEX_WAKE_PRIVATE, 2147483647) = 0
write(2, "LibClamAV Warning: cli_loadldb: "..., 122LibClamAV Warning: cli_loadldb: logical signature for Win.Trojan.ssid18332-1 uses PCREs but support is disabled, skipping
) = 122
read(5, "8012a23b8fe1bd9012a23b4fe1b8b002"..., 28672) = 28672
read(5, "d08bc10bc7750689b5ccfdffff8d75f3"..., 4096) = 4096
mmap2(NULL, 262144, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x41df1000
read(5, "fb316a6695ac0497b7d4f006564ec4b1"..., 28672) = 28672
read(5, "515058595d595b\nWin.Adware.Imali-"..., 4096) = 4096
mmap2(NULL, 262144, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x41e31000
read(5, "6e3d22312e302e302e3022;520069006"..., 28672) = 28672
read(5, "065006100720063006800500072006f0"..., 4096) = 4096
mmap2(NULL, 262144, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x41e71000
read(5, "400610079002c0020003a00440062004"..., 20480) = 20480
read(5, "07800740065006e00730069006f006e0"..., 4096) = 4096
read(5, "0760061006c002c0020003a005500730"..., 24576) = 24576
read(5, "3f800720983f80977040430eb0204378"..., 4096) = 4096
read(5, "3f583f5c3f603f643f683f6c3f703f74"..., 28672) = 28672
read(5, "56e74;2e72656d6f76656e6f6465;3c7"..., 4096) = 4096
mmap2(NULL, 262144, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x41eb1000
mmap2(NULL, 262144, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x41ef1000
read(5, "65737361676557\nWin.Trojan.BlackE"..., 16384) = 16384
read(5, "70553f5e623d62767a5a244e2940345d"..., 4096) = 4096
write(2, "LibClamAV Warning: cli_loadldb: "..., 122LibClamAV Warning: cli_loadldb: logical signature for Win.Ransomware.Locky-4 uses PCREs but support is disabled, skipping
) = 122
mmap2(NULL, 262144, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x41f31000
write(2, "LibClamAV Warning: cli_loadldb: "..., 128LibClamAV Warning: cli_loadldb: logical signature for Html.Exploit.CVE_2016_0184-1 uses PCREs but support is disabled, skipping
) = 128
brk(0x80c1000) = 0x80c1000

===================================================================

Best regards!
Helmut
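
Added example, not part of the original post: a small check that turns the two symptoms shown in this thread (no PCRE entry in clamconf's "Optional features supported" line, and cli_loadldb "skipping" warnings on stderr) into a coverage report a monitoring job can act on. The sample inputs are constructed from the output quoted above; the assumption that a PCRE-enabled build lists the token `PCRE` on that line, and the function names, are this example's own.

```python
import re

# Constructed sample input, modelled on the clamconf/clamscan output in this thread.
SAMPLE_CLAMCONF = """\
Software settings
-----------------
Version: 0.99.2
Optional features supported: MEMPOOL IPv6 AUTOIT_EA06 BZIP2 LIBXML2 ICONV RAR
"""
SAMPLE_STDERR = """\
LibClamAV Warning: cli_loadldb: logical signature for Win.Trojan.ssid18332-1 uses PCREs but support is disabled, skipping
LibClamAV Warning: cli_loadldb: logical signature for Win.Ransomware.Locky-4 uses PCREs but support is disabled, skipping
LibClamAV Warning: cli_loadldb: logical signature for Html.Exploit.CVE_2016_0184-1 uses PCREs but support is disabled, skipping
"""

FEATURES_RE = re.compile(r"^Optional features supported:[ \t]*(.*)$", re.M)
SKIPPED_RE = re.compile(
    r"cli_loadldb: logical signature for (\S+) uses PCREs but support is disabled"
)


def optional_features(clamconf_text):
    """Return the set of feature tokens from `clamconf -n` output."""
    m = FEATURES_RE.search(clamconf_text)
    return set(m.group(1).split()) if m else set()


def skipped_pcre_signatures(stderr_text):
    """Names of signatures dropped at load time, in order, without duplicates."""
    # Collapse whitespace first so warnings wrapped by a mailer or pager still match.
    flat = " ".join(stderr_text.split())
    return list(dict.fromkeys(SKIPPED_RE.findall(flat)))


def pcre_report(clamconf_text, stderr_text):
    """Summarise whether the engine is running with reduced signature coverage."""
    built_in = "PCRE" in optional_features(clamconf_text)  # assumed token name
    skipped = skipped_pcre_signatures(stderr_text)
    return {
        "pcre_built_in": built_in,
        "skipped": skipped,
        "degraded": (not built_in) or bool(skipped),
    }


if __name__ == "__main__":
    print(pcre_report(SAMPLE_CLAMCONF, SAMPLE_STDERR))
```

In live use, feed it the captured output of `clamconf -n` and the stderr of a `clamscan` run; a `degraded` result means signatures such as the Locky one above are not being matched at all.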
