Per advice on this list, I downloaded and installed the clamav-unofficial-sigs
scripts from the link on Sanesecurity.

I've not been able to get it running. Two problems:

1. The /etc/cron.d/clamav-unofficial-sigs cron script won't run from crond. I 
get an email:

/bin/sh: clamav: command not found

I've searched the computer and the clamav-unofficial-sigs.sh script looking for a
reference to a clamav command and simply cannot find such a command. I've
sprinkled `echo` statements throughout clamav-unofficial-sigs.sh and redirected
the cron script's output to a log file. I never get anything in the logfile.
Yet, if I run clamav-unofficial-sigs.sh as root manually, it runs fine.

2. I run a cron'd clamscan job to scan mail folders several times a day. I get
the following errors which are new since installing the unofficial-sigs:

LibClamAV Error: yyerror(): /var/lib/clamav/antidebug_antivm.yar line 497 
undefined identifier "pe"
LibClamAV Error: yyerror(): /var/lib/clamav/antidebug_antivm.yar line 512 
undefined identifier "pe"
LibClamAV Error: yyerror(): /var/lib/clamav/antidebug_antivm.yar line 528 
undefined identifier "pe"
LibClamAV Error: yyerror(): /var/lib/clamav/antidebug_antivm.yar line 544 
undefined identifier "pe"
LibClamAV Error: yyerror(): /var/lib/clamav/antidebug_antivm.yar line 557 
undefined identifier "pe"
LibClamAV Error: yyerror(): /var/lib/clamav/antidebug_antivm.yar line 603 
undefined identifier "pe"
LibClamAV Error: yyerror(): /var/lib/clamav/antidebug_antivm.yar line 614 
undefined identifier "pe"
LibClamAV Error: cli_loadyara: failed to parse rules file 
/var/lib/clamav/antidebug_antivm.yar, error count 7
LibClamAV Error: yyerror(): /var/lib/clamav/EMAIL_Cryptowall.yar line 34 
duplicate identifier "CryptoWall_Resume_phish"
LibClamAV Error: yyerror(): /var/lib/clamav/EMAIL_Cryptowall.yar line 52 
duplicate identifier "docx_macro"
LibClamAV Error: cli_loadyara: failed to parse rules file 
/var/lib/clamav/EMAIL_Cryptowall.yar, error count 2

The lines at /var/lib/clamav/antidebug_antivm.yar line 497 are:

496     contition:
497             pe.imports("kernel32.dll","CheckRemoteDebuggerPresent") and
498             pe.imports("kernel32.dll","IsDebuggerPresent")

These seem like rather basic programming bugs. Nevertheless, it does appear to
catch new signatures, e.g.:

/home/HPRS/mpress/Maildir/.Deleted 
Items/cur/1463485456.M955042P32209.mail,S=13067,W=13269:2,S: 
Sanesecurity.Foxhole.Zip_fs226.UNOFFICIAL FOUND
/home/HPRS/mpress/Maildir/.Deleted 
Items/cur/1460374151.M124643P21974.mail,S=30684,W=31217:2,S: 
Sanesecurity.Spam.12404.Ml.UNOFFICIAL FOUND
/home/HPRS/shay/Maildir/.Trash/cur/1485781802.M776532P6090.mail,S=2905,W=2971:2,S!(1)MAIL:mixedtextportion:
 Sanesecurity.Junk.33365.UNOFFICIAL FOUND
/home/HPRS/shay/Maildir/.Trash/cur/1486393658.M60634P26487.mail,S=48881,W=49823:2,S:
 Sanesecurity.Spam.12427.FakeRenew.UNOFFICIAL FOUND
/home/HPRS/dsmith/Maildir/.Deleted 
Items.Sent/cur/1443025877.M266324P18041.mail,S=22511,W=22844:2,S: 
Sanesecurity.Foxhole.Zip_Wordexe.1.UNOFFICIAL FOUND

etc.

Has anyone on this list encountered the same problems and, if so, were you able to
fix them? I'm running Slackware.

Thanks, Mark
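A pre-flight check for the second problem, added here as an example (it is not from the post, from ClamAV or from clamav-unofficial-sigs): it reports the two things the clamscan log shows ClamAV rejecting, references to YARA modules such as `pe.*` (ClamAV's YARA loader does not implement modules, hence "undefined identifier") and rule names defined twice ("duplicate identifier"), so a broken .yar file can be caught before it is dropped into /var/lib/clamav. The module list and the sample rules are constructed for the example.

```python
"""Pre-flight lint for YARA files before they go into a ClamAV signature directory.
Flags the two error classes in the clamscan log above: references to YARA modules
(pe.* etc.), which ClamAV's YARA loader does not implement and reports as
'undefined identifier', and rule names defined twice ('duplicate identifier').
MODULES and SAMPLE_RULES are constructed for this example, not taken from ClamAV."""
import re
import sys
from pathlib import Path

MODULES = ("pe", "elf", "math", "hash", "cuckoo", "magic", "dotnet", "time")
RULE_RE = re.compile(r"^\s*(?:(?:private|global)\s+)*rule\s+([A-Za-z_]\w*)")
MODULE_RE = re.compile(r"\b(%s)\." % "|".join(MODULES))
STRING_RE = re.compile(r'"(?:\\.|[^"\\])*"')          # double-quoted text strings
LINE_COMMENT_RE = re.compile(r"//.*$")
BLOCK_COMMENT_RE = re.compile(r"/\*.*?\*/", re.S)


def check_yara_text(text):
    """Return [(line_no, message), ...]; line numbers match what yyerror() would print."""
    # Blank out /* ... */ comments but keep their newlines so numbering stays aligned.
    text = BLOCK_COMMENT_RE.sub(lambda m: "\n" * m.group(0).count("\n"), text)
    findings, seen = [], {}
    for lineno, raw in enumerate(text.splitlines(), start=1):
        # Drop string literals and // comments first so a literal "pe." is not flagged.
        line = LINE_COMMENT_RE.sub("", STRING_RE.sub('""', raw))
        m = RULE_RE.match(line)
        if m:
            name = m.group(1)
            if name in seen:
                findings.append((lineno, 'duplicate identifier "%s" (first at line %d)' % (name, seen[name])))
            else:
                seen[name] = lineno
        for mm in MODULE_RE.finditer(line):
            findings.append((lineno, 'module "%s" referenced; ClamAV has no YARA module support' % mm.group(1)))
    return findings


# Constructed sample modelled on the two failures quoted in the post.
SAMPLE_RULES = r'''
rule Debugger_Check {
    meta: description = "pe.imports inside a string is harmless"
    condition: pe.imports("kernel32.dll", "IsDebuggerPresent")
}
rule docx_macro { strings: $a = "vbaProject.bin" condition: $a }
rule docx_macro { strings: $b = "macros" condition: $b }  // redefined -> rejected
'''

if __name__ == "__main__":
    # Usage: lint.py FILE.yar ...; with no arguments, check the constructed sample.
    sources = [(p, Path(p).read_text(encoding="utf-8", errors="replace")) for p in sys.argv[1:]] or [("sample", SAMPLE_RULES)]
    for src, text in sources:
        for lineno, msg in check_yara_text(text):
            print("%s line %d: %s" % (src, lineno, msg))
```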
_______________________________________________
clamav-users mailing list
clamav-users@lists.clamav.net
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
