They can be ignored. For yara rules, ClamAV currently ignores any containing errors or unsupported features.
Steve

On Fri, Mar 31, 2017 at 2:30 PM, Mark Foley <mfo...@novatec-inc.com> wrote:
> On Fri, 31 Mar 2017 14:01:29 -0400 Steven Morgan <smor...@sourcefire.com> wrote:
>
> Thanks Steve. Is then there a way to disable the pe rules or do I just have to ignore these messages?
>
> --Mark
>
> > Mark,
> >
> > The pe import module of yara rules is not currently implemented in ClamAV. Other specifics of using yara rules in Clam may be found in docs/signatures.pdf. Also, looks like errors in EMAIL_Cryptowall.yar yara rule?
> >
> > Hope this helps,
> > Steve
> >
> > On Fri, Mar 31, 2017 at 1:45 PM, Mark Foley <mfo...@novatec-inc.com> wrote:
> > > Per advice on this list, I downloaded and installed the clamav-unofficial-sigs scripts from the link on Sanesecurity.
> > >
> > > I've not been able to get it running. Two problems:
> > >
> > > 1. The /etc/cron.d/clamav-unofficial-sigs cron script won't run from crond. I get an email:
> > >
> > >     /bin/sh: clamav: command not found
> > >
> > > I've searched the computer and the clamav-unofficial-sigs.sh script looking for a reference to a clamav command and simply cannot find such a command. I've sprinkled `echo` statements throughout clamav-unofficial-sigs.sh and redirected the cron script's output to a log file. I never get anything in the logfile. Yet, if I run clamav-unofficial-sigs.sh as root manually, it runs fine.
> > >
> > > 2. I run a cron'd clamscan job to scan mail folders several times a day. I get the following errors which are new since installing the unofficial-sigs:
> > >
> > > LibClamAV Error: yyerror(): /var/lib/clamav/antidebug_antivm.yar line 497 undefined identifier "pe"
> > > LibClamAV Error: yyerror(): /var/lib/clamav/antidebug_antivm.yar line 512 undefined identifier "pe"
> > > LibClamAV Error: yyerror(): /var/lib/clamav/antidebug_antivm.yar line 528 undefined identifier "pe"
> > > LibClamAV Error: yyerror(): /var/lib/clamav/antidebug_antivm.yar line 544 undefined identifier "pe"
> > > LibClamAV Error: yyerror(): /var/lib/clamav/antidebug_antivm.yar line 557 undefined identifier "pe"
> > > LibClamAV Error: yyerror(): /var/lib/clamav/antidebug_antivm.yar line 603 undefined identifier "pe"
> > > LibClamAV Error: yyerror(): /var/lib/clamav/antidebug_antivm.yar line 614 undefined identifier "pe"
> > > LibClamAV Error: cli_loadyara: failed to parse rules file /var/lib/clamav/antidebug_antivm.yar, error count 7
> > > LibClamAV Error: yyerror(): /var/lib/clamav/EMAIL_Cryptowall.yar line 34 duplicate identifier "CryptoWall_Resume_phish"
> > > LibClamAV Error: yyerror(): /var/lib/clamav/EMAIL_Cryptowall.yar line 52 duplicate identifier "docx_macro"
> > > LibClamAV Error: cli_loadyara: failed to parse rules file /var/lib/clamav/EMAIL_Cryptowall.yar, error count 2
> > >
> > > The lines at /var/lib/clamav/antidebug_antivm.yar line 497 are:
> > >
> > > 496     contition:
> > > 497         pe.imports("kernel32.dll","CheckRemoteDebuggerPresent") and
> > > 498         pe.imports("kernel32.dll","IsDebuggerPresent")
> > >
> > > These seem like rather basic programming bugs. Nevertheless, it does appear to catch new signatures, e.g.:
> > >
> > > /home/HPRS/mpress/Maildir/.Deleted Items/cur/1463485456.M955042P32209.mail,S=13067,W=13269:2,S: Sanesecurity.Foxhole.Zip_fs226.UNOFFICIAL FOUND
> > > /home/HPRS/mpress/Maildir/.Deleted Items/cur/1460374151.M124643P21974.mail,S=30684,W=31217:2,S: Sanesecurity.Spam.12404.Ml.UNOFFICIAL FOUND
> > > /home/HPRS/shay/Maildir/.Trash/cur/1485781802.M776532P6090.mail,S=2905,W=2971:2,S!(1)MAIL:mixedtextportion: Sanesecurity.Junk.33365.UNOFFICIAL FOUND
> > > /home/HPRS/shay/Maildir/.Trash/cur/1486393658.M60634P26487.mail,S=48881,W=49823:2,S: Sanesecurity.Spam.12427.FakeRenew.UNOFFICIAL FOUND
> > > /home/HPRS/dsmith/Maildir/.Deleted Items.Sent/cur/1443025877.M266324P18041.mail,S=22511,W=22844:2,S: Sanesecurity.Foxhole.Zip_Wordexe.1.UNOFFICIAL FOUND
> > >
> > > etc.
> > >
> > > Has anyone on this list encountered the same problem and if so were you able to fix them? I'm running Slackware.
> > >
> > > Thanks, Mark
> > > _______________________________________________
> > > clamav-users mailing list
> > > clamav-users@lists.clamav.net
> > > http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
> > >
> > > Help us build a comprehensive ClamAV guide:
> > > https://github.com/vrtadmin/clamav-faq
> > >
> > > http://www.clamav.net/contact.html#ml