They can be ignored. For yara rules, ClamAV currently ignores any
containing errors or unsupported features.
Steve
On Fri, Mar 31, 2017 at 2:30 PM, Mark Foley <mfo...@novatec-inc.com> wrote:
> On Fri, 31 Mar 2017 14:01:29 -0400 Steven Morgan <smor...@sourcefire.com>
> wrote:
> >
>
> Thanks Steve. Is then there a way to disable the pe rules or do I just
> have to
> ignore these messages?
>
> --Mark
>
> > Mark,
> >
> > The pe import module of yara rules is not currently implemented in
> ClamAV.
> > Other specifics of using yara rules in Clam may be found in
> > docs/signatures.pdf. Also, looks like errors in EMAIL_Cryptowall.yar yara
> > rule?
> >
> > Hope this helps,
> > Steve
> >
> > On Fri, Mar 31, 2017 at 1:45 PM, Mark Foley <mfo...@novatec-inc.com>
> wrote:
> >
> > > Per advice on this list, I downloaded and installed the
> > > clamav-unofficial-sigs
> > > scripts from the link on Sanesecurity.
> > >
> > > I've not been able to get it running. Two problems:
> > >
> > > 1. The /etc/cron.d/clamav-unofficial-sigs cron script won't run from
> > > crond. I get an email:
> > >
> > > /bin/sh: clamav: command not found
> > >
> > > I've searched the computer and the clamav-unofficial-sigs.sh script
> > > looking for a
> > > reference to a clamav command and simply cannot find such a command.
> I've
> > > sprinkles `echo` statements throughout clamav-unofficial-sigs.sh and
> > > redirected
> > > the cron script's output to a log file. I never get anything in the
> > > logfile.
> > > Yet, if I run clamav-unofficial-sigs.sh as root manually, it runs fine.
> > >
> > > 2. I run a cron'd clamscan job to scan mail folders several time a
> day. I
> > > get
> > > the following errors which are new since installing the
> unofficial-sigs:
> > >
> > > LibClamAV Error: yyerror(): /var/lib/clamav/antidebug_antivm.yar line
> 497
> > > undefined identifier "pe"
> > > LibClamAV Error: yyerror(): /var/lib/clamav/antidebug_antivm.yar line
> 512
> > > undefined identifier "pe"
> > > LibClamAV Error: yyerror(): /var/lib/clamav/antidebug_antivm.yar line
> 528
> > > undefined identifier "pe"
> > > LibClamAV Error: yyerror(): /var/lib/clamav/antidebug_antivm.yar line
> 544
> > > undefined identifier "pe"
> > > LibClamAV Error: yyerror(): /var/lib/clamav/antidebug_antivm.yar line
> 557
> > > undefined identifier "pe"
> > > LibClamAV Error: yyerror(): /var/lib/clamav/antidebug_antivm.yar line
> 603
> > > undefined identifier "pe"
> > > LibClamAV Error: yyerror(): /var/lib/clamav/antidebug_antivm.yar line
> 614
> > > undefined identifier "pe"
> > > LibClamAV Error: cli_loadyara: failed to parse rules file
> > > /var/lib/clamav/antidebug_antivm.yar, error count 7
> > > LibClamAV Error: yyerror(): /var/lib/clamav/EMAIL_Cryptowall.yar line
> 34
> > > duplicate identifier "CryptoWall_Resume_phish"
> > > LibClamAV Error: yyerror(): /var/lib/clamav/EMAIL_Cryptowall.yar line
> 52
> > > duplicate identifier "docx_macro"
> > > LibClamAV Error: cli_loadyara: failed to parse rules file
> > > /var/lib/clamav/EMAIL_Cryptowall.yar, error count 2
> > >
> > > The lines at /var/lib/clamav/antidebug_antivm.yar line 497 are:
> > >
> > > 496 contition:
> > > 497 pe.imports("kernel32.dll","
> CheckRemoteDebuggerPresent")
> > > and
> > > 498 pe.imports("kernel32.dll","IsDebuggerPresent")
> > >
> > > These seem like rather basic programming bugs. Nevertheless, it does
> > > appear to
> > > catch new signatures, e.g.:
> > >
> > > /home/HPRS/mpress/Maildir/.Deleted Items/cur/1463485456.
> > > M955042P32209.mail,S=13067,W=13269:2,S: Sanesecurity.Foxhole.Zip_
> fs226.UNOFFICIAL
> > > FOUND
> > > /home/HPRS/mpress/Maildir/.Deleted Items/cur/1460374151.
> > > M124643P21974.mail,S=30684,W=31217:2,S: Sanesecurity.Spam.12404.Ml.
> UNOFFICIAL
> > > FOUND
> > > /home/HPRS/shay/Maildir/.Trash/cur/1485781802.
> M776532P6090.mail,S=2905,W=
> > > 2971:2,S!(1)MAIL:mixedtextportion: Sanesecurity.Junk.33365.UNOFFICIAL
> > > FOUND
> > > /home/HPRS/shay/Maildir/.Trash/cur/1486393658.
> M60634P26487.mail,S=48881,W=49823:2,S:
> > > Sanesecurity.Spam.12427.FakeRenew.UNOFFICIAL FOUND
> > > /home/HPRS/dsmith/Maildir/.Deleted Items.Sent/cur/1443025877.
> > > M266324P18041.mail,S=22511,W=22844:2,S: Sanesecurity.Foxhole.Zip_
> Wordexe.1.UNOFFICIAL
> > > FOUND
> > >
> > > etc.
> > >
> > > Has anyone on this list encountered the same problem and if so were you
> > > able to
> > > fix them? I'm running Slackware.
> > >
> > > Thanks, Mark
> > > _______________________________________________
> > > clamav-users mailing list
> > > clamav-users@lists.clamav.net
> > > http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
> > >
> > >
> > > Help us build a comprehensive ClamAV guide:
> > > https://github.com/vrtadmin/clamav-faq
> > >
> > > http://www.clamav.net/contact.html#ml
> > >
> > _______________________________________________
> > clamav-users mailing list
> > clamav-users@lists.clamav.net
> > http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
> >
> >
> > Help us build a comprehensive ClamAV guide:
> > https://github.com/vrtadmin/clamav-faq
> >
> > http://www.clamav.net/contact.html#ml
> >
> _______________________________________________
> clamav-users mailing list
> clamav-users@lists.clamav.net
> http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
>
>
> Help us build a comprehensive ClamAV guide:
> https://github.com/vrtadmin/clamav-faq
>
> http://www.clamav.net/contact.html#ml
>
_______________________________________________
clamav-users mailing list
clamav-users@lists.clamav.net
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq
http://www.clamav.net/contact.html#ml
