Yeah, it was all these:

packer.yar
winnow_malware.yara
CVE-2010-0887.yar
maldoc_somerules.yar
CVE-2010-0805.yar
antidebug_antivm.yar
CVE-2010-1297.yar
CVE-2013-0074.yar
CVE-2013-0422.yar
CVE-2015-5119.yar
Maldoc_Hidden_PE_file.yar
EK_Zeus.yar
EK_Sakura.yar
EK_ZeroAcces.yar
EK_Zerox88.yar
EK_Fragus.yar
EK_Phoenix.yar
EK_BleedingLife.yar
EK_Crimepack.yar
EK_Eleonore.yar
EK_Angler.yar
EK_Blackhole.yar
Zeus_EK.yar
ZeroAcces_EK.yar
Zerox88_EK.yar
Phoenix_EK.yar
Sakura_EK.yar
Fragus_EK.yar
Crimepack_EK.yar
Eleonore_EK.yar
Blackhole_EK.yar
BleedingLife_EK.yar
Angler_EK.yar
EMAIL_Cryptowall.yar
malicious_document.yar
Sanesecurity_spam.yara
antidebug.yar
Sanesecurity_sigtest.yara

I don’t know if all of them would cause clamav to crash or just one particular one.

I probably downloaded them not long after this came out:
https://blog.clamav.net/2015/06/clamav-099b-meets-yara.html

The clamav-unofficial-sigs script by eXtremeShok has just re-downloaded Sanesecurity_sigtest.yara and Sanesecurity_spam.yara and clamd is still running, so I presume one of the other files was corrupt?

James

> On 10 May 2018, at 11:50 am, Al Varnell <[email protected]> wrote:
>
> I'm guessing those came from some Unofficial signature database you subscribe
> to as I've never seen any included in the Official database.
>
> -Al-
>
> On Wed, May 09, 2018 at 06:46 PM, James Brown wrote:
>> Thanks for your reply Al.
>>
>> Have just got it working. This was the clue:
>>
>> Application Specific Information:
>> Assertion failed: (sp == 0), function yr_execute_code, file yara_exec.c,
>> line 177.”
>>
>> I deleted all the .yar and .yara files from /usr/local/clamav and it started
>> fine (and is still running).
>>
>> Hope this helps someone else.
>>
>> James.
>>
>>> On 10 May 2018, at 11:34 am, Al Varnell <[email protected]> wrote:
>>>
>>> OS X 10.7.5 is very old, but I know it's been done successfully for 10.6.8
>>> by using several work-arounds. Looks like you have PCRE working and assume
>>> you got over any OpenSSL hurdles.
>>>
>>> Might help if you posted the output of
>>> sudo clamconf
>>>
>>> -Al-
>>> ClamXAV User
>>>
>>> On Wed, May 09, 2018 at 05:40 PM, James Brown wrote:
>>>> I upgraded from 0.99.3 (which worked perfectly) to 0.100.0. Everything
>>>> seemed to work but today I noticed that it wasn’t actually running. No
>>>> mention of there being a problem in the logs:
>>>>
>>>> Thu May 10 10:01:25 2018 -> +++ Started at Thu May 10 10:01:25 2018
>>>> Thu May 10 10:01:25 2018 -> Received 0 file descriptor(s) from systemd.
>>>> Thu May 10 10:01:25 2018 -> clamd daemon 0.100.0 (OS: darwin11.4.2, ARCH: x86_64, CPU: x86_64)
>>>> Thu May 10 10:01:25 2018 -> Log file size limited to 2097152 bytes.
>>>> Thu May 10 10:01:25 2018 -> Reading databases from /usr/local/clamav
>>>> Thu May 10 10:01:25 2018 -> Not loading PUA signatures.
>>>> Thu May 10 10:01:25 2018 -> Bytecode: Security mode set to "TrustSigned".
>>>> Thu May 10 10:02:13 2018 -> Loaded 13435987 signatures.
>>>> Thu May 10 10:02:17 2018 -> LOCAL: Removing stale socket file /tmp/clamd
>>>> Thu May 10 10:02:17 2018 -> LOCAL: Unix socket file /tmp/clamd
>>>> Thu May 10 10:02:17 2018 -> LOCAL: Setting connection queue length to 200
>>>> Thu May 10 10:02:17 2018 -> Limits: Global size limit set to 104857600 bytes.
>>>> Thu May 10 10:02:17 2018 -> Limits: File size limit set to 26214400 bytes.
>>>> Thu May 10 10:02:17 2018 -> Limits: Recursion level limit set to 16.
>>>> Thu May 10 10:02:17 2018 -> Limits: Files limit set to 10000.
>>>> Thu May 10 10:02:17 2018 -> Limits: MaxEmbeddedPE limit set to 10485760 bytes.
>>>> Thu May 10 10:02:17 2018 -> Limits: MaxHTMLNormalize limit set to 10485760 bytes.
>>>> Thu May 10 10:02:17 2018 -> Limits: MaxHTMLNoTags limit set to 2097152 bytes.
>>>> Thu May 10 10:02:17 2018 -> Limits: MaxScriptNormalize limit set to 5242880 bytes.
>>>> Thu May 10 10:02:17 2018 -> Limits: MaxZipTypeRcg limit set to 1048576 bytes.
>>>> Thu May 10 10:02:17 2018 -> Limits: MaxPartitions limit set to 50.
>>>> Thu May 10 10:02:17 2018 -> Limits: MaxIconsPE limit set to 100.
>>>> Thu May 10 10:02:17 2018 -> Limits: MaxRecHWP3 limit set to 16.
>>>> Thu May 10 10:02:17 2018 -> Limits: PCREMatchLimit limit set to 100000.
>>>> Thu May 10 10:02:17 2018 -> Limits: PCRERecMatchLimit limit set to 5000.
>>>> Thu May 10 10:02:17 2018 -> Limits: PCREMaxFileSize limit set to 26214400.
>>>> Thu May 10 10:02:17 2018 -> Archive support enabled.
>>>> Thu May 10 10:02:17 2018 -> Archive: Blocking encrypted archives.
>>>> Thu May 10 10:02:17 2018 -> BlockMax heuristic detection disabled.
>>>> Thu May 10 10:02:17 2018 -> Algorithmic detection enabled.
>>>> Thu May 10 10:02:17 2018 -> Portable Executable support enabled.
>>>> Thu May 10 10:02:17 2018 -> ELF support enabled.
>>>> Thu May 10 10:02:17 2018 -> Mail files support enabled.
>>>> Thu May 10 10:02:17 2018 -> Mail: RFC1341 handling enabled.
>>>> Thu May 10 10:02:17 2018 -> OLE2 support enabled.
>>>> Thu May 10 10:02:17 2018 -> OLE2: Blocking all VBA macros.
>>>> Thu May 10 10:02:17 2018 -> PDF support enabled.
>>>> Thu May 10 10:02:17 2018 -> SWF support enabled.
>>>> Thu May 10 10:02:17 2018 -> HTML support enabled.
>>>> Thu May 10 10:02:17 2018 -> XMLDOCS support enabled.
>>>> Thu May 10 10:02:17 2018 -> HWP3 support enabled.
>>>> Thu May 10 10:02:17 2018 -> Self checking every 600 seconds.
>>>> Thu May 10 10:02:17 2018 -> Set stacksize to 1048576
>>>>
>>>> Mac OS crash report:
>>>>
>>>> <clamd_2018-05-10-100246_localhost.crash>
>>>>
>>>> Most useful part is probably this:
>>>>
>>>> "Crashed Thread: 2
>>>>
>>>> Exception Type: EXC_CRASH (SIGABRT)
>>>> Exception Codes: 0x0000000000000000, 0x0000000000000000
>>>>
>>>> Application Specific Information:
>>>> Assertion failed: (sp == 0), function yr_execute_code, file yara_exec.c,
>>>> line 177."
>>>>
>>>> Any suggestions?
>>>>
>>>> Thanks,
>>>>
>>>> James
>>> _______________________________________________
>>> clamav-users mailing list
>>> [email protected]
>>> http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
>>>
>>> Help us build a comprehensive ClamAV guide:
>>> https://github.com/vrtadmin/clamav-faq
>>>
>>> http://www.clamav.net/contact.html#ml
>
> -Al-
> --
> Al Varnell
> Mountain View, CA
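The thread ends with all .yar/.yara files deleted because nobody knew which one made clamd abort in yr_execute_code. The script below is an added example (not from the thread, and not part of ClamAV or clamav-unofficial-sigs) that loads each rule file on its own with clamscan so the offending file can be singled out; it assumes clamscan is on PATH and that a rule file which aborts clamd aborts clamscan in the same way.

```shell
#!/bin/sh
# Added example: check every YARA rule file in a ClamAV database directory
# one at a time, so one crashing file can be moved aside instead of
# deleting all of them as the thread did.
# Assumptions: clamscan is on PATH; a rule file that trips the
# yr_execute_code assertion in clamd trips it in clamscan too.

# Load RULEFILE as the only signature database and scan it against itself
# (any harmless file would do). The status is clamscan's own, or 128+signal
# if clamscan was killed (SIGABRT from a failed assertion shows as 134).
load_rule_file() {
    clamscan --quiet --no-summary --database="$1" "$1" >/dev/null 2>&1
}

# Map an exit status to a verdict. clamscan uses 0 = clean, 1 = match,
# 2 = error (including a database it refused to load); 128 and above
# means the process died from a signal, i.e. the crash seen in the thread.
classify_status() {
    case $1 in
        0|1) echo ok ;;
        2)   echo load-error ;;
        *)   if [ "$1" -ge 128 ]; then echo crashed; else echo unknown; fi ;;
    esac
}

# Walk every .yar/.yara file in DIR and print "<verdict> <file>" for each
# one that is not ok. Returns 1 if any file failed, 0 otherwise.
find_bad_rules() {
    dir=$1
    bad=0
    for f in "$dir"/*.yar "$dir"/*.yara; do
        [ -e "$f" ] || continue          # glob matched nothing
        if load_rule_file "$f"; then status=0; else status=$?; fi
        verdict=$(classify_status "$status")
        if [ "$verdict" != ok ]; then
            echo "$verdict $f"
            bad=1
        fi
    done
    return $bad
}

# Typical use: sh find_bad_rules.sh /usr/local/clamav, then move only the
# reported files out of the database directory and restart clamd.
if [ -n "${1:-}" ]; then find_bad_rules "$1"; fi
```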
