I can recreate that same issue with daily cvd 25410, using ClamAV 0.100.1.
That was the first 0.100.X I had handy to do a quick test.
The problem is something specific to sigtool and only the list-sigs
feature. It does not affect clamscan or clamd, and does not affect the
--find-sigs option of sigtool.
We do ongoing signature load testing with several different versions of
ClamAV, but focus on scan testing.

It does still happen with the latest release so I'll talk with the team
about opening this as a bug.

Thanks for the report.

Dave R.

On Fri, Apr 5, 2019 at 11:12 AM David Shrimpton via clamav-users <
clamav-users@lists.clamav.net> wrote:

> I can reproduce the Malformed pattern problem with a file with just the
> one signature:
>
> Xls.Downloader.Powload-6923120-0, which is an even longer one.
>
> This is 4 signatures before Doc.Trojan.Agent-6923124-0 in daily.ldb
>
> sigtool reports the wrong line numbering, e.g. with a file with just
> Xls.Downloader.Powload-6923120-0 it reports
> the problem as being on line 2. It seems to be 4 lines out when reporting
> on the whole daily.ldb
>
> again sigtool --find Xls.Downloader.Powload-6923120-0 | sigtool --decode-sigs
>
> doesn't show a problem.
>
> clamscan --debug -d file_with_just_the_sig_above.ldb somefile
> doesn't show a problem.
>
> Xls.Downloader.Powload-6923120-0 turned up in daily 25410 which was when
> the problem started
>
> Maybe sigtool --list can't handle long signatures in ClamAV 0.100.2
>
> There does seem a pointlessness to signatures based upon exact variable
> names etc. that are obfuscated
> and likely will vary with each sample. A regex signature to get any
> variable name would be better.
>
>
> David Shrimpton
>
> ________________________________________
> From: clamav-users <clamav-users-boun...@lists.clamav.net> on behalf of
> Arnaud Jacques <webmas...@securiteinfo.com>
> Sent: Saturday, April 6, 2019 12:27 AM
> To: clamav-users@lists.clamav.net
> Subject: Re: [clamav-users] Malformed pattern daily.ldb version 25410
>
> Hello,
>
> > sigtool --find-sigs Doc.Trojan.Agent-6923124-0 | sigtool --decode-sigs
> I don't understand why this signature is so long, and why it is based on
> always changing variables.
>
>
> _______________________________________________
>
> clamav-users mailing list
> clamav-users@lists.clamav.net
> https://lists.clamav.net/mailman/listinfo/clamav-users
>
>
> Help us build a comprehensive ClamAV guide:
> https://github.com/vrtadmin/clamav-faq
>
> http://www.clamav.net/contact.html#ml
>


-- 
---
Dave Raynor
Talos Security Intelligence and Research Group
dray...@sourcefire.com