Hi Micah,

Curiously it only seems to affect clamd/clamdscan. The standalone clamscan 
doesn't appear to be affected, which means it took quite a while to track down 
the file which causes the crash.

The signature in question is Email.Exploit.Efail-6641027-1

The file triggering the crash for me is 'actionmailer-2.2.2.gem' a gem within 
the Ruby framework on Mac OS X 10.6.8

/System/Library/Frameworks/Ruby.framework/Versions/1.8/usr/lib/ruby/gems/1.8/cache/actionmailer-2.2.2.gem

SHA-256: 164de36ca0e858ccc9bd3e33ae1ee3d3bb9f964f7d941621b3bec725945af5fe

I've uploaded it to VirusTotal.

For what it's worth, I was wrong about the version of lib-pcre that we're 
using. Our current build runs with pcre2 (10.32), but our test machine in 
question was using an older version of ClamAV (0.100.1) which was compiled with 
pcre 8.41.

Still quite surprising that a signature can bring down clamd though.

Hope the above is useful.

Best regards,
Mark

> On 5 May 2020, at 6:28 pm, Micah Snyder (micasnyd) <micas...@cisco.com> wrote:
> 
> Mark,
>  
> It probably won’t make much difference, though there is a possible slow scan 
> time issue in pcre2 10.32 for case-insensitive patterns.
>  
> If you have a sample and signature that cause the issue, I’d love a copy so I 
> can investigate further.
>  
> -Micah
>  
> From: Mark Allan <markjal...@gmail.com>
> Date: Tuesday, May 5, 2020 at 5:20 AM
> To: ClamAV users ML <clamav-users@lists.clamav.net>, Micah Snyder (micasnyd) 
> <micas...@cisco.com>
> Subject: Re: [clamav-users] Clamd crashes frequently - macOS Catalina
> 
> Hi Micah, 
>  
> Al is correct, we're using 10.32. I see 10.34 is now available, so I'll 
> compile against that when I get a chance and see if it makes any difference.
>  
> Mark
> 
> 
> On 5 May 2020, at 6:25 am, Al Varnell via clamav-users 
> <clamav-users@lists.clamav.net> wrote:
>  
> Micah,
>  
> Looks to be 10.32, but Mark should be along shortly to confirm.
>  
> -Al-
> 
> 
> On May 4, 2020, at 13:23, Micah Snyder (micasnyd) via clamav-users 
> <clamav-users@lists.clamav.net> wrote:
>  
> Hi Mark, 
>  
> Which pcre2 version are you using?
>  
> Regards,
> Micah
>  
> From: clamav-users <clamav-users-boun...@lists.clamav.net>
> Date: Saturday, May 2, 2020 at 5:50 PM
> To: ClamAV users ML <clamav-users@lists.clamav.net>
> Cc: Mark Allan <markjal...@gmail.com>
> Subject: Re: [clamav-users] Clamd crashes frequently - macOS Catalina
> 
> Hi James,
>  
> Glad that seems to have helped.
>  
> Al and others are correct that the distro should be updated to use pcre2, but 
> I'm not convinced that's the root of the problem. We're seeing the issue with 
> that signature despite already using pcre2 in our build.
>  
> Mark
> 
> 
> 
> On 2 May 2020, at 3:45 am, Al Varnell via clamav-users 
> <clamav-users@lists.clamav.net> wrote:
>  
> Although I completely support what Mark has recommended, I would caution that 
> there could easily be a future signature that will cause this same issue if 
> the root cause of not upgrading to pcre2 is not accomplished, and figuring 
> out what signature that is won’t be easy.
> 
> Sent from my iPad
>  
> -Al-
> 
> 
> 
> On May 1, 2020, at 18:38, James Brown via clamav-users 
> <clamav-users@lists.clamav.net> wrote:
> 
> On 1 May 2020, at 8:31 pm, Mark Allan via clamav-users 
> <clamav-users@lists.clamav.net> wrote:
>  
> Try excluding Email.Exploit.Efail-6641027-1 from the main ClamAV set.
>  
> Thanks Mark. After over 12 hours clamd is still up and running. Looks like 
> that sig was causing the problem.
>  
> James.
> 
> _______________________________________________
> 
> clamav-users mailing list
> clamav-users@lists.clamav.net
> https://lists.clamav.net/mailman/listinfo/clamav-users
> 
> 
> Help us build a comprehensive ClamAV guide:
> https://github.com/vrtadmin/clamav-faq
> 
> http://www.clamav.net/contact.html#ml
> 

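The workaround James confirmed above (excluding Email.Exploit.Efail-6641027-1 from the main set) done as a small script; this is an added example, not code from the thread or from ClamAV. ClamAV loads any `*.ign2` file found in its database directory, one signature name per line; the directory (`/var/lib/clamav`) and the file name `local.ign2` are assumptions, so adjust them to your install.

```shell
#!/bin/sh
# Added example: exclude a ClamAV signature by name via a .ign2 file.
# Each line of a *.ign2 file in the database directory is one signature
# name that the engine skips. DBDIR below is an assumption for the install.
set -eu

DBDIR=${DBDIR:-/var/lib/clamav}

# ignore_sig DBDIR SIGNAME: append SIGNAME to DBDIR/local.ign2 (idempotent).
ignore_sig() {
    dbdir=$1
    sig=$2
    ign="$dbdir/local.ign2"
    # A signature name is a single token: refuse whitespace, slashes or empty input
    # so a malformed line cannot end up in the file.
    case "$sig" in
        ""|*[[:space:]]*|*/*)
            echo "bad signature name: '$sig'" >&2
            return 1 ;;
    esac
    touch "$ign"
    # Only add the name when it is not already listed as a whole line.
    if ! grep -qxF -- "$sig" "$ign"; then
        printf '%s\n' "$sig" >> "$ign"
    fi
}

# is_ignored DBDIR SIGNAME: success if SIGNAME is listed in DBDIR/local.ign2.
is_ignored() {
    grep -qxF -- "$2" "$1/local.ign2" 2>/dev/null
}

# Usage from the thread's case (runs only when executed directly, not when sourced):
if [ "${0##*/}" = "ignore_sig.sh" ]; then
    ignore_sig "$DBDIR" Email.Exploit.Efail-6641027-1
    is_ignored "$DBDIR" Email.Exploit.Efail-6641027-1 && echo "excluded"
fi
```

Reload the daemon afterwards (`clamdscan --reload`, or restart clamd) so it picks up the new file; clamscan reads the database directory fresh on each run.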
