Hi Micah,

Curiously it only seems to affect clamd/clamdscan. The standalone clamscan doesn't appear to be affected, which means it took quite a while to track down the file which causes the crash.

The signature in question is Email.Exploit.Efail-6641027-1.

The file triggering the crash for me is 'actionmailer-2.2.2.gem', a gem within the Ruby framework on Mac OS X 10.6.8:

/System/Library/Frameworks/Ruby.framework/Versions/1.8/usr/lib/ruby/gems/1.8/cache/actionmailer-2.2.2.gem
SHA-256: 164de36ca0e858ccc9bd3e33ae1ee3d3bb9f964f7d941621b3bec725945af5fe

I've uploaded it to VirusTotal.

For what it's worth, I was wrong about the version of lib-pcre that we're using. Our current build runs with pcre2 (10.32), but our test machine in question was using an older version of ClamAV (0.100.1) which was compiled with pcre 8.41. Still quite surprising that a signature can bring down clamd though.

Hope the above is useful.

Best regards
Mark

> On 5 May 2020, at 6:28 pm, Micah Snyder (micasnyd) <micas...@cisco.com> wrote:
>
> Mark,
>
> It probably won't make much difference, though there is a possible slow scan time issue in pcre2 10.32 for case-insensitive patterns.
>
> If you have a sample and signature that cause the issue, I'd love a copy so I can investigate further.
>
> -Micah
>
> From: Mark Allan <markjal...@gmail.com>
> Date: Tuesday, May 5, 2020 at 5:20 AM
> To: ClamAV users ML <clamav-users@lists.clamav.net>, Micah Snyder (micasnyd) <micas...@cisco.com>
> Subject: Re: [clamav-users] Clamd crashes frequently - macOS Catalina
>
> Hi Micah,
>
> Al is correct, we're using 10.32. I see 10.34 is now available, so I'll compile against that when I get a chance and see if it makes any difference.
>
> Mark
>
> > On 5 May 2020, at 6:25 am, Al Varnell via clamav-users <clamav-users@lists.clamav.net> wrote:
> >
> > Micah,
> >
> > Looks to be 10.32, but Mark should be along shortly to confirm.
> >
> > -Al-
> >
> > > On May 4, 2020, at 13:23, Micah Snyder (micasnyd) via clamav-users <clamav-users@lists.clamav.net> wrote:
> > >
> > > Hi Mark,
> > >
> > > Which pcre2 version are you using?
> > >
> > > Regards,
> > > Micah
> > >
> > > From: clamav-users <clamav-users-boun...@lists.clamav.net>
> > > Date: Saturday, May 2, 2020 at 5:50 PM
> > > To: ClamAV users ML <clamav-users@lists.clamav.net>
> > > Cc: Mark Allan <markjal...@gmail.com>
> > > Subject: Re: [clamav-users] Clamd crashes frequently - macOS Catalina
> > >
> > > Hi James,
> > >
> > > Glad that seems to have helped.
> > >
> > > Al and others are correct that the distro should be updated to use pcre2, but I'm not convinced that's the root of the problem. We're seeing the issue with that signature despite already using pcre2 in our build.
> > >
> > > Mark
> > >
> > > > On 2 May 2020, at 3:45 am, Al Varnell via clamav-users <clamav-users@lists.clamav.net> wrote:
> > > >
> > > > Although I completely support what Mark has recommended, I would caution that there could easily be a future signature that will cause this same issue if the root cause of not upgrading to pcre2 is not accomplished, and figuring out what signature that is won't be easy.
> > > >
> > > > Sent from my iPad
> > > >
> > > > -Al-
> > > >
> > > > > On May 1, 2020, at 18:38, James Brown via clamav-users <clamav-users@lists.clamav.net> wrote:
> > > > >
> > > > > > On 1 May 2020, at 8:31 pm, Mark Allan via clamav-users <clamav-users@lists.clamav.net> wrote:
> > > > > >
> > > > > > Try excluding Email.Exploit.Efail-6641027-1 from the main ClamAV set.
> > > > >
> > > > > Thanks Mark. After over 12 hours clamd is still up and running. Looks like that sig was causing the problem.
> > > > >
> > > > > James.
> > > > >
> > > > > _______________________________________________
> > > > > clamav-users mailing list
> > > > > clamav-users@lists.clamav.net
> > > > > https://lists.clamav.net/mailman/listinfo/clamav-users
> > > > >
> > > > > Help us build a comprehensive ClamAV guide: https://github.com/vrtadmin/clamav-faq
> > > > >
> > > > > http://www.clamav.net/contact.html#ml
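The two practical steps in this thread, excluding the one offending signature (the workaround James confirmed) and finding the file that triggers the crash (what Mark did by hand), as an added shell example that is not part of the thread or of ClamAV itself. ClamAV skips any signature whose name is listed in a `.ign2` file in its database directory, so a local ignore file is the supported way to drop `Email.Exploit.Efail-6641027-1` without editing the main set; and since only clamd is affected, scanning candidate files one at a time with clamdscan and watching for its error exit status (2, as opposed to 0 for clean and 1 for infected) isolates the file that brings the daemon down. The database directory, the scanner command and the file list are parameters chosen here, not values from the thread; after writing the ignore file, clamd must reload its database (`clamdscan --reload`, or a clamd restart) before the exclusion takes effect.

```shell
# Added example, not from the thread: local signature exclusion plus a
# file-by-file scan to find which input makes clamd fall over.

# Append a signature name to <dbdir>/local.ign2 (ClamAV's ignore-list format:
# one signature name per line).  Safe to run repeatedly.
# Usage: write_ign2 /var/lib/clamav Email.Exploit.Efail-6641027-1
write_ign2() {
    dbdir=$1
    sig=$2
    mkdir -p "$dbdir"
    # Skip if the exact name is already listed, so re-running does not duplicate it.
    if [ -f "$dbdir/local.ign2" ] && grep -qxF "$sig" "$dbdir/local.ign2"; then
        return 0
    fi
    printf '%s\n' "$sig" >> "$dbdir/local.ign2"
    # Remember to make clamd re-read its database afterwards, e.g.:
    #   clamdscan --reload
}

# Scan each file individually with the given scanner command and print the
# first file for which the scanner exits with anything other than 0 (clean)
# or 1 (infected).  clamdscan exits 2 on error, which is what you see once the
# daemon has died mid-scan, so stopping at the first such file is deliberate:
# every later file would fail the same way because clamd is no longer there.
# The scanner argument is word-split, so "clamdscan --no-summary" works.
# Returns 0 and prints the path if a breaking file was found, 1 otherwise.
# Usage: find_breaking_file clamdscan /path/to/gems/cache/*.gem
find_breaking_file() {
    scanner=$1
    shift
    for f in "$@"; do
        if $scanner "$f" >/dev/null 2>&1; then
            rc=0
        else
            rc=$?
        fi
        if [ "$rc" -ne 0 ] && [ "$rc" -ne 1 ]; then
            printf '%s\n' "$f"
            return 0
        fi
    done
    return 1
}
```

Once `find_breaking_file` names a file, the same file scanned with standalone `clamscan` is the quick check that the problem is confined to the daemon, as reported above, and the file plus the signature name is exactly what the maintainers asked for. The `.ign2` exclusion is a stopgap: keep a note of what is listed there so it is removed again once a fixed signature or engine build is in place.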