Hi Micah,

Curiously, it only seems to affect clamd/clamdscan. The standalone clamscan 
doesn't appear to be affected, which means it took quite a while to track down 
the file which causes the crash.

The signature in question is Email.Exploit.Efail-6641027-1

The file triggering the crash for me is 'actionmailer-2.2.2.gem', a gem within 
the Ruby framework on Mac OS X 10.6.8:

        /System/Library/Frameworks/Ruby.framework/Versions/1.8/usr/lib/ruby/gems/1.8/cache/actionmailer-2.2.2.gem

        SHA-256 164de36ca0e858ccc9bd3e33ae1ee3d3bb9f964f7d941621b3bec725945af5fe

I've uploaded it to VirusTotal.

For what it's worth, I was wrong about the version of lib-pcre that we're 
using. Our current build runs with pcre2 (10.32), but our test machine in 
question was using an older version of ClamAV (0.100.1) which was compiled with 
pcre 8.41.

Still quite surprising that a signature can bring down clamd though.

Hope the above is useful.

Best regards,
Mark
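
As an added example, not taken from any message in this thread: the two operations the thread turns on, excluding a named signature from the loaded set via a `.ign2` file in the database directory (one signature name per line, ClamAV's documented ignore format) and finding which file brings clamd down by scanning candidates one at a time with clamdscan, whose exit status 2 means it could not complete the scan against the daemon. The database directory, the `local.ign2` name and the `CLAMDSCAN` override are assumptions for illustration; after editing the ignore file, clamd needs a database reload (`clamdscan --reload`).

```shell
#!/bin/sh
# Added example, not code from the thread. DBDIR and the local.ign2 file name
# are assumptions; CLAMDSCAN is overridable so the loop can be exercised with a
# stand-in scanner.
DBDIR="${DBDIR:-/var/lib/clamav}"      # assumed ClamAV DatabaseDirectory
CLAMDSCAN="${CLAMDSCAN:-clamdscan}"    # scanner command used by find_crasher

# Append a signature name to a .ign2 file (one name per line). Prints "added"
# or "present"; rejects anything that is not a plain signature identifier so a
# stray shell fragment never ends up in the database directory.
ignore_sig() {
    sig="$1"
    ign="${2:-$DBDIR/local.ign2}"
    case "$sig" in
        ""|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    if [ -f "$ign" ] && grep -qxF "$sig" "$ign"; then
        echo present
        return 0
    fi
    printf '%s\n' "$sig" >> "$ign"
    echo added
}

# Scan files one by one. clamdscan exits 0 (clean), 1 (infected) or 2 (error,
# including "cannot reach clamd"), so the first file whose scan ends with
# status 2 is the candidate that took the daemon down. Prints that path, or
# nothing if every scan completed. Confirm by restarting clamd and scanning
# the reported file on its own.
find_crasher() {
    for f in "$@"; do
        if "$CLAMDSCAN" --no-summary "$f" >/dev/null 2>&1; then
            rc=0
        else
            rc=$?
        fi
        if [ "$rc" -eq 2 ]; then
            echo "$f"
            return 0
        fi
    done
    return 0
}
```

Usage: `ignore_sig Email.Exploit.Efail-6641027-1 && clamdscan --reload`, then `find_crasher /path/to/candidates/*` once clamd is back up.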

> On 5 May 2020, at 6:28 pm, Micah Snyder (micasnyd) <[email protected]> wrote:
> 
> Mark,
>  
> It probably won’t make much difference, though there is a possible slow scan 
> time issue in pcre2 10.32 for case-insensitive patterns.
>  
> If you have a sample and signature that cause the issue, I’d love a copy so I 
> can investigate further.
>  
> -Micah
>  
> From: Mark Allan <[email protected]>
> Date: Tuesday, May 5, 2020 at 5:20 AM
> To: ClamAV users ML <[email protected]>, Micah Snyder (micasnyd) 
> <[email protected]>
> Subject: Re: [clamav-users] Clamd crashes frequently - macOS Catalina
> 
> Hi Micah, 
>  
> Al is correct, we're using 10.32. I see 10.34 is now available, so I'll 
> compile against that when I get a chance and see if it makes any difference.
>  
> Mark
> 
> 
> On 5 May 2020, at 6:25 am, Al Varnell via clamav-users 
> <[email protected]> wrote:
>  
> Micah,
>  
> Looks to be 10.32, but Mark should be along shortly to confirm.
>  
> -Al-
> 
> 
> On May 4, 2020, at 13:23, Micah Snyder (micasnyd) via clamav-users 
> <[email protected]> wrote:
>  
> Hi Mark, 
>  
> Which pcre2 version are you using?
>  
> Regards,
> Micah
>  
> From: clamav-users <[email protected]>
> Date: Saturday, May 2, 2020 at 5:50 PM
> To: ClamAV users ML <[email protected]>
> Cc: Mark Allan <[email protected]>
> Subject: Re: [clamav-users] Clamd crashes frequently - macOS Catalina
> 
> Hi James,
>  
> Glad that seems to have helped.
>  
> Al and others are correct that the distro should be updated to use pcre2, but 
> I'm not convinced that's the root of the problem. We're seeing the issue with 
> that signature despite already using pcre2 in our build.
>  
> Mark
> 
> 
> 
> On 2 May 2020, at 3:45 am, Al Varnell via clamav-users 
> <[email protected]> wrote:
>  
> Although I completely support what Mark has recommended, I would caution that 
> there could easily be a future signature that will cause this same issue if 
> the root cause of not upgrading to pcre2 is not accomplished, and figuring 
> out what signature that is won’t be easy.
> 
> Sent from my iPad
>  
> -Al-
> 
> 
> 
> On May 1, 2020, at 18:38, James Brown via clamav-users 
> <[email protected]> wrote:
> 
> On 1 May 2020, at 8:31 pm, Mark Allan via clamav-users 
> <[email protected]> wrote:
>  
> Try excluding Email.Exploit.Efail-6641027-1 from the main ClamAV set.
>  
> Thanks Mark. After over 12 hours clamd is still up and running. Looks like 
> that sig was causing the problem.
>  
> James.
> 
> _______________________________________________
> 
> clamav-users mailing list
> [email protected]
> https://lists.clamav.net/mailman/listinfo/clamav-users
> 
> 
> Help us build a comprehensive ClamAV guide:
> https://github.com/vrtadmin/clamav-faq
> 
> http://www.clamav.net/contact.html#ml
