Re: [clamav-users] Problems with 3rd party sigs
On 31 March 2017 18:45:58 Mark Foley wrote:

> Per advice on this list, I downloaded and installed the clamav-unofficial-sigs
> scripts from the link on Sanesecurity.
>
> 2. I run a cron'd clamscan job to scan mail folders several times a day.
> I get the following errors which are new since installing the unofficial-sigs:

See... you can comment out these lines in the master.conf:

#email/EMAIL_Cryptowall.yar|LOW # CryptoWall Resume phish
#Antidebug_AntiVM/antidebug_antivm.yar|LOW # anti debug and anti virtualization techniques used by malware

See... issues page from here...

https://github.com/extremeshok/clamav-unofficial-sigs

Cheers,

Steve
Twitter: @sanesecurity

___
clamav-users mailing list
clamav-users@lists.clamav.net
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users

Help us build a comprehensive ClamAV guide: https://github.com/vrtadmin/clamav-faq
http://www.clamav.net/contact.html#ml
Re: [clamav-users] Problems with 3rd party sigs
They can be ignored. For yara rules, ClamAV currently ignores any containing errors or unsupported features.

Steve

On Fri, Mar 31, 2017 at 2:30 PM, Mark Foley wrote:

> On Fri, 31 Mar 2017 14:01:29 -0400 Steven Morgan wrote:
>
> Thanks Steve. Is then there a way to disable the pe rules or do I just have to
> ignore these messages?
>
> --Mark
>
> > Mark,
> >
> > The pe import module of yara rules is not currently implemented in ClamAV.
> > Other specifics of using yara rules in Clam may be found in
> > docs/signatures.pdf. Also, looks like errors in EMAIL_Cryptowall.yar yara
> > rule?
> >
> > Hope this helps,
> > Steve
> >
> > On Fri, Mar 31, 2017 at 1:45 PM, Mark Foley wrote:
> >
> > > Per advice on this list, I downloaded and installed the
> > > clamav-unofficial-sigs scripts from the link on Sanesecurity.
> > >
> > > I've not been able to get it running. Two problems:
> > > [...]
Re: [clamav-users] Problems with 3rd party sigs
On Fri, 31 Mar 2017 14:01:29 -0400 Steven Morgan wrote:

Thanks Steve. Is then there a way to disable the pe rules or do I just have to
ignore these messages?

--Mark

> Mark,
>
> The pe import module of yara rules is not currently implemented in ClamAV.
> Other specifics of using yara rules in Clam may be found in
> docs/signatures.pdf. Also, looks like errors in EMAIL_Cryptowall.yar yara
> rule?
>
> Hope this helps,
> Steve
>
> On Fri, Mar 31, 2017 at 1:45 PM, Mark Foley wrote:
>
> > Per advice on this list, I downloaded and installed the
> > clamav-unofficial-sigs scripts from the link on Sanesecurity.
> >
> > I've not been able to get it running. Two problems:
> > [...]
[clamav-users] Problems with 3rd party sigs
Per advice on this list, I downloaded and installed the clamav-unofficial-sigs
scripts from the link on Sanesecurity.

I've not been able to get it running. Two problems:

1. The /etc/cron.d/clamav-unofficial-sigs cron script won't run from crond. I get an email:

/bin/sh: clamav: command not found

I've searched the computer and the clamav-unofficial-sigs.sh script looking for a
reference to a clamav command and simply cannot find such a command. I've
sprinkled `echo` statements throughout clamav-unofficial-sigs.sh and redirected
the cron script's output to a log file. I never get anything in the logfile.
Yet, if I run clamav-unofficial-sigs.sh as root manually, it runs fine.

2. I run a cron'd clamscan job to scan mail folders several times a day. I get
the following errors which are new since installing the unofficial-sigs:

LibClamAV Error: yyerror(): /var/lib/clamav/antidebug_antivm.yar line 497 undefined identifier "pe"
LibClamAV Error: yyerror(): /var/lib/clamav/antidebug_antivm.yar line 512 undefined identifier "pe"
LibClamAV Error: yyerror(): /var/lib/clamav/antidebug_antivm.yar line 528 undefined identifier "pe"
LibClamAV Error: yyerror(): /var/lib/clamav/antidebug_antivm.yar line 544 undefined identifier "pe"
LibClamAV Error: yyerror(): /var/lib/clamav/antidebug_antivm.yar line 557 undefined identifier "pe"
LibClamAV Error: yyerror(): /var/lib/clamav/antidebug_antivm.yar line 603 undefined identifier "pe"
LibClamAV Error: yyerror(): /var/lib/clamav/antidebug_antivm.yar line 614 undefined identifier "pe"
LibClamAV Error: cli_loadyara: failed to parse rules file /var/lib/clamav/antidebug_antivm.yar, error count 7
LibClamAV Error: yyerror(): /var/lib/clamav/EMAIL_Cryptowall.yar line 34 duplicate identifier "CryptoWall_Resume_phish"
LibClamAV Error: yyerror(): /var/lib/clamav/EMAIL_Cryptowall.yar line 52 duplicate identifier "docx_macro"
LibClamAV Error: cli_loadyara: failed to parse rules file /var/lib/clamav/EMAIL_Cryptowall.yar, error count 2

The lines at /var/lib/clamav/antidebug_antivm.yar line 497 are:

496 contition:
497 pe.imports("kernel32.dll","CheckRemoteDebuggerPresent") and
498 pe.imports("kernel32.dll","IsDebuggerPresent")

These seem like rather basic programming bugs. Nevertheless, it does appear to
catch new signatures, e.g.:

/home/HPRS/mpress/Maildir/.Deleted Items/cur/1463485456.M955042P32209.mail,S=13067,W=13269:2,S: Sanesecurity.Foxhole.Zip_fs226.UNOFFICIAL FOUND
/home/HPRS/mpress/Maildir/.Deleted Items/cur/1460374151.M124643P21974.mail,S=30684,W=31217:2,S: Sanesecurity.Spam.12404.Ml.UNOFFICIAL FOUND
/home/HPRS/shay/Maildir/.Trash/cur/1485781802.M776532P6090.mail,S=2905,W=2971:2,S!(1)MAIL:mixedtextportion: Sanesecurity.Junk.33365.UNOFFICIAL FOUND
/home/HPRS/shay/Maildir/.Trash/cur/1486393658.M60634P26487.mail,S=48881,W=49823:2,S: Sanesecurity.Spam.12427.FakeRenew.UNOFFICIAL FOUND
/home/HPRS/dsmith/Maildir/.Deleted Items.Sent/cur/1443025877.M266324P18041.mail,S=22511,W=22844:2,S: Sanesecurity.Foxhole.Zip_Wordexe.1.UNOFFICIAL FOUND

etc.

Has anyone on this list encountered the same problem and if so were you able to
fix them? I'm running Slackware.

Thanks, Mark
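As an added example (not code from the thread, from ClamAV or from clamav-unofficial-sigs), a small Python pre-check that flags, before ClamAV loads a rules file, the two things behind the errors in this thread: YARA rules that reference the pe module and duplicate rule identifiers, plus a helper that comments out a master.conf entry the way Steve suggests. The sample rule file and master.conf excerpt are constructed, and lint_yara and disable_in_master_conf are hypothetical names.

```python
import re

# Constructed sample rules file (not from the thread) modelled on the two error
# classes Mark reported: a rule using the YARA "pe" module, which the replies say
# ClamAV had not implemented, and a rule identifier declared twice.
SAMPLE_YAR = '''import "pe"
rule anti_debug_api { condition: pe.imports("kernel32.dll","IsDebuggerPresent") }
rule docx_macro { strings: $a = "vbaProject.bin" condition: $a }
rule docx_macro { strings: $b = "AutoOpen" condition: $b }
'''

# Constructed master.conf excerpt in the "path|rating # comment" form quoted in Steve's reply.
SAMPLE_MASTER_CONF = '''email/EMAIL_Cryptowall.yar|LOW # CryptoWall Resume phish
Antidebug_AntiVM/antidebug_antivm.yar|LOW # anti debug and anti virtualization techniques used by malware
'''

RULE_RE = re.compile(r'^\s*(?:(?:private|global)\s+)*rule\s+([A-Za-z_]\w*)')
PE_RE = re.compile(r'\bpe\.[A-Za-z_]\w*')

def lint_yara(text: str, path: str = "rules.yar") -> list[str]:
    """Report, in LibClamAV's wording, rules ClamAV would reject: references to
    the pe module and duplicate rule identifiers. Trailing // comments are ignored."""
    problems: list[str] = []
    seen: dict[str, int] = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        code = line.split('//', 1)[0]          # drop trailing line comments
        m = RULE_RE.match(code)
        if m:
            name = m.group(1)
            if name in seen:
                problems.append(f'{path} line {lineno} duplicate identifier "{name}" (first declared at line {seen[name]})')
            else:
                seen[name] = lineno
        if PE_RE.search(code):
            problems.append(f'{path} line {lineno} undefined identifier "pe"')
    return problems

def disable_in_master_conf(conf: str, filename: str) -> str:
    """Comment out the master.conf entry that pulls in `filename` (Steve's suggested fix); idempotent."""
    out = []
    for line in conf.splitlines():
        entry = line.split('|', 1)[0].strip()
        if not entry.startswith('#') and entry.rsplit('/', 1)[-1] == filename:
            line = '#' + line
        out.append(line)
    return '\n'.join(out) + '\n'
```

Run lint_yara over each .yar file the script drops into /var/lib/clamav to see which ones ClamAV will reject, then feed those names to disable_in_master_conf.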