Re: [clamav-users] Clamscan crash on Mac OS X - yara rules

2018-05-17 Thread Micah Snyder (micasnyd) via clamav-users
--- Begin Message ---
Yes, please attach to https://bugzilla.clamav.net/show_bug.cgi?id=12077 and 
we'll take a look.

Unfortunately ClamAV yara support isn't as comprehensive as the full yara 
language definition.  There's no guarantee that legitimate yara rules for other 
applications will work with ClamAV without testing of each rule.  We have plans 
to improve the yara support, but I'm unsure if / when full yara support could 
be implemented.


Micah Snyder
ClamAV Development
Talos
Cisco Systems, Inc.


On May 17, 2018, at 1:27 AM, Al Varnell via clamav-users 
<clamav-users@lists.clamav.net> wrote:


From: Al Varnell <alvarn...@mac.com>
Subject: Re: [clamav-users] Clamscan crash on Mac OS X - yara rules
Date: May 17, 2018 at 1:27:03 AM EDT
To: ClamAV users ML <clamav-users@lists.clamav.net>


You almost certainly need to attach it to a ticket at 
<https://bugzilla.clamav.net/>. I don't see how 
anybody would be able to make sense of a partial crash report.

That being said, it's almost certainly the result of a misconfigured yara rule, 
so they will need to see that, as well, if you have the time to narrow it down 
to a single list. I know there is already an open ticket on a previous rule 
from an UNOFFICIAL definition list.

-Al-
ClamXAV User

On Wed, May 16, 2018 at 07:08 PM, James Brown via clamav-users wrote:


Application Specific Information:
Assertion failed: (sp == 0), function yr_execute_code, file yara_exec.c, line 177.

Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0   libsystem_kernel.dylib 0x7fff9895d82a __kill + 10
1   libsystem_c.dylib      0x7fff92ed6a9c abort + 177
2   libsystem_c.dylib      0x7fff92f095de __assert_rtn + 146
3   libclamav.7.dylib      0x00010eaa61ee yr_execute_code + 4638 (yara_exec.c:177)
4   libclamav.7.dylib      0x00010e9c7560 cli_exp_eval + 928 (matcher.c:817)
5   libclamav.7.dylib      0x00010e9c8bbc cli_fmap_scandesc + 3900 (matcher.c:1220)
6   libclamav.7.dylib      0x00010e9de079 cli_scanraw + 153 (scanners.c:2424)
7   libclamav.7.dylib      0x00010e9ddb4d magic_scandesc + 10333 (scanners.c:3469)
8   libclamav.7.dylib      0x00010e9e000d cli_base_scandesc + 365 (scanners.c:3616)
9   libclamav.7.dylib      0x00010e9e05df scan_common + 671 (scanners.c:4016)
10  libclamav.7.dylib      0x00010e9e06b2 cl_scandesc_callback + 34 (scanners.c:4030)
11  clamscan               0x00010e9a1a95 scanfile + 741 (manager.c:392)
12  clamscan               0x00010e9a12a1 scanmanager + 5729 (manager.c:1166)
13  clamscan               0x00010e99f968 main + 680 (clamscan.c:161)
14  clamscan               0x00010e99aff4 start + 52

Let me know if there’s an email address I can send the full crash logs to if that would help.

Thanks,

James.


___
clamav-users mailing list
clamav-users@lists.clamav.net
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml

--- End Message ---


Re: [clamav-users] Clamscan crash on Mac OS X - yara rules

2018-05-16 Thread Al Varnell via clamav-users
--- Begin Message ---
You almost certainly need to attach it to a ticket at 
<https://bugzilla.clamav.net/>. I don't see how 
anybody would be able to make sense of a partial crash report.

That being said, it's almost certainly the result of a misconfigured yara rule, 
so they will need to see that, as well, if you have the time to narrow it down 
to a single list. I know there is already an open ticket on a previous rule 
from an UNOFFICIAL definition list.

-Al-
ClamXAV User

On Wed, May 16, 2018 at 07:08 PM, James Brown via clamav-users wrote:
> 
> 
> Application Specific Information:
> Assertion failed: (sp == 0), function yr_execute_code, file yara_exec.c, line 177.
> 
> Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
> 0   libsystem_kernel.dylib 0x7fff9895d82a __kill + 10
> 1   libsystem_c.dylib      0x7fff92ed6a9c abort + 177
> 2   libsystem_c.dylib      0x7fff92f095de __assert_rtn + 146
> 3   libclamav.7.dylib      0x00010eaa61ee yr_execute_code + 4638 (yara_exec.c:177)
> 4   libclamav.7.dylib      0x00010e9c7560 cli_exp_eval + 928 (matcher.c:817)
> 5   libclamav.7.dylib      0x00010e9c8bbc cli_fmap_scandesc + 3900 (matcher.c:1220)
> 6   libclamav.7.dylib      0x00010e9de079 cli_scanraw + 153 (scanners.c:2424)
> 7   libclamav.7.dylib      0x00010e9ddb4d magic_scandesc + 10333 (scanners.c:3469)
> 8   libclamav.7.dylib      0x00010e9e000d cli_base_scandesc + 365 (scanners.c:3616)
> 9   libclamav.7.dylib      0x00010e9e05df scan_common + 671 (scanners.c:4016)
> 10  libclamav.7.dylib      0x00010e9e06b2 cl_scandesc_callback + 34 (scanners.c:4030)
> 11  clamscan               0x00010e9a1a95 scanfile + 741 (manager.c:392)
> 12  clamscan               0x00010e9a12a1 scanmanager + 5729 (manager.c:1166)
> 13  clamscan               0x00010e99f968 main + 680 (clamscan.c:161)
> 14  clamscan               0x00010e99aff4 start + 52
> 
> Let me know if there’s an email address I can send the full crash logs to if that would help.
> 
> Thanks,
> 
> James.
--- End Message ---
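
Added example (not part of the original messages and not ClamAV project code): one way to narrow a crash like the one in this thread down to a single rule file is to load each YARA file on its own with `clamscan -d` and note which runs end in a signal or a load error. The function name, the rule directory layout and the sample path are assumptions.

```shell
#!/bin/sh
# Added example: load every YARA rule file separately and report the ones
# whose scan ends in a signal (e.g. SIGABRT from a failed assertion) or in
# scanner exit status 2 (error, such as a rule that fails to load).
#
# Usage: find_crashing_rule_files SCANNER RULE_DIR SAMPLE
#   SCANNER   scanner command, e.g. clamscan (must accept --no-summary, -d)
#   RULE_DIR  directory with the *.yar / *.yara files (assumed layout)
#   SAMPLE    a file whose scan reproduces the crash (assumed to exist)
find_crashing_rule_files() {
    fcrf_scanner=$1
    fcrf_dir=$2
    fcrf_sample=$3
    for fcrf_rules in "$fcrf_dir"/*.yar "$fcrf_dir"/*.yara; do
        # An unmatched glob is left as a literal pattern; skip it.
        [ -f "$fcrf_rules" ] || continue
        fcrf_rc=0
        # -d loads only this file as the signature database.
        "$fcrf_scanner" --no-summary -d "$fcrf_rules" "$fcrf_sample" \
            >/dev/null 2>&1 || fcrf_rc=$?
        if [ "$fcrf_rc" -gt 128 ]; then
            # The shell reports death by signal N as status 128+N.
            echo "SIGNAL $((fcrf_rc - 128)) $fcrf_rules"
        elif [ "$fcrf_rc" -eq 2 ]; then
            echo "ERROR $fcrf_rules"
        fi
        # Status 0 (clean) and 1 (match found) mean the rules ran normally.
    done
    return 0
}

# Example call (paths are placeholders):
#   find_crashing_rule_files clamscan /path/to/yara-rules /path/to/sample
```

A file reported as `SIGNAL 6` made the scanner abort when loaded alone, so that rule file is the one to include with the crash report.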