Comment 14 for bug 1818211

In , Micasnyd (micasnyd) wrote:

It seems to me that the assertion-failure 'crash' when using antidebug_antivm.yar comes about after this commit:

https://github.com/Cisco-Talos/clamav-devel/commit/5891f83422e699f70e9f9bdcbcc9633f9a4cd5ef

Derived from:
https://bugzilla.clamav.net/show_bug.cgi?id=11567

I am guessing that what's going on is that before the change, it would abandon antidebug_antivm.yar rules when any of them failed to load, and that with the change, it only skips the ones that fail to load.

Before the change, I see:
LibClamAV Error: cli_loadyara: failed to parse rules file /Users/micasnyd/antidebug_antivm.yar, error count 7

With the change, I see:
LibClamAV Warning: cli_loadyara: failed to parse or load 7 yara rules from file /Users/micasnyd/antidebug_antivm.yar, successfully loaded 92 rules.

I haven't yet taken the time to identify which rules in antidebug_antivm.yar are failing, remove them, and verify if one of them still causes a crash in 0.99 and 0.100.