Amir Goldor | 1 Jan 2007 17:12

bad signatures?

Hi,

I think there is a bug in the cli_ac_addpatt() function.

In my kernel module version of clamav, I check for wildcard characters
in the first 2 bytes of the pattern:

    for (i = 0; i < AC_MIN_LENGTH; i++) {
        // wildcard characters not allowed in hash
        if (pattern->pattern[i] == CLI_IGN || pattern->pattern[i] == CLI_ALT)
            return CL_EPATSHORT;
    }

I do that because if such a node is added to the AC trie,
that node will never be found by cli_ac_scanbuff().

There are 2 examples I found in the clamav db for signatures that have
a wildcard character as the 2nd byte of the pattern:

Trojan.Bat.DeltreeY-3:0:*:...{-1}2f(59|79)...
Trojan.IRC-Script-28:0:*:6e??...

Please let me know if I got it wrong.
Thanks,
Amir.
_______________________________________________
http://lurker.clamav.net/list/clamav-devel.html

Török Edvin | 1 Jan 2007 20:08

Re: bad signatures?

On 1/1/07, Amir Goldor <amir73il <at> users.sf.net> wrote:
> Hi,

Hi, please see this thread:
http://lurker.clamav.net/message/20061030.185430.688d1f47.en.html

>
> I think there is a bug in the cli_ac_addpatt() function.
>
> in my kernel module version of clamav, I check for wildcard characters

Is it based on 0.88.x? 0.90 has an improved ac engine.

>
> there are 2 examples I found in the clamav db for signatures that have
> a wildcard character as the 2nd bytes of the pattern:

TK said (in that thread) range wildcards (*,{}). "(59|79)" is not a
range wildcard.

>
> Trojan.Bat.DeltreeY-3:0:*:...{-1}2f(59|79)...
> Trojan.IRC-Script-28:0:*:6e??...

Should work in 0.90rc.

Tomasz: please correct me if I am wrong.

Best regards,
Edwin

Amir Goldor | 2 Jan 2007 12:55

Re: bad signatures?

On 1/1/07, Török Edvin <edwintorok <at> ???> wrote:

>
> Hi, please see this thread:
> http://lurker.clamav.net/message/20061030.185430.688d1f47.en.html
>

I am not sure this discussion is related to the bug I mentioned.

> >
> > I think there is a bug in the cli_ac_addpatt() function.
> >
> > in my kernel module version of clamav, I check for wildcard characters
>
> Is it based on 0.88.x? 0.90 has an improved ac engine.
>

0.88. I didn't check 0.90 yet.

> >
> > there are 2 examples I found in the clamav db for signatures that have
> > a wildcard character as the 2nd bytes of the pattern:
>
> TK said (in that thread) range wildcards (*,{})). "(59|79)" is not a
> range wildcard.
>

I know that a short part signature is not valid.
The problem I am pointing out is that the 2 signatures below are
"valid" according to 0.88, but they will never be detected.

Renato Botelho | 2 Jan 2007 16:43

umask for clamav-milter.sock creation

Hello,

I maintain clamav ports on FreeBSD systems, but I don't use clamav-milter.

Recently, a user asked me he is using clamav-milter with postfix and
postfix was asking him to change socket permissions to 700.

Is there a way to configure it to do it? If not, I'll try a local
solution changing attributes after starting clamav-milter.

Thanks
-- 
Renato Botelho

Stephen Gran | 2 Jan 2007 17:01

Re: umask for clamav-milter.sock creation

On Tue, Jan 02, 2007 at 01:43:22PM -0200, Renato Botelho said:
> Hello,
> 
> I maintain clamav ports on FreeBSD systems, but I don't use clamav-milter.
> 
> Recently, a user asked me he is using clamav-milter with postfix and
> postfix was asking him to change socket permissions to 700.
> 
> Is there a way to configure it to do it? If not i'll try a local
> solution changing attributes after start clamav-milter.

Currently, no.  I am facing the same problem for Debian, so maybe we can
pool ideas, or get a proper patch into the milter to allow socket
permission setting.

Take care,
-- 
 --------------------------------------------------------------------------
|  Stephen Gran                  | "Flattery is all right -- if you don't  |
|  steve <at> lobefin.net             | inhale." -- Adlai Stevenson             |
|  http://www.lobefin.net/~steve |                                         |
 --------------------------------------------------------------------------

Ian Abbott | 3 Jan 2007 12:32

Signal handling in freshclam

Hi folks,

I think there are some problems with signal handling in freshclam.  I 
mentioned these in replies to a message on the clamav-users list:

Subject: Freshclam daemon dies during update process

http://lurker.clamav.net/thread/20070102.182025.9a928260.en.html

There are various problems.

1. Most of the signals caught by the custom handler (apart from SIGCHLD) 
set the 'terminate' variable to a non-zero value, and this can cause the 
main loop ("while (!terminate)") to exit if the signal is received at 
the 'wrong' time.  Perhaps use different variables for different actions?

2. The process spends some time with the SIGUSR1 and SIGALRM signals set 
to their old, default handlers that will kill the process.  In 
particular, if the pause() in main() is woken by a signal other than 
SIGALRM (e.g. SIGHUP from a log rotation script), and the SIGALRM occurs 
later, the process will be killed.  Perhaps SIGUSR1 and SIGALRM should 
never be left set to their default handlers?

3. The 'oldact' variable is used to save the old action for both the 
SIGUSR1 and SIGALRM signals.  It shouldn't matter too much as the 
default action for both signals is to kill the process, but they should 
really be using different variables.  If the solution to '2' above is to 
never use the default handlers, then there would be no reason to save 
the old settings anyway.
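
A sketch of the design that points 1 to 3 above suggest, as an added example that is not taken from the post or from freshclam's source: one flag per action, handlers installed once with sigaction() and never reset to the defaults. All names except `terminate` are hypothetical, and `replay_hup_then_alarm()` stands in for the pause() scenario from point 2.

```c
#define _POSIX_C_SOURCE 200809L
#include <signal.h>
#include <string.h>

/* One flag per action (names other than 'terminate' are hypothetical), so a
 * reload or timer signal can never end the "while (!terminate)" loop. */
static volatile sig_atomic_t terminate, reopen_log, update_now, timer_fired;

static void on_signal(int sig)
{
    switch (sig) {
    case SIGINT:
    case SIGTERM: terminate   = 1; break;
    case SIGHUP:  reopen_log  = 1; break;   /* e.g. log rotation */
    case SIGUSR1: update_now  = 1; break;
    case SIGALRM: timer_fired = 1; break;   /* wake-up only */
    }
}

/* Install the handler once at start-up. SIGUSR1 and SIGALRM are never set
 * back to SIG_DFL, so there is no old action to save. */
static int install_handlers(void)
{
    static const int sigs[] = { SIGINT, SIGTERM, SIGHUP, SIGUSR1, SIGALRM };
    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_signal;
    sigemptyset(&sa.sa_mask);
    for (size_t i = 0; i < sizeof sigs / sizeof sigs[0]; i++)
        if (sigaction(sigs[i], &sa, NULL) != 0)
            return -1;
    return 0;
}

/* Replay the sequence from point 2: SIGHUP arrives first, SIGALRM later.
 * Returns 1 if the process is still running with 'terminate' clear. */
static int replay_hup_then_alarm(void)
{
    if (install_handlers() != 0)
        return -1;
    raise(SIGHUP);
    raise(SIGALRM);
    return !terminate && reopen_log && timer_fired;
}

int main(void)
{
    return replay_hup_then_alarm() == 1 ? 0 : 1;
}
```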


Amir Goldor | 3 Jan 2007 14:14

Re: bad signatures?

On 1/1/07, Török Edvin <edwintorok <at> gmail.com> wrote:
> >
> > I think there is a bug in the cli_ac_addpatt() function.
> >
> > in my kernel module version of clamav, I check for wildcard characters
>
> Is it based on 0.88.x? 0.90 has an improved ac engine.
>
> >
> > there are 2 examples I found in the clamav db for signatures that have
> > a wildcard character as the 2nd bytes of the pattern:
> >
> > Trojan.Bat.DeltreeY-3:0:*:...{-1}2f(59|79)...
> > Trojan.IRC-Script-28:0:*:6e??...
>
> Should work in 0.90rc.
>

I checked the 0.90RC2 code.
As far as I can tell, there is a bug and it is still in there:

cli_add_patt() does:
next = pos->trans[((unsigned char) pattern->pattern[i]) & 0xff];

which is futile in case pattern[i] == CLI_ALT or CLI_IGN

Amir.
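
The concern raised in this message, reduced to a toy depth-2 trie (an added example, not ClamAV source and not code from the thread): it models only the prefix lookup, showing what the quoted `& 0xff` indexing does to a wildcard cell and what the guard from the first post changes. The CLI_IGN/CLI_ALT values, the `short` pattern cells, the node layout and `scan_prefix()` are assumptions made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>

/* Assumed: pattern cells are wider than a byte so wildcard markers fit. */
#define CLI_IGN       0x100   /* "??" any byte (assumed value) */
#define CLI_ALT       0x101   /* "(a|b)" alternatives (assumed value) */
#define AC_MIN_LENGTH 2
#define CL_EPATSHORT  (-1)    /* placeholder error code */

struct node { struct node *trans[256]; int sig_id; };

/* Insert the first AC_MIN_LENGTH cells. With guard == 0 a wildcard cell is
 * truncated to its low byte by "& 0xff"; with guard != 0 it is rejected. */
static int add_patt(struct node *root, const short *pat, int sig_id, int guard)
{
    struct node *pos = root;
    for (int i = 0; i < AC_MIN_LENGTH; i++) {
        if (guard && (pat[i] == CLI_IGN || pat[i] == CLI_ALT))
            return CL_EPATSHORT;
        unsigned idx = ((unsigned char) pat[i]) & 0xff;
        if (!pos->trans[idx] && !(pos->trans[idx] = calloc(1, sizeof *pos)))
            return -2;                      /* out of memory */
        pos = pos->trans[idx];
    }
    pos->sig_id = sig_id;
    return 0;
}

/* Try every AC_MIN_LENGTH-byte window of buf; return the sig_id or 0. */
static int scan_prefix(const struct node *root, const unsigned char *buf, size_t len)
{
    for (size_t off = 0; off + AC_MIN_LENGTH <= len; off++) {
        const struct node *pos = root;
        for (int i = 0; pos && i < AC_MIN_LENGTH; i++)
            pos = pos->trans[buf[off + i]];
        if (pos && pos->sig_id)
            return pos->sig_id;
    }
    return 0;
}

int main(void)
{
    static struct node root;                          /* zero-initialised */
    const short pat[] = { 0x6e, CLI_IGN };            /* constructed: 6e?? */
    const unsigned char data[] = { 0x6e, 0x69, 0x63, 0x6b }; /* constructed */
    int rc = add_patt(&root, pat, 28, 0);
    printf("unguarded: rc %d, scan finds sig %d; guarded: rc %d\n", rc,
           scan_prefix(&root, data, sizeof data), add_patt(&root, pat, 28, 1));
    return 0;
}
```

In this model the unguarded insert succeeds but files the pattern under the byte pair 6e 00, so a buffer containing 6e followed by any other byte is never matched, while the guarded insert reports the pattern as unusable at load time.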

Chris Adams | 3 Jan 2007 20:50

Patch for clamav-milter for opt-in/out control from sendmail

I'm working on migrating to ClamAV for virus filtering, and I have a few
addresses that I need to opt-out of virus filtering.  Here is a patch
that allows sendmail to tell clamav-milter to skip a recipient (and the
entire message if no non-skipped recipients are included).

This is against 0.90rc2.

The patch is only compile-tested so far (I don't have ClamAV in
production yet), but it is based on how I'm skipping recipients in my
current milter (that I wrote).

-- 
Chris Adams <cmadams <at> hiwaay.net>
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.

diff -urN clamav-0.90rc2-dist/clamav-milter/INSTALL clamav-0.90rc2/clamav-milter/INSTALL
--- clamav-0.90rc2-dist/clamav-milter/INSTALL	Wed Jan  3 13:39:27 2007
+++ clamav-0.90rc2/clamav-milter/INSTALL	Wed Jan  3 13:37:09 2007
 <at>  <at>  -237,6 +237,18  <at>  <at> 

 You should always start clamd before clamav-milter.

+To control which recipients are filtered by clamav (for example, to be able to
+opt-out recipients), add "skip_rcpt" to the list of macros passed to clamav
+	define(`confMILTER_MACROS_ENVRCPT',confMILTER_MACROS_ENVRCPT`,{skip_rcpt}')
+
+You will need to write a custom Local_check_rcpt ruleset that clears and sets
+the skip_rcpt macro as appropriate.  If it is set to any non-empty string,
+clamav-milter will not process that recipient.  If there are no non-skipped
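
Review bot: The added INSTALL paragraph starting "You will need to write a custom Local_check_rcpt ruleset" gives no sample ruleset, and since any non-empty skip_rcpt value makes clamav-milter skip that recipient, a mistake in a hand-written ruleset exempts mail from scanning. Please include a minimal example ruleset in the text and state when the macro has to be cleared, given that the text says the ruleset both clears and sets it. The sentence ending "to the list of macros passed to clamav" should also end with a colon and name the file that the define(`confMILTER_MACROS_ENVRCPT', ...) line belongs in.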

Török Edvin | 4 Jan 2007 17:45

Re: bad signatures?

On 1/3/07, Amir Goldor <amir73il <at> users.sf.net> wrote:
> On 1/1/07, Török Edvin <edwintorok <at> gmail.com> wrote:
> > >
> > > I think there is a bug in the cli_ac_addpatt() function.
> > >
> > > in my kernel module version of clamav, I check for wildcard characters
> >
> > Is it based on 0.88.x? 0.90 has an improved ac engine.
> >
> > >
> > > there are 2 examples I found in the clamav db for signatures that have
> > > a wildcard character as the 2nd bytes of the pattern:
> > >
> > > Trojan.Bat.DeltreeY-3:0:*:...{-1}2f(59|79)...
> > > Trojan.IRC-Script-28:0:*:6e??...

I checked these signatures, and they work with 0.90rc2.

> >
> > Should work in 0.90rc.
> >
>
> I checked the 0.90RC2 code.
> as far as I can tell, there is a bug and it is still in there:

If you think there still is a bug in 0.90rc2, please open a bugreport
on bugs.clamav.net, and
provide a test case  (a signature, and a file that should be detected
by clam, but isn't due to this bug).


Nigel Horne | 5 Jan 2007 10:13

Re: Patch for clamav-milter for opt-in/out control from sendmail

Chris Adams wrote:
> I'm working on migrating to ClamAV for virus filtering, and I have a few
> addresses that I need to opt-out of virus filtering. 

man clamav-milter:

       --whitelist-file=FILE, -W file
              This option specifies a file which contains  a  list  of  e-mail
              addresses.  E-mails sent to these addresses will NOT be checked...

-Nigel