Mailing List Archive

Meaning of the exit code -1073740791
Dear Sir or Madam,

I am using ClamAV for work in my company and am contacting you to inquire about an exit code, which the software returns at my attempt to scan an ordinary, virus-free PDF file:

-1073740791.

Could you, please, tell me, what the exit code stands for, as I have not found any information on it in the documentation on your website.

Thank you in advance.

Kind regards,
Anastasiia Korzhylova
Software Developer


RIEPING SoftwareConsulting GmbH
Gewerbepark Grüner Weg 26
59269 Beckum
Germany

Phone: +49 2521 823725-0

Email: anastasiia.korzhylova@r-sc.de
Website: http://www.r-sc.de

Managing Director Dr. Ingo Rieping
Münster District Court, HRB 14351
Re: Meaning of the exit code -1073740791
Hi there,

On Tue, 9 Aug 2022, Anastasiia Korzhylova wrote:

> I am using ClamAV for work in my company and am contacting you to inquire about an exit code, which the software returns at my attempt to scan an ordinary, virus-free PDF file:
>
> -1073740791.
>
> Could you, please, tell me, what the exit code stands for, as I have not found any information on it in the documentation on your website.

It's possible that something in ClamAV is having difficulty with some
part of the PDF file, but you have not given enough information for us
to know what you have done so that we could reproduce it if necessary.

If you can repeat the command using verbose logging or verbose output
(see the documentation for how to do that) ClamAV might provide
more information to you which might help you.

If you can put a copy of the PDF file somewhere on the Web for us so
that we can scan it in the same way that you do that might help too.

But we really need you to tell us exactly what you did. When you do
that, please include information about your operating system(s), the
version of ClamAV which you are using, how you obtained and installed
it, which parts of it you are using (for example clamd and clamdscan,
or clamscan), the command(s) which you gave when ClamAV gave the exit
code, and the *entire* output of the command.

The output of

clamconf -n

will include much of the information we need and would help us.

Incidentally

1073740791 - 2^30 + 2^10 + 2^3 + 2^0 = 0

Which tells me that a number of flags is set in the return code, but
at the moment I do not know what they are nor why they are being set
because I have no idea what is producing the return code. :/

--

73,
Ged.
_______________________________________________

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/Cisco-Talos/clamav-documentation

https://docs.clamav.net/#mailing-lists-and-chat
Re: Meaning of the exit code -1073740791
Hi Anastasiia,

The exit code `-1073740791` means the program crashed (on Windows). This type of issue may be a security vulnerability, depending on what is going on.

If you could share the PDF file with my team privately, I would like to investigate. You can email it to me directly in an encrypted / password protected zip archive, or send it to Cisco PSIRT using these instructions, and they will relay it to me for investigation: https://github.com/Cisco-Talos/clamav/security/policy#vulnerability-reporting-best-practices

Regards,
Micah

Micah Snyder
ClamAV Development
Talos
Cisco Systems, Inc.
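
Added example (not part of any message in this thread, and not ClamAV's own code): the "flags" in Ged's arithmetic and the crash Micah describes are the same value seen two ways, because -1073740791 read as an unsigned 32-bit NTSTATUS is 0xC0000409. The Python sketch below decodes that layout and maps clamscan's documented return codes 0/1/2 to a verdict; the function names and the fail-closed policy are assumptions of this example.

```python
from dataclasses import dataclass

SEVERITY = {0: "success", 1: "informational", 2: "warning", 3: "error"}

# A few well-known NTSTATUS values (subset of ntstatus.h).
KNOWN_STATUS = {
    0xC0000005: "STATUS_ACCESS_VIOLATION",
    0xC0000135: "STATUS_DLL_NOT_FOUND",
    0xC0000374: "STATUS_HEAP_CORRUPTION",
    # Also raised by fail-fast aborts, so the name alone does not
    # prove that a stack buffer was overrun.
    0xC0000409: "STATUS_STACK_BUFFER_OVERRUN",
}

# Return codes documented in the clamscan man page.
CLAMSCAN_CODES = {0: "clean", 1: "infected", 2: "scanner-error"}


@dataclass(frozen=True)
class NtStatus:
    value: int      # exit code as an unsigned 32-bit number
    severity: str   # bits 31-30
    customer: bool  # bit 29 (set for non-Microsoft codes)
    facility: int   # bits 27-16
    code: int       # bits 15-0
    name: str


def decode_exit_code(exit_code: int) -> NtStatus:
    """Split a signed 32-bit exit code into NTSTATUS fields."""
    value = exit_code & 0xFFFFFFFF  # two's complement -> unsigned
    return NtStatus(
        value=value,
        severity=SEVERITY[value >> 30],
        customer=bool(value & 0x20000000),
        facility=(value >> 16) & 0x0FFF,
        code=value & 0xFFFF,
        name=KNOWN_STATUS.get(value, "unknown"),
    )


def classify_scan(exit_code: int) -> str:
    """Map a clamscan exit code to a verdict (names are this example's)."""
    if exit_code in CLAMSCAN_CODES:
        return CLAMSCAN_CODES[exit_code]
    status = decode_exit_code(exit_code)
    if status.severity == "error":
        return f"crashed:{status.name}:0x{status.value:08X}"
    return "unknown"


def file_is_acceptable(exit_code: int) -> bool:
    """Fail closed: only an explicit 'clean' verdict passes the file."""
    return classify_scan(exit_code) == "clean"


if __name__ == "__main__":
    print(decode_exit_code(-1073740791))
    print(classify_scan(-1073740791))
```

A wrapper that treats empty scanner output as "nothing found" would let files through whenever the scanner dies; checking the exit code this way closes that gap.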
Re: Meaning of the exit code -1073740791
Hello Ged,

thank you for your reply!

And for your tip - I will try doing verbose logging and will see if it provides me with any new information!

As to the PDF file, ClamAV crashes in the attempt to scan any, unfortunately... For example, I've been using the file in the attachment ("Test.pdf") for testing purposes - and the scan failed.

As a matter of fact, I am using ClamAV as a tool in a C# project (.NET Framework 4.6.2) - in the following context:

try
{
    ProcessStartInfo startInfo = new ProcessStartInfo
    {
        FileName = @"""" + virusScanCommand + @"""",
        Arguments = @"""" + fullFilename + @"""",
        UseShellExecute = false,
        RedirectStandardOutput = true,
        CreateNoWindow = true,
        WorkingDirectory = Path.GetDirectoryName(virusScanCommand)
    };
    Process scan = Process.Start(startInfo);

    string output = scan.StandardOutput.ReadToEnd();
    ...
}
catch (Exception exp) {...}

where virusScanCommand is @"C:\Program Files\ClamAV\clamscan.exe" and fullFilename is a PDF file in Windows Temp folder, which is different every time. For example: @"C:\Users\anastasiia\AppData\Local\Temp\tmp4F0A.tmp".

The program doesn't catch any errors and runs normally after starting the process; it's the variable output that is for some reason empty. That's why I only found out about the exit code when I started logging.

As to the other information you requested, I am using:

- Windows 10 Enterprise, version 21H1, build 19043.1766, 64-bit OS, x64-based processor,

- clamscan (version 0.105.0.0), which I downloaded from https://www.clamav.net/downloads and activated by strictly following these instructions: https://blog.didierstevens.com/2017/08/24/quickpost-using-clamav-on-windows/.

And the output of "clamconf -n" is the following:

"
Config file: clamd.conf
-----------------------
TCPSocket = "3310"
TCPAddr = "localhost"

Config file: freshclam.conf
---------------------------
DatabaseMirror = "database.clamav.net"

clamav-milter.conf not found

Software settings
-----------------
Version: 0.105.0
Optional features supported: MEMPOOL AUTOIT_EA06 BZIP2 LIBXML2 PCRE2 JSON RAR

Database information
--------------------
Database directory: C:\Program Files\ClamAV\database
bytecode.cvd: version 333, sigs: 92, built on Mon Mar 8 16:21:51 2021
daily.cvd: version 26566, sigs: 1985565, built on Wed Jun 8 10:05:45 2022
main.cvd: version 62, sigs: 6647427, built on Thu Sep 16 14:32:42 2021
Total number of signatures: 8633084

Platform information
--------------------
uname: Microsoft Windows 6.2 SP0.0 Build 9200
OS: Windows, ARCH: AMD64, CPU: AMD64
zlib version: 1.2.12 (1.2.12), compile flags: 65
platform id: 0x10259696080000000000077c

Build information
-----------------
Microsoft Visual C++: (0.7.124)
sizeof(void*) = 8
Engine flevel: 150, dconf: 150
".

It might seem at first sight that the problem lies somewhere in the C# code, but it doesn't. I have used a .cmd file (a primitive scan simulation) to test Process.Start() and it worked perfectly. Moreover, ClamAV does return an output when I run the program in debug mode, but it doesn't when the software is run in release, which makes the problem even more obscure.

I hope you can help me with it! I will be happy to provide you with any further information, if needed.

Kind regards,

Anastasiia


Re: Meaning of the exit code -1073740791
Hello Micah,

thank you for your reply and readiness to help!

Ged (G.W. Haywood clamav@jubileegroup.co.uk) has already contacted me to help me with my problem.

Kind regards,

Anastasiia


Re: Meaning of the exit code -1073740791
Hello again Anastasiia,

On Wed, 10 Aug 2022, Anastasiia Korzhylova wrote:

> ... ClamAV crashes in the attempt to scan any, unfortunately... For
> example, I've been using the file in the attachment ("Test.pdf") for
> testing purposes - and the scan failed.

As Micah said in his reply to you, if ClamAV is crashing there could
be security implications. It's best if you follow his advice and make
a report through the channel he suggested. We are still using the LTS
version (0.103.x) here, and only on Linux, but your sample PDF scanned
here just fine using both clamscan and clamdscan+clamd:

8<----------------------------------------------------------------------
$ clamscan ~/Test.pdf
/home/ged/Test.pdf: OK

----------- SCAN SUMMARY -----------
Known viruses: 8809962
Engine version: 0.103.7
Scanned directories: 0
Scanned files: 1
Infected files: 0
Data scanned: 0.17 MB
...
...
$ clamdscan ~/Test.pdf
/home/ged/Test.pdf: OK

----------- SCAN SUMMARY -----------
Infected files: 0
Time: 1.736 sec (0 m 1 s)
8<----------------------------------------------------------------------

Having said that I'm not sure that you've found a problem in ClamAV.
Perhaps there are issues with your build and/or implementation processes.

> ... virusScanCommand is @"C:\Program Files\ClamAV\clamscan.exe" ...

You might want to consider using clamdscan and clamd instead of
clamscan, because clamscan will reload the signature database every
time it runs and that takes some time whereas clamdscan uses clamd,
which is a persistent daemon and only loads the database at startup.

> The program doesn't catch any errors and runs normally after
> starting the process, it's the variable output that is for some
> reason empty.

I guess that's because of the crash - it isn't getting as far as
writing the output.

> ... downloaded from https://www.clamav.net/downloads and activated
> by strictly following these instructions:
> https://blog.didierstevens.com/2017/08/24/quickpost-using-clamav-on-windows/.

That post is five years old. The build system has changed a lot since
2017, and in any case I have very little or no confidence in "Me Too"
Websites, "I did this" blogs and other such hangers-on in the security
world. I believe it's best to follow the official documentation,
which in this case is to be found at

https://docs.clamav.net

Note especially the instructions for updating the signature database,
see my comments below about your 'daily' database.

> TCPSocket = "3310"
> TCPAddr = "localhost"

Unless you're planning to both use clamd on the local host, and access
it remotely, I'm not sure that you will want to use TCP. Clamd's TCP
socket is unprotected, so you would most probably want to firewall it
to prevent possible abuse.

> Database information
> --------------------
> Database directory: C:\Program Files\ClamAV\database
> bytecode.cvd: version 333, sigs: 92, built on Mon Mar 8 16:21:51 2021
> daily.cvd: version 26566, sigs: 1985565, built on Wed Jun 8 10:05:45 2022
> main.cvd: version 62, sigs: 6647427, built on Thu Sep 16 14:32:42 2021
> Total number of signatures: 8633084

Your daily database is two months out of date. Have you run freshclam?
The 'daily' database really is updated more-or-less daily. :)

> ...
> I am using: ... Windows 10 Enterprise,
> ...
> Platform information
> --------------------
> uname: Microsoft Windows 6.2 SP0.0 Build 9200

I'm unfamiliar with the output of the platform information on Windows
but I shouldn't have expected to see "Build 9200" on a Win10 system.

> ... ClamAV does return an output, when I run the program in debug
> mode, but it doesn't when the software is run in release, which
> makes the problem even more obscure.

It is not at all unusual for things to run in debug mode and crash in
production. And of course vice-versa. :(

I'm sure that many thousands of people successfully use ClamAV on
Windows 10 systems, so I feel sure that if something in your build or
install isn't broken then the way that you're trying to use it has
shown up something unexpected, and Micah will be able to help you find
and fix the problem although that may take some time. In the meantime
I suggest that you remove all the ClamAV code, libraries and binaries
from your machine and re-install ClamAV with reference to the current
official documentation, then try scanning your PDF files again. It's
important to clean out old libraries etc. because you don't want a new
ClamAV using versions of libraries from an old one. That's a possible
source of problems which can be difficult to diagnose.

If you still have trouble please do get back to us.

--

73,
Ged.
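
Added example (not part of any message above and not ClamAV's own code): one way to automate the staleness check Ged does by eye on the "Database information" block of `clamconf -n`. Only the daily database is tested, because main and bytecode are rebuilt far less often; the two-day threshold and the function names are assumptions of this example, and the reference date is the 10 Aug 2022 date of the message Ged quotes.

```python
import re
from datetime import date, datetime

# Sample input: the database lines from the clamconf output quoted in this thread.
CLAMCONF_SAMPLE = """\
Database directory: C:\\Program Files\\ClamAV\\database
bytecode.cvd: version 333, sigs: 92, built on Mon Mar 8 16:21:51 2021
daily.cvd: version 26566, sigs: 1985565, built on Wed Jun 8 10:05:45 2022
main.cvd: version 62, sigs: 6647427, built on Thu Sep 16 14:32:42 2021
Total number of signatures: 8633084
"""

# Matches e.g. "daily.cvd: version 26566, sigs: 1985565, built on <date>".
# freshclam may also leave an incrementally updated ".cld" file.
DB_LINE = re.compile(
    r"^(?P<name>\w+)\.(?:cvd|cld): version (?P<version>\d+), "
    r"sigs: (?P<sigs>\d+), built on (?P<built>.+)$"
)


def parse_databases(clamconf_text):
    """Return {db name: {'version', 'sigs', 'built'}} from clamconf output."""
    dbs = {}
    for line in clamconf_text.splitlines():
        m = DB_LINE.match(line.strip())
        if not m:
            continue
        built = datetime.strptime(m["built"], "%a %b %d %H:%M:%S %Y")
        dbs[m["name"]] = {
            "version": int(m["version"]),
            "sigs": int(m["sigs"]),
            "built": built.date(),
        }
    return dbs


def daily_age_days(clamconf_text, today):
    """Age of the daily database in days, or None if it is missing."""
    daily = parse_databases(clamconf_text).get("daily")
    return None if daily is None else (today - daily["built"]).days


def daily_is_stale(clamconf_text, today, max_age_days=2):
    """A missing daily database counts as stale (threshold is assumed)."""
    age = daily_age_days(clamconf_text, today)
    return age is None or age > max_age_days


if __name__ == "__main__":
    ref = date(2022, 8, 10)
    print(daily_age_days(CLAMCONF_SAMPLE, ref), daily_is_stale(CLAMCONF_SAMPLE, ref))
```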