[clamav-users] Clamav error using YARA
Hello,

For some time (less than a month, I think) I have been getting this message when
I launch a directory scan.

================================================
LibClamAV Error: yyerror(): /var/lib/clamav/rfxn.yara line 8955
undefined identifier "is__elf"
LibClamAV Warning: cli_loadyara: failed to parse or load 1 yara rules
from file /var/lib/clamav/rfxn.yara, successfully loaded 784 rules.

---------- SCAN SUMMARY -----------
Known viruses: 6703721
Engine version: 0.101.4
Scanned directories: 27
Scanned files: 341
Infected files: 0
Data scanned: 1602.74 MB
Data read: 1514.41 MB (ratio 1.06:1)
Time: 652.779 sec (10 m 52 s)
================================================

Has anyone already encountered this?
Is there something I could do to fix it?

Thanks for your advice.

Kind regards
Philippe
_______________________________________________

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
Re: [clamav-users] Clamav error using YARA
Hi there,

On Sun, 10 Nov 2019, Philippe Lefèvre wrote:

> For some time (less than a month, I think) I have been getting this message when I
> launch a directory scan.
>
> ================================================
> LibClamAV Error: yyerror(): /var/lib/clamav/rfxn.yara line 8955 undefined
> identifier "is__elf"
> LibClamAV Warning: cli_loadyara: failed to parse or load 1 yara rules from
> file /var/lib/clamav/rfxn.yara, successfully loaded 784 rules.

Please post the output of

grep -n is__elf /var/lib/clamav/rfxn.yara

--

73,
Ged.

Re: [clamav-users] Clamav error using YARA
Hello,

thanks for your reply :-)

here is:
=================================
# grep -n is__elf /var/lib/clamav/rfxn.yara
9112:        is__elf and all of ($s*)
=================================


On 11/11/2019 at 01:02, G.W. Haywood via clamav-users wrote:
> grep -n is__elf /var/lib/clamav/rfxn.yara


Re: [clamav-users] Clamav error using YARA
I'm not entirely familiar with yara, but based on
https://yara.readthedocs.io/en/latest/modules/elf.html , there is no
such function as "is__elf".
Based on a full search of the yara docs, there are only is_dll, is_32bit
and is_64bit.
Further googling shows this:
https://github.com/Yara-Rules/rules/commit/8130cda6a3cd1b470b59e29a769162600bf1efab
It seems is__elf is a private function now, so you can't use it
directly anymore, I guess.


Franky


Re: [clamav-users] Clamav error using YARA
Hi there,

On Mon, 11 Nov 2019, Philippe Lefèvre wrote:

> # grep -n is__elf /var/lib/clamav/rfxn.yara
> 9112:        is__elf and all of ($s*)

Maybe this will help:

https://www.rfxn.com/downloads/maldetect-current.tar.gz

8<----------------------------------------------------------------------
laptop3:~$ >>> grep -n is__elf ~/Downloads/maldetect-1.6.4/files/sigs/rfxn.yara
9068:private rule is__elf
9105: is__elf and all of ($s*)
laptop3:~$ >>>
8<----------------------------------------------------------------------

--

73,
Ged.

Re: [clamav-users] Clamav error using YARA
Hi all,
thanks for your post Ged.

I have maldet 1.6.4 installed under /usr/local:
# maldet -version
=======================
Linux Malware Detect v1.6.4
            (C) 2002-2019, R-fx Networks <proj@rfxn.com>
            (C) 2019, Ryan MacDonald <ryan@rfxn.com>
This program may be freely redistributed under the terms of the GNU GPL v2
=======================

but when I do
# grep -n is__elf /usr/local/maldetect/sigs/rfxn.yara
I get
=======================
9112:        is__elf and all of ($s*)
=======================

Same when I do
# grep -n is__elf /var/lib/clamav/rfxn.yara
=======================
9112:        is__elf and all of ($s*)
=======================

I just downloaded maldet 1.6.4 and had a look in my downloads dir; I
can see
# grep -n is__elf ~/telechargements/maldetect-1.6.4/files/sigs/rfxn.yara
=======================
9068:private rule is__elf
9105:        is__elf and all of ($s*)
=======================

So it seems that neither ClamAV nor Maldet installed on my Debian box
has the right rfxn.* files.

I'm not familiar with these programs, but I would like to understand if
clamav is delivered with an instance of the rfxn files or if those files are
installed with Maldet (part of the Maldet package?) or something else.
Maybe something is/was broken somewhere, and it would save me time to
reinstall maldet or clamav, both, or copy the rfxn.* files?

Please advise.

Thanks



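Ged and Philippe checked one identifier by hand with grep: the tarball copy of rfxn.yara defines `private rule is__elf` before the rule that uses it, while the installed copies contain only the reference, which is exactly what ClamAV's yyerror() "undefined identifier" message complains about. The script below is an added example, not code from the thread, ClamAV, YARA or maldet. It does the same cross-check for a whole file: it lists every rule definition (private rules included), collects every bare identifier used in a condition: block, and reports the ones with no definition above the line that uses them, since YARA requires a referenced rule to be defined before the rule that references it. The two embedded rule sets are constructed for the demonstration and are not the real rfxn signatures (the is__elf body uses the standard ELF magic, 0x464c457f; what rfxn actually ships is not shown on this page). It is a regex-based approximation rather than a YARA parser: multi-line comments, regex literals and external variables are not understood, so an external variable used in a condition would be reported as undefined.

```python
"""Report identifiers used in YARA conditions that no earlier rule defines.

Added example for the thread; not code from ClamAV, YARA or maldet.
Regex-based approximation: multi-line comments, regex literals and external
variables are not understood (an external variable would be reported)."""
import re
import sys
from typing import Dict, List, Tuple

# Words that may appear bare in a condition without naming a rule.
KEYWORDS = {
    "and", "or", "not", "all", "any", "none", "of", "them", "for", "in", "at",
    "true", "false", "filesize", "entrypoint", "contains", "icontains", "matches",
    "startswith", "istartswith", "endswith", "iendswith", "iequals", "defined",
    "int8", "int16", "int32", "uint8", "uint16", "uint32",
    "int8be", "int16be", "int32be", "uint8be", "uint16be", "uint32be",
}

RULE_HEADER = re.compile(r"^\s*(?:(?:private|global)\s+)*rule\s+([A-Za-z_]\w*)")
# Bare identifier: not $str/#count/@offset/!length, not a module member such
# as pe.is_dll, and not a call such as uint32(0).
IDENT = re.compile(r"(?<![$#@!.\w])([A-Za-z_]\w*)(?![\w.(])")
STRING = re.compile(r'"(?:\\.|[^"\\])*"')
COMMENT = re.compile(r"//.*|/\*.*?\*/")
SECTION = re.compile(r"^\s*(meta|strings|condition)\s*:")


def strip_noise(line: str) -> str:
    """Blank out string literals and comments so their contents are ignored."""
    return COMMENT.sub("", STRING.sub('""', line))


def defined_rules(text: str) -> Dict[str, int]:
    """Map each rule name, private rules included, to its definition line."""
    names: Dict[str, int] = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        m = RULE_HEADER.match(strip_noise(line))
        if m:
            names.setdefault(m.group(1), lineno)
    return names


def condition_references(text: str) -> List[Tuple[int, str]]:
    """Return (line, identifier) for every bare identifier in a condition."""
    refs: List[Tuple[int, str]] = []
    depth, in_rule, in_condition, seen_open = 0, False, False, False
    for lineno, line in enumerate(text.splitlines(), 1):
        clean = strip_noise(line)
        if not in_rule:
            if not RULE_HEADER.match(clean):
                continue
            in_rule, in_condition, seen_open, depth = True, False, False, 0
        section = SECTION.match(clean)
        if section:
            in_condition = section.group(1) == "condition"
            clean = clean.split(":", 1)[1]
        if in_condition:
            refs.extend((lineno, m.group(1)) for m in IDENT.finditer(clean)
                        if m.group(1) not in KEYWORDS)
        depth += clean.count("{") - clean.count("}")  # track the rule body's braces
        seen_open = seen_open or depth > 0
        if seen_open and depth <= 0:
            in_rule = in_condition = False
    return refs


def undefined_references(text: str) -> List[Tuple[int, str]]:
    """Condition identifiers with no rule definition above the line using them.

    YARA requires a referenced rule to be defined before the rule that uses
    it, so a definition further down the file does not count."""
    defined = defined_rules(text)
    return [(lineno, name) for lineno, name in condition_references(text)
            if defined.get(name, sys.maxsize) > lineno]


def report(path: str, text: str) -> List[str]:
    """One line per finding, in the spirit of ClamAV's yyerror() message."""
    return [f'{path} line {lineno}: undefined identifier "{name}"'
            for lineno, name in undefined_references(text)]


# Constructed sample rules in the style discussed in the thread, not the real
# rfxn.yara content. 0x464c457f is "\x7fELF" read as a little-endian uint32.
ELF_RULE = """\
private rule is__elf
{
    condition:
        uint32(0) == 0x464c457f
}
"""

DROPPER_RULE = """\
rule elf_example_dropper
{
    strings:
        $s1 = "/tmp/.x" ascii
        $s2 = "chmod +x" ascii
    condition:
        is__elf and all of ($s*)
}
"""

GOOD = ELF_RULE + "\n" + DROPPER_RULE  # tarball layout: the definition comes first
BROKEN = DROPPER_RULE                   # installed copy: only the reference survives

if __name__ == "__main__":
    samples = {"good.yara": GOOD, "broken.yara": BROKEN}
    for path in sys.argv[1:] or list(samples):
        text = samples.get(path) or open(path, encoding="utf-8", errors="replace").read()
        print("\n".join(report(path, text)) or f"{path}: no undefined references")
```

Run without arguments it checks the two constructed samples; run as `python3 yara_undefined.py /var/lib/clamav/rfxn.yara /usr/local/maldetect/sigs/rfxn.yara` it reports, for each copy, the lines that reference a rule the file never defines above them, so a copy that lost its `private rule is__elf` block shows up immediately while the tarball copy reports nothing.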
Re: [clamav-users] Clamav error using YARA
Hello again,

On Mon, 11 Nov 2019, Philippe Lefèvre wrote:

> thanks for your post Ged.

You're very welcome. :)

> ... it seems that neither Clamav nor Maldet installed on my Debian box
> have the right rfxn.* files
>
> I'm not familiar with these programs but I would like to understand if
> clamav is delivered with an instance of rfxn files or if those files are
> installed with Maldet (part of Maldet package?) or something else.

There are Debian packages for ClamAV. I don't think Debian has its
own package for the rfxn signatures but I haven't looked carefully.
If you are using a Debian system I would suggest that using the Debian
ClamAV packages would be the simplest way to install ClamAV. Then you
can install extra signatures very simply, more or less by copying
files to the ClamAV database directory. ClamAV does not supply the
Maldet files, they are what the supplier of ClamAV calls 'third-party'
or 'unofficial' signatures. There are many such sets of signatures
which essentially add functionality to ClamAV, for example I use the
Sanesecurity signatures on mail servers to catch a lot of spam; I'm
less interested in malware as I rule my systems with a rod of iron. :)

> May be something is/was broken somewhere and it would save me time
> reinstall maldet or clamav, both, copy the rfxn.* files?
>
> Please your advise.

The people who produce the Maldet files should be able to help you
better than I can, I'm afraid I know nothing about the installation
process for Maldet. If ClamAV is scanning files normally then I don't
think you need to reinstall it. If ClamAV finds a set of signatures
in a suitable form in its database directory then it will try to load
and use them unless you tell it otherwise. I looked briefly at the
documentation at https://www.rfxn.com/projects/linux-malware-detect/
and I'm afraid it left me asking more questions rather than fewer.

--

73,
Ged.

Re: [clamav-users] Clamav error using YARA
Ok Ged,
many thanks again for your reply.
As far as I can see, ClamAV works well. Only this Maldet error seems
strange to me, as it appeared recently.
Until now, I did not even see the link between clamav and maldet.
I'm going to look at the Maldet installation and YARA integration more
precisely and follow your advice.
Kind regards,
Philippe

