Mailing List Archive

[clamav-users] Clamd crashes frequently - macOS Catalina
Getting lots of crashes of clamd. No indication of an issue in the clamd.log.

Installed via Homebrew.

Crash Report has:
Process: clamd [29231]
Path: /usr/local/Cellar/clamav/0.102.2/sbin/clamd
Identifier: clamd
Version: 0
Code Type: X86-64 (Native)

Crashed Thread: 2

Exception Type: EXC_BAD_ACCESS (SIGBUS)
Exception Codes: KERN_PROTECTION_FAILURE at 0x0000700000a1cfa8
Exception Note: EXC_CORPSE_NOTIFY

Termination Signal: Bus error: 10
Termination Reason: Namespace SIGNAL, Code 0xa
Terminating Process: exc handler [29231]

VM Regions Near 0x700000a1cfa8:
Stack 000070000099a000-0000700000a1c000 [ 520K] rw-/rwx SM=COW thread 1
--> STACK GUARD 0000700000a1c000-0000700000a1d000 [ 4K] ---/rwx SM=NUL stack guard for thread 2
Stack 0000700000a1d000-0000700000b1f000 [ 1032K] rw-/rwx SM=COW thread 2

Application Specific Information:
crashed on child side of fork pre-exec

Thread 0:: Dispatch queue: com.apple.main-thread
0 libsystem_kernel.dylib 0x00007fff6f6883d6 poll + 10
1 clamd 0x00000001001c2bbe fds_poll_recv + 426
2 clamd 0x00000001001c06c1 recvloop_th + 9039
3 clamd 0x00000001001bb76b main + 5428
4 libdyld.dylib 0x00007fff6f540cc9 start + 1

Thread 1:
0 libsystem_kernel.dylib 0x00007fff6f6883d6 poll + 10
1 clamd 0x00000001001c2bbe fds_poll_recv + 426
2 clamd 0x00000001001c0b57 acceptloop_th + 114
3 libsystem_pthread.dylib 0x00007fff6f745109 _pthread_start + 148
4 libsystem_pthread.dylib 0x00007fff6f740b8b thread_start + 15

Thread 2 Crashed:
0 libpcre.0.dylib 0x00007fff6e41eae6 0x7fff6e40a000 + 84710
1 libpcre.0.dylib 0x00007fff6e41edea 0x7fff6e40a000 + 85482
2 libpcre.0.dylib 0x00007fff6e42d10c 0x7fff6e40a000 + 143628
3 libpcre.0.dylib 0x00007fff6e42d10c 0x7fff6e40a000 + 143628
4 libpcre.0.dylib 0x00007fff6e42d10c 0x7fff6e40a000 + 143628

Etc

Thread 2 crashed with X86 Thread State (64-bit):
rax: 0x000000000000076c rbx: 0x00007fda45f3b432 rcx: 0x0000000000000006 rdx: 0x00000001047437ab
rdi: 0x0000000104743f2d rsi: 0x00007fda45f3b435 rbp: 0x0000700000a1d0d0 rsp: 0x0000700000a1cec0
r8: 0x0000700000b196a0 r9: 0x0000000000000006 r10: 0x000000000000007e r11: 0x0080000000000083
r12: 0x0000000104743f2d r13: 0x0000000000000000 r14: 0x0000000000000000 r15: 0x0000000000000000
rip: 0x00007fff6e41eae6 rfl: 0x0000000000010206 cr2: 0x0000700000a1cfa8

Logical CPU: 8
Error Code: 0x00000006 (no mapping for user data write)
Trap Number: 14


I use a number of the third party sigs, securite.info, sanesecurity, Malware Patrol, etc. Updating those or running Freshclam does not crash clamd.

Any ideas what could be causing this?

Thanks,

James.
Re: [clamav-users] Clamd crashes frequently - macOS Catalina
Hi there,

On Fri, 1 May 2020, James Brown via clamav-users wrote:

> Getting lots of crashes of clamd. No indication of an issue in the clamd.log.
> ...
> --> STACK GUARD 0000700000a1c000-0000700000a1d000 [ 4K] ---/rwx SM=NUL stack guard for thread 2
> Stack 0000700000a1d000-0000700000b1f000 [ 1032K] rw-/rwx SM=COW thread 2
> ...
> Thread 2 Crashed:
> 0 libpcre.0.dylib 0x00007fff6e41eae6 0x7fff6e40a000 + 84710
> ...

I'm unfamiliar with some of the tools that you're using but many here
can relate their experiences of the outstandingly good stability of
clamd under what I'll call normal circumstances. Some of us have even
pushed the envelope a little with no stability issues at all.

Unfortunately I have no experience of anything on a Mac that's under
20 years old so you'll need to treat my guesses with caution, but it
looks like a PCRE library is bashing the stack there. It's the sort
of thing that a dodgy PCRE library might easily be expected to do.
Where did it come from? This is the library I'm using on a Raspberry
Pi4b, old but not very old by the standards of the distribution:

$ pldd `pidof clamd` | grep libpcre | xargs ls -lL
-rw-r--r-- 1 root root 485200 Mar 25 2019 /usr/lib/arm-linux-gnueabihf/libpcre2-8.so.0

I looked at

https://www.apple.com/uk/macos/catalina/

and it gave me the impression that the OS is "for entertainment only"
but I guess I'm just an old grouch.

> I use a number of the third party sigs, securite.info, sanesecurity,
> Malware Patrol, etc. Updating those or running Freshclam does not
> crash clamd.

Do the clamd crashes happen at particular times, such as when clamd is
reloading its databases, or is it while scanning?

> Any ideas what could be causing this?

It's probably easier to say what it's likely not to be. :( My guess is
that it's likely not to be a fault in clamd itself, but in something in
your OS to which clamd is linking, but I think there's less testing of
ClamAV on Macs generally than on e.g. Linux, so anything's possible.

How much RAM is in the machine? You'll need at least 2G free before
starting clamd and freshclam, likely more with many 3rd party sigs.

--

73,
Ged.

_______________________________________________

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
Re: [clamav-users] Clamd crashes frequently - macOS Catalina
Try excluding Email.Exploit.Efail-6641027-1 from the main ClamAV set. You can do that by adding the signature name to a file called anything_you_like.ign2 and putting it in your database directory.

We had an issue with something crashing clamd and we strongly suspect that signature is to blame. It hasn't crashed since we started excluding it from the DB.

Mark

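Mark's .ign2 exclusion, written out as an added example (this is not code from the thread or from the ClamAV project): a few POSIX sh functions that add a signature name to an .ign2 file exactly once, validate the name before it touches the database directory, list or remove entries, and ask the running daemon to reload. The database directory default and the file name `local-exclusions.ign2` are assumptions; clamd loads every `*.ign2` file it finds in its DatabaseDirectory, so any name works. The demonstration at the bottom uses a temporary file so it runs anywhere.

```shell
#!/bin/sh
# Added example, not code from the thread or from ClamAV itself: maintain the
# .ign2 exclusion file Mark describes. An .ign2 file lists one signature name
# per line; clamd skips those signatures once its databases are reloaded.
# DBDIR is an assumption (a common Homebrew layout); set it to whatever
# DatabaseDirectory in clamd.conf points at.
DBDIR=${DBDIR:-/usr/local/var/lib/clamav}
IGN2_FILE=${IGN2_FILE:-$DBDIR/local-exclusions.ign2}

ign2_valid_name() {
  # Conservative check on the characters a ClamAV signature name is expected
  # to contain (letters, digits, '.', '_', '-'); rejects whitespace and shell
  # metacharacters before they reach the database file.
  printf '%s' "$1" | grep -Eq '^[A-Za-z0-9._-]+$'
}

ign2_add() {
  # Usage: ign2_add FILE SIGNATURE. Appends the name once; returns 1 when the
  # name is malformed, 0 otherwise (also when it was already present).
  file=$1 sig=$2
  if ! ign2_valid_name "$sig"; then
    echo "ign2_add: refusing malformed signature name '$sig'" >&2
    return 1
  fi
  [ -f "$file" ] || : > "$file"
  if grep -qxF -- "$sig" "$file"; then return 0; fi   # already excluded
  printf '%s\n' "$sig" >> "$file"
}

ign2_remove() {
  # Usage: ign2_remove FILE SIGNATURE. Drops the name, re-enabling the signature.
  file=$1 sig=$2
  [ -f "$file" ] || return 0
  tmp=$(mktemp) || return 1
  grep -vxF -- "$sig" "$file" > "$tmp" || :   # grep exits 1 when nothing is left
  cat "$tmp" > "$file" && rm -f "$tmp"
}

ign2_list() {
  # Prints the names currently excluded, skipping blank lines.
  [ -f "$1" ] || return 0
  grep -v '^[[:space:]]*$' "$1" || :
}

ign2_count() {
  # Number of excluded names in FILE (prints 0 for a missing or empty file).
  ign2_list "$1" | grep -c . || :
}

ign2_reload() {
  # The exclusion only takes effect after a reload; clamdscan --reload sends
  # the RELOAD command to the running clamd.
  command -v clamdscan >/dev/null 2>&1 && clamdscan --reload
}

# Demonstration on a temporary file; on a real host use $IGN2_FILE instead:
#   ign2_add "$IGN2_FILE" Email.Exploit.Efail-6641027-1 && ign2_reload
demo=$(mktemp)
ign2_add "$demo" Email.Exploit.Efail-6641027-1
ign2_add "$demo" Email.Exploit.Efail-6641027-1   # second add is a no-op
ign2_list "$demo"                                 # the name appears once
rm -f "$demo"
```

Keeping the exclusion file in a separate `*.ign2` rather than editing the official databases means freshclam updates never overwrite it; the trade-off is that the file silently persists, so record why each name is there somewhere you will see it again.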
Re: [clamav-users] Clamd crashes frequently - macOS Catalina
On 1 May 2020, at 7:20 pm, G.W. Haywood via clamav-users <clamav-users@lists.clamav.net> wrote:
>
> it gave me the impression that the OS is "for entertainment only"


Some people think that, but it does have BSD Unix as its base.

> Do the clamd crashes happen at particular times, such as when clamd is
> reloading its databases, or is it while scanning?

It doesn’t happen when loading the databases. It will go for sometimes hours, sometimes less. It finds and blocks viruses, etc.

> How much RAM is in the machine? You'll need at least 2G free before
> starting clamd and freshclam, likely more with many 3rd party sigs.


clamd is using 1.70GB of RAM. Machine has 34 GB total, of which there is still 13 GB free.

I’ll try ignoring the signature that Mark suggested and hope that does the trick.

Thanks.
Re: [clamav-users] Clamd crashes frequently - macOS Catalina
> On 1 May 2020, at 8:31 pm, Mark Allan via clamav-users <clamav-users@lists.clamav.net> wrote:
>
> Try excluding Email.Exploit.Efail-6641027-1 from the main ClamAV set. You can do that by adding the signature name to a file called anything_you_like.ign2 and putting it in your database directory.
>
> We had an issue with something crashing clamd and we strongly suspect that signature is to blame. It hasn't crashed since we started excluding it from the DB.
>
> Mark

Thanks Mark. Have created the file with "Email.Exploit.Efail-6641027-1" in it. Databases have been reloaded. Will see how it goes over the next 12 hours.

Thanks again,

James.
Re: [clamav-users] Clamd crashes frequently - macOS Catalina
Ged,

This may be an excellent observation. I also see that you're using libpcre instead of libpcre2. libpcre and libpcre2 versions earlier than 10.30 use recursive function calls for backtracking.

From the release notes (https://www.pcre.org/changelog.txt):


* 1. The main interpreter, pcre2_match(), has been refactored into a new version
* that does not use recursive function calls (and therefore the stack) for
* remembering backtracking positions. This makes --disable-stack-for-recursion a
* NOOP. The new implementation allows backtracking into recursive group calls in
* patterns, making it more compatible with Perl, and also fixes some other
* hard-to-do issues such as #1887 in Bugzilla. The code is also cleaner because
* the old code had a number of fudges to try to reduce stack usage. It seems to
* run no slower than the old code.

We've observed crashes on specific files when using regex/pcre signatures, as a result of stack exhaustion, and updating to a modern version of libpcre2 resolves it. I have a suspicion it may resolve the issue for you as well.

If you installed from homebrew though, perhaps the homebrew package needs to be updated to use pcre2 instead of pcre.

CC'ing the clamav-binary mailing list for other package maintainers.

Regards,
Micah


Micah Snyder
ClamAV Development
Talos
Cisco Systems, Inc.




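Ged's `pldd` check and Micah's point about the non-recursive matcher in pcre2 10.30 together suggest one quick test: find out which PCRE the clamd binary actually loads and, if it is pcre2, whether it is new enough. The POSIX sh functions below are an added example, not code from the thread or from the ClamAV project. They classify linker output (`otool -L` on macOS, `ldd` or `pldd` on Linux) as pcre2, pcre or none, and compare a pcre2 version string against the 10.30 threshold. The two sample outputs are constructed for the demonstration; `check_clamd_pcre` runs the real commands on a host that has them. Treat `pcre2-config --version` as a cross-check only: it reports the development package on PATH, which is not necessarily the library clamd mapped.

```shell
#!/bin/sh
# Added example (not from the thread or from ClamAV): which PCRE flavour does
# a clamd binary link against, and is a pcre2 new enough (>= 10.30) to have
# the non-recursive matcher that no longer burns stack on backtracking?

# Constructed sample of `otool -L` output for a clamd linked against the old
# libpcre, the situation in this thread. Not captured from a real host.
SAMPLE_OTOOL='/usr/local/sbin/clamd:
    /usr/lib/libpcre.0.dylib (compatibility version 1.0.0, current version 1.1.0)
    /usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 1281.100.1)'

# Constructed sample of `ldd` output from a Linux host linked against pcre2.
SAMPLE_LDD='    libpcre2-8.so.0 => /usr/lib/x86_64-linux-gnu/libpcre2-8.so.0 (0x00007f0000000000)
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f0000200000)'

pcre_flavor() {
  # Reads linker output (otool -L / ldd / pldd) on stdin; prints pcre2, pcre or none.
  out=$(cat)
  if printf '%s\n' "$out" | grep -q 'libpcre2-'; then
    echo pcre2
  elif printf '%s\n' "$out" | grep -Eq 'libpcre\.(so|[0-9]+\.dylib)'; then
    echo pcre
  else
    echo none
  fi
}

pcre2_has_nonrecursive_matcher() {
  # $1 is a pcre2 version such as "10.32"; succeeds when it is >= 10.30.
  ver=$1
  case "$ver" in
    *.*) major=${ver%%.*}; rest=${ver#*.}; minor=${rest%%.*} ;;
    *)   major=$ver; minor=0 ;;
  esac
  case "$major$minor" in
    ''|*[!0-9]*) return 2 ;;   # not a version string we understand
  esac
  if [ "$major" -gt 10 ]; then return 0; fi
  if [ "$major" -eq 10 ] && [ "$minor" -ge 30 ]; then return 0; fi
  return 1
}

check_clamd_pcre() {
  # Inspect an installed clamd (path in $1, otherwise the one on PATH).
  bin=${1:-}
  [ -n "$bin" ] || bin=$(command -v clamd) || { echo "clamd not found" >&2; return 1; }
  if command -v otool >/dev/null 2>&1; then
    linker_out=$(otool -L "$bin")
  elif command -v ldd >/dev/null 2>&1; then
    linker_out=$(ldd "$bin")
  else
    echo "neither otool nor ldd available" >&2; return 1
  fi
  flavor=$(printf '%s\n' "$linker_out" | pcre_flavor)
  echo "clamd ($bin) links: $flavor"
  if [ "$flavor" = pcre2 ] && command -v pcre2-config >/dev/null 2>&1; then
    ver=$(pcre2-config --version)   # the pcre2 on PATH, not necessarily the one mapped
    if pcre2_has_nonrecursive_matcher "$ver"; then
      echo "pcre2 $ver: non-recursive matcher (10.30 or later)"
    else
      echo "pcre2 $ver: earlier than 10.30, backtracking still recurses on the stack"
    fi
  fi
}

# Demonstration on the constructed samples; run check_clamd_pcre on a real host.
printf '%s\n' "$SAMPLE_OTOOL" | pcre_flavor   # pcre
printf '%s\n' "$SAMPLE_LDD"   | pcre_flavor   # pcre2
```

A `pcre` result with a crash in `libpcre.0.dylib` on a stack guard page is the pattern in James's report; a `pcre2` result older than 10.30 is the same recursion under a different name, which is why the version check matters as much as the flavour.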
Re: [clamav-users] Clamd crashes frequently - macOS Catalina
It doesn't appear that there is a primary maintainer for homebrew's clamav package, so I've placed a PR with the homebrew-core project to try to switch the brew clamav package from pcre to pcre2:
https://github.com/Homebrew/homebrew-core/pull/54096

-Micah


Re: [clamav-users] Clamd crashes frequently - macOS Catalina
On 1 May 2020, at 8:31 pm, Mark Allan via clamav-users <clamav-users@lists.clamav.net> wrote:
>
> Try excluding Email.Exploit.Efail-6641027-1 from the main ClamAV set.

Thanks Mark. After over 12 hours clamd is still up and running. Looks like that sig was causing the problem.

James.
Re: [clamav-users] Clamd crashes frequently - macOS Catalina
Nice
Re: [clamav-users] Clamd crashes frequently - macOS Catalina
Although I completely support what Mark has recommended, I would caution that there could easily be a future signature that will cause this same issue if the root cause of not upgrading to pcre2 is not accomplished, and figuring out what signature that is won’t be easy.

Sent from my iPad

-Al-

> On May 1, 2020, at 18:38, James Brown via clamav-users <clamav-users@lists.clamav.net> wrote:
>
> On 1 May 2020, at 8:31 pm, Mark Allan via clamav-users <clamav-users@lists.clamav.net> wrote:
>>
>> Try excluding Email.Exploit.Efail-6641027-1 from the main ClamAV set.
>
> Thanks Mark. After over 12 hours clamd is still up and running. Looks like that sig was causing the problem.
>
> James.
>
> _______________________________________________
>
> clamav-users mailing list
> clamav-users@lists.clamav.net
> https://lists.clamav.net/mailman/listinfo/clamav-users
>
>
> Help us build a comprehensive ClamAV guide:
> https://github.com/vrtadmin/clamav-faq
>
> http://www.clamav.net/contact.html#ml
Re: [clamav-users] Clamd crashes frequently - macOS Catalina
Hi James,

Glad that seems to have helped.

Al and others are correct that the distro should be updated to use pcre2, but I'm not convinced that's the root of the problem. We're seeing the issue with that signature despite already using pcre2 in our build.

Mark

> On 2 May 2020, at 3:45 am, Al Varnell via clamav-users <clamav-users@lists.clamav.net> wrote:
>
> Although I completely support what Mark has recommended, I would caution that there could easily be a future signature that will cause this same issue if the root cause of not upgrading to pcre2 is not accomplished, and figuring out what signature that is won’t be easy.
>
> Sent from my iPad
>
> -Al-
>
Re: [clamav-users] Clamd crashes frequently - macOS Catalina
Hi Mark,

Which pcre2 version are you using?

Regards,
Micah

Re: [clamav-users] Clamd crashes frequently - macOS Catalina
Micah,

Looks to be 10.32, but Mark should be along shortly to confirm.

-Al-

> On May 4, 2020, at 13:23, Micah Snyder (micasnyd) via clamav-users <clamav-users@lists.clamav.net <mailto:clamav-users@lists.clamav.net>> wrote:
>
> Hi Mark,
>
> Which pcre2 version are you using?
>
> Regards,
> Micah
>
Re: [clamav-users] Clamd crashes frequently - macOS Catalina
Hi Micah,

Al is correct, we're using 10.32. I see 10.34 is now available, so I'll compile against that when I get a chance and see if it makes any difference.

Mark

> On 5 May 2020, at 6:25 am, Al Varnell via clamav-users <clamav-users@lists.clamav.net> wrote:
>
> Micah,
>
> Looks to be 10.32, but Mark should be along shortly to confirm.
>
> -Al-
>
>> On May 4, 2020, at 13:23, Micah Snyder (micasnyd) via clamav-users <clamav-users@lists.clamav.net <mailto:clamav-users@lists.clamav.net>> wrote:
>>
>> Hi Mark,
>>
>> Which pcre2 version are you using?
>>
>> Regards,
>> Micah
>>
>> From: clamav-users <clamav-users-bounces@lists.clamav.net <mailto:clamav-users-bounces@lists.clamav.net>>
>> Date: Saturday, May 2, 2020 at 5:50 PM
>> To: ClamAV users ML <clamav-users@lists.clamav.net <mailto:clamav-users@lists.clamav.net>>
>> Cc: Mark Allan <markjallan@gmail.com <mailto:markjallan@gmail.com>>
>> Subject: Re: [clamav-users] Clamd crashes frequently - macOS Catalina
>>
>> Hi James,
>>
>> Glad that seems to have helped.
>>
>> Al and others are correct that the distro should be updated to use pcre2, but I'm not convinced that's the root of the problem. We're seeing the issue with that signature despite already using pcre2 in our build.
>>
>> Mark
>>
>>
>> On 2 May 2020, at 3:45 am, Al Varnell via clamav-users <clamav-users@lists.clamav.net <mailto:clamav-users@lists.clamav.net>> wrote:
>>
>> Although I complete support what Mark has recommended, I would caution that there could easily be a future signature that will cause this same issue if the root cause of not upgrading to pcre2 is not accomplished, and figuring out what signature that is won’t be easy.
>>
>> Sent from my iPad
>>
>> -Al-
>>
>>
>> On May 1, 2020, at 18:38, James Brown via clamav-users <clamav-users@lists.clamav.net <mailto:clamav-users@lists.clamav.net>> wrote:
>>
>> ?On 1 May 2020, at 8:31 pm, Mark Allan via clamav-users <clamav-users@lists.clamav.net <mailto:clamav-users@lists.clamav.net>> wrote:
>>
>> Try excluding Email.Exploit.Efail-6641027-1 from the main ClamAV set.
>>
>> Thanks Mark. After over 12 hours clamd is still up and running. Looks like that sig was causing the problem.
>>
>> James.
>>
>> _______________________________________________
>>
>> clamav-users mailing list
>> clamav-users@lists.clamav.net <mailto:clamav-users@lists.clamav.net>
>> https://lists.clamav.net/mailman/listinfo/clamav-users <https://lists.clamav.net/mailman/listinfo/clamav-users>
>>
>>
>> Help us build a comprehensive ClamAV guide:
>> https://github.com/vrtadmin/clamav-faq <https://github.com/vrtadmin/clamav-faq>
>>
>> http://www.clamav.net/contact.html#ml <http://www.clamav.net/contact.html#ml>
>>
>
Re: [clamav-users] Clamd crashes frequently - macOS Catalina [ In reply to ]
Mark,

It probably won’t make much difference, though there is a possible slow scan time issue in pcre2 10.32 for case-insensitive patterns.

If you have a sample and signature that cause the issue, I’d love a copy so I can investigate further.

-Micah

From: Mark Allan <markjallan@gmail.com>
Date: Tuesday, May 5, 2020 at 5:20 AM
To: ClamAV users ML <clamav-users@lists.clamav.net>, Micah Snyder (micasnyd) <micasnyd@cisco.com>
Subject: Re: [clamav-users] Clamd crashes frequently - macOS Catalina
Hi Micah,

Al is correct, we're using 10.32. I see 10.34 is now available, so I'll compile against that when I get a chance and see if it makes any difference.

Mark


On 5 May 2020, at 6:25 am, Al Varnell via clamav-users <clamav-users@lists.clamav.net> wrote:

Micah,

Looks to be 10.32, but Mark should be along shortly to confirm.

-Al-


On May 4, 2020, at 13:23, Micah Snyder (micasnyd) via clamav-users <clamav-users@lists.clamav.net> wrote:

Hi Mark,

Which pcre2 version are you using?

Regards,
Micah

From: clamav-users <clamav-users-bounces@lists.clamav.net>
Date: Saturday, May 2, 2020 at 5:50 PM
To: ClamAV users ML <clamav-users@lists.clamav.net>
Cc: Mark Allan <markjallan@gmail.com>
Subject: Re: [clamav-users] Clamd crashes frequently - macOS Catalina
Hi James,

Glad that seems to have helped.

Al and others are correct that the distro should be updated to use pcre2, but I'm not convinced that's the root of the problem. We're seeing the issue with that signature despite already using pcre2 in our build.

Mark



On 2 May 2020, at 3:45 am, Al Varnell via clamav-users <clamav-users@lists.clamav.net> wrote:

Although I completely support what Mark has recommended, I would caution that there could easily be a future signature that will cause this same issue if the root cause of not upgrading to pcre2 is not accomplished, and figuring out what signature that is won’t be easy.
Sent from my iPad

-Al-



On May 1, 2020, at 18:38, James Brown via clamav-users <clamav-users@lists.clamav.net> wrote:
On 1 May 2020, at 8:31 pm, Mark Allan via clamav-users <clamav-users@lists.clamav.net> wrote:

Try excluding Email.Exploit.Efail-6641027-1 from the main ClamAV set.

Thanks Mark. After over 12 hours clamd is still up and running. Looks like that sig was causing the problem.

James.

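James confirms above that excluding Email.Exploit.Efail-6641027-1 kept clamd up, but the thread does not show how the exclusion was done. The script below is an added example, not code from the thread or from the ClamAV project: it uses ClamAV's `.ign2` mechanism, where every `*.ign2` file in the database directory lists signature names to skip, one per line. The file name `local.ign2` and the Homebrew database path `/usr/local/var/lib/clamav` in the usage comment are assumptions made here.

```shell
#!/bin/sh
# Added example, not from the thread or the ClamAV project: exclude one
# signature by name. ClamAV reads every *.ign2 file in its database
# directory; each line is a signature name to skip when loading.
# The file name local.ign2 is a choice made here; any *.ign2 name works.

# add_ignored_signature DBDIR SIGNAME
# Appends SIGNAME to DBDIR/local.ign2 unless it is already listed.
add_ignored_signature() {
    dbdir=$1
    sig=$2
    ign="$dbdir/local.ign2"
    # Signature names are plain ASCII identifiers; reject anything else so
    # a stray space or newline cannot corrupt the ignore list.
    case $sig in
        ''|*[!A-Za-z0-9._-]*)
            echo "refusing invalid signature name: '$sig'" >&2
            return 2 ;;
    esac
    if [ ! -d "$dbdir" ]; then
        echo "no such database directory: $dbdir" >&2
        return 2
    fi
    touch "$ign"
    if is_ignored "$dbdir" "$sig"; then
        return 0    # already present; keep the file free of duplicates
    fi
    printf '%s\n' "$sig" >> "$ign"
}

# is_ignored DBDIR SIGNAME: true if SIGNAME is an exact line in local.ign2.
is_ignored() {
    grep -qxF -- "$2" "$1/local.ign2" 2>/dev/null
}

# count_ignored DBDIR: number of non-empty lines in local.ign2 (0 if absent).
count_ignored() {
    if [ -f "$1/local.ign2" ]; then
        grep -c . "$1/local.ign2" || true
    else
        echo 0
    fi
}

# Example run against Homebrew's default database location (an assumption):
#   add_ignored_signature /usr/local/var/lib/clamav Email.Exploit.Efail-6641027-1
#   clamdscan --reload     # make the running daemon pick up the change
```

After editing the ignore list, the running daemon has to reload its databases (`clamdscan --reload`, or a service restart) before the change takes effect. The exclusion removes one detection from the host, so it is worth tracking as a temporary workaround and dropping once a build with the fix is in place.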
Re: [clamav-users] Clamd crashes frequently - macOS Catalina [ In reply to ]
Hi there,

On Tue, 5 May 2020, Micah Snyder (micasnyd) via clamav-users wrote:

> If you have a sample and signature that cause the issue, I’d love a
> copy so I can investigate further.

If it will help I'd be happy to run it past my scanners too - I've
taken no action on the offending signature, but seen no problems.

--

73,
Ged.

Re: [clamav-users] Clamd crashes frequently - macOS Catalina [ In reply to ]
On 2 May 2020, at 9:32 am, Micah Snyder (micasnyd) via clamav-users <clamav-users@lists.clamav.net> wrote:
>
> It doesn’t appear that there is a primary maintainer for homebrew’s clamav package, so I’ve placed a PR with the homebrew-core project to try to switch the brew clamav package from pcre to pcre2:
> https://github.com/Homebrew/homebrew-core/pull/54096
>
> -Micah

Just checked and there is now 0.102.2_2 available on Homebrew. Hopefully it includes your pull request Micah.

(It’s been stable since ignoring that sig).

James.
Re: [clamav-users] Clamd crashes frequently - macOS Catalina [ In reply to ]
Hi Micah,

Curiously it only seems to affect clamd/clamdscan. The standalone clamscan doesn't appear to be affected, which means it took quite a while to track down the file which causes the crash.

The signature in question is Email.Exploit.Efail-6641027-1

The file triggering the crash for me is 'actionmailer-2.2.2.gem', a gem within the Ruby framework on Mac OS X 10.6.8:

/System/Library/Frameworks/Ruby.framework/Versions/1.8/usr/lib/ruby/gems/1.8/cache/actionmailer-2.2.2.gem

SHA-256 164de36ca0e858ccc9bd3e33ae1ee3d3bb9f964f7d941621b3bec725945af5fe

I've uploaded it to VirusTotal.

For what it's worth, I was wrong about the version of lib-pcre that we're using. Our current build runs with pcre2 (10.32), but our test machine in question was using an older version of ClamAV (0.100.1) which was compiled with pcre 8.41.

Still quite surprising that a signature can bring down clamd though.

Hope the above is useful.

Best regards
Mark

> On 5 May 2020, at 6:28 pm, Micah Snyder (micasnyd) <micasnyd@cisco.com> wrote:
>
> Mark,
>
> It probably won’t make much difference, though there is a possible slow scan time issue in pcre2 10.32 for case-insensitive patterns.
>
> If you have a sample and signature that cause the issue, I’d love a copy so I can investigate further.
>
> -Micah
>
> From: Mark Allan <markjallan@gmail.com>
> Date: Tuesday, May 5, 2020 at 5:20 AM
> To: ClamAV users ML <clamav-users@lists.clamav.net>, Micah Snyder (micasnyd) <micasnyd@cisco.com>
> Subject: Re: [clamav-users] Clamd crashes frequently - macOS Catalina
>
> Hi Micah,
>
> Al is correct, we're using 10.32. I see 10.34 is now available, so I'll compile against that when I get a chance and see if it makes any difference.
>
> Mark
>
>
> On 5 May 2020, at 6:25 am, Al Varnell via clamav-users <clamav-users@lists.clamav.net> wrote:
>
> Micah,
>
> Looks to be 10.32, but Mark should be along shortly to confirm.
>
> -Al-
>
>
> On May 4, 2020, at 13:23, Micah Snyder (micasnyd) via clamav-users <clamav-users@lists.clamav.net> wrote:
>
> Hi Mark,
>
> Which pcre2 version are you using?
>
> Regards,
> Micah
>
> From: clamav-users <clamav-users-bounces@lists.clamav.net>
> Date: Saturday, May 2, 2020 at 5:50 PM
> To: ClamAV users ML <clamav-users@lists.clamav.net>
> Cc: Mark Allan <markjallan@gmail.com>
> Subject: Re: [clamav-users] Clamd crashes frequently - macOS Catalina
>
> Hi James,
>
> Glad that seems to have helped.
>
> Al and others are correct that the distro should be updated to use pcre2, but I'm not convinced that's the root of the problem. We're seeing the issue with that signature despite already using pcre2 in our build.
>
> Mark
>
>
>
> On 2 May 2020, at 3:45 am, Al Varnell via clamav-users <clamav-users@lists.clamav.net> wrote:
>
> Although I completely support what Mark has recommended, I would caution that there could easily be a future signature that will cause this same issue if the root cause of not upgrading to pcre2 is not accomplished, and figuring out what signature that is won’t be easy.
>
> Sent from my iPad
>
> -Al-
>
>
>
> On May 1, 2020, at 18:38, James Brown via clamav-users <clamav-users@lists.clamav.net> wrote:
>
> On 1 May 2020, at 8:31 pm, Mark Allan via clamav-users <clamav-users@lists.clamav.net> wrote:
>
> Try excluding Email.Exploit.Efail-6641027-1 from the main ClamAV set.
>
> Thanks Mark. After over 12 hours clamd is still up and running. Looks like that sig was causing the problem.
>
> James.
>
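Mark notes above that the crash reproduces only through clamd/clamdscan, not standalone clamscan, which is why the triggering file took a while to pin down. The script below is an added example, not code from the thread or from the ClamAV project, showing one way to do that bisection: scan a directory one file at a time through the daemon and check after each file whether clamd is still running. The defaults `clamdscan --no-summary` for scanning and `pgrep -x clamd` for the liveness check are assumptions made here and can be replaced by passing other commands; the SHA-256 used by `is_known_sample` is the one Mark posted.

```shell
#!/bin/sh
# Added example, not from the thread or the ClamAV project: find the file
# that takes clamd down by scanning a directory one file at a time through
# the daemon (clamdscan), since the thread reports that standalone clamscan
# does not reproduce the crash.

# file_sha256 FILE: prints the SHA-256 hex digest using whichever tool the
# host provides (sha256sum on Linux, shasum on macOS, openssl as fallback).
file_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | cut -d' ' -f1
    else
        openssl dgst -sha256 -r "$1" | cut -d' ' -f1
    fi
}

# find_crashing_file DIR [SCAN_CMD] [ALIVE_CMD]
# Scans each regular file in DIR with SCAN_CMD and, after each one, runs
# ALIVE_CMD. Prints the first file after which the daemon is gone and
# returns 0; returns 1 if every file was scanned with the daemon still up;
# returns 2 if the daemon was not running to begin with.
find_crashing_file() {
    dir=$1
    scan_cmd=${2:-clamdscan --no-summary}   # assumption: default scan command
    alive_cmd=${3:-pgrep -x clamd}          # assumption: default liveness check
    if ! $alive_cmd >/dev/null 2>&1; then
        echo "daemon not running before the first scan" >&2
        return 2
    fi
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        # clamdscan exits 1 for infected and 2 for errors (including a dead
        # daemon); the liveness check below decides, not this exit status.
        $scan_cmd "$f" >/dev/null 2>&1 || true
        if ! $alive_cmd >/dev/null 2>&1; then
            printf '%s\n' "$f"
            return 0
        fi
    done
    return 1
}

# is_known_sample FILE: true if FILE is the actionmailer gem Mark identified
# (hash taken from his message in this thread).
KNOWN_SAMPLE_SHA256=164de36ca0e858ccc9bd3e33ae1ee3d3bb9f964f7d941621b3bec725945af5fe
is_known_sample() {
    [ "$(file_sha256 "$1")" = "$KNOWN_SAMPLE_SHA256" ]
}

# Example run (assumed paths):
#   culprit=$(find_crashing_file /some/dir/with/gems) && is_known_sample "$culprit" \
#       && echo "matches the sample from the list thread: $culprit"
```

Two caveats when running this for real: the walk is one directory level deep, so point it at the directory that actually holds the candidate files; and if clamd is supervised by launchd with KeepAlive (or any other auto-restart), stop that supervision first, otherwise the daemon may be back before the liveness check runs and the crash is missed.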