Hi,
after upgrading my Stretch mailserver with the packages from stretch-proposed-updates,
clamav-daemon dies with the following error message:
root@mail:~# systemctl status clamav-daemon
● clamav-daemon.service - Clam AntiVirus userspace daemon
Loaded: loaded (/lib/systemd/system/clamav-daemon.service; enabled; vendor preset: enabled)
Drop-In: /etc/systemd/system/clamav-daemon.service.d
└─extend.conf
Active: failed (Result: signal) since Tue 2018-07-03 07:40:12 CEST; 1h 18min ago
Docs: man:clamd(8)
man:clamd.conf(5)
https://www.clamav.net/documents/
Process: 21927 ExecStart=/usr/sbin/clamd --foreground=true (code=killed, signal=ABRT)
Process: 21923 ExecStartPre=/bin/chown clamav /run/clamav (code=exited, status=0/SUCCESS)
Process: 21922 ExecStartPre=/bin/mkdir /run/clamav (code=exited, status=1/FAILURE)
Main PID: 21927 (code=killed, signal=ABRT)
Jul 03 07:30:24 mail clamd[21927]: LibClamAV Error: yyerror(): /var/lib/clamav/antidebug_antivm.yar line 544 undefined identifier "pe"
Jul 03 07:30:24 mail clamd[21927]: LibClamAV Error: yyerror(): /var/lib/clamav/antidebug_antivm.yar line 557 undefined identifier "pe"
Jul 03 07:30:24 mail clamd[21927]: LibClamAV Error: yyerror(): /var/lib/clamav/antidebug_antivm.yar line 603 undefined identifier "pe"
Jul 03 07:30:24 mail clamd[21927]: LibClamAV Error: yyerror(): /var/lib/clamav/antidebug_antivm.yar line 614 undefined identifier "pe"
Jul 03 07:30:24 mail clamd[21927]: LibClamAV Warning: cli_loadyara: failed to parse or load 7 yara rules from file /var/lib/clamav/antidebug_antivm.yar, successfully
Jul 03 07:30:36 mail clamd[21927]: Tue Jul 3 07:30:36 2018 -> Database correctly reloaded (6790696 signatures)
Jul 03 07:40:12 mail clamd[21927]: clamd: yara_exec.c:177: yr_execute_code: Assertion `sp == 0' failed.
Jul 03 07:40:12 mail systemd[1]: clamav-daemon.service: Main process exited, code=killed, status=6/ABRT
Jul 03 07:40:12 mail systemd[1]: clamav-daemon.service: Unit entered failed state.
Jul 03 07:40:12 mail systemd[1]: clamav-daemon.service: Failed with result 'signal'.
0.99.4+dfsg-1+deb9u1 -> 0.100.0+dfsg-0+deb9u1
This is probably related to using third-party signatures, but still a regression.
Best Regards,
Bernhard
--- data dir ---
total 471560
-rw-r--r-- 1 clamav clamav 10889 Mar 6 22:55 EK_Angler.yar
-rw-r--r-- 1 clamav clamav 14659 Mar 6 22:55 EK_Blackhole.yar
-rw-r--r-- 1 clamav clamav 3401 Mar 6 22:55 EK_BleedingLife.yar
-rw-r--r-- 1 clamav clamav 1349 Mar 6 22:55 EK_Crimepack.yar
-rw-r--r-- 1 clamav clamav 4688 Mar 6 22:55 EK_Eleonore.yar
-rw-r--r-- 1 clamav clamav 8268 Mar 6 22:55 EK_Fragus.yar
-rw-r--r-- 1 clamav clamav 16842 Mar 6 22:55 EK_Phoenix.yar
-rw-r--r-- 1 clamav clamav 1860 Mar 6 22:55 EK_Sakura.yar
-rw-r--r-- 1 clamav clamav 8488 Mar 6 22:55 EK_ZeroAcces.yar
-rw-r--r-- 1 clamav clamav 1435 Mar 6 22:55 EK_Zerox88.yar
-rw-r--r-- 1 clamav clamav 800 Mar 6 22:55 EK_Zeus.yar
-rw-r--r-- 1 clamav clamav 1462 Jul 1 2015 Sanesecurity_sigtest.yara
-rw-r--r-- 1 clamav clamav 1233 Feb 22 2016 Sanesecurity_spam.yara
-rw-r--r-- 1 clamav clamav 47013 Mar 6 22:55 antidebug_antivm.yar
-rw-r--r-- 1 clamav clamav 7519880 Jul 3 07:11 blurl.ndb
-rw-r--r-- 1 clamav clamav 1770 Jul 1 03:02 bofhland_cracked_URL.ndb
-rw-r--r-- 1 clamav clamav 128 Jun 28 03:03 bofhland_malware_URL.ndb
-rw-r--r-- 1 clamav clamav 106188 Mar 6 22:03 bofhland_malware_attach.hdb
-rw-r--r-- 1 clamav clamav 2766 Jul 2 21:02 bofhland_phishing_URL.ndb
-rw-r--r-- 1 clamav clamav 947712 Jun 22 17:10 bytecode.cld
drwxr-xr-x 2 clamav clamav 4096 May 12 2013 clamav-0a47a4a7b96ec68cefacb0290f91268b
-rw-r--r-- 1 clamav clamav 143277568 Jul 3 07:30 daily.cld
-rw-r--r-- 1 clamav clamav 137631 Jun 29 10:10 foxhole_filename.cdb
-rw-r--r-- 1 clamav clamav 51613 Mar 26 15:11 foxhole_generic.cdb
-rw-r--r-- 1 clamav clamav 48176 Aug 5 2015 hackingteam.hsb
-rw-r--r-- 1 clamav clamav 7111512 Jul 2 09:15 junk.ndb
-rw-r--r-- 1 clamav clamav 1568640 Jul 3 07:11 jurlbl.ndb
-rw-r--r-- 1 clamav clamav 307499008 Jun 7 2017 main.cld
-rw-r--r-- 1 clamav clamav 73808 Jun 29 2017 malwarehash.hsb
-rw-r--r-- 1 clamav clamav 3900 Jul 3 08:30 mirrors.dat
-rw-r--r-- 1 clamav clamav 4038222 Jun 29 11:09 phish.ndb
-rw-r--r-- 1 clamav clamav 5108426 Jul 1 11:01 phishtank.ndb
-rw-r--r-- 1 clamav clamav 24284 Jul 3 05:01 porcupine.hsb
-rw-r--r-- 1 clamav clamav 341666 Jul 3 07:01 porcupine.ndb
-rw-r--r-- 1 clamav clamav 848077 May 9 07:36 rfxn.hdb
-rw-r--r-- 1 clamav clamav 450812 Jun 20 19:08 rfxn.ndb
-rw-r--r-- 1 clamav clamav 490895 Jul 2 16:11 rogue.hdb
-rw-r--r-- 1 clamav clamav 11098 Oct 18 2016 sanesecurity.ftm
-rw-r--r-- 1 clamav clamav 1895835 Jun 26 22:12 scam.ndb
-rw-r--r-- 1 clamav clamav 328 Jun 12 14:10 sigwhitelist.ign2
-rw-r--r-- 1 clamav clamav 1391 Apr 28 2017 spamattach.hdb
-rw-r--r-- 1 clamav clamav 15182 Jun 19 10:11 spamimg.hdb
-rw-r--r-- 1 clamav clamav 526635 Mar 5 09:00 winnow.attachments.hdb
-rw-r--r-- 1 clamav clamav 66 Mar 5 09:00 winnow_bad_cw.hdb
-rw-r--r-- 1 clamav clamav 16271 Mar 5 09:00 winnow_extended_malware.hdb
-rw-r--r-- 1 clamav clamav 18189 Mar 5 09:00 winnow_malware.hdb
-rw-r--r-- 1 clamav clamav 3782 Mar 5 09:00 winnow_malware.yara
-rw-r--r-- 1 clamav clamav 506160 Jun 26 12:27 winnow_malware_links.ndb
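
Added example (not part of the original report, and not ClamAV or Debian code): a triage sketch for the journal output above that groups the YARA load errors by rule file and picks out the assertion abort, so the third-party rule files to set aside first while bisecting are listed. The sample lines are constructed from the log format shown in the report; the function name `triage` and the rule "abort in a yara_* source file means suspect the files that failed to load" are assumptions of this example, not a confirmed root cause.

```python
import re
from collections import Counter

# Constructed sample: journal lines in the format shown in the report above.
SAMPLE = """\
Jul 03 07:30:24 mail clamd[21927]: LibClamAV Error: yyerror(): /var/lib/clamav/antidebug_antivm.yar line 544 undefined identifier "pe"
Jul 03 07:30:24 mail clamd[21927]: LibClamAV Error: yyerror(): /var/lib/clamav/antidebug_antivm.yar line 557 undefined identifier "pe"
Jul 03 07:30:24 mail clamd[21927]: LibClamAV Warning: cli_loadyara: failed to parse or load 7 yara rules from file /var/lib/clamav/antidebug_antivm.yar, successfully
Jul 03 07:30:36 mail clamd[21927]: Tue Jul 3 07:30:36 2018 -> Database correctly reloaded (6790696 signatures)
Jul 03 07:40:12 mail clamd[21927]: clamd: yara_exec.c:177: yr_execute_code: Assertion `sp == 0' failed.
Jul 03 07:40:12 mail systemd[1]: clamav-daemon.service: Main process exited, code=killed, status=6/ABRT
"""

YYERROR = re.compile(r"yyerror\(\): (?P<file>\S+) line (?P<line>\d+) (?P<msg>.+)$")
LOADFAIL = re.compile(
    r"cli_loadyara: failed to parse or load (?P<n>\d+) yara rules from file (?P<file>[^,\s]+)"
)
ASSERT = re.compile(
    r"clamd: (?P<src>\S+?):(?P<line>\d+): (?P<func>\w+): Assertion [`'](?P<expr>.+?)' failed"
)

def triage(log_text):
    """Summarise YARA load failures and assertion aborts found in clamd log text."""
    parse_errors = Counter()   # rule file -> number of yyerror() lines
    rejected = {}              # rule file -> rules clamd reported it could not load
    aborts = []                # (source file, line, function, asserted expression)
    for line in log_text.splitlines():
        if m := YYERROR.search(line):
            parse_errors[m["file"]] += 1
        elif m := LOADFAIL.search(line):
            rejected[m["file"]] = int(m["n"])
        elif m := ASSERT.search(line):
            aborts.append((m["src"], int(m["line"]), m["func"], m["expr"]))
    # Heuristic (assumption of this example): an abort inside the YARA code makes
    # the rule files that already failed to load the first ones to set aside.
    yara_abort = any(src.startswith("yara_") for src, *_ in aborts)
    suspects = sorted(set(parse_errors) | set(rejected)) if yara_abort else []
    return {"parse_errors": dict(parse_errors), "rejected": rejected,
            "aborts": aborts, "suspects": suspects}

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```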