Mailing List Archive

ClamAV 0.97.4 - 2 notices
Hello,

1.
I just compiled the new version in my autobuild system for
multiple versions of SuSE Linux Enterprise Servers.

I noticed this RPMLINT report which I would like to forward to you for information:

RPMLINT report:
===============
clamav.i586: W: shared-lib-calls-exit /usr/lib/libclamav.so.6.1.13 exit@GLIBC_2.0
This library package calls exit() or _exit(), probably in a non-fork()
context. Doing so from a library is strongly discouraged - when a library
function calls exit(), it prevents the calling program from handling the
error, reporting it to the user, closing files properly, and cleaning up any
state that the program has. It is preferred for the library to return an
actual error code and let the calling program decide how to handle the
situation.

Could it be possible that the _exit() is intentional correct?
Then I would like to add an exception for my rpmlint...

2.
Avira, a German antivirus vendor, may(*) classify the source code tarball as malicious:

clamav-0.97.4/test/.split/split.clam-pespin.exeaa <<< PCK/PESpin ; packer ; File has been compressed with an unusual runtime compression tool (PCK/PESpin). Please verify the origin of the file

I informed Avira and got the response that their av-engine finds "unusual runtime compression tool" commonly used by
malware :-(


Andreas




(*) depends how aggressive the scanner is configured

--
Andreas Schulze
Internet Services | P252

DATEV eG
90329 Nürnberg | Phone +49 911 319-0 | Fax +49 911 319-3196
E-Mail info @datev.de | Internet www.datev.de
Registered office: 90429 Nürnberg, Paumgartnerstr. 6-14 | Register court Nürnberg, GenReg Nr.70
Executive Board
Prof. Dieter Kempf (Chairman)
Dipl.-Kfm. Wolfgang Stegmann (Deputy Chairman)
Dipl.-Kfm. Michael Leistenschneider
Dipl.-Kfm. Dr. Robert Mayr
Jörg Rabe v. Pappenheim
Dipl.-Vw. Eckhard Schwarzer
Chairman of the Supervisory Board: Reinhard Verholen
_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml
Re: ClamAV 0.97.4 - 2 notices
On 03/16/2012 02:35 PM, Andreas Schulze wrote:
> Hello,
>
> 1.
> I just compiled the new version in my autobuild system for
> multiple versions of SuSE Linux Enterprise Servers.
>
> I noticed this RPMLINT report which I would like to forward to you for information:
>
> RPMLINT report:
> ===============
> clamav.i586: W: shared-lib-calls-exit /usr/lib/libclamav.so.6.1.13 exit@GLIBC_2.0
> This library package calls exit() or _exit(), probably in a non-fork()
> context. Doing so from a library is strongly discouraged - when a library
> function calls exit(), it prevents the calling program from handling the
> error, reporting it to the user, closing files properly, and cleaning up any
> state that the program has. It is preferred for the library to return an
> actual error code and let the calling program decide how to handle the
> situation.
>
> Could it be possible that the _exit() is intentional correct?
> Then I would like to add an exception for my rpmlint...

It is LLVM that uses exit/_exit in Program::Execute for example.
We don't call that function though.

>
> 2.
> Avira, a German antivirus vendor, may(*) classify the source code tarball as malicious:
>
> clamav-0.97.4/test/.split/split.clam-pespin.exeaa <<< PCK/PESpin ; packer ; File has been compressed with an unusual runtime compression tool (PCK/PESpin). Please verify the origin of the file

That is part of the test-file for clamav's PESpin unpacker support. Obviously that is clam.exe packed by PESpin, and not malware.

>
> I informed Avira and got the response that their av-engine finds "unusual runtime compression tool" commonly used by
> malware :-(

Yeah, that's why ClamAV has a PESpin unpacker (to unpack malware that uses it), and a testfile for it (so we make sure it actually works).

Best regards,
--Edwin
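
For readers who want to verify the `shared-lib-calls-exit` warning discussed above, here is an added example (not part of the thread and not rpmlint's own code) that lists `exit`/`_exit` imports from `nm -D` output. The `SAMPLE_NM` text is constructed for illustration; an import only shows that some object linked into the library references the symbol, not which function calls it.

```python
import re
import subprocess

# Undefined ("U") dynamic symbols as printed by `nm -D`, with an optional
# "@VERSION" suffix such as the exit@GLIBC_2.0 seen in the rpmlint report.
_UNDEF = re.compile(r"^\s*(?:[0-9a-fA-F]+\s+)?U\s+(\S+?)(?:@@?(\S+))?\s*$")

# The two process-terminating calls named in the rpmlint warning text.
PROCESS_EXIT = {"exit", "_exit"}


def exit_imports(nm_output):
    """Return (symbol, version) pairs for imported exit()/_exit()."""
    found = []
    for line in nm_output.splitlines():
        m = _UNDEF.match(line)
        # Exact name match: atexit, __cxa_atexit, pthread_exit are not flagged.
        if m and m.group(1) in PROCESS_EXIT:
            found.append((m.group(1), m.group(2) or ""))
    return found


def scan_library(path):
    """Run GNU nm on a real shared library and report its exit imports."""
    out = subprocess.run(
        ["nm", "-D", "--undefined-only", path],
        capture_output=True, text=True, check=True,
    ).stdout
    return exit_imports(out)


# Constructed sample of `nm -D` output (not taken from libclamav).
SAMPLE_NM = """\
                 U atexit@GLIBC_2.0
                 U __cxa_atexit@GLIBC_2.1.3
                 U exit@GLIBC_2.0
                 U _exit@GLIBC_2.0
                 U pthread_exit@GLIBC_2.0
0001a2b0 T cl_init
                 w __gmon_start__
"""

if __name__ == "__main__":
    for sym, ver in exit_imports(SAMPLE_NM):
        print(f"imports {sym}" + (f" (version {ver})" if ver else ""))
```
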
Re: ClamAV 0.97.4 - 2 notices
On 16.03.2012 13:35, Andreas Schulze wrote:
> 2.
> Avira, a German antivirus vendor, may(*) classify the source code tarball as malicious:
>
> clamav-0.97.4/test/.split/split.clam-pespin.exeaa <<< PCK/PESpin ; packer ; File has been compressed with an unusual runtime compression tool (PCK/PESpin). Please verify the origin of the file

IMHO it is only to be expected that virus scanners identify each others'
test files as malicious. You can hardly blame either side for that.
After all, both are just doing what they are designed for.

Just ignore it.

Jm2¢
Tilman
Re: ClamAV 0.97.4 - 2 notices
On 03/16/2012 05:31 PM, Tilman Schmidt wrote:
> On 16.03.2012 13:35, Andreas Schulze wrote:
>> 2.
>> Avira, a German antivirus vendor, may(*) classify the source code tarball as malicious:
>>
>> clamav-0.97.4/test/.split/split.clam-pespin.exeaa<<< PCK/PESpin ; packer ; File has been compressed with an unusual runtime compression tool (PCK/PESpin). Please verify the origin of the file
> IMHO it is only to be expected that virus scanners identify each others'
> test files as malicious. You can hardly blame either side for that.
> After all, both are just doing what they are designed for.
>
> Just ignore it.
>
> Jm2¢
> Tilman
>
And be glad it is able to detect it :-)

--
Jim Preston


Re: ClamAV 0.97.4 - 2 notices
On Sat, Mar 17, 2012 at 11:11:29AM -0700, Jim Preston wrote:
> On 03/16/2012 05:31 PM, Tilman Schmidt wrote:
> >On 16.03.2012 13:35, Andreas Schulze wrote:
> >>2.
> >>Avira, a German antivirus vendor, may(*) classify the source code tarball as malicious:
> >>
> >>clamav-0.97.4/test/.split/split.clam-pespin.exeaa<<< PCK/PESpin ; packer ; File has been compressed with an unusual runtime compression tool (PCK/PESpin). Please verify the origin of the file
> >IMHO it is only to be expected that virus scanners identify each others'
> >test files as malicious. You can hardly blame either side for that.
> >After all, both are just doing what they are designed for.
> >
> >Just ignore it.
> >
> >Jm2¢
> >Tilman
> >
> And be glad it is able to detect it :-)

What's the point of detecting a split broken exe? I assume it's not
executable in any way?

ClamAV could obfuscate those files better in many other ways than splitting
anyway..