mandiant / sunburst_countermeasures

BSD 2-Clause "Simplified" License

ClamAV malformed database for Raw64 dropper #35

Open siemhermans opened 3 years ago

siemhermans commented 3 years ago

ClamAV seems to experience issues when reading the ruleset from APT_Dropper_Raw64_TEARDROP_1.yar on Ubuntu 18.04.5 LTS. All other Yara rulesets work without issues.

$ clamscan -ir -d APT_Dropper_Raw64_TEARDROP_1.yar /
LibClamAV Error: parse_yara_hex_string: Single byte subpatterns unsupported in ClamAV
LibClamAV Error: load_oneyara: error in parsing yara hex string
LibClamAV Warning: load_oneyara: clamav cannot support 1 input strings, skipping YARA.APT_Dropper_Raw64_TEARDROP_1
LibClamAV Warning: cli_loadyara: problem parsing yara file APT_Dropper_Raw64_TEARDROP_1.yar, yara rule APT_Dropper_Raw64_TEARDROP_1
LibClamAV Error: Can't load APT_Dropper_Raw64_TEARDROP_1.yar: Malformed database
ERROR: Malformed database

----------- SCAN SUMMARY -----------
Known viruses: 0
Engine version: 0.102.4
Scanned directories: 0
Scanned files: 0
Infected files: 0
Data scanned: 0.00 MB
Data read: 0.00 MB (ratio 0.00:1)
Time: 0.006 sec (0 m 0 s)

$ clamscan --version
ClamAV 0.102.4/26024/Mon Dec 21 13:48:10 2020
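A pre-check that flags the construct the error above names before a rule file is handed to clamscan. This is an added example, not code from this repository or from ClamAV; treating a "subpattern" as the run of byte tokens between two jumps is an assumption inferred from the error text rather than from the libclamav source, and the sample rule is constructed, not the TEARDROP rule.

```python
from __future__ import annotations
import re

# Tokens of the hex-string syntax YARA allows inside { ... }:
#   byte "C7", nibble wildcard "0?"/"?0", full wildcard "??",
#   jump "[n-m]" / "[n]" / "[n-]", and alternation delimiters "(" "|" ")".
TOKEN_RE = re.compile(r"\[[^\]]*\]|[()|]|[0-9A-Fa-f?]{2}")

# Pulls "$name = { ... }" definitions out of rule text (a minimal
# extractor for the example, not YARA's own parser).
HEX_STRING_RE = re.compile(r"(\$\w*)\s*=\s*\{([^}]*)\}")


def single_byte_subpatterns(hex_body: str) -> list[str]:
    """Return each run of exactly one byte bounded by a jump or the string edge.

    Assumption: ClamAV rejects such one-byte runs ("Single byte subpatterns
    unsupported"); wildcard bytes are counted as part of a run.
    """
    runs = [[]]
    for tok in TOKEN_RE.findall(hex_body):
        if tok.startswith("["):      # a jump closes the current subpattern
            runs.append([])
        elif tok in "()|":           # alternation syntax carries no byte
            continue
        else:
            runs[-1].append(tok)
    return [" ".join(r) for r in runs if len(r) == 1]


def check_rule_text(rule_text: str) -> dict[str, list[str]]:
    """Map each hex string name to the single-byte subpatterns it contains."""
    findings = {}
    for name, body in HEX_STRING_RE.findall(rule_text):
        bad = single_byte_subpatterns(body)
        if bad:
            findings[name] = bad
    return findings


# Constructed sample: $ok loads fine, $bad has one-byte runs around its jumps.
SAMPLE_RULE = r"""
rule demo_hex_strings
{
    strings:
        $ok  = { C7 44 24 ?? 80 00 00 00 [0-64] 48 8D 0D [4-32] FF 15 }
        $bad = { 48 8D 0D [4-32] FF [0-32] E8 }
    condition:
        any of them
}
"""

if __name__ == "__main__":
    for name, runs in check_rule_text(SAMPLE_RULE).items():
        print(f"{name}: single-byte subpattern(s) {runs} would fail to load in ClamAV")
```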