clamav-users August 2007 archive

[Clamav-users] Message hangs PhishingScanURLs on Solaris 10

From: Ian G Batten <ian.batten_at_nospam>
Date: Wed Aug 22 2007 - 17:33:20 GMT
To: ClamAV users ML <clamav-users@lists.clamav.net>


It appears that in 0.91.1 and 0.91.2 PhishingScanURLs is on by default even in non-experimental builds. If the line

H:nationwide.co.uk

is present in daily.pdb (indeed, if it is the _only_ line in daily.pdb, and that is the only pattern file in use) then the attached piece of mail hangs 0.91.1 and 0.91.2 on Solaris 10 Sparc unless --no-phishing-scan-urls or its clamd.conf equivalent is set.

My workaround is to put

PhishingScanURLs no

into clamd.conf, because I'm not confident that the nationwide.co.uk is anything other than one manifestation of a more general problem.

dmzsrv-6.ftel.co.uk# uname -a
SunOS dmzsrv-6.ftel.co.uk 5.10 Generic_118833-36 sun4u sparc SUNW,Sun-Fire-V210
dmzsrv-6.ftel.co.uk# ls
daily.pdb
dmzsrv-6.ftel.co.uk# cat daily.pdb
H:nationwide.co.uk
dmzsrv-6.ftel.co.uk# clamscan --database=. /var/tmp/testmessage [[ hangs ]]
^Cdmzsrv-6.ftel.co.uk# clamscan --no-phishing-scan-urls --database=. /var/tmp/testmessage
/var/tmp/testmessage: OK

----------- SCAN SUMMARY -----------
Known viruses: 0
Engine version: 0.91.1
Scanned directories: 0
Scanned files: 1
Infected files: 0
Data scanned: 0.00 MB
Time: 0.014 sec (0 m 0 s)
dmzsrv-6.ftel.co.uk# echo H:zzz.co.uk > daily.pdb
dmzsrv-6.ftel.co.uk# clamscan --database=. /var/tmp/testmessage
/var/tmp/testmessage: OK

----------- SCAN SUMMARY -----------
Known viruses: 0
Engine version: 0.91.1
Scanned directories: 0
Scanned files: 1
Infected files: 0
Data scanned: 0.00 MB
Time: 0.020 sec (0 m 0 s)
dmzsrv-6.ftel.co.uk#

It doesn't appear to cause a problem on my desktop OSX machine:

dhcp-172-16-44-202:~ igb$ uname -a
Darwin dhcp-172-16-44-202.ftel.co.uk 8.10.0 Darwin Kernel Version 8.10.0: Wed May 23 16:50:59 PDT 2007; root:xnu-792.21.3~1/RELEASE_PPC Power Macintosh powerpc
dhcp-172-16-44-202:~ igb$ ls /tmp/db
daily.pdb
dhcp-172-16-44-202:~ igb$ cat /tmp/db/daily.pdb
H:nationwide.co.uk
dhcp-172-16-44-202:~ igb$ clamav-0.91.1/clamscan/clamscan --database=/tmp/db ./testcase
./testcase: Phishing.Heuristics.Email.SpoofedDomain FOUND

----------- SCAN SUMMARY -----------
Known viruses: 0
Engine version: 0.91.1
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 0.00 MB
Time: 0.280 sec (0 m 0 s)
dhcp-172-16-44-202:~ igb$

Back on the Solaris machine, looking at the coredump generated with Control-Backslash shows that it's recursing infinitely:

(gdb) bt
#0 0xff050a80 in memcpy () from /platform/SUNW,Sun-Fire-V210/lib/libc_psr.so.1
#1 0xff0fb2ec in match_re_C () from /lib/libc.so.1
#2 0xff0fb33c in match_re_C () from /lib/libc.so.1
#3 0xff0fc69c in match_re_C () from /lib/libc.so.1
#4 0xff0fb780 in match_re_C () from /lib/libc.so.1
#5 0xff0fb33c in match_re_C () from /lib/libc.so.1
#6 0xff0fb33c in match_re_C () from /lib/libc.so.1
#7 0xff0fc69c in match_re_C () from /lib/libc.so.1
#8 0xff0fb780 in match_re_C () from /lib/libc.so.1
#9 0xff0fb33c in match_re_C () from /lib/libc.so.1
#10 0xff0fb33c in match_re_C () from /lib/libc.so.1
#11 0xff0fc69c in match_re_C () from /lib/libc.so.1
#12 0xff0fb780 in match_re_C () from /lib/libc.so.1
#13 0xff0fb33c in match_re_C () from /lib/libc.so.1

The bottom of the stack looks like this:

#467 0xff0fb33c in match_re_C () from /lib/libc.so.1
#468 0xff0fb780 in match_re_C () from /lib/libc.so.1
#469 0xff0fb33c in match_re_C () from /lib/libc.so.1
#470 0xff0fcad4 in match_re_C () from /lib/libc.so.1
#471 0xff0faa0c in __regexec_C () from /lib/libc.so.1
#472 0xff2eb9d0 in isURL (pchk=0xffbfaa00,
    URL=0x426d0 "http://allnations.nu/design/base/olb2.nationet/olb2.nationet.com/update?3441_3769473_414_1662_480_0_722_1148_2726403610&Idx=2&YY=1123&inc=25&order=down&sort=date&pos2_1148_2726403610&Idx=2&YY=1123&inc"...) at phishcheck.c:977
#473 0xff2ec628 in phishingScan (m=0x2e418, dir=0x3ca88 "/var/tmp//clamav-a40c39784d010e5305fb4f99f288021e", ctx=0xffbfd540, hrefs=0xffbfae48) at phishcheck.c:1207
#474 0xff2a4e30 in checkURLs (mainMessage=0x3a240, mctx=0xffbfccb8,
    rc=0xffbfaf44, is_html=1) at mbox.c:3903
#475 0xff2a6aa4 in parseEmailBody (messageIn=0x3a240, textIn=0x0,
    mctx=0xffbfccb8, recursion_level=0) at mbox.c:2037
#476 0xff2a88dc in cli_mbox (dir=0x3ca88 "/var/tmp//clamav-a40c39784d010e5305fb4f99f288021e", desc=0, ctx=0xffbfd540) at mbox.c:1400
#477 0xff29fc98 in cli_scanmail (desc=3, ctx=0xffbfd540) at scanners.c:1644
#478 0xff29d8e4 in cli_magic_scandesc (desc=3, ctx=0xffbfd540) at scanners.c:1973
#479 0xff2a1248 in cl_scandesc (desc=3, virname=0xffbfd5dc,
    scanned=0x2cbf8, engine=0x2d9d0, limits=0xffbffca0, options=26167) at scanners.c:2114
#480 0x00015e18 in checkfile (filename=0x3c250 "/var/tmp/testmessage", engine=0x2d9d0, limits=0xffbffca0, options=26167, printclean=1) at manager.c:640
#481 0x00016300 in scanfile (filename=0x3c250 "/var/tmp/testmessage",
    engine=0x2d9d0, user=0x0, opt=0x2cf70, limits=0xffbffca0, options=26167) at manager.c:1082
#482 0x000176c8 in scanmanager (opt=0x2cf70) at manager.c:363
#483 0x000150d8 in main (argc=3, argv=0x2cf70) at clamscan.c:213
(gdb)

URL doesn't contain `nationwide.co.uk':

$2 = 0x426d0 "http://allnations.nu/design/base/olb2.nationet/olb2.nationet.com/update?3441_3769473_414_1662_480_0_722_1148_2726403610&Idx=2&YY=1123&inc=25&order=down&sort=date&pos2_1148_2726403610&Idx=2&YY=1123&inc=25&order=down&s"

phishcheck.c:977 is just a call to regexec:

static int isURL(const struct phishcheck* pchk, const char* URL)
{
	return URL ? !regexec(&pchk->preg, URL, 0, NULL, 0) : 0; /* this is line 977 */
}

So my money says that the problem is a difference between Sun's regexec and whatever platform clamav is developed on (presumably Linux). I've run the bogus message through tr 'a-z' 'b-za' in order to avoid causing people pain (and I've checked that the sanitised form doesn't hang things). Convert it back with tr 'b-za' 'a-z'.

ian



Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net http://lurker.clamav.net/list/clamav-users.html
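The trace above shows regexec() recursing hundreds of frames deep on a URL well over a kilobyte long. The following is an added illustration, not ClamAV's code or its fix: an isURL()-style wrapper that refuses to hand a backtracking regex engine an over-long input, returning a distinct "refused" value so the caller can log it instead of silently treating it as not-a-URL. The URL regex, the URL_MAX_LEN cap and the struct name are all constructed for this example; ClamAV's real pattern is not on the page.

```c
/* Added example (not ClamAV code): length-bounded wrapper around regexec().
 * Regex and cap are constructed; ClamAV's real pattern is not shown here. */
#include <regex.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical cap: a recursive matcher's stack use grows with input length,
 * so anything longer than this never reaches regexec() at all. */
#define URL_MAX_LEN 1024

/* Constructed stand-in for pchk->preg: a simple POSIX ERE for http(s) URLs. */
static const char *URL_RE = "^https?://[A-Za-z0-9.-]+(/[^[:space:]]*)?$";

struct phishcheck_ex { regex_t preg; int compiled; };

int phishcheck_ex_init(struct phishcheck_ex *pchk) {
    pchk->compiled = (regcomp(&pchk->preg, URL_RE, REG_EXTENDED | REG_NOSUB) == 0);
    return pchk->compiled;
}

void phishcheck_ex_free(struct phishcheck_ex *pchk) {
    if (pchk->compiled) regfree(&pchk->preg);
    pchk->compiled = 0;
}

/* 1 = matches, 0 = does not match, -1 = refused before regexec() ran
 * (NULL, or no terminator within URL_MAX_LEN bytes). Callers should log -1:
 * an over-long URL is not proof of phishing, but it is worth noticing. */
int isURL_bounded(const struct phishcheck_ex *pchk, const char *URL) {
    if (URL == NULL) return -1;
    if (memchr(URL, '\0', URL_MAX_LEN + 1) == NULL) return -1; /* too long */
    return regexec(&pchk->preg, URL, 0, NULL, 0) == 0 ? 1 : 0;
}

/* Builds a constructed URL of the requested length, in the style of the one in
 * the trace: a short host followed by a very long query string. */
size_t make_long_url(char *buf, size_t buflen, size_t want) {
    const char *head = "http://example.invalid/update?";
    size_t n = strlen(head);
    if (want >= buflen) want = buflen - 1;
    if (n > want) n = want;
    memcpy(buf, head, n);
    while (n < want) { buf[n] = (n % 7 == 0) ? '&' : '1'; n++; }
    buf[n] = '\0';
    return n;
}

int main(void) {
    struct phishcheck_ex pchk; char big[4096];
    if (!phishcheck_ex_init(&pchk)) return 1;
    make_long_url(big, sizeof big, 1300);
    printf("short: %d  long(%zu): %d\n", isURL_bounded(&pchk, "http://nationwide.co.uk/"),
           strlen(big), isURL_bounded(&pchk, big));
    phishcheck_ex_free(&pchk);
    return 0;
}
```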