[sanesecurity] Re: Signature news

  • From: Tom Shaw <tshaw@xxxxxxxx>
  • To: sanesecurity@xxxxxxxxxxxxx
  • Date: Fri, 23 Oct 2009 07:35:47 -0400

Tony

Check your files. For example:

clamscan --quiet --database=/path/to/winnow_phish_complete.ndb some_test_file

If these pass (mine do), which I expect, then you probably have a memory allocation issue and need to open a bug report.

Tom

At 12:44 PM +0200 10/23/09, tonio@xxxxxxxxxxxxxx wrote:

Gerard wrote:
 On Fri, 23 Oct 2009 11:46:03 +0200 tonio@xxxxxxxxxxxxxx
 <tonio@xxxxxxxxxxxxxx> replied:


 Steve Basford wrote:
 Hi All,

 I'm pleased to announce two new signatures databases:

 New Database 1:

 Database name: spearl.ndb

 Description: phishing_links is a list of generic forms used for
  e-mail account phishing

 Provider: APER
 Risk of FP's: low
 Website: http://code DOT google DOT com/p/anti-phishing-email-reply/

 New Database 2:

 Database name: scamnailer.ndb

 Note: this database may use more cpu resources, due to
 extensive use of conditional signatures

 Description:  This uses far more than just the well-known list
 of phishing email addresses published on SourceForge. It also
 uses a very large list of addresses, which have been discovered
 and manually checked by a large and very well known corporation
 on the web, which you will definitely have heard of

 Provider: Julian Field/Tony Finch
 Risk of FP's: medium
 Website: www DOT scamnailer DOT info

 New scripts will no doubt be available soon to take advantage
 of these two new databases (unless you edit them yourself)

 In other news:

 a) Tweaks have been made to spear.ndb file to improve the
 detection rates.

 b) Lots of generic signatures to help block spear phishing have
  been added to phish.ndb (generally
 Sanesecurity.Phishing.Fake's)

 Cheers,

 Steve Sanesecurity

 Hi, I've the same problem with scamnailer.ndb as lately with
 signature MSRBL-SPAM and winnow_phish_complete (see previous
 thread):

 ClamAV update process started at Fri Oct 23 11:42:43 2009
 main.cvd is up to date (version: 51, sigs: 545035, f-level: 42, builder: sven)
 daily.cld is up to date (version: 9930, sigs: 92347, f-level: 43, builder: guitar)
 LibClamAV Error: mpool_malloc(): Attempt to allocate 2097152 bytes. Please report to http://bugs.clamav.net
 LibClamAV Error: cli_ac_addpatt: Can't realloc ac_pattable
 LibClamAV Error: cli_parse_add(): Problem adding signature (3).
 LibClamAV Error: Problem parsing database at line 2880
 LibClamAV Error: Can't load /var/lib/clamav/scamnailer.ndb: Malformed database
 ERROR: Malformed database

 Clamav 0.95.2

 I am not sure how the script you are using works; however, you
 could try this.

 1) Locate the offending signature file(s)
    A) Check if copies of the original downloaded files are still there
 2) Delete them
 3) Restart clamav
 4) See if any errors are reported
 5) Run your script with full logging if possible
 6) Check the clamav log to see if the files were correctly loaded.

Already done.
If I delete the offending file, clamd starts OK.

I'm using Bill Landry's script version 3.5.

I've also tried to manually download the signature file from the original source:

wget http://www.mailscanner.eu/scamnailer.ndb

Same error when I restart clamd:

LibClamAV Error: mpool_malloc(): Attempt to allocate 2097152 bytes. Please report to http://bugs.clamav.net
LibClamAV Error: cli_ac_addpatt: Can't realloc ac_pattable
LibClamAV Error: cli_parse_add(): Problem adding signature (3).
LibClamAV Error: Problem parsing database at line 1871
LibClamAV Error: Can't load /var/lib/clamav/scamnailer.ndb: Malformed database
ERROR: Malformed database
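The diagnosis discussed in this thread, as an added example that is not part of the original posts or of ClamAV: a triage of LibClamAV loader output that separates a database rejected after a failed allocation from one rejected by the parser alone. The function name, the verdict strings and the rule that errors belong to the next "Can't load" line are assumptions of this example; the sample is the second log quoted in the thread.

```python
import re

# Second LibClamAV output quoted in the thread, one message per line.
SAMPLE_LOG = """\
LibClamAV Error: mpool_malloc(): Attempt to allocate 2097152 bytes. Please report to http://bugs.clamav.net
LibClamAV Error: cli_ac_addpatt: Can't realloc ac_pattable
LibClamAV Error: cli_parse_add(): Problem adding signature (3).
LibClamAV Error: Problem parsing database at line 1871
LibClamAV Error: Can't load /var/lib/clamav/scamnailer.ndb: Malformed database
ERROR: Malformed database
"""

ALLOC_RE = re.compile(r"mpool_malloc\(\): Attempt to allocate (\d+) bytes|Can't realloc")
LINE_RE = re.compile(r"Problem parsing database at line (\d+)")
LOAD_RE = re.compile(r"Can't load (\S+): (.+)$")


def triage_load_errors(log_text):
    """Return one finding per database that libclamav refused to load.

    Heuristic (an assumption of this example): preceding errors are attributed
    to the next "Can't load <path>" line, which closes a failed load attempt.
    """
    findings = []
    pending = {"alloc_bytes": None, "alloc_failed": False, "line": None}
    for raw in log_text.splitlines():
        msg = raw.strip()
        if (m := ALLOC_RE.search(msg)):
            pending["alloc_failed"] = True
            if m.group(1):  # only the mpool_malloc message carries a size
                pending["alloc_bytes"] = int(m.group(1))
        elif (m := LINE_RE.search(msg)):
            pending["line"] = int(m.group(1))
        elif (m := LOAD_RE.search(msg)):
            verdict = ("allocation failure while loading"
                       if pending["alloc_failed"] else "signature rejected by parser")
            findings.append({"database": m.group(1), "reported": m.group(2),
                             "verdict": verdict, **pending})
            pending = {"alloc_bytes": None, "alloc_failed": False, "line": None}
    return findings


if __name__ == "__main__":
    for f in triage_load_errors(SAMPLE_LOG):
        print(f"{f['database']}: {f['verdict']} "
              f"(line {f['line']}, {f['alloc_bytes']} bytes requested)")
```
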


