Description of problem:
Problem with libclamav:

# clamscan /home/XXXXXXXXXXXXXXXXXX/
LibClamAV Error: yyerror(): /var/lib/clamav/rfxn.yara line 429 syntax error, unexpected _NUMBER_
LibClamAV Warning: cli_loadyara: failed to parse or load 1 yara rules from file /var/lib/clamav/rfxn.yara, successfully loaded 78 rules.

and that rule does not even have a _NUMBER_ tag:

/var/lib/clamav/rfxn.yara
426:rule gate_php_js {
427: /* token=KjsS29Msl&host= */
428: strings:
429: $ = /\/gate.php\?token=.{,10}&host=/
430: condition: any of them
431:}

Version-Release number of selected component (if applicable):
exim-clamav-4.94-1
clamd-0.102.4-1
clamav-0.102.4-1
clamav-update-0.102.4-1
clamav-data-0.102.4-1
clamav-filesystem-0.102.4-1
clamav-lib-0.102.4-1
FYI:

# /usr/bin/freshclam
Sat Aug 15 10:21:42 2020 -> ClamAV update process started at Sat Aug 15 10:21:42 2020
Sat Aug 15 10:21:42 2020 -> daily.cld database is up to date (version: 25901, sigs: 3835550, f-level: 63, builder: raynman)
Sat Aug 15 10:21:42 2020 -> main.cvd database is up to date (version: 59, sigs: 4564902, f-level: 60, builder: sigmgr)
Sat Aug 15 10:21:42 2020 -> bytecode.cvd database is up to date (version: 331, sigs: 94, f-level: 63, builder: anvilleg)
But it does have a number on that line. Are you sure that the syntax is valid? (I don't know yara.) I would suggest asking on the clamav list. And then if the clamav devs say it's a bug, file a bug at bugzilla.clamav.net. I'd be surprised if it was an issue with how Fedora compiles clamav.
I'm not sure if that syntax is valid at all, as I have seen it for the first time ;)

It looks like the ruleset was defective, as a test today did not show any sign of it anymore. The rule in question is now at a different position and looks different too:

rule gate_php_js {
/* token=KjsS29Msl&host= */
strings:
$re =/\/gate.php\?token=.{,10}&host=/ nocase
condition: any of them
}

Case closed.