edwin at clamav
Mar 16, 2012, 6:25 AM
Post #2 of 5
On 03/16/2012 02:35 PM, Andreas Schulze wrote:
> I just compiled the new version in my autobuild system for
> multiple version of SuSE Linux Enterprise Servers.
> I noticed this RPMLINT report which I like to forward to you for inforamation:
> RPMLINT report:
> clamav.i586: W: shared-lib-calls-exit /usr/lib/libclamav.so.6.1.13 exit [at] GLIBC_2
> This library package calls exit() or _exit(), probably in a non-fork()
> context. Doing so from a library is strongly discouraged - when a library
> function calls exit(), it prevents the calling program from handling the
> error, reporting it to the user, closing files properly, and cleaning up any
> state that the program has. It is preferred for the library to return an
> actual error code and let the calling program decide how to handle the
> Could it be possible that the _exit() is intentional correct?
> Then I would like to add an exeption for my rpmlint...
It is LLVM that uses exit/_exit in Program::Execute for example.
We don't call that function though.
> Avira, a german antivirus vendor, may(*) classify the sourcecode tarball as malicious:
> clamav-0.97.4/test/.split/split.clam-pespin.exeaa <<< PCK/PESpin ; packer ; File has been compressed with an unusual runtime compression tool (PCK/PESpin). Please verify the origin of the file
That is part of the test-file for clamav's PESpin unpacker support. Obviously that is clam.exe packed by PESpin, and not malware.
> I informed avira and got the response that their av-envine finds "unusual runtime compression tool" commonly used by
> malware :-(
Yeah, thats why ClamAV has a PESpin unpacker (to unpack malware that uses it), and a testfile for it (so we make sure it actually works).
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net