Fatal crash: "signal: aborted (core dumped)"

[seihtam]

All plugins are up to date.

I tested multiple files (both binary and text files) and all resulted in the following message from the windows defender plugin:

>> docker run --rm -v /var/run/docker.sock:/var/run/docker.sock -v `pwd`:/malice/samples --network="host" malice/engine scan --logs putty.exe

...

time="2018-11-29T09:43:40Z" level=fatal msg="signal: aborted (core dumped)" category=av path=/malware/7afb56dd48565c3c9804f683c80ef47e5333f847f2d3211ec11ed13ad36061e1 plugin=windows_defender

...

Let me know if there is a way i can provide more information to help debug the problem.

Docker version:

Docker version:
Client:
 Version:           18.09.0
 API version:       1.39
 Go version:        go1.10.4
 Git commit:        4d60db4
 Built:             Wed Nov  7 00:49:01 2018
 OS/Arch:           linux/amd64
 Experimental:      false

Server: Docker Engine - Community
 Engine:
  Version:          18.09.0
  API version:      1.39 (minimum version 1.12)
  Go version:       go1.10.4
  Git commit:       4d60db4
  Built:            Wed Nov  7 00:16:44 2018
  OS/Arch:          linux/amd64
  Experimental:     false

Docker info (with some info removed):

Docker info:
Containers: 6
 Running: 1
 Paused: 0
 Stopped: 5
Images: 26
Server Version: 18.09.0
Storage Driver: overlay2
 Backing Filesystem: extfs
 Supports d_type: true
 Native Overlay Diff: true
Logging Driver: json-file
Cgroup Driver: cgroupfs
Plugins:
 Volume: local
 Network: bridge host macvlan null overlay
 Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
Swarm: inactive
Runtimes: runc
Default Runtime: runc
Init Binary: docker-init
containerd version: c4446665cb9c30056f4998ed953e6d4ff22c7c39
runc version: 4fc53a81fb7c994640722ac585fa9ca548971871
init version: fec3683
Security Options:
 apparmor
 seccomp
  Profile: default
Kernel Version: 4.15.0-39-generic
Operating System: Linux Mint 19
OSType: linux
Architecture: x86_64
Docker Root Dir: /var/lib/docker
Debug Mode (client): false
Debug Mode (server): false
Registry: https://index.docker.io/v1/
Labels:
Experimental: false
Insecure Registries:
 127.0.0.0/8
Live Restore Enabled: false
Product License: Community Engine

WARNING: No swap limit support

[blacktop]

Does this happen every time you scan that file?

[blacktop]

Looks like docker (or ubuntu) changed their default seccomp profile?

This is fixed by running this plugin list this:

docker run --init --rm --security-opt seccomp=seccomp/profile.json -v $(PWD):/malware malice/windows-defender -t evil.malware

Where seccomp/profile.json is here

Once again, thank you for letting me know 👍

I will try and get custom seccomp profile support in malice soon.

[seihtam]

I can confirm that it works with the new seccomp profile.

[blacktop]

thank you! I will create an issue in malice to track the adding of seccomp profiles being added

[blacktop]

maliceio/malice#85