[clamav-users] Strange problem with custom Yara rule

kionez kionez at gmail.com
Wed Apr 13 13:07:51 UTC 2016


Hi,

I'm going mad with a strange behaviour of clamav with custom yara rules.

I'm trying to match some nasty spam email. I decided to use yara for my
custom rules, but I noticed a problem: if I use only string detection, clamav
(either via clamscan or clamdscan) matches the whole email (text +
headers), but if I use regex detection it only matches the email's text.

For example:

	$mail_header = /X-Mailer: PHPMailer 5\.2\./

doesn't match, but:

	$mail_header = "X-Mailer: PHPMailer 5.2."

matches. I tried to "reduce" the match to only "ailer", but the
situation doesn't change, even when appending a "nocase" flag.

Am I wrong, or is there something strange? :)


k.
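Added diagnostic, not part of the post above and not ClamAV or YARA code: it uses Python's `re` module and `email` parser rather than ClamAV's matcher, so it only shows whether the two pattern forms are themselves equivalent, not how ClamAV feeds data to its YARA engine. The sample message is constructed here; the X-Mailer value in it is an assumption. The script splits the message into header block and body and checks each part against the literal string, the escaped regex, and the reduced nocase regex from the post, which is the first check to run before blaming the rule syntax.

```python
import re
from email import message_from_string

# Constructed sample message (assumption, not taken from the post).
SAMPLE_EML = """From: sender@example.invalid
To: victim@example.invalid
Subject: hello
X-Mailer: PHPMailer 5.2.9 (https://github.com/PHPMailer/PHPMailer/)
Content-Type: text/plain; charset=us-ascii

Please open the attached invoice.
"""

# The two candidate YARA strings from the post, as a literal and as a regex.
# In the YARA text string the dots are literal; in the regex they are escaped,
# so on a plain byte stream the two should match exactly the same input.
LITERAL = "X-Mailer: PHPMailer 5.2."
REGEX = re.compile(r"X-Mailer: PHPMailer 5\.2\.")
# The reduced pattern from the post, with the equivalent of the nocase flag.
REGEX_NOCASE = re.compile(r"ailer", re.IGNORECASE)


def split_message(raw):
    """Return (headers, body) as two strings.

    This mirrors what a MIME-aware scanner may do: hand the header block and
    the decoded body to the matcher as separate buffers instead of one file.
    """
    msg = message_from_string(raw)
    headers = "".join(f"{name}: {value}\n" for name, value in msg.items())
    body = msg.get_payload()
    return headers, body


def check_patterns(raw):
    """Run literal, regex and nocase regex against headers, body and raw file.

    Returns a dict of booleans so the caller can see exactly which buffer each
    pattern form hits.  If literal and regex disagree here, the rule is wrong;
    if they agree here but disagree in the scanner, the scanner is feeding the
    regex a different buffer than the literal.
    """
    headers, body = split_message(raw)
    return {
        "literal_headers": LITERAL in headers,
        "literal_body": LITERAL in body,
        "literal_raw": LITERAL in raw,
        "regex_headers": REGEX.search(headers) is not None,
        "regex_body": REGEX.search(body) is not None,
        "regex_raw": REGEX.search(raw) is not None,
        "nocase_headers": REGEX_NOCASE.search(headers) is not None,
        "nocase_body": REGEX_NOCASE.search(body) is not None,
    }


def forms_agree(results):
    """True when the literal and the regex hit the same buffers."""
    return all(
        results[f"literal_{part}"] == results[f"regex_{part}"]
        for part in ("headers", "body", "raw")
    )


if __name__ == "__main__":
    res = check_patterns(SAMPLE_EML)
    for key, hit in res.items():
        print(f"{key:16s} {hit}")
    print("literal and regex agree:", forms_agree(res))
```

Point the same script at a real sample with `check_patterns(open("sample.eml").read())`: if both forms hit the header block here, the divergence reported above is in what the scanner passes to its regex matcher, not in the pattern itself.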


