[clamav-users] Strange problem with custom Yara rule
kionez
kionez at gmail.com
Thu Apr 14 07:10:12 UTC 2016
#include <Kevin Lin.h> // created 13/04/2016 19:33
> Please refer to the bug report at:
> https://bugzilla.clamav.net/show_bug.cgi?id=11552
> for the patch to resolve the issue.
Wow, thanks for the quick solution :)
I've just tried the patch on my laptop and it seems to be working fine. I'll do
some tests and then I will push it to the production server (I think it is
pretty safe to use it in production).
Some examples, using the files posted before and a simple rule combining a
string and a regex match:
rule Header_combined // test_combined.yara
{
    strings:
        $match_string = "pass"
        $match_regex = /pass/
    condition:
        $match_regex and $match_string
}
Before patch:
$ clamscan --no-summary -d test_body.yara -z test.eml
test.eml: YARA.Body_string.UNOFFICIAL FOUND
test.eml: YARA.Body_Regex.UNOFFICIAL FOUND
$ clamscan --no-summary -d test_header.yara -z test.eml
test.eml: YARA.Header_string.UNOFFICIAL FOUND
$ clamscan --no-summary -d test_combined.yara -z test.eml
test.eml: OK
After patch:
$ clamscan --no-summary -d test_body.yara -z test.eml
test.eml: YARA.Body_string.UNOFFICIAL FOUND
test.eml: YARA.Body_Regex.UNOFFICIAL FOUND
$ clamscan --no-summary -d test_header.yara -z test.eml
test.eml: YARA.Header_string.UNOFFICIAL FOUND
test.eml: YARA.Header_Regex.UNOFFICIAL FOUND
$ clamscan --no-summary -d test_combined.yara -z test.eml
test.eml: YARA.Header_combined.UNOFFICIAL FOUND
So, I confirm that it is solved!
Thanks!
k.
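
Added example (not part of the original message and not ClamAV project code): a small shell regression check that reads clamscan output and reports which expected YARA rules did not fire, so a silent miss like the pre-patch `test.eml: OK` fails loudly. The function names and the `EXPECTED` list are assumptions made for this example; the output lines are copied from the message above.

```shell
#!/bin/sh
# Added example. Assumes the clamscan line format shown in the post:
#   <file>: YARA.<rule>.UNOFFICIAL FOUND

# Read clamscan output on stdin; print every expected rule name
# (given as arguments) that is absent from it, one per line.
missing_rules() {
    fired=$(sed -n 's/^.*: YARA\.\(.*\)\.UNOFFICIAL FOUND$/\1/p')
    for rule in "$@"; do
        printf '%s\n' "$fired" | grep -qxF -- "$rule" || printf '%s\n' "$rule"
    done
}

# Output of the three clamscan runs from the post, concatenated.
BEFORE_PATCH='test.eml: YARA.Body_string.UNOFFICIAL FOUND
test.eml: YARA.Body_Regex.UNOFFICIAL FOUND
test.eml: YARA.Header_string.UNOFFICIAL FOUND
test.eml: OK'

AFTER_PATCH='test.eml: YARA.Body_string.UNOFFICIAL FOUND
test.eml: YARA.Body_Regex.UNOFFICIAL FOUND
test.eml: YARA.Header_string.UNOFFICIAL FOUND
test.eml: YARA.Header_Regex.UNOFFICIAL FOUND
test.eml: YARA.Header_combined.UNOFFICIAL FOUND'

# Rule names that should fire on test.eml (taken from the post-patch output).
EXPECTED='Body_string Body_Regex Header_string Header_Regex Header_combined'

# $1 = label, $2 = clamscan output; returns non-zero if any rule is missing.
check() {
    miss=$(printf '%s\n' "$2" | missing_rules $EXPECTED)
    if [ -n "$miss" ]; then
        printf '%s: MISSING %s\n' "$1" "$(printf '%s' "$miss" | tr '\n' ' ')"
        return 1
    fi
    printf '%s: all expected rules fired\n' "$1"
}

check before "$BEFORE_PATCH" || true   # reports Header_Regex Header_combined
check after "$AFTER_PATCH"
```

Against a live scanner the same function can be fed directly, for example `clamscan --no-summary -d test_combined.yara -z test.eml | missing_rules Header_combined`.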