[clamav-users] How to know if yara rules are being run?
Eric Tykwinski
eric-list at truenet.com
Sat Jul 1 13:21:50 UTC 2017
> On Jul 1, 2017, at 1:10 AM, Mark Foley <mfoley at novatec-inc.com> wrote:
>
> I've put the expetr.yara rule from Kaspersky for the recent notPetya ransomware
> in my /var/lib/clamav directory.
>
> How can I tell if clamav is running it? I see nothing in /var/log/clamav.log.
>
> --Mark
My first suggestion would be to make sure Yara rules are enabled in clamav.
So make a couple of files:
/*** test.yara ***/
rule Test_Yara_Rules : test
{
    meta:
        description = "Test Yara"
    strings:
        $test = "YaraTest" fullword ascii
    condition:
        $test
}
/***********/
echo YaraTest > test.txt
clamscan -d ./test.yara test.txt
Should show you:
test.txt: YARA.Test_Yara_Rules.UNOFFICIAL FOUND
----------- SCAN SUMMARY -----------
Known viruses: 1
Engine version: 0.99.2
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 0.00 MB
Data read: 0.00 MB (ratio 0.00:1)
Time: 0.007 sec (0 m 0 s)
For Ubuntu 16.04 it’s enabled by default; on OSX with Homebrew, add --with-yara to enable them.
PS. Talos guys, I’m loving the new website, a lot of info in there.
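A scripted version of the same check, added here as an example and not part of the original post: it writes the test rule and marker file from above into a temporary directory, runs clamscan against them, and judges the result from the scan output rather than by eye. It assumes clamscan is on PATH.

```shell
#!/bin/sh
# Added example, not from the original post: scripted version of the check
# described above. Assumes clamscan is on PATH; rule and marker are constructed.

RULE_NAME="Test_Yara_Rules"
MARKER="YaraTest"

# Write the test rule and the file it should match into directory $1.
write_yara_fixture() {
    dir="$1"
    cat > "$dir/test.yara" <<EOF
rule $RULE_NAME : test
{
    meta:
        description = "Test Yara"
    strings:
        \$test = "$MARKER" fullword ascii
    condition:
        \$test
}
EOF
    echo "$MARKER" > "$dir/test.txt"
}

# Read clamscan output on stdin; return 0 only if the YARA rule was reported
# FOUND and the summary counts at least one infected file, else return 1.
yara_hit_in_output() {
    out="$(cat)"
    printf '%s\n' "$out" | grep -q "YARA\.$RULE_NAME\.UNOFFICIAL FOUND" || return 1
    printf '%s\n' "$out" | grep -q '^Infected files: [1-9]' || return 1
}

# Build the fixture, scan it with only the test rule loaded, and report
# whether the engine's YARA support is active. clamscan exits 1 on a hit,
# so the result is judged from its output, not its exit status.
yara_selftest() {
    tmp="$(mktemp -d)" || return 2
    write_yara_fixture "$tmp"
    if clamscan -d "$tmp/test.yara" "$tmp/test.txt" 2>/dev/null | yara_hit_in_output; then
        echo "YARA rules are loaded and matching"
        rc=0
    else
        echo "YARA rule did not fire: check the engine build (--with-yara) and the rule syntax"
        rc=1
    fi
    rm -rf "$tmp"
    return $rc
}
```

Call `yara_selftest` after sourcing the script; a non-zero return means the rule was not loaded or did not match.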