[clamav-users] How to know if yara rules are being run?
Mark Foley
mfoley at novatec-inc.com
Mon Jul 3 20:58:29 UTC 2017
On Sat, 1 Jul 2017 09:21:50 -0400 Eric Tykwinski <eric-list at truenet.com> wrote:
> > On Jul 1, 2017, at 1:10 AM, Mark Foley <mfoley at novatec-inc.com> wrote:
> >
> > I've put the expetr.yara rule from Kaspersky for the recent notPetya ransomware
> > in my /var/lib/clamav directory.
> >
> > How can I tell if clamav is running it? I see nothing in /var/log/clamav.log.
> >
> > --Mark
>
>
> My first suggestion would be make sure Yara rules are enabled in clamav.
> So make a couple of files:
> /*** test.yara ***/
> rule Test_Yara_Rules : test
> {
> meta:
> description = "Test Yara"
> strings:
> $test = "YaraTest" fullword ascii
> condition:
> $test
> }
> /***********/
>
> echo YaraTest > test.txt
>
> clamscan -d ./test.yara test.txt
>
> Should show you:
> test.txt: YARA.Test_Yara_Rules.UNOFFICIAL FOUND
>
> ----------- SCAN SUMMARY -----------
> Known viruses: 1
> Engine version: 0.99.2
> Scanned directories: 0
> Scanned files: 1
> Infected files: 1
> Data scanned: 0.00 MB
> Data read: 0.00 MB (ratio 0.00:1)
> Time: 0.007 sec (0 m 0 s)
>
Yes. I got exactly the same output as you show. Therefore, yara rules are enabled.
So then, how can I confirm the expetr.yara I created is being run?
--Mark
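To give the follow-up question a concrete check, here is an added script (not from either poster) that first runs Eric's test rule to confirm YARA support, then loads the rule file under test on its own and reports how many rules clamscan accepted from it. It assumes clamscan is in PATH, that exit status 2 means a load error, and that the rule file path is passed as the first argument.

```shell
#!/bin/sh
# Added example: confirm YARA support is enabled and that a given .yara file is
# actually loaded by clamscan, by reading its scan summary. Assumes clamscan is
# in PATH (exit 0 = clean, 1 = hit, 2 = error) and a rule file as argument 1.

# Extract the "Known viruses" count from clamscan output passed on stdin.
known_count() {
    sed -n 's/^Known viruses: *\([0-9][0-9]*\)$/\1/p'
}

# Succeed if clamscan output on stdin contains a YARA hit for the named rule.
yara_hit() {
    grep -q "YARA\.$1\.UNOFFICIAL FOUND"
}

# Write the test rule from the thread and a matching file into a scratch dir.
make_test_case() {
    dir=$(mktemp -d)
    cat > "$dir/test.yara" <<'EOF'
rule Test_Yara_Rules : test
{
    meta:
        description = "Test Yara"
    strings:
        $test = "YaraTest" fullword ascii
    condition:
        $test
}
EOF
    echo YaraTest > "$dir/test.txt"
    echo "$dir"
}

# Step 1: YARA support at all. Step 2: how many rules the real file contributes.
verify_rule_file() {
    rules="$1"
    dir=$(make_test_case)
    out=$(clamscan -d "$dir/test.yara" "$dir/test.txt") || true   # exit 1 = hit
    printf '%s\n' "$out" | yara_hit Test_Yara_Rules \
        || { echo "YARA rules are not being applied by this clamscan" >&2; return 1; }
    # Load only the rule file under test; unsupported rules are skipped with a
    # warning on stderr, and a file clamscan cannot load at all gives status 2.
    status=0; out=$(clamscan -d "$rules" "$dir/test.txt") || status=$?
    rm -rf "$dir"
    [ "$status" -ne 2 ] || { echo "clamscan could not load $rules" >&2; return 1; }
    n=$(printf '%s\n' "$out" | known_count)
    echo "$rules loaded: $n rule(s)"
}

if [ $# -eq 1 ]; then verify_rule_file "$1"; fi
```

When the same file sits in /var/lib/clamav, the "Known viruses" count of a scan against that directory should be higher by the number reported here than it is with the file removed.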