[clamav-users] How to know if yara rules are being run?
Mark Foley
mfoley at novatec-inc.com
Tue Jul 4 14:12:41 UTC 2017
On Mon, 3 Jul 2017 19:57:25 -0400 Eric Tykwinski <eric-list at truenet.com> wrote:
> >>
> >
> > Yes. I got exactly the same output as you show. Therefore, yara rules are enabled.
> >
> > So then, how can I confirm the expetr.yara I created is being run?
> >
> > --Mark
>
> Mark,
>
> We are getting off topic for ClamAV list. I don't know what rule that they published, and thankfully haven't had to deal with anything locally.
> My guess would be to open the yara rule and check it out. You might be able to fake it with a hex editor to test it out, or you can search for sample files and see if they catch them. With Yara rules though you are usually only getting a small fragment of the infections, and probably a large portion of false positives. I use them for scanning backup archives personally to find web exploits, and the like, don't delete but find when the file was dropped.
>
> Hope this helps,
>
> Eric
>
Eric - you misunderstand my question. I'm not asking if the yara rule is
working as designed. I'm asking how I can tell if clamav-milter is actually
running the rule during its scan of incoming email. All I did was put
expetr.yara in /var/lib/clamav. That's it. I don't know if that's sufficient,
whether .yara or .yar is the proper file type (I've seen both), what the file
permissions should be ... In short, I have no feedback from clamav that it even
notices the presence of this rule.
Can I set a debug level or something in clamd.conf, clamscan.conf or
clamav-milter.conf?
--Mark
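One way to get the feedback Mark is asking for, added here as an example rather than anything posted in the thread: scan a constructed file with a constructed rule loaded on its own via `clamscan -d`, and look for ClamAV's `YARA.<rulename>.UNOFFICIAL` detection name in the output. It assumes clamscan is installed; the rule name, marker string and file names are made up for the test, and ClamAV accepts both `.yar` and `.yara` as the extension.

```shell
#!/bin/sh
# Added example (not from the thread): confirm that clamscan really loads and
# applies a YARA rule by scanning a constructed matching file with that rule
# alone (-d). ClamAV accepts both .yar and .yara and reports a YARA match as
# "YARA.<rulename>.UNOFFICIAL". Assumes clamscan is installed; the rule name
# and the marker string below are constructed for this test.

# Print the YARA rule names that appear as matches in clamscan output ($1).
yara_hits() {
    printf '%s\n' "$1" |
        sed -n 's/^.*: YARA\.\([A-Za-z0-9_]*\)\.UNOFFICIAL FOUND$/\1/p'
}

# Create a throwaway rule plus a file containing its marker, scan the file
# with only that rule loaded, and print the names of the rules that fired.
# Exit status: 0 = rule fired (so it was loaded and run), 1 = no hit,
# 2 = clamscan (or a temp dir) is not available.
check_yara_rule() {
    command -v clamscan >/dev/null 2>&1 || return 2
    dir=$(mktemp -d) || return 2
    cat > "$dir/probe.yar" <<'EOF'
rule clamav_yara_probe
{
    strings:
        $marker = "CLAMAV-YARA-PROBE-7f3a"
    condition:
        $marker
}
EOF
    # Harmless text file carrying the constructed marker string.
    printf 'just a test file: CLAMAV-YARA-PROBE-7f3a\n' > "$dir/sample.txt"
    # clamscan exits 1 when something is found, so do not let that abort us.
    out=$(clamscan --no-summary -d "$dir/probe.yar" "$dir/sample.txt" 2>&1) || true
    hits=$(yara_hits "$out")
    rm -rf "$dir"
    [ -n "$hits" ] || return 1
    printf '%s\n' "$hits"
}

# Stand-alone use: sh check_yara_rule.sh run
case "${1:-}" in
    run) check_yara_rule; echo "status: $?" ;;
esac
```

For the milter path the same rule has to live in the database directory clamd loads, and clamd only picks it up at startup or on a reload (`clamdscan --reload`); `Debug yes` and `LogVerbose yes` in clamd.conf make the library's database-loading messages appear in the clamd log.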