[clamav-users] How to know if yara rules are being run?
Mark Foley
mfoley at novatec-inc.com
Wed Jul 5 21:52:03 UTC 2017
On Tue, 4 Jul 2017 11:47:35 -0400 eric-list at truenet.com wrote
> > Eric - you misunderstand my question. I'm not asking if the yara rule is
> > working as designed. I'm asking how I can tell if clamav-milter is actually
> > running the rule during its scan of incoming email. All I did was put
> > expetr.yara in /var/lib/clamav. That's it. I don't know if that's sufficient,
> > whether .yara or .yar is the proper file type (I've seen both), what the file
> > permissions should be ... In short, I have no feedback from clamav that it even
> > notices the presence of this rule.
> >
> > Can I set a debug level or something in clamd.conf, clamdscan.conf or
> > clamav-milter.conf?
> >
> > --Mark
>
> If you're using clamav-milter, then turn on logging:
> LogFile STRING
> Enable logging to selected file.
> Default: no
>
> LogInfected STRING
> This option allows you to tune what is logged when a message is infected. Possible values are Off (the default - nothing is logged), Basic (minimal info logged), Full (verbose info logged)
> Note: For this to work properly in sendmail, make sure the msg_id, mail_addr, rcpt_addr and i macros are available in eom. In other words add a line like: Milter.macros.eom={msg_id}, {mail_addr}, {rcpt_addr}, i to your .cf file. Alternatively use the macro: define(`confMILTER_MACROS_EOM', `{msg_id}, {mail_addr}, {rcpt_addr}, i')
> Postfix should be working fine with the default settings.
> Default: disabled
>
Thanks for the response Eric. I've checked clamav-milter.conf and logging is
turned on and some of the older rotated log files do have messages about past
catches.
My LogInfected is set to Full
I did add the confMILTER_MACROS_EOM setting you suggested to my sendmail.mc,
re-genned .cf and restarted sendmail.
> Depending on your clamd.conf, it should show what DBs to load.
> DatabaseDirectory STRING
> Path to a directory containing database files.
> OfficialDatabaseOnly BOOL
> Only load the official signatures published by the ClamAV project.
> Default: no
All my clamd.conf settings are as you describe:
DatabaseDirectory /var/lib/clamav (the yara rule is here)
OfficialDatabaseOnly is default (commented out)
> I found the Yara rule I think you're using, but it requires a Win32 executable:
> condition:
>
> uint16(0) == 0x5A4D and
> filesize < 1000000 and
> any of them
Yes, that appears to be correct. I got the rule from
https://securelist.com/schroedingers-petya/78870/ and it does end the way you
indicate.
> So you could use something like PAR::Packer and try to compile a quick PERL script, but I would just put in a test yara rule like I emailed previously and send yourself an email. It should show up in the log file, and you'll be sure it's working.
>
> Eric
Here's where you lost me! First off, I did try creating an email containing the
string about "POWER CABLE" as defined in the rule. I sent the message, but
nothing was detected. Although, not being versed in yara, I may need more
conditions set than that.
BUT ... I'm not asking you about debugging/interpreting a yara script. I'll
check that elsewhere. I'm just trying to figure out if clamav-milter on Linux is
running this check.
What do you mean, "it requires a Win32 executable"? Does that mean this rule
will not run on Linux?
Not being a frequent Perl user, I don't know what you're saying with "you could
use something like PAR::Packer and try to compile a quick PERL script". I have a
feeling explaining that is a lot more involved than you'd care to go into, but
if you can do so in a one- or two-liner, please do.
So, will this rule run as is, or not, on Linux? Do I have to do something?
Thanks, Mark
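As an added example (not part of the thread, and not ClamAV or YARA code), the condition quoted above can be evaluated in Python over constructed samples to show why a plain-text message does not fire: `uint16(0) == 0x5A4D` reads the little-endian 16-bit value at offset 0, which is the two bytes "MZ" that begin every DOS/PE executable. The rule's strings section is not reproduced in the thread, so the list below is an assumption that only includes the "POWER CABLE" string mentioned.

```python
import struct

# Assumed strings section; the thread only mentions "POWER CABLE".
STRINGS = [b"POWER CABLE"]
MAX_SIZE = 1_000_000  # "filesize < 1000000"
MZ_MAGIC = 0x5A4D     # little-endian uint16 of the bytes b"MZ"


def rule_matches(data: bytes) -> bool:
    """Evaluate: uint16(0) == 0x5A4D and filesize < 1000000 and any of them."""
    if len(data) < 2:
        return False  # uint16(0) cannot be read from a file shorter than 2 bytes
    magic = struct.unpack_from("<H", data, 0)[0]
    return magic == MZ_MAGIC and len(data) < MAX_SIZE and any(s in data for s in STRINGS)


def why_no_match(data: bytes) -> str:
    """Name the first sub-condition that fails, in the order the rule lists them."""
    if len(data) < 2 or struct.unpack_from("<H", data, 0)[0] != MZ_MAGIC:
        return "uint16(0) != 0x5A4D (file does not start with 'MZ')"
    if len(data) >= MAX_SIZE:
        return "filesize >= 1000000"
    if not any(s in data for s in STRINGS):
        return "none of the strings present"
    return "all conditions hold"


# Constructed samples (not real mail and not a real executable):
TEXT_MAIL = b"Subject: test\n\nPlease check the POWER CABLE before restarting.\n"
MZ_BLOB = b"MZ" + b"\x00" * 62 + b"...POWER CABLE..." + b"\x00" * 16

if __name__ == "__main__":
    for name, sample in (("text mail", TEXT_MAIL), ("MZ blob", MZ_BLOB)):
        print(f"{name}: match={rule_matches(sample)}; {why_no_match(sample)}")
```

The text mail fails on the very first sub-condition even though it contains the string, which is what "requires a Win32 executable" means: the rule runs anywhere ClamAV loads it, but only an object starting with "MZ" can satisfy it.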