[clamav-users] How to know if yara rules are being run?
Kris Deugau
kdeugau at vianet.ca
Thu Jul 6 15:34:53 UTC 2017
Mark Foley wrote:
> So, the question posted below remains:
>
> Will the expetr.yara rule, described in this thread, run as is, or not, on
> Linux?
Any valid signature file will be loaded and used.
Any *invalid* signature file will cause clamd to exit.
If clamd is running, and you've been able to confirm the signature file
is being loaded, the signature will be checked.
Signatures are not platform-specific except in terms of what they're
intended to match on.
> I'm specifically asking about Eric's comment, "it requires a Win32 executable".
To answer this specific point, one of the signature fragments checks a
byte pattern in a certain location to help ensure that it only triggers
on files that are Win32 executables.
More generally, to confirm whether a specific signature is doing what
it's supposed to, you need to have a file to test with that you know is
supposed to match on that signature.
-kgd
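The check Kris describes, in script form: make a rule with the same kind of "must be a Win32 executable" guard the expetr rule carries (a `uint16(0) == 0x5A4D` test for the MZ header), build one file that should match it and one that should not, and run clamscan with `-d` pointing at that rule so a load error or a missing FOUND line shows up immediately. This is an added example, not code from the thread or from the ClamAV project; the rule name, marker string, file names, and the assumptions that this ClamAV build accepts the `uint16()` condition and that a locally loaded YARA rule is reported with the `.UNOFFICIAL` suffix are all mine.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread or from ClamAV itself.
# Builds a YARA rule with an MZ-header guard, two constructed sample files,
# and runs clamscan over them so you can see the rule load and fire.
set -eu

# Rule with a platform guard: uint16(0) == 0x5A4D is the little-endian read
# of the "MZ" bytes at offset 0.  Assumption: this ClamAV build accepts the
# uint16() condition; if it does not, clamscan reports an error at load time.
write_rule() {
    cat > "$1" <<'EOF'
rule demo_needs_mz
{
    strings:
        $marker = "DEMO-MARKER-STRING"
    condition:
        uint16(0) == 0x5A4D and $marker
}
EOF
}

# Constructed sample inputs (made up for this example): one file carrying the
# marker behind an MZ header, one carrying the same marker with no header.
write_mz_sample()   { printf 'MZ\220\003 padding DEMO-MARKER-STRING tail\n' > "$1"; }
write_text_sample() { printf 'plain text DEMO-MARKER-STRING tail\n' > "$1"; }

# clamscan prints "<path>: <signature> FOUND" per hit and a "Known viruses: N"
# line in its summary.  Assumption: a YARA rule loaded from a local file is
# named "<rule>.UNOFFICIAL" in that output.
file_reported_found() { printf '%s\n' "$2" | grep -F -- "$1: " | grep -q ' FOUND$'; }
loaded_signatures()   { printf '%s\n' "$1" | sed -n 's/^Known viruses: //p'; }

run_check() {
    work=$(mktemp -d)
    write_rule "$work/demo.yara"
    write_mz_sample "$work/with_header.bin"
    write_text_sample "$work/no_header.txt"

    if ! command -v clamscan >/dev/null 2>&1; then
        echo "clamscan not installed; rule and samples left in $work" >&2
        return 0
    fi

    # -d loads only our rule instead of the default database.  clamscan exits
    # 1 when something is found, so do not let set -e abort on that.
    out=$(clamscan -d "$work/demo.yara" "$work/with_header.bin" "$work/no_header.txt" 2>&1) || true

    echo "signatures loaded from demo.yara: $(loaded_signatures "$out")"
    if file_reported_found "$work/with_header.bin" "$out"; then
        echo "rule fired on the MZ sample (expected)"
    else
        echo "rule did not fire on the MZ sample; see clamscan output below" >&2
    fi
    if file_reported_found "$work/no_header.txt" "$out"; then
        echo "rule fired on the text sample; the MZ guard is not being applied" >&2
    else
        echo "rule stayed quiet on the text sample (expected)"
    fi
    printf '%s\n' "$out"
}

run_check
```

If the "Known viruses" count comes back 0 or clamscan exits with a parse error, the rule was not loaded at all, which is the case Kris warns about: an invalid signature file stops the daemon rather than being silently skipped. Adding `--debug` to the clamscan call prints which database files were loaded and is the quickest way to confirm the path you handed it is the one being read.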