[clamav-users] How to know if yara rules are being run?
Mark Foley
mfoley at novatec-inc.com
Thu Jul 6 17:04:29 UTC 2017
On Thu, 6 Jul 2017 11:34:53 -0400 Kris Deugau <kdeugau at vianet.ca> wrote
>
> Mark Foley wrote:
>
> > So, the question posted below remains:
> >
> > Will the expetr.yara rule, described in this thread, run as is, or not, on
> > Linux?
>
> Any valid signature file will be loaded and used.
>
> Any *invalid* signature file will cause clamd to exit.
>
> If clamd is running, and you've been able to confirm the signature file
> is being loaded, the signature will be checked.
>
> Signatures are not platform-specific except in terms of what they're
> intended to match on.
>
> > I'm specifically asking about Eric's comment, "it requires a Win32 executable".
>
> To answer this specific point, one of the signature fragments checks a
> byte pattern in a certain location to help ensure that it only triggers
> on files that are Win32 executables.
>
> More generally, to confirm whether a specific signature is doing what
> it's supposed to, you need to have a file to test with that you know is
> supposed to match on that signature.
>
> -kgd
Thanks Kris, that answers my question. I somehow incorrectly took from Eric's
comment that the rule would only run on Windows, but I get that the rule is
inspecting the message for a Windows executable.
--Mark
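As an added example (not code from ClamAV, and not the contents of the expetr.yara rule discussed in this thread, which are not shown here), the following Python mirrors the kind of byte-pattern gate Kris describes. It assumes the common YARA idiom for requiring a Win32 PE, `uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550`, and pairs it with a hypothetical string marker; the sample inputs are constructed inline. It shows why such a rule runs fine on a Linux scanner but only fires when the scanned content itself is a Win32 executable, and how YARA's out-of-bounds reads make the condition false rather than an error.

```python
"""Added example: a YARA-style Win32 PE gate evaluated in Python.

Not ClamAV code and not the expetr.yara rule; the condition
    uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550
is an assumed illustration of "a byte pattern in a certain location".
"""
import struct
from typing import Optional

MZ_MAGIC = 0x5A4D          # "MZ" read little-endian as uint16
PE_SIGNATURE = 0x00004550  # "PE\0\0" read little-endian as uint32


def uint16(data: bytes, offset: int) -> Optional[int]:
    """YARA-style little-endian uint16; None when the read is out of bounds
    (YARA treats such a read as undefined, so comparisons on it are false)."""
    if offset < 0 or offset + 2 > len(data):
        return None
    return struct.unpack_from("<H", data, offset)[0]


def uint32(data: bytes, offset: int) -> Optional[int]:
    """YARA-style little-endian uint32 with the same out-of-bounds rule."""
    if offset < 0 or offset + 4 > len(data):
        return None
    return struct.unpack_from("<I", data, offset)[0]


def is_win32_pe(data: bytes) -> bool:
    """Equivalent of: uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550.
    e_lfanew (offset 0x3C) must point at a 'PE\\0\\0' signature inside the file."""
    if uint16(data, 0) != MZ_MAGIC:
        return False
    e_lfanew = uint32(data, 0x3C)
    if e_lfanew is None:
        return False
    return uint32(data, e_lfanew) == PE_SIGNATURE


def rule_matches(data: bytes, marker: bytes) -> bool:
    """Toy rule: the PE gate AND a byte-string marker, like a YARA
    'strings'/'condition' pair. 'marker' is a hypothetical indicator."""
    return is_win32_pe(data) and marker in data


def build_minimal_pe(payload: bytes = b"") -> bytes:
    """Constructed sample: a 0x80-byte DOS header with MZ magic and
    e_lfanew = 0x80, then 'PE\\0\\0', then payload. Not a loadable
    executable; just enough header to satisfy the gate."""
    dos = bytearray(0x80)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x80)
    return bytes(dos) + b"PE\x00\x00" + payload


# Constructed inputs: a PE-shaped blob, plain mail text that merely mentions
# "MZ" and the marker, and a file truncated before the PE signature.
SAMPLE_PE = build_minimal_pe(b"...MARKER...")
SAMPLE_TEXT = b"MZ is a string inside plain email text, MARKER included" + b" " * 100
SAMPLE_TRUNCATED = b"MZ" + bytes(0x3A) + b"\x80\x00\x00\x00"   # e_lfanew past EOF

if __name__ == "__main__":
    for name, blob in (("pe", SAMPLE_PE), ("text", SAMPLE_TEXT), ("truncated", SAMPLE_TRUNCATED)):
        print(name, "pe_gate:", is_win32_pe(blob), "rule:", rule_matches(blob, b"MARKER"))
```

To check the real rule with ClamAV rather than this model, point the scanner at the rule file with `clamscan --database=/path/to/expetr.yara` and scan a file you already know should match; a rule file the parser rejects will fail to load, which is the same failure Kris notes for clamd.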