[clamav-users] Malware/ransomware and Yara signatures with clamav
Mark Foley
mfoley at novatec-inc.com
Mon May 15 18:58:05 UTC 2017
On Sat May 13 13:25:07 2017 From: Alain Zidouemba <azidouemba at sourcefire.com> wrote:
>
> Yara rules have been supported by ClamAV since 2015:
> http://blog.clamav.net/2015/06/clamav-099b-meets-yara.html
>
> - Alain
I'm following these instructions now. The instruction say, "just place your
YARA rule files into the ClamAV virus database location." I've copied the
Homland Security yara script to a file, wannaCry.yar, in my /var/lib/clamav
directory.
Is that it? No clamscan switch or config setting? Is there any way to confirm
this rule is being used?
I also downloaded and looked at the yara repo on github. There are over 400
rules in the zipfile. To use some or all of them would I just unzip into my
database location?
The instructions also say, "Regular expressions in both YARA rules and ClamAV
logical signatures require the Perl Compatible Regular Expressions (PCRE)
library." Is there a way to see if my clamAV was built with this?
Thanks, Mark
>
> On Sat, May 13, 2017 at 1:16 PM, Alex <mysqlstudent at gmail.com> wrote:
>
> > Hi,
> >
> > So you've probably heard of the latest ransomware dubbed WannaCry. I'm
> > wondering if anyone has figured out a way to integrate the yara
> > signatures for these types of exploits with spamassassin?
> >
> > https://www.us-cert.gov/ncas/alerts/TA17-132A
> >
> > What is the status of development of integration of yara rules into clamav?
> >
> > [deleted]
> >
> > Thanks,
> > Alex
> _______________________________________________
> clamav-users mailing list
> clamav-users at lists.clamav.net
> http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
>
>
> Help us build a comprehensive ClamAV guide:
> https://github.com/vrtadmin/clamav-faq
>
> http://www.clamav.net/contact.html#ml
>
More information about the clamav-users
mailing list