[clamav-users] Malware/ransomware and Yara signatures with clamav

Eric Tykwinski eric-list at truenet.com
Mon May 15 19:05:47 UTC 2017


Here are links to sample files, i.e. use at your own risk:
https://gist.github.com/rain-1/989428fa5504f378b993ee6efbc0b168

Sincerely,

Eric Tykwinski
TrueNet, Inc.
P: 610-429-8300


-----Original Message-----
From: clamav-users [mailto:clamav-users-bounces at lists.clamav.net] On Behalf Of Mark Foley
Sent: Monday, May 15, 2017 2:58 PM
To: clamav-users at lists.clamav.net
Subject: Re: [clamav-users] Malware/ransomware and Yara signatures with clamav

On Sat May 13 13:25:07 2017 From: Alain Zidouemba
<azidouemba at sourcefire.com> wrote:
>
> Yara rules have been supported by ClamAV since 2015:
> http://blog.clamav.net/2015/06/clamav-099b-meets-yara.html
>
> - Alain

I'm following these instructions now.  The instructions say, "just place your
YARA rule files into the ClamAV virus database location." I've copied the
Homeland Security yara script to a file, wannaCry.yar, in my /var/lib/clamav
directory.

Is that it? No clamscan switch or config setting? Is there any way to
confirm this rule is being used?

I also downloaded and looked at the yara repo on github.  There are over 400
rules in the zipfile.  To use some or all of them would I just unzip into my
database location?

The instructions also say, "Regular expressions in both YARA rules and
ClamAV logical signatures require the Perl Compatible Regular Expressions
(PCRE) library." Is there a way to see if my ClamAV was built with this?

Thanks, Mark

>
> On Sat, May 13, 2017 at 1:16 PM, Alex <mysqlstudent at gmail.com> wrote:
>
> > Hi,
> >
> > So you've probably heard of the latest ransomware dubbed WannaCry. 
> > I'm wondering if anyone has figured out a way to integrate the yara 
> > signatures for these types of exploits with spamassassin?
> >
> > https://www.us-cert.gov/ncas/alerts/TA17-132A
> >
> > What is the status of development of integration of yara rules into clamav?
> >
> > [deleted]
> >
> > Thanks,
> > Alex
> _______________________________________________
> clamav-users mailing list
> clamav-users at lists.clamav.net
> http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
>
>
> Help us build a comprehensive ClamAV guide:
> https://github.com/vrtadmin/clamav-faq
>
> http://www.clamav.net/contact.html#ml
>