[clamav-users] Limitation or bug in ClamAV's processing of Yara rules?
Kris Deugau
kdeugau at vianet.ca
Wed Mar 14 20:47:01 UTC 2018
I'm still chasing signatures for a certain class of (very) oversized
spam with malformed HTML. I've found an issue that is either an
implementation limit or a bug in ClamAV's handling of Yara rules.
I've narrowed it down to an issue with the "#" condition variant.
For a rule like so:
rule badstyle {
    strings:
        $a = /[~!@#$%^&*\(\)_+`\[\]\{\}\|<>\/\?]{10}/
    condition:
        #a > 1
}
and a message like https://pastebin.com/Hs3jcj9i, ClamAV *should* flag
the message. (Note, this isn't what I'd use as a live signature!)
If I change the condition to "$a" instead, it flags the message, so the
expression for $a is valid and correct.
Since this particular series of spams will require "#a > 100" (or higher
counts) for safety, and none of the other signature types lend
themselves very well to this particular type of pattern matching, I'm
unable to use just a few signatures as above. Instead I've been using a
crude workaround of setting up close-on-hundreds of very similar
logical signatures, or an extended list of 3-6 hex-coded character
sequences in a single logical signature.
-kgd
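The following is an added example, not code from the post above and not ClamAV's or YARA's own implementation. It reproduces, in Python's `re` module, what the `#a` count condition in the posted rule is asking for: the number of places in a message where a run of ten characters from the `$a` class occurs, compared against a threshold. It reports both non-overlapping and overlapping counts because the two can differ by an order of magnitude on a long punctuation run, and the post does not establish which semantics the scanner applies, so a threshold such as `#a > 100` should be calibrated against the counting rule actually in use. The sample message is constructed here and is not the pastebin message from the post.

```python
import re

# The $a pattern from the posted rule, transcribed into a Python regex.
# Note that '<' and '>' are part of the class, so HTML tag delimiters
# count toward a run when they sit directly beside other listed characters.
PUNCT_RUN = re.compile(r'[~!@#$%^&*\(\)_+`\[\]\{\}\|<>\/\?]{10}')

# Constructed sample (not the pastebin message): one exact 10-character run
# and one 20-character run, each separated from tag delimiters by letters
# or spaces so the run boundaries are unambiguous.
SAMPLE = (
    "<html><body>\n"
    "<p>Lorem ipsum " + "!@#$%^&*()" + " dolor sit</p>\n"
    "<p>amet " + "[]{}|<>/?~" * 2 + " consectetur</p>\n"
    "<p>clean paragraph with no punctuation runs.</p>\n"
    "</body></html>\n"
)


def count_nonoverlapping(data: str) -> int:
    """Count matches the way re.findall does: the scan resumes after each
    match, so a 20-character run yields 2 matches."""
    return len(PUNCT_RUN.findall(data))


def count_overlapping(data: str) -> int:
    """Count every offset at which a 10-character run begins, so a
    20-character run yields 11 matches (offsets 0 through 10)."""
    return sum(1 for i in range(len(data)) if PUNCT_RUN.match(data, i))


def badstyle(data: str, threshold: int = 1, overlapping: bool = False) -> bool:
    """Evaluate the rule's condition '#a > threshold' under the chosen
    counting semantics. threshold=1 mirrors the posted rule."""
    count = count_overlapping(data) if overlapping else count_nonoverlapping(data)
    return count > threshold


if __name__ == "__main__":
    print("non-overlapping:", count_nonoverlapping(SAMPLE))
    print("overlapping:    ", count_overlapping(SAMPLE))
    print("#a > 1  ->", badstyle(SAMPLE, 1))
    print("#a > 100 ->", badstyle(SAMPLE, 100))
```

Running it on the constructed sample gives 3 non-overlapping matches but 12 overlapping ones; on a real oversized spam whose malformed HTML contains long unbroken runs, the gap between the two counts grows with run length, which is why the same numeric threshold can be safe under one counting rule and far too loose under the other.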