[clamav-users] YARA rule - Filesize

Andrew Williams awillia2 at sourcefire.com
Thu May 23 14:19:19 UTC 2019


Nibin,

For text files, ClamAV will do normalization (which, among other things,
will condense whitespace) and scan against that file as well, so maybe the
PHP script after normalization is < 1024 bytes?  To confirm, try running
clamscan with '--debug --leave-temps' and then look for messages like
'saving normalized file to' to get the path of the normalized file(s).
What is the size of that/those file(s)?

-Andrew

On Fri, May 17, 2019 at 1:12 PM Nibin V M via clamav-users <
clamav-users at lists.clamav.net> wrote:

> Hello All,
>
> I am not sure whether it's a basic question...but I am struggling with
> this issue for a few days. I have created a rule with the following
> condition.
>
> =======
>     condition:
>     is_php and filesize < 1024 and $str1 and ($str2 or $str3 or $str4)
> ========
>
> Ideally, I want to scan the files only under 1KB. But it is triggering for
> files which are bigger than 1KB. For example:
>
> ========
> [root at server1 ~]# stat -c '%n %s' /home/gal2.php
> /home/gal2.php 3693
> [root at server1 ~]# clamscan -d me.yara /home/gal2.php
> /home/gal2.php: YARA.My_Test_Rule.UNOFFICIAL FOUND
> ===========
>
> So as you can see the file is 3K+ in size but still triggering the rule.
> If I reduce the filesize to 600 it will work fine. What can be the cause?
> But when I try using direct YARA command this issue is not happening.
>
> Any help will be appreciated...thanks in advance.
>
> --
> Regards....
>
> Nibin.
>
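The mechanism Andrew describes, shown as an added Python example (this is not code from the thread, from ClamAV, or from the YARA project): a PHP source file whose on-disk size is well above the rule's `filesize < 1024` bound shrinks below it once whitespace runs are collapsed, so a rule evaluated against the normalized copy matches while plain `yara` on the original file does not. The normalizer here is an assumption that only reproduces the whitespace condensing (plus ASCII lowercasing) mentioned in the reply, not ClamAV's full text normalization; the sample PHP file and the debug-log lines are constructed for the example, with the `saving normalized file to` phrase taken from the thread and the path being a placeholder.

```python
import re

# Constructed sample: a tiny PHP script padded with deep indentation, trailing
# spaces and blank lines, so it is several KB on disk but holds little text.
SAMPLE_PHP = (
    "<?php\n"
    + "\n\n\n".join(
        " " * 64 + f"$var{i} = 'value';" + " " * 120 for i in range(20)
    )
    + "\n?>\n"
).encode()

# The bound used by the 'filesize < 1024' clause of the rule in the thread.
RULE_FILESIZE_LIMIT = 1024


def normalize_text(data: bytes) -> bytes:
    """Assumption: approximate ClamAV's text normalization by collapsing every
    run of whitespace into one space and lowercasing ASCII. The real normalizer
    does more than this; the point is only to show how the size changes."""
    collapsed = re.sub(rb"\s+", b" ", data)
    return collapsed.lower()


def filesize_condition(size: int, limit: int = RULE_FILESIZE_LIMIT) -> bool:
    """The 'filesize < limit' part of the YARA condition, evaluated on a size."""
    return size < limit


def explain_match(data: bytes) -> dict:
    """Evaluate the filesize clause against both the raw bytes and the
    normalized copy, so the two outcomes can be compared side by side."""
    raw_size = len(data)
    norm_size = len(normalize_text(data))
    return {
        "raw_size": raw_size,
        "normalized_size": norm_size,
        "matches_on_raw": filesize_condition(raw_size),
        "matches_on_normalized": filesize_condition(norm_size),
    }


# Constructed debug output in the shape suggested by the reply; the temp path
# is a placeholder, not a real ClamAV location.
SAMPLE_DEBUG_LOG = """LibClamAV debug: Recognized ASCII text file
LibClamAV debug: saving normalized file to /tmp/clamav-PLACEHOLDER/normalized-0
LibClamAV debug: Descriptor[3]: Continuing after scan
"""


def normalized_file_paths(debug_output: str) -> list:
    """Pull the normalized-file paths out of 'clamscan --debug --leave-temps'
    output, which is the check Andrew suggests for confirming the cause."""
    return re.findall(r"saving normalized file to (\S+)", debug_output)


if __name__ == "__main__":
    result = explain_match(SAMPLE_PHP)
    for key, value in result.items():
        print(f"{key}: {value}")
    for path in normalized_file_paths(SAMPLE_DEBUG_LOG):
        print(f"normalized copy to inspect with 'stat -c %s': {path}")
```

With the constructed sample the raw file is 4077 bytes and fails `filesize < 1024`, while the normalized copy is 359 bytes and passes, which is the same pattern as the 3693-byte `gal2.php` in the thread. A rule that must only fire on small files regardless of normalization needs a condition that cannot be satisfied by the condensed copy alone, for example by also anchoring on content the normalizer leaves intact.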