[clamav-users] Clamav error using YARA

Philippe Lefèvre ph.l at libertysurf.fr
Mon Nov 11 20:07:04 UTC 2019


Hi all,
thanks for your post, Ged.

I have maldet 1.6.4 installed under /usr/local:
#maldet -version
=======================
Linux Malware Detect v1.6.4
             (C) 2002-2019, R-fx Networks <proj at rfxn.com>
             (C) 2019, Ryan MacDonald <ryan at rfxn.com>
This program may be freely redistributed under the terms of the GNU GPL v2
=======================

but when I do
# grep -n is__elf /usr/local/maldetect/sigs/rfxn.yara
I get
=======================
9112:        is__elf and all of ($s*)
=======================

same when I do
# grep -n is__elf /var/lib/clamav/rfxn.yara
=======================
9112:        is__elf and all of ($s*)
=======================

I just downloaded maldet 1.6.4 and had a look into my downloads dir; I can see
# grep -n is__elf ~/telechargements/maldetect-1.6.4/files/sigs/rfxn.yara
=======================
9068:private rule is__elf
9105:        is__elf and all of ($s*)
=======================

So it seems that neither ClamAV nor Maldet installed on my Debian box has the right rfxn.* files.

I'm not familiar with these programs, but I would like to understand whether ClamAV is delivered with an instance of the rfxn files, or whether those files are installed with Maldet (part of the Maldet package?), or something else.
Maybe something is/was broken somewhere; would it save me time to reinstall maldet or clamav, or both, or to copy the rfxn.* files?

Please advise.

Thanks



On 11/11/2019 at 14:41, G.W. Haywood via clamav-users wrote:
> Hi there,
>
> On Mon, 11 Nov 2019, Philippe Lefèvre wrote:
>
>> # grep -n is__elf /var/lib/clamav/rfxn.yara
>> 9112:        is__elf and all of ($s*)
>
> Maybe this will help:
>
> https://www.rfxn.com/downloads/maldetect-current.tar.gz
>
> 8<----------------------------------------------------------------------
> laptop3:~$ >>> grep -n is__elf ~/Downloads/maldetect-1.6.4/files/sigs/rfxn.yara
> 9068:private rule is__elf
> 9105:        is__elf and all of ($s*)
> laptop3:~$ >>> 
> 8<----------------------------------------------------------------------
>
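An added example, not from this thread and not from the maldet or ClamAV projects, that automates the check the two grep commands above do by hand: a small Python script listing every identifier used in a YARA `condition:` block that the same file never defines as a rule. The rule text embedded in it is constructed to mirror the thread (the reference to is__elf survives, the `private rule is__elf` definition does not); the keyword set is a subset of YARA's and the parsing is deliberately simple, so treat its report as a reason to inspect the file, not as a substitute for compiling it.

```python
"""Report identifiers referenced in YARA condition blocks but never defined as rules.

Added example (not code from the clamav-users thread, from maldet or from ClamAV).
YARA handling is deliberately minimal: comments and text string literals are
stripped, then each ``condition:`` section is scanned for bare identifiers.
"""
import re
import sys
from typing import Dict, List, Set

# Tokens that legitimately appear bare in a condition and are not rule names
# (a subset of YARA's keywords, enough for rfxn-style rules).
YARA_KEYWORDS: Set[str] = {
    "all", "and", "any", "at", "contains", "entrypoint", "false", "filesize",
    "for", "in", "int8", "int16", "int32", "int8be", "int16be", "int32be",
    "matches", "none", "not", "of", "or", "them", "true", "uint8", "uint16",
    "uint32", "uint8be", "uint16be", "uint32be", "KB", "MB", "defined",
    "icontains", "startswith", "istartswith", "endswith", "iendswith",
}

RULE_DEF_RE = re.compile(r"^\s*(?:(?:private|global)\s+)*rule\s+([A-Za-z_]\w*)", re.M)
IMPORT_RE = re.compile(r'^\s*import\s+"(\w+)"', re.M)
# Bare identifier: not part of a $/#/@/! string reference, not inside a number
# or another word, and not a module attribute such as pe.number_of_sections.
IDENT_RE = re.compile(r"(?<![$#@!\w.])([A-Za-z_]\w*)")
LOOP_VAR_RE = re.compile(r"\bfor\s+(?:any|all|\d+)\s+([A-Za-z_]\w*)\s+in\b")


def _strip_comments_and_strings(text: str) -> str:
    text = re.sub(r"/\*.*?\*/", " ", text, flags=re.S)   # block comments
    text = re.sub(r"//[^\n]*", " ", text)                # line comments
    return re.sub(r'"(?:\\.|[^"\\])*"', '""', text)      # text string literals


def undefined_rule_references(yara_text: str) -> Dict[str, List[str]]:
    """Map each undefined identifier to the sorted list of rules whose condition uses it."""
    modules = set(IMPORT_RE.findall(yara_text))          # read before strings are stripped
    text = _strip_comments_and_strings(yara_text)
    headers = list(RULE_DEF_RE.finditer(text))
    defined = {m.group(1) for m in headers}
    missing: Dict[str, Set[str]] = {}
    for i, m in enumerate(headers):
        end = headers[i + 1].start() if i + 1 < len(headers) else len(text)
        body = text[m.end():end]
        idx = body.find("condition:")
        if idx < 0:
            continue                                      # malformed rule; nothing to scan
        cond = body[idx + len("condition:"):]
        loop_vars = set(LOOP_VAR_RE.findall(cond))        # "for any i in (...)" variables
        for ident in IDENT_RE.findall(cond):
            if (ident in YARA_KEYWORDS or ident in defined
                    or ident in modules or ident in loop_vars):
                continue
            missing.setdefault(ident, set()).add(m.group(1))
    return {k: sorted(v) for k, v in sorted(missing.items())}


# Constructed sample mimicking the thread: the reference to is__elf survives,
# the "private rule is__elf" definition does not.
SAMPLE_RULES = r'''
/* constructed sample, not the real rfxn.yara */
import "pe"

private rule is__pe
{
    condition:
        uint16(0) == 0x5A4D
}

rule elf_dropper_example
{
    meta:
        description = "constructed rule; the is__elf it relies on is missing"
    strings:
        $s1 = "/tmp/.x" ascii
        $s2 = { 7F 45 4C 46 }
    condition:
        is__elf and all of ($s*)
}

rule pe_sections_example
{
    condition:
        is__pe and pe.number_of_sections > 0 and
        for any i in (1..3) : ( i > 0 )
}
'''


def check_file(path: str) -> Dict[str, List[str]]:
    """Run the check on a signature file on disk, e.g. an installed rfxn.yara."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return undefined_rule_references(fh.read())


if __name__ == "__main__":
    if len(sys.argv) > 1:
        result = check_file(sys.argv[1])
    else:
        result = undefined_rule_references(SAMPLE_RULES)
    for ident, rules in result.items():
        print(f"undefined rule {ident!r} referenced by: {', '.join(rules)}")
```

Run it with a path (for example the installed /var/lib/clamav/rfxn.yara) to check a signature file; with no argument it checks the built-in sample and reports is__elf as referenced by elf_dropper_example. An identifier that is referenced but never defined is a compile error in YARA, so this is worth running on the installed copy before comparing it with the freshly downloaded tarball.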
