[clamav-users] Minor bug or working as intended?
G.W. Haywood
clamav at jubileegroup.co.uk
Thu Feb 24 23:52:20 UTC 2022
Hi there,

On Thu, 24 Feb 2022, Kris Deugau wrote:

> After chasing docs back and forth and trying small variations, I think I've
> found what's arguably a bug in Clam's YARA implementation.
> ...

You too, huh?

In my experience ClamAV's Yara implementation is absolutely riddled.
It's so bad (and *years* out of date) that I don't think it would be
worth the effort of trying to fix it. I'd say start again from
scratch.

I've eventually settled on a way of living with it which is basically
"don't try anything fancy". If you're not careful it crashes clamd.
Most of the time it seems to manage simple regexes reasonably well,
but one example of fancy things not to try would be leaving out the
case-insensitive match modifier 'nocase'.

Having said that, when you get it settled it does do good work. Here,
with a few hundred well-chosen strings in a couple of dozen rules, it
catches far more spam than anything else. We don't see much malware
in our mail, so I haven't spent much time on non-text matching and
can't offer much insight into how well it might do there.

--
73,
Ged.