[clamav-users] Minor bug or working as intended?
Joel Esler
joel.esler at me.com
Fri Feb 25 11:59:09 UTC 2022
Pretty sure you can write what you’re trying to look for with an ldb signature anyway.
> On Feb 24, 2022, at 18:53, G.W. Haywood via clamav-users <clamav-users at lists.clamav.net> wrote:
>
> Hi there,
>
>> On Thu, 24 Feb 2022, Kris Deugau wrote:
>>
>> After chasing docs back and forth and trying small variations, I think I've found what's arguably a bug in Clam's YARA implementation.
>> ...
>
> You too, huh?
>
> In my experience ClamAV's YARA implementation is absolutely riddled.
> It's so bad (and *years* out of date) that I don't think it would be
> worth the effort of trying to fix it. I'd say start again from
> scratch.
>
> I've eventually settled on a way of living with it which is basically
> "don't try anything fancy". If you're not careful it crashes clamd.
> Most of the time it seems to manage simple regexes reasonably well,
> but one example of fancy things not to try would be leaving out the
> case-insensitive match modifier 'nocase'.
>
> Having said that, when you get it settled it does do good work. Here,
> with a few hundred well-chosen strings in a couple of dozen rules, it
> catches far more spam than anything else. We don't see much malware
> in our mail, so I haven't spent much time on non-text matching and
> can't offer much insight into how well it might do there.
>
> --
>
> 73,
> Ged.