[clamav-users] Minor bug or working as intended?
G.W. Haywood
clamav at jubileegroup.co.uk
Fri Feb 25 12:52:34 UTC 2022
Hi there,
On Fri, 25 Feb 2022, Joel Esler via clamav-users wrote:
> Pretty sure you can write what you’re trying to look for with an ldb
> signature anyway.
One can write an LDB signature which might look like this:
8<----------------------------------------------------------------------
clamav-fullword-B;Engine:81-255,Target:0;0&1;414141;68656c6c6f::fi
8<----------------------------------------------------------------------
or the same with Yara in something which looks a bit like this:
8<----------------------------------------------------------------------
rule AAA_and_hello
{
    strings:
        $A = "AAA"
        $B = "hello"
    condition:
        all of them
}
8<----------------------------------------------------------------------
Efficiency/reliability aside, I know what I prefer for readability,
ease of maintenance and modification, combination with other rules
(e.g. for whitelisting), ...
--
73,
Ged.
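
Added example, not part of the original message or of ClamAV: a small Python parser for the simple LDB form shown above (plain hex subsignatures with an optional `::` modifier suffix) that decodes the fields and renders them as YARA text. The names parse_ldb and to_yara are hypothetical; the target block (Engine, Target) is parsed but not carried into the YARA rendering, and offsets, wildcards and PCRE subsignatures are rejected rather than handled.

```python
import re

# LDB subsignature modifier letters and the YARA string modifiers of the same name.
MODIFIERS = {"i": "nocase", "w": "wide", "f": "fullword", "a": "ascii"}

def parse_ldb(line):
    """Split a simple LDB signature into name, target block, expression, subsigs.

    Scope of this example: each subsignature is a plain hex string with an
    optional ::modifiers suffix. Offsets, wildcards and PCRE are rejected.
    """
    name, tdb, expr, *raw_subsigs = line.strip().split(";")
    target = dict(item.split(":", 1) for item in tdb.split(","))
    subsigs = []
    for raw in raw_subsigs:
        body, _, mods = raw.partition("::")
        if not re.fullmatch(r"(?:[0-9a-fA-F]{2})+", body):
            raise ValueError(f"unsupported subsignature: {raw!r}")
        if set(mods) - set(MODIFIERS):
            raise ValueError(f"unknown modifier in {raw!r}")
        subsigs.append({"text": bytes.fromhex(body).decode("latin-1"),
                        "modifiers": [MODIFIERS[m] for m in mods]})
    return {"name": name, "target": target, "expr": expr, "subsigs": subsigs}

def to_yara(sig):
    """Render a parsed signature as YARA text (expressions using & and | only)."""
    if not re.fullmatch(r"[0-9&|()]+", sig["expr"]):
        raise ValueError("only &, | and parentheses are handled here")
    out = ["rule " + re.sub(r"\W", "_", sig["name"]), "{", "    strings:"]
    for i, sub in enumerate(sig["subsigs"]):
        text = sub["text"]
        if not (text.isascii() and text.isprintable()) or set('"\\') & set(text):
            raise ValueError(f"subsignature {i} is not a plain printable string")
        out.append(" ".join([f'        $s{i} = "{text}"', *sub["modifiers"]]))
    cond = re.sub(r"\d+", lambda m: "$s" + m.group(), sig["expr"])
    out += ["    condition:", "        " + cond.replace("&", " and ").replace("|", " or "), "}"]
    return "\n".join(out)

# The LDB signature from the message above.
LDB = "clamav-fullword-B;Engine:81-255,Target:0;0&1;414141;68656c6c6f::fi"

if __name__ == "__main__":
    print(to_yara(parse_ldb(LDB)))
```

For the signature in the message, the `::fi` suffix on the second subsignature is rendered as `fullword nocase` on `$s1`, and `0&1` becomes `$s0 and $s1`.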