[clamav-users] Minor bug or working as intended?
Maarten Broekman
maarten.broekman at gmail.com
Fri Feb 25 16:01:09 UTC 2022
There's not a lot that you can do in Yara rules that you can't do in LDB
sigs... for what it's worth, here's a logical sig that detects the same
thing as the Yara rules...
mbroekman at lothlorien:~$ grep MJB.JS.SendEmail clamdb/javascript_sigs.ldb | sigtool --decode-sigs
VIRUS NAME: MJB.JS.SendEmailFunc-0
TDB: Engine:90-255,Target:0
LOGICAL EXPRESSION: 0>3
* SUBSIG ID 0
+-> OFFSET: ANY
+-> SIGMOD: NOCASE
+-> DECODED SUBSIGNATURE:
<script{WILDCARD_ANY_STRING(LENGTH<=1)}type="text/javascript">{WILDCARD_ANY_STRING(LENGTH<=1)}function{WILDCARD_ANY_STRING(LENGTH<=1)}sendemail{WILDCARD_ANY_STRING(LENGTH<=1)}(){
mbroekman at lothlorien:~$ grep MJB.JS.SendEmail clamdb/javascript_sigs.ldb
MJB.JS.SendEmailFunc-0;Engine:90-255,Target:0;0>3;3c736372697074{-1}747970653d22746578742f6a617661736372697074223e{-1}66756e6374696f6e{-1}73656e64656d61696c{-1}28297b::i
mbroekman at lothlorien:~$ cat testfile
<script type="text/javascript">functionsendemail (){ }</script>
<script type="text/javascript">functionsendemail(){ }</script>
<script type="text/javascript">functionsendemail (){ }</script>
<script type="text/javascript">functionsendemail(){ }</script>
mbroekman at lothlorien:~$ clamscan --quiet testfile
mbroekman at lothlorien:~$ echo $?
1
mbroekman at lothlorien:~$ clamscan testfile
Loading: 10s, ETA: 0s [========================>] 8.61M/8.61M sigs
Compiling: 2s, ETA: 0s [========================>] 41/41 tasks
/Users/mbroekman/testfile: MJB.JS.SendEmailFunc-0.UNOFFICIAL FOUND
----------- SCAN SUMMARY -----------
Known viruses: 8606446
Engine version: 0.104.2
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 0.00 MB
Data read: 0.00 MB (ratio 0.00:1)
Time: 12.433 sec (0 m 12 s)
Start Date: 2022:02:25 10:54:32
End Date: 2022:02:25 10:54:45
On Fri, Feb 25, 2022 at 7:00 AM Joel Esler via clamav-users <clamav-users at lists.clamav.net> wrote:
> Pretty sure you can write what you’re trying to look for with an ldb
> signature anyway.
>
> —
> Sent from my iPhone
>
> > On Feb 24, 2022, at 18:53, G.W. Haywood via clamav-users <clamav-users at lists.clamav.net> wrote:
> >
> > Hi there,
> >
> >> On Thu, 24 Feb 2022, Kris Deugau wrote:
> >>
> >> After chasing docs back and forth and trying small variations, I think I've found what's arguably a bug in Clam's YARA implementation.
> >> ...
> >
> > You too, huh?
> >
> > In my experience ClamAV's Yara implementation is absolutely riddled.
> > It's so bad (and *years* out of date) that I don't think it would be
> > worth the effort of trying to fix it. I'd say start again from
> > scratch.
> >
> > I've eventually settled on a way of living with it which is basically
> > "don't try anything fancy". If you're not careful it crashes clamd.
> > Most of the time it seems to manage simple regexes reasonably well,
> > but one example of fancy things not to try would be leaving out the
> > case-insensitive match modifier 'nocase'.
> >
> > Having said that when you get it settled it does do good work. Here,
> > with a few hundred well-chosen strings in a couple of dozen rules, it
> > catches far more spam than anything else. We don't see much malware
> > in our mail, so I haven't spent much time on non-text matching and
> > can't offer much insight into how well it might do there.
> >
> > --
> >
> > 73,
> > Ged.
> >
> > _______________________________________________
> >
> > clamav-users mailing list
> > clamav-users at lists.clamav.net
> > https://lists.clamav.net/mailman/listinfo/clamav-users
> >
> >
> > Help us build a comprehensive ClamAV guide:
> > https://github.com/vrtadmin/clamav-faq
> >
> > http://www.clamav.net/contact.html#ml
>
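To make the logical signature above concrete, here is an added example (not code from the thread or from the ClamAV project) that re-implements, in Python, the subset of the LDB format the signature uses: `Name;TDB;LogicalExpression;Subsig...`, hex-encoded subsignature bytes, `{n-m}`-style byte gaps such as `{-1}` (which sigtool decodes as `WILDCARD_ANY_STRING(LENGTH<=1)`), the `*` and `??` wildcards, and the `::i` (nocase) modifier. The logical-expression evaluator only handles atoms like `0>3` joined by `&` and `|`; parentheses, group counts and the precedence of `&` over `|` are assumptions of this toy, not statements about the real engine, and match counting uses non-overlapping regex matches, so it can differ from clamscan on overlapping data. It runs the signature over the testfile from the post, which is why the count comes out as 4 and `0>3` fires; with only three of the four lines it stays clean.

```python
import re

# Constructed sample input: the LDB line and four-line testfile from the thread above.
LDB_LINE = (
    "MJB.JS.SendEmailFunc-0;Engine:90-255,Target:0;0>3;"
    "3c736372697074{-1}747970653d22746578742f6a617661736372697074223e"
    "{-1}66756e6374696f6e{-1}73656e64656d61696c{-1}28297b::i"
)
TESTFILE = (
    b'<script type="text/javascript">functionsendemail (){ }</script>\n'
    b'<script type="text/javascript">functionsendemail(){ }</script>\n'
    b'<script type="text/javascript">functionsendemail (){ }</script>\n'
    b'<script type="text/javascript">functionsendemail(){ }</script>\n'
)

# Subsig tokens handled here: {n-m} / {-m} / {n-} byte gaps, '*', '??' and hex byte pairs.
TOKEN = re.compile(r"\{(\d*)-(\d*)\}|\*|\?\?|[0-9a-fA-F]{2}")
# Logical-expression atoms handled here: 'N', 'N>M', 'N<M', 'N=M'.
ATOM = re.compile(r"^(\d+)(?:([<>=])(\d+))?$")


def parse_ldb(line):
    """Split 'Name;TDB;LogicalExpression;Subsig0;...' into its fields."""
    name, tdb, expr, *subsigs = line.strip().split(";")
    if not subsigs:
        raise ValueError("LDB line needs at least one subsignature")
    return {"name": name, "tdb": tdb, "expr": expr, "subsigs": subsigs}


def compile_subsig(subsig):
    """Compile one hex subsig into a bytes regex plus a sigtool-style readable decode.
    Only the '::i' (nocase) modifier affects matching here; other modifiers are returned as-is."""
    body, _, mods = subsig.partition("::")
    pattern, decoded, pos = [], [], 0
    for m in TOKEN.finditer(body):
        if m.start() != pos:
            raise ValueError(f"unparsable subsignature near {body[pos:]!r}")
        pos, tok = m.end(), m.group(0)
        if tok == "*":
            pattern.append(b".*?")
            decoded.append("{WILDCARD_ANY_STRING}")
        elif tok == "??":
            pattern.append(b".")
            decoded.append("??")
        elif m.group(1) is not None:  # {n-m}, {-m} or {n-}: a bounded run of arbitrary bytes
            lo, hi = m.group(1), m.group(2)
            pattern.append(b".{%s,%s}" % ((lo or "0").encode(), hi.encode()))
            bounds = "&&".join(filter(None, [lo and f"LENGTH>={lo}", hi and f"LENGTH<={hi}"]))
            decoded.append(f"{{WILDCARD_ANY_STRING({bounds})}}")
        else:  # literal byte
            byte = bytes.fromhex(tok)
            pattern.append(re.escape(byte))
            decoded.append(chr(byte[0]) if 0x20 <= byte[0] < 0x7F else "\\x" + tok)
    if pos != len(body):
        raise ValueError(f"trailing garbage in subsignature: {body[pos:]!r}")
    flags = re.DOTALL | (re.IGNORECASE if "i" in mods else 0)
    return re.compile(b"".join(pattern), flags), "".join(decoded), mods


def eval_expr(expr, counts):
    """Evaluate a logical expression over per-subsig match counts.
    Toy subset: atoms joined by '&' and '|', with '&' binding tighter (an assumption here);
    parentheses and count comparisons on groups are rejected rather than guessed."""
    def atom(text):
        m = ATOM.match(text)
        if not m:
            raise ValueError(f"unsupported term {text!r} in {expr!r}")
        count = counts.get(int(m.group(1)), 0)
        if m.group(2) is None:
            return count > 0  # bare subsig id: matched at least once
        n = int(m.group(3))
        return {"<": count < n, ">": count > n, "=": count == n}[m.group(2)]
    clauses = [all([atom(a) for a in clause.split("&")]) for clause in expr.split("|")]
    return any(clauses)


def scan(ldb_line, data):
    """Count non-overlapping matches of every subsig in data, then evaluate the logical expression."""
    sig = parse_ldb(ldb_line)
    counts, decoded = {}, []
    for idx, sub in enumerate(sig["subsigs"]):
        regex, text, _mods = compile_subsig(sub)
        counts[idx] = len(regex.findall(data))
        decoded.append(text)
    return {"name": sig["name"], "expr": sig["expr"], "counts": counts,
            "decoded": decoded, "match": eval_expr(sig["expr"], counts)}


if __name__ == "__main__":
    result = scan(LDB_LINE, TESTFILE)
    for i, text in enumerate(result["decoded"]):
        print(f"SUBSIG {i}: {text}")
    verdict = "FOUND" if result["match"] else "clean"
    print(f"{result['name']}: {result['expr']} with counts {result['counts']} -> {verdict}")
```

Running it prints the same decoded subsignature that `sigtool --decode-sigs` shows above and reports the file as found because the single subsig matched four times. Removing `::i` from the line makes the upper-case variant of the test data stop matching, which is the effect of the nocase modifier; for real signatures, `sigtool --decode-sigs` and `clamscan` remain the authority.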