[clamav-users] Minor bug or working as intended?

Laurent S. 110ef9e3086d8405c2929e34be5b4340 at protonmail.ch
Fri Feb 25 16:11:19 UTC 2022


Dear Kris,

I've had the same issue. In the last two years, I was regularly writing YARA sigs in ClamAV and finding that it behaves in strange ways... Especially the regex integration.

I specifically remember that counting regex wasn't possible and that I had to write those sigs either in strings or HEX.

After too many timeouts and strange stuff, I decided to rewrite all of the sigs I had written to LDB. It's not easy to read, less fun to write... but damn it's much more reliable and fast.

Here's what your sig could look like:

KGD.LDB.JS.SENDEMAIL;Engine:81-255,Target:3;0>3;3c73637269707420747970653d22746578742f6a617661736372697074223e66756e6374696f6e73656e64656d61696c{0-1}28297b

I took the liberty of defining Target:3 (HTML). You might need to change that. Adding more criteria might be good too.

Best,
Laurent

PS: This YARA might technically work, but might cost you lots of CPU:
$a3 = /(<script type="text\/javascript">functionsendemail.?\(\)\{.*){3}/
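The .ldb line above packs four semicolon-separated fields: the signature name, a target description block (Engine:81-255,Target:3), a logical expression (0>3) and one hex subsignature with a {0-1} gap wildcard. The following Python script is an added example and not ClamAV code or anything from the poster: it parses exactly that subset of the logical-signature grammar, renders the hex back into readable text, and counts subsignature hits in a constructed HTML buffer. ClamAV's documented syntax reads SubSigID>X as "subsignature matched more than X times", so 0>3 is treated as four or more hits. Two simplifications are assumed: ClamAV scans its normalized forms of HTML for Target:3 signatures while this scans raw bytes, and match counting here is non-overlapping via re.findall.

```python
"""Minimal evaluator for the subset of the ClamAV .ldb grammar used above.
Added example, not ClamAV code. Supports hex bytes, '??' byte wildcards,
'{n-m}' gaps and a logical expression of the form 'N op X' (op in =,<,>)."""
import re

# The signature exactly as posted on the list.
SIGNATURE = ("KGD.LDB.JS.SENDEMAIL;Engine:81-255,Target:3;0>3;"
             "3c73637269707420747970653d22746578742f6a617661736372697074223e"
             "66756e6374696f6e73656e64656d61696c{0-1}28297b")

LOGIC_RE = re.compile(r'^(\d+)([=<>])(\d+)$')
TOKEN_RE = re.compile(r'(\{[^}]*\}|\?\?)')


def parse_ldb(line: str):
    """Split 'name;tdb;logic;subsig0;subsig1;...' into its parts.
    The target description block becomes a dict, e.g. {'Target': '3'}."""
    name, tdb, logic, *subsigs = line.strip().split(';')
    target = dict(kv.split(':', 1) for kv in tdb.split(','))
    return name, target, logic, subsigs


def render_subsig(subsig: str) -> str:
    """Decode the hex pairs to text, leaving wildcards ({n-m}, ??) as-is,
    so a reviewer can read what the signature actually looks for."""
    parts = TOKEN_RE.split(subsig)
    return ''.join(p if p.startswith('{') or p == '??'
                   else bytes.fromhex(p).decode('latin-1') for p in parts)


def hex_subsig_to_regex(subsig: str) -> bytes:
    """Translate a hex subsignature into a bytes regex: literal bytes are
    escaped, '??' becomes '.', '{n-m}' becomes '.{n,m}' ('{n}' -> '.{n}')."""
    out, i = [], 0
    while i < len(subsig):
        if subsig[i] == '{':
            j = subsig.index('}', i)
            body = subsig[i + 1:j]
            if '-' in body:
                lo, hi = body.split('-', 1)      # '{-m}' means 0..m, '{n-}' means n..inf
                out.append(f'.{{{lo or "0"},{hi}}}'.encode())
            else:
                out.append(f'.{{{body}}}'.encode())
            i = j + 1
        elif subsig[i:i + 2] == '??':
            out.append(b'.')
            i += 2
        else:
            out.append(re.escape(bytes.fromhex(subsig[i:i + 2])))
            i += 2
    return b''.join(out)


def matches(line: str, data: bytes):
    """Return (verdict, per-subsignature hit counts) for one .ldb line.
    Only single-comparison logical expressions such as '0>3' are handled."""
    _, _, logic, subsigs = parse_ldb(line)
    # DOTALL so gap wildcards can span newlines, as ClamAV's do.
    counts = [len(re.findall(hex_subsig_to_regex(s), data, flags=re.DOTALL))
              for s in subsigs]
    m = LOGIC_RE.match(logic)
    if not m:
        raise ValueError(f'unsupported logical expression: {logic}')
    idx, op, n = int(m.group(1)), m.group(2), int(m.group(3))
    c = counts[idx]
    verdict = {'=': c == n, '<': c < n, '>': c > n}[op]
    return verdict, counts


# Constructed sample pages (not real malware): two copies use "sendemail(){"
# and two use "sendemail (){", exercising the {0-1} gap in the signature.
_SNIPPET_TIGHT = b'<script type="text/javascript">functionsendemail(){ }</script>\n'
_SNIPPET_SPACED = b'<script type="text/javascript">functionsendemail (){ }</script>\n'
SAMPLE_HIT = (b'<html><body>\n' + _SNIPPET_TIGHT * 2 + _SNIPPET_SPACED * 2
              + b'</body></html>\n')                      # 4 hits -> 0>3 true
SAMPLE_MISS = (b'<html><body>\n' + _SNIPPET_TIGHT * 3
               + b'</body></html>\n')                     # 3 hits -> 0>3 false

if __name__ == '__main__':
    name, target, logic, subsigs = parse_ldb(SIGNATURE)
    print(name, target, logic)
    print('looks for:', render_subsig(subsigs[0]))
    print('hit  :', matches(SIGNATURE, SAMPLE_HIT))
    print('miss :', matches(SIGNATURE, SAMPLE_MISS))
```

Rendering the subsignature shows the literal being matched, `<script type="text/javascript">functionsendemail{0-1}(){`, which makes the absence of a space after `function` easy to spot during review. Running the two samples through the evaluator shows why the count in the logical expression matters: three copies of the script do not trip 0>3, four do.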