[clamav-users] Minor bug or working as intended?

Kris Deugau kdeugau at vianet.ca
Fri Feb 25 16:43:26 UTC 2022


Laurent S. via clamav-users wrote:
> Dear Kris,
> 
> I've had the same issue. In the last two years, I was regularly writing YARA sigs in ClamAV and finding that it behaves in strange ways... Especially the regex integration.
> 
> I specifically remember that counting regex wasn't possible and that I had to write those sigs either in strings or HEX.
> 
> After too many timeouts and strange stuff, I decided to rewrite all of the sigs I had written to LDB. It's not easy to read, less fun to write... but damn it's much more reliable and fast.
> 
> Here's what your sig could look like:
> 
> KGD.LDB.JS.SENDEMAIL;Engine:81-255,Target:3;0>3;3c73637269707420747970653d22746578742f6a617661736372697074223e66756e6374696f6e73656e64656d61696c{0-1}28297b
> 
> I took the liberty to define Target:3 (HTML). You might need to change that. Adding more criteria might be good too.

*nod*  I kept at it and the full Yara sig I eventually pushed live has 
10 strings, requiring layered sets of multi-hit matches.  (Finding a 
valid syntax just for those conditions alone was a bit tedious;  it's 
not clear from the upstream Yara docs or Clam's brief commentary whether 
you can nest conditions as pseudo-strings[1], but bumping the total 
match count required and just and'ing the sub-count conditions was Good 
Enough.)

-kgd

[1] Available indications say "you can't", although supposedly you can 
reference other Yara signatures - tried, couldn't get that working either
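As an added illustration (not code from either poster or from ClamAV itself), here is a small Python decoder for the LDB line quoted above: it splits the line into its fields, turns the hex subsignature (with its {0-1} gap) back into readable bytes and a regex, and evaluates the "0>3" match-count expression against two constructed HTML snippets. The two sample bodies, the non-overlapping counting and the single-comparison logic evaluator are assumptions of this example, not ClamAV's own matching engine.

```python
import re

# Constructed for this example: the LDB line quoted above and two sample HTML bodies.
LDB_LINE = ("KGD.LDB.JS.SENDEMAIL;Engine:81-255,Target:3;0>3;"
            "3c73637269707420747970653d22746578742f6a617661736372697074223e"
            "66756e6374696f6e73656e64656d61696c{0-1}28297b")
HIT = b"<html>" + b'<script type="text/javascript">functionsendemail (){}</script>' * 4
MISS = b'<html><script type="text/javascript">function sendemail(){}</script>'

_TOKEN = re.compile(r"\{(\d+)-(\d+)\}|(\?\?)|([0-9a-fA-F]{2})")

def parse_ldb(line):
    """Split an .ldb line: name;target-description;logical-expression;subsig[;subsig...]"""
    name, tdb, logic, *subsigs = line.strip().split(";")
    tdb_fields = dict(f.split(":", 1) for f in tdb.split(","))
    return {"name": name, "tdb": tdb_fields, "logic": logic, "subsigs": subsigs}

def hex_to_regex(hexsig):
    """Turn a hex subsignature into a bytes regex. Handles plain hex bytes, '??' (one
    arbitrary byte) and '{n-m}' (n..m arbitrary bytes); any other hex operator raises
    ValueError instead of being silently mistranslated."""
    parts, pos = [], 0
    for m in _TOKEN.finditer(hexsig):
        if m.start() != pos:
            raise ValueError("unsupported syntax at offset %d" % pos)
        pos = m.end()
        if m.group(1) is not None:
            parts.append(b".{%d,%d}" % (int(m.group(1)), int(m.group(2))))
        elif m.group(3):
            parts.append(b".")
        else:
            parts.append(re.escape(bytes.fromhex(m.group(4))))
    if pos != len(hexsig):
        raise ValueError("unsupported syntax at offset %d" % pos)
    return re.compile(b"".join(parts), re.DOTALL)

def decode_hex(hexsig):
    """Readable view of a subsig: hex runs decoded, gap/wildcard tokens left as written."""
    return "".join(bytes.fromhex(m.group(4)).decode("latin-1") if m.group(4) else m.group(0)
                   for m in _TOKEN.finditer(hexsig))

def evaluate(line, data):
    """Count non-overlapping hits per subsig (assumption of this example) and evaluate a
    single 'N<op>count' expression, e.g. '0>3' = subsig 0 must match more than 3 times.
    Returns (counts, verdict). Compound expressions with & and | are not handled here."""
    sig = parse_ldb(line)
    counts = [len(hex_to_regex(s).findall(data)) for s in sig["subsigs"]]
    idx, op, n = re.fullmatch(r"(\d+)([<>=])(\d+)", sig["logic"]).groups()
    c = counts[int(idx)]
    verdict = {"<": c < int(n), ">": c > int(n), "=": c == int(n)}[op]
    return counts, verdict
```

Decoding the subsig this way shows exactly which bytes it requires (here the literal "functionsendemail", with the {0-1} gap only between that and "(){"), which is worth checking before a sig goes live.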
