[clamav-users] Minor bug or working as intended?

G.W. Haywood clamav at jubileegroup.co.uk
Sat Feb 26 09:56:21 UTC 2022


Hi there,

On Fri, 25 Feb 2022, Laurent S. via clamav-users wrote:

> I've had the same issue. In the last two years, I was regularly
> writing YARA sigs in ClamAV and finding that it behaves in strange
> ways... Especially the regex integration.
> 
> I specifically remember that counting regex wasn't possible and that
> I had to write those sigs either in strings or HEX.
> 
> After too many timeouts and strange stuff ...

Sounds like you and I have been through the same pain.

> I decided to rewrite all of the sigs I had written to LDB. It's not
> easy to read, less fun to write... but damn it's much more reliable
> and fast.

Execution time will be important for scanning filesystems, less so for
scanning mail (at least for scanning low-volume mail) and readability
can be hugely important if you're writing a lot of rules.  Perhaps we
should be asking the development team for readable LDB rules? :)

> PS: This YARA might technically work, but might cost you lots of CPU:
> $a3 = /(<script type="text\/javascript">functionsendemail.?\(\)\{.*){3}/

I think it's generally best to avoid things like '.*' in Yara rules,
and possibly in regexes in general for use in scanning.  Even in mail
you can find yourself scanning fairly big base64-encoded texts which
are never going to match but still cost CPU, but in a filesystem there
may be files of gigabytes+ and some regexes will be *very* expensive.

> I personally think a better project for the community would be to
> improve YARA in ClamAV ...

+1

If I'd had the time I'd have done it myself already.

-- 

73,
Ged.
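To make Ged's point about '.*' concrete, here is an added example that is not from the thread and not ClamAV's or YARA's matcher: it uses Python's backtracking `re` engine as a stand-in to compare the quoted $a3 pattern with a rewrite whose gap between hits is capped. The `re.DOTALL` flag, the 2000-byte cap, the marker text and the constructed sample files are all assumptions of mine.

```python
import re
import time

# The pattern as quoted in the thread; its YARA syntax also parses as a Python regex.
# DOTALL is an assumption so that '.' spans newlines the way a raw file scan would.
UNBOUNDED = re.compile(
    r'(<script type="text\/javascript">functionsendemail.?\(\)\{.*){3}', re.DOTALL)

# Assumed rewrite: same anchor text, but the gap between hits is capped (2000 bytes,
# a constructed figure) so the engine never has to walk to end-of-file between hits.
BOUNDED = re.compile(
    r'(<script type="text\/javascript">functionsendemail.?\(\)\{.{0,2000}?){3}',
    re.DOTALL)

# Constructed marker that satisfies the literal prefix of both patterns.
HIT = '<script type="text/javascript">functionsendemail(){'


def build_sample(hits: int, filler_bytes: int) -> str:
    """Constructed input: `hits` copies of the marker a few bytes apart, followed by
    a large base64-looking tail, like a mail body with a big attachment."""
    body = "<p>spacer</p>\n".join([HIT + "}\n</script>\n"] * hits)
    return body + "A" * filler_bytes


def matches(pattern: re.Pattern, text: str) -> bool:
    """True if the rule would fire on `text`."""
    return pattern.search(text) is not None


def time_search(pattern: re.Pattern, text: str):
    """Return (matched, seconds) for a single search."""
    start = time.perf_counter()
    found = matches(pattern, text)
    return found, time.perf_counter() - start


if __name__ == "__main__":
    near_miss = build_sample(2, 5_000_000)  # two hits: rule must NOT fire
    real_hit = build_sample(3, 5_000_000)   # three hits: rule must fire
    for name, pat in (("unbounded .*", UNBOUNDED), ("bounded .{0,2000}?", BOUNDED)):
        for label, text in (("near-miss", near_miss), ("real hit", real_hit)):
            found, secs = time_search(pat, text)
            print(f"{name:20s} {label:9s} match={found!s:5s} {secs * 1000:8.1f} ms")
```

Both patterns give the same verdicts on these samples, but the unbounded one walks the 5 MB tail once per repetition even when the three hits sit next to each other; measure against the real scanner before relying on the numbers, since ClamAV's and YARA's engines are not Python's.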

