[clamav-users] human friendly signatures
Kris Deugau
kdeugau at vianet.ca
Mon Mar 21 14:52:20 UTC 2022
G.W. Haywood via clamav-users wrote:
> Hi Micah,
>
> On Wed, 16 Mar 2022, Micah Snyder (micasnyd) wrote:
>> I'm not sure what you mean here. Can you elaborate? If you simply
>> want ClamAV ignore garbage rules on load and continue with the rest
>> of the file (see point #4) - that's something we can easily improve
>> regardless of what we do. And that's how our yara rule loading logic
>> works right now.
>
> I strongly feel that if it finds a problem, rather than silently load
> some sub-optimal ruleset the parser should abandon the reload of the
> entire ruleset. Obviously it should warn when it does that. I guess
> this might be an issue if it's running on a machine with too little
> RAM to reload while simultaneously scanning with the previous ruleset,
> but something like a --test-ruleset option could probably handle that.
TBH I'd prefer if Clam *did* continue, just skipping malformed rules
(and also whinging loudly in the log).
Either would be better than just exiting (it's not a hard *crash*, it's
"just" refusing to load a file with a malformed signature - including
things like entirely blank lines).
> While I was looking at this I also came upon another quirk that can be
> a bit of a nuisance. AFAICT Yara strings can only be delimited by one
> of two characters, either a double-quote (for a literal string) or a
> forward-slash (for a regex). It would help to be able to choose the
> quote character like in Perl; if not, at least having more available
> to choose from could make many expressions more readable, especially
> those which target e.g. HTML and links in mail (both of which tend to
> have many occurrences of double-quote or forward-slash characters).
Strictly speaking, four characters (the {} delimiters for hex strings).
To my reading this is part of the upstream Yara spec, and I'd be wary of
extending this particular bit without at least requiring some blatant,
obvious flag in any such rule to clearly indicate that it's not stock
Yara syntax.
-kgd
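As an added illustration of the delimiter point discussed above (this rule is not from the list post or from ClamAV's own signature set; the rule name, strings and URL are made up), here are the three Yara string forms side by side. The text string and the regex show the escaping that piles up when the pattern itself is full of double-quotes or forward-slashes, which is exactly the readability problem raised in the thread; the hex form needs no escaping because its content is restricted to hex digits and wildcards.

```yara
// Added example, not part of the original post: the three Yara string
// delimiter forms and the escaping each one requires.
rule delimiter_forms_example
{
    meta:
        description = "Illustrates text, regex and hex string delimiters"

    strings:
        // Text string: double-quotes delimit it, so every embedded
        // double-quote must be written as \"
        $html_attr = "<a href=\"http://example.invalid/\">" ascii wide nocase

        // Regex: forward-slashes delimit it, so every literal slash in a
        // URL must be written as \/
        $url_re = /https?:\/\/[a-z0-9.-]+\/login\.php/ nocase

        // Hex string: curly braces delimit it; no escaping is ever needed
        $hex_sig = { 3C 61 20 68 72 65 66 3D 22 }   // the bytes of: <a href="

    condition:
        any of them
}
```

When a rule is mostly URLs or HTML, the hex form can be the more readable choice despite looking less friendly at first glance, and it has the practical advantage of being stock Yara syntax that any loader will accept unchanged.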