[Community-sigs] ClamAV YARA parsing
Thiago Alves
thiagoralves at gmail.com
Wed Feb 24 16:32:37 UTC 2021
Hi all,
I'm trying to evaluate ClamAV's ability to parse YARA rules correctly. I've
read the limitations on
https://www.clamav.net/documents/using-yara-rules-in-clamav but still I'm
having a hard time understanding why the following rule is not being
accepted:
rule TEST
{
    meta:
        description = "Evaluate ClamAV YARA parsing"
    strings:
        $a = { 8a f4 c1 [1-4] fe ca 88 ?4 08 ?? [0-3] 48 ff c8 48 ?? ?? ?? 75 ?? }
        $b = { 8a ?4 c1 [1-4] fe ca 88 ?4 08 ?? [0-3] 48 ff c8 48 ?? ?? ?? 75 ?? }
    condition:
        filesize < 4MB and ($a or $b)
}
For the rule above, string $a was accepted, while $b was not. This is the
error I'm getting on clamscan:
LibClamAV Error: cli_ac_addsig: Can't find a static subpattern of length 2
LibClamAV Error: cli_parse_add(): Problem adding signature (1).
LibClamAV Error: cli_parseadd(): Problem adding signature (1b).
LibClamAV Warning: load_oneyara[verify]: recovered from database loading error
LibClamAV Warning: load_oneyara[verify]: string failed test insertion: $b
LibClamAV Warning: load_oneyara: clamav cannot support 1 input strings, skipping YARA.TEST
Is this a bug or a limitation? I've tested this rule with other YARA
parsing scans with success, but I'd rather use ClamAV due to its
superior engine.
Thanks,
Thiago Alves
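A small pre-check for the failure reported above, added here as an example and not part of the original message or of ClamAV's own code: it splits a YARA-style hex string into the subpatterns that jumps such as [1-4] separate, and flags any subpattern that has no run of two consecutive fully-static bytes (a nibble wildcard like ?4 counts as non-static). The per-subpattern rule and the threshold of 2 are assumptions taken from the "static subpattern of length 2" error text, not from ClamAV's source; alternatives written with ( | ) are not handled.

```python
import re

# Assumed threshold, read off the clamscan error "Can't find a static
# subpattern of length 2"; it is not taken from ClamAV's source.
MIN_STATIC = 2

# Tokens: a jump [n-m] or [n], a '*' wildcard, or one byte (may contain '?').
TOKEN = re.compile(r'\[\d+-\d+\]|\[\d+\]|\*|[0-9a-fA-F?]{2}')


def split_subpatterns(hexstr):
    """Split a hex string into lists of byte tokens, cut at every jump."""
    body = hexstr.strip()
    if body.startswith('{') and body.endswith('}'):
        body = body[1:-1]
    subpatterns, current = [], []
    for tok in TOKEN.findall(body):
        if tok.startswith('[') or tok == '*':
            if current:
                subpatterns.append(current)
            current = []
        else:
            current.append(tok.lower())
    if current:
        subpatterns.append(current)
    return subpatterns


def longest_static_run(tokens):
    """Length of the longest run of bytes with no '?' nibble wildcard."""
    best = run = 0
    for tok in tokens:
        run = 0 if '?' in tok else run + 1
        best = max(best, run)
    return best


def check_hex_string(hexstr, min_static=MIN_STATIC):
    """Return (index, subpattern, longest_run) for each failing subpattern."""
    problems = []
    for i, sub in enumerate(split_subpatterns(hexstr)):
        run = longest_static_run(sub)
        if run < min_static:
            problems.append((i, ' '.join(sub), run))
    return problems


# Constructed sample input: the two strings from the rule in the message.
HEX_A = '{ 8a f4 c1 [1-4] fe ca 88 ?4 08 ?? [0-3] 48 ff c8 48 ?? ?? ?? 75 ?? }'
HEX_B = '{ 8a ?4 c1 [1-4] fe ca 88 ?4 08 ?? [0-3] 48 ff c8 48 ?? ?? ?? 75 ?? }'

if __name__ == '__main__':
    for name, hx in (('$a', HEX_A), ('$b', HEX_B)):
        print(name, check_hex_string(hx) or 'ok')
```

For $b the only failing subpattern is the leading "8a ?4 c1", whose longest static run is a single byte, which is consistent with $a loading and $b being rejected.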