Couple of pre-coffee questions...
1) From what I can tell, Yara signature names will be generated based on
the yara rule name provided...
eg:
testname.yara:
    rule Sanesecurity.test
    {
        strings:
            $match1 = "test"
            $ignore1 = "this1"
            $ignore2 = "this2"
        condition:
            $match1 and not ($ignore1 or $ignore2)
    }
So, if it matched the name will be: Sanesecurity.test.UNOFFICIAL
Would it be a good idea if ClamAV engine *auto-added* .Yara or _Yara to the
end/beginning of Yara signatures to help end-users work out if it's a
normal ClamAV database or a Yara rule:
Eg: Sanesecurity.test.Yara.UNOFFICIAL
2) I take it Yara signatures can be whitelisted using .ign2 etc.
Cheers,
Steve
Web : sanesecurity.com
Blog: sanesecurity.blogspot.com