On Mon May 15 15:06:07 2017 "Eric Tykwinski" <eric-l...@truenet.com> wrote:
>
> Here are links to sample files, i.e. use at your own risk:
> https://gist.github.com/rain-1/989428fa5504f378b993ee6efbc0b168
>
> Sincerely,
>
> Eric Tykwinski
> TrueNet, Inc.
> P: 610-429-8300
>
Well, it does seem to try and use the yara rule. Using one of the samples on
the link you gave me:

$ clamscan CYBERed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.EXE
LibClamAV Error: yyerror(): /var/lib/clamav/wannaCry.yar line 3 non-ascii character
LibClamAV Error: yyerror(): /var/lib/clamav/wannaCry.yar line 3 syntax error, unexpected $end, expecting _CONDITION_
LibClamAV Error: cli_loadyara: failed to parse rules file /var/lib/clamav/wannaCry.yar, error count 2

When I fixed the non-ascii character thing I got:

> clamscan CYBERed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.EXE
CYBERed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.EXE: Win.Trojan.Agent-6312832-0 FOUND

----------- SCAN SUMMARY -----------
Known viruses: 6284809
Engine version: 0.99.2
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 3.49 MB
Data read: 3.35 MB (ratio 1.04:1)
Time: 6.828 sec (0 m 6 s)

The yara rule didn't find anything. I used sample
hxxps://transfer.sh/PnDIl/CYBERed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.EXE

The page is headed, "WannaCry|WannaDecrypt0r NSA-Cyberweapon-Powered Ransomware
Worm" so I would imagine the samples on this page are for wannaCry, right?

--Mark

> -----Original Message-----
> From: clamav-users [mailto:clamav-users-boun...@lists.clamav.net] On Behalf
> Of Mark Foley
> Sent: Monday, May 15, 2017 2:58 PM
> To: clamav-users@lists.clamav.net
> Subject: Re: [clamav-users] Malware/ransomware and Yara signatures with
> clamav
>
> On Sat May 13 13:25:07 2017 From: Alain Zidouemba
> <azidoue...@sourcefire.com> wrote:
> >
> > Yara rules have been supported by ClamAV since 2015:
> > http://blog.clamav.net/2015/06/clamav-099b-meets-yara.html
> >
> > - Alain
>
> I'm following these instructions now. The instructions say, "just place your
> YARA rule files into the ClamAV virus database location."
> I've copied the Homeland Security yara script to a file, wannaCry.yar, in my
> /var/lib/clamav directory.
>
> Is that it? No clamscan switch or config setting? Is there any way to
> confirm this rule is being used?
>
> I also downloaded and looked at the yara repo on github. There are over 400
> rules in the zipfile. To use some or all of them would I just unzip into my
> database location?
>
> The instructions also say, "Regular expressions in both YARA rules and
> ClamAV logical signatures require the Perl Compatible Regular Expressions
> (PCRE) library." Is there a way to see if my clamAV was built with this?
>
> Thanks, Mark
>
> > On Sat, May 13, 2017 at 1:16 PM, Alex <mysqlstud...@gmail.com> wrote:
> >
> > > Hi,
> > >
> > > So you've probably heard of the latest ransomware dubbed WannaCry.
> > > I'm wondering if anyone has figured out a way to integrate the yara
> > > signatures for these types of exploits with spamassassin?
> > >
> > > https://www.us-cert.gov/ncas/alerts/TA17-132A
> > >
> > > What is the status of development of integration of yara rules into
> > > clamav?
> > >
> > > [deleted]
> > >
> > > Thanks,
> > > Alex
> > _______________________________________________
> > clamav-users mailing list
> > clamav-users@lists.clamav.net
> > http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
> >
> >
> > Help us build a comprehensive ClamAV guide:
> > https://github.com/vrtadmin/clamav-faq
> >
> > http://www.clamav.net/contact.html#ml
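A check for the parser failure reported in the thread above (a non-ASCII character on line 3 of wannaCry.yar, which makes cli_loadyara reject the whole file). This is an added example, not code from the thread or from ClamAV; the sample rule and its string are constructed placeholders, not the DHS rule from TA17-132A.

```python
"""Find the non-ASCII bytes that make ClamAV's YARA parser reject a rule file
("yyerror(): ... line 3 non-ascii character"), and strip the usual culprits:
typographic quotes and dashes picked up when a rule is copied from a web page."""

# Look-alike characters the YARA grammar does not accept, mapped to ASCII.
TYPOGRAPHIC_TO_ASCII = {
    "\u201c": '"', "\u201d": '"',   # curly double quotes
    "\u2018": "'", "\u2019": "'",   # curly single quotes
    "\u2013": "-", "\u2014": "-",   # en dash, em dash
    "\u00a0": " ",                  # non-breaking space
}

def find_non_ascii(data: bytes):
    """Return (line, column, byte) for every byte above 0x7F; 1-based, as in the clamscan message."""
    hits = []
    for lineno, line in enumerate(data.split(b"\n"), start=1):
        for col, byte in enumerate(line, start=1):
            if byte > 0x7F:
                hits.append((lineno, col, byte))
    return hits

def sanitize(data: bytes) -> bytes:
    """Replace known look-alikes with ASCII. Any other non-ASCII byte is kept,
    so find_non_ascii() on the result still flags it for a human to look at."""
    text = data.decode("utf-8", errors="surrogateescape")
    for bad, good in TYPOGRAPHIC_TO_ASCII.items():
        text = text.replace(bad, good)
    return text.encode("utf-8", errors="surrogateescape")

def report(path: str, data: bytes):
    """One clamscan-style line per offending byte, e.g. for a log or a CI check."""
    return [f"{path} line {ln} col {col}: non-ascii byte 0x{b:02x}"
            for ln, col, b in find_non_ascii(data)]

# Constructed sample rule (not the DHS rule from TA17-132A): curly quotes on
# line 3, the line clamscan complained about in the thread.
SAMPLE_RULE = (
    "rule pasted_from_web\n"
    "{\n"
    "    strings: $s1 = \u201cPLACEHOLDER_STRING\u201d\n"
    "    condition: $s1\n"
    "}\n"
).encode("utf-8")

if __name__ == "__main__":
    for line in report("/var/lib/clamav/wannaCry.yar", SAMPLE_RULE):
        print(line)
    print(sanitize(SAMPLE_RULE).decode())
```

Run it over the .yar file before dropping it into the database directory; a clean file returns no hits, and the sanitized output can then be tested with clamscan -d against a known sample.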