On Mon May 15 15:06:07 2017 "Eric Tykwinski" <eric-l...@truenet.com> wrote:
>
> Here are links to sample files, i.e. use at your own risk:
> https://gist.github.com/rain-1/989428fa5504f378b993ee6efbc0b168
>
> Sincerely,
>
> Eric Tykwinski
> TrueNet, Inc.
> P: 610-429-8300
>

Well, it does seem to try and use the yara rule. Using one of the samples on the
link you gave me:

$ clamscan 
CYBERed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.EXE
LibClamAV Error: yyerror(): /var/lib/clamav/wannaCry.yar line 3 non-ascii 
character
LibClamAV Error: yyerror(): /var/lib/clamav/wannaCry.yar line 3 syntax error, 
unexpected $end, expecting _CONDITION_
LibClamAV Error: cli_loadyara: failed to parse rules file 
/var/lib/clamav/wannaCry.yar, error count 2

When I fixed the non-ascii character thing I got:

> clamscan
CYBERed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.EXE
CYBERed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.EXE:
Win.Trojan.Agent-6312832-0 FOUND

----------- SCAN SUMMARY -----------
Known viruses: 6284809
Engine version: 0.99.2
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 3.49 MB
Data read: 3.35 MB (ratio 1.04:1)
Time: 6.828 sec (0 m 6 s)

The yara rule didn't find anything.

I used sample 
.hxxps://transfer.sh/PnDIl/CYBERed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.EXE

The page is headed, "WannaCry|WannaDecrypt0r NSA-Cyberweapon-Powered Ransomware 
Worm"
so I would imagine the samples on this page are for wannaCry, right?

--Mark
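An added pre-flight script (not code from anyone in this thread) for the two practical questions raised above: finding the non-ASCII byte that makes libclamav's YARA parser fail, and checking whether the installed ClamAV was built with PCRE. It assumes a POSIX shell with grep, and clamscan and clamconf on PATH; the exact wording of the clamconf feature line is an assumption noted in the code.

```shell
#!/bin/sh
# Added pre-flight checks for a YARA file before it goes into /var/lib/clamav.
# Assumes a POSIX shell with grep, plus clamscan and clamconf on PATH.

# Print "LINE:content" for each line holding a byte outside printable ASCII.
# With LC_ALL=C, [:print:] is exactly 0x20-0x7E, so UTF-8 "smart" quotes,
# dashes or a BOM pasted from a web page are all caught; tabs/newlines pass.
non_ascii_lines() {
    LC_ALL=C grep -n '[^[:print:][:space:]]' "$1"
}

# Return 0 when the file is clean, 1 when it holds non-ASCII bytes
# (the same condition libclamav reports as "non-ascii character").
check_rule_file() {
    if non_ascii_lines "$1"; then
        echo "$1: non-ASCII bytes on the lines above; fix before loading" >&2
        return 1
    fi
    return 0
}

# Load only this rule file, so a parse error is not buried in the normal
# database load. -d/--database is a standard clamscan option.
dry_load_rule() {
    clamscan --database="$1" "$2"
}

# Answer "was this ClamAV built with PCRE?": clamconf lists the optional
# features the engine was compiled with. Assumption: the line is labelled
# "Optional features supported" as in 0.99.x builds.
has_pcre() {
    clamconf | grep -q 'Optional features supported:.*PCRE'
}

# Usage: sh yara_precheck.sh /var/lib/clamav/wannaCry.yar sample.EXE
if [ -n "$1" ]; then
    check_rule_file "$1" && dry_load_rule "$1" "${2:-/dev/null}"
    has_pcre && echo "PCRE: yes" || echo "PCRE: no (regex strings in rules will not work)"
fi
```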

> -----Original Message-----
> From: clamav-users [mailto:clamav-users-boun...@lists.clamav.net] On Behalf
> Of Mark Foley
> Sent: Monday, May 15, 2017 2:58 PM
> To: clamav-users@lists.clamav.net
> Subject: Re: [clamav-users] Malware/ransomware and Yara signatures with
> clamav
>
> On Sat May 13 13:25:07 2017 From: Alain Zidouemba
> <azidoue...@sourcefire.com> wrote:
> >
> > Yara rules have been supported by ClamAV since 2015:
> > http://blog.clamav.net/2015/06/clamav-099b-meets-yara.html
> >
> > - Alain
>
> I'm following these instructions now.  The instructions say, "just place your
> YARA rule files into the ClamAV virus database location." I've copied the
> Homeland Security yara script to a file, wannaCry.yar, in my /var/lib/clamav
> directory. 
>
> Is that it? No clamscan switch or config setting? Is there any way to
> confirm this rule is being used?
>
> I also downloaded and looked at the yara repo on github.  There are over 400
> rules in the zipfile.  To use some or all of them would I just unzip into my
> database location?
>
> The instructions also say, "Regular expressions in both YARA rules and
> ClamAV logical signatures require the Perl Compatible Regular Expressions
> (PCRE) library." Is there a way to see if my clamAV was built with this?
>
> Thanks, Mark
>
> >
> > On Sat, May 13, 2017 at 1:16 PM, Alex <mysqlstud...@gmail.com> wrote:
> >
> > > Hi,
> > >
> > > So you've probably heard of the latest ransomware dubbed WannaCry. 
> > > I'm wondering if anyone has figured out a way to integrate the yara 
> > > signatures for these types of exploits with spamassassin?
> > >
> > > https://www.us-cert.gov/ncas/alerts/TA17-132A
> > >
> > > What is the status of development of integration of yara rules into
> clamav?
> > >
> > > [deleted]
> > >
> > > Thanks,
> > > Alex
> > _______________________________________________
> > clamav-users mailing list
> > clamav-users@lists.clamav.net
> > http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
> >
> >
> > Help us build a comprehensive ClamAV guide:
> > https://github.com/vrtadmin/clamav-faq
> >
> > http://www.clamav.net/contact.html#ml
> >