> On Jul 1, 2017, at 1:10 AM, Mark Foley <[email protected]> wrote:
>
> I've put the expetr.yara rule from Kaspersky for the recent notPetya
> ransomware in my /var/lib/clamav directory.
>
> How can I tell if clamav is running it? I see nothing in /var/log/clamav.log.
>
> --Mark
My first suggestion would be to make sure Yara rules are enabled in clamav.
So make a couple of files:
/*** test.yara ***/
rule Test_Yara_Rules : test
{
    meta:
        description = "Test Yara"
    strings:
        $test = "YaraTest" fullword ascii
    condition:
        $test
}
/***********/
echo YaraTest > test.txt
clamscan -d ./test.yara test.txt
Should show you:
test.txt: YARA.Test_Yara_Rules.UNOFFICIAL FOUND
----------- SCAN SUMMARY -----------
Known viruses: 1
Engine version: 0.99.2
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 0.00 MB
Data read: 0.00 MB (ratio 0.00:1)
Time: 0.007 sec (0 m 0 s)
For Ubuntu 16.04, it's enabled by default; on OSX with homebrew add --with-yara
to enable them.
PS. Talos guys, I’m loving the new website, a lot of info in there.
_______________________________________________
clamav-users mailing list
[email protected]
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq
http://www.clamav.net/contact.html#ml
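A scripted form of the check in the reply above, added here and not part of the thread: it writes the same test rule and matching file, runs clamscan against them when clamscan is installed, and parses the output (the YARA.<rule>.UNOFFICIAL FOUND line and the "Known viruses" count) instead of eyeballing it. The sample output in the test is constructed from the summary shown in the reply.

```shell
#!/bin/sh
# Added example (not from the thread): answer "is clamav running my YARA rule?"
# with a yes/no from clamscan output rather than by reading the summary by hand.

# Return 0 if the scan output reports the test rule firing.
# clamscan reports YARA matches as "YARA.<rule name>.UNOFFICIAL FOUND".
yara_hit() {
  printf '%s\n' "$1" | grep -q 'YARA\.Test_Yara_Rules\.UNOFFICIAL FOUND'
}

# Print the "Known viruses" count from the scan summary: the number of
# signatures loaded, so 1 when only test.yara is given with -d.
known_viruses() {
  printf '%s\n' "$1" | sed -n 's/^Known viruses: *\([0-9][0-9]*\).*/\1/p'
}

# Write the minimal rule from the reply and a file that matches it into $1.
make_fixture() {
  cat > "$1/test.yara" <<'EOF'
rule Test_Yara_Rules : test
{
    meta:
        description = "Test Yara"
    strings:
        $test = "YaraTest" fullword ascii
    condition:
        $test
}
EOF
  echo YaraTest > "$1/test.txt"
}

# End-to-end check; returns 0 if the rule fires, 1 if not, 2 if clamscan is absent.
run_check() {
  command -v clamscan >/dev/null 2>&1 || { echo "clamscan not installed; skipping live scan"; return 2; }
  tmp=$(mktemp -d) && make_fixture "$tmp"
  # clamscan exits 1 when something is FOUND, so do not let that abort a "set -e" shell.
  out=$(clamscan -d "$tmp/test.yara" "$tmp/test.txt" 2>&1) || true
  rm -rf "$tmp"
  if yara_hit "$out"; then
    echo "YARA rules are enabled ($(known_viruses "$out") signature loaded)"
  else
    echo "rule did not fire; this ClamAV build probably lacks YARA support"; return 1
  fi
}

run_check || status=$?
echo "exit status: ${status:-0}"
```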