On Sat, 1 Jul 2017 09:21:50 -0400 Eric Tykwinski <[email protected]> wrote:

> > On Jul 1, 2017, at 1:10 AM, Mark Foley <[email protected]> wrote:
> >
> > I've put the expetr.yara rule from Kaspersky for the recent notPetya
> > ransomware in my /var/lib/clamav directory.
> >
> > How can I tell if clamav is running it? I see nothing in
> > /var/log/clamav.log.
> >
> > --Mark
>
> My first suggestion would be to make sure Yara rules are enabled in clamav.
> So make a couple of files:
>
> /*** test.yara ***/
> rule Test_Yara_Rules : test
> {
>     meta:
>         description = "Test Yara"
>     strings:
>         $test = "YaraTest" fullword ascii
>     condition:
>         $test
> }
> /***********/
>
> echo YaraTest > test.txt
>
> clamscan -d ./test.yara test.txt
>
> Should show you:
> test.txt: YARA.Test_Yara_Rules.UNOFFICIAL FOUND
>
> ----------- SCAN SUMMARY -----------
> Known viruses: 1
> Engine version: 0.99.2
> Scanned directories: 0
> Scanned files: 1
> Infected files: 1
> Data scanned: 0.00 MB
> Data read: 0.00 MB (ratio 0.00:1)
> Time: 0.007 sec (0 m 0 s)
Yes. I got exactly the same output as you show. Therefore, yara rules are
enabled. So then, how can I confirm the expetr.yara I created is being run?

--Mark

_______________________________________________
clamav-users mailing list
[email protected]
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users

Help us build a comprehensive ClamAV guide: https://github.com/vrtadmin/clamav-faq
http://www.clamav.net/contact.html#ml
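One way to check that a specific rule file such as expetr.yara is actually loaded, as an added example that is not part of the thread: load only that file with clamscan -d, scan an empty file, and compare the "Known viruses" figure in the summary with the number of rules defined in the file (Eric's summary shows 1 for his one-rule file). The helper names, the /dev/null scan target and the sample output embedded below are assumptions or constructed from the thread; the FOUND-line parser lets a benign test file be checked the same way Eric's test.txt was.

```shell
#!/bin/sh
# Added example, not from the thread. Relies on two things visible in the
# quoted output: clamscan prints "Known viruses: N" (loaded YARA rules are
# counted in N) and reports YARA hits as "<file>: YARA.<rule>.UNOFFICIAL FOUND".

# Count rule definitions in a YARA file (a "rule" keyword at line start,
# optionally preceded by the private/global modifiers).
count_rules() {
    grep -cE '^[[:space:]]*((private|global)[[:space:]]+)*rule[[:space:]]+[A-Za-z_]' "$1"
}

# Read clamscan output on stdin and print the "Known viruses" number.
known_viruses() {
    sed -n 's/^Known viruses: *\([0-9][0-9]*\).*/\1/p'
}

# Read clamscan output on stdin; succeed only if the named YARA rule fired.
rule_found() {
    grep -q "YARA\.$1\.UNOFFICIAL FOUND"
}

# Load ONLY the given rule file and scan an empty file. The file is fully in
# use when "Known viruses" equals the number of rules it defines; rules the
# engine cannot compile are skipped (warning on stderr), so a lower count
# means some of them are not being run.
verify_rule_file() {
    rules=$(count_rules "$1")
    loaded=$(clamscan -d "$1" /dev/null | known_viruses)
    echo "$1: $rules rule(s) defined, ${loaded:-0} loaded"
    [ "${loaded:-0}" -eq "$rules" ]
}

# Constructed sample: the scan result Eric quoted, used for offline checks.
SAMPLE_OUTPUT='test.txt: YARA.Test_Yara_Rules.UNOFFICIAL FOUND

----------- SCAN SUMMARY -----------
Known viruses: 1
Engine version: 0.99.2
Scanned files: 1
Infected files: 1'

# On a real install: verify_rule_file /var/lib/clamav/expetr.yara
```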
