On Mon, 3 Jul 2017 19:57:25 -0400 Eric Tykwinski <[email protected]> wrote:

> > Yes. I got exactly the same output as you show. Therefore, yara rules are
> > enabled.
> >
> > So then, how can I confirm the expetr.yara I created is being run?
> >
> > --Mark
>
> Mark,
>
> We are getting off topic for the ClamAV list. I don't know what rule they
> published, and thankfully haven't had to deal with anything locally.
> My guess would be to open the yara rule and check it out. You might be able
> to fake it with a hex editor to test it out, or you can search for sample
> files and see if they catch them. With Yara rules though you are usually
> only getting a small fragment of the infections, and probably a large portion
> of false positives. I use them for scanning backup archives personally to
> find web exploits, and the like, don't delete but find when the file was
> dropped.
>
> Hope this helps,
>
> Eric
Eric - you misunderstand my question. I'm not asking if the yara rule is working
as designed. I'm asking how I can tell if clamav-milter is actually running the
rule during its scan of incoming email.

All I did was put expetr.yara in /var/lib/clamav. That's it. I don't know if
that's sufficient, whether .yara or .yar is the proper file type (I've seen
both), what the file permissions should be ... In short, I have no feedback
from clamav that it even notices the presence of this rule.

Can I set a debug level or something in clamd.conf, clamscan.conf or
clamav-milter.conf?

--Mark

_______________________________________________
clamav-users mailing list
[email protected]
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users

Help us build a comprehensive ClamAV guide: https://github.com/vrtadmin/clamav-faq
http://www.clamav.net/contact.html#ml
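One way to get the feedback Mark is asking for from ClamAV itself, added here as an example that is not from the thread or from the ClamAV project: a constructed, benign YARA rule plus a sample file that matches it, scanned first by clamscan with only that rule loaded (so a miss can only mean the .yara file was not loaded or applied) and then through clamdscan once the rule sits in clamd's database directory. The rule name, marker string and work directory are assumptions made up for the test; the YARA.<rule>.UNOFFICIAL form is how ClamAV names a YARA match in its output.

```shell
# Added self-test (not from the thread): a harmless YARA rule plus a sample that
# matches it, to confirm ClamAV really loads and applies a .yara file.
set -eu

RULE_NAME="clamav_yara_loadcheck"          # constructed rule name
MARKER="CLAMAV-YARA-LOADCHECK-7f3a"        # constructed, benign marker string
WORK="${TMPDIR:-/tmp}/yara-loadcheck.$$"

# ClamAV reports a YARA match as YARA.<rulename>.UNOFFICIAL
expected_signature() { printf 'YARA.%s.UNOFFICIAL' "$1"; }
# Write the rule (libclamav accepts both .yara and .yar) and a sample file
# containing the marker, so the rule has something concrete to hit.
make_fixtures() {
    mkdir -p "$WORK"
    cat > "$WORK/loadcheck.yara" <<EOF
rule $RULE_NAME
{
    strings:
        \$marker = "$MARKER"
    condition:
        \$marker
}
EOF
    printf 'benign sample %s\n' "$MARKER" > "$WORK/sample.txt"
}

# Run a scanner on the sample and print FOUND or MISSED (scanners exit 1 on a hit).
classify() {
    out=$("$@" "$WORK/sample.txt" 2>&1) || true
    case "$out" in
        *"$(expected_signature "$RULE_NAME") FOUND"*) echo FOUND ;;
        *) echo MISSED ;;
    esac
}

# libclamav directly, with ONLY the test rule loaded (-d names one db file).
# Prints SKIP when clamscan is not installed.
check_clamscan() {
    command -v clamscan >/dev/null 2>&1 || { echo SKIP; return 0; }
    make_fixtures
    classify clamscan --no-summary -d "$WORK/loadcheck.yara"
}

# Through clamd (what clamav-milter uses) once loadcheck.yara is copied into
# DatabaseDirectory, readable by the clamd user, and reloaded: clamdscan --reload
check_clamd() {
    command -v clamdscan >/dev/null 2>&1 || { echo SKIP; return 0; }
    make_fixtures
    classify clamdscan --no-summary
}
```

On the clamd side, the signature count clamd logs after a reload should go up by one once the file is picked up, and "Debug yes" in clamd.conf makes libclamav log what it loads.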
