On Thu, 6 Jul 2017 11:34:53 -0400 Kris Deugau <[email protected]> wrote
>
> Mark Foley wrote:
>
> > So, the question posted below remains:
> >
> > Will the expetr.yara rule, described in this thread, run as is, or not, on
> > Linux?
>
> Any valid signature file will be loaded and used.
>
> Any *invalid* signature file will cause clamd to exit.
>
> If clamd is running, and you've been able to confirm the signature file
> is being loaded, the signature will be checked.
>
> Signatures are not platform-specific except in terms of what they're
> intended to match on.
>
> > I'm specifically asking about Eric's comment, "it requires a Win32
> > executable".
>
> To answer this specific point, one of the signature fragments checks a
> byte pattern in a certain location to help ensure that it only triggers
> on files that are Win32 executables.
>
> More generally, to confirm whether a specific signature is doing what
> it's supposed to, you need to have a file to test with that you know is
> supposed to match on that signature.
>
> -kgd

Thanks Kris, that answers my question. I somehow incorrectly took from Eric's
comment that the rule would only run on Windows, but I get that the rule is
inspecting the message for a Windows executable.

--Mark
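
The kind of check discussed in this thread is a test on the scanned file's bytes, not on the host platform; this added example (not from the thread or from ClamAV) shows one running anywhere Python does. It assumes the common MZ/PE header test, since the thread does not show the actual fragment in expetr.yara, and `looks_like_win32_pe` and the sample byte strings are constructed for illustration.

```python
import struct

MZ_MAGIC = b"MZ"          # DOS header magic at offset 0
PE_MAGIC = b"PE\x00\x00"  # PE signature at the offset stored in e_lfanew
E_LFANEW_OFFSET = 0x3C    # location of the 4-byte little-endian pointer


def looks_like_win32_pe(data: bytes) -> bool:
    """Return True if data carries the MZ and PE markers at the expected offsets."""
    if len(data) < E_LFANEW_OFFSET + 4 or data[:2] != MZ_MAGIC:
        return False
    (pe_offset,) = struct.unpack_from("<I", data, E_LFANEW_OFFSET)
    # Bounds check: a truncated or malformed file can point e_lfanew anywhere.
    if pe_offset + len(PE_MAGIC) > len(data):
        return False
    return data[pe_offset:pe_offset + len(PE_MAGIC)] == PE_MAGIC


def build_sample_pe_header(pe_offset: int = 0x80) -> bytes:
    """Constructed test input: header markers only, not a runnable executable."""
    buf = bytearray(pe_offset + len(PE_MAGIC))
    buf[0:2] = MZ_MAGIC
    struct.pack_into("<I", buf, E_LFANEW_OFFSET, pe_offset)
    buf[pe_offset:pe_offset + len(PE_MAGIC)] = PE_MAGIC
    return bytes(buf)


# Constructed samples: one known-should-match file and several that should not,
# which is the "file you know is supposed to match" test Kris describes.
SAMPLES = {
    "pe_header": build_sample_pe_header(),
    "elf_header": b"\x7fELF" + bytes(60),
    "mz_only_truncated": b"MZ" + bytes(10),
    "mz_bad_pointer": b"MZ" + bytes(58) + struct.pack("<I", 0xFFFF),
    "plain_text": b"Subject: invoice attached\r\n\r\nhello",
}


def classify_samples() -> dict:
    """Run the header check over every constructed sample."""
    return {name: looks_like_win32_pe(blob) for name, blob in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in classify_samples().items():
        print(f"{name:20s} {'match' if verdict else 'no match'}")
```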
