Just posting a little regarding the Yara issue with 0.100.x:
After a little bit of testing last week... here's what was found:
It seems that in ClamAV 0.100.x if the yara file uses pe.imports *and* has
*multiple* rules inside the single Yara file, it seems to crash linux
versions of ClamAV.
If the Yara rule uses pe.imports (which btw, isn't supported in CLamAV)
and changed from:
all of ($user*) and pe.imports("advapi32.dll")
to:
all of ($user*)
Then ClamAV doesn't crash in 0.100.x.
Whereas leaving the rule intact (in pre 0.100.x) it just didn't crash.
There a buzilla about it here:
https://bugzilla.clamav.net/show_bug.cgi?id=12077#c14
My little issue is with this statement:
"It wasn't quite clear at the offset of this bug, but ClamAV cannot
support unofficial signatures from a development standpoint. For numerous
reasons, we do not regress against those signatures, and in cases where
sig writers publish non-functional signatures due to insufficient testing
(which then cause crashes in newer versions of clam) we cannot devote our
resources to fixing that problem." (above Bugzilla)
I can see where the above is coming from generally... *but* it's always
been known that Yara pe module import was an issue...
eg:
https://blog.clamav.net/2015/06/clamav-099b-meets-yara.html
"There are currently a few limitations of YARA rules within ClamAV 0.99
beta1, due either to nonexistent ClamAV capabilities or to YARA features
that did not fit well into the ClamAV processing model. We hope to further
evaluate and include as much of this functionality as possible in
subsequent releases. YARA rules using any of the following features will
be **** flagged in error, and the respective rules will be disabled **** :
* Modules – A YARA feature intended to provide modular extensions to the
YARA core. Modules are normally activated using the import keyword. "
So, I feel that the issue is not the fact that ClamAV isn't supporting the
import module... but the fact that now ClamAV crashes on 0.100.x where
before it didn't.
Yararules won't change their rules which need the pe.import module,
because well, that's how Yara will detect things on non-ClamAV software.
--
Cheers,
Steve
Twitter: @sanesecurity
_______________________________________________
clamav-users mailing list
clamav-users@lists.clamav.net
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq
http://www.clamav.net/contact.html#ml
