Just posting a little regarding the Yara issue with 0.100.x: after a little bit of testing last week... here's what was found:

It seems that in ClamAV 0.100.x, if the Yara file uses pe.imports *and* has *multiple* rules inside the single Yara file, it crashes Linux versions of ClamAV. If the Yara rule uses pe.imports (which, btw, isn't supported in ClamAV) and is changed from:

all of ($user*) and pe.imports("advapi32.dll")

to:

all of ($user*)

then ClamAV doesn't crash in 0.100.x. Whereas leaving the rule intact (in pre-0.100.x), it just didn't crash.

There's a Bugzilla about it here: https://bugzilla.clamav.net/show_bug.cgi?id=12077#c14

My little issue is with this statement (from the above Bugzilla):

"It wasn't quite clear at the offset of this bug, but ClamAV cannot support unofficial signatures from a development standpoint. For numerous reasons, we do not regress against those signatures, and in cases where sig writers publish non-functional signatures due to insufficient testing (which then cause crashes in newer versions of clam) we cannot devote our resources to fixing that problem."

I can see where the above is coming from generally... *but* it's always been known that the Yara pe module import was an issue, eg:

https://blog.clamav.net/2015/06/clamav-099b-meets-yara.html

"There are currently a few limitations of YARA rules within ClamAV 0.99 beta1, due either to nonexistent ClamAV capabilities or to YARA features that did not fit well into the ClamAV processing model. We hope to further evaluate and include as much of this functionality as possible in subsequent releases. YARA rules using any of the following features will be **** flagged in error, and the respective rules will be disabled ****:

* Modules – A YARA feature intended to provide modular extensions to the YARA core. Modules are normally activated using the import keyword."

So, I feel that the issue is not the fact that ClamAV isn't supporting the import module... but the fact that now ClamAV crashes on 0.100.x where before it didn't.
Yararules won't change their rules which need the pe.import module, because, well, that's how Yara will detect things on non-ClamAV software.

--
Cheers,
Steve
Twitter: @sanesecurity
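A defender loading third-party Yara files into clamd wants to know in advance which rules use module features ClamAV disables, and which files show the pattern described in this thread (module use plus several rules in one file). The following pre-load check is an added example, not code from the post or from the ClamAV project; its regexes only approximate YARA syntax, the list of module names is an assumption, and the sample rule file is constructed.

```python
"""Vet YARA rule files for module usage before loading them into ClamAV.

Added example, not part of the original mailing-list post. The regexes
approximate YARA syntax (they are not a full parser) and the module name
list is an assumption.
"""
import re

# Rule headers, import statements and module member references such as pe.imports(...)
RULE_RE = re.compile(r'^\s*(?:(?:private|global)\s+)*rule\s+([A-Za-z_]\w*)', re.M)
IMPORT_RE = re.compile(r'^\s*import\s+"(\w+)"', re.M)
MODULE_REF_RE = re.compile(r'\b(pe|elf|math|hash|cuckoo|magic|dotnet)\.([A-Za-z_]\w*)')
COMMENT_RE = re.compile(r'//[^\n]*|/\*.*?\*/', re.S)


def check_yara_file(text):
    """Report rule count, imports and per-rule module references for one file."""
    src = COMMENT_RE.sub('', text)          # ignore module names that only appear in comments
    headers = list(RULE_RE.finditer(src))
    rules = {}
    for i, m in enumerate(headers):
        end = headers[i + 1].start() if i + 1 < len(headers) else len(src)
        body = src[m.start():end]           # text from this rule header to the next one
        refs = sorted({f"{mod}.{attr}" for mod, attr in MODULE_REF_RE.findall(body)})
        rules[m.group(1)] = refs
    imports = IMPORT_RE.findall(src)
    using_modules = {name: refs for name, refs in rules.items() if refs}
    return {
        "rule_count": len(rules),
        "imports": imports,
        "rules_using_modules": using_modules,
        # ClamAV flags module use as an error and disables the rule.
        "unsupported_in_clamav": bool(imports or using_modules),
        # The combination reported on the list for 0.100.x: module use and several rules in one file.
        "matches_0_100_crash_pattern": bool(using_modules) and len(rules) > 1,
    }


# Constructed sample: two rules in one file, one of them using pe.imports().
SAMPLE_RULES = '''
import "pe"

rule uses_pe_module {
    strings:
        $user1 = "Administrator"
        $user2 = "SYSTEM"
    condition:
        all of ($user*) and pe.imports("advapi32.dll")
}

rule plain_strings {
    strings:
        $a = "clamav"
    condition:
        $a
}
'''

if __name__ == "__main__":
    for key, value in check_yara_file(SAMPLE_RULES).items():
        print(f"{key}: {value}")
```

Running it against a rules directory before a clamd reload lets you drop or rewrite the flagged files instead of discovering the problem as a scanner crash.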