I don't quite understand why you think it might not detect it. Text strings are not required to have an even number of digits. The hex equivalent to that string would be: {62 63 39 62 37 35 61 33 31 31 37 37 35 38 37 32 34 35 33 30 35 63 64 34 31 38 62 38 64 66 37 38 36 35 32 64 31 63 30 33 65 39 64 61 30 63 66 63 39 31 30 64 36 64 33 38 65 65 34 31 39 31 64 34 30}. As long as the string appears in a file, it should match.
I'd have to have the actual sample file in order to say anything more about it.

-Al-

On Sun, Aug 12, 2018 at 04:56 AM, Alessandro Vesely wrote:
> I'd be curious to know if NCCIC's Yara rule would detect it, because of:
>
>     strings:
>         // This is a "text" string, although it looks like a hex dump
>         // (except for having an odd number of digits)
>         $n = "bc9b75a31177587245305cd418b8df78652d1c03e9da0cfc910d6d38ee4191d40"
>
> (Recall that hex strings in Yara require curly braces, for example:
>         $h = {bc9b75a31177587245305cd418b8df78652d1c03e9da0cfc910d6d38ee4191d400}
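The text-versus-hex distinction discussed in this thread, as an added Python example that is not part of the original messages or of YARA itself. It models only plain substring matching (a text string without modifiers as case-sensitive ASCII, a hex string as raw byte values); the function names and the two sample buffers are constructed for illustration.

```python
# Added illustration; not code from the thread, from NCCIC or from the YARA project.
# It models plain substring matching only: a text string without modifiers is
# compared as case-sensitive ASCII, a hex string as raw byte values.

# Text string from the quoted rule (65 characters).
TEXT_STRING = "bc9b75a31177587245305cd418b8df78652d1c03e9da0cfc910d6d38ee4191d40"
# Hex string from the quoted message (66 digits, i.e. 33 whole bytes).
HEX_STRING = "bc9b75a31177587245305cd418b8df78652d1c03e9da0cfc910d6d38ee4191d400"


def text_to_hex_pattern(text: str) -> str:
    """Render a text string as the hex string that matches the same bytes."""
    return "{" + " ".join(f"{b:02x}" for b in text.encode("ascii")) + "}"


def hex_pattern_to_bytes(pattern: str) -> bytes:
    """Decode a wildcard-free hex string body; this helper rejects odd digit counts."""
    digits = "".join(pattern.strip("{} \t").split())
    if len(digits) % 2:
        raise ValueError("hex pattern must describe whole bytes (even number of digits)")
    return bytes.fromhex(digits)


def scan(data: bytes) -> dict:
    """Report which of the two string definitions would hit in data."""
    return {
        "text": TEXT_STRING.encode("ascii") in data,
        "hex": hex_pattern_to_bytes(HEX_STRING) in data,
    }


# Constructed samples: one carries the value as printable characters,
# the other carries the same digits packed as raw bytes.
SAMPLE_PRINTABLE = b"key=" + TEXT_STRING.encode("ascii") + b"\n"
SAMPLE_RAW = b"\x00\x01" + bytes.fromhex(HEX_STRING) + b"\xff"

if __name__ == "__main__":
    print(text_to_hex_pattern(TEXT_STRING))
    print("printable sample:", scan(SAMPLE_PRINTABLE))
    print("raw sample:      ", scan(SAMPLE_RAW))
```

Which form a rule needs depends on how the value is stored in the file: the text form only hits where the digits appear as printable characters, the hex form only where they are packed as bytes.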