Hi, I'm wondering if the --allmatch option/switch is useful here.
Regards,
R

On Sun, Aug 22, 2021 at 10:41 AM Zvi Kave via clamav-users <[email protected]> wrote:

> Hi Ged,
>
> Sorry. I hope you have some hair yet.
>
> I understand that I have to be patient.
>
> Thank you,
>
> Zvi
>
> On 8/19/2021 9:33 PM, G.W. Haywood via clamav-users wrote:
>
> Hi there,
>
> On Thu, 19 Aug 2021, Zvi Kave via clamav-users wrote:
>
> I found that yara strings like this: $re = /[0-9]{9}/
>
> find only first 9-digit match in file.
>
> This spoils my logic ...
>
> After tearing out most of what remains of my hair over Yara rules in
> ClamAV, my advice is not to try anything fancy until the Yara engine
> is completely replaced. My list of the faults in it keeps on growing,
> and AFAICT there's no prospect of any attention being paid to them in
> the foreseeable future. As you have seen there are reports going back
> years. If I had time I'd do it myself, but I don't. I've reached the
> point where I code Yara rules in as simple a way as I possibly can and
> every time I add a new rule or modify an existing one I hope not to
> find another fault in the engine. Sometimes I've spent hours trying
> to get it to do a single match correctly and finally given up. It's a
> terrible shame, because (here at least) Yara rules by a very long way
> find more spam and malicious mail content than anything else:
>
> $ grep FOUND /var/log/mail.debug | wc -l
> 60072
> $ grep FOUND /var/log/mail.debug | grep -v YARA | wc -l
> 11530
> $ grep FOUND /var/log/mail.debug | grep -v '\(YARA\|MANUAL\)' | wc -l
> 2876
> $ grep FOUND /var/log/mail.debug | grep -v '\(YARA\|MANUAL\|UNOFFICIAL\)' | wc -l
> 20
> $
>
> This is a single mail server, approximately 19 days of August 2021.
> I'd consider it a low-volume site. For whatever reasons we see very
> little malicious mail, rarely more than two or three items of malware
> in a typical day, but quite a lot of spam. I don't know how this
> compares with the experience of other people here on the list.
>
> _______________________________________________
>
> clamav-users mailing list
> [email protected]
> https://lists.clamav.net/mailman/listinfo/clamav-users
>
> Help us build a comprehensive ClamAV guide:
> https://github.com/vrtadmin/clamav-faq
>
> http://www.clamav.net/contact.html#ml
