G.W. Haywood via clamav-users wrote:
> Hi Micah,
>
> On Wed, 16 Mar 2022, Micah Snyder (micasnyd) wrote:
>> I'm not sure what you mean here.  Can you elaborate?  If you simply
>> want ClamAV to ignore garbage rules on load and continue with the rest
>> of the file (see point #4) - that's something we can easily improve
>> regardless of what we do. And that's how our yara rule loading logic
>> works right now.
>
> I strongly feel that if it finds a problem, rather than silently load
> some sub-optimal ruleset the parser should abandon the reload of the
> entire ruleset.  Obviously it should warn when it does that.  I guess
> this might be an issue if it's running on a machine with too little
> RAM to reload while simultaneously scanning with the previous ruleset,
> but something like a --test-ruleset option could probably handle that.

TBH I'd prefer if Clam *did* continue, just skipping malformed rules (and also whinging loudly in the log).

Either would be better than just exiting (it's not a hard *crash*, it's "just" refusing to load a file with a malformed signature - including things like entirely blank lines).


> While I was looking at this I also came upon another quirk that can be
> a bit of a nuisance.  AFAICT Yara strings can only be delimited by one
> of two characters, either a double-quote (for a literal string) or a
> forward-slash (for a regex).  It would help to be able to choose the
> quote character like in Perl; if not, at least having more available
> to choose from could make many expressions more readable, especially
> those which target e.g. HTML and links in mail (both of which tend to
> have many occurrences of double-quote or forward-slash characters).

Strictly speaking, four characters (the {} delimiters for hex strings). To my reading this is part of the upstream Yara spec, and I'd be wary of extending this particular bit without at least requiring some blatant, obvious flag in any such rule to clearly indicate that it's not stock Yara syntax.

-kgd
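As an added illustration (not ClamAV's or YARA's code, and not from anyone in this thread), the following simplified Python pre-check shows the four string delimiters discussed above ("text", /regex/ and { hex }) and the "skip the malformed rule, warn loudly, load the rest" policy kgd prefers. The ruleset, the regexes and the function name load_rules are constructed for this example; it is a line-level sanity check, not a full YARA parser.

```python
import re

# Constructed sample ruleset (not real signatures): a rule using all three
# YARA string forms, with a blank line in its body, and a rule whose text
# string is missing its closing double-quote.
SAMPLE_RULES = r'''
rule html_link {
    strings:
        $a = "<a href=\"http://"
        $b = /href=\/[a-z]+\.php/i

        $c = { 4D 5A 90 00 }
    condition:
        any of them
}
rule broken_delimiter {
    strings:
        $a = "unterminated
    condition:
        $a
}
'''

_RULE_HEAD = re.compile(r'^\s*(?:private\s+|global\s+)*rule\s+(\w+)', re.M)
# The three string delimiters: "text", /regex/flags and { hex bytes }.
_STRING_LINE = re.compile(
    r'^\$\w*\s*=\s*('
    r'"(?:[^"\\]|\\.)*"'                # text string, backslash escapes
    r'|/(?:[^/\\]|\\.)+/[a-z]*'         # regex, escapes, optional flags
    r'|\{[0-9A-Fa-f?\s\[\]\-()|]+\}'    # hex string incl. wildcards/jumps
    r')(\s+\w+)*$')                     # modifiers such as nocase, wide

def load_rules(text, log=print):
    """Return names of rules whose strings section parses; warn loudly
    about the rest and carry on, rather than rejecting the whole file."""
    heads = list(_RULE_HEAD.finditer(text))
    loaded = []
    for i, m in enumerate(heads):
        end = heads[i + 1].start() if i + 1 < len(heads) else len(text)
        chunk = text[m.end():end]
        s, c = chunk.find('strings:'), chunk.find('condition:')
        body = chunk[s + 8:c] if -1 < s < c else ''   # blank lines skipped
        bad = [l.strip() for l in body.splitlines()
               if l.strip() and not _STRING_LINE.match(l.strip())]
        if bad:
            log('WARNING: skipping rule %s: malformed string %s' % (m.group(1), bad[0]))
        else:
            loaded.append(m.group(1))
    return loaded
```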

_______________________________________________

clamav-users mailing list
[email protected]
https://lists.clamav.net/mailman/listinfo/clamav-users
