Hi there,

The documentation on ClamAV's implementation of Yara points to

http://plusvic.github.io/yara/

which describes several important differences between the different
versions of what might be called the reference Yara engine.  When we
write Yara rules, it's obviously important to know which features of
the Yara language are supported by ClamAV and which are not.

I'm not sure if the 'word boundary' atoms (\b, \B) are supported or
not - I don't even know how to find out, except perhaps at the risk of
crashing clamd.  I *think* I managed to do that with a bad Yara rule. :(
Although it wasn't one which used \b or \B, that prompted this message.

AFAICT the ClamAV Yara implementation hasn't changed a great deal
since it was first released - meaning that we will be working with
approximately Yara version 2.1.0.  That's based on this quote from
.../libclamav/yara_clam.h, which is present in the ClamAV sources
since clamav-0.99 (1st December 2015):

/* Most of this file was derived from Yara 2.1.0 libyara/yara.h and
 * other YARA header files. Following is the YARA copyright. */

Perhaps the Yara version to which the ClamAV implementation adheres
should be documented in

https://www.clamav.net/documents/using-yara-rules-in-clamav

and the section on limitations should be extended.

Is there a way to test Yara rules before asking ClamAV to apply them?
At the moment I simply send a RELOAD command to clamd - and hope that
it survives.

--

73,
Ged.
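On the question of testing rules before a RELOAD: the script below is an added example of mine, not something from the original post or from the ClamAV project. It loads a rule file into a throwaway clamscan process (the same libclamav code path, but in a process that can die without taking the daemon with it) and maps clamscan's exit status. It assumes clamscan from ClamAV 0.99 or later is on PATH; the rule and the sample file it writes are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original post or from ClamAV): load a YARA
# rule file into a short-lived clamscan before handing it to clamd, so a
# rule ClamAV rejects fails here instead of in the daemon.
# Assumes clamscan (ClamAV 0.99+) is on PATH. The rule and the sample
# written by run_selftest are constructed for this example.

# check_yara_rules RULEFILE SAMPLE
# Exit status (clamscan's own codes, plus one of ours):
#   0  rule file loaded; SAMPLE did not match any rule
#   1  rule file loaded; SAMPLE matched (clamscan prints the rule name)
#   2  clamscan refused the rule file or failed for another reason
#   3  clamscan is not installed, so nothing was checked
check_yara_rules() {
    rules=$1
    sample=$2
    # ClamAV only treats files ending in .yar or .yara as YARA rule sets.
    case $rules in
        *.yar|*.yara) ;;
        *) echo "check_yara_rules: $rules must end in .yar or .yara" >&2; return 2 ;;
    esac
    [ -s "$rules" ] || { echo "check_yara_rules: missing or empty: $rules" >&2; return 2; }
    command -v clamscan >/dev/null 2>&1 || { echo "check_yara_rules: clamscan not found" >&2; return 3; }
    # -d loads only this file as the signature database, so a load failure
    # is attributable to the rules under test; --no-summary keeps the
    # output down to match lines and error messages.
    clamscan -d "$rules" --no-summary "$sample"
}

# Writes a constructed rule plus a constructed sample that should match it,
# runs the check in a temporary directory, and propagates the status.
run_selftest() {
    dir=$(mktemp -d) || return 2
    cat > "$dir/selftest.yar" <<'EOF'
rule clamav_yara_selftest
{
    strings:
        $token = "CLAMAV_YARA_SELFTEST_TOKEN"
    condition:
        $token
}
EOF
    printf 'constructed sample: CLAMAV_YARA_SELFTEST_TOKEN\n' > "$dir/sample.bin"
    rc=0
    check_yara_rules "$dir/selftest.yar" "$dir/sample.bin" || rc=$?
    rm -rf "$dir"
    return $rc
}
```

Usage: `. ./check_yara.sh; check_yara_rules /etc/clamav/myrules.yar /path/to/known-good-sample; echo $?` (or `run_selftest; echo $?` for the built-in rule). A status of 2 means clamscan would not load the file, and the error text on stderr is the same message clamd would log; only after a 0 or 1 is it worth sending RELOAD to clamd. A rule that loads but never matches a sample you expect it to match is the other signal to look for, since that is how an unsupported atom shows up when the parser accepts it silently.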
_______________________________________________

clamav-devel mailing list
clamav-devel@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-devel

Please submit your patches to our Github: 
https://github.com/Cisco-Talos/clamav-devel/pulls

Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml