On Thu, Jun 30, 2016 at 10:06 AM, Axb <axb.li...@gmail.com> wrote:
>
> When trying to use filesize condition in a Yara sig
>
> rule FileSize_200KB
> {
>   condition:
>     filesize < 200KB
> }
>

Hi,
That is correct. ClamAV uses matching of yara strings to drive the yara condition. filesize will work in a yara condition in ClamAV, but only when there is a string match. I'd suppose something like this should work:

rule Filesize_200KB
{
  strings:
    $abc = "abc"
  condition:
    ($abc and not $abc) and filesize < 200KB
}

Steve
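A pre-load check for the limitation described in the reply above, as an added example that is not part of the original thread or of ClamAV's code: it lists rules that have a condition but no strings section, which leaves ClamAV no string match to drive the condition. The function name and sample rules are constructed for illustration, and the scan is a textual approximation, not a full YARA parser.

```python
import re

# Constructed sample: the condition-only rule from the question, plus a rule
# with a strings section (the string value is an arbitrary placeholder).
SAMPLE = r'''
rule FileSize_200KB
{
    condition:
        filesize < 200KB
}

rule Marker_Under_200KB
{
    strings:
        $m = "abc"
    condition:
        $m and filesize < 200KB
}
'''

# Quoted literals and comments, so their contents cannot look like keywords.
TOKEN = re.compile(r'"(?:\\.|[^"\\\n])*"|/\*.*?\*/|//[^\n]*', re.S)
RULE = re.compile(r'\brule\s+(\w+)')
SECTION = re.compile(r'\b(strings|condition)\s*:')


def _blank(match):
    # Keep a string literal as empty quotes; replace a comment with a space.
    return '""' if match.group(0).startswith('"') else ' '


def condition_only_rules(source):
    """Return the names of rules with a condition but no strings section."""
    text = TOKEN.sub(_blank, source)
    heads = list(RULE.finditer(text))
    flagged = []
    for i, head in enumerate(heads):
        # A rule's body runs up to the next rule header (or end of input).
        end = heads[i + 1].start() if i + 1 < len(heads) else len(text)
        found = {m.group(1) for m in SECTION.finditer(text, head.end(), end)}
        if 'condition' in found and 'strings' not in found:
            flagged.append(head.group(1))
    return flagged


if __name__ == '__main__':
    for name in condition_only_rules(SAMPLE):
        print(f'{name}: no strings section, condition has nothing to drive it')
```
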