For some additional info about running YARA rules in ClamAV, please see
section 3.11 in the ClamAV signatures manual:

https://github.com/vrtadmin/clamav-devel/blob/master/docs/signatures.pdf




On Mon, May 15, 2017 at 4:04 PM, Mark Foley <mfo...@novatec-inc.com> wrote:

> On Mon May 15 15:06:07 2017 "Eric Tykwinski" <eric-l...@truenet.com> wrote:
> >
> > Here are links to sample files, i.e. use at your own risk:
> > https://gist.github.com/rain-1/989428fa5504f378b993ee6efbc0b168
> >
> > Sincerely,
> >
> > Eric Tykwinski
> > TrueNet, Inc.
> > P: 610-429-8300
> >
>
> Well, it does seem to try and use the yara rule. Using one of the samples on
> the link you gave me:
>
> $ clamscan CYBERed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.EXE
> LibClamAV Error: yyerror(): /var/lib/clamav/wannaCry.yar line 3 non-ascii character
> LibClamAV Error: yyerror(): /var/lib/clamav/wannaCry.yar line 3 syntax error, unexpected $end, expecting _CONDITION_
> LibClamAV Error: cli_loadyara: failed to parse rules file /var/lib/clamav/wannaCry.yar, error count 2
>
> When I fixed the non-ascii character thing I got:
>
> > clamscan CYBERed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.EXE
>
> CYBERed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.EXE: Win.Trojan.Agent-6312832-0 FOUND
>
> ----------- SCAN SUMMARY -----------
> Known viruses: 6284809
> Engine version: 0.99.2
> Scanned directories: 0
> Scanned files: 1
> Infected files: 1
> Data scanned: 3.49 MB
> Data read: 3.35 MB (ratio 1.04:1)
> Time: 6.828 sec (0 m 6 s)
>
> The yara rule didn't find anything.
>
> I used sample .hxxps://transfer.sh/PnDIl/CYBERed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.EXE
>
> The page is headed, "WannaCry|WannaDecrypt0r NSA-Cyberweapon-Powered Ransomware Worm",
> so I would imagine the samples on this page are for wannaCry, right?
>
> --Mark
>
> > -----Original Message-----
> > From: clamav-users [mailto:clamav-users-boun...@lists.clamav.net] On Behalf Of Mark Foley
> > Sent: Monday, May 15, 2017 2:58 PM
> > To: clamav-users@lists.clamav.net
> > Subject: Re: [clamav-users] Malware/ransomware and Yara signatures with clamav
> >
> > On Sat May 13 13:25:07 2017 From: Alain Zidouemba <azidoue...@sourcefire.com> wrote:
> > >
> > > Yara rules have been supported by ClamAV since 2015:
> > > http://blog.clamav.net/2015/06/clamav-099b-meets-yara.html
> > >
> > > - Alain
> >
> > I'm following these instructions now. The instructions say, "just place your
> > YARA rule files into the ClamAV virus database location." I've copied the
> > Homeland Security yara script to a file, wannaCry.yar, in my /var/lib/clamav
> > directory.
> >
> > Is that it? No clamscan switch or config setting? Is there any way to
> > confirm this rule is being used?
> >
> > I also downloaded and looked at the yara repo on github. There are over 400
> > rules in the zipfile. To use some or all of them would I just unzip into my
> > database location?
> >
> > The instructions also say, "Regular expressions in both YARA rules and
> > ClamAV logical signatures require the Perl Compatible Regular Expressions
> > (PCRE) library." Is there a way to see if my clamAV was built with this?
> >
> > Thanks, Mark
> >
> > >
> > > On Sat, May 13, 2017 at 1:16 PM, Alex <mysqlstud...@gmail.com> wrote:
> > >
> > > > Hi,
> > > >
> > > > So you've probably heard of the latest ransomware dubbed WannaCry.
> > > > I'm wondering if anyone has figured out a way to integrate the yara
> > > > signatures for these types of exploits with spamassassin?
> > > >
> > > > https://www.us-cert.gov/ncas/alerts/TA17-132A
> > > >
> > > > What is the status of development of integration of yara rules into clamav?
> > > >
> > > > [deleted]
> > > >
> > > > Thanks,
> > > > Alex
_______________________________________________
clamav-users mailing list
clamav-users@lists.clamav.net
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
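The thread raises three practical checks that the replies only gesture at: the "non-ascii character" parse error (typically a typographic quote picked up when a rule is copied from a web page or PDF), how to confirm that a .yar file dropped into the database directory is actually loaded, and whether the build has PCRE. The script below is an added example written for this page; it is not code from the thread or from the ClamAV project. It assumes that clamconf prints an "Optional features supported:" line that names PCRE, that clamscan -d loads only the rule file given, and that clamscan exits with status 1 when a scanned file matches. The rule and marker string are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the thread or the ClamAV project): pre-flight checks
# for a YARA rule file before it goes into the ClamAV database directory.
# Assumptions: clamconf prints an "Optional features supported:" line listing
# PCRE; clamscan -d loads only the given rule file; clamscan exits 1 on a match.

# Print every line of FILE that holds a byte outside 7-bit ASCII and return 1;
# return 0 (printing nothing) if the file is clean. LC_ALL=C makes [[:print:]]
# mean exactly 0x20-0x7E, so a UTF-8 curly quote is caught wherever it sits.
yara_ascii_check() {
    if LC_ALL=C grep -n -v '^[[:print:][:space:]]*$' "$1"; then
        return 1
    fi
    return 0
}

# Write FILE to stdout with the UTF-8 typographic quotes that copy-paste from a
# web page or PDF typically introduces replaced by plain ASCII quotes.
# The octal sequences are the UTF-8 encodings of U+201C/U+201D/U+2018/U+2019.
yara_fix_quotes() {
    ldq=$(printf '\342\200\234'); rdq=$(printf '\342\200\235')
    lsq=$(printf '\342\200\230'); rsq=$(printf '\342\200\231')
    LC_ALL=C sed -e "s/$ldq/\"/g" -e "s/$rdq/\"/g" \
                 -e "s/$lsq/'/g"  -e "s/$rsq/'/g" "$1"
}

# Return 0 if this ClamAV build reports PCRE support (needed for regex strings
# in YARA rules and for ClamAV's own PCRE logical signatures).
clamav_has_pcre() {
    clamconf 2>/dev/null | grep -q 'Optional features supported:.*PCRE'
}

# Positive control for "is my rule being used?": load ONLY the rule file via -d,
# scan a constructed file that contains MARKER, and succeed only if clamscan
# reports a match (exit status 1). No other signatures are loaded, so the run is
# fast and the only thing that can fire is the rule under test.
yara_rule_loaded() {
    sample=$(mktemp)
    printf 'harmless constructed test file containing %s\n' "$2" > "$sample"
    clamscan --no-summary -d "$1" "$sample"
    rc=$?
    rm -f "$sample"
    [ "$rc" -eq 1 ]
}

# --- demo on a constructed rule; the curly quotes stand in for what a
# copy-paste from a web page usually leaves behind ---
demo_rule=$(mktemp)
printf 'rule demo_marker {\n  strings:\n    $s = \342\200\234CLAMAV_YARA_DEMO_MARKER\342\200\235\n  condition:\n    $s\n}\n' > "$demo_rule"

# clamscan picks the parser by extension, so the cleaned copy must end in .yar
clean_rule=$demo_rule.yar
if yara_ascii_check "$demo_rule"; then
    echo "rule file is pure ASCII"
    cp "$demo_rule" "$clean_rule"
else
    echo "non-ASCII bytes found (lines above); rewriting typographic quotes"
    yara_fix_quotes "$demo_rule" > "$clean_rule"
fi

if command -v clamscan >/dev/null 2>&1; then
    clamav_has_pcre && echo "build has PCRE" || echo "no PCRE in this build"
    if yara_rule_loaded "$clean_rule" CLAMAV_YARA_DEMO_MARKER; then
        echo "rule loaded and matched"
    else
        echo "rule did not match: check clamscan's parse errors above"
    fi
fi
rm -f "$demo_rule" "$clean_rule"
```

Two usage notes. First, the non-ASCII check is worth running over every file unpacked from a rule repository before it lands in /var/lib/clamav, because a single unparsable .yar file is reported at load time on every scan. Second, clamscan reports only the first signature that matches a file, so a sample that the official database already names (as Win.Trojan.Agent-6312832-0 above) will not show a YARA hit even when the rule is loaded and would fire; scan with clamscan --allmatch (-z), or load only the rule with -d as the script does, to see whether the rule itself matches.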
