On Tue, 4 Jul 2017 11:47:35 -0400 eric-l...@truenet.com wrote
> > Eric - you misunderstand my question. I'm not asking if the yara rule is
> > working as designed. I'm asking how I can tell if clamav-milter is actually
> > running the rule during its scan of incoming email. All I did was put
> > expetr.yara in /var/lib/clamav. That's it. I don't know if that's sufficient,
> > whether .yara or .yar is the proper file type (I've seen both), what the file
> > permissions should be ... In short, I have no feedback from clamav that it even
> > notices the presence of this rule.
> >
> > Can I set a debug level or something in clamd.conf, clamdscan.conf or
> > clamav-milter.conf?
> >
> > --Mark
>
> If you're using clamav-milter, then turn on logging:
>
> LogFile STRING
> Enable logging to selected file.
> Default: no
>
> LogInfected STRING
> This option allows you to tune what is logged when a message is infected.
> Possible values are Off (the default - nothing is logged), Basic (minimal
> info logged), Full (verbose info logged)
> Note: For this to work properly in sendmail, make sure the msg_id, mail_addr,
> rcpt_addr and i macros are available in eom. In other words add a line like:
> Milter.macros.eom={msg_id}, {mail_addr}, {rcpt_addr}, i to your .cf file.
> Alternatively use the macro: define(`confMILTER_MACROS_EOM', `{msg_id},
> {mail_addr}, {rcpt_addr}, i')
> Postfix should be working fine with the default settings.
> Default: disabled
Thanks for the response Eric. I've checked clamav-milter.conf and logging is
turned on, and some of the older rotated log files do have messages about past
catches. My LogInfected is set to Full. I did add the confMILTER_MACROS_EOM
setting you suggested to my sendmail.mc, re-genned .cf and restarted sendmail.

> Depending on your clamd.conf, it should show what DBs to load.
> DatabaseDirectory STRING
> Path to a directory containing database files.
> OfficialDatabaseOnly BOOL
> Only load the official signatures published by the ClamAV project.
> Default: no

All my clamd.conf settings are as you describe:
DatabaseDirectory /var/lib/clamav (the yara rule is here)
OfficialDatabaseOnly is default (commented out)

> I found the Yara rule I think you're using, but it requires a Win32 executable:
> condition:
>
> uint16(0) == 0x5A4D and
> filesize < 1000000 and
> any of them

Yes, that appears to be correct. I got the rule from
https://securelist.com/schroedingers-petya/78870/ and it does end the way you
indicate.

> So you could use something like PAR::Packer and try to compile a quick PERL
> script, but I would just put in a test yara rule like I emailed previously and
> send yourself an email. It should show up in the log file, and you'll be
> sure it's working.
>
> Eric

Here's where you lost me! First off, I did try creating an email containing the
string about "POWER CABLE" as defined in the rule. I sent the message, but
nothing was detected. Although, not being versed in yara, I may need more
conditions set than that. BUT ... I'm not asking you about
debugging/interpreting a yara script. I'll check that elsewhere. I'm just trying
to figure out if clamav-milter on Linux is running this check.

What do you mean, "it requires a Win32 executable"? Does that mean this rule
will not run on Linux? Not being a frequent Perl user, I don't know what you're
saying with "you could use something like PAR::Packer and try to compile a quick
PERL script".
I have a feeling explaining that is a lot more involved than you'd care to go
into, but if you can do so in a one- or two-liner, please do. So, will this rule
run as is, or not, on Linux? Do I have to do something?

Thanks,
Mark

_______________________________________________
clamav-users mailing list
clamav-users@lists.clamav.net
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users

Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
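The quoted condition explains the failed "POWER CABLE" mail test without any YARA expertise: `uint16(0) == 0x5A4D` reads the first two bytes of the scanned object as a little-endian 16-bit integer, and 0x4D 0x5A is the ASCII "MZ" DOS/PE header, so a plain-text message body fails the very first AND term before any of the rule's strings are examined. The script below is an added example, not code from the thread or from ClamAV: it builds a constructed sample that satisfies the two structural preconditions (MZ header, under 1,000,000 bytes) and carries a marker string, evaluates each sub-condition the way the rule would, shows that the same marker in a text mail cannot match, and, where clamscan is installed, scans the sample against one rule file with `--database` so the result does not depend on what else is in /var/lib/clamav. The rule path `./expetr.yar`, the sample file names and the use of "POWER CABLE" as the marker are assumptions; the rule's real string set is in the securelist write-up and is not reproduced here.

```shell
#!/bin/sh
# Added example (not from the clamav-users thread or from ClamAV itself).
# Assumptions: the rule lives in ./expetr.yar, and "POWER CABLE" stands in
# for one of the rule's strings; the real string set is in the securelist post.

# Build a constructed sample that satisfies the quoted condition's structural
# preconditions: uint16(0) == 0x5A4D (bytes 4D 5A, i.e. "MZ", little-endian)
# and filesize < 1000000. A text mail body fails the first test outright.
make_test_sample() {
    out="$1"
    printf 'MZ' > "$out"                 # DOS/PE header magic
    printf '\220\220\220\220' >> "$out"  # a few filler bytes (0x90)
    printf 'POWER CABLE' >> "$out"       # assumed marker string
}

# uint16(0) == 0x5A4D: read the first two bytes and compare with "MZ".
header_is_mz() {
    [ "$(dd if="$1" bs=2 count=1 2>/dev/null)" = "MZ" ]
}

# filesize < 1000000 (tr strips the leading blanks some wc builds print).
size_under_limit() {
    [ "$(wc -c < "$1" | tr -d ' ')" -lt 1000000 ]
}

# "any of them": true when at least one rule string is present.
# Only the assumed marker is checked here.
has_marker_string() {
    grep -q 'POWER CABLE' "$1"
}

# The rule ANDs the three terms, so evaluate them in order and stop at the
# first failure; for a text mail that is the header check.
rule_would_match() {
    header_is_mz "$1" && size_under_limit "$1" && has_marker_string "$1"
}

# Scan one sample against one rule file. --database restricts clamscan to
# that file, so a FOUND line proves the rule loaded and matched on its own.
# clamscan exit status: 0 clean, 1 infected, 2 error. Add --debug to see
# libclamav's database-loading messages for the rule file.
scan_with_rule() {
    rule="$1"; sample="$2"
    if ! command -v clamscan >/dev/null 2>&1; then
        echo "clamscan not installed; skipping the real scan" >&2
        return 2
    fi
    clamscan --database="$rule" "$sample"
}

# Demo: the MZ sample passes the precheck, the text mail with the same
# marker does not, which is the outcome Mark saw with his test message.
sample="${TMPDIR:-/tmp}/expetr-sample.bin"      # constructed file
textmail="${TMPDIR:-/tmp}/expetr-textmail.txt"  # constructed file
make_test_sample "$sample"
printf 'Subject: test\n\nPOWER CABLE\n' > "$textmail"
if rule_would_match "$sample"; then
    echo "precheck: $sample satisfies header, size and marker terms"
fi
if ! rule_would_match "$textmail"; then
    echo "precheck: $textmail has the marker but no MZ header; rule cannot fire"
fi
scan_with_rule ./expetr.yar "$sample" || echo "scan exit status: $?"
```

clamscan loads the rule file fresh on every run, which answers "does ClamAV accept this rule at all" (and, with `--debug`, whether it was loaded under the .yar or .yara name). The milter goes through clamd instead, which read its DatabaseDirectory when it started, so to test the path the milter actually uses, restart clamd (or wait for its periodic SelfCheck to notice the changed directory) and then run `clamdscan` on the same sample; a FOUND there means the running daemon has the rule.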