On Tue, 4 Jul 2017 11:47:35 -0400 eric-l...@truenet.com  wrote
> > Eric - you misunderstand my question.  I'm not asking if the yara rule is
> > working as designed.  I'm asking how I can tell if clamav-milter is actually
> > running the rule during its scan of incoming email.  All I did was put
> > expetr.yara in /var/lib/clamav.  That's it.  I don't know if that's sufficient,
> > whether .yara or .yar is the proper file type (I've seen both), what the file
> > permissions should be ...  In short, I have no feedback from clamav that it even
> > notices the presence of this rule.
> > 
> > Can I set a debug level or something in clamd.conf, clamdscan.conf or
> > clamav-milter.conf?
> > 
> > --Mark
>
> If you're using clamav-milter, then turn on logging:
> LogFile STRING
> Enable logging to selected file. 
> Default: no
>
> LogInfected STRING
> This option allows you to tune what is logged when a message is infected. 
> Possible values are Off (the default - nothing is logged), Basic (minimal 
> info logged), Full (verbose info logged) 
> Note: For this to work properly in sendmail, make sure the msg_id, mail_addr, 
> rcpt_addr and i macros are available in eom. In other words add a line like: 
> Milter.macros.eom={msg_id}, {mail_addr}, {rcpt_addr}, i to your .cf file. 
> Alternatively use the macro: define(`confMILTER_MACROS_EOM', `{msg_id}, 
> {mail_addr}, {rcpt_addr}, i') 
> Postfix should be working fine with the default settings. 
> Default: disabled
>

Thanks for the response Eric. I've checked clamav-milter.conf and logging is
turned on and some of the older rotated log files do have messages about past
catches.

My LogInfected is set to Full

I did add the confMILTER_MACROS_EOM setting you suggested to my sendmail.mc,
re-genned .cf and restarted sendmail.

> Depending on your clamd.conf, it should show what DBs to load.
> DatabaseDirectory STRING
> Path to a directory containing database files.
> OfficialDatabaseOnly BOOL
> Only load the official signatures published by the ClamAV project.
> Default: no

All my clamd.conf settings are as you describe:
DatabaseDirectory /var/lib/clamav (the yara rule is here)
OfficialDatabaseOnly is default (commented out)

> I found the Yara rule I think you're using, but it requires a Win32 executable:
> condition:
>
>     uint16(0) == 0x5A4D and
>     filesize < 1000000 and
>     any of them

Yes, that appears to be correct. I got the rule from
https://securelist.com/schroedingers-petya/78870/ and it does end the way you
indicate.

> So you could use something like PAR::Packer and try to compile a quick PERL 
> script, but I would just put in a test yara rule like I emailed previously and 
> send yourself an email.  It should show up in the log file, and you'll be 
> sure it's working.
>
> Eric

Here's where you lost me! First off, I did try creating an email containing the
string about "POWER CABLE" as defined in the rule.  I sent the message, but
nothing was detected.  Although, not being versed in yara, I may need more
conditions set than that.

BUT ... I'm not asking you about debugging/interpreting a yara script. I'll
check that elsewhere. I'm just trying to figure out if clamav-milter on Linux is
running this check.

What do you mean, "it requires a Win32 executable"? Does that mean this rule
will not run on Linux?

Not being a frequent Perl user, I don't know what you're saying with "you could
use something like PAR::Packer and try to compile a quick PERL script". I have a
feeling explaining that is a lot more involved than you'd care to go into, but
if you can do so in a one- or two-liner, please do.

So, will this rule run as is, or not, on Linux? Do I have to do something?

Thanks, Mark
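As an added illustration (not part of the thread, and not the rule's own code), here is a small evaluator for the three clauses of the condition Eric quoted. It shows why a plain-text test email never matches: `uint16(0) == 0x5A4D` reads the first two bytes of the scanned file little-endian, so they must be the "MZ" that starts a Windows executable; the rule runs fine on a Linux scanner, it just only fires on such files. The marker strings and sample buffers below are constructed placeholders, not the real rule's strings.

```python
import struct

MZ_MAGIC = 0x5A4D        # uint16(0) == 0x5A4D  <=>  file starts with b"MZ" (little-endian)
MAX_SIZE = 1000000       # filesize < 1000000
# Constructed stand-ins for the rule's "strings:" section (hypothetical markers).
TEST_STRINGS = [b"TEST_MARKER_ONE", b"TEST_MARKER_TWO"]


def uint16(data: bytes, offset: int):
    """YARA-style uint16(offset): unsigned little-endian 16-bit read; None if out of range."""
    if len(data) < offset + 2:
        return None
    return struct.unpack_from("<H", data, offset)[0]


def failing_clause(data: bytes, strings=TEST_STRINGS) -> str:
    """Evaluate the condition clause by clause and name the first one that fails.

    Returns "match" when all three clauses hold, otherwise "magic", "filesize" or "strings".
    """
    if uint16(data, 0) != MZ_MAGIC:      # not an MZ/PE-style file: rule never fires
        return "magic"
    if len(data) >= MAX_SIZE:            # too big for the rule's size guard
        return "filesize"
    if not any(s in data for s in strings):   # "any of them": at least one string present
        return "strings"
    return "match"


def rule_matches(data: bytes, strings=TEST_STRINGS) -> bool:
    """True only when uint16(0) == 0x5A4D and filesize < 1000000 and any of them."""
    return failing_clause(data, strings) == "match"


# Constructed samples (not real malware): a PE-shaped buffer, a mail body, an oversized buffer.
PE_LIKE = b"MZ" + b"\x90" * 62 + b"PE\x00\x00" + b"\x00" * 100 + b"TEST_MARKER_ONE" + b"\x00" * 16
MAIL_BODY = b"Subject: test\r\n\r\nThis mail contains TEST_MARKER_ONE in plain text.\r\n"
BIG_PE_LIKE = b"MZ" + b"\x00" * MAX_SIZE + b"TEST_MARKER_ONE"

if __name__ == "__main__":
    for name, sample in [("PE_LIKE", PE_LIKE), ("MAIL_BODY", MAIL_BODY), ("BIG_PE_LIKE", BIG_PE_LIKE)]:
        print(f"{name}: {failing_clause(sample)}")
```

Only PE_LIKE matches; the mail body fails on the magic clause, which is the same outcome clamav-milter would report for a text-only test message under this rule.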
_______________________________________________
clamav-users mailing list
clamav-users@lists.clamav.net
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
