Hi there,

On Thu, 19 Aug 2021, Zvi Kave via clamav-users wrote:

I found that yara strings like this: $re = /[0-9]{9}/

find only first 9-digit match in file.

This spoils my logic ...

After tearing out most of what remains of my hair over Yara rules in
ClamAV, my advice is not to try anything fancy until the Yara engine
is completely replaced.  My list of the faults in it keeps on growing,
and AFAICT there's no prospect of any attention being paid to them in
the foreseeable future.  As you have seen there are reports going back
years.  If I had time I'd do it myself, but I don't.  I've reached the
point where I code Yara rules in as simple a way as I possibly can and
every time I add a new rule or modify an existing one I hope not to
find another fault in the engine.  Sometimes I've spent hours trying
to get it to do a single match correctly and finally given up.  It's a
terrible shame, because (here at least) Yara rules by a very long way
find more spam and malicious mail content than anything else:

$ grep FOUND /var/log/mail.debug | wc -l
60072
$ grep FOUND /var/log/mail.debug | grep -v YARA | wc -l
11530
$ grep FOUND /var/log/mail.debug | grep -v '\(YARA\|MANUAL\)' | wc -l
2876
$ grep FOUND /var/log/mail.debug | grep -v '\(YARA\|MANUAL\|UNOFFICIAL\)' | wc -l
20
$

This is a single mail server, approximately 19 days of August 2021.
I'd consider it a low-volume site.  For whatever reasons we see very
little malicious mail, rarely more than two or three items of malware
in a typical day, but quite a lot of spam.  I don't know how this
compares with the experience of other people here on the list.

--

73,
Ged.
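The four nested grep counts in the message above can be reproduced, and turned into a per-source breakdown, with the following Python script. This is an added example, not part of Ged's post or of ClamAV itself. The log lines are constructed; the only assumption carried over from the post's grep pipeline is that every detection line contains the signature name followed by the word FOUND, and that the strings YARA, MANUAL and UNOFFICIAL appear in the names of rules from those sources.

```python
import re
from collections import Counter

# Constructed sample of mail.debug detection lines (not taken from the post).
# The real line format depends on the milter/clamd setup; the assumption here is
# only that a hit line ends with "<signature name> FOUND", as grep FOUND relies on.
SAMPLE_LOG = """\
Aug 10 09:14:02 mx clamav-milter[1234]: Message from a: YARA.Spam_pharma_1.UNOFFICIAL FOUND
Aug 10 09:15:11 mx clamav-milter[1234]: Message from b: MANUAL.Phish_bank_2.UNOFFICIAL FOUND
Aug 10 09:16:40 mx clamav-milter[1234]: Message from c: Sanesecurity.Spam.12345.UNOFFICIAL FOUND
Aug 10 09:17:05 mx clamav-milter[1234]: Message from d: Win.Trojan.Agent-123 FOUND
Aug 10 09:18:22 mx clamav-milter[1234]: Message from e: YARA.Spam_lottery_3.UNOFFICIAL FOUND
Aug 10 09:19:00 mx clamav-milter[1234]: Message from f: clean, delivered
"""

# Order matters: it mirrors the post's successive `grep -v` exclusions, so a
# YARA rule whose name also carries the UNOFFICIAL suffix is counted as YARA.
TAGS = ("YARA", "MANUAL", "UNOFFICIAL")
SIG_RE = re.compile(r"(\S+) FOUND\b")


def found_lines(log_text):
    """Equivalent of `grep FOUND`: keep only detection lines."""
    return [ln for ln in log_text.splitlines() if "FOUND" in ln]


def signature_name(line):
    """Pull the signature name out of a detection line, or None if absent."""
    m = SIG_RE.search(line)
    return m.group(1) if m else None


def nested_exclusion_counts(lines):
    """Reproduce the four numbers from the post: total, then the count left
    after dropping YARA, then MANUAL, then UNOFFICIAL hits in turn."""
    counts = [len(lines)]
    remaining = lines
    for tag in TAGS:
        remaining = [ln for ln in remaining if tag not in ln]
        counts.append(len(remaining))
    return counts


def classify(line):
    """First matching tag wins; anything else is assumed to be an official
    ClamAV database signature (assumption, not something the post states)."""
    for tag in TAGS:
        if tag in line:
            return tag
    return "OFFICIAL"


def breakdown(lines):
    """Per-source hit counts computed directly from the lines."""
    return dict(Counter(classify(ln) for ln in lines))


def breakdown_from_counts(counts):
    """Derive the same per-source totals from the cumulative grep figures alone,
    which is what the post's numbers let a reader do without the log."""
    total, no_yara, no_yara_manual, rest = counts
    return {
        "YARA": total - no_yara,
        "MANUAL": no_yara - no_yara_manual,
        "UNOFFICIAL": no_yara_manual - rest,
        "OFFICIAL": rest,
    }


if __name__ == "__main__":
    hits = found_lines(SAMPLE_LOG)
    print("nested counts:", nested_exclusion_counts(hits))
    print("breakdown:", breakdown(hits))
    # The post's own figures for ~19 days of August 2021 on one server:
    print("from post:", breakdown_from_counts([60072, 11530, 2876, 20]))
```

Running the last line against the figures in the message gives 48542 YARA hits, 8654 MANUAL, 2856 UNOFFICIAL and 20 from the remaining signatures, which is the arithmetic behind the claim that YARA rules account for most of what the server catches. The two breakdown functions agree on any log as long as the tag precedence matches the order of the `grep -v` exclusions.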

_______________________________________________

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml