Pretty sure you can write what you’re trying to look for with an ldb signature anyway.
— Sent from my iPhone

> On Feb 24, 2022, at 18:53, G.W. Haywood via clamav-users
> <clamav-users@lists.clamav.net> wrote:
>
> Hi there,
>
>> On Thu, 24 Feb 2022, Kris Deugau wrote:
>>
>> After chasing docs back and forth and trying small variations, I think I've
>> found what's arguably a bug in Clam's YARA implementation.
>> ...
>
> You too, huh?
>
> In my experience ClamAV's Yara implementation is absolutely riddled.
> It's so bad (and *years* out of date) that I don't think it would be
> worth the effort of trying to fix it. I'd say start again from
> scratch.
>
> I've eventually settled on a way of living with it which is basically
> "don't try anything fancy". If you're not careful it crashes clamd.
> Most of the time it seems to manage simple regexes reasonably well,
> but one example of fancy things not to try would be leaving out the
> case-insensitive match modifier 'nocase'.
>
> Having said that when you get it settled it does do good work. Here,
> with a few hundred well-chosen strings in a couple of dozen rules, it
> catches far more spam than anything else. We don't see much malware
> in our mail, so I haven't spent much time on non-text matching and
> can't offer much insight into how well it might do there.
>
> --
>
> 73,
> Ged.
>
> _______________________________________________
>
> clamav-users mailing list
> clamav-users@lists.clamav.net
> https://lists.clamav.net/mailman/listinfo/clamav-users
>
>
> Help us build a comprehensive ClamAV guide:
> https://github.com/vrtadmin/clamav-faq
>
> http://www.clamav.net/contact.html#ml