Hi there,

On Fri, 25 Feb 2022, Joel Esler via clamav-users wrote:

> Pretty sure you can write what you’re trying to look for with an ldb signature anyway.

One can write an LDB signature which might look like this:

8<----------------------------------------------------------------------
clamav-fullword-B;Engine:81-255,Target:0;0&1;414141;68656c6c6f::fi
8<----------------------------------------------------------------------

or the same with Yara in something which looks a bit like this:

8<----------------------------------------------------------------------
rule AAA_and_hello
{
  strings:
    $A = "AAA"
    $B = "hello"
  condition:
    all of them
}
8<----------------------------------------------------------------------

Efficiency/reliability aside, I know what I prefer for readability,
ease of maintenance and modification, combination with other rules
(e.g. for whitelisting), ...

-- 
73,
Ged.
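
An added example, not part of the original message and not ClamAV project code: a small Python decoder that splits the LDB line quoted above into its fields so the hex subsignatures and their `::` modifiers can be read as plainly as the YARA strings. The names `parse_ldb` and `describe` are hypothetical, and only plain hex subsignatures are decoded; anything with wildcards, offsets or PCRE is left as written.

```python
# Added illustration: decode a ClamAV logical (.ldb) signature line into its parts.
# Simplification: only plain hex subsignatures are turned back into text.
import string

# Subsignature modifier letters that may follow "::" in a logical signature.
MODIFIERS = {"i": "nocase", "f": "fullword", "w": "wide", "a": "ascii"}

def parse_ldb(line):
    """Split 'Name;TargetDescriptionBlock;LogicalExpression;Subsig0;Subsig1;...'."""
    fields = line.strip().split(";")
    if len(fields) < 4:
        raise ValueError("need name, target block, expression and one subsignature")
    name, tdb, expression, *raw_subsigs = fields
    # Target description block is a comma-separated list of Key:Value pairs.
    target = dict(pair.split(":", 1) for pair in tdb.split(",") if pair)
    subsigs = []
    for index, raw in enumerate(raw_subsigs):
        body, _, mods = raw.partition("::")
        unknown = set(mods) - set(MODIFIERS)
        if unknown:
            raise ValueError(f"subsig {index}: unknown modifier(s) {sorted(unknown)}")
        plain_hex = (bool(body) and len(body) % 2 == 0
                     and all(c in string.hexdigits for c in body))
        subsigs.append({
            "index": index,
            "hex": body,
            # Wildcards, offsets and PCRE are left undecoded rather than guessed at.
            "text": bytes.fromhex(body).decode("latin-1") if plain_hex else None,
            "modifiers": sorted(MODIFIERS[m] for m in set(mods)),
        })
    return {"name": name, "target": target,
            "expression": expression, "subsigs": subsigs}

def describe(sig):
    """Return a readable, line-per-subsignature summary of a parsed signature."""
    lines = [f"{sig['name']}: match when {sig['expression']} with {sig['target']}"]
    for s in sig["subsigs"]:
        shown = repr(s["text"]) if s["text"] is not None else s["hex"]
        mods = ", ".join(s["modifiers"]) or "no modifiers"
        lines.append(f"  subsig {s['index']}: {shown} [{mods}]")
    return lines

# The signature line quoted in the message above.
SAMPLE = "clamav-fullword-B;Engine:81-255,Target:0;0&1;414141;68656c6c6f::fi"

if __name__ == "__main__":
    print("\n".join(describe(parse_ldb(SAMPLE))))
```

In YARA, the string modifiers `nocase` and `fullword` are the counterparts of the `i` and `f` letters decoded here.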