There's not a lot that you can do in Yara rules that you can't do in LDB sigs... for what it's worth, here's a logical sig that detects the same thing as the Yara rules...
mbroekman@lothlorien:~$ grep MJB.JS.SendEmail clamdb/javascript_sigs.ldb | sigtool --decode-sigs
VIRUS NAME: MJB.JS.SendEmailFunc-0
TDB: Engine:90-255,Target:0
LOGICAL EXPRESSION: 0>3
 * SUBSIG ID 0
 +-> OFFSET: ANY
 +-> SIGMOD: NOCASE
 +-> DECODED SUBSIGNATURE:
<script{WILDCARD_ANY_STRING(LENGTH<=1)}type="text/javascript">{WILDCARD_ANY_STRING(LENGTH<=1)}function{WILDCARD_ANY_STRING(LENGTH<=1)}sendemail{WILDCARD_ANY_STRING(LENGTH<=1)}(){

mbroekman@lothlorien:~$ grep MJB.JS.SendEmail clamdb/javascript_sigs.ldb
MJB.JS.SendEmailFunc-0;Engine:90-255,Target:0;0>3;3c736372697074{-1}747970653d22746578742f6a617661736372697074223e{-1}66756e6374696f6e{-1}73656e64656d61696c{-1}28297b::i

mbroekman@lothlorien:~$ cat testfile
<script type="text/javascript">functionsendemail (){ }</script>
<script type="text/javascript">functionsendemail(){ }</script>
<script type="text/javascript">functionsendemail (){ }</script>
<script type="text/javascript">functionsendemail(){ }</script>

mbroekman@lothlorien:~$ clamscan --quiet testfile
mbroekman@lothlorien:~$ echo $?
1

mbroekman@lothlorien:~$ clamscan testfile
Loading:    10s, ETA:   0s [========================>]    8.61M/8.61M sigs
Compiling:   2s, ETA:   0s [========================>]       41/41 tasks
/Users/mbroekman/testfile: MJB.JS.SendEmailFunc-0.UNOFFICIAL FOUND

----------- SCAN SUMMARY -----------
Known viruses: 8606446
Engine version: 0.104.2
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 0.00 MB
Data read: 0.00 MB (ratio 0.00:1)
Time: 12.433 sec (0 m 12 s)
Start Date: 2022:02:25 10:54:32
End Date:   2022:02:25 10:54:45

On Fri, Feb 25, 2022 at 7:00 AM Joel Esler via clamav-users <clamav-users@lists.clamav.net> wrote:

> Pretty sure you can write what you're trying to look for with an ldb
> signature anyway.
>
> —
> Sent from my iPhone
>
> > On Feb 24, 2022, at 18:53, G.W. Haywood via clamav-users <clamav-users@lists.clamav.net> wrote:
> >
> > Hi there,
> >
> >> On Thu, 24 Feb 2022, Kris Deugau wrote:
> >>
> >> After chasing docs back and forth and trying small variations, I think
> >> I've found what's arguably a bug in Clam's YARA implementation.
> >> ...
> >
> > You too, huh?
> >
> > In my experience ClamAV's Yara implementation is absolutely riddled.
> > It's so bad (and *years* out of date) that I don't think it would be
> > worth the effort of trying to fix it. I'd say start again from
> > scratch.
> >
> > I've eventually settled on a way of living with it which is basically
> > "don't try anything fancy". If you're not careful it crashes clamd.
> > Most of the time it seems to manage simple regexes reasonably well,
> > but one example of fancy things not to try would be leaving out the
> > case-insensitive match modifier 'nocase'.
> >
> > Having said that when you get it settled it does do good work. Here,
> > with a few hundred well-chosen strings in a couple of dozen rules, it
> > catches far more spam than anything else. We don't see much malware
> > in our mail, so I haven't spent much time on non-text matching and
> > can't offer much insight into how well it might do there.
> >
> > --
> >
> > 73,
> > Ged.
> >
> > _______________________________________________
> >
> > clamav-users mailing list
> > clamav-users@lists.clamav.net
> > https://lists.clamav.net/mailman/listinfo/clamav-users
> >
> >
> > Help us build a comprehensive ClamAV guide:
> > https://github.com/vrtadmin/clamav-faq
> >
> > http://www.clamav.net/contact.html#ml
>
> _______________________________________________
>
> clamav-users mailing list
> clamav-users@lists.clamav.net
> https://lists.clamav.net/mailman/listinfo/clamav-users
>
>
> Help us build a comprehensive ClamAV guide:
> https://github.com/vrtadmin/clamav-faq
>
> http://www.clamav.net/contact.html#ml
>
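To show how the pieces of the logical signature above fit together (the hex-encoded fragments, the {-1} gaps of at most one byte, the ::i nocase modifier and the 0>3 count expression), here is an added Python example that is my own code, not code from the post or from ClamAV: it rebuilds the .ldb line from its plain-text fragments, decodes it back into a matcher, and evaluates the expression over constructed sample data. The function names are hypothetical and the matcher is a simplified re-implementation for illustration, not ClamAV's engine.

```python
import re

# Added example, not code from the post or from ClamAV: build an .ldb logical
# signature of the shape shown in the thread, decode it back into a matcher, and
# evaluate its logical expression. Simplified re-implementation; names hypothetical.

def encode_subsig(fragments, nocase=True):
    """Hex-encode literal fragments joined by {-1} (0 or 1 byte) wildcards;
    the trailing '::i' makes the subsignature case-insensitive."""
    body = "{-1}".join(f.encode("latin-1").hex() for f in fragments)
    return body + ("::i" if nocase else "")

def build_ldb(name, expr, subsigs, tdb="Engine:90-255,Target:0"):
    """Assemble the ';'-separated .ldb line: name;TDB;logical expr;subsigs."""
    return ";".join([name, tdb, expr] + subsigs)

def subsig_to_regex(subsig):
    """Decode a hex subsignature with {-N} wildcards into a compiled regex."""
    nocase = subsig.endswith("::i")
    if nocase:
        subsig = subsig[:-3]
    pattern = ""
    for tok in re.split(r"(\{-\d+\})", subsig):
        if tok.startswith("{"):                   # {-N}: zero to N arbitrary bytes
            pattern += ".{0,%s}" % tok[2:-1]
        elif tok:                                 # literal bytes, hex-encoded
            pattern += re.escape(bytes.fromhex(tok).decode("latin-1"))
    return re.compile(pattern, re.DOTALL | (re.IGNORECASE if nocase else 0))

def evaluate_ldb(ldb_line, data):
    """True if the logical expression holds for data, i.e. clamscan would report
    a hit (only the simple 'N>M', 'N<M' and 'N=M' count forms are handled)."""
    name, tdb, expr, *subsigs = ldb_line.split(";")
    text = data.decode("latin-1")
    counts = [len(subsig_to_regex(s).findall(text)) for s in subsigs]
    idx, op, n = re.fullmatch(r"(\d+)([<>=])(\d+)", expr).groups()
    c = counts[int(idx)]
    return {">": c > int(n), "<": c < int(n), "=": c == int(n)}[op]

# The post's signature, rebuilt from its plain-text fragments.
SIG = build_ldb("MJB.JS.SendEmailFunc-0", "0>3", [encode_subsig(
    ['<script', 'type="text/javascript">', 'function', 'sendemail', '(){'])])

# Constructed sample (not the post's testfile): four stubs, each gap 0 or 1 byte.
SAMPLE = (b'<script type="text/javascript">function sendemail (){ }</script>\n'
          b'<script type="text/javascript">function sendemail(){ }</script>\n'
          b'<SCRIPT type="text/javascript">Function SendEmail(){ }</SCRIPT>\n'
          b'<script\ttype="text/javascript">function sendemail(){ }</script>\n')
```

With the four stubs in SAMPLE, subsig 0 matches four times and 0>3 holds; with only the first three stubs the count is 3 and the signature does not fire, which is the threshold behaviour the 0>3 expression encodes.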