There's not a lot that you can do in Yara rules that you can't do in LDB
sigs... for what it's worth, here's a logical sig that detects the same
thing as the Yara rules...

mbroekman@lothlorien:~$ grep MJB.JS.SendEmail clamdb/javascript_sigs.ldb | sigtool --decode-sigs
VIRUS NAME: MJB.JS.SendEmailFunc-0
TDB: Engine:90-255,Target:0
LOGICAL EXPRESSION: 0>3
 * SUBSIG ID 0
 +-> OFFSET: ANY
 +-> SIGMOD: NOCASE
 +-> DECODED SUBSIGNATURE:
<script{WILDCARD_ANY_STRING(LENGTH<=1)}type="text/javascript">{WILDCARD_ANY_STRING(LENGTH<=1)}function{WILDCARD_ANY_STRING(LENGTH<=1)}sendemail{WILDCARD_ANY_STRING(LENGTH<=1)}(){

mbroekman@lothlorien:~$ grep MJB.JS.SendEmail clamdb/javascript_sigs.ldb

MJB.JS.SendEmailFunc-0;Engine:90-255,Target:0;0>3;3c736372697074{-1}747970653d22746578742f6a617661736372697074223e{-1}66756e6374696f6e{-1}73656e64656d61696c{-1}28297b::i

mbroekman@lothlorien:~$ cat testfile
<script type="text/javascript">functionsendemail (){ }</script>
<script type="text/javascript">functionsendemail(){ }</script>
<script type="text/javascript">functionsendemail (){ }</script>
<script type="text/javascript">functionsendemail(){ }</script>

mbroekman@lothlorien:~$ clamscan --quiet testfile
mbroekman@lothlorien:~$ echo $?
1

mbroekman@lothlorien:~$ clamscan testfile
Loading:    10s, ETA:   0s [========================>]    8.61M/8.61M sigs

Compiling:   2s, ETA:   0s [========================>]       41/41 tasks

/Users/mbroekman/testfile: MJB.JS.SendEmailFunc-0.UNOFFICIAL FOUND

----------- SCAN SUMMARY -----------
Known viruses: 8606446
Engine version: 0.104.2
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 0.00 MB
Data read: 0.00 MB (ratio 0.00:1)
Time: 12.433 sec (0 m 12 s)
Start Date: 2022:02:25 10:54:32
End Date:   2022:02:25 10:54:45


On Fri, Feb 25, 2022 at 7:00 AM Joel Esler via clamav-users <clamav-users@lists.clamav.net> wrote:

> Pretty sure you can write what you’re trying to look for with an ldb
> signature anyway.
>
> —
> Sent from my  iPhone
>
> > On Feb 24, 2022, at 18:53, G.W. Haywood via clamav-users <clamav-users@lists.clamav.net> wrote:
> >
> > Hi there,
> >
> >> On Thu, 24 Feb 2022, Kris Deugau wrote:
> >>
> >> After chasing docs back and forth and trying small variations, I think
> I've found what's arguably a bug in Clam's YARA implementation.
> >> ...
> >
> > You too, huh?
> >
> > In my experience ClamAV's Yara implementation is absolutely riddled.
> > It's so bad (and *years* out of date) that I don't think it would be
> > worth the effort of trying to fix it.  I'd say start again from
> > scratch.
> >
> > I've eventually settled on a way of living with it which is basically
> > "don't try anything fancy".  If you're not careful it crashes clamd.
> > Most of the time it seems to manage simple regexes reasonably well,
> > but one example of fancy things not to try would be leaving out the
> > case-insensitive match modifier 'nocase'.
> >
> > Having said that when you get it settled it does do good work.  Here,
> > with a few hundred well-chosen strings in a couple of dozen rules, it
> > catches far more spam than anything else.  We don't see much malware
> > in our mail, so I haven't spent much time on non-text matching and
> > can't offer much insight into how well it might do there.
> >
> > --
> >
> > 73,
> > Ged.
> >
> > _______________________________________________
> >
> > clamav-users mailing list
> > clamav-users@lists.clamav.net
> > https://lists.clamav.net/mailman/listinfo/clamav-users
> >
> >
> > Help us build a comprehensive ClamAV guide:
> > https://github.com/vrtadmin/clamav-faq
> >
> > http://www.clamav.net/contact.html#ml
>
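The signature above is easier to reason about once the pieces of the .ldb line are pulled apart: the hex body is just the literal bytes of the JavaScript fragment with `{-1}` ("up to one arbitrary byte") between them, `::i` is the NOCASE modifier that sigtool reports as SIGMOD, and `0>3` says subsignature 0 has to hit more than three times before the file is flagged. The following script is an added illustration written for this thread, not code from ClamAV or from any poster in it. It rebuilds the exact .ldb line from the readable parts and then evaluates it against constructed input with a deliberately small matcher; that matcher is an approximation (hex body to regex, `{-n}`/`{n-m}`/`??` wildcards, the `i` modifier, one `ID op N` logical expression) and does not model Engine ranges, Target types or ClamAV's other logical operators, so use it to understand the format, and clamscan to verify a real signature.

```python
"""
Offline illustration of the ClamAV logical-signature (.ldb) format from the
thread.  Added example, not ClamAV's or the poster's code: the matcher is a
small re-implementation (hex body -> regex, {-n}/{n-m}/?? wildcards, the
'i' nocase modifier, one "ID op N" logical expression).  Engine ranges,
Target types and the other logical operators are not modelled.
"""
import re
from typing import List, Union

Token = Union[str, int]  # literal text, or the max length of a wildcard gap


def encode_body(tokens: List[Token]) -> str:
    """Turn literals and wildcard gaps into the hex body of an ldb subsignature.

    A str token is hex-encoded byte for byte; an int token n becomes the
    ClamAV wildcard {-n}: "at most n arbitrary bytes here" (zero allowed).
    """
    out = []
    for tok in tokens:
        if isinstance(tok, int):
            out.append("{-%d}" % tok)
        else:
            out.append(tok.encode("latin-1").hex())
    return "".join(out)


def build_ldb(name: str, engine: str, target: int, expr: str,
              subsigs: List[str]) -> str:
    """Assemble one .ldb line: NAME;Engine:X-Y,Target:T;LOGICAL EXPR;SUBSIG0;..."""
    return ";".join([name, "Engine:%s,Target:%d" % (engine, target), expr] + subsigs)


def subsig_to_regex(subsig: str) -> re.Pattern:
    """Compile a hex subsignature (optionally suffixed ::i) to a bytes regex."""
    flags = re.DOTALL
    if subsig.endswith("::i"):       # the NOCASE modifier sigtool shows as SIGMOD
        subsig, flags = subsig[:-3], flags | re.IGNORECASE
    parts, pos = [], 0
    for m in re.finditer(r"\{-(\d+)\}|\{(\d+)-(\d+)\}|\?\?", subsig):
        parts.append(re.escape(bytes.fromhex(subsig[pos:m.start()])))
        if m.group(1) is not None:               # {-n}: 0..n bytes
            parts.append(b".{0,%d}" % int(m.group(1)))
        elif m.group(2) is not None:             # {n-m}: n..m bytes
            parts.append(b".{%d,%d}" % (int(m.group(2)), int(m.group(3))))
        else:                                    # ??: exactly one byte
            parts.append(b".")
        pos = m.end()
    parts.append(re.escape(bytes.fromhex(subsig[pos:])))
    return re.compile(b"".join(parts), flags)


def hit_count(subsig: str, data: bytes) -> int:
    """Number of non-overlapping places the subsignature matches in DATA."""
    return len(subsig_to_regex(subsig).findall(data))


def evaluate(ldb_line: str, data: bytes) -> bool:
    """True if DATA satisfies the logical expression of LDB_LINE.

    Handles the "<id><op><n>" form with op in < > =, which is all the
    thread's signature needs: 0>3 means subsig 0 must hit more than 3 times.
    """
    fields = ldb_line.split(";")
    expr, subsigs = fields[2], fields[3:]
    m = re.fullmatch(r"(\d+)([<>=])(\d+)", expr)
    if m is None:
        raise ValueError("unsupported logical expression: %r" % expr)
    sid, op, n = int(m.group(1)), m.group(2), int(m.group(3))
    hits = hit_count(subsigs[sid], data)
    return {"<": hits < n, ">": hits > n, "=": hits == n}[op]


# Rebuild the thread's signature from its readable parts.
SIG = build_ldb("MJB.JS.SendEmailFunc-0", "90-255", 0, "0>3", [
    encode_body(["<script", 1, 'type="text/javascript">', 1, "function", 1,
                 "sendemail", 1, "(){"]) + "::i",
])

# Constructed inputs (not files from the thread): one line of the poster's
# testfile repeated 4 times (detected), 3 times (below the 0>3 threshold),
# and upper-cased (detected only because of the ::i modifier).
LINE = b'<script type="text/javascript">functionsendemail (){ }</script>\n'
FOUR, THREE, UPPER = LINE * 4, LINE * 3, LINE.upper() * 4

if __name__ == "__main__":
    print(SIG)
    for label, blob in (("four", FOUR), ("three", THREE), ("upper", UPPER)):
        print("%-5s hits=%d found=%s" % (label, hit_count(SIG.split(";")[3], blob),
                                         evaluate(SIG, blob)))
```

Two things the script makes visible that the raw hex line hides: dropping `::i` makes the upper-cased sample silently miss, and a file with three copies of the fragment is clean while four is infected, so the count in the logical expression is as much a part of the detection as the bytes are. Sample inputs are constructed here; the regex wildcard mapping is this example's own approximation of ClamAV's matcher.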