Hi there,

On Fri, 25 Feb 2022, Laurent S. via clamav-users wrote:

> I've had the same issue. In the last two years, I was regularly
> writing YARA sigs in ClamAV and finding that it behaves in strange
> ways... Especially the regex integration.

> I specifically remember that counting regex wasn't possible and that
> I had to write those sigs either in strings or HEX.

> After too many timeouts and strange stuff ...

Sounds like you and I have been through the same pain.

> I decided to rewrite all of the sigs I had written to LDB. It's not
> easy to read, less fun to write... but damn it's much more reliable
> and fast.

Execution time will be important for scanning filesystems, less so for
scanning mail (at least for scanning low-volume mail) and readability
can be hugely important if you're writing a lot of rules.  Perhaps we
should be asking the development team for readable LDB rules? :)

> PS: This YARA might technically work, but might cost you lots of CPU:
>   $a3 = /(<script type="text\/javascript">functionsendemail.?\(\)\{.*){3}/

I think it's generally best to avoid things like '.*' in YARA rules,
and possibly in regexes in general for use in scanning.  Even in mail
you can find yourself scanning fairly big base64-encoded texts which
are never going to match but still cost CPU, but in a filesystem there
may be files of gigabytes+ and some regexes will be *very* expensive.

> I personally think a better project for the community would be to
> improve YARA in ClamAV ...

+1

If I'd had the time I'd have done it myself already.

--

73,
Ged.
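
The two rewrites discussed in this thread, shown side by side as an added example that is not part of the original post and not ClamAV's own tooling: the counted `(...){3}` regex becomes (a) a YARA rule with a plain text string and the `#a` occurrence counter, which is the "strings or HEX" route, and (b) a ClamAV LDB logical signature whose expression counts subsignature matches. The literal is the prefix of the quoted regex with its `.?\(\)\{` tail dropped; the signature name and sample buffers are constructed for illustration, and the LDB syntax (`Engine:51-255,Target:0`, `0>2` meaning "subsig 0 matched more than two times") is assumed to follow ClamAV's documented logical-signature format, so check it against the docs for your ClamAV version before shipping.

```python
"""Counted-match signatures for a literal that must appear at least N times.

Rewrites the expensive `(literal.*){3}` regex idea into two cheaper forms:
  * a YARA rule with a plain string and a `#a >= N` counter, and
  * a ClamAV LDB logical signature whose expression counts subsig matches.
Constructed example: the LDB count syntax (`0>2` == subsig 0 matched more
than two times) and the `Engine:51-255,Target:0` block are assumed to follow
ClamAV's documented logical-signature format.
"""

# Literal prefix taken from the quoted regex; its `.?\(\)\{` tail is dropped here.
LITERAL = b'<script type="text/javascript">functionsendemail'


def hex_literal(data: bytes) -> str:
    """ClamAV subsignature body: two lowercase hex digits per byte, no separators."""
    return data.hex()


def ldb_count_sig(name: str, literal: bytes, min_count: int, target: int = 0) -> str:
    """Build one .ldb line: Name;TargetDescriptionBlock;LogicalExpression;Subsig0."""
    if min_count < 1:
        raise ValueError("min_count must be >= 1")
    # A bare "0" means "subsig 0 matched"; "0>K" means it matched more than K times.
    expr = "0" if min_count == 1 else f"0>{min_count - 1}"
    return f"{name};Engine:51-255,Target:{target};{expr};{hex_literal(literal)}"


def yara_count_rule(name: str, literal: bytes, min_count: int) -> str:
    """Equivalent YARA rule using a text string and the #a occurrence counter
    instead of a counted regex group."""
    text = literal.decode("latin-1").replace("\\", "\\\\").replace('"', '\\"')
    return (
        f"rule {name} {{\n"
        f"  strings:\n"
        f'    $a = "{text}" ascii\n'
        f"  condition:\n"
        f"    #a >= {min_count}\n"
        f"}}"
    )


def count_subsig(buf: bytes, literal: bytes) -> int:
    """Count every occurrence, overlapping ones included (a simplification of how
    the scanner tallies subsig hits; enough to reason about the threshold)."""
    count, pos = 0, buf.find(literal)
    while pos != -1:
        count += 1
        pos = buf.find(literal, pos + 1)
    return count


def would_match(buf: bytes, literal: bytes, min_count: int) -> bool:
    """Evaluate the count threshold that both signatures above express."""
    return count_subsig(buf, literal) >= min_count


# Constructed sample bodies: base64-like filler (the kind of bulk a `.*` would
# crawl through) with three hits in one and only two in the other.
FILLER = b"QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVo=\r\n" * 20
SAMPLE_HIT = FILLER + (LITERAL + b"(){}" + FILLER) * 3
SAMPLE_MISS = FILLER + (LITERAL + b"(){}" + FILLER) * 2


if __name__ == "__main__":
    # Hypothetical signature names, chosen for the example only.
    print(ldb_count_sig("Html.Phishing.SendEmail.Example", LITERAL, 3))
    print(yara_count_rule("SendEmail_Example", LITERAL, 3))
    print("hit:", would_match(SAMPLE_HIT, LITERAL, 3),
          "miss:", would_match(SAMPLE_MISS, LITERAL, 3))
```

Neither form needs the scanner to extend a match across the rest of the file: the literal is found by the fixed-string matcher and only the hit count is compared, which is why the LDB version is cheap on large inputs. `sigtool --hex-dump` (reading the literal from stdin) produces the same hex as `hex_literal`, and the generated `.ldb` line can be loaded directly with `clamscan -d file.ldb` to check it against a sample.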

_______________________________________________

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users
