Hi there,

On Fri, 25 Feb 2022, Laurent S. via clamav-users wrote:
> I've had the same issue. In the last two years, I was regularly writing YARA sigs in ClamAV and finding that it behaves in strange ways... Especially the regex integration. I specifically remember that counting regex wasn't possible and that I had to write those sigs either in strings or HEX. After too many timeouts and strange stuff ...
Sounds like you and I have been through the same pain.
> I decided to rewrite all of the sigs I had written to LDB. It's not easy to read, less fun to write... but damn it's much more reliable and fast.
Execution time will be important for scanning filesystems, less so for scanning mail (at least for scanning low-volume mail) and readability can be hugely important if you're writing a lot of rules. Perhaps we should be asking the development team for readable LDB rules? :)
> PS: This YARA might technically work, but might cost you lots of CPU: $a3 = /(<script type="text\/javascript">functionsendemail.?\(\)\{.*){3}/
I think it's generally best to avoid things like '.*' in YARA rules, and possibly in regexes in general for use in scanning. Even in mail you can find yourself scanning fairly big base64-encoded texts which are never going to match but still cost CPU, but in a filesystem there may be files of gigabytes+ and some regexes will be *very* expensive.
> I personally think a better project for the community would be to improve YARA in ClamAV ...
+1 If I'd had the time I'd have done it myself already.

-- 
73, Ged.

_______________________________________________
clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users
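The two points above (the quoted PS about `(...){3}` with `.*` costing CPU, and the reply that `.*` is best avoided in scanning regexes) can be seen side by side with Python's backtracking `re` engine, which behaves like YARA's regex here: `.` does not match a newline, and a greedy `.*` runs to the end of the line and then backtracks one byte at a time looking for the next repetition. The script below is an added illustration written for this page; it is not ClamAV, YARA or anything posted in the thread. It keeps the quoted literal exactly (including the missing space in `functionsendemail`), rewrites the same intent as "count occurrences of the literal, stop at the third", and times both on a constructed single-line buffer of base64-looking filler with two hits in it, which is the worst case: the rule can never match, but every hit still triggers a full `.*` scan and backtrack over the filler. The function and constant names (`HIT`, `CHAINED`, `COUNTED`, `OPENER`, `matches_chained`, `matches_counted`, `build_sample`, `time_both`) and the sample buffer are my own assumptions.

```python
"""Chained '(...){3}' with '.*' versus counting literal hits.

Added illustration for the thread above; not ClamAV or YARA code.
"""
import re
import time

# The literal the quoted YARA rule repeats three times, as a Python bytes regex.
# '.?', '()' and '{' are kept exactly as quoted, as is "functionsendemail".
HIT = rb'<script type="text/javascript">functionsendemail.?\(\)\{'

# The rule as written: three hits chained through greedy '.*'.  Without DOTALL
# '.' does not match newline (same as YARA's default), so all three hits must
# sit on one line and the engine backtracks across everything between them.
CHAINED = re.compile(rb'(' + HIT + rb'.*){3}')

# The same intent as "count occurrences": one pass, stop at the n-th hit.
COUNTED = re.compile(HIT)

# A string that satisfies HIT ('.?' eats the space); used to build test data.
OPENER = b'<script type="text/javascript">functionsendemail (){'


def matches_chained(data: bytes) -> bool:
    """True if the original '(...){3}' pattern matches anywhere in data."""
    return CHAINED.search(data) is not None


def matches_counted(data: bytes, n: int = 3) -> bool:
    """True once the literal has been seen n times (non-overlapping, single pass).

    Note the semantic difference: this also counts hits on different lines,
    which the chained '.*' form cannot match.
    """
    seen = 0
    for _ in COUNTED.finditer(data):
        seen += 1
        if seen >= n:
            return True
    return False


def build_sample(hits: int, filler_bytes: int) -> bytes:
    """Constructed buffer: `hits` copies of OPENER spread evenly through
    base64-looking filler on a single line (no newlines), ~filler_bytes long."""
    block = b"QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVowMTIzNDU2Nzg5"  # 48 bytes, base64 alphabet
    filler = (block * (filler_bytes // len(block) + 1))[:filler_bytes]
    chunk = len(filler) // (hits + 1)
    parts = []
    for i in range(hits):
        parts.append(filler[i * chunk:(i + 1) * chunk])
        parts.append(OPENER)
    parts.append(filler[hits * chunk:])
    return b"".join(parts)


def time_both(data: bytes) -> dict:
    """Run both matchers on the same buffer; return {name: (matched, seconds)}."""
    out = {}
    for name, fn in (("chained", matches_chained), ("counted", matches_counted)):
        t0 = time.perf_counter()
        matched = fn(data)
        out[name] = (matched, time.perf_counter() - t0)
    return out


if __name__ == "__main__":
    # Two hits in ~8 MB on one line: neither matcher can succeed, but the
    # chained form scans to end-of-line and backtracks over the filler at
    # every hit, while the counted form is a single literal scan.
    sample = build_sample(hits=2, filler_bytes=8 * 1024 * 1024)
    for name, (matched, secs) in time_both(sample).items():
        print(f"{name:8s} match={matched!s:5s} {secs:.3f}s")
```

Running it prints the wall-clock cost of each approach on the same buffer; the counted form is also the one that survives a multi-line file, where the chained `.*` silently never matches. That is the same trade Laurent describes above: expressing the count outside the regex (in ClamAV's case as string or hex subsignatures with a logical expression) instead of inside it through `.*`.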