Re: [clamav-users] How to know if yara rules are being run?
On Thu, 6 Jul 2017 11:34:53 -0400 Kris Deugau wrote:
> Mark Foley wrote:
> > So, the question posted below remains:
> >
> > Will the expetr.yara rule, described in this thread, run as is, or not, on
> > Linux?
>
> Any valid signature file will be loaded and used.
>
> Any *invalid* signature file will cause clamd to exit.
>
> If clamd is running, and you've been able to confirm the signature file
> is being loaded, the signature will be checked.
>
> Signatures are not platform-specific except in terms of what they're
> intended to match on.
>
> > I'm specifically asking about Eric's comment, "it requires a Win32
> > executable".
>
> To answer this specific point, one of the signature fragments checks a
> byte pattern in a certain location to help ensure that it only triggers
> on files that are Win32 executables.
>
> More generally, to confirm whether a specific signature is doing what
> it's supposed to, you need to have a file to test with that you know is
> supposed to match on that signature.
>
> -kgd

Thanks Kris, that answers my question. I somehow incorrectly took from Eric's
comment that the rule would only run on Windows, but I get that the rule is
inspecting the message for a Windows executable.

--Mark

___
clamav-users mailing list
clamav-users@lists.clamav.net
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users

Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
Re: [clamav-users] How to know if yara rules are being run?
Mark Foley wrote:
> So, the question posted below remains:
>
> Will the expetr.yara rule, described in this thread, run as is, or not, on
> Linux?

Any valid signature file will be loaded and used.

Any *invalid* signature file will cause clamd to exit.

If clamd is running, and you've been able to confirm the signature file
is being loaded, the signature will be checked.

Signatures are not platform-specific except in terms of what they're
intended to match on.

> I'm specifically asking about Eric's comment, "it requires a Win32
> executable".

To answer this specific point, one of the signature fragments checks a
byte pattern in a certain location to help ensure that it only triggers
on files that are Win32 executables.

More generally, to confirm whether a specific signature is doing what
it's supposed to, you need to have a file to test with that you know is
supposed to match on that signature.

-kgd
Re: [clamav-users] How to know if yara rules are being run?
From: Mark Foley
Date: Wed, 05 Jul 2017 17:52:03 -0400
Organization: Novatec Software Engineering, LLC
To: clamav-users@lists.clamav.net
Subject: Re: [clamav-users] How to know if yara rules are being run?

I'm following up to my own message. I've confirmed that my clamav-milter *is*
running yara rules. I created the following rule:

rule testme
{
    strings:
        $st1 = "How now brown cow"
    condition:
        $st1
}

and put it in /var/lib/clamav/testme.yara. I had to make it owned by
clamav.clamav (owned by root failed), and I had to restart clamav-milter. I
sent an email containing the "brown cow" string to a recipient on this host
and clamav-milter caught it:

clamav-milter.log:
Wed Jul 5 18:06:46 2017 -> Message v65M6iRh026596 from to with subject 'test4' message-id '<201707052206.v65m6gzc025...@server.novatec-inc.com>' date 'Wed, 05 Jul 2017 18:06:42 -0400' infected by YARA.testme.UNOFFICIAL

So, the question posted below remains:

Will the expetr.yara rule, described in this thread, run as is, or not, on
Linux? I'm specifically asking about Eric's comment, "it requires a Win32
executable".

--Mark

On Tue, 4 Jul 2017 11:47:35 -0400 eric-l...@truenet.com wrote
> > Eric - you misunderstand my question. I'm not asking if the yara rule is
> > working as designed. I'm asking how I can tell if clamav-milter is actually
> > running the rule during its scan of incoming email. All I did was put
> > expetr.yara in /var/lib/clamav. That's it. I don't know if that's
> > sufficient, whether .yara or .yar is the proper file type (I've seen both),
> > what the file permissions should be ... In short, I have no feedback from
> > clamav that it even notices the presence of this rule.
> >
> > Can I set a debug level or something in clamd.conf, clamscan.conf or
> > clamav-milter.conf?
> >
> > --Mark
>
> If you're using clamav-milter, then turn on logging:
> LogFile STRING
> Enable logging to selected file.
> Default: no
>
> LogInfected STRING
> This option allows you to tune what is logged when a message is infected.
> Possible values are Off (the default - nothing is logged), Basic (minimal
> info logged), Full (verbose info logged)
> Note: For this to work properly in sendmail, make sure the msg_id, mail_addr,
> rcpt_addr and i macros are available in eom. In other words add a line like:
> Milter.macros.eom={msg_id}, {mail_addr}, {rcpt_addr}, i to your .cf file.
> Alternatively use the macro: define(`confMILTER_MACROS_EOM', `{msg_id},
> {mail_addr}, {rcpt_addr}, i')
> Postfix should be working fine with the default settings.
> Default: disabled
>

Thanks for the response Eric. I've checked clamav-milter.conf and logging is
turned on and some of the older rotated log files do have messages about past
catches. My LogInfected is set to Full. I did add the confMILTER_MACROS_EOM
setting you suggested to my sendmail.mc, re-genned .cf and restarted sendmail.

> Depending on your clamd.conf, it should show what DBs to load.
> DatabaseDirectory STRING
> Path to a directory containing database files.
> OfficialDatabaseOnly BOOL
> Only load the official signatures published by the ClamAV project.
> Default: no

All my clamd.conf settings are as you describe:
DatabaseDirectory /var/lib/clamav (the yara rule is here)
OfficialDatabaseOnly is default (commented out)

> I found the Yara rule I think you're using, but it requires a Win32
> executable:
> condition:
>
> uint16(0) == 0x5A4D and
> filesize < 100 and
> any of them

Yes, that appears to be correct. I got the rule from
https://securelist.com/schroedingers-petya/78870/ and it does end the way you
indicate.

> So you could use something like PAR::Packer and try to compile a quick PERL
> script, but I would just put in a test yara rule like I emailed previously
> and send yourself an email. It should show up in the log file, and you'll be
> sure it's working.
>
> Eric

Here's where you lost me!

First off, I did try creating an email containing the string about "POWER
CABLE" as defined in the rule. I sent the message, but nothing was detected.
Although, not being versed in yara, I may need more conditions set than that.

BUT ... I'm not asking you about debugging/interpreting a yara script. I'll
check that elsewhere. I'm just trying to figure out if clamav-milter on Linux
is running this check. What do you mean, "it requires a Win32 executable"?
Does that mean this rule will not run on Linux?

Not being a frequent Perl user, I don't know what you're saying with "you
could use something like PAR::Packer and try to compile a quick PERL script".
I have a feeling explaining that is a lot more involved than you'd care to go
into, but if you can do so in a one- or two-liner, please do.

So, will this rule run as is, or not, on Linux? Do I have to do something?

Thanks, Mark
Re: [clamav-users] How to know if yara rules are being run?
On Tue, 4 Jul 2017 11:47:35 -0400 eric-l...@truenet.com wrote
> > Eric - you misunderstand my question. I'm not asking if the yara rule is
> > working as designed. I'm asking how I can tell if clamav-milter is actually
> > running the rule during its scan of incoming email. All I did was put
> > expetr.yara in /var/lib/clamav. That's it. I don't know if that's
> > sufficient, whether .yara or .yar is the proper file type (I've seen both),
> > what the file permissions should be ... In short, I have no feedback from
> > clamav that it even notices the presence of this rule.
> >
> > Can I set a debug level or something in clamd.conf, clamscan.conf or
> > clamav-milter.conf?
> >
> > --Mark
>
> If you're using clamav-milter, then turn on logging:
> LogFile STRING
> Enable logging to selected file.
> Default: no
>
> LogInfected STRING
> This option allows you to tune what is logged when a message is infected.
> Possible values are Off (the default - nothing is logged), Basic (minimal
> info logged), Full (verbose info logged)
> Note: For this to work properly in sendmail, make sure the msg_id, mail_addr,
> rcpt_addr and i macros are available in eom. In other words add a line like:
> Milter.macros.eom={msg_id}, {mail_addr}, {rcpt_addr}, i to your .cf file.
> Alternatively use the macro: define(`confMILTER_MACROS_EOM', `{msg_id},
> {mail_addr}, {rcpt_addr}, i')
> Postfix should be working fine with the default settings.
> Default: disabled
>

Thanks for the response Eric. I've checked clamav-milter.conf and logging is
turned on and some of the older rotated log files do have messages about past
catches. My LogInfected is set to Full. I did add the confMILTER_MACROS_EOM
setting you suggested to my sendmail.mc, re-genned .cf and restarted sendmail.

> Depending on your clamd.conf, it should show what DBs to load.
> DatabaseDirectory STRING
> Path to a directory containing database files.
> OfficialDatabaseOnly BOOL
> Only load the official signatures published by the ClamAV project.
> Default: no

All my clamd.conf settings are as you describe:
DatabaseDirectory /var/lib/clamav (the yara rule is here)
OfficialDatabaseOnly is default (commented out)

> I found the Yara rule I think you're using, but it requires a Win32
> executable:
> condition:
>
> uint16(0) == 0x5A4D and
> filesize < 100 and
> any of them

Yes, that appears to be correct. I got the rule from
https://securelist.com/schroedingers-petya/78870/ and it does end the way you
indicate.

> So you could use something like PAR::Packer and try to compile a quick PERL
> script, but I would just put in a test yara rule like I emailed previously
> and send yourself an email. It should show up in the log file, and you'll be
> sure it's working.
>
> Eric

Here's where you lost me!

First off, I did try creating an email containing the string about "POWER
CABLE" as defined in the rule. I sent the message, but nothing was detected.
Although, not being versed in yara, I may need more conditions set than that.

BUT ... I'm not asking you about debugging/interpreting a yara script. I'll
check that elsewhere. I'm just trying to figure out if clamav-milter on Linux
is running this check. What do you mean, "it requires a Win32 executable"?
Does that mean this rule will not run on Linux?

Not being a frequent Perl user, I don't know what you're saying with "you
could use something like PAR::Packer and try to compile a quick PERL script".
I have a feeling explaining that is a lot more involved than you'd care to go
into, but if you can do so in a one- or two-liner, please do.

So, will this rule run as is, or not, on Linux? Do I have to do something?

Thanks, Mark
Re: [clamav-users] How to know if yara rules are being run?
On Mon, 3 Jul 2017 19:57:25 -0400 Eric Tykwinski wrote:
> > Yes. I got exactly the same output as you show. Therefore, yara rules are
> > enabled.
> >
> > So then, how can I confirm the expetr.yara I created is being run?
> >
> > --Mark
>
> Mark,
>
> We are getting off topic for ClamAV list. I don't know what rule that they
> published, and thankfully haven't had to deal with anything locally.
> My guess would be to open the yara rule and check it out. You might be able
> to fake it with a hex editor to test it out, or you can search for sample
> files and see if they catch them. With Yara rules though you are usually
> only getting a small fragment of the infections, and probably a large portion
> of false positives. I use them for scanning backup archives personally to
> find web exploits, and the like, don't delete but find when the file was
> dropped.
>
> Hope this helps,
>
> Eric

Eric - you misunderstand my question. I'm not asking if the yara rule is
working as designed. I'm asking how I can tell if clamav-milter is actually
running the rule during its scan of incoming email. All I did was put
expetr.yara in /var/lib/clamav. That's it. I don't know if that's sufficient,
whether .yara or .yar is the proper file type (I've seen both), what the file
permissions should be ... In short, I have no feedback from clamav that it
even notices the presence of this rule.

Can I set a debug level or something in clamd.conf, clamscan.conf or
clamav-milter.conf?

--Mark
Re: [clamav-users] How to know if yara rules are being run?
On Sat, 1 Jul 2017 09:21:50 -0400 Eric Tykwinski wrote:
> > On Jul 1, 2017, at 1:10 AM, Mark Foley wrote:
> >
> > I've put the expetr.yara rule from Kaspersky for the recent notPetya
> > ransomware in my /var/lib/clamav directory.
> >
> > How can I tell if clamav is running it? I see nothing in
> > /var/log/clamav.log.
> >
> > --Mark
>
> My first suggestion would be to make sure Yara rules are enabled in clamav.
> So make a couple of files:
> /*** test.yara ***/
> rule Test_Yara_Rules : test
> {
>     meta:
>         description = "Test Yara"
>     strings:
>         $test = "YaraTest" fullword ascii
>     condition:
>         $test
> }
> /***/
>
> echo YaraTest > test.txt
>
> clamscan -d ./test.yara test.txt
>
> Should show you:
> test.txt: YARA.Test_Yara_Rules.UNOFFICIAL FOUND
>
> --- SCAN SUMMARY ---
> Known viruses: 1
> Engine version: 0.99.2
> Scanned directories: 0
> Scanned files: 1
> Infected files: 1
> Data scanned: 0.00 MB
> Data read: 0.00 MB (ratio 0.00:1)
> Time: 0.007 sec (0 m 0 s)

Yes. I got exactly the same output as you show. Therefore, yara rules are
enabled.

So then, how can I confirm the expetr.yara I created is being run?

--Mark
Re: [clamav-users] How to know if yara rules are being run?
> On Jul 1, 2017, at 1:10 AM, Mark Foley wrote:
>
> I've put the expetr.yara rule from Kaspersky for the recent notPetya
> ransomware in my /var/lib/clamav directory.
>
> How can I tell if clamav is running it? I see nothing in /var/log/clamav.log.
>
> --Mark

My first suggestion would be to make sure Yara rules are enabled in clamav.
So make a couple of files:

/*** test.yara ***/
rule Test_Yara_Rules : test
{
    meta:
        description = "Test Yara"
    strings:
        $test = "YaraTest" fullword ascii
    condition:
        $test
}
/***/

echo YaraTest > test.txt

clamscan -d ./test.yara test.txt

Should show you:
test.txt: YARA.Test_Yara_Rules.UNOFFICIAL FOUND

--- SCAN SUMMARY ---
Known viruses: 1
Engine version: 0.99.2
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 0.00 MB
Data read: 0.00 MB (ratio 0.00:1)
Time: 0.007 sec (0 m 0 s)

For Ubuntu 16.04, it's enabled by default, on OSX with homebrew add --with-yara
to enable them.

PS. Talos guys, I'm loving the new website, a lot of info in there.
[clamav-users] How to know if yara rules are being run?
I've put the expetr.yara rule from Kaspersky for the recent notPetya ransomware
in my /var/lib/clamav directory.

How can I tell if clamav is running it? I see nothing in /var/log/clamav.log.

--Mark