In order to minimize the amount of regex execution in ClamAV, regex
signatures are usually run until the first match is detected. This means
that counting regex matches do not work in the general case.
The ClamAV ldb signatures have a custom flag 'g' which specifies to the
engine to find all
Using #match as a condition in a yara rule to
count the occurences of $match doesn't appear to
work where $match is a regex.
#match only appears to work if $match is a string literal
eg "abc123"
Is #match intended to work with a regex ?
--
David Shrimpton
