
Additional documentation on using yara in ClamAV.

Steven Morgan authored on 2016/07/06 04:32:03
Showing 2 changed files
Binary files a/docs/signatures.pdf and b/docs/signatures.pdf differ
@@ -940,6 +940,33 @@ Eicar-Test-Signature:bc356bae4c42f19a3de16e333ba3569c
         \item YARA rules in ClamAV must contain at least one literal, hexadecimal, or
         regular expression string.
     \end{itemize}
+    In addition, there are a few more ClamAV processing modes that may affect the outcome of YARA rules.
+    \begin{itemize}
+        \item \emph{File decomposition and decompression} - Since ClamAV uses file decomposition and decompression
+               to find viruses within de-archived and uncompressed inner files, YARA rules executed by ClamAV
+               will match against these files as well.
+        \item \emph{Normalization} - By default, ClamAV normalizes HTML, JavaScript, and ASCII text files.
+              YARA rules in ClamAV will match against the normalized result. The effects of normalization
+              of these file types may be captured using \verb+clamscan --leave-temps --tempdir=mytempdir+. 
+              YARA rules may then be written using the normalized file(s) found in \verb+mytempdir+.
+              Alternatively, starting with ClamAV 0.99.3, \verb+clamscan --normalize=no+ will prevent
+              normalization and only scan the raw file. To obtain similar behavior prior to 0.99.2, use
+              \verb+clamscan --scan-html=no+. The corresponding parameters for clamd.conf are \verb+Normalize+
+              and \verb+ScanHTML+.
+        \item \emph{YARA conditions driven by string matches} - All YARA conditions are driven by string matches in
+              ClamAV. This saves from executing every YARA rule on every file. Any YARA condition may be augmented
+              with a string match clause which is always true, such as:
+        \begin{verbatim}
+          rule CheckFileSize
+          {
+            strings:
+              $abc = "abc"
+            condition:
+              ($abc or not $abc) and filesize < 200KB
+          }
+        \end{verbatim}
+        This will ensure that the YARA condition always performs the desired action (checking the file size in this example),
+    \end{itemize}
 
     \subsection{Passwords for archive files [experimental]}
     ClamAV 0.99 allows for users to specify password attempts for certain password-compatible archives.
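Review bot: the version boundaries in the Normalization bullet do not line up: `clamscan --normalize=no` is introduced as available "starting with ClamAV 0.99.3", while the `clamscan --scan-html=no` fallback is recommended "prior to 0.99.2", which leaves 0.99.2 itself unaddressed; pick one boundary (for example "prior to 0.99.3") so a reader on 0.99.2 knows which option applies. Two smaller points in the same hunk: the sentence after the CheckFileSize listing ends in a trailing comma ("checking the file size in this example),") and reads as cut off, so it should end with a period or carry its intended continuation; and because the bullet states that all YARA conditions in ClamAV are driven by string matches, the text should say explicitly whether a rule using `($abc or not $abc)` is evaluated on files that do not contain "abc" at all, since that is precisely the case a reader adding such a clause is relying on.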