@@ -940,6 +940,33 @@ Eicar-Test-Signature:bc356bae4c42f19a3de16e333ba3569c
\item YARA rules in ClamAV must contain at least one literal, hexadecimal, or
regular expression string.
\end{itemize}
+ In addition, there are a few more ClamAV processing modes that may affect the outcome of YARA rules.
+ \begin{itemize}
+ \item \emph{File decomposition and decompression} - Since ClamAV uses file decomposition and decompression
+ to find viruses within de-archived and uncompressed inner files, YARA rules executed by ClamAV
+ will match against these files as well.
+ \item \emph{Normalization} - By default, ClamAV normalizes HTML, JavaScript, and ASCII text files.
+ YARA rules in ClamAV will match against the normalized result. The effects of normalization
+ of these file types may be captured using \verb+clamscan --leave-temps --tempdir=mytempdir+.
+ YARA rules may then be written using the normalized file(s) found in \verb+mytempdir+.
+ Alternatively, starting with ClamAV 0.99.3, \verb+clamscan --normalize=no+ will prevent
+ normalization and only scan the raw file. To obtain similar behavior prior to 0.99.2, use
+ \verb+clamscan --scan-html=no+. The corresponding parameters for clamd.conf are \verb+Normalize+
+ and \verb+ScanHTML+.
+ \item \emph{YARA conditions driven by string matches} - All YARA conditions are driven by string matches in
+ ClamAV. This saves from executing every YARA rule on every file. Any YARA condition may be augmented
+ with a string match clause which is always true, such as:
+ \begin{verbatim}
+ rule CheckFileSize
+ {
+ strings:
+ $abc = "abc"
+ condition:
+ ($abc or not $abc) and filesize < 200KB
+ }
+ \end{verbatim}
+ This will ensure that the YARA condition always performs the desired action (checking the file size in this example),
+ \end{itemize}
\subsection{Passwords for archive files [experimental]}
ClamAV 0.99 allows for users to specify password attempts for certain password-compatible archives.
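Review bot: the closing sentence of the new itemize, `+ This will ensure that the YARA condition always performs the desired action (checking the file size in this example),`, ends with a comma right before `\end{itemize}` and reads as cut off; either finish the thought or end it with a period. The version boundaries in the Normalization item also disagree with each other: `--normalize=no` is described as available "starting with ClamAV 0.99.3", while the fallback `--scan-html=no` is recommended "prior to 0.99.2", which leaves 0.99.2 itself covered by neither statement; one of the two versions should be corrected so the boundary is consistent. Minor wording: "This saves from executing every YARA rule on every file" would read more naturally as "This avoids executing every YARA rule on every file".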