@@ -1258,10 +1258,22 @@ int cli_ac_initdata(struct cli_ac_data *data, uint32_t partsigs, uint32_t lsigs,

         }

         for(i = 1; i < lsigs; i++)

             data->lsigcnt[i] = data->lsigcnt[0] + 64 * i;

+        data->yr_matches = (uint8_t *) cli_calloc(lsigs, sizeof(uint8_t));

+        if (data->yr_matches == NULL) {

+            free(data->lsigcnt[0]);

+            free(data->lsigcnt);

+            if(partsigs)

+                free(data->offmatrix);

+            

+            if(reloffsigs)

+                free(data->offset);

+            return CL_EMEM;

+        }

         /* subsig offsets */

-        data->lsig_matches = (struct cli_lsig_matches **) cli_calloc(lsigs * sizeof(struct cli_lsig_matches *), sizeof(struct cli_lsig_matches *));

+        data->lsig_matches = (struct cli_lsig_matches **) cli_calloc(lsigs, sizeof(struct cli_lsig_matches *));

         if(!data->lsig_matches) {

+            free(data->yr_matches);

             free(data->lsigcnt[0]);

             free(data->lsigcnt);

             if(partsigs)

@@ -1279,6 +1291,7 @@ int cli_ac_initdata(struct cli_ac_data *data, uint32_t partsigs, uint32_t lsigs,

             free(data->lsig_matches);

             free(data->lsigsuboff_last);

             free(data->lsigsuboff_first);

+            free(data->yr_matches);

             free(data->lsigcnt[0]);

             free(data->lsigcnt);

             if(partsigs)

@@ -1298,6 +1311,7 @@ int cli_ac_initdata(struct cli_ac_data *data, uint32_t partsigs, uint32_t lsigs,

             free(data->lsigsuboff_first[0]);

             free(data->lsigsuboff_last);

             free(data->lsigsuboff_first);

+            free(data->yr_matches);

             free(data->lsigcnt[0]);

             free(data->lsigcnt);

             if(partsigs)

@@ -1392,6 +1406,7 @@ void cli_ac_freedata(struct cli_ac_data *data)

             free(data->lsig_matches);

             data->lsig_matches = 0;

         }

+        free(data->yr_matches);

         free(data->lsigcnt[0]);

         free(data->lsigcnt);

         free(data->lsigsuboff_last[0]);

@@ -61,6 +61,7 @@ struct cli_ac_data {

     uint32_t **lsigcnt;

     uint32_t **lsigsuboff_last, **lsigsuboff_first;

     struct cli_lsig_matches **lsig_matches;

+    uint8_t *yr_matches;

     uint32_t *offset;

     uint32_t macro_lastmatch[32];

     /** Hashset for versioninfo matching */

@@ -766,8 +766,7 @@ static int lsig_eval(cli_ctx *ctx, struct cli_matcher *root, struct cli_ac_data

 static int yara_eval(cli_ctx *ctx, struct cli_matcher *root, struct cli_ac_data *acdata, struct cli_target_info *target_info, const char *hash, uint32_t lsid)

 {

     struct cli_ac_lsig *ac_lsig = root->ac_lsigtable[lsid];

-    uint8_t * code_start = ac_lsig->u.code_start;

-    int rc = 0;

+    int rc;

     YR_SCAN_CONTEXT context = {0};

     if (target_info != NULL) {

@@ -779,9 +778,13 @@ static int yara_eval(cli_ctx *ctx, struct cli_matcher *root, struct cli_ac_data

     rc = yr_execute_code(ac_lsig, acdata, &context, 0, 0);

-    if (rc == CL_VIRUS)

-        cli_append_virus(ctx, ac_lsig->virname);

-

+    if (rc == CL_VIRUS) {

+        if (ac_lsig->flag & CLI_LSIG_FLAG_PRIVATE) {

+            rc = CL_CLEAN;

+        } else {

+            cli_append_virus(ctx, ac_lsig->virname);

+        }

+    }

     return rc;

 }

@@ -77,6 +77,8 @@ struct cli_lsig_tdb {

 #endif

 };

+#define CLI_LSIG_FLAG_PRIVATE 0x01

+

 struct cli_bc;

 struct cli_ac_lsig {

 #define CLI_LSIG_NORMAL 0

@@ -85,6 +87,7 @@ struct cli_ac_lsig {

     uint32_t id;

     unsigned bc_idx;

     uint8_t type;

+    uint8_t flag;

     union {

         char *logic;

         uint8_t *code_start;

@@ -3764,6 +3764,8 @@ static int load_oneyara(YR_RULE *rule, int chkpua, struct cl_engine *engine, uns

     } else {

         if (NULL != (lsig->u.code_start = rule->code_start)) {

             lsig->type = (rule->cl_flags & RULE_OFFSETS) ? CLI_YARA_OFFSET : CLI_YARA_NORMAL;

+            if (RULE_IS_PRIVATE(rule))

+                lsig->flag |= CLI_LSIG_FLAG_PRIVATE;

         } else {

             cli_errmsg("load_oneyara: code start is NULL\n");

             FREE_TDB(tdb);

@@ -3815,6 +3817,7 @@ static int load_oneyara(YR_RULE *rule, int chkpua, struct cl_engine *engine, uns

     memcpy(&lsig->tdb, &tdb, sizeof(tdb));

     ytable_delete(&ytable);

+    rule->lsigid = root->ac_lsigs - 1;

     yara_loaded++;

     cli_yaramsg("load_oneyara: successfully loaded %s\n", rule->identifier);

     return CL_SUCCESS;

@@ -456,6 +456,7 @@ struct _yc_rule {

     uint32_t g_flags;

     uint32_t cl_flags;

     uint8_t * code_start;

+    uint32_t lsigid;

 };

 typedef struct _yc_rule yc_rule;

 typedef struct _yc_string {

@@ -157,6 +157,9 @@ int yr_execute_code(

   int cycle = 0;

 #if REAL_YARA

   int tidx = yr_get_tidx();

+#else

+

+  cli_dbgmsg("yara_exec: beginning execution for lsig %i\n", aclsig->id);

 #endif

   #ifdef PROFILING_ENABLED

@@ -422,8 +425,7 @@ int yr_execute_code(

 #if REAL_YARA

         push(rule->t_flags[tidx] & RULE_TFLAGS_MATCH ? 1 : 0);

 #else

-        //tbd clamav

-        push(rule->g_flags & RULE_TFLAGS_MATCH ? 1 : 0);

+        push(acdata->yr_matches[rule->lsigid]);

 #endif

         break;

@@ -436,7 +438,10 @@ int yr_execute_code(

 #if REAL_YARA

           rule->t_flags[tidx] |= RULE_TFLAGS_MATCH;

 #else

-          rule_matches++;

+        {

+            rule_matches++;

+            acdata->yr_matches[aclsig->id] = 1;

+        }

 #endif

         #ifdef PROFILING_ENABLED