Can we get the status plx
On Thursday, June 25, 2015 9:30 PM, "clamav-users-requ...@lists.clamav.net" <clamav-users-requ...@lists.clamav.net> wrote:

Today's Topics:

   1. clamav 0.99 beta yara (Steve Basford)
   2. Re: clamav 0.99 beta yara (Steve Basford)

----------------------------------------------------------------------

Message: 1
Date: Thu, 25 Jun 2015 08:22:01 +0100
From: "Steve Basford" <steveb_cla...@sanesecurity.com>
To: clamav-users@lists.clamav.net
Subject: [clamav-users] clamav 0.99 beta yara
Message-ID: <6a3b534faa9cb86ddd7924374d9642f1.squir...@sirius.servers.eqx.misp.co.uk>

Couple of pre-coffee questions...

1) From what I can tell Yara signature names will be generated based on the yara rule name provided... eg:

testname.yara:

rule Sanesecurity.test
{
    strings:
        $match1 = "test"
        $ignore1 = "this1"
        $ignore2 = "this2"
    condition:
        $match1 and not ($ignore1 or $ignore2)
}

So, if it matched the name will be:

Sanesecurity.test.UNOFFICIAL

Would it be a good idea if ClamAV engine *auto-added* .Yara or _Yara to the end/beginning of Yara signatures to help end-users work out if it's a normal ClamAV database or a Yara rule:

Eg: Sanesecurity.test.Yara.UNOFFICIAL

2) I take it Yara signatures can be whitelisted using .ign2 etc.

Cheers,

Steve
Web : sanesecurity.com
Blog: sanesecurity.blogspot.com

------------------------------

Message: 2
Date: Thu, 25 Jun 2015 11:35:48 +0100
From: "Steve Basford" <steveb_cla...@sanesecurity.com>
To: "ClamAV users ML" <clamav-users@lists.clamav.net>
Subject: Re: [clamav-users] clamav 0.99 beta yara
Message-ID: <25413be99c1bf35e1a4bfa5d1bd66c91.squir...@sirius.servers.eqx.misp.co.uk>

Just a few more questions to think about...

3) Clamscan --official-db-only=yes

Will that only apply to ndb's or to Yara too... or do we need --official-yara-only=yes?

4) Clamscan --yara-signatures=no

Will there be an option like the above to disable Yara sigs?

5) Will there be an option to *only* use Yara sigs, eg. --only-yara-dbs=yes and ignore ndb's

So, options in both clamd.conf and clamscan... just to give people flexibility?

Cheers,

Steve
Web : sanesecurity.com
Blog: sanesecurity.blogspot.com