Hi, I'm going mad with a strange behaviour of clamav with custom yara rules.
I'm trying to match some nasty spam email. I decided to use yara for my custom rules, but I noticed a problem: if I use only string detection, clamav (either via clamscan or clamdscan) matches all of the email (text + headers), but if I use regex detection it only matches the email's text.

For example: $mail_header = /X-Mailer: PHPMailer 5\.2\./ doesn't match, but: $mail_header = "X-Mailer: PHPMailer 5.2." matches.

I tried to "reduce" the match to only "ailer", but the situation doesn't change, even appending a "nocase" flag.

Am I wrong or is there something strange? :)

k.

_______________________________________________
Help us build a comprehensive ClamAV guide: https://github.com/vrtadmin/clamav-faq
http://www.clamav.net/contact.html#ml
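A probe rule set for isolating the behaviour described above, added here as an example and not taken from the original post or from the ClamAV project. It expresses the same X-Mailer header three ways, one rule per form, so that ClamAV's report (it names a YARA hit `YARA.<rule name>.UNOFFICIAL`) tells you which string type actually fired on a given message. The rule names, the `.yara` file name and the sample path used below are assumptions.

```yara
// Added example, not code from the original post or from ClamAV.
// Three rules, one per string form, so the scanner output shows which form matched.

rule phpmailer_header_text
{
    meta:
        description = "X-Mailer: PHPMailer 5.2. as a plain text string (form the post reports as matching)"

    strings:
        $txt = "X-Mailer: PHPMailer 5.2." nocase

    condition:
        $txt
}

rule phpmailer_header_hex
{
    meta:
        description = "Same bytes as a hex string: no text/regex handling involved"

    strings:
        // ASCII "X-Mailer: PHPMailer 5.2." written out byte by byte
        $hex = { 58 2D 4D 61 69 6C 65 72 3A 20 50 48 50 4D 61 69 6C 65 72 20 35 2E 32 2E }

    condition:
        $hex
}

rule phpmailer_header_regex
{
    meta:
        description = "The regex form from the post (form the post reports as not matching on headers)"

    strings:
        $re = /X-Mailer: PHPMailer 5\.2\./

    condition:
        $re
}
```

Run it with all-match mode so the scan does not stop at the first hit, e.g. `clamscan --allmatch -d phpmailer_probe.yara sample.eml` (file names assumed). If `YARA.phpmailer_header_text.UNOFFICIAL` and `YARA.phpmailer_header_hex.UNOFFICIAL` are reported but `YARA.phpmailer_header_regex.UNOFFICIAL` is not, the difference is confined to how the regex string is handled rather than to how the message is parsed; if the hex rule also misses, the header bytes are not reaching the scanner in the form the rule expects.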