On 13/04/2016 16:37, Steven Morgan wrote:
> Hi,
>
> The first question is: Do you have pcre installed and was it found by
> ClamAV ./configure?
[cut]

Oops, I forgot to mention my system configuration, sorry. I'm using it on my antispam server with Debian Jessie (with clamav 0.99+dfsg-0+deb8u2 and libpcre3 8.35-3.3+deb8u4) and also testing on my laptop with Arch Linux (clamav 0.99.1-2 and pcre 8.38-3). I tried to recompile clamav on my laptop and it finds pcre in /usr, as expected.

I think that pcre works fine, because I can match patterns on the email's content, but not in the email headers (i.e. X-Mailer:, From:, etc.).

I'll try to explain with an example. On http://pastebin.com/gixrDAXq you should find the 3 files used (a simple email and two custom rulesets).

Using rules from Yara:

$ yara -s test_header.yara test.eml
Header_string test.eml
0x1f1:$match: pass
0x2a2:$match: pass
Header_Regex test.eml
0x1f1:$match: pass
0x2a2:$match: pass
$ yara -s test_body.yara test.eml
Body_string test.eml
0x440:$match: test mailing
Body_Regex test.eml
0x440:$match: test mailing

Using rules from clamav:

$ clamscan --no-summary -d test_header.yara -z test.eml
test.eml: YARA.Header_string.UNOFFICIAL FOUND
$ clamscan --no-summary -d test_body.yara -z test.eml
test.eml: YARA.Body_string.UNOFFICIAL FOUND
test.eml: YARA.Body_Regex.UNOFFICIAL FOUND

I think that test_header.yara has to match the "pass" string in the header part with that simple regex. I'm trying to debug it but my code knowledge is limited; it seems that every time a regex is used the header part is not parsed by clamav (even if I use a "string" rule together with a "regex" rule, i.e. $match_string and $match_regex).

k.
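As an added illustration (not part of the thread, and not the poster's test.eml or rulesets, which are only on the pastebin link), the script below reproduces the kind of check the poster is doing with `yara -s`: it splits a raw message into header and body at the first empty line, runs a literal string and an equivalent regex over each section, and reports absolute offsets per section. The message, the literal `pass` / `test mailing` strings and the regexes are constructed here; the point is to show where a rule's hits land so a string-versus-regex discrepancy in the header section (the symptom described above) can be confirmed independently of the scanner under test.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample message (not the poster's test.eml): "pass" occurs twice
# in the headers (From: and X-Mailer:) and "test mailing" once in the body.
SAMPLE_EML = (
    b"From: pass <sender@example.invalid>\r\n"
    b"To: recipient@example.invalid\r\n"
    b"Subject: hello\r\n"
    b"X-Mailer: pass\r\n"
    b"\r\n"
    b"This is a test mailing.\r\n"
)

Hit = Tuple[str, int, bytes]  # (section, absolute offset, matched bytes)


def split_headers_body(raw: bytes) -> Tuple[bytes, bytes, int]:
    """Split a raw RFC 822 message at the first empty line.

    Returns (headers, body, body_offset) where body_offset is the absolute
    byte position of the first body byte, so hits can be reported the way
    `yara -s` does (offsets into the whole file)."""
    for sep in (b"\r\n\r\n", b"\n\n"):
        idx = raw.find(sep)
        if idx != -1:
            return raw[:idx], raw[idx + len(sep):], idx + len(sep)
    return raw, b"", len(raw)  # headers only, no body


def find_matches(raw: bytes, pattern: bytes, is_regex: bool) -> List[Hit]:
    """Run one pattern over the header and body sections separately.

    A literal pattern is escaped so it behaves like a YARA text string;
    a regex pattern is compiled as given (bytes regex, no flags)."""
    headers, body, body_off = split_headers_body(raw)
    rx = re.compile(pattern if is_regex else re.escape(pattern))
    hits: List[Hit] = []
    for section, data, base in (("header", headers, 0), ("body", body, body_off)):
        for m in rx.finditer(data):
            hits.append((section, base + m.start(), m.group(0)))
    return hits


def compare_string_vs_regex(raw: bytes, literal: bytes, regex: bytes) -> Dict[str, object]:
    """Report where a literal string and an equivalent regex match, per section.

    'header_offsets_agree' is True when both patterns hit the same header
    offsets. If the literal hits in the headers but the regex does not when
    run through some other engine, that engine (not the pattern) is what
    needs investigating."""
    s_hits = find_matches(raw, literal, False)
    r_hits = find_matches(raw, regex, True)
    s_hdr = {off for sec, off, _ in s_hits if sec == "header"}
    r_hdr = {off for sec, off, _ in r_hits if sec == "header"}
    return {"string": s_hits, "regex": r_hits, "header_offsets_agree": s_hdr == r_hdr}


if __name__ == "__main__":
    # Constructed rule pairs mirroring the poster's header/body split.
    for name, literal, regex in (
        ("header", b"pass", rb"pa[s]{2}"),
        ("body", b"test mailing", rb"test\s+mailing"),
    ):
        report = compare_string_vs_regex(SAMPLE_EML, literal, regex)
        print(f"[{name}] agree={report['header_offsets_agree']}")
        for kind in ("string", "regex"):
            for sec, off, match in report[kind]:  # type: ignore[union-attr]
                print(f"  {kind:6} {sec:6} 0x{off:x}: {match!r}")
```

Running it prints each hit with its section and hex offset, in the same spirit as the `yara -s` listing above. Feeding the same .eml and patterns to the scanner being evaluated and comparing which header offsets it reports is the quickest way to tell a rule-syntax problem from a section-handling problem in the engine.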