In order to minimize the amount of regex execution in ClamAV, regex signatures are usually run until the first match is detected. This means that counting regex matches does not work in the general case.
The ClamAV ldb signatures have a custom flag 'g' which specifies to the engine to find all matches of the affected regex signature; yara signatures unfortunately do not have such an option at this time.

-Kevin

On Wed, Apr 13, 2016 at 7:27 PM, David Shrimpton <d.shrimp...@its.uq.edu.au> wrote:
> Using #match as a condition in a yara rule to
> count the occurrences of $match doesn't appear to
> work where $match is a regex.
> #match only appears to work if $match is a string literal
> eg "abc123"
>
> Is #match intended to work with a regex ?
>
> --
> David Shrimpton
> _______________________________________________
> Help us build a comprehensive ClamAV guide:
> https://github.com/vrtadmin/clamav-faq
>
> http://www.clamav.net/contact.html#ml