Mark,

The pe import module of yara rules is not currently implemented in ClamAV. Other specifics of using yara rules in Clam may be found in docs/signatures.pdf. Also, looks like errors in EMAIL_Cryptowall.yar yara rule?
Hope this helps,
Steve

On Fri, Mar 31, 2017 at 1:45 PM, Mark Foley <mfo...@novatec-inc.com> wrote:
> Per advice on this list, I downloaded and installed the clamav-unofficial-sigs
> scripts from the link on Sanesecurity.
>
> I've not been able to get it running. Two problems:
>
> 1. The /etc/cron.d/clamav-unofficial-sigs cron script won't run from crond.
> I get an email:
>
> /bin/sh: clamav: command not found
>
> I've searched the computer and the clamav-unofficial-sigs.sh script looking for a
> reference to a clamav command and simply cannot find such a command. I've
> sprinkled `echo` statements throughout clamav-unofficial-sigs.sh and redirected
> the cron script's output to a log file. I never get anything in the logfile.
> Yet, if I run clamav-unofficial-sigs.sh as root manually, it runs fine.
>
> 2. I run a cron'd clamscan job to scan mail folders several times a day. I get
> the following errors which are new since installing the unofficial-sigs:
>
> LibClamAV Error: yyerror(): /var/lib/clamav/antidebug_antivm.yar line 497 undefined identifier "pe"
> LibClamAV Error: yyerror(): /var/lib/clamav/antidebug_antivm.yar line 512 undefined identifier "pe"
> LibClamAV Error: yyerror(): /var/lib/clamav/antidebug_antivm.yar line 528 undefined identifier "pe"
> LibClamAV Error: yyerror(): /var/lib/clamav/antidebug_antivm.yar line 544 undefined identifier "pe"
> LibClamAV Error: yyerror(): /var/lib/clamav/antidebug_antivm.yar line 557 undefined identifier "pe"
> LibClamAV Error: yyerror(): /var/lib/clamav/antidebug_antivm.yar line 603 undefined identifier "pe"
> LibClamAV Error: yyerror(): /var/lib/clamav/antidebug_antivm.yar line 614 undefined identifier "pe"
> LibClamAV Error: cli_loadyara: failed to parse rules file /var/lib/clamav/antidebug_antivm.yar, error count 7
> LibClamAV Error: yyerror(): /var/lib/clamav/EMAIL_Cryptowall.yar line 34 duplicate identifier "CryptoWall_Resume_phish"
> LibClamAV Error: yyerror(): /var/lib/clamav/EMAIL_Cryptowall.yar line 52 duplicate identifier "docx_macro"
> LibClamAV Error: cli_loadyara: failed to parse rules file /var/lib/clamav/EMAIL_Cryptowall.yar, error count 2
>
> The lines at /var/lib/clamav/antidebug_antivm.yar line 497 are:
>
> 496 contition:
> 497 pe.imports("kernel32.dll","CheckRemoteDebuggerPresent") and
> 498 pe.imports("kernel32.dll","IsDebuggerPresent")
>
> These seem like rather basic programming bugs. Nevertheless, it does appear to
> catch new signatures, e.g.:
>
> /home/HPRS/mpress/Maildir/.Deleted Items/cur/1463485456.M955042P32209.mail,S=13067,W=13269:2,S: Sanesecurity.Foxhole.Zip_fs226.UNOFFICIAL FOUND
> /home/HPRS/mpress/Maildir/.Deleted Items/cur/1460374151.M124643P21974.mail,S=30684,W=31217:2,S: Sanesecurity.Spam.12404.Ml.UNOFFICIAL FOUND
> /home/HPRS/shay/Maildir/.Trash/cur/1485781802.M776532P6090.mail,S=2905,W=2971:2,S!(1)MAIL:mixedtextportion: Sanesecurity.Junk.33365.UNOFFICIAL FOUND
> /home/HPRS/shay/Maildir/.Trash/cur/1486393658.M60634P26487.mail,S=48881,W=49823:2,S: Sanesecurity.Spam.12427.FakeRenew.UNOFFICIAL FOUND
> /home/HPRS/dsmith/Maildir/.Deleted Items.Sent/cur/1443025877.M266324P18041.mail,S=22511,W=22844:2,S: Sanesecurity.Foxhole.Zip_Wordexe.1.UNOFFICIAL FOUND
>
> etc.
>
> Has anyone on this list encountered the same problem and if so were you able to
> fix them? I'm running Slackware.
>
> Thanks, Mark
> _______________________________________________
> clamav-users mailing list
> clamav-users@lists.clamav.net
> http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
>
>
> Help us build a comprehensive ClamAV guide:
> https://github.com/vrtadmin/clamav-faq
>
> http://www.clamav.net/contact.html#ml
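As an added example (not code from this thread, from ClamAV, or from the clamav-unofficial-sigs project), below is a small Python pre-flight check that an administrator could run over downloaded .yar files before ClamAV tries to load them. It flags the two error classes in Mark's log: rules that reference the `pe` module, which Steve notes ClamAV's YARA support does not implement, and duplicate rule identifiers within a file. The embedded rule text is constructed for the demonstration and only modelled on the quoted lines; the regex scan is a heuristic rather than a full YARA parser, and the set of unsupported modules is an assumption taken from the thread, not a list published by ClamAV.

```python
"""Pre-flight check for YARA rule files before ClamAV loads them (added example)."""
import re
import sys
from collections import Counter
from pathlib import Path

# Modules ClamAV's YARA loader does not provide. "pe" comes from Steve's reply;
# anything else you add here is your own assumption.
UNSUPPORTED_MODULES = {"pe"}

# Constructed sample, modelled on the quoted lines in the thread (not a real file).
SAMPLE_YAR = '''\
import "pe"

rule CheckRemoteDebugger
{
    condition:
        pe.imports("kernel32.dll","CheckRemoteDebuggerPresent") and
        pe.imports("kernel32.dll","IsDebuggerPresent")
}

rule docx_macro
{
    strings:
        $a = "vbaProject.bin"
    condition:
        $a
}

rule docx_macro
{
    strings:
        $b = "word/vbaProject.bin"
    condition:
        $b
}

rule plain_string_rule
{
    strings:
        $s = "invoice attached"
    condition:
        $s
}
'''

# Rule header: optional private/global modifiers, then "rule <identifier>".
RULE_RE = re.compile(r'^[ \t]*(?:(?:private|global)[ \t]+)*rule[ \t]+([A-Za-z_][A-Za-z0-9_]*)', re.M)
IMPORT_RE = re.compile(r'^[ \t]*import[ \t]+"([^"]+)"', re.M)


def split_rules(text):
    """Return (name, body) pairs in file order; body runs up to the next rule header."""
    matches = list(RULE_RE.finditer(text))
    rules = []
    for i, m in enumerate(matches):
        end = matches[i + 1].start() if i + 1 < len(matches) else len(text)
        rules.append((m.group(1), text[m.start():end]))
    return rules


def check_rules(text):
    """Find duplicate rule identifiers and rules that reference unsupported modules."""
    rules = split_rules(text)
    counts = Counter(name for name, _ in rules)
    duplicates = sorted(name for name, n in counts.items() if n > 1)
    imported = set(IMPORT_RE.findall(text))
    users = []
    for name, body in rules:
        for mod in sorted(UNSUPPORTED_MODULES):
            # Heuristic: "<module>." at a word boundary inside the rule body. A string
            # literal such as "pe.exe" would also match, so review hits, do not auto-delete.
            if re.search(r'\b' + re.escape(mod) + r'\.', body):
                users.append((name, mod))
    return {
        "duplicates": duplicates,
        "unsupported_imports": sorted(imported & UNSUPPORTED_MODULES),
        "rules_using_unsupported": users,
    }


def loadable_rules(text):
    """Rule names that trigger neither of the two error classes seen in the thread."""
    report = check_rules(text)
    bad = set(report["duplicates"]) | {name for name, _ in report["rules_using_unsupported"]}
    return [name for name, _ in split_rules(text) if name not in bad]


def main(argv):
    """Check each .yar path on the command line; with no arguments, check the sample."""
    paths = [Path(p) for p in argv[1:]]
    if not paths:
        print("no files given; checking the built-in constructed sample")
        print(check_rules(SAMPLE_YAR))
        return 0
    status = 0
    for path in paths:
        report = check_rules(path.read_text(errors="replace"))
        if any(report.values()):
            status = 1  # non-zero so a cron job or update script can stop before loading
            print(f"{path}: {report}")
    return status


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python3 yar_precheck.py /var/lib/clamav/*.yar` from the same update job that fetches the unofficial signatures; a non-zero exit means at least one file contains a rule ClamAV would reject, so the file can be set aside for review instead of producing the `cli_loadyara` failures on every scan.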