Nibin,

For text files, ClamAV will do normalization (which, among other things, will condense whitespace) and scan against that file as well, so maybe the PHP script after normalization is < 1024 bytes? To confirm, try running clamscan with '--debug --leave-temps' and then look for messages like 'saving normalized file to' to get the path of the normalized file(s). What is the size of that/those file(s)?

-Andrew

On Fri, May 17, 2019 at 1:12 PM Nibin V M via clamav-users <clamav-users@lists.clamav.net> wrote:

> Hello All,
>
> I am not sure whether it's a basic question...but I am struggling with
> this issue for a few days. I have created a rule with the following
> condition.
>
> =======
> condition:
> is_php and filesize < 1024 and $str1 and ($str2 or $str3 or $str4)
> ========
>
> Ideally, I want to scan the files only under 1KB. But it is triggering for
> files which are bigger than 1KB. For example.
>
> ========
> [root@server1 ~]# stat -c '%n %s' /home/gal2.php
> /home/gal2.php 3693
> [root@server1 ~]# clamscan -d me.yara /home/gal2.php
> /home/gal2.php: YARA.My_Test_Rule.UNOFFICIAL FOUND
> ===========
>
> So as you can see the file is 3K+ in size but still triggering the rule.
> If I reduce the filesize to 600 it will work fine. What can be the cause?
> But when I try using direct YARA command this issue is not happening.
>
> Any help will be appreciated...thanks in advance.
>
> --
> Regards....
>
> Nibin.
>
> _______________________________________________
>
> clamav-users mailing list
> clamav-users@lists.clamav.net
> https://lists.clamav.net/mailman/listinfo/clamav-users
>
> Help us build a comprehensive ClamAV guide:
> https://github.com/vrtadmin/clamav-faq
>
> http://www.clamav.net/contact.html#ml
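
The check suggested in the reply, as a small shell helper (an added example, not part of the original thread and not ClamAV's own tooling): it runs clamscan with `--debug --leave-temps`, pulls the paths out of the 'saving normalized file to' debug lines, and compares each normalized file's size with the rule's `filesize` limit. The function names and the default limit of 1024 are assumptions of this example, as is the path being the last thing on that debug line.

```shell
#!/bin/sh
# Usage: sh normsize.sh FILE RULES [LIMIT]
#   e.g. sh normsize.sh /home/gal2.php me.yara 1024

# Read clamscan --debug output on stdin and print the path of every
# normalized temp file it mentions (assumes the path ends the line).
normalized_paths() {
    sed -n 's/.*saving normalized file to //p'
}

# Read file paths on stdin and print "<path> <bytes> <verdict>", where the
# verdict says whether a "filesize < LIMIT" condition would hold for it.
report_sizes() {
    limit=$1
    while IFS= read -r path; do
        [ -f "$path" ] || continue
        size=$(wc -c < "$path" | tr -d ' ')
        if [ "$size" -lt "$limit" ]; then
            verdict="under"
        else
            verdict="not-under"
        fi
        printf '%s %s %s\n' "$path" "$size" "$verdict"
    done
}

# Scan FILE with RULES, then list the original and every normalized copy
# with its size. clamscan writes debug messages to stderr, hence 2>&1.
# --leave-temps keeps the temp files on disk; delete them afterwards.
check_file() {
    file=$1 rules=$2 limit=${3:-1024}
    printf '%s\n' "$file" | report_sizes "$limit"
    clamscan --debug --leave-temps -d "$rules" "$file" 2>&1 \
        | normalized_paths | report_sizes "$limit"
}

# Only run a scan when called with arguments, so the file can be sourced.
if [ "$#" -ge 2 ]; then
    check_file "$@"
fi
```

If a normalized copy is reported as "under" while the original is "not-under", the `filesize < 1024` condition is being satisfied by the normalized buffer rather than the file on disk.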