Hi Ged,
Sorry. I hope you have some hair yet.
I understand that I have to be patient.
Thank you,
Zvi
On 8/19/2021 9:33 PM, G.W. Haywood via clamav-users wrote:
Hi there,
On Thu, 19 Aug 2021, Zvi Kave via clamav-users wrote:
I found that YARA strings like this: $re = /[0-9]{9}/
find only the first 9-digit match in the file.
This spoils my logic ...
After tearing out most of what remains of my hair over YARA rules in ClamAV, my advice is not to try anything fancy until the YARA engine is completely replaced. My list of the faults in it keeps on growing, and AFAICT there's no prospect of any attention being paid to them in the foreseeable future. As you have seen, there are reports going back years. If I had time I'd do it myself, but I don't. I've reached the point where I code YARA rules in as simple a way as I possibly can, and every time I add a new rule or modify an existing one I hope not to find another fault in the engine. Sometimes I've spent hours trying to get it to do a single match correctly and finally given up. It's a terrible shame, because (here at least) YARA rules by a very long way find more spam and malicious mail content than anything else:
$ grep FOUND /var/log/mail.debug | wc -l
60072
$ grep FOUND /var/log/mail.debug | grep -v YARA | wc -l
11530
$ grep FOUND /var/log/mail.debug | grep -v '\(YARA\|MANUAL\)' | wc -l
2876
$ grep FOUND /var/log/mail.debug | grep -v '\(YARA\|MANUAL\|UNOFFICIAL\)' | wc -l
20
$
This is a single mail server, approximately 19 days of August 2021. I'd consider it a low-volume site. For whatever reasons we see very little malicious mail, rarely more than two or three items of malware in a typical day, but quite a lot of spam. I don't know how this compares with the experience of other people here on the list.
_______________________________________________
clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users
Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq
http://www.clamav.net/contact.html#ml
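An added illustration of the match-count problem raised in the thread (this is editor-supplied example code, not anything posted by Zvi, G.W. Haywood or the ClamAV project). The sample payload is constructed; the helper names are hypothetical. It computes, in plain Python, the full set of non-overlapping `[0-9]{9}` hits that a conforming YARA engine should report (the same list `yara -s` would print) and then shows why a count-based condition such as `#re >= 2` breaks if a scanner stops after the first hit. The offsets it returns are a reference you can compare against whatever your scanner reports for the same file.

```python
import re

# Constructed sample data (not from the original thread): three 9-digit runs,
# plus a phone-style number that must NOT match because the hyphen breaks the run.
SAMPLE = b"order 123456789 ref 987654321 tel 555-0100 id 000000001"

# Same pattern as the $re string under discussion: $re = /[0-9]{9}/
NINE_DIGITS = re.compile(rb"[0-9]{9}")


def all_matches(data: bytes):
    """Every non-overlapping hit as (offset, matched_bytes), which is what a
    conforming YARA engine tracks per string and what 'yara -s' prints."""
    return [(m.start(), m.group()) for m in NINE_DIGITS.finditer(data)]


def first_match_only(data: bytes):
    """Models an engine that stops after the first hit (the behaviour Zvi reports)."""
    m = NINE_DIGITS.search(data)
    return [(m.start(), m.group())] if m else []


def count_condition(matches, n: int) -> bool:
    """Emulates a YARA condition of the form '#re >= n' evaluated over a match list."""
    return len(matches) >= n


def compare_engines(data: bytes, n: int) -> dict:
    """Side-by-side view: how many hits each model sees and whether '#re >= n'
    would fire. A scanner that only records the first hit fails any n > 1."""
    full = all_matches(data)
    first = first_match_only(data)
    return {
        "full_count": len(full),
        "full_offsets": [off for off, _ in full],
        "first_count": len(first),
        "fires_with_full": count_condition(full, n),
        "fires_with_first_only": count_condition(first, n),
    }


if __name__ == "__main__":
    # Expected: 3 hits at offsets 6, 20 and 46; '#re >= 2' fires only with the full list.
    print(compare_engines(SAMPLE, 2))
```

Run the script against a real file by replacing `SAMPLE` with the file's bytes; if your scanner reports fewer hits than `all_matches` does for the same pattern, the discrepancy is in the scanner, not in the rule.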