Advanced
Mailing List Archive

Mailing List Archive

  1. Home >
  2. ClamAV>
  3. win32
[clamav-users] YARA rule - Fileszie
clamav-users at lists
May 17, 2019, 10:10 AM
Post #1 of 2 (236 views)
Permalink
Hello All,

I am not sure whether its a basic question...but I am struggling with this
issue for a few days. I have created a rule with the following condition.

=======
condition:
is_php and filesize < 1024 and $str1 and ($str2 or $str3 or $str4)
========

Ideally, I want to scan the files only under 1KB. But it is triggering for
files which is bigger than 1KB. For example.

========
[root@server1 ~]# stat -c '%n %s' /home/gal2.php
/home/gal2.php 3693
[root@server1 ~]# clamscan -d me.yara /home/gal2.php
/home/gal2.php: YARA.My_Test_Rule.UNOFFICIAL FOUND
===========

So as you can see the file is 3K+ in size but still triggering the rule. If
I reduce the filesize to 600 it will work fine. What can be the cause? But
when I try using direct YARA command this issue is not happening.

Any help will be appreciated...thanks in advance.

--
Regards....

Nibin.
Re: [clamav-users] YARA rule - Fileszie [ In reply to ]
awillia2 at sourcefire
May 23, 2019, 7:19 AM
Post #2 of 2 (232 views)
Permalink
Nibin,

For text files, ClamAV will do normalization (which, among other things,
will condense whitespace) and scan against that file as well, so maybe the
PHP script after normalization is < 1024 bytes? To confirm, try running
clamscan with '--debug --leave-temps' and then look for messages like
'saving normalized file to' to get the path of the normalized file(s).
What is the size of that/those file(s)?

-Andrew

On Fri, May 17, 2019 at 1:12 PM Nibin V M via clamav-users <
clamav-users@lists.clamav.net> wrote:

> Hello All,
>
> I am not sure whether its a basic question...but I am struggling with
> this issue for a few days. I have created a rule with the following
> condition.
>
> =======
> condition:
> is_php and filesize < 1024 and $str1 and ($str2 or $str3 or $str4)
> ========
>
> Ideally, I want to scan the files only under 1KB. But it is triggering for
> files which is bigger than 1KB. For example.
>
> ========
> [root@server1 ~]# stat -c '%n %s' /home/gal2.php
> /home/gal2.php 3693
> [root@server1 ~]# clamscan -d me.yara /home/gal2.php
> /home/gal2.php: YARA.My_Test_Rule.UNOFFICIAL FOUND
> ===========
>
> So as you can see the file is 3K+ in size but still triggering the rule.
> If I reduce the filesize to 600 it will work fine. What can be the cause?
> But when I try using direct YARA command this issue is not happening.
>
> Any help will be appreciated...thanks in advance.
>
> --
> Regards....
>
> Nibin.
>
>
> _______________________________________________
>
> clamav-users mailing list
> clamav-users@lists.clamav.net
> https://lists.clamav.net/mailman/listinfo/clamav-users
>
>
> Help us build a comprehensive ClamAV guide:
> https://github.com/vrtadmin/clamav-faq
>
> http://www.clamav.net/contact.html#ml
>

©2024 GT.net. A Gossamer Threads company.
5th Floor, 455 Granville St., Vancouver, BC V6C 1T1, Canada | Legal