Or you can comment out these lines in the master.conf:
#email/EMAIL_Cryptowall.yar|LOW # CryptoWall Resume phish
#Antidebug_AntiVM/antidebug_antivm.yar|LOW # anti debug and anti virtualization techniques used by malware
As I see it, the problems are only with these two rule databases.
I think it's safer and less confusing if "Enabled by default" is changed to "Disabled by default" for the
Yara project rules.
For example, this Yara project rule is causing Errors in ClamAV engine, as it can't cope with the "pe" identifier...
Aug 15 13:42:50 mx0 clamd[12509]: LibClamAV Error: yyerror():
/var/lib/clamav/antidebug_antivm.yar line 497 undefined identifier "pe"
However, if you clamscan the database, e.g.
clamscan --database=antidebug_antivm.yar test.file
LibClamAV Error: yyerror(): antidebug_antivm.yar line 5 syntax error, unexpected LT
LibClamAV Error: yyerror(): antidebug_antivm.yar line 12 unterminated regular expression
LibClamAV Error: cli_loadyara: failed to parse rules file antidebug_antivm.yar, error count 2
test.file: OK
----------- SCAN SUMMARY -----------
Known viruses: 0
Engine version: 0.99.2
Scanned directories: 0
Scanned files: 1
Infected files: 0
Data scanned: 0.06 MB
Data read: 0.03 MB (ratio 2.00:1)
Time: 0.140 sec (0 m 0 s)
echo %errorlevel%
0
The errorlevel is still set to 0, even though the database can't be processed... and it only really shows
as a "debug error".
So:
a) disable Yara project rules by default
b) maybe add some extra checks when copying Yara rules that they scan OK, e.g.
clamscan --database=antidebug_antivm.yar 2> scan.log
egrep "yyerror()|yara" scan.log
check the errorlevel at this stage.
It's all down to the fact that Yara rules and the ClamAV Yara engine aren't 100% compatible.
Cheers,
Steve
Sanesecurity.com
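One way to implement the check suggested in (b), as an added example that is not part of the original post or of the Sanesecurity/ClamAV projects: run clamscan against a single .yar database, capture its stderr, and fail if LibClamAV reports a yyerror()/cli_loadyara parse failure, since clamscan itself still exits 0 in that case. The function names, the temporary test file and the error-line pattern are assumptions based on the log lines quoted above.

```shell
#!/bin/sh
# Added example, not from the original post or the ClamAV/Sanesecurity code.
# clamscan 0.99.x exits 0 even when a YARA rule file fails to parse, so the
# only reliable signal is the "LibClamAV Error: yyerror()" / "cli_loadyara"
# lines it prints on stderr. These helpers turn that into an exit status.

# Returns 0 if the captured clamscan stderr shows no rule parse/load error,
# 1 if it does. $1 is the stderr text. The pattern is an assumption based on
# the messages quoted in the post above.
clamav_log_is_clean() {
    if printf '%s\n' "$1" | grep -Eq 'LibClamAV Error: (yyerror\(\)|cli_loadyara)'; then
        return 1
    fi
    return 0
}

# Scan a harmless temporary file with only the given database loaded and
# return 1 if the database failed to load, 2 if clamscan is unavailable.
# Assumes clamscan is on PATH; the test file content is constructed here.
check_yara_db() {
    db="$1"
    command -v clamscan >/dev/null 2>&1 || { echo "clamscan not found" >&2; return 2; }
    tmp=$(mktemp) || return 2
    printf 'harmless test content\n' > "$tmp"
    # Keep stderr only; clamscan's own exit code is ignored because 1 just
    # means "infected", not "database broken".
    log=$(clamscan --database="$db" "$tmp" 2>&1 >/dev/null) || :
    rm -f "$tmp"
    if clamav_log_is_clean "$log"; then
        echo "$db: OK"
        return 0
    fi
    echo "$db: FAILED TO LOAD" >&2
    printf '%s\n' "$log" | grep 'LibClamAV Error' >&2
    return 1
}

# Usage (only runs when a database path is given on the command line):
#   sh check_yara_db.sh /var/lib/clamav/antidebug_antivm.yar
if [ -n "$1" ]; then
    check_yara_db "$1"
fi
```

Dropping this into the script that copies Sanesecurity's Yara rules into /var/lib/clamav, and refusing to install a file for which check_yara_db returns non-zero, would catch the antidebug_antivm.yar case above before clamd logs it as an error at load time.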