rfxn/linux-malware-detect

clamscan arguments for maldetect with yara rules

gmrfrost opened this issue · 2 comments

Hi,

Not sure this is an issue at all, but I was wondering if normalize=no should be used in clamav for yara compatibility.

regards,

Example:
We are testing customized yara rules to detect strings like str_replace and base64_decode, which in some shells are obfuscated as ('str', '_re', 'ce', 'pla'), ('ode', 'e64_', 'bas', 'dec'), 'ba'.'se'. 128/2 .'_' .'de'.'co'.'de' and so on.
In our test, some files match the regexp when normalize is used. Not an issue at all, but I was wondering if normalize should not be used to enable compatibility with yara rules, as explained in the clamscan cli help:

--normalize[=yes(*)/no] Normalize html, script, and text files. Use normalize=no for yara compatibility

Thanks

rfxn commented

In an ideal state, you are running clamd in which case maldet will inherit whatever configuration options you have set for the clamd service (such as normalize=no).

If you are not running clamd as a service, you could set clamscan_extraopts="--normalize=no" in internals/internals.conf or within one of the configuration files, such as conf.maldet.cron.
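To make the thread's point concrete, here is an added example (not code from linux-malware-detect or ClamAV): a small Python scanner that implements the three rule styles discussed above (a literal match, a `.`-concatenation join that also folds `128/2` into `64`, and a permutation check over array pieces) and runs them over constructed PHP fragments modelled on the obfuscations listed in the issue. It then repeats the scan on a copy passed through `normalize_text()`, which is a deliberately simplified stand-in for scanner text normalization (lowercase plus whitespace collapsing; an assumption, ClamAV's real normalizer is more involved). The `upper` sample shows the effect the issue describes: a case-sensitive rule that misses the raw file hits the normalized copy, so clamscan with the default `--normalize=yes` and a standalone `yara` run disagree. All sample inputs and rule names are constructed for this example.

```python
"""Detection of concatenation-obfuscated PHP function names, and a
demonstration of how text normalization changes which rules fire.
Added example, not part of linux-malware-detect or ClamAV."""
import itertools
import re

TARGETS = (b"base64_decode", b"str_replace")

# Constructed samples modelled on the obfuscation styles listed in the issue.
SAMPLES = {
    "plain":    b"<?php eval(base64_decode($_POST['c'])); ?>",
    "upper":    b"<?php eval(BASE64_DECODE($_POST['c'])); ?>",
    "dot_join": b"<?php $f = 'ba'.'se'.128/2 .'_'.'de'.'co'.'de'; $f($x); ?>",
    "arr_join": b"<?php $p = array('ode', 'e64_', 'bas', 'dec'); "
                b"$f = $p[2].$p[1].$p[3].$p[0]; ?>",
    "arr_sr":   b"<?php $p = ['str', '_re', 'ce', 'pla']; ?>",
    "benign":   b"<?php echo 'please decode the base of this string'; ?>",
}

# A chain of literals joined with '.', where a literal is a quoted string,
# an integer, or an integer division such as 128/2.
_CHAIN = re.compile(
    rb"(?:'[^']*'|\"[^\"]*\"|\d+(?:\s*/\s*\d+)?)"
    rb"(?:\s*\.\s*(?:'[^']*'|\"[^\"]*\"|\d+(?:\s*/\s*\d+)?))+"
)
_TOKEN = re.compile(rb"'[^']*'|\"[^\"]*\"|\d+\s*/\s*\d+|\d+")
# array('a', 'b') or ['a', 'b'] holding only string literals.
_ARRAY = re.compile(
    rb"(?:array\s*\(|\[)\s*"
    rb"((?:'[^']*'|\"[^\"]*\")(?:\s*,\s*(?:'[^']*'|\"[^\"]*\"))*)"
    rb"\s*[\)\]]"
)
_LIT = re.compile(rb"'([^']*)'|\"([^\"]*)\"")


def _piece_value(tok: bytes) -> bytes:
    """Evaluate one concatenation piece the way PHP would print it."""
    if tok[:1] in (b"'", b'"'):
        return tok[1:-1]
    if b"/" in tok:                       # e.g. 128/2 -> 64
        a, b = (int(x) for x in tok.split(b"/"))
        return str(a // b if a % b == 0 else a / b).encode()
    return tok


def scan(data: bytes) -> set:
    """Return {(rule_name, target)} for every rule/target pair that fires."""
    hits = set()
    for t in TARGETS:
        if t in data:                     # case-sensitive, like YARA without nocase
            hits.add(("direct", t))
    for m in _CHAIN.finditer(data):
        joined = b"".join(_piece_value(tok) for tok in _TOKEN.findall(m.group(0)))
        for t in TARGETS:
            if t in joined:
                hits.add(("dot_concat", t))
    for m in _ARRAY.finditer(data):
        pieces = [a or b for a, b in _LIT.findall(m.group(1))]
        if len(pieces) > 6:               # keep the permutation search bounded
            continue
        for perm in itertools.permutations(pieces):
            joined = b"".join(perm)
            for t in TARGETS:
                if t in joined:
                    hits.add(("array_pieces", t))
    return hits


def normalize_text(data: bytes) -> bytes:
    """Simplified stand-in for scanner text normalization (assumption:
    lowercase and collapse whitespace; ClamAV's normalizer does more)."""
    return re.sub(rb"\s+", b" ", data.lower())


def compare(data: bytes) -> dict:
    """Scan the raw bytes and a normalized copy, as a standalone yara run
    and clamscan --normalize=yes would respectively see them."""
    return {"raw": scan(data), "normalized": scan(normalize_text(data))}


def normalization_changes_result(data: bytes) -> bool:
    r = compare(data)
    return r["raw"] != r["normalized"]


if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        r = compare(blob)
        flag = "DIFFERS" if r["raw"] != r["normalized"] else "same"
        print(f"{name:9s} raw={sorted(r['raw'])} normalized={sorted(r['normalized'])} [{flag}]")
```

The `dot_concat` and `array_pieces` rules fire identically on both copies, because they key on structure rather than case. Only the case-sensitive literal rule diverges, which is the kind of rule-set-dependent difference that makes running clamd (or clamscan) with `normalize=no` the safer choice when the rules were written and tested with `yara` directly.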