clamscan arguments for maldetect with yara rules
gmrfrost opened this issue · 2 comments
Hi,
Not sure this is an issue at all, but I was wondering if normalize=no
should be used in clamav for yara compatibility.
regards,
Example:
We are testing customized yara rules to detect strings like str_replace, base64_decode, which in some shells are obfuscated as
('str', '_re', 'ce', 'pla')
('ode', 'e64_', 'bas', 'dec')
'ba'.'se'. 128/2 .'_' .'de'.'co'.'de'
and so on.
In our test, some files match the regexp when normalize is used. Not an issue at all, but I was wondering if normalize should not be used, to enable compatibility with yara rules, as explained in the clamscan CLI help:
--normalize[=yes(*)/no] Normalize html, script, and text files. Use normalize=no for yara compatibility
Thanks
In an ideal state, you are running clamd in which case maldet will inherit whatever configuration options you have set for the clamd service (such as normalize=no).
If you are not running clamd as a service, you could set clamscan_extraopts="--normalize=no" in internals/internals.conf or within one of the configuration files, such as conf.maldet.cron.
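As an added example (not the issue author's rules and not part of maldet or ClamAV), a YARA rule that targets the split-fragment obfuscations quoted in the issue; the fragment lengths and the "three or more fragments" threshold are constructed values, and the rule handles case and whitespace itself so that it behaves the same on raw bytes under --normalize=no.

```yara
rule php_split_string_obfuscation
{
    meta:
        description = "Short string fragments joined by PHP concatenation or passed as an array, as used to hide names like base64_decode and str_replace"
        note        = "Example rule; thresholds are constructed and should be tuned against local samples"

    strings:
        // A PHP opening tag, matched case-insensitively so the rule does not
        // depend on ClamAV text normalization (clamscan --normalize=no).
        $php = "<?php" nocase

        // Three or more short quoted fragments joined with '.', where a fragment
        // may also be a small arithmetic expression such as 128/2 (becomes "64").
        // Covers: 'ba'.'se'. 128/2 .'_' .'de'.'co'.'de'
        $concat = /(['"][A-Za-z0-9_]{1,4}['"]|[0-9]+(\s*\/\s*[0-9]+)?)(\s*\.\s*(['"][A-Za-z0-9_]{1,4}['"]|[0-9]+(\s*\/\s*[0-9]+)?)){3,}/

        // An array literal of four or more short fragments.
        // Covers: ('str', '_re', 'ce', 'pla') and ('ode', 'e64_', 'bas', 'dec')
        $array = /\(\s*(['"][A-Za-z0-9_]{2,4}['"]\s*,\s*){3,}['"][A-Za-z0-9_]{2,4}['"]\s*\)/

    condition:
        $php and ($concat or $array)
}
```

Test the rule with the yara binary on a known sample first, then under clamscan with --normalize=no, so both tools are matching the same raw bytes; short-fragment concatenation also appears in legitimate code, so treat hits as candidates for review rather than confirmed detections.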