First, ClamAV 0.99 supports YARA rules. YARA is another popular open source project for malware detection, analysis, and classification. YARA rules, in a nutshell, contain a list of strings and a powerful logical expression called the YARA condition. A YARA condition is typically composed of logical operations upon the YARA rule’s strings, with many other condition operators available as well. YARA strings come in three flavors: literal text strings (with modifier keywords NOCASE, FULLWORD, WIDE and ASCII), hexadecimal (including wildcard and alternates, similar to substrings in ClamAV’s logical signatures), and regular expressions. The full documentation about YARA rules may be found at http://plusvic.github.io/yara/.
One of the key benefits ClamAV brings to YARA is leveraging ClamAV’s myriad file decomposition capabilities. This enables YARA rules to automatically match on malware residing in any of the compression, archive, document, or packer formats provided by ClamAV.
Using YARA rules with ClamAV is simple: just place your YARA rule files into the ClamAV virus database directory, which is /usr/local/share/clamav by default. Alternatively, you can place them in another location and point ClamAV at it with the --database command line option for clamscan, or with the DatabaseDirectory parameter in clamd.conf if you are using clamd and clamdscan.
Additionally in ClamAV 0.99, we have added regular expression support to ClamAV’s logical signatures. This will enable signature authors to more readily reuse regular expression constructs from the Snort rule collection, thus providing more powerful malware detection for ClamAV.
Regular expressions in both YARA rules and ClamAV logical signatures require the Perl Compatible Regular Expressions (PCRE) library. Please ensure PCRE is installed on your system when configuring ClamAV. The ClamAV configure script will automatically look for PCRE in /usr/lib and /usr/local/lib. If you have PCRE installed in a different location, use ./configure --with-pcre=DIR to specify the directory where PCRE resides.
There are currently a few limitations of YARA rules within ClamAV 0.99 beta1, due either to nonexistent ClamAV capabilities or to YARA features that did not fit well into the ClamAV processing model. We hope to further evaluate and include as much of this functionality as possible in subsequent releases. YARA rules using any of the following features will be flagged as errors, and the respective rules will be disabled:
- Single byte YARA string components – currently in the ClamAV matcher, all strings, as well as components of strings delimited by wildcards, must be at least two bytes in length
- External variables – variables referenced in YARA conditions whose value may be set using the yara -d command line option.
- Private rules – YARA rules which do not trigger by themselves. They are intended to match only when referenced by other YARA rules. These use the private keyword.
- Global rules – YARA rules whose conditions are intended to be in effect for all other YARA rules. These use the global keyword.
- Modules – A YARA feature intended to provide modular extensions to the YARA core. Modules are normally activated using the import keyword.
- Rules precompiled with the YARA compiler – ClamAV only reads YARA rules in the original source form.
- Rule tags – intended to provide a results filtering mechanism by specifying tag names on YARA rules and then using the yara -t command line option to name the matching rule tags of interest.
- References to other rules – intended to use the results from other YARA rules in a YARA condition.
- YARA rules containing only a YARA condition – YARA rules in ClamAV currently must contain at least one string.
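As an added illustration (not code from the ClamAV project or from the original post), a heuristic Python linter that flags the constructs listed above before a rule set is dropped into the database directory; the sample rules, their names and the `extvar` identifier are constructed, and the checks are regex heuristics rather than a full YARA parser.

```python
import re

# Constructed sample rule set (not from the post) that breaks several of the listed limits.
INCOMPATIBLE_RULE = r'''
import "pe"
private rule Demo_Helper : trojan {
    strings: $h = { E8 ?? ?? ?? ?? 5D }
    condition: $h and filesize < 1MB
}
rule Demo_Condition_Only {
    condition: Demo_Helper and extvar > 0
}
'''
# Condition keywords that are neither string identifiers, rule names nor external variables.
KEYWORDS = {"and", "or", "not", "of", "them", "all", "any", "at", "in", "for", "filesize",
            "entrypoint", "true", "false", "KB", "MB"}
# Header: optional private/global modifiers, rule name, optional ': tag' list, body up to a bare '}'.
RULE_RE = re.compile(r'^\s*((?:(?:private|global)\s+)*)rule\s+(\w+)\s*(?::\s*([^{\n]+))?\s*\{\n(.*?)^\}',
                     re.M | re.S)

def lint_yara(source):
    """Return (rule_name, problem) pairs for the constructs ClamAV 0.99 beta1 rejects (heuristic)."""
    problems = []
    if re.search(r'^\s*import\s+"', source, re.M):
        problems.append(("<file>", "module import"))
    rules = RULE_RE.findall(source)
    names = {r[1] for r in rules}
    for mods, name, tags, body in rules:
        if mods.strip():
            problems.append((name, mods.strip() + " rule"))
        if tags:
            problems.append((name, "rule tags"))
        strings = re.search(r'strings:(.*?)condition:', body, re.S)
        if not strings:
            problems.append((name, "condition-only rule"))
        for ident, val in re.findall(r'(\$\w*)\s*=\s*(.+)', strings.group(1) if strings else ""):
            v = val.strip()
            if v.startswith("{"):  # hex string: split on ?? wildcards, [n-m] jumps and alternation
                parts = re.split(r'\?\?|\[[\d-]*\]|[|()]', v.strip("{} "))
                counts = [len(re.findall(r'[0-9A-Fa-f]{2}', p)) for p in parts if p.strip()]
                if not counts or min(counts) < 2:
                    problems.append((name, ident + ": hex component under 2 bytes"))
            elif v.startswith('"') and len(re.match(r'"((?:\\.|[^"])*)"', v).group(1)) < 2:
                problems.append((name, ident + ": text string under 2 bytes"))
        cond = body.split("condition:", 1)[-1]  # bare identifiers here are rule refs or externals
        for ident in sorted(set(re.findall(r'(?<![$#@!\w])[A-Za-z_]\w*', cond))):
            if ident in names:
                problems.append((name, "references rule " + ident))
            elif ident not in KEYWORDS and not re.match(r'u?int(8|16|32)(be)?$', ident):
                problems.append((name, "external variable " + ident))
    return problems

if __name__ == "__main__":
    for rule, problem in lint_yara(INCOMPATIBLE_RULE):
        print(rule, "-", problem)
```

A rule set that passes the linter may still be rejected by clamscan for reasons the heuristics do not model, so treat it as a pre-check, not a guarantee.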