Comments (2)
gmrfrost
commented on August 18, 2024
1
Example:
We are testing customized yara rules to detect strings like str_replace, base64_decode which in some shells are obfuscated as ('str', '_re', 'ce', 'pla'), ('ode', 'e64_', 'bas', 'dec') , 'ba'.'se'. 128/2 .'_' .'de'.'co'.'de' and so on.
In our test, some files matchs the regexp when normalize is used. Not an issue at all, but I was wondering if normalize should be not used to enable compatibility with yara rules, as explained in the clamscan cli help:
--normalize[=yes(*)/no] Normalize html, script, and text files. Use normalize=no for yara compatibility
Thanks
from linux-malware-detect.
rfxn
commented on August 18, 2024
In an ideal state, you are running clamd in which case maldet will inherit whatever configuration options you have set for the clamd service (such as normalize=no).
If you are not running clamd as a service, you could set clamscan_extraopts="--normalize=no" in internals/internals.conf or within one of the configuration files, such as conf.maldet.cron.
from linux-malware-detect.
Related Issues (20)
- Malware name not always logged to the quarantine history
- cron.daily not sourcing custom configuration files
- Add default case for WordOps installation HOT 1
- Logrotate failed Maldetect (Ubuntu v20.04) HOT 1
- Maldet signatures only update twice a week. HOT 1
- Missing path in output messages HOT 1
- Proxy/cache maldet.sigs.ver and other artefacts HOT 2
- c99.php is not detected. Signatures out of date? HOT 2
- LMD + ClavAV | /etc/passwd - issue HOT 2
- pre1-1.6.5 Failed to enable unit: Unit file maldet.service does not exist. HOT 2
- maldet upgrade kills maldet monitoring
- Regression with 1.6.5 sending emails to [email protected]? HOT 6
- Can you create a dockerfile
- [Help]Cannot start maldet HOT 1
- scan returned empty file list; check that the path exists and contains files in scope of configuration HOT 1
- Debian monitor mode not working HOT 1
- False Positive in magento-coding-standard
- maldet on Debian 12 not running as non-root user
- how come the main website www.rfxn.com/projects/linux-malware-detect/ is not behind a https
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from linux-malware-detect.