Comments (2)
Example:
We are testing customized yara rules to detect strings like str_replace, base64_decode which in some shells are obfuscated as ('str', '_re', 'ce', 'pla'), ('ode', 'e64_', 'bas', 'dec'), 'ba'.'se'. 128/2 .'_' .'de'.'co'.'de' and so on.
In our test, some files match the regexp when normalize is used. Not an issue at all, but I was wondering if normalize should not be used to enable compatibility with yara rules, as explained in the clamscan cli help:
--normalize[=yes(*)/no] Normalize html, script, and text files. Use normalize=no for yara compatibility
Thanks
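As an added illustration of the obfuscated forms quoted in the comment above (not code from the issue or from the maldet project), the following Python resolves PHP literal concatenation with simple integer arithmetic and tries orderings of short quoted fragment lists, so that a plain-text rule can be matched against the reassembled name. The watch list and the sample PHP are constructed assumptions.

```python
import itertools
import re
WATCHLIST = {"str_replace", "base64_decode"}   # names to flag (assumed watch list)

LITERAL = r"'([^'\\]*)'"                 # PHP single-quoted literal such as 'ba'
ARITH = r"(\d+)\s*([*/+-])\s*(\d+)"      # integer arithmetic term such as 128/2
OPERAND = rf"(?:{LITERAL}|{ARITH})"
# Operands joined by PHP's '.' operator, e.g. 'ba'.'se'. 128/2 .'_'.'de'.'co'.'de'
CONCAT = re.compile(rf"{OPERAND}(?:\s*\.\s*{OPERAND})+")
# Parenthesised list of quoted fragments, e.g. ('str', '_re', 'ce', 'pla')
FRAGMENT_LIST = re.compile(r"\(\s*'[^']*'(?:\s*,\s*'[^']*')+\s*\)")

def resolve_concat(expr):
    """Join the literals and arithmetic results of one concatenation chain."""
    parts = []
    for m in re.finditer(OPERAND, expr):
        if m.group(1) is not None:           # quoted literal
            parts.append(m.group(1))
        else:                                # integer arithmetic term
            a, op, b = int(m.group(2)), m.group(3), int(m.group(4))
            val = {"*": a * b, "+": a + b, "-": a - b, "/": a / b}[op]
            parts.append(str(int(val)) if val == int(val) else str(val))  # PHP: 128/2 is 64
    return "".join(parts)

def reassemble_fragments(list_text, watchlist=WATCHLIST):
    """Return the watch-listed name some ordering of the fragments spells, else None."""
    frags = re.findall(r"'([^']*)'", list_text)
    if len(frags) > 6:                       # keep the permutation search bounded
        return None
    for perm in itertools.permutations(frags):
        if "".join(perm) in watchlist:
            return "".join(perm)
    return None

def scan(source, watchlist=WATCHLIST):
    """Sorted watch-listed names in `source`, written plainly or hidden by either trick."""
    found = {n for n in watchlist if re.search(rf"\b{re.escape(n)}\b", source)}
    for m in CONCAT.finditer(source):
        found.add(resolve_concat(m.group(0)))
    for m in FRAGMENT_LIST.finditer(source):
        found.add(reassemble_fragments(m.group(0), watchlist))
    return sorted(found & watchlist)

# Constructed sample mirroring the obfuscated forms quoted in the comment above.
SAMPLE = r"""<?php
$a = array('str', '_re', 'ce', 'pla');
$b = array('ode', 'e64_', 'bas', 'dec');
$fn = 'ba'.'se'. 128/2 .'_' .'de'.'co'.'de';
"""
```

scan(SAMPLE) returns ['base64_decode', 'str_replace'] although neither name appears literally in the sample, which is the situation the rule has to cope with whether or not clamscan's normalization is in play.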
In an ideal state, you are running clamd in which case maldet will inherit whatever configuration options you have set for the clamd service (such as normalize=no).
If you are not running clamd as a service, you could set clamscan_extraopts="--normalize=no" in internals/internals.conf or within one of the configuration files, such as conf.maldet.cron.