search

Cisco-Talos / clamav

ClamAV - Documentation is here: https://docs.clamav.net
https://www.clamav.net/
GNU General Public License v2.0
4.27k stars 692 forks source link

Yara keywords (uint32be & others) are not supported by (Lib)ClamAV yet... #606

Open pettai opened 2 years ago

pettai commented 2 years ago

Describe the bug

uint32be is Yara keyword that has been around since 2014 (Yara v3.2.0) and is used in some yara-rules to find malicious contents, however these rules cannot be utilized by ClamAV yet today...

This has been reported at other places too: https://forums.gentoo.org/viewtopic-t-1035172-start-0.html https://bugs.launchpad.net/ubuntu/+source/clamav/+bug/1883857 https://www.mail-archive.com/clamav-users@lists.clamav.net/msg41480.html https://github.com/extremeshok/clamav-unofficial-sigs/issues/384

How to reproduce the problem

Download https://raw.githubusercontent.com/Yara-Rules/rules/56c5e06b41fb9a6e8331600d2ab136d426c52bf6/maldocs/Maldoc_CVE_2017_11882.yar

~ % clamscan -V
ClamAV 0.105.0

~ % clamscan -d Downloads/Maldoc_CVE_2017_11882.yar a_doc_file.doc
LibClamAV Error: yyerror(): Downloads/Maldoc_CVE_2017_11882.yar line 18 undefined identifier "uint32be"
LibClamAV Warning: cli_loadyara: failed to parse or load 1 yara rules from file Downloads/Maldoc_CVE_2017_11882.yar, successfully loaded 0 rules.
LibClamAV Warning: cli_loadyara: empty database file
Compiling:   0s, ETA:   0s [========================>]       40/40 tasks

~ % clamconf -n
Checking configuration files in /opt/homebrew/etc/clamav

clamd.conf not found

freshclam.conf not found

clamav-milter.conf not found

Software settings
-----------------
Version: 0.105.0
Optional features supported: MEMPOOL AUTOIT_EA06 BZIP2 LIBXML2 PCRE2 ICONV JSON RAR

Database information
--------------------
Database directory: /opt/homebrew/Cellar/clamav/0.105.0/share/clamav
WARNING: freshclam.conf and clamd.conf point to different database directories
Total number of signatures: 0

Platform information
--------------------
uname: Darwin 21.4.0 Darwin Kernel Version 21.4.0: Fri Mar 18 00:46:32 PDT 2022; root arm64
OS: Darwin, ARCH: arm64, CPU: arm64
zlib version: 1.2.11 (1.2.11), compile flags: a9
platform id: 0x040396960800000000040201

Build information
-----------------
Clang: Apple LLVM 13.1.6 (clang-1316.0.21.2) (4.2.1)
sizeof(void*) = 8
Engine flevel: 150, dconf: 150

Attachments

You'll find some yara-rules with this yara-keyword that won't load here: https://github.com/Yara-Rules/rules/search?q=uint32be&type=code and some more here: https://github.com/Neo23x0/signature-base/search?q=uint32be&type=code

micahsnyder commented 2 years ago

Yara's uint32be() feature is a really neat feature. ClamAV offers a similar capability through the "byte compare" subsignature for logical signatures: https://docs.clamav.net/manual/Signatures/LogicalSignatures.html#byte-compare-subsignatures ClamAV's byte compare feature allows not only raw byte comparison with different endianness, signedness, and byte width. And it also enables evaluation from decimal text and hex text numbers instead of evaluating the raw bytes.

But ClamAV's byte compare feature requires a different pattern as a trigger, with an offset from the start of that pattern match, so unfortunately it will not translate directly to Yara's uint32be() feature. That is, I don't expect we can simply map the Yara functionality to ClamAV's functionality the way we have with Yara's text and regex pattern matching. Adding the Yara feature would therefore require an entirely new feature in ClamAV to evaluate bytes at an exact offset without anchoring to a pattern match, and so is unlikely to happen soon. I'm not saying it's not a great request, just that it's not an easy translation from an existing ClamAV signature feature.

pettai commented 2 years ago

Thanks for your insights @micahsnyder

I see this mainly as an usability feature with ClamAVs Yara-scan support. New Yara-rules tend to utilize the full yara keyword "palette", and then it becomes hard to just grab and utilize the yara rules supplied form various sources nowadays, so ClamAV users have to spend time on converting them to fit (or just give up because lack of knowledge etc.)

(btw. I also noted that the documentation at https://docs.clamav.net/manual/Signatures/LogicalSignatures.html#byte-compare-subsignatures lacks examples, that would also be helpful to provide)

micahsnyder commented 2 years ago

Agreed! It definitely needs more examples. A lot of the signature types do, in fact. :(