JusticeRage / Manalyze

A static analyzer for PE executables.


update_clamav_signatures.py skips yara rules

jeromeleonard opened this issue · comments

Hello,

While updating our FileInfo Analyzer (TheHive Project) to include manalyzer binaries, we face lots of errors with the update of yara rules in clamav (bin/update_clamav_signatures.py):

[..]
Rule Win.Trojan.Emotet-9778251-0 seems to be malformed. Skipping...
Rule Win.Trojan.Generic-9778253-0 seems to be malformed. Skipping...
Rule Win.Malware.Fsysna-9778257-0 seems to be malformed. Skipping...
Rule Win.Packed.Vobfus-9778258-0 seems to be malformed. Skipping...
Rule Win.Trojan.Azorult-9778259-0 seems to be malformed. Skipping...
Rule Win.Malware.Sctk-9778260-0 seems to be malformed. Skipping...
Rule Win.Trojan.Fareit-9778261-0 seems to be malformed. Skipping...
Rule Win.Trojan.Fareit-9778262-0 seems to be malformed. Skipping...
Rule Win.Trojan.Generic-9778278-0 seems to be malformed. Skipping...
Rule Win.Malware.Zusy-9778280-0 seems to be malformed. Skipping...
[..]

I also tried to run it from the docker image and get similar results.

Hi! Thanks for creating an issue about this. The problem with ClamAV signatures is that they cannot be translated to Yara rules perfectly. That part of the program is also a pain to maintain as new ClamAV rules are pushed continuously and may break the parser. Not to mention, the ClamAV rule specification may be updated without warning, and reference documents may not be trivial to find.

In a lot of cases, I chose to skip rules that either couldn't be understood or translated - it is expected behavior. If you feel one of them should be supported, please mention which one and I will investigate the issue separately. Pull requests are also very welcome for this project, of course.
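To make the "skipped rules are expected" point concrete, here is a small added example (not Manalyze's `update_clamav_signatures.py`, and not code from this project) that translates a subset of ClamAV `.ndb` body-based signatures into YARA hex strings and skips anything it cannot express. The sample `.ndb` lines, their names and byte patterns are constructed for the demonstration; the translation covers literal bytes, `??`, `*` and `{n}`/`{n-m}`/`{-m}`/`{n-}` gaps, plus `*`, absolute and `EP+n` offsets, and rejects alternatives such as `(aa|bb)`, nibble wildcards, unknown offset forms and patterns that would begin or end with a jump. Every rejection is reported with the same "seems to be malformed. Skipping..." message shape seen in the issue, so the output shows why a lossy translator necessarily drops rules rather than emitting YARA that might compile but match something else.

```python
import re

# Constructed sample .ndb lines (made-up names and byte patterns, not real ClamAV signatures).
# Field layout: MalwareName:TargetType:Offset:HexSignature[:MinFL[:MaxFL]]
SAMPLE_NDB = """\
Example.Trojan.A-1:1:*:4d5a90??{4-8}deadbeef
Example.Trojan.B-2:1:EP+0:5589e5*c3
Example.Packer.C-3:1:*:(aa|bb)cc
Example.Trojan.D-4:1:*:{2}414243
Example.Trojan.E-5:1:*:414243zz
Example.Trojan.F-6:1:*:41{-3}42{5-}43
"""

# One token of a ClamAV hex signature: '*' (gap of any length), '{n}', '{n-m}',
# '{-m}', '{n-}', '??' (one wildcard byte) or one literal byte. Alternatives
# '(aa|bb)', nibble wildcards like 'a?' and other constructs are deliberately
# left out, so they fail to tokenise and the rule is skipped.
TOKEN_RE = re.compile(
    r"(?P<star>\*)"
    r"|\{(?P<jump>\d+-\d*|-\d+|\d+)\}"
    r"|(?P<wild>\?\?)"
    r"|(?P<byte>[0-9a-fA-F]{2})"
)
BYTE_RE = re.compile(r"[0-9A-F]{2}")


def clamav_hex_to_yara(hexsig):
    """Translate a ClamAV hex signature body into a YARA hex-string body.

    Raises ValueError for anything this subset cannot express, so the caller
    skips the rule instead of emitting a YARA string with different semantics.
    """
    out = []
    pos = 0
    while pos < len(hexsig):
        m = TOKEN_RE.match(hexsig, pos)
        if m is None:
            raise ValueError("unsupported construct at offset %d" % pos)
        if m.group("star"):
            out.append("[-]")                    # *     -> unbounded jump
        elif m.group("jump") is not None:
            j = m.group("jump")
            if "-" not in j:
                out.append("[%s]" % j)           # {n}   -> [n]
            elif j.startswith("-"):
                out.append("[0%s]" % j)          # {-m}  -> [0-m]
            else:
                out.append("[%s]" % j)           # {n-m} -> [n-m], {n-} -> [n-]
        elif m.group("wild"):
            out.append("??")
        else:
            out.append(m.group("byte").upper())
        pos = m.end()
    # YARA hex strings may not begin or end with a jump; be conservative and
    # require a literal byte at both ends.
    if not out or not BYTE_RE.fullmatch(out[0]) or not BYTE_RE.fullmatch(out[-1]):
        raise ValueError("signature must start and end with a literal byte")
    return " ".join(out)


def is_translatable(hexsig):
    """True if clamav_hex_to_yara() accepts the signature body."""
    try:
        clamav_hex_to_yara(hexsig)
        return True
    except ValueError:
        return False


def offset_to_condition(offset):
    """Map a ClamAV offset field to a YARA condition on the string $sig.

    Returns (condition, needs_pe_module). Offset forms outside '*', a plain
    number and 'EP+n'/'EP-n' raise ValueError so the rule is skipped.
    """
    if offset == "*":
        return "$sig", False
    m = re.fullmatch(r"EP([+-])(\d+)", offset)
    if m:
        return "$sig at pe.entry_point %s %s" % (m.group(1), m.group(2)), True
    if offset.isdigit():
        return "$sig at %s" % offset, False
    raise ValueError("unsupported offset %r" % offset)


def translate_ndb(text):
    """Translate every .ndb line it can; return (yara_rules, skipped_names)."""
    rules, skipped = [], []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 4:
            print("Line %r seems to be malformed. Skipping..." % line)
            continue
        name, _target, offset, hexsig = fields[:4]
        try:
            body = clamav_hex_to_yara(hexsig)
            condition, needs_pe = offset_to_condition(offset)
        except ValueError:
            print("Rule %s seems to be malformed. Skipping..." % name)
            skipped.append(name)
            continue
        ident = re.sub(r"[^A-Za-z0-9_]", "_", name)   # YARA identifier from rule name
        rule = ('import "pe"\n\n' if needs_pe else "") + (
            "rule %s\n{\n    strings:\n        $sig = { %s }\n"
            "    condition:\n        %s\n}\n" % (ident, body, condition)
        )
        rules.append(rule)
    return rules, skipped


if __name__ == "__main__":
    rules, skipped = translate_ndb(SAMPLE_NDB)
    print("\n".join(rules))
    print("translated %d rule(s), skipped %d" % (len(rules), len(skipped)))
```

Running it on the constructed input translates three of the six lines and skips the other three (alternation, a leading jump, and a non-hex character). The design choice worth noting is that every unknown construct is a hard failure: silently dropping a token would produce a YARA rule that compiles but matches a different byte pattern than the ClamAV author intended, which is worse for a scanner than having no rule at all.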

Hello,

I have no specific use case in mind that should be supported; I understand very well the problem there. I just wanted to report it in case this was not considered expected behaviour.

This issue might be closed.