LinuxQuestions.org


anagnostou_j@yahoo.com 09-05-2017 03:55 AM

Merge clamAV with YARA and Python3
 
I want to merge clamAV Python and YARA rules. The goal is to scan, on demand, with YARA rules that I have made. I wrote this simple script and it works just fine:
Code:

import pyclamd

# connect to the running clamd (unix socket or TCP, whichever is configured)
cd = pyclamd.ClamdAgnostic()
# scan_file() returns None when the file is clean, otherwise a dict of
# {path: (status, signature)}; comparing against False never matched
x = cd.scan_file('/home/john/Desktop/workSpace/yara/2.pdf')
if x is None:
    print("no ")
else:
    print("Yes")

Is there a way to scan the same .pdf file using YARA rules, but through pyclamd?

Sefyir 09-05-2017 12:18 PM

A quick look at the pyclamd documentation found no mention of "yara" in it.
I would suggest examining the links below to see if there is some reference to using other sources, or filing a bug report on Bitbucket to see if the author could implement it.

https://pypi.python.org/pypi/pyClamd
https://bitbucket.org/xael/pyclamd
http://xael.org/pages/pyclamd-en.html
http://xael.org/pages/python-module-pyclamd.html

anagnostou_j@yahoo.com 09-06-2017 01:50 AM

Problem Solved
 
I figured out the answer. It seems that ClamAV can read *.yara files and search them in addition to the existing virus database. The solution is to put a YARA rule in the /var/lib/clamav directory. The code needs a little modification, just to reload the ClamdAgnostic(), and voila.
Code:

import pyclamd

cd = pyclamd.ClamdAgnostic()
# ask clamd to reload its databases so the newly added *.yara file is picked up
cd.reload()
# None if clean, otherwise {path: ('FOUND', signature)}
x = cd.scan_file('/home/john/Desktop/workSpace/yara/2.pdf')
print(x)

If the rule matches, you will see printed output with the rule that was used:

Code:

{'/home/john/Desktop/workSpace/yara/2.pdf': ('FOUND', 'YARA.testFor2.UNOFFICIAL')}
Otherwise the output will be Null.
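The procedure from the solved post, assembled as an added example that is not from the thread or from pyclamd itself: write a YARA rule into the ClamAV database directory, reload clamd, scan, and interpret the result. The rule text, the sample results and the helper names are my own constructions; the result format follows the dict shown above.

```python
import os

# Constructed YARA rule (not from the thread); ClamAV loads *.yar/*.yara
# files found in its database directory when it (re)loads.
SAMPLE_RULE = '''rule testFor2
{
    strings:
        $marker = "CONSTRUCTED-TEST-MARKER"
    condition:
        $marker
}
'''

# Constructed copies of the result shapes pyclamd returns: None when clean,
# otherwise {path: (status, signature)} with status 'FOUND' or 'ERROR'.
SAMPLE_YARA_HIT = {'/home/john/Desktop/workSpace/yara/2.pdf':
                   ('FOUND', 'YARA.testFor2.UNOFFICIAL')}
SAMPLE_DB_HIT = {'/tmp/eicar.com': ('FOUND', 'Eicar-Test-Signature')}


def write_rule(rule_text, db_dir='/var/lib/clamav', name='testFor2'):
    """Drop a .yara file into the ClamAV database directory (needs write
    access to that directory, so run as the clamav user or root)."""
    dest = os.path.join(db_dir, name + '.yara')
    with open(dest, 'w') as fh:
        fh.write(rule_text)
    return dest


def yara_rule_name(signature):
    """Map 'YARA.<rule>.UNOFFICIAL' to '<rule>'; None for non-YARA signatures.
    ClamAV prefixes YARA matches with 'YARA.' and appends '.UNOFFICIAL' to
    signatures that do not come from its official databases."""
    if not signature.startswith('YARA.'):
        return None
    name = signature[len('YARA.'):]
    if name.endswith('.UNOFFICIAL'):
        name = name[:-len('.UNOFFICIAL')]
    return name


def classify_result(result):
    """Turn a pyclamd scan result into (path, status, signature, yara_rule)
    tuples; an empty list means the file was clean."""
    if not result:
        return []
    return [(path, status, sig, yara_rule_name(sig))
            for path, (status, sig) in result.items()]


def scan_with_yara(path):
    """The thread's procedure end to end; needs a running clamd and pyclamd."""
    import pyclamd  # imported here so the pure helpers above work without it
    cd = pyclamd.ClamdAgnostic()
    cd.reload()  # make clamd pick up newly added *.yara files
    return classify_result(cd.scan_file(path))
```

Only `scan_with_yara()` talks to clamd; the other helpers can be exercised offline against the constructed results.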

