Amavis and ClamAV and YARA

Olivier Nicole Olivier.Nicole at cs.ait.ac.th
Fri Feb 26 11:39:51 CET 2016


Following the discussion yesterday about ClamAV and YARA, I decided to
give it a try.

The integration of YARA into ClamAV is still very limited; ClamAV does not
support the module (plug-in) framework (many of the Android rules
are based on a module), nor does it support several other features.

It would be better to run YARA as an independent scanner and integrate
it into Amavis.

So far, YARA has no daemon, which means it needs to be relaunched for every
message, and for every rule file. Maybe there is something that could be
worked out, as YARA is supposed to be able to parse a process.

I installed YARA and YARA-rules (from
https://github.com/Yara-Rules/rules) and I have been quite disappointed.

As was mentioned yesterday, there are 3 sets of rules that will match
for every message depending on whether or not they contain an image, a URL or an
attachment. Of course these rules should be left out, else just any
message would be tagged.

I then ran all YARA-rules on a set of 176,000 messages, mostly clean
messages, which had been scanned by Kaspersky and the official ClamAV, as well
as classified as not-spam by SpamAssassin. As a result of this
scan, I got about 28,000 hits, a large portion of them being false
positives.

Then I ran the same test on a set of 45 virus messages (detected by
Kaspersky or ClamAV; the number of viruses is low because I use PostGrey)
and only got 19 messages tagged.

Among the false positives I have:
- automatic security audit mail on FreeBSD
- amanda backup report
- FreeBSD mailing list
- mailman bounce message
- MxToolBox message
- bounce message
- Drupal security announcement
- message from my registrar
- DSpace mailing list
- SpamAssassin mailing list
- Samba mailing list
- various valid messages (even sent by me)

So the overall result is highly negative.

Does anyone have a positive experience to share?

Best regards,

Olivier
-- 


More information about the amavis-users mailing list
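The measurement described in the post (a full ruleset run over a known-clean corpus and over a small set of known-malicious messages, then deciding which rules to drop) is easy to get wrong if you only count total hits, because a few rules that fire on every message with a URL, image or attachment dominate the count. The script below is an added example written for this page; it is not from the original post nor from the Amavis, ClamAV or YARA projects. It drives the `yara` CLI (`yara -r <rules> <dir>`, whose default output is one `<rule> <path>` line per match) over a maildir, counts hits per rule, drops rules that fire on a large share of the clean corpus as noise, and reports how many clean messages are still tagged and how many malicious ones are caught. The rule names, paths and counts in the embedded sample output are constructed for illustration and are not real Yara-Rules identifiers.

```python
"""Triage a YARA ruleset against a clean and a malicious mail corpus.

Added example for this thread (hypothetical rule names and paths). It parses
the default output of `yara -r rules.yar <dir>`, aggregates hits per rule,
excludes rules that fire on most of the clean corpus, and summarises false
positives vs. detections for the rules that remain.
"""
import re
import subprocess
from collections import defaultdict

# yara prints one line per (rule, file) match: "<rule_identifier> <path>".
# Paths are not escaped, so split only on the first run of whitespace.
YARA_MATCH = re.compile(r"^(\S+)\s+(.+?)\s*$")


def parse_yara_output(text):
    """Map rule identifier -> set of matched file paths from yara stdout."""
    hits = defaultdict(set)
    for line in text.splitlines():
        m = YARA_MATCH.match(line)
        if m:
            hits[m.group(1)].add(m.group(2))
    return dict(hits)


def run_yara(rules_file, maildir, extra_args=()):
    """Scan a directory of mail files with the yara CLI and parse the result.

    yara exits 0 whether or not anything matched; a non-zero status means a
    real error (bad rule file, unreadable path), so it is raised here.
    """
    cmd = ["yara", "-r", *extra_args, rules_file, maildir]
    proc = subprocess.run(cmd, capture_output=True, text=True)
    if proc.returncode != 0:
        raise RuntimeError(f"yara failed ({proc.returncode}): {proc.stderr.strip()}")
    return parse_yara_output(proc.stdout)


def noisy_rules(hits, corpus_size, threshold=0.5):
    """Rules that fire on at least `threshold` of the corpus.

    Run against a known-clean corpus, these are the "every message with a
    URL/image/attachment" style rules the thread mentions: no signal at all.
    """
    return {rule for rule, paths in hits.items()
            if len(paths) / corpus_size >= threshold}


def tagged_messages(hits, exclude=frozenset()):
    """Messages flagged by at least one rule that is not excluded."""
    tagged = set()
    for rule, paths in hits.items():
        if rule not in exclude:
            tagged |= paths
    return tagged


def evaluate(clean_hits, clean_size, malware_hits, malware_size, threshold=0.5):
    """Drop noisy rules, then count false positives and detections.

    Returns the excluded rules, how many clean messages are still tagged,
    how many malicious messages are caught, and FP/TP counts per rule.
    """
    excluded = noisy_rules(clean_hits, clean_size, threshold)
    clean_tagged = tagged_messages(clean_hits, excluded)
    malware_tagged = tagged_messages(malware_hits, excluded)
    per_rule = {}
    for rule in set(clean_hits) | set(malware_hits):
        if rule not in excluded:
            per_rule[rule] = {
                "false_positives": len(clean_hits.get(rule, ())),
                "true_positives": len(malware_hits.get(rule, ())),
            }
    return {
        "excluded": excluded,
        "clean_tagged": len(clean_tagged),
        "clean_fp_rate": len(clean_tagged) / clean_size,
        "malware_tagged": len(malware_tagged),
        "malware_detection_rate": len(malware_tagged) / malware_size,
        "per_rule": per_rule,
    }


# Constructed sample output (hypothetical rule names and paths) standing in for
# the stdout of `yara -r rules.yar /mail/clean` and `yara -r rules.yar /mail/virus`.
SAMPLE_CLEAN_OUTPUT = """\
with_urls /mail/clean/1
with_urls /mail/clean/2
with_urls /mail/clean/3
with_urls /mail/clean/4
with_images /mail/clean/2
with_images /mail/clean/3
with_images /mail/clean/6
Generic_Phish_Hypothetical /mail/clean/4
Generic_Phish_Hypothetical /mail/clean/5
"""
SAMPLE_MALWARE_OUTPUT = """\
with_urls /mail/virus/1
with_attachment /mail/virus/1
with_attachment /mail/virus/2
Hypothetical_Dropper /mail/virus/2
Generic_Phish_Hypothetical /mail/virus/3
"""
SAMPLE_CLEAN_SIZE = 6    # messages in the constructed clean corpus
SAMPLE_MALWARE_SIZE = 3  # messages in the constructed malicious corpus


def sample_report():
    """Evaluate the constructed sample; replace with run_yara() for real data."""
    return evaluate(parse_yara_output(SAMPLE_CLEAN_OUTPUT), SAMPLE_CLEAN_SIZE,
                    parse_yara_output(SAMPLE_MALWARE_OUTPUT), SAMPLE_MALWARE_SIZE)


if __name__ == "__main__":
    report = sample_report()
    print("excluded as noise:", sorted(report["excluded"]))
    print(f"clean messages still tagged: {report['clean_tagged']}/{SAMPLE_CLEAN_SIZE}")
    print(f"malware messages caught:     {report['malware_tagged']}/{SAMPLE_MALWARE_SIZE}")
    for rule, c in sorted(report["per_rule"].items()):
        print(f"  {rule:28} FP={c['false_positives']} TP={c['true_positives']}")
```

Two practical notes. First, yara's exit status is 0 with or without matches, so an `@av_scanners` entry in amavisd.conf for it cannot use the usual clean/infected exit-code lists; Amavis allows a regex in their place (its shipped examples do this for other scanners), and the regex must key on the `<rule> <path>` output while ignoring the rules you have decided to treat as noise. Second, measure noise on the clean corpus only: a rule that fires on most malicious samples but on few clean ones is a detection, not noise, and the threshold should be chosen after looking at the per-rule counts rather than fixed in advance.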