DFIR 012 – Clam AV rules to Yara

This post was inspired while I was playing around with the new SIFT workstation, and I needed to get my tools and scripts onto the VM. A couple of team members saw what I was doing and did not know this was possible, so I figured I would write up a quick post on how to convert your ClamAV database into a set of Yara rules that you can use during your investigations.

You can get the Python script here

# for Clam AV
# should be installed, but this is to verify
sudo apt-get install clamav clamav-freshclam
sudo freshclam

# for Yara
sudo apt-get install libpcre3 libpcre3-dev
sudo apt-get install yara

# unpack the CVD; this writes main.ndb (and the other main.* files) into the current directory
sigtool -u /var/lib/clamav/main.cvd
# run the converter script linked above (<converter-script>.py is a placeholder for its filename)
python <converter-script>.py -f main.ndb -o clamav.yara

There was one rule I had to clean up manually, though:

vim +199819 clamav.yara

Once that is done, you can use this file anywhere you would use your own Yara rules.
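To show what the conversion step actually does, here is a small converter of my own (an added example, not the script linked above): it reads ClamAV .ndb lines (Name:TargetType:Offset:HexSig), translates the hex body into Yara hex-string syntax, sanitises rule names so they are valid Yara identifiers, and reports the signatures it cannot translate, which is exactly the kind of rule you end up fixing by hand. The sample .ndb lines are constructed for the example and are not real ClamAV signatures.

```python
import re

# Constructed sample .ndb lines (Name:TargetType:Offset:HexSig), made up for this example
SAMPLE_NDB = """\
Test.Sig-1:0:*:4d5a9000??????50450000
Test.Sig-2:1:*:68656c6c6f*776f726c64
Test.Sig-3:0:EP+0:e8{4}5d
Test.Sig/3:0:12:c3{2-}cc
Test.Sig-4:0:*:6162(63|64)65
"""

def ndb_hex_to_yara(sig):
    """Translate a ClamAV hex signature body into a Yara hex-string body. Supports nibble
    wildcards, '*' and {n}/{n-m}/{n-}/{-m} jumps; '(aa|bb)' alternation raises so it gets flagged."""
    if "(" in sig:
        raise ValueError("alternation not supported")
    sig = sig.replace("*", " [-] ")  # ClamAV '*' == Yara unbounded jump
    sig = re.sub(r"\{(\d*)-(\d*)\}", lambda m: " [%s-%s] " % (m.group(1) or "0", m.group(2)), sig)
    sig = re.sub(r"\{(\d+)\}", r" [\1] ", sig)  # {n} == exactly n bytes
    out = []
    for tok in sig.split():
        if tok.startswith("["):
            out.append(tok)
        elif len(tok) % 2 == 0 and re.fullmatch(r"[0-9a-fA-F?]+", tok):
            out.extend(tok[i:i + 2].lower() for i in range(0, len(tok), 2))
        else:
            raise ValueError("malformed hex: " + tok)
    return " ".join(out)

def convert_ndb(text):
    """Return (yara_source, skipped); skipped holds (name, reason) for signatures to convert by hand."""
    rules, skipped, seen = [], [], set()
    for line in text.split():  # .ndb lines contain no whitespace, so split() also drops blank lines
        name, _target, offset, hexsig = line.split(":", 3)
        try:
            body = ndb_hex_to_yara(hexsig)
        except ValueError as err:
            skipped.append((name, str(err)))
            continue
        # Yara identifiers allow only [A-Za-z0-9_] and must not start with a digit
        rname = re.sub(r"[^A-Za-z0-9_]", "_", name)
        rname = ("_" if rname[0].isdigit() else "") + rname
        while rname in seen:  # different ClamAV names can collide after sanitising
            rname += "_dup"
        seen.add(rname)
        # a numeric ClamAV offset maps to 'at N'; EP+n / EOF-n would need the pe module, so just match anywhere
        cond = "$a at %s" % offset if offset.isdigit() else "$a"
        rules.append("rule %s\n{\n    strings:\n        $a = { %s }\n"
                     "    condition:\n        %s\n}\n" % (rname, body, cond))
    return "\n".join(rules), skipped
```

Anything in the skipped list (here the alternation signature) is what you would open in vim and finish by hand.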

Pretty cool!