Any possibility yara itself is infected?

[PeterM18]

Hi, I'm not a security researcher, but I ran clamscan on yara and an install including yara and got the following virus warnings. I'd guess that there are no actual viruses in yara, but that clamscan is reacting to virus signatures in yara. However, it seems odd that it would react only to a few signatures while yara would contain many. Just thought I'd let you know.

.../yara-4.2.2.tar.gz: Win.Trojan.Agent-6396135-0 FOUND
.../miniconda3/lib/python3.9/site-packages/quicksand/quicksand_exploits.yara: Rtf.Exploit.CVE_2017_11882-6398227-0 FOUND
.../yara-4.2.2/tests/oss-fuzz/pe_fuzzer_corpus/clusterfuzz-testcase-minimized-5839717883969536: Win.Trojan.Agent-6396135-0 FOUND

[PeterM18]

Thanks Tom, that's reassuring!

…

On Thu, Sep 15, 2022 at 2:45 AM Tom Lancaster ***@***.***> wrote: YARA does not contain a large number of signatures // data that might match on other engines, it only contains a few which are used for tests - you can see them here: https://github.com/VirusTotal/yara/tree/master/tests/data These are what are matching your clamscan test. — Reply to this email directly, view it on GitHub <#1764 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AQVBQJ3BXSJUWABI2ED6Z23V6LH2PANCNFSM56E4Z5IA> . You are receiving this because you authored the thread.Message ID: ***@***.***>

[k5711982]

Today, November 15, 2023, I ran the clamav antivirus on my debian operating system, and it found that the yara_rules.yar file is infected. That's possible ? Download it right now in version 4.4.0

curl -LO https://github.com/VirusTotal/yara/archive/v4.4.0.tar.gz

It seems to me that it is infected in virustotal and other antiviruses.

It is normal ? If it's just a text file with rules.

clamscan -r /tmp

Loading: 16s, ETA: 0s [========================>] 8.68M/8.68M sigs
Compiling: 3s, ETA: 0s [========================>] 41/41 tasks

/tmp/yara/rules/yara_rules.yar: Legacy.Trojan.Agent-37025 FOUND

----------- SCAN SUMMARY -----------
Known viruses: 8678201
Engine version: 1.0.3
Scanned directories: 15
Scanned files: 1
Infected files: 1
Data scanned: 0.88 MB
Data read: 2.80 MB (ratio 0.31:1)
Time: 21.252 sec (0 m 21 s)
Start Date: 2023:11:15 09:16:17
End Date: 2023:11:15 09:16:38

[plusvic]

.yar files are just YARA rules in text form that can't be infected. But as many YARA rules use patterns found in malware files, antiviruses may mistakenly detect the YARA rules as if they were the original malware.