[clamav-users] Custom signature question

alex at alb.de alex at alb.de
Tue Jul 8 10:41:19 EDT 2014


Hello,

I'm trying to create signatures for clamav, to detect exe and mp3
files. Seems to work for exe, but strangely not for mp3, despite
the fact I did exactly the same in both cases:

Getting signatures for both files:

alex:~$ dd if=exefile.exe count=1 | sigtool --hex-dum 
1+0 Datensätze ein
1+0 Datensätze aus
512 Bytes (512 B) kopiert, 2.9117e-05 s, 17.6 MB/s
4d5a90000300000004000000ffff0000b8000000000000004000000000[...]

alex:~$ dd if=mp3file.mp3 count=1 | sigtool --hex-dump
1+0 Datensätze ein
1+0 Datensätze aus
512 Bytes (512 B) kopiert, 2.9032e-05 s, 17.6 MB/s
49443303000000000e4c5452434b00000005000000322d303954454e43[...]

Creating custom ndb:

alex:~$ cat /var/lib/clamav/notallowed.ndb 
filetype.not.allowed.mp3:0:*:4944??
filetype.not.allowed.exe:0:*:4d5a??

Testing:

alex:~$ clamscan exefile.exe 
exefile.exe: filetype.not.allowed.exe.UNOFFICIAL FOUND

----------- SCAN SUMMARY -----------
Known viruses: 3494613
Engine version: 0.98.1
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 0.07 MB
Data read: 0.07 MB (ratio 1.00:1)
Time: 6.339 sec (0 m 6 s)

alex:~$ clamscan mp3file.exe 
mp3file.exe: OK

----------- SCAN SUMMARY -----------
Known viruses: 3494613
Engine version: 0.98.1
Scanned directories: 0
Scanned files: 1
Infected files: 0
Data scanned: 0.00 MB
Data read: 4.87 MB (ratio 0.00:1)
Time: 6.332 sec (0 m 6 s)


What did I do wrong?



alex
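
Added example, not part of the original post: a byte-level check of the two notallowed.ndb lines against the first 16 bytes of each hex dump shown above, which shows that each pattern matches its own file header. It handles only the `*` and absolute offsets and the `??` wildcard, does not model clamscan's file-type handling or scan limits, and all function names are hypothetical.

```python
import re

# Signature lines copied from the post's notallowed.ndb.
NDB_LINES = [
    "filetype.not.allowed.mp3:0:*:4944??",
    "filetype.not.allowed.exe:0:*:4d5a??",
]

# First 16 bytes of each sigtool hex dump shown in the post.
HEADERS = {
    "exefile.exe": bytes.fromhex("4d5a90000300000004000000ffff0000"),
    "mp3file.mp3": bytes.fromhex("49443303000000000e4c5452434b0000"),
}

def parse_ndb(line):
    """Split an extended signature line: Name:TargetType:Offset:HexSignature."""
    name, target, offset, hexsig = line.strip().split(":")[:4]
    return {"name": name, "target": int(target), "offset": offset, "hexsig": hexsig}

def hexsig_to_regex(hexsig):
    """Translate hex byte pairs and the ?? (any one byte) wildcard to a bytes regex.
    Other ndb wildcards are not handled in this sketch."""
    parts = []
    for i in range(0, len(hexsig), 2):
        tok = hexsig[i:i + 2]
        parts.append(b"." if tok == "??" else re.escape(bytes.fromhex(tok)))
    return re.compile(b"".join(parts), re.DOTALL)

def matches(sig, data):
    """Byte-level match only: '*' means any offset, a number means that offset."""
    rx = hexsig_to_regex(sig["hexsig"])
    if sig["offset"] == "*":
        return rx.search(data) is not None
    return rx.match(data, int(sig["offset"])) is not None

def check_all():
    """Return {(signature name, file name): matched?} for every combination."""
    sigs = [parse_ndb(line) for line in NDB_LINES]
    return {(s["name"], f): matches(s, d) for s in sigs for f, d in HEADERS.items()}

if __name__ == "__main__":
    for (name, fname), hit in sorted(check_all().items()):
        print(f"{name:26} {fname:12} {'match' if hit else 'no match'}")
```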


