[clamav-users] Custom signature question
alex at alb.de
Tue Jul 8 14:41:19 UTC 2014
Hello,
I'm trying to create signatures for clamav, to detect exe and mp3
files. Seems to work for exe, but strangely not for mp3, despite
the fact I did exactly the same in both cases:
Getting signatures for both files:
alex:~$ dd if=exefile.exe count=1 | sigtool --hex-dump
1+0 Datensätze ein
1+0 Datensätze aus
512 Bytes (512 B) kopiert, 2.9117e-05 s, 17.6 MB/s
4d5a90000300000004000000ffff0000b8000000000000004000000000[...]
alex:~$ dd if=mp3file.mp3 count=1 | sigtool --hex-dump
1+0 Datensätze ein
1+0 Datensätze aus
512 Bytes (512 B) kopiert, 2.9032e-05 s, 17.6 MB/s
49443303000000000e4c5452434b00000005000000322d303954454e43[...]
Creating custom ndb:
alex:~$ cat /var/lib/clamav/notallowed.ndb
filetype.not.allowed.mp3:0:*:4944??
filetype.not.allowed.exe:0:*:4d5a??
Testing:
alex:~$ clamscan exefile.exe
exefile.exe: filetype.not.allowed.exe.UNOFFICIAL FOUND
----------- SCAN SUMMARY -----------
Known viruses: 3494613
Engine version: 0.98.1
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 0.07 MB
Data read: 0.07 MB (ratio 1.00:1)
Time: 6.339 sec (0 m 6 s)
alex:~$ clamscan mp3file.exe
mp3file.exe: OK
----------- SCAN SUMMARY -----------
Known viruses: 3494613
Engine version: 0.98.1
Scanned directories: 0
Scanned files: 1
Infected files: 0
Data scanned: 0.00 MB
Data read: 4.87 MB (ratio 0.00:1)
Time: 6.332 sec (0 m 6 s)
What did I do wrong?
alex
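
An added example, not part of the original post and not ClamAV code: a small Python checker for the simple subset of the .ndb format used above (whole hex bytes and `??` wildcards, offset `*` or an absolute number), which lets the two patterns be checked against the posted header bytes independently of the scanner. The function names are hypothetical, and the sample data is the first 16 bytes of each hex dump shown in the post.

```python
import re

def parse_ndb(line):
    """Split one .ndb line into (name, target_type, offset, hex_pattern)."""
    name, target, offset, pattern = line.strip().split(":")[:4]
    return name, int(target), offset, pattern.lower()

def pattern_to_regex(hex_pattern):
    """Translate whole hex bytes and ?? wildcards into a bytes regex."""
    if len(hex_pattern) % 2:
        raise ValueError("pattern must have an even number of characters")
    parts = []
    for i in range(0, len(hex_pattern), 2):
        pair = hex_pattern[i:i + 2]
        if pair == "??":
            parts.append(b".")          # any single byte
        else:
            parts.append(re.escape(bytes.fromhex(pair)))
    return re.compile(b"".join(parts), re.DOTALL)

def matches(ndb_line, data):
    """True if the signature body matches data at the requested offset."""
    _name, _target, offset, pattern = parse_ndb(ndb_line)
    rx = pattern_to_regex(pattern)
    if offset == "*":                   # floating: anywhere in the data
        return rx.search(data) is not None
    return rx.match(data, int(offset)) is not None  # absolute offset only

# First 16 bytes of each sigtool --hex-dump output shown in the post.
EXE_HEAD = bytes.fromhex("4d5a90000300000004000000ffff0000")
MP3_HEAD = bytes.fromhex("49443303000000000e4c5452434b0000")

SIG_MP3 = "filetype.not.allowed.mp3:0:*:4944??"
SIG_EXE = "filetype.not.allowed.exe:0:*:4d5a??"

if __name__ == "__main__":
    for label, data in (("exe", EXE_HEAD), ("mp3", MP3_HEAD)):
        for sig in (SIG_EXE, SIG_MP3):
            print(label, parse_ndb(sig)[0], matches(sig, data))
```

Both patterns match the header bytes they were derived from, so this check only covers the byte pattern itself, not the target type or any other step of the scan.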