[clamav-users] custom signatures won't work :(

Tom Judge tjudge at sourcefire.com
Thu Mar 13 22:17:12 EDT 2014


I think you will find that your file is too small; try making the file
larger than 6 bytes.

Tom


On Thu, Mar 13, 2014 at 6:44 PM, krzf83 at gmail.com <krzf83 at gmail.com> wrote:

> I've spent about 6 hours on this without any effect. Please help :(
> I had it working some time ago but today I've found out that it
> stopped working (maybe after one of the clamav updates)
>
> root at sv1 [/root/test]# echo test > test.exe
> root at sv1 [/root/test]# cat test.exe
> test
> root at sv1 [/root/test]# sigtool --md5 test.exe > test.hdb
> root at sv1 [/root/test]# clamscan -d test.hdb test.exe
> test.exe: OK
>
> ----------- SCAN SUMMARY -----------
> Known viruses: 1
> Engine version: 0.98.1
> Scanned directories: 0
> Scanned files: 1
> Infected files: 0
> Data scanned: 0.00 MB
> Data read: 0.00 MB (ratio 0.00:1)
> Time: 0.002 sec (0 m 0 s)
>
>
> --
>
> root at sv1 [/root/test]# echo test > test.exe
> root at sv1 [/root/test]# cat test.exe
> test
> root at sv1 [/root/test]# printf test|sigtool --hex-dump
> 74657374
> root at sv1 [/root/test]# cat test.ndb
> test:0:*:74657374
> root at sv1 [/root/test]# clamscan -d test.ndb test.exe
> test.exe: OK
>
> ----------- SCAN SUMMARY -----------
> Known viruses: 1
> Engine version: 0.98.1
> Scanned directories: 0
> Scanned files: 1
> Infected files: 0
> Data scanned: 0.00 MB
> Data read: 0.00 MB (ratio 0.00:1)
> Time: 0.002 sec (0 m 0 s)
>
> root at sv1 [/root/test]# sigtool --test-sigs=test.ndb test.exe
> VIRUS NAME: test
> TARGET TYPE: ANY FILE
> OFFSET: *
> MATCH: ** YES ** (1 match at offset: 0)



-- 
Senior Research Engineer
SourceFire Vulnerability Research Team
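
A pre-flight check for the situation in this thread, as an added example that is not part of the original messages: it refuses to build an .hdb hash signature (MD5:size:name) for a sample that is not larger than the 6 bytes mentioned in the reply, then tests a larger constructed sample. The names make_hdb_line, MIN_BYTES and demo are hypothetical, the threshold is an assumption taken from the reply, and md5sum from coreutils is assumed to be installed.

```shell
#!/bin/sh
# Added example: size check before writing a ClamAV hash signature.
MIN_BYTES=6   # assumption from the reply: the sample must be larger than this

# Print an .hdb line (MD5:size:name) for a file, or fail if the file is too small.
make_hdb_line() {
    file=$1
    name=$2
    size=$(wc -c < "$file" | tr -d ' ')
    if [ "$size" -le "$MIN_BYTES" ]; then
        echo "$file is $size bytes; use a sample larger than $MIN_BYTES bytes" >&2
        return 1
    fi
    md5=$(md5sum "$file" | cut -d' ' -f1)
    printf '%s:%s:%s\n' "$md5" "$size" "$name"
}

demo() {
    dir=$(mktemp -d) || return 1

    # The sample from the thread: "test" plus a newline is 5 bytes.
    echo test > "$dir/small.exe"
    make_hdb_line "$dir/small.exe" Test.Small || echo "small.exe: no signature written"

    # Constructed larger sample, well above the threshold.
    printf 'constructed sample for signature testing\n' > "$dir/big.exe"
    make_hdb_line "$dir/big.exe" Test.Big > "$dir/test.hdb" || return 1
    cat "$dir/test.hdb"

    # Scan only if ClamAV is installed; clamscan exits 1 when it reports a match.
    if command -v clamscan >/dev/null 2>&1; then
        clamscan -d "$dir/test.hdb" "$dir/big.exe" || true
    fi
    rm -rf "$dir"
}

demo
```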


