[clamav-users] negate part of signature
Deyan Chepishev
dchepishev at gmail.com
Thu Oct 29 22:05:32 UTC 2015
Hello,
I have a signature which matches bad things, but it is also giving me a lot of
false positives. The reason for this is that the bad code is actually a subset of
the good code, which gives me the false positive.
What I mean:
I have a signature which matches, for example:
badfunction(
however, this signature also matches:
notbadfunction(
which is giving me the false positive.
If I assume that the first one is subsig0 and the second is subsig1,
and I make an LDB signature like this:
testsig;Target:0;0&1=0;subsig0;subsig1
This will eliminate the false positives, but will also stop catching files which
contain both of them, which is also bad.
What I am trying to achieve is the following:
file containing:
==========
badfunction(
==========
- should match as infected
file containing:
==========
notbadfunction(
==========
- should NOT match
file containing:
==========
badfunction(
notbadfunction(
==========
- should match as infected.
Can anyone give me a tip on how I can make this?
Thank you,
Regards,
Deyan
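As an added illustration of the three cases in the post (this is not part of the original message and is written in Python rather than ClamAV's LDB syntax): because the "good" string `notbadfunction(` contains the "bad" string `badfunction(`, every hit on subsig1 also produces a hit on subsig0. A file is therefore suspicious exactly when subsig0 has more hits than subsig1, which is the count-based check below. The second function expresses the same idea as a negative lookbehind, for a signature language that supports a preceding-byte or regular-expression condition. The sample inputs are constructed for this example.

```python
import re

# Constructed sample files modelled on the cases described in the post.
SAMPLES = {
    "only_bad": b"x = 1\nbadfunction(x)\n",          # should match
    "only_good": b"x = 1\nnotbadfunction(x)\n",      # should NOT match
    "both": b"badfunction(x)\nnotbadfunction(x)\n",  # should match
    "neither": b"safe(x)\n",                         # should NOT match
}

SUBSIG0 = b"badfunction("     # the bad pattern (subsig0 in the post)
SUBSIG1 = b"notbadfunction("  # the benign superstring (subsig1 in the post)


def count_based_match(data: bytes) -> bool:
    """Flag the file when subsig0 has strictly more hits than subsig1.

    Every occurrence of subsig1 necessarily contains one occurrence of
    subsig0, so the difference of the two counts is exactly the number of
    standalone 'badfunction(' occurrences.
    """
    return data.count(SUBSIG0) > data.count(SUBSIG1)


# Anchored alternative: 'badfunction(' that is NOT immediately preceded by
# the three bytes 'not'. A negative lookbehind expresses this directly.
_STANDALONE = re.compile(rb"(?<!not)badfunction\(")


def anchored_match(data: bytes) -> bool:
    """Flag the file when at least one standalone 'badfunction(' is present."""
    return _STANDALONE.search(data) is not None


def standalone_offsets(data: bytes) -> list[int]:
    """Byte offsets of each standalone hit, useful when reviewing a detection."""
    return [m.start() for m in _STANDALONE.finditer(data)]


if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(f"{name:10s} count-based={count_based_match(data)!s:5s} "
              f"anchored={anchored_match(data)!s:5s} "
              f"offsets={standalone_offsets(data)}")
```

Both checks agree on all four samples; the count-based form needs only two plain substring subsignatures and a comparison of their hit counts, while the anchored form needs a signature language that can look at the bytes before the match.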