[clamav-users] negate part of signature
Alain Zidouemba
azidouemba at sourcefire.com
Thu Oct 29 23:13:38 UTC 2015
Check out
https://github.com/vrtadmin/clamav-devel/blob/master/docs/signatures.pdf,
section 3.2.4.
You should be able to write something like:
!(not)badfunction(
FYI, PCRE support is coming in ClamAV 0.99. There is a release candidate
here if you want to try it: http://www.clamav.net/downloads
Finally, consider sharing your signature with the community, if possible:
http://blog.clamav.net/2014/02/introducing-clamav-community-signatures.html
Thanks,
- Alain
On Thu, Oct 29, 2015 at 6:05 PM, Deyan Chepishev <dchepishev at gmail.com>
wrote:
> Hello,
>
> I have a signature, which matches bad things, but is also giving me a lot
> of false positives. The reason for this is that the bad code is actually a
> subset of the good code, which gives me the false positive.
>
> What I mean:
>
> I have a signature which matches, for example:
>
> badfunction(
>
> however, this signature also matches:
>
> notbadfunction(
>
> which is giving me the false positive.
>
> If I assume that the first one is subsig0 and the second is subsig1,
>
> if I make an LDB signature like this:
>
> testsig;Target:0;0&1=0;subsig0;subsig1
>
> This will eliminate the false positives, but will also stop catching files
> which contain both of them, which is also bad.
>
> What I am trying to achieve is the following:
>
> file containing:
> ==========
> badfunction(
> ==========
> - should match as infected
>
> file containing:
> ==========
> notbadfunction(
> ==========
> - should NOT match
>
> file containing:
> ==========
> badfunction(
> notbadfunction(
> ==========
> - should match as infected.
>
>
> Can anyone give me a tip on how I can do this?
>
> Thank you,
>
> Regards,
> Deyan
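Added example, not code from the thread or from ClamAV itself: a small Python check that runs the three files Deyan describes through the original bare substring match, an emulation of what the 0&1=0 logical expression is meant to do, and a PCRE-style negative lookbehind of the kind the 0.99 PCRE subsignatures make possible. The file contents are constructed, the lookbehind pattern is a suggestion rather than text from the thread, and the .ldb wrapping of the PCRE (trigger and flags) is not shown; take that from the signatures document.

```python
import re

# Constructed test files reproducing the three cases from the question.
FILE_BAD = b"badfunction("
FILE_GOOD = b"notbadfunction("
FILE_BOTH = b"badfunction(\nnotbadfunction("


def plain_substring(data: bytes) -> bool:
    """Original signature: a bare 'badfunction(' body pattern.
    Fires on FILE_GOOD as well, which is the reported false positive."""
    return b"badfunction(" in data


def ldb_zero_and_one_eq_zero(data: bytes) -> bool:
    """Emulates the intent of the logical expression 0&1=0: subsig 0
    ('badfunction(') present AND subsig 1 ('notbadfunction(') matched
    zero times. Correct on FILE_GOOD but misses FILE_BOTH."""
    subsig0_hit = data.count(b"badfunction(") > 0
    subsig1_count = data.count(b"notbadfunction(")
    return subsig0_hit and subsig1_count == 0


# Suggested PCRE: 'badfunction(' not immediately preceded by 'not'.
# Python's re supports the same fixed-width negative lookbehind as PCRE.
LOOKBEHIND = re.compile(rb"(?<!not)badfunction\(")


def pcre_lookbehind(data: bytes) -> bool:
    """True if at least one 'badfunction(' occurrence is not part of
    'notbadfunction('. Handles FILE_BOTH because the first occurrence
    has no 'not' in front of it."""
    return LOOKBEHIND.search(data) is not None


def evaluate_all() -> dict:
    """Verdict of each approach on the three constructed files."""
    cases = {"bad": FILE_BAD, "good": FILE_GOOD, "both": FILE_BOTH}
    return {
        name: {
            "plain": plain_substring(data),
            "ldb_0&1=0": ldb_zero_and_one_eq_zero(data),
            "lookbehind": pcre_lookbehind(data),
        }
        for name, data in cases.items()
    }


if __name__ == "__main__":
    for name, verdicts in evaluate_all().items():
        print(name, verdicts)
```

Only the lookbehind column yields the wanted pattern of infected, clean, infected across the three files.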