[clamav-users] negate part of signature
Deyan Chepishev
dchepishev at gmail.com
Fri Oct 30 08:07:41 UTC 2015
Hello,
Thank you for the answer.
There is probably something missing in the doc, because the signature is not
properly working with the current clamav release 0.98.7.
I tried the following signature:
testsig:0:*:!(6e6f74)62616466756e6374696f6e28
_______________not_______badfunction(
If I scan with clamav 0.98.7 I still get a match for
notbadfunction(
While if I use clamav 0.99-rc1 it works as expected.
Do you think this is a bug in 0.98.7, or is it just not specified in the doc
that this requires version 0.99?
Regards,
Deyan
Alain Zidouemba wrote:
> Check out
> https://github.com/vrtadmin/clamav-devel/blob/master/docs/signatures.pdf,
> section 3.2.4.
>
> You should be able to write something like:
>
> !(not)badfunction(
>
>
> FYI, PCRE support is coming in ClamAV 0.99. There is a release candidate
> here if you want to try it: http://www.clamav.net/downloads
>
> Finally, consider sharing your signature with the community, if possible:
> http://blog.clamav.net/2014/02/introducing-clamav-community-signatures.html
>
> Thanks,
>
> - Alain
>
> On Thu, Oct 29, 2015 at 6:05 PM, Deyan Chepishev <dchepishev at gmail.com>
> wrote:
>
>> Hello,
>>
>> I have a signature which matches bad things, but it is also giving me a lot
>> of false positives. The reason for this is that the bad code is actually a
>> subset of the good code, which gives me the false positive.
>>
>> What I mean:
>>
>> I have a signature which matches, for example:
>>
>> badfunction(
>>
>> however, this signature also matches:
>>
>> notbadfunction(
>>
>> which is giving me the false positive.
>>
>> If I assume that the first one is subsig0 and the second is subsig1,
>>
>> and I make an LDB signature like this:
>>
>> testsig;Target:0;0&1=0;subsig0;subsig1
>>
>> This will eliminate the false positives, but will also stop catching files
>> which contain both of them, which is also bad.
>>
>> What I am trying to achieve is the following:
>>
>> file containing:
>> ==========
>> badfunction(
>> ==========
>> - should match as infected
>>
>> file containing:
>> ==========
>> notbadfunction(
>> ==========
>> - should NOT match
>>
>> file containing:
>> ==========
>> badfunction(
>> notbadfunction(
>> ==========
>> - should match as infected.
>>
>>
>> Can anyone give me a tip on how I can achieve this?
>>
>> Thank you,
>>
>> Regards,
>> Deyan
>>
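The negated-alternate behaviour discussed in this thread, as an added Python emulation that is not ClamAV's own code: `build_ndb_signature` produces the `.ndb` line quoted above from a text pattern and the prefix to exclude, and `matches` reproduces the three test cases from the original post. The rule in `matches` that the negated part consumes a fixed number of bytes before the pattern is an assumption about the semantics, not something the thread states.

```python
def build_ndb_signature(name: str, pattern: bytes,
                        forbidden_prefixes: list[bytes], target: int = 0) -> str:
    """Build an .ndb line NAME:TARGET:OFFSET:HEXSIG using ClamAV's
    negated-alternate syntax !(aa|bb) followed by the literal pattern in hex."""
    alts = "|".join(p.hex() for p in forbidden_prefixes)
    return f"{name}:{target}:*:!({alts}){pattern.hex()}"


def matches(data: bytes, pattern: bytes, forbidden_prefixes: list[bytes]) -> bool:
    """Emulate !(prefix)pattern: report a hit only if some occurrence of the
    pattern is preceded by bytes that are NOT one of the forbidden prefixes.

    Assumption (not from the thread): all forbidden prefixes have the same
    length, the negated alternate consumes exactly that many bytes, and an
    occurrence with fewer bytes before it cannot satisfy the negated part."""
    n = len(forbidden_prefixes[0])
    if any(len(p) != n for p in forbidden_prefixes):
        raise ValueError("forbidden prefixes must all have the same length")
    start = 0
    while True:
        i = data.find(pattern, start)
        if i < 0:
            return False  # no further occurrence of the pattern
        if i >= n and data[i - n:i] not in forbidden_prefixes:
            return True   # occurrence whose preceding bytes are allowed
        start = i + 1     # skip this (excluded) occurrence and keep looking


# Constructed sample inputs mirroring the three cases in the original post,
# with a few leading bytes so the pattern never sits at offset 0.
BAD_ONLY = b"<?php badfunction(1);"
GOOD_ONLY = b"<?php notbadfunction(1);"
BOTH = b"<?php badfunction(1); notbadfunction(2);"

if __name__ == "__main__":
    print(build_ndb_signature("testsig", b"badfunction(", [b"not"]))
    for sample in (BAD_ONLY, GOOD_ONLY, BOTH):
        print(sample, "->", matches(sample, b"badfunction(", [b"not"]))
```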