[clamav-users] Documentation for creating ndb signatures?

Kris Deugau kdeugau at vianet.ca
Wed Oct 26 10:35:00 EDT 2016


Joel Esler (jesler) wrote:
> Dave,
> 
> Check out: https://github.com/vrtadmin/clamav-devel/blob/master/docs/signatures.pdf

Unfortunately this document still leaves a number of questions, since
it's quite easy to create a signature that looks to be valid but which
ClamAV won't accept.  And the specifics of what it won't accept have
varied from version to version, and as far as I can tell are not clearly
documented anywhere but the ClamAV source.

For instance, I have regularly seen malware that I am trying to create a
signature for, where I have a pattern of 1-3 alternating known and
unknown (or small-set, e.g. ASCII numeric or [a-z]) bytes or byte groups.
It is possible to generate a signature that should match this, but
which won't be accepted by the engine.  It has gotten less restrictive
in recent versions but some types of pattern are still not supported.

-kgd
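To try out candidate ndb bodies such as the alternating known/unknown byte patterns above, or the .top-URL case Dave asks about in the quoted message below, here is an added example (not from either poster and not ClamAV's own code) that interprets a subset of the ndb hex syntax in Python. The signature line, the mail samples and the name Example.TopURL are constructed, and the interpreter applies none of the engine's own acceptance rules, which is exactly the gap Kris describes.

```python
"""Toy interpreter for a subset of ClamAV .ndb hex-signature syntax (added
example, not ClamAV's own code).  It turns an ndb hex body into a Python
bytes regex so a candidate pattern can be tried offline.  It does NOT apply
the engine's acceptance rules, so a body that matches here may still be
rejected by clamscan.  Nibble wildcards, MinFL/MaxFL, EOF/EP offsets: unsupported."""
import re

# Constructed sample line: Name:TargetType:Offset:HexSignature (target 4 = mail,
# offset * = anywhere).  Body: "http://", 1-40 bytes, ".top", then "/", space or CR.
SAMPLE_NDB = "Example.TopURL:4:*:687474703a2f2f{1-40}2e746f70(2f|20|0d)"

TOKEN = re.compile(r"\*|\?\?|\{(\d*)(-?)(\d*)\}"
                   r"|\((?:[0-9a-f]{2}\|)*[0-9a-f]{2}\)|[0-9a-f]{2}")

def ndb_body_to_regex(body: str):
    """Translate an ndb hex body (??, *, {n-m}, (aa|bb)) into a bytes regex."""
    body, parts, pos = body.lower(), [], 0
    while pos < len(body):
        m = TOKEN.match(body, pos)
        if not m:
            raise ValueError(f"bad syntax at {pos}: {body[pos:pos + 8]!r}")
        tok = m.group(0)
        if tok == "*":                      # any number of bytes
            parts.append(b".*?")
        elif tok == "??":                   # any single byte
            parts.append(b".")
        elif tok.startswith("{"):           # {n}, {n-}, {-n}, {n-m}
            lo, dash, hi = m.groups()
            parts.append(b".{%d}" % int(lo) if not dash
                         else b".{%d,%s}" % (int(lo or 0), hi.encode()))
        elif tok.startswith("("):           # (aa|bb|cc) alternatives
            alts = [re.escape(bytes.fromhex(a)) for a in tok[1:-1].split("|")]
            parts.append(b"(?:" + b"|".join(alts) + b")")
        else:                               # literal byte
            parts.append(re.escape(bytes.fromhex(tok)))
        pos = m.end()
    return re.compile(b"".join(parts), re.DOTALL)

def matches(ndb_line: str, data: bytes) -> bool:
    # Honours only a "*" offset or an absolute integer offset.
    _name, _target, offset, body = ndb_line.split(":")[:4]
    rx = ndb_body_to_regex(body)
    return bool(rx.search(data) if offset == "*" else rx.match(data, int(offset)))

# Constructed mail bodies: the first carries a .top URL, the second does not.
MAIL_HIT = b"Subject: hi\r\n\r\nSee http://example-offer.top/landing now\r\n"
MAIL_MISS = b"Subject: hi\r\n\r\nSee http://example.topology.org/ now\r\n"
```

Feed a body that this accepts to sigtool or clamscan afterwards; whether the engine takes it is the separate question this thread is about.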


> On Oct 26, 2016, at 8:45 AM, Dave McMurtrie <dave64 at andrew.cmu.edu> wrote:
> 
> Hi,
> 
> I know it exists, because I remember reading it before.  However, I
> can't find it now.  I found the docs at
> https://github.com/vrtadmin/clamav-devel/tree/master/docs but I didn't
> find what I was looking for there.
> 
> Specifically, I'm looking for information on using pattern matching or
> regexes in an ndb signature.  I'd like to come up with a signature that
> will match any email body that contains a URL in the .top domain.
> 
> Thanks!
> 
> Dave
> _______________________________________________
> Help us build a comprehensive ClamAV guide:
> https://github.com/vrtadmin/clamav-faq
> 
> http://www.clamav.net/contact.html#ml
> 