[clamav-users] Malformed pattern daily.ldb version 25410
David Shrimpton
d.shrimpton at its.uq.edu.au
Fri Apr 5 15:12:16 UTC 2019
I can reproduce the Malformed pattern problem with a file with just the one signature:
Xls.Downloader.Powload-6923120-0, which is an even longer one.
This is 4 signatures before Doc.Trojan.Agent-6923124-0 in daily.ldb.
sigtool reports the wrong line numbering, e.g. with a file with just Xls.Downloader.Powload-6923120-0 it reports
the problem as being on line 2. It seems to be 4 lines out when reporting on the whole daily.ldb.
Again,
sigtool --find Xls.Downloader.Powload-6923120-0 | sigtool --decode-sigs
doesn't show a problem.
clamscan --debug -d file_with_just_the_sig_above.ldb somefile
doesn't show a problem.
Xls.Downloader.Powload-6923120-0 turned up in daily 25410, which was when the problem started.
Maybe sigtool --list can't handle long signatures in ClamAV 0.100.2.
There does seem a pointlessness to signatures based upon exact variable names etc. that are obfuscated
and likely will vary with each sample. A regex signature to get any variable name would be better.
David Shrimpton
________________________________________
From: clamav-users <clamav-users-bounces at lists.clamav.net> on behalf of Arnaud Jacques <webmaster at securiteinfo.com>
Sent: Saturday, April 6, 2019 12:27 AM
To: clamav-users at lists.clamav.net
Subject: Re: [clamav-users] Malformed pattern daily.ldb version 25410
Hello,
> sigtool --find-sigs Doc.Trojan.Agent-6923124-0 | sigtool --decode-sigs
I don't understand why this signature is so long, and why it is based on
always changing variables.