[clamav-users] Issue with clamav logical signature generation
Micah Snyder (micasnyd)
micasnyd at cisco.com
Mon Feb 25 13:38:08 UTC 2019
I just took a peek at the code to try to answer your question. I'm not sure why, exactly, but yes there is an explicit MAX_LDB_SUBSIGS set to 64.
Regards,
-Micah
> On Feb 24, 2019, at 9:35 PM, Al Varnell via clamav-users <clamav-users at lists.clamav.net> wrote:
>
> I can’t comment on whether or not there is a 65 field limit, though it appears to me to be obviously so based on your experience.
>
> What I will comment on is that your approach is rather unique compared to most of the .ldb signatures I’ve observed in the ClamAV database. Most all of the latter use 'and' rather than 'or' rules as well as longer ascii strings to ensure against False Positives. I have to believe there is a very significant chance that or’ing that many short strings together will result in many False Positive hits.
>
> Additionally, the strings you provided appear to contain an extra digit. I thought hex strings always contain an even number of digits?
>
> -Al-
> ClamXAV User
>
>> On Feb 24, 2019, at 3:12 PM, Satwik B via clamav-users <clamav-users at lists.clamav.net> wrote:
>>
>> Hello,
>>
>> I am trying to generate clamav signatures for a malware dataset that I have.
>>
>> Initially I have recognized some strings which are prominent in a class of malware, hence, those are considered and a ldb signature is generated using the below method.
>>
>> The name of the signature, Engine version, Target as 0. We further have 'x' number of sub-signatures, here x is 100, each with logical or. All the strings are converted to hex representation. Below is the example which is generated.
>>
>> ramnit.Signature;Engine:0-500,Target:0;0|1|2|3|4|5|6|7|8|9|10|11|12|13|14|15|16|17|18|19|20|21|22|23|24|25|26|27|28|29|30|31|32|33|34|35|36|37|38|39|40|41|42|43|44|45|46|47|48|49|50|51|52|53|54|55|56|57|58|59|60|61|62|63|64|65|66|67|68|69|70|71|72|73|74|75|76|77|78|79|80|81|82|83|84|85|86|87|88|89|90|91|92|93|94|95|96|97|98|99;636f6e6e6;686b65795;363530393;52656c656;633a5c5c7;436f6e766;313937313;6c6f63616;576169744;363337363;686b65795;353238363;736c65657;633a5c5c7;636f6e6e6;686b65795;633a5c5c7;737663686;363030363;633a5c5c7;313935353;633a5c5c7;636f6e6e6;6765746d6;536574437;313933393;686b65795;633a5c5c7;323232363;353537363;686b65795;686b65795;686b65795;686b65795;686b65795;686b65795;686b65795;686b65795;353130363;64656c657;633a5c5c7;633a5c5c7;686b65795;53656e644;6b7975666;6c6f63616;494d41474;686b65795;686b65795;686b65795;696573716;737663686;313237303;363033353;363039383;686b65795;686b65795;633a5c5c7;686b65795;333139313;686b65795;437265617;686b65795;476574546;353631323;633a5c5c7;686b65795;496e74657;686b65795;686b65795;686b65795;686b65795;3f7365745;633a5c5c7;476574537;527063426;686b65795;686b65795;566572517;353630353;686b65795;4f70656e5;353138343;4c6f6f6b7;633a5c5c7;476574546;363139393;633a5c5c7;686b65795;353638333;676574707;6f6c65333;5065656b4;343230353;536574576;5c5c3f3f5;5265674f7;633a5c5c7;686b65795;686b65795
>>
>> Now, the problem is in case there are <=65 sub-signatures then everything works fine however, if they increase beyond that, it results in the following error.
>>
>> LibClamAV Error: cli_loadldb: The number of subsignatures (== 65) doesn't match the IDs in the logical expression (== 100)
>> LibClamAV Error: Problem parsing database at line 1
>> LibClamAV Error: Can't load ramnit.ldb: Malformed database
>> ERROR: Malformed database
>>
>> Is it that the ldb signatures are limited to only 65 conditions? If not, what causes this issue and how to solve it?
>>
>> --
>> Satwik
>
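As an added example (not code from the thread, nor from ClamAV itself), a small Python checker for the three problems raised above: the 64-subsignature limit, a subsignature count that does not match the IDs in the logical expression, and odd-length hex patterns; it also flags very short plain patterns as false-positive risks and shows how a pure-OR signature can be split into pieces that each fit the limit. The limit of 64 is taken from Micah's reply; the short-pattern threshold, the numeric name suffixes on the split pieces, and both sample signatures are assumptions or constructed inputs.

```python
import re

MAX_LDB_SUBSIGS = 64     # the limit Micah quotes from the ClamAV source; assumed unchanged
MIN_PATTERN_BYTES = 6    # assumed threshold below which a plain hex pattern is flagged as FP-prone

def validate_ldb(line):
    """Return a list of problems found in one .ldb line (empty list means it looks well-formed).
    Assumes the logical expression uses only subsig IDs, '|', '&' and parentheses."""
    fields = line.strip().split(";")
    if len(fields) < 4:
        return ["expected name;TDB;logical-expression;subsig[;subsig...]"]
    _name, _tdb, expr, *subsigs = fields
    if not re.fullmatch(r"[0-9|&()]+", expr) or not re.search(r"\d", expr):
        return ["unsupported logical expression (count modifiers are not handled here)"]
    ids = {int(n) for n in re.findall(r"\d+", expr)}
    problems = []
    if len(subsigs) > MAX_LDB_SUBSIGS:
        problems.append(f"{len(subsigs)} subsignatures exceeds MAX_LDB_SUBSIGS ({MAX_LDB_SUBSIGS})")
    if max(ids) + 1 != len(subsigs):
        problems.append(f"subsig count ({len(subsigs)}) doesn't match IDs in expression ({max(ids) + 1})")
    elif ids != set(range(len(subsigs))):
        problems.append("some subsignatures are never referenced by the logical expression")
    for i, sig in enumerate(subsigs):
        if not re.fullmatch(r"[0-9a-fA-F]+", sig):
            continue  # wildcards or alternations present; byte-level checks skipped
        if len(sig) % 2:
            problems.append(f"subsig {i} has an odd number of hex digits ({len(sig)})")
        elif len(sig) // 2 < MIN_PATTERN_BYTES:
            problems.append(f"subsig {i} is only {len(sig) // 2} bytes: high false-positive risk")
    return problems

def split_or_signature(line, chunk=MAX_LDB_SUBSIGS):
    """Split a pure-OR signature with too many subsigs into several that each fit the limit.
    Each piece matches a subset of the patterns, so loading all pieces is equivalent to the
    original. Piece names get a numeric suffix (assumed naming convention)."""
    name, tdb, expr, *subsigs = line.strip().split(";")
    if not re.fullmatch(r"\d+(\|\d+)*", expr):
        raise ValueError("only pure OR expressions can be split this way")
    pieces = []
    for k in range(0, len(subsigs), chunk):
        part = subsigs[k:k + chunk]
        new_expr = "|".join(str(i) for i in range(len(part)))
        pieces.append(";".join([f"{name}.{k // chunk}", tdb, new_expr] + part))
    return pieces

# Constructed inputs (not from the thread): BAD mimics the failing signature with 100 OR'ed
# subsigs of 9 hex digits each; GOOD is a small well-formed AND signature.
BAD = ("ramnit.Signature;Engine:0-500,Target:0;" + "|".join(map(str, range(100)))
       + ";" + ";".join(["636f6e6e6"] * 100))
GOOD = "ramnit.Test;Engine:0-500,Target:0;0&1;636f6e6e656374;686b65795f6c6f63616c"
```

Running `validate_ldb(BAD)` reports the over-limit count plus one odd-digit problem per subsignature, while `split_or_signature(BAD)` yields two signatures of 64 and 36 subsignatures that no longer trip the limit.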