[clamav-users] custom signature error

demonduck demonduck at sourcefire.com
Wed Jan 30 09:18:36 EST 2019


Hi Emanuel,

When creating ClamAV signatures, refer to
https://github.com/Cisco-Talos/clamav-devel/tree/dev/0.102/docs/UserManual,
specifically:

- NDBs:
https://github.com/Cisco-Talos/clamav-devel/blob/dev/0.102/docs/UserManual/Signatures/ExtendedSignatures.md
- LDBs:
https://github.com/Cisco-Talos/clamav-devel/blob/dev/0.102/docs/UserManual/Signatures/LogicalSignatures.md

Sigtool's hex-dump does not create an NDB signature, and that is why you are
receiving the error message. As stated in ExtendedSignatures.md, an NDB
signature should follow the format below:

   MalwareName:TargetType:Offset:HexSignature[:min_flevel:[max_flevel]]

An example would be:

  MyCustomSignature:2:0:d0cf11e0a1b11ae1

The above signature restricts the file types scanned to OLEs ("2") and
looks for the signature ("d0cf11e0a1b11ae1") at a specific offset ("0").

Hope that helps,
demonduck
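The format described above, turned into a small script (an added example, not code from the list post or from the ClamAV project): it takes the first few bytes of a file as the HexSignature field, assembles a complete NDB line with a name, target type and offset, and checks a candidate line against that format before it is handed to clamscan. The format check is a simplified one of my own (plain hex only, numeric or `*` offset); the real NDB grammar also allows wildcards and other offset forms, so treat it as a sanity check, not a full parser. The sample file is constructed inline from the OLE2 header bytes used in the reply.

```shell
#!/bin/sh
# Added example (not from the list post or from ClamAV): build a ClamAV NDB
# line from a file's leading bytes and sanity-check it against the documented
# MalwareName:TargetType:Offset:HexSignature[:min_flevel[:max_flevel]] format.

# Lowercase hex of the first $2 bytes of file $1, with no whitespace.
# This is the HexSignature field only. A bare hex dump (what
# "sigtool --hex-dump" prints) is not an NDB line, which is exactly why
# clamscan reports "Problem parsing database at line 1 / Malformed database".
file_prefix_hex() {
    head -c "$2" "$1" | od -An -tx1 -v | tr -d ' \n'
}

# Emit one NDB line.
# $1 signature name, $2 target type (2 = OLE2 per the ClamAV docs),
# $3 offset, $4 file, $5 number of leading bytes to use.
make_ndb_line() {
    printf '%s:%s:%s:%s\n' "$1" "$2" "$3" "$(file_prefix_hex "$4" "$5")"
}

# Return 0 if $1 looks like a well-formed NDB entry, 1 otherwise.
# Simplified (assumption): offset must be "*" or a decimal number, the hex
# part must be an even number of hex digits, optional min/max flevel fields.
ndb_line_ok() {
    printf '%s\n' "$1" | grep -Eq \
        '^[A-Za-z0-9._-]+:[0-9]+:(\*|[0-9]+):([0-9a-fA-F]{2})+(:[0-9]+(:[0-9]+)?)?$'
}

# Demo: constructed sample file whose first 8 bytes are the OLE2 header
# d0cf11e0a1b11ae1 (followed by filler), then the resulting signature line.
demo() {
    tmp=$(mktemp)
    printf '\320\317\021\340\241\261\032\341ABCD' > "$tmp"
    line=$(make_ndb_line MyCustomSignature 2 0 "$tmp" 8)
    rm -f "$tmp"
    if ndb_line_ok "$line"; then
        printf 'OK  %s\n' "$line"
    else
        printf 'BAD %s\n' "$line"
    fi
}

demo
```

Run it with `sh ndb_example.sh`; redirect the emitted line to a `.ndb` file and pass that to `clamscan -d`, as in the reply. Note that `clamdscan` does not accept `-d` at all (the daemon uses the databases from `clamd.conf`), which is the "Ignoring unsupported option --database" warning in the quoted post.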


On Wed, Jan 30, 2019 at 9:04 AM Emanuel Gonzalez <
emanuel_gonzalez at live.com.ar> wrote:

> Hello,
>
> I read this document
> https://blog.clamav.net/2016/06/create-your-own-anti-virus-signatures.html
>
>
> I need add a signature to database:
>
>
> # cat 30012019_term_4373.doc | sigtool --hex-dump | head -c 2048 >
> customsig.ndb
>
> # clamdscan -d customsig.ndb 30012019_term_4373.doc
> WARNING: Ignoring unsupported option --database (-d)
> /root/30012019_term_4373.doc: lstat() failed: Permission denied. ERROR
>
> ----------- SCAN SUMMARY -----------
> Infected files: 0
> Total errors: 1
> Time: 0.000 sec (0 m 0 s)
>
> # clamscan -d customsig.ndb 30012019_term_4373.doc
> LibClamAV Error: Problem parsing database at line 1
> LibClamAV Error: Can't load customsig.ndb: Malformed database
> ERROR: Malformed database
>
> ----------- SCAN SUMMARY -----------
> Known viruses: 0
> Engine version: 0.101.1
> Scanned directories: 0
> Scanned files: 0
> Infected files: 0
> Data scanned: 0.00 MB
> Data read: 0.00 MB (ratio 0.00:1)
> Time: 0.002 sec (0 m 0 s)
>
> # freshclam
> ClamAV update process started at Wed Jan 30 11:03:14 2019
> main.cvd is up to date (version: 58, sigs: 4566249, f-level: 60, builder:
> sigmgr)
> daily.cld is up to date (version: 25343, sigs: 2228905, f-level: 63,
> builder: raynman)
> bytecode.cld is up to date (version: 328, sigs: 94, f-level: 63, builder:
> neo)
>
>
> # clamd --v
> ClamAV 0.101.1/25343/Wed Jan 30 02:04:01 2019
>
> Any ideas?
>