[clamav-users] own hex-based rules do not match if more complex strings are used

Stefan Bauer cubewerk at gmail.com
Fri Aug 14 09:31:02 UTC 2020


Arnaud, you made my day. Thank you. That's it. :)

On Fri, 14 Aug 2020 at 11:27, Arnaud Jacques <
webmaster at securiteinfo.com> wrote:

> Hello
>
> Maybe use "echo -n" to avoid final carriage return in string.
>
>
> On 14/08/2020 at 10:16, Stefan Bauer via clamav-users wrote:
> > Hi,
> >
> > Given a very simple example test file:
> >
> > # more BAD.file
> > %PDF-1.7
> > 5 0 obj
> >       /F << /Type /FileSpec /F (http://bad.url/crap.xlsx) /V true /FS
> > /URL >>
> >    >>
> > another bad string
> > 5 0 obj
> >
> >
> > Now I add a string to a new test.db file:
> > # SIG=`echo "another bad string" | sigtool --hex-dump` && echo "sig1=$SIG" > test.db
> >
> > and let it scan:
> >
> > # clamscan -d /root/test.db /root/BAD.file
> > /root/BAD.file: sig1.UNOFFICIAL FOUND
> >
> > ----------- SCAN SUMMARY -----------
> > Known viruses: 1
> > Engine version: 0.102.4
> > Scanned directories: 0
> > Scanned files: 1
> > Infected files: 1
> > Data scanned: 0.00 MB
> > Data read: 0.00 MB (ratio 0.00:1)
> > Time: 0.004 sec (0 m 0 s)
> >
> > Works. However, using a more complex string does not:
> >
> > SIG=`echo "/F << /Type /FileSpec /F (http" | sigtool --hex-dump` && echo "sig1=$SIG" > test.db
> >
> > # clamscan -d /root/test.db /root/BAD.file
> > /root/BAD.file: OK
> >
> > ----------- SCAN SUMMARY -----------
> > Known viruses: 1
> > Engine version: 0.102.4
> > Scanned directories: 0
> > Scanned files: 1
> > Infected files: 0
> > Data scanned: 0.00 MB
> > Data read: 0.00 MB (ratio 0.00:1)
> > Time: 0.004 sec (0 m 0 s)
> >
> > What am I doing wrong?
> >
> > Thank you.
> >
> >
> > _______________________________________________
> >
> > clamav-users mailing list
> > clamav-users at lists.clamav.net
> > https://lists.clamav.net/mailman/listinfo/clamav-users
> >
> >
> > Help us build a comprehensive ClamAV guide:
> > https://github.com/vrtadmin/clamav-faq
> >
> > http://www.clamav.net/contact.html#ml
> >
>
> --
> Cordialement / Best regards,
>
> Arnaud Jacques
> Manager of SecuriteInfo.com
>
> Telephone : +33-(0)3.60.47.09.81
> E-mail : aj at securiteinfo.com
> Website : https://www.securiteinfo.com
> Facebook : https://www.facebook.com/pages/SecuriteInfocom/132872523492286
> Twitter : @SecuriteInfoCom
> Signatures for ClamAV antivirus : http://ow.ly/LqfdL
>
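To make the trailing-newline effect from the thread visible without running clamscan, here is an added Python example (not from the thread and not ClamAV's own code): it models what `echo` / `echo -n` feed into `sigtool --hex-dump`, writes the legacy `name=hex` line, and checks each candidate signature against a constructed copy of the BAD.file contents from the original post.

```python
# Added example: model the echo | sigtool --hex-dump pipeline and test the
# resulting plain hex signature against the sample file from the thread.
# BAD_FILE is constructed from the post above, with a newline after each
# line, as an editor would write it. Not ClamAV code; a simplified model.
BAD_FILE = (
    b"%PDF-1.7\n"
    b"5 0 obj\n"
    b"      /F << /Type /FileSpec /F (http://bad.url/crap.xlsx) /V true /FS\n"
    b"/URL >>\n"
    b"   >>\n"
    b"another bad string\n"
    b"5 0 obj\n"
)


def echo(text: str, n: bool = False) -> bytes:
    """Model of the shell `echo`: appends b'\\n' unless -n is given."""
    return text.encode() + (b"" if n else b"\n")


def hex_dump(data: bytes) -> str:
    """Model of `sigtool --hex-dump`: every input byte as two lowercase hex
    digits, no separators. Whatever echo sends, newline included, becomes
    part of the signature."""
    return data.hex()


def db_line(name: str, hex_sig: str) -> str:
    """Legacy .db signature line as written by `echo "sig1=$SIG" > test.db`."""
    return f"{name}={hex_sig}"


def matches(hex_sig: str, data: bytes) -> bool:
    """A plain hex signature is a contiguous byte string: it hits only if
    exactly those bytes occur somewhere in the scanned data."""
    return bytes.fromhex(hex_sig) in data


def check(text: str, n: bool = False) -> bool:
    """Full pipeline for one candidate string: echo -> hex-dump -> match."""
    return matches(hex_dump(echo(text, n)), BAD_FILE)


if __name__ == "__main__":
    for s in ("another bad string", "/F << /Type /FileSpec /F (http"):
        for n in (False, True):
            sig = hex_dump(echo(s, n))
            verdict = "FOUND" if matches(sig, BAD_FILE) else "OK"
            print(f"echo{' -n' if n else ''}: {db_line('sig1', sig)} -> {verdict}")
```

The first string matches either way only because it is followed by a newline in the file; the second is followed by `://`, so the `0a` that `echo` appends is what breaks the match, and `echo -n` (or `printf '%s'`) fixes it. The matcher is a plain substring check, enough to show the newline effect but not a model of ClamAV's wildcards or file-type handling.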