I can reproduce the Malformed pattern problem with a file with just the one signature:
Xls.Downloader.Powload-6923120-0, which is an even longer one.
This is 4 signatures before Doc.Trojan.Agent-6923124-0 in daily.ldb.

sigtool reports the wrong line numbering, e.g. with a file with just Xls.Downloader.Powload-6923120-0 it reports
the problem as being on line 2. It seems to be 4 lines out when reporting on the whole daily.ldb.

Again, sigtool --find Xls.Downloader.Powload-6923120-0 | sigtool --decode-sigs
doesn't show a problem.
clamscan --debug -d file_with_just_the_sig_above.ldb somefile
doesn't show a problem.

Xls.Downloader.Powload-6923120-0 turned up in daily 25410, which was when the problem started.
Maybe sigtool --list can't handle long signatures in ClamAV 0.100.2.

There does seem a pointlessness to signatures based upon exact variable names etc. that are obfuscated
and likely will vary with each sample. A regex signature to get any variable name would be better.

David Shrimpton
________________________________________
From: clamav-users <clamav-users-bounces@lists.clamav.net> on behalf of Arnaud Jacques <webmaster@securiteinfo.com>
Sent: Saturday, April 6, 2019 12:27 AM
To: clamav-users@lists.clamav.net
Subject: Re: [clamav-users] Malformed pattern daily.ldb version 25410
Hello,
> sigtool --find-sigs Doc.Trojan.Agent-6923124-0 | sigtool --decode-sigs
I don't understand why this signature is so long, and why it is based on
always changing variables.