[Community-sigs] Creating Community signatures from MD5 hashes
Angelo Amoruso
amoruso at netorbit.it
Fri Jan 8 08:24:27 EST 2016
On 08/01/2016 12:58, Paul David Hood wrote:
> Hi,
>
> I am seeking a means to produce ClamAV signatures directly from MD5
> signatures, rather than from a sample file which is then MD5'd.
>
> I have found literature explaining how to create community signatures
> from samples, but nothing that explains how to create signatures
> directly from MD5 sigs.
[...]
I'm interested in it too.
I've played a bit with the .HDB format as created by the sigtool utility,
but as far as I've understood it needs the actual sample file size in
order to check the MD5 against.
For example this MD5 signature for a malware:
b99e4e57b0f319da4578cb957f910581:89088:ebill0765017.doc
The 89088 part is the original filesize, expressed in bytes.
I guess it is for false positive avoidance (and performance reasons), but
if I don't know the sample size in advance, I cannot write a ClamAV HDB
signature!
I tried creating a signature with 0 (zero) but the sample (same file)
didn't get recognized at all.
Didn't check the source files yet.
Angelo
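
Added example, not part of the original message and not ClamAV project code: building and checking .hdb lines from a bare MD5. It assumes the wildcard form described in ClamAV's signature documentation for ClamAV 0.98 and later, where a size of "*" is accepted only when the line carries a minimum functionality level of 73 or higher; the function names are hypothetical.

```python
import hashlib
import re

MD5_RE = re.compile(r"^[0-9a-fA-F]{32}$")
WILDCARD_MIN_FLEVEL = 73  # assumed from ClamAV docs: lowest flevel that accepts size "*"


def hdb_line(md5, name, size=None):
    """Build one .hdb line: MD5:size:name, or MD5:*:name:73 if the size is unknown."""
    if not MD5_RE.match(md5):
        raise ValueError("not a 32-digit hex MD5: %r" % md5)
    # ':' separates fields, so it must not appear inside the signature name.
    name = re.sub(r"[:\s]+", "_", name.strip())
    if not name:
        raise ValueError("empty signature name")
    if size is None:
        # Unknown size: wildcard field plus the minimum functionality level.
        return "%s:*:%s:%d" % (md5.lower(), name, WILDCARD_MIN_FLEVEL)
    if not isinstance(size, int) or size <= 0:
        # 0 is not a wildcard; the message above reports it matching nothing.
        raise ValueError("size must be a positive byte count, or None if unknown")
    return "%s:%d:%s" % (md5.lower(), size, name)


def hdb_from_bytes(data, name):
    """Sample in hand: both the MD5 and the size are known."""
    return hdb_line(hashlib.md5(data).hexdigest(), name, len(data))


def parse_hdb(line):
    """Return (md5, size or None, name, min_flevel or None); reject malformed lines."""
    parts = line.strip().split(":")
    if len(parts) not in (3, 4) or not MD5_RE.match(parts[0]):
        raise ValueError("malformed .hdb line: %r" % line)
    flevel = int(parts[3]) if len(parts) == 4 else None
    if parts[1] == "*":
        if flevel is None or flevel < WILDCARD_MIN_FLEVEL:
            raise ValueError("wildcard size needs a minimum flevel of 73 or higher")
        return parts[0].lower(), None, parts[2], flevel
    return parts[0].lower(), int(parts[1]), parts[2], flevel


if __name__ == "__main__":
    md5 = "b99e4e57b0f319da4578cb957f910581"  # MD5 quoted in the message above
    print(hdb_line(md5, "ebill0765017.doc", 89088))  # size known
    print(hdb_line(md5, "ebill0765017.doc"))         # size unknown
```

Fixed-size lines are cheaper for the scanner to evaluate than wildcard ones, so keep the real size whenever the source of the hash provides it.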