[Community-sigs] Creating Community signatures from MD5 hashes
Joel Esler (jesler)
jesler at cisco.com
Fri Jan 8 08:37:39 EST 2016
As of... I forget what version off the top of my head, you can write a ClamAV signature (hdb type) without a size.
I believe it's like this:
<md5>.*.<name>
One of my colleagues can correct me if I am wrong.
Sent from my iPad
> On Jan 8, 2016, at 8:25 AM, Angelo Amoruso <amoruso at netorbit.it> wrote:
>
>> On 08/01/2016 12:58, Paul David Hood wrote:
>> Hi,
>>
>> I am seeking a means to produce ClamAV signatures directly from MD5
>> signatures, rather than from a sample file which is then MD5'd.
>>
>> I have found literature explaining how to create community signatures
>> from samples, but nothing that explains how to create signatures
>> directly from MD5 sigs.
> [...]
>
> I'm interested in it too.
> I've played a bit with the .HDB format as created by the sigtool utility, but as far as I've understood, it needs the actual sample file size in order to check the MD5 against.
>
> For example this MD5 signature for a malware:
>
> b99e4e57b0f319da4578cb957f910581:89088:ebill0765017.doc
>
> The 89088 part is the original filesize, expressed in bytes.
> I guess it is for false positive avoidance (and performance reasons), but if I don't know the sample size in advance, I cannot write a ClamAV HDB signature!
>
> I tried creating a signature with 0 (zero) but the sample (same file) didn't get recognized at all.
>
> Didn't check the source files yet.
>
> Angelo
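Added example, not part of the original message or of ClamAV's own tooling: a small Python helper that turns bare MD5 hashes into .hdb lines, using the colon-separated layout from the quoted sample and `*` as the size when the size is unknown. The trailing `73` (minimum functionality level for wildcard-size hash signatures) is taken from ClamAV's signature documentation rather than from this thread; the function names and the second and third sample entries are constructed for illustration.

```python
import re

MD5_RE = re.compile(r"^[0-9a-fA-F]{32}$")
NAME_RE = re.compile(r"^[A-Za-z0-9._-]+$")  # conservative name charset (assumption)
WILDCARD_FLEVEL = 73  # minimum functionality level for size "*", per ClamAV docs


def hdb_line(md5, name, size=None):
    """Return one .hdb line: md5:size:name, or md5:*:name:73 if size is unknown."""
    md5 = md5.strip().lower()
    if not MD5_RE.match(md5):
        raise ValueError("not a 32-hex-digit MD5: %r" % md5)
    if not NAME_RE.match(name):
        raise ValueError("unsafe signature name: %r" % name)
    if size is None:
        return "%s:*:%s:%d" % (md5, name, WILDCARD_FLEVEL)
    # 0 is treated as a literal size, not a wildcard (the thread reports that a
    # size of 0 did not match), so it is rejected here rather than emitted.
    if isinstance(size, bool) or not isinstance(size, int) or size <= 0:
        raise ValueError("size must be a positive integer or None")
    return "%s:%d:%s" % (md5, size, name)


def build_hdb(entries):
    """entries: (md5, name, size_or_None) tuples -> (lines, rejected)."""
    lines, rejected, seen = [], [], set()
    for md5, name, size in entries:
        try:
            line = hdb_line(md5, name, size)
        except ValueError as exc:
            rejected.append((md5, str(exc)))
            continue
        digest = line.split(":", 1)[0]
        if digest not in seen:  # keep the first entry per hash
            seen.add(digest)
            lines.append(line)
    return lines, rejected


if __name__ == "__main__":
    sample = [
        ("b99e4e57b0f319da4578cb957f910581", "ebill0765017.doc", 89088),  # from the thread
        ("0123456789ABCDEF0123456789ABCDEF", "Constructed.Sample-1", None),  # constructed
        ("not-a-hash", "Constructed.Sample-2", None),  # constructed, rejected
    ]
    lines, rejected = build_hdb(sample)
    print("\n".join(lines))
    for md5, why in rejected:
        print("# skipped %s: %s" % (md5, why))
```

Write the resulting lines to a file with an .hdb extension and load it with `clamscan -d`.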