[Community-sigs] Creating Community signatures from MD5 hashes

Mark Allan mark at clamxav.com
Fri Jan 8 08:38:54 EST 2016


> On 8 Jan 2016, at 1:24 pm, Angelo Amoruso <amoruso at netorbit.it> wrote:
> I'm interested in it too.
> I've played a bit with the .HDB format as created by the sigtool utility, but as far as I've understood it needs the actual sample file size in order to check the MD5 against.
> 
> For example this MD5 signature for a malware:
> 
> b99e4e57b0f319da4578cb957f910581:89088:ebill0765017.doc
> 
> The 89088 part is the original filesize, expressed in bytes.
> I guess it is for false positive avoidance (and performance reasons), but if I don't know the sample size in advance, I cannot write a ClamAV HDB signature!
> 
> I tried creating a signature with 0 (zero) but the sample (same file) didn't get recognized at all.
> 
> Didn't check the source files yet.

You can create a hash sig from an unseen sample file by using an asterisk in place of the filesize in the signature.  See the following from the docs:

ClamAV 0.98 has also added support for hash signatures where the size is not known but the hash is. It is much more performance-efficient to use signatures with specific sizes, so be cautious when using this feature. For these cases, the '*' character can be used in the size field. To ensure proper backwards compatibility with older versions of ClamAV, these signatures must have a minimum functional level of 73 or higher. Signatures that use the wildcard size without this level set will be rejected as malformed.

Sample .hdb signature matching any size
HashString:*:MalwareName:73

Mark
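As an added example (not code from this thread, from ClamAV or from sigtool), the script below builds all three forms of .hdb line discussed above, parses them with the checks the quoted docs describe (32 hex digits, `*` size only with a minimum FLEVEL of 73), and applies them to a constructed sample. The matcher mirrors the documented semantics, hash and size must both match unless the size is `*`; it is not ClamAV's own implementation. It also assumes that a literal `0` in the size field is compared as a real size rather than treated as a wildcard, which is consistent with the observation above that a 0-size signature did not fire. Names such as `Test.Exact` and the sample bytes are made up for the demonstration.

```python
import hashlib
import os
import re
import tempfile
from collections import namedtuple

HEX_MD5 = re.compile(r"^[0-9a-f]{32}$")
WILDCARD_MIN_FLEVEL = 73  # docs: '*' size requires min functional level 73

# Hash:Size:Name[:MinFL[:MaxFL]]; size is an int or None for '*'
HdbSig = namedtuple("HdbSig", "md5 size name min_flevel max_flevel")


def md5_hex_of(data):
    return hashlib.md5(data).hexdigest()


def hdb_line_from_file(path, malware_name):
    """Exact-size line (what you get when the sample is on disk)."""
    h = hashlib.md5()
    size = 0
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
            size += len(chunk)
    return f"{h.hexdigest()}:{size}:{malware_name}"


def hdb_line_from_hash(md5_hex, malware_name, size=None):
    """Line from a hash alone. With no size, emit '*' plus the :73 MinFL.
    A size of 0 is refused: 0 is a literal size, not a wildcard."""
    md5_hex = md5_hex.lower()
    if not HEX_MD5.match(md5_hex):
        raise ValueError("MD5 must be 32 hex digits")
    if ":" in malware_name:
        raise ValueError("':' is the field separator, not allowed in a name")
    if size is None:
        return f"{md5_hex}:*:{malware_name}:{WILDCARD_MIN_FLEVEL}"
    if size <= 0:
        raise ValueError("size must be > 0; use size=None for the '*' wildcard")
    return f"{md5_hex}:{size}:{malware_name}"


def parse_hdb(text):
    """Parse .hdb text, rejecting the malformed cases the docs describe."""
    sigs = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if not 3 <= len(fields) <= 5:
            raise ValueError(f"line {lineno}: expected 3 to 5 fields")
        md5_hex, size_field, name = fields[0].lower(), fields[1], fields[2]
        if not HEX_MD5.match(md5_hex):
            raise ValueError(f"line {lineno}: bad MD5 {fields[0]!r}")
        min_fl = int(fields[3]) if len(fields) > 3 and fields[3] else 0
        max_fl = int(fields[4]) if len(fields) > 4 and fields[4] else None
        if size_field == "*":
            if min_fl < WILDCARD_MIN_FLEVEL:
                raise ValueError(f"line {lineno}: '*' size needs MinFL >= 73")
            size = None
        elif size_field.isdigit():
            size = int(size_field)  # a literal 0 stays 0 and will never match
        else:
            raise ValueError(f"line {lineno}: size must be digits or '*'")
        sigs.append(HdbSig(md5_hex, size, name, min_fl, max_fl))
    return sigs


def scan_bytes(data, sigs):
    """First matching name or None. Size is filtered before hashing, which is
    the performance win exact-size signatures give and '*' gives up."""
    size = len(data)
    candidates = [s for s in sigs if s.size is None or s.size == size]
    if not candidates:
        return None
    digest = md5_hex_of(data)
    return next((s.name for s in candidates if s.md5 == digest), None)


def scan_file(path, sigs):
    with open(path, "rb") as f:
        return scan_bytes(f.read(), sigs)


SAMPLE = b"constructed sample, not a real malware file\n" * 5  # made-up content


def demo():
    """Round-trip exact, wildcard and 0-size lines against SAMPLE on disk."""
    digest = md5_hex_of(SAMPLE)
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "sample.bin")
        with open(path, "wb") as f:
            f.write(SAMPLE)
        exact = hdb_line_from_file(path, "Test.Exact")
        wildcard = hdb_line_from_hash(digest, "Test.Wildcard")
        zero = f"{digest}:0:Test.Zero"  # the form from the thread that never fired
        return {
            "exact": scan_file(path, parse_hdb(exact)),
            "wildcard": scan_file(path, parse_hdb(wildcard)),
            "zero": scan_file(path, parse_hdb(zero)),
        }


if __name__ == "__main__":
    print(demo())
```

Run it as a script to see the exact and wildcard lines match the sample while the 0-size line does not; `parse_hdb` raises on a `*` line without the `:73`, which is the error a real `.hdb` would trigger in clamd.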