Hi, I think there is a bug in the cli_ac_addpatt() function.
In my kernel module version of clamav, I check for wildcard characters in the first 2 bytes of the pattern:

    for(i = 0; i < AC_MIN_LENGTH; i++) {
        // wild card characters not allowed in hash
        if (pattern->pattern[i] == CLI_IGN || pattern->pattern[i] == CLI_ALT)
            return CL_EPATSHORT;
    }

I do that because if such a node is added to the AC trie, that node will never be found by cli_ac_scanbuff().

There are 2 examples I found in the clamav db for signatures that have a wildcard character as the 2nd byte of the pattern:

    Trojan.Bat.DeltreeY-3:0:*:...{-1}2f(59|79)...
    Trojan.IRC-Script-28:0:*:6e??...

Please let me know if I got it wrong.

Thanks,
Amir.
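The situation described in the message above, as an added toy model in C (not ClamAV code and not part of the original post): a depth-2 prefix index that is reached only through literal buffer bytes, so a signature with a wildcard marker in its first AC_MIN_LENGTH positions is silently missed unless the insert rejects it. The TOY_* values, toy_index, toy_addpatt, toy_scanbuff, the sample signatures and the byte truncation of the marker are assumptions of this sketch.

```c
#include <stdio.h>
#include <string.h>

#define AC_MIN_LENGTH 2     /* prefix depth named in the post */
#define TOY_IGN (-200)      /* constructed stand-in for CLI_IGN ("??") */
#define TOY_ALT (-201)      /* constructed stand-in for CLI_ALT; not expanded here */
#define TOY_EPATSHORT (-1)  /* constructed stand-in for CL_EPATSHORT */
struct toy_patt { const short *pattern; size_t length; };
/* Depth-2 prefix index, one slot per literal byte pair (toy simplification). */
static const struct toy_patt *toy_index[256][256];

/* Insert a pattern; strict != 0 applies the check proposed in the post. */
static int toy_addpatt(const struct toy_patt *p, int strict) {
    size_t i;
    if (p->length < AC_MIN_LENGTH) return TOY_EPATSHORT;
    for (i = 0; strict && i < AC_MIN_LENGTH; i++)
        if (p->pattern[i] == TOY_IGN || p->pattern[i] == TOY_ALT) return TOY_EPATSHORT;
    /* Assumption: a marker is truncated to one byte when used as an index. */
    toy_index[(unsigned char)p->pattern[0]][(unsigned char)p->pattern[1]] = p;
    return 0;
}

/* Follow literal buffer bytes to a slot, then verify the whole pattern. */
static int toy_scanbuff(const unsigned char *buf, size_t len) {
    size_t off, i;
    for (off = 0; off + AC_MIN_LENGTH <= len; off++) {
        const struct toy_patt *p = toy_index[buf[off]][buf[off + 1]];
        if (!p || off + p->length > len) continue;
        for (i = 0; i < p->length; i++)
            if (p->pattern[i] != TOY_IGN && p->pattern[i] != buf[off + i]) break;
        if (i == p->length) return 1;
    }
    return 0;
}

static const short bad_sig[] = { 0x6e, TOY_IGN, 0x41 };        /* 6e??41, constructed */
static const short ok_sig[]  = { 0x6e, 0x11, TOY_IGN, 0x41 };  /* 6e11??41, constructed */
static const struct toy_patt bad = { bad_sig, 3 }, ok = { ok_sig, 4 };
static const unsigned char data[] = { 0x00, 0x6e, 0x11, 0x41, 0x41 }; /* both should hit */
/* Clear the index, insert one pattern, return the reject code or scan verdict. */
static int demo(const struct toy_patt *p, int strict) {
    memset(toy_index, 0, sizeof toy_index);
    return toy_addpatt(p, strict) ? TOY_EPATSHORT : toy_scanbuff(data, sizeof data);
}

int main(void) {
    printf("unchecked=%d strict=%d literal=%d\n", demo(&bad, 0), demo(&bad, 1), demo(&ok, 1));
    return 0;
}
```

In this model the unchecked insert accepts the wildcard-prefixed signature and the scan then returns no match on data it should hit, while the strict insert surfaces the problem as a load-time error.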