On 1/1/07, Török Edvin <[EMAIL PROTECTED]> wrote:
Hi, please see this thread:
http://lurker.clamav.net/message/20061030.185430.688d1f47.en.html
I am not sure this discussion is related to the bug I mentioned.
>
> I think there is a bug in the cli_ac_addpatt() function.
>
> in my kernel module version of clamav, I check for wildcard characters
Is it based on 0.88.x? 0.90 has an improved ac engine.
0.88. I didn't check 0.90 yet.
>
> there are 2 examples I found in the clamav db for signatures that have
> a wildcard character as the 2nd bytes of the pattern:
TK said (in that thread) range wildcards (*,{})). "(59|79)" is not a
range wildcard.
I know that a short part signature is not valid.
the problem I am pointing out is that the 2 signatures below are
"valid" according to 0.88, but they will never be detected.
because of the way that the AC trie works, if the pattern prefix is
6e?? and the input data is 6e6e (for example), it will not match it.
>
> Trojan.Bat.DeltreeY-3:0:*:...{-1}2f(59|79)...
> Trojan.IRC-Script-28:0:*:6e??...
Should work in 0.90rc.
Thanks,
I will check it.
Amir.
_______________________________________________
http://lurker.clamav.net/list/clamav-devel.html
