On Fri, 2004-09-17 at 03:02, Tomasz Kojm wrote:
> > Okay, well I've found an easier to understand source...
> > http://www.funducode.com/freec/Fileformats/format3/format3b.htm
> > and it seems that the particular exploit byte sequence would be unique
> > within jpeg files. I've also tracked down docs on how to make a
> > signature for clam, but it doesn't appear that it's possible to form a
>
> A new signature format that will be included in 0.80rc will allow an
> advanced offset and target type specification, including JPEG images.

Cool, as ever you're one step ahead!

> > signature by detecting two distinct patterns in a file, or anchoring
>
> With older clamav versions you can use HEX1*HEX2*...*HEXn

That doesn't anchor to the start of the file though (I guess I'd need to
anchor the magic number to minimise false positives). I had just about
guessed, by looking at the sig files after I posted, that the * was a
wildcard (matching many bytes) and the ? a single unknown byte (correct?).
Perhaps this information could be added to signatures.pdf? Is there a
limit (and if so what is it) to how many bytes a * will match?

BMRB International
http://www.bmrb.co.uk
+44 (0)20 8566 5000
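Added example, not part of the original message and not ClamAV code: a Python sketch of the HEX1*HEX2 matching discussed above, showing how an unanchored pattern can also hit non-JPEG data and how requiring the JPEG magic number at offset 0 narrows it. The pattern bytes and sample files are constructed placeholders (not the exploit sequence), and the sketch assumes `*` may span any number of bytes.

```python
JPEG_SOI = bytes.fromhex("ffd8")   # JPEG start-of-image marker (magic number)
PATTERN = "aabbcc*ddeeff"          # constructed placeholder, not a real signature


def match_wildcard(data: bytes, pattern: str, start: int = 0) -> bool:
    """Match HEX1*HEX2*...*HEXn: fragments must occur in order, with any
    number of bytes between them (no gap limit in this sketch)."""
    pos = start
    for frag in pattern.split("*"):
        needle = bytes.fromhex(frag)
        idx = data.find(needle, pos)   # leftmost hit keeps most room for the rest
        if idx < 0:
            return False
        pos = idx + len(needle)
    return True


def match_anchored(data: bytes, magic: bytes, pattern: str) -> bool:
    """Same body match, but only for files that begin with the magic number."""
    return data.startswith(magic) and match_wildcard(data, pattern, len(magic))


def scan_samples() -> dict:
    """Run both matchers over constructed sample files.
    Returns {name: (unanchored_hit, anchored_hit)}."""
    a, b = bytes.fromhex("aabbcc"), bytes.fromhex("ddeeff")
    samples = {
        # JPEG header, both fragments in order with a gap between them
        "jpeg_hit": JPEG_SOI + b"\x00" * 4 + a + b"\x11" * 10 + b,
        # JPEG header, only the first fragment present
        "jpeg_clean": JPEG_SOI + a + b"\x00" * 8,
        # not a JPEG, but happens to contain both fragments
        "zip_like": b"PK\x03\x04" + a + b"\x00" * 3 + b,
        # JPEG header, fragments in the wrong order
        "jpeg_reversed": JPEG_SOI + b + a,
    }
    return {
        name: (match_wildcard(blob, PATTERN),
               match_anchored(blob, JPEG_SOI, PATTERN))
        for name, blob in samples.items()
    }


if __name__ == "__main__":
    for name, (loose, anchored) in scan_samples().items():
        print(f"{name:14} unanchored={loose!s:5} anchored={anchored}")
```

The `zip_like` sample is the false positive the unanchored form produces; the anchored check rejects it because the file does not start with the JPEG marker.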
