Nicolas Riendeau wrote:
> It is part of the message (which could be in text/plain or text/html)...
>
> [there is a risk that QP or base64 could make it not work I guess (does
> Clamav takes care of this?) but the test file I'm using doesn't use
> either...]

Yup, Clamav will decode that.

> To be sure my signature would match I made an extended signature with a
> "TargetType" of "0" (which seems to include the others) and an offset
> set to "*" (any)
>
> [eg Joke.local.EricssonHoax:0:*:(61|41)(6e|4e)(6e|4e)(61|41)... ]

This thingy's not going to work, sorry.
If it's HTML just use a proper TargetType and rely on the ClamAV html normalizer which will turn all the text into lower case.
If not, bad luck. :(

-aCaB
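
The rewrite suggested in the reply, as an added example that is not part of the original message and not ClamAV code: it parses an extended signature line, folds each upper/lower-case byte pair to the lowercase byte, and retargets the line to TargetType 3 (normalized HTML). The sample signature, its name and the helper names are constructed for illustration, and `matches_lowercased` is only a stand-in for the lowercasing step.

```python
import re

HTML_TARGET = 3  # ClamAV TargetType for normalized HTML
_ALT = re.compile(r"\(([0-9a-fA-F]{2})\|([0-9a-fA-F]{2})\)")

def parse_ndb(line):
    """Split Name:TargetType:Offset:HexSignature into its fields."""
    parts = line.strip().split(":")
    if len(parts) < 4:
        raise ValueError("expected Name:TargetType:Offset:HexSignature")
    name, target, offset, hexsig = parts[:4]
    return name, int(target), offset, hexsig

def fold_case_pairs(hexsig):
    """Collapse (xx|yy) pairs that are one ASCII letter in both cases
    to the lowercase byte; leave every other alternation untouched."""
    def repl(m):
        a, b = (chr(int(g, 16)) for g in m.groups())
        if a != b and a.isascii() and a.isalpha() and a.lower() == b.lower():
            return format(ord(a.lower()), "02x")
        return m.group(0)
    return _ALT.sub(repl, hexsig)

def to_html_signature(line):
    """Rewrite a signature for TargetType 3 with case pairs folded."""
    name, _target, offset, hexsig = parse_ndb(line)
    return f"{name}:{HTML_TARGET}:{offset}:{fold_case_pairs(hexsig)}"

def matches_lowercased(hexsig, text):
    """Stand-in for the normalizer's lowercasing only (assumption: real
    normalization does more); checks a literal hex body against text."""
    return bytes.fromhex(hexsig) in text.lower().encode("ascii", "ignore")

# Constructed sample, not the poster's truncated signature.
SAMPLE = "Example.Constructed.Hoax:0:*:(61|41)(6e|4e)(6e|4e)(61|41)20(68|48)6f6178"

if __name__ == "__main__":
    converted = to_html_signature(SAMPLE)
    print(converted)
    print(matches_lowercased(parse_ndb(converted)[3], "<b>ANNA Hoax</b>"))
```
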
