Hi!
Tomasz Kojm wrote:
> On Sat, 24 Jun 2006 17:33:29 -0400
> Nicolas Riendeau <[EMAIL PROTECTED]> wrote:
> > It looks like I'm not out of the woods yet as it almost looks like every
> > two bytes there must be a static byte because otherwise I get FPs...
I made some additional tests and I'm no longer sure of that (see below)...
> Could you provide some examples for such FPs?
I want to detect (in an email that could be in plain text or in html)
[EMAIL PROTECTED]
616e6e612e7377656c756e67406572696373736f6e2e636f6d
/
[EMAIL PROTECTED]
414e4e412e5357454c554e47404552494353534f4e2e434f4d
and all possible (mixed case) variants of these.
So I made the following signatures (original signature had the first two bytes
non-static):
Joke.local.EricssonHoax.1:0:*:616e(6e|4e)(61|41)2e(73|53)(77|57)(65|45)(6c|4c)(75|55)(6e|4e)(67|47)40(65|45)(72|52)(69|49)(63|43)(73|53)(73|53)(6f|4f)(6e|4e)2e(63|43)(6f|4f)(6d|4d)
Joke.local.EricssonHoax.2:0:*:414e(6e|4e)(61|41)2e(73|53)(77|57)(65|45)(6c|4c)(75|55)(6e|4e)(67|47)40(65|45)(72|52)(69|49)(63|43)(73|53)(73|53)(6f|4f)(6e|4e)2e(63|43)(6f|4f)(6d|4d)
Joke.local.EricssonHoax.3:0:*:614e(6e|4e)(61|41)2e(73|53)(77|57)(65|45)(6c|4c)(75|55)(6e|4e)(67|47)40(65|45)(72|52)(69|49)(63|43)(73|53)(73|53)(6f|4f)(6e|4e)2e(63|43)(6f|4f)(6d|4d)
Joke.local.EricssonHoax.4:0:*:416e(6e|4e)(61|41)2e(73|53)(77|57)(65|45)(6c|4c)(75|55)(6e|4e)(67|47)40(65|45)(72|52)(69|49)(63|43)(73|53)(73|53)(6f|4f)(6e|4e)2e(63|43)(6f|4f)(6d|4d)
So I run clamscan on a file called anne which contains:
#cat anne
[EMAIL PROTECTED]
and I get this
# clamscan anne
anne: Joke.local.EricssonHoax.1 FOUND
----------- SCAN SUMMARY -----------
Known viruses: 60091
Engine version: 0.88.2
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 0.00 MB
Time: 21.289 sec (0 m 21 s) << My tests are done on an old pc...
I'm not sure, but it almost looks like once the first (xx|yy) wildcard content matches,
the rest are not tested (the number of bytes and the static bytes must still match,
though). But then it could be because I'm somehow not using the (xx|yy) wildcard
correctly, or something is messed up in one of the system libraries on my pc...
Thank you and have a nice day!
Nick
_______________________________________________
http://lurker.clamav.net/list/clamav-users.html
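The signature syntax in the post (static hex bytes plus per-byte (xx|yy) alternations, one signature per static two-byte prefix) can be checked against an independent reference matcher before blaming the engine. The Python below is an added example, not code from this thread or from ClamAV: it builds a case-insensitive hex signature for a constructed placeholder address, translates the ClamAV-style hex syntax (static bytes, (aa|bb), * and ??) into a bytes regex, mechanically performs the kind of .1 to .4 prefix split shown above, and runs every letter-case variant of the string through the reference matcher. The function names, the placeholder address and the sample message bytes are this example's own assumptions.

```python
import re
from itertools import product

# Constructed placeholder address; not the address discussed on the list.
TARGET = "user@example.com"

# Tokens of the ClamAV-style hex syntax handled here: (aa|bb) alternation,
# a static byte, the * (any gap) and ?? (any single byte) wildcards.
_TOKEN = re.compile(
    r"\(([0-9a-fA-F]{2}(?:\|[0-9a-fA-F]{2})+)\)|([0-9a-fA-F]{2})|(\*)|(\?\?)")


def tokenize(sig: str) -> list:
    """Split a hex signature body into tokens: a list of byte choices per
    position, or the strings '*' / '??' for the two wildcards."""
    tokens, pos = [], 0
    while pos < len(sig):
        m = _TOKEN.match(sig, pos)
        if not m:
            raise ValueError(f"bad signature syntax at offset {pos}: {sig[pos:pos + 8]!r}")
        alt, static, star, _qq = m.groups()
        if alt:
            tokens.append([bytes.fromhex(h) for h in alt.split("|")])
        elif static:
            tokens.append([bytes.fromhex(static)])
        else:
            tokens.append("*" if star else "??")
        pos = m.end()
    return tokens


def ci_hex_signature(text: str) -> str:
    """Signature body matching `text` in any letter case: each ASCII letter
    becomes a (lower|upper) alternation, every other byte stays static."""
    parts = []
    for ch in text:
        if ch.isascii() and ch.isalpha():
            parts.append(f"({ch.lower().encode().hex()}|{ch.upper().encode().hex()})")
        else:
            parts.append(ch.encode().hex())
    return "".join(parts)


def sig_to_regex(sig: str) -> re.Pattern:
    """Reference matcher: an independent oracle for what the signature is
    meant to accept. This is not ClamAV's engine."""
    out = []
    for tok in tokenize(sig):
        if tok == "*":
            out.append(b".*?")
        elif tok == "??":
            out.append(b".")
        else:
            out.append(b"(?:" + b"|".join(re.escape(c) for c in tok) + b")")
    return re.compile(b"".join(out), re.DOTALL)


def sig_matches(sig: str, data: bytes) -> bool:
    return sig_to_regex(sig).search(data) is not None


def split_static_prefix(sig: str, nbytes: int) -> list:
    """Rewrite one signature into several whose first `nbytes` bytes are
    static, one per combination of the leading alternations."""
    tokens = tokenize(sig)
    head, tail = tokens[:nbytes], tokens[nbytes:]
    if any(isinstance(t, str) for t in head):
        raise ValueError("wildcard inside the static prefix")
    rest = "".join(
        tok if isinstance(tok, str)
        else tok[0].hex() if len(tok) == 1
        else "(" + "|".join(c.hex() for c in tok) + ")"
        for tok in tail)
    return ["".join(b.hex() for b in combo) + rest for combo in product(*head)]


def check_coverage(sig: str, text: str) -> dict:
    """Embed every letter-case variant of `text` in a constructed message and
    report, per variant, whether the reference matcher accepts it."""
    pattern = sig_to_regex(sig)
    letters = [i for i, ch in enumerate(text) if ch.isascii() and ch.isalpha()]
    report = {}
    for bits in product((0, 1), repeat=len(letters)):
        chars = list(text)
        for i, b in zip(letters, bits):
            chars[i] = chars[i].upper() if b else chars[i].lower()
        variant = "".join(chars)
        body = b"Subject: test\r\n\r\nContact " + variant.encode() + b" now\r\n"
        report[variant] = pattern.search(body) is not None
    return report


if __name__ == "__main__":
    sig = ci_hex_signature(TARGET)
    print("Joke.local.Example:0:*:" + sig)
    for s in split_static_prefix(sig, 2):
        print("  static-prefix variant:", s[:4], "...")
    rep = check_coverage(sig, TARGET)
    print(f"{sum(rep.values())}/{len(rep)} case variants matched")
```

Writing each variant from check_coverage to its own file and comparing the reference verdicts with clamscan's on the same files separates a signature that does not say what you think from an engine that handles the alternation differently; the regex oracle only models the intended meaning of the syntax, not ClamAV's matcher.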