On Sat, 24 Jun 2006 18:41:13 -0400 Nicolas Riendeau <[EMAIL PROTECTED]> wrote:
> Hi!
>
> Tomasz Kojm wrote:
> > On Sat, 24 Jun 2006 17:33:29 -0400
> > Nicolas Riendeau <[EMAIL PROTECTED]> wrote:
> >
> >>It looks like I'm not out of the woods yet as it almost looks like every
> >>two bytes there must be a static byte because otherwise I get FPs...
>
> I made some additional tests and I'm no longer sure of that (see below)...
>
> >
> > Could you provide some examples for such FPs?
> >
>
> I want to detect (in an email that could be in plain text or in html)
>
> [EMAIL PROTECTED]
> 616e6e612e7377656c756e67406572696373736f6e2e636f6d
> /
> [EMAIL PROTECTED]
> 414e4e412e5357454c554e47404552494353534f4e2e434f4d
>
> and all possible (mixed case) variants of these.
>
> So I made the following signatures (original signature had the first two
> bytes non-static):
>
> Joke.local.EricssonHoax.1:0:*:616e(6e|4e)(61|41)2e(73|53)(77|57)(65|45)(6c|4c)(75|55)(6e|4e)(67|47)40(65|45)(72|52)(69|49)(63|43)(73|53)(73|53)(6f|4f)(6e|4e)2e(63|43)(6f|4f)(6d|4d)
> Joke.local.EricssonHoax.2:0:*:414e(6e|4e)(61|41)2e(73|53)(77|57)(65|45)(6c|4c)(75|55)(6e|4e)(67|47)40(65|45)(72|52)(69|49)(63|43)(73|53)(73|53)(6f|4f)(6e|4e)2e(63|43)(6f|4f)(6d|4d)
> Joke.local.EricssonHoax.3:0:*:614e(6e|4e)(61|41)2e(73|53)(77|57)(65|45)(6c|4c)(75|55)(6e|4e)(67|47)40(65|45)(72|52)(69|49)(63|43)(73|53)(73|53)(6f|4f)(6e|4e)2e(63|43)(6f|4f)(6d|4d)
> Joke.local.EricssonHoax.4:0:*:416e(6e|4e)(61|41)2e(73|53)(77|57)(65|45)(6c|4c)(75|55)(6e|4e)(67|47)40(65|45)(72|52)(69|49)(63|43)(73|53)(73|53)(6f|4f)(6e|4e)2e(63|43)(6f|4f)(6d|4d)
>
> So I ran clamscan on a file called anne which contains:
>
> #cat anne
> [EMAIL PROTECTED]
>
> and I get this
>
> # clamscan anne
> anne: Joke.local.EricssonHoax.1 FOUND
>
> ----------- SCAN SUMMARY -----------
> Known viruses: 60091
> Engine version: 0.88.2
> Scanned directories: 0
> Scanned files: 1
> Infected files: 1
> Data scanned: 0.00 MB
> Time: 21.289 sec (0 m 21 s) << My tests are done on an old pc...
>
> I'm not sure, but it almost looks like once the first (xx|yy) wildcard
> content matches, the rest are not tested (the number of bytes and the static
> bytes must still match though). But then it could be because I'm somehow
> not using the (xx|yy) wildcard correctly or something is messed up in one
> of the system libraries on my PC...
Hi Nicolas,
there's a bug in the pattern matcher; the following patch should fix it:
--- matcher-ac.c.old 2006-06-25 11:37:14.000000000 +0200
+++ matcher-ac.c 2006-06-25 11:37:25.000000000 +0200
@@ -242,6 +242,7 @@
return 0;
if(pattern->pattern[i] == CLI_ALT) {
+ found = 0;
for(j = 0; j < pattern->altn[alt]; j++) {
if(pattern->altc[alt][j] == buffer[bufferpos])
found = 1;
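Review bot: the added `found = 0;` before the `for(j = 0; j < pattern->altn[alt]; j++)` loop is the right fix for the reported symptom: without it, `found` keeps the value 1 set by an earlier `(xx|yy)` group, so every later alternation in the same signature passes regardless of the byte at `buffer[bufferpos]`, which is exactly the "once the first wildcard matches the rest are not tested" behaviour Nicolas saw (the fixed bytes still had to line up, since they are checked on a different path). One small follow-up on the same lines: the inner loop keeps comparing after a hit, `if(pattern->altc[alt][j] == buffer[bufferpos]) found = 1;`, so a `break;` after `found = 1;` would leave the loop at the first match; harmless for two-way groups, but cheap. Worth a quick check outside this context that `found` really is declared once for the whole match loop rather than per pattern position (otherwise this reset would be redundant) and that the rejection branch after the loop tests `found` and nothing else, since only these nine lines are visible here.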
Thanks for the report,
--
oo ..... Tomasz Kojm <[EMAIL PROTECTED]>
(\/)\......... http://www.ClamAV.net/gpg/tkojm.gpg
\..........._ 0DCA5A08407D5288279DB43454822DC8985A444B
//\ /\ Sun Jun 25 11:40:29 CEST 2006
signature.asc
Description: PGP signature
_______________________________________________ http://lurker.clamav.net/list/clamav-users.html
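To see the bug Nicolas hit and the effect of Tomasz's one-line patch without building ClamAV, here is an added example written for this page; it is not code from matcher-ac.c or from either poster. It parses the thread's own hex-signature syntax (fixed bytes plus `(xx|yy)` alternation groups) into a small matcher whose `reset_found` switch models the patched line: with it off, `found` carries over from the previous alternation group as in the buggy matcher, with it on, `found` is cleared before each group. The signature bodies are `.1` and `.2` from the thread, the hex inputs are the two samples from the thread, and the `MISS` string is a constructed look-alike that shares only the fixed bytes and the first `(6e|4e)` byte; the limits `MAX_ELEMS` and `MAX_ALTS` are arbitrary choices of this example.

```c
/* Added example (written for this thread, not ClamAV's matcher-ac.c): a
 * minimal matcher for the hex-signature alternation syntax, with a switch
 * that models the one-line 'found = 0;' patch from the reply. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define MAX_ELEMS 128   /* max signature elements (fixed bytes or alt groups); arbitrary */
#define MAX_ALTS  8     /* max alternatives in one (xx|yy) group; arbitrary */

typedef struct {
    int is_alt;
    int nalt;                    /* alternatives in the group, if is_alt */
    unsigned char alt[MAX_ALTS]; /* the alternative byte values */
    unsigned char byte;          /* the fixed byte, if !is_alt */
} elem_t;

static int hexval(char c) {
    if (c >= '0' && c <= '9') return c - '0';
    c = (char)tolower((unsigned char)c);
    return (c >= 'a' && c <= 'f') ? c - 'a' + 10 : -1;
}

/* Consume one "xx" hex byte at *p; -1 on bad or truncated input. */
static int hexbyte(const char **p) {
    int hi = hexval((*p)[0]);
    int lo = hi < 0 ? -1 : hexval((*p)[1]);
    if (hi < 0 || lo < 0) return -1;
    *p += 2;
    return hi * 16 + lo;
}

/* Parse "616e(6e|4e)2e..." into elements; returns the count or -1. */
static int parse_sig(const char *sig, elem_t *out, int max) {
    int n = 0;
    while (*sig) {
        elem_t *e;
        if (n >= max) return -1;
        e = &out[n++];
        memset(e, 0, sizeof *e);
        if (*sig == '(') {
            sig++;
            e->is_alt = 1;
            for (;;) {
                int b = hexbyte(&sig);
                if (b < 0 || e->nalt >= MAX_ALTS) return -1;
                e->alt[e->nalt++] = (unsigned char)b;
                if (*sig == '|') { sig++; continue; }
                if (*sig == ')') { sig++; break; }
                return -1;
            }
        } else {
            int b = hexbyte(&sig);
            if (b < 0) return -1;
            e->byte = (unsigned char)b;
        }
    }
    return n;
}

/* Match the parsed signature starting at buf[pos]. With reset_found == 0,
 * 'found' carries over from the previous (xx|yy) group (the reported bug);
 * with reset_found == 1 it is cleared before each group (the fix). */
static int match_at(const elem_t *pat, int n, const unsigned char *buf,
                    size_t len, size_t pos, int reset_found) {
    int found = 0, i, j;
    for (i = 0; i < n; i++, pos++) {
        if (pos >= len) return 0;
        if (pat[i].is_alt) {
            if (reset_found) found = 0;       /* the patched line */
            for (j = 0; j < pat[i].nalt; j++)
                if (pat[i].alt[j] == buf[pos]) found = 1;
            if (!found) return 0;
        } else if (pat[i].byte != buf[pos]) {
            return 0;
        }
    }
    return 1;
}

/* Scan data at every offset: 1 = hit, 0 = clean, -1 = bad signature. */
int scan_sig(const char *sig, const char *data, int reset_found) {
    elem_t pat[MAX_ELEMS];
    int n = parse_sig(sig, pat, MAX_ELEMS);
    size_t len = strlen(data), pos;
    if (n < 0) return -1;
    for (pos = 0; pos < len; pos++)
        if (match_at(pat, n, (const unsigned char *)data, len, pos, reset_found))
            return 1;
    return 0;
}

/* Same, but the data is given as a plain hex string like the thread's samples. */
int scan_hex(const char *sig, const char *hex, int reset_found) {
    char buf[256];
    size_t n = 0;
    while (*hex) {
        int b = hexbyte(&hex);
        if (b < 0 || n + 1 >= sizeof buf) return -1;
        buf[n++] = (char)b;
    }
    buf[n] = '\0';
    return scan_sig(sig, buf, reset_found);
}

/* Signature bodies .1 and .2 from the thread (name and offset prefix stripped). */
const char *const SIG1 = "616e(6e|4e)(61|41)2e(73|53)(77|57)(65|45)(6c|4c)(75|55)(6e|4e)(67|47)40(65|45)(72|52)(69|49)(63|43)(73|53)(73|53)(6f|4f)(6e|4e)2e(63|43)(6f|4f)(6d|4d)";
const char *const SIG2 = "414e(6e|4e)(61|41)2e(73|53)(77|57)(65|45)(6c|4c)(75|55)(6e|4e)(67|47)40(65|45)(72|52)(69|49)(63|43)(73|53)(73|53)(6f|4f)(6e|4e)2e(63|43)(6f|4f)(6d|4d)";
/* The thread's two hex samples (lower- and upper-case form of the address). */
const char *const HEX_LOWER = "616e6e612e7377656c756e67406572696373736f6e2e636f6d";
const char *const HEX_UPPER = "414e4e412e5357454c554e47404552494353534f4e2e434f4d";
/* Constructed look-alike: only the fixed bytes and the first (6e|4e) byte match. */
const char *const MISS = "From: anne.xxxxxxx@xxxxxxxx.xxx";

int main(void) {
    printf("lower: buggy=%d fixed=%d\n", scan_hex(SIG1, HEX_LOWER, 0), scan_hex(SIG1, HEX_LOWER, 1));
    printf("upper: sig1=%d sig2=%d\n", scan_hex(SIG1, HEX_UPPER, 1), scan_hex(SIG2, HEX_UPPER, 1));
    printf("miss:  buggy=%d fixed=%d\n", scan_sig(SIG1, MISS, 0), scan_sig(SIG1, MISS, 1));
    return 0;
}
```

The `MISS` line is the interesting one: with `reset_found` off it is reported as a hit, because after the `n` at position 2 satisfies `(6e|4e)`, the stale `found = 1` carries every later group, and only the fixed bytes `.`, `@` and `.` still have to line up, which matches the reporter's observation; with the reset on, the `e` at position 3 fails `(61|41)` and the offset is rejected. The upper-case sample also shows why four signatures were needed in the thread: the first two bytes are fixed in each, so `.1` does not cover the `41 4e` prefix and `.2` does.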
