So I finally got around to writing some (well, one for now ;) custom
signatures. There's currently a highly annoying, lame phishing attempt I
want to swat early.

Anyway, while playing with the sigs and trying some optimization, the
sig broke horribly for some weird reason. Please see below for a
stripped down test case. What's so bad about it?

Instead of using the "any" offset, I tried to bound it by setting the
offset to 0, and starting the hex signature with a limited wildcard.
Also, I noticed the parser isn't happy if there is such a wildcard with
less than 2 bytes either at the beginning or end of the string.

Well, I could just start the sig with "From " and then anchor it at
offset 0. :)  But the question remains -- why?


Another question: Does this actually make sense?

The main purpose was to keep ClamAV from scanning the entire, possibly
large file (err, mail). And maybe even speed it up. It's good practice
to bound your REs or wildcards anyway.

I wonder if this would indeed speed up scanning, however small, of
large-ish files. Or would the additional constraint actually impose more
CPU cycles spent?

Thanks for any insight. :)

  guenther


$ cat test.ndb
local.test:4:0:{-4096}74657374

$ clamscan --quiet -d test.ndb msg
LibClamAV Error: cli_parse_add(): Problem adding signature (1).
LibClamAV Error: Problem parsing signature at line 1
LibClamAV Error: Problem parsing database at line 1
LibClamAV Error: Can't load test.ndb: Malformed database
ERROR: Malformed database

$ clamscan --version
ClamAV 0.92/5553/Fri Jan 25 22:14:29 2008


-- 
char *t="[EMAIL PROTECTED]";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
(c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
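The test case above exercises the `.ndb` line format (`name:target:offset:hexsig`) and a bounded `{-n}` gap at the very start of the hex body. The following is an added example, not code from the post or from ClamAV, that parses such lines, lints them for the edge condition the poster ran into (a wildcard with fewer than two literal bytes before or after it, encoded here as a check that the hex body begins and ends with at least two literal bytes; the exact ClamAV rule is an assumption, the post only reports the rejection), and then turns a signature into an anchored byte regex so you can see what bounding the offset and the gap actually does to a match. Wildcard semantics assumed: `??` any byte, `*` any gap, `{n}` exactly n bytes, `{n-m}` between n and m, `{-m}` up to m, `{n-}` at least n; nibble wildcards such as `4?` are deliberately not supported. The mail bodies are constructed inline.

```python
"""Minimal .ndb signature parser, linter and matcher (added example)."""
import re

# One .ndb line: name:target_type:offset:hexsig, as in the post's test.ndb
NDB_LINE_RE = re.compile(
    r"^(?P<name>[^:]+):(?P<target>\d+):(?P<offset>\*|\d+):(?P<hexsig>\S+)$")

# Supported hexsig tokens: {n-m} / {-m} / {n-}, {n}, *, ??, and literal bytes.
TOKEN_RE = re.compile(r"\{(\d*)-(\d*)\}|\{(\d+)\}|\*|\?\?|[0-9a-fA-F]{2}")


def tokenize(hexsig):
    """Split a hex body into tokens; reject anything outside the subset above."""
    tokens, pos = [], 0
    while pos < len(hexsig):
        m = TOKEN_RE.match(hexsig, pos)
        if not m:
            raise ValueError(f"unparseable hexsig at column {pos}: {hexsig[pos:]!r}")
        tokens.append(m.group(0))
        pos = m.end()
    return tokens


def parse_ndb_line(line):
    """Return the four fields of an .ndb line; offset None means '*' (any)."""
    m = NDB_LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a name:target:offset:hexsig line: {line!r}")
    offset = None if m["offset"] == "*" else int(m["offset"])
    return {"name": m["name"], "target": int(m["target"]),
            "offset": offset, "tokens": tokenize(m["hexsig"])}


def is_literal(tok):
    return len(tok) == 2 and tok != "??"


def lint(sig):
    """Problems with the hex body. Assumed rule, modelled on the post: a
    wildcard must have at least two literal bytes on each side of the body."""
    toks = sig["tokens"]
    lead = 0
    for t in toks:
        if not is_literal(t):
            break
        lead += 1
    trail = 0
    for t in reversed(toks):
        if not is_literal(t):
            break
        trail += 1
    problems = []
    if lead < 2:
        problems.append(f"only {lead} literal byte(s) before the first wildcard")
    if trail < 2:
        problems.append(f"only {trail} literal byte(s) after the last wildcard")
    return problems


def to_regex(sig):
    """Compile the token list into a DOTALL byte regex."""
    parts = []
    for t in sig["tokens"]:
        if is_literal(t):
            parts.append(re.escape(bytes.fromhex(t)))
        elif t == "??":
            parts.append(b".")
        elif t == "*":
            parts.append(b".*")
        else:
            lo, hi, exact = TOKEN_RE.fullmatch(t).groups()
            if exact is not None:
                parts.append(b".{%d}" % int(exact))
            else:
                parts.append(b".{%s,%s}" % (lo.encode() or b"0", hi.encode()))
    return re.compile(b"".join(parts), re.DOTALL)


def matches(sig, data):
    """Offset '*' searches the whole buffer; a numeric offset anchors there."""
    rx = to_regex(sig)
    if sig["offset"] is None:
        return rx.search(data) is not None
    return rx.match(data, sig["offset"]) is not None


# Constructed mail bodies: a short one and one whose "test" lies past the gap.
SAMPLE_MAIL = (b"From sender@example.invalid Fri Jan 25 22:14:29 2008\n"
               b"Subject: test\n\nhello\n")
FAR_MAIL = b"From x\n" + b"a" * 5000 + b"test"

if __name__ == "__main__":
    bad = parse_ndb_line("local.test:4:0:{-4096}74657374")   # the post's line
    print("lint:", lint(bad))
    good = parse_ndb_line("local.test:4:0:46726f6d20{-4096}74657374")  # "From " first
    print("lint:", lint(good), "match:", matches(good, SAMPLE_MAIL),
          matches(good, FAR_MAIL))
```

Starting the body with `46726f6d20` ("From ") and anchoring at offset 0 is exactly the workaround the post mentions; the matcher shows the consequence of the bound: a `test` that sits more than 4096 bytes after the `From ` is no longer a hit, and a message that does not begin with `From ` is rejected at the anchor without looking further into the file.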
