I have run into some problems creating rules. I am trying to create phish rules as
R[Filter]:RealURL:DisplayedURL[:FuncLevelSpec] or MalwareName:TargetType:Offset:HexSignature[:MinEngineFunctionalityLevel:[Max]] and I am having two problems.

The first problem has to do with UTF/UNICODE characters as well as various codepages which are used in place of ASCII in spam and phish. What makes this more difficult is that one email might contain ASCII, another UTF, and yet another Latin-2, all representing the same signature. So how does one create a regex for the "R" rules and/or a HEX sequence that can deal with various character sets?

My second source of confusion is with target type. The options are

* 0 = any file
* 1 = Portable Executable
* 2 = OLE2 component (e.g. a VBA script)
* 3 = HTML (normalised)
* 4 = Mail file
* 5 = Graphics
* 6 = ELF
* 7 = ASCII text file (normalised)

but how does clamd tell what kind of file it is so it knows what rule types need to be run? If it's a "mail file", does it automatically deal with attachments and MIME types and character sets?

There are other questions, but they all break down to what do these really mean for rules and when do they really count?

TIA,
Tom
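The first problem in the post, shown as an added example that is not part of the original message: the same phrase yields different hex signatures under each charset, so the sketch emits one `MalwareName:TargetType:Offset:HexSignature` line per distinct byte encoding. The signature name, the sample phrase, the codec list, the `-N` name suffix and the `*` offset are assumptions chosen for illustration, and the sketch says nothing about what clamd normalises or how MIME transfer encodings are handled.

```python
import re

# Field layout quoted in the post: MalwareName:TargetType:Offset:HexSignature
TARGET_MAIL = 4    # "4 = Mail file" in the post's target type list
OFFSET_ANY = "*"   # assumption: match at any offset

def hex_variants(phrase, codecs):
    """Map each distinct hex encoding of phrase to the codecs that produce it."""
    variants = {}
    for codec in codecs:
        try:
            raw = phrase.encode(codec)
        except UnicodeEncodeError:
            continue  # phrase cannot be represented in this charset
        variants.setdefault(raw.hex(), []).append(codec)
    return variants

def build_signatures(name, phrase, codecs, target=TARGET_MAIL):
    """Return one signature line per distinct byte encoding of phrase."""
    if not re.fullmatch(r"[A-Za-z0-9._-]+", name):
        raise ValueError("name must not contain ':' or whitespace")
    return [
        f"{name}-{i}:{target}:{OFFSET_ANY}:{hexsig}"  # "-N" suffix is hypothetical
        for i, hexsig in enumerate(hex_variants(phrase, codecs), 1)
    ]

# Constructed sample: Czech "Ověřte svůj účet" ("verify your account"),
# written with escapes so the source file encoding cannot alter it.
SAMPLE = "Ov\u011b\u0159te sv\u016fj \u00fa\u010det"
CODECS = ["ascii", "utf-8", "iso8859-2", "cp1250", "utf-16-le"]

if __name__ == "__main__":
    for hexsig, names in hex_variants(SAMPLE, CODECS).items():
        print(",".join(names), "->", hexsig)
    for line in build_signatures("Phish.Example", SAMPLE, CODECS):
        print(line)
```

For this phrase ISO-8859-2 and cp1250 collapse into one signature because they agree on every character used, while ASCII drops out because it cannot represent the phrase at all.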
