Tom:
Is this the answer you were looking for?
--
Alain S. Zidouemba
Research Engineer, Vulnerability Research Team
SOURCEfire
Tel: 1(410)423-4764
email: [email protected]
2010/2/15 Alain Zidouemba <[email protected]>
Courtesy of Edwin:
The file type is determined by signatures in daily.ftm (or the built-in
ones in filetypes_int.h if that is missing) on a portion at the
beginning of the file.
sigtool --unpack-current daily
cat daily.ftm
As for binary versus ascii, utf8, utf16be, utf16le see textdet.c; it
looks at the beginning of the file and determines which one it could be,
based on the ratio of how many good/bad ascii, utf8, etc. characters it
has seen.
Also there are some signatures that are detected on the fly (not only at
the beginning of the file), during a type0 scan:
/* bigger numbers have higher priority (in o-t-f detection) */
CL_TYPE_HTML, /* on the fly */
CL_TYPE_MAIL, /* magic + on the fly */
CL_TYPE_SFX, /* foo SFX marker */
CL_TYPE_ZIPSFX, /* on the fly */
CL_TYPE_RARSFX, /* on the fly */
CL_TYPE_CABSFX,
CL_TYPE_ARJSFX,
CL_TYPE_NULSFT, /* on the fly */
CL_TYPE_AUTOIT,
CL_TYPE_ISHIELD_MSI,
These filetypes are used both to determine what signature to match, and
what unpacker to run.
And the mapping from CL_TYPE to signature targettypes is in matcher.h:
{ 0, "GENERIC", 0, 0, 1 },
{ CL_TYPE_MSEXE, "PE", 1, 0, 1 },
{ CL_TYPE_MSOLE2, "OLE2", 2, 1, 0 },
{ CL_TYPE_HTML, "HTML", 3, 1, 0 },
{ CL_TYPE_MAIL, "MAIL", 4, 1, 1 },
{ CL_TYPE_GRAPHICS, "GRAPHICS", 5, 1, 0 },
{ CL_TYPE_ELF, "ELF", 6, 1, 0 },
{ CL_TYPE_TEXT_ASCII, "ASCII", 7, 1, 1 },
/* note that this actually includes utf8, utf16be, and utf16le too! */
{ CL_TYPE_ERROR, "NOT USED", 8, 1, 0 },
{ CL_TYPE_MACHO, "MACH-O", 9, 1, 0 }
On Sat, Feb 13, 2010 at 7:30 PM, Tom Shaw <[email protected]> wrote:
Pardon me, Alain, but I did say I did due diligence in looking before
asking. I have read that before and will have to say the document is lacking
on much content. Further, it doesn't tell me squat about what/how clam
assigned files to a TargetType. For example, how is a zeus .bin file
categorized? or a command file or how is an "ascii" file determined to be an
"ascii" file and ......
Tom
At 6:58 PM -0500 2/13/10, Alain Zidouemba wrote:
You can find the document here: http://www.clamav.com/doc/latest/signatures.pdf
On Sat, Feb 13, 2010 at 6:50 PM, Tom Shaw <[email protected]> wrote:
That's GREAT, Alain but no attachment was attached :-(
Tom
At 6:02 PM -0500 2/13/10, Alain Zidouemba wrote:
Tom,
You can find the answer in the attached document.
On Feb 13, 2010 5:49 PM, "Tom Shaw" <[email protected]> wrote:
How does one determine what TargetType ClamAV will assign to a file or
attachment? I have been all through the docs and wiki and can find no
specifics.
Any and all help is appreciated.
Tom
_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml
--
Tom Shaw - Chief Engineer, OITC
<tshaw at oitc.com>,
http://www.oitc.com/ local wx: http://www.oitc.com/weather
US Phone Numbers: 321-984-3714, 321-729-6258(fax), 321-258-2475 (cell/voice
mail,pager) US skypeline: 321-622-9098
Text Paging: http://www.oitc.com/Pager/sendmessage.html
AIM/iChat: [email protected]
Skype: trshaw
Fish more and Live longer
To err is human. To purr, feline