On 9/14/10 1:55 AM, Tomasz Kojm wrote:
> On Mon, 13 Sep 2010 20:54:28 +0100 Steve Basford
> <[email protected]> wrote:
>
>> In addition, there is a brilliant Third-Party signature decoder here, which
>> will easily show you the content of the Third-Party signature,
>> just cut/paste or type in the signature name and it'll decode it:
>>
>> http://www.sanesecurity.com/clamav/decodesigs.htm
>
> You can easily decode signatures locally, e.g.:
>
> $ sigtool --find-sigs HTML.Phishing.Bank-1313 | sigtool --decode-sigs


Time tests of sigtool --find-sigs compared to grep. The output of either sigtool or grep can be piped back into sigtool --decode-sigs:

$ time sigtool --find-sigs Sanesecurity.Spam.10995
Sanesecurity.Spam.10995:4:*:46726f6d3a20{-50}5066697a6572*5375626a6563743a20{-100}2520

real    2m4.16s
user    1m46.65s
sys     0m2.88s


$ time grep Sanesecurity.Spam.10995 /usr/share/clamav/*
/usr/share/clamav/scam.ndb:Sanesecurity.Spam.10995:4:*:46726f6d3a20{-50}5066697a6572*5375626a6563743a20{-100}2520

real    0m4.76s
user    0m2.59s
sys     0m1.88s

And here's the decoded bits:

$ time echo "Sanesecurity.Spam.10995:4:*:46726f6d3a20{-50}5066697a6572*5>
VIRUS NAME: Sanesecurity.Spam.10995
TARGET TYPE: MAIL
OFFSET: *
DECODED SIGNATURE:
From: {WILDCARD_ANY_STRING(LENGTH<=50)}Pfizer{WILDCARD_ANY_STRING}Subject: {WILDCARD_ANY_STRING(LENGTH<=100)}%

real    0m0.05s
user    0m0.01s
sys     0m0.03s

Looks like sigtool could use some optimizing for the --find-sigs feature.

dp
_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml
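As an added illustration of what the two sigtool steps above do (this is example code written for this page, not part of ClamAV or sigtool), the following decodes an .ndb line such as the Sanesecurity.Spam.10995 entry quoted in the thread into the same fields `sigtool --decode-sigs` prints, and does the exact-name lookup that `--find-sigs` or `grep` performs. The decoded labels for `{-n}` and `*` are the ones shown on the page; labels for the other wildcard forms (`{n}`, `{n-}`, `{n-m}`, `??`), the target-type names other than MAIL, and the second database line are assumptions, and `(aa|bb)` alternatives are rejected rather than decoded.

```python
import re

# Target type numbers per the ClamAV signature docs; sigtool prints MAIL for 4
# (shown on the page). The other labels are assumed, not copied from sigtool.
TARGET_TYPES = {0: "ANY", 1: "PE", 2: "OLE2", 3: "HTML", 4: "MAIL",
                5: "GRAPHICS", 6: "ELF", 7: "ASCII"}
# One NDB hex-body token: {n}, {-n}, {n-}, {n-m}, *, ??, or one hex byte.
_TOKEN = re.compile(r"\{(\d*)(-?)(\d*)\}|(\*)|(\?\?)|([0-9a-fA-F]{2})")

def decode_hex_body(body: str) -> str:
    """Render an NDB hex body the way `sigtool --decode-sigs` prints it."""
    out, pos = [], 0
    for m in _TOKEN.finditer(body):
        if m.start() != pos:  # unparsed text between tokens: reject the signature
            raise ValueError(f"bad token at offset {pos}: {body[pos:pos + 8]!r}")
        pos = m.end()
        lo, dash, hi, star, qq, byte = m.groups()
        if byte:
            out.append(chr(int(byte, 16)))  # literal byte, shown as Latin-1
        elif star:
            out.append("{WILDCARD_ANY_STRING}")
        elif qq:
            out.append("{WILDCARD_IGNORE}")  # assumed label for ?? (any one byte)
        elif dash and lo and hi:
            out.append(f"{{WILDCARD_ANY_STRING(LENGTH>={lo}&&<={hi})}}")
        elif dash and hi:
            out.append(f"{{WILDCARD_ANY_STRING(LENGTH<={hi})}}")  # {-n}, as on the page
        elif dash and lo:
            out.append(f"{{WILDCARD_ANY_STRING(LENGTH>={lo})}}")
        elif lo:
            out.append(f"{{WILDCARD_ANY_STRING(LENGTH=={lo})}}")
        else:
            raise ValueError(f"empty range at offset {m.start()}")
    if pos != len(body):
        raise ValueError(f"trailing junk at offset {pos}: {body[pos:]!r}")
    return "".join(out)

def decode_ndb_line(line: str) -> dict:
    """Split 'Name:Target:Offset:Hex' into the fields sigtool prints."""
    name, target, offset, body = line.strip().split(":", 3)
    return {"name": name, "offset": offset, "decoded": decode_hex_body(body),
            "target": TARGET_TYPES.get(int(target), f"UNKNOWN({target})")}

def find_sigs(name: str, db_text: str) -> list:
    """Exact-name lookup over .ndb text; a plain grep would also hit longer names."""
    return [l for l in db_text.splitlines() if l.split(":", 1)[0] == name]

# Constructed two-line .ndb excerpt: the first line is the one quoted on the page,
# the second is an invented neighbour whose name shares the first one's prefix.
SAMPLE_DB = ("Sanesecurity.Spam.10995:4:*:46726f6d3a20{-50}5066697a6572*5375626a6563743a20{-100}2520\n"
             "Sanesecurity.Spam.109951:4:*:46726f6d3a20{20-50}??5066697a6572\n")
```

The trailing hex `2520` decodes to "% " (percent, space); the page's rendering of sigtool's output appears to have lost that final space.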