I've been doing some testing with some of the new signature wildcards,
in particular:
• (B)
Match word boundary (including file boundaries).
• (L)
Match CR, CRLF or file boundaries.
I've found that both of these wildcards work when used singularly in any
of the following combinations:
SpamDomain.example_com:4:*:(B)6578616d706c652e636f6d(B)
SpamDomain.example_com:4:*:(L)6578616d706c652e636f6d(L)
SpamDomain.example_com:4:*:(B)6578616d706c652e636f6d(L)
SpamDomain.example_com:4:*:(L)6578616d706c652e636f6d(B)
However, I would like to combine them on both sides of the hex
signature, but none of the following combinations work without causing
errors:
SpamDomain.example_com:4:*:(B|L)6578616d706c652e636f6d(B|L)
SpamDomain.example_com:4:*:(B)(L)6578616d706c652e636f6d(B)(L)
SpamDomain.example_com:4:*:((B)|(L))6578616d706c652e636f6d((B)|(L))
Is there a way to combine these two wildcards into a single hex
signature so that it can detect any of the following combinations in an
email message:
normal word boundary (B)...(B):
===============================
This is example.com test message.

beginning of line CR, CRLF boundary and word boundary (L)...(B):
================================================================
This is
example.com test message.

word boundary and end of line CR, CRLF boundary (B)...(L):
==========================================================
This is example.com
test message

beginning and end of line CR, CRLF boundary (L)...(L):
======================================================
This is
example.com
test message.

Any feedback is appreciated.
Bill