You would put the signature (Ziptest:0:.*\.exe:*:*:*:*:*:*) into the file
virusexe.zmd. You can put all your signatures in that file, just put each
one on a new line.

Then, when you want to scan with it, just use:

clamscan -d virusexe.zmd

If you would like to scan a specific file or directory, just add that
target to the end of the command.

If you go to page 16 you will see the section (3.7) that says what each of
the fields in the zmd signature does. The example signature is just using a
regular expression for the file name. You can write your own regular
expression there. To break down the one in the example signature, .*
matches any byte zero or more times, \. matches a period, and then exe. So
it will cover any [filename].exe. You should probably modify it to make it
case insensitive.

Hope this helps,
Doug


On Wed, Sep 18, 2013 at 2:01 PM, Rajesh M <[email protected]> wrote:

> Doug
>
> thanks for your reply.
>
> i read through the file but still am not 100 percent sure
>
> will this be the command in case i want all zipped exe files to be
> detected as virus.
>
> i tried this command but does not work
>
> sigtool --md5 Ziptest:0:.*\.exe:*:*:*:*:*:* > virusexe.zmd
>
> can you please check the above and let me know
>
> thanks very much
>
> rajesh
> ps : i don't wish to use sanesecurity because it causes a lot of false
> positives in my email system.
>
>
>
> > You can use a zmd signature detailed in this doc:
> > http://www.clamav.net/doc/latest/signatures.pdf
> >
> > Here is an example signature for detecting files with the .sh extension:
> > Ziptest:0:.*\.sh:*:*:*:*:*:*
> >
> > - Doug
> >
> >
> >
> > On Tue, Sep 17, 2013 at 7:08 AM, Rajesh M <[email protected]>
> > wrote:
> >
> >> hi
> >>
> >> i wish to know the steps to prepare signature so that clamav will detect
> >> all zipped files containing files with extensions pif, scr, exe, com,
> >> bat, cmd, vbs, lnk, cpl, vbs as virus -- immaterial of whether they
> >> contain virus or not.
> >>
> >> what is the process for this.
> >>
> >> is there any documentation which describes this ?
> >>
> >> thank you very much.
> >>
> >> rajesh
> >>
> >>
> >>
> >>
> >> _______________________________________________
> >> Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
> >> http://www.clamav.net/support/ml
> >>
> >
>
>
>
>
>
>
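
Added example (not part of the original messages or the ClamAV documentation): a shell script that generates virusexe.zmd with one signature per extension from the original question, reusing the field layout of the example signature and making each file-name pattern case-insensitive with bracket classes. The ZipBlock.* signature names and the trailing "$" anchor are assumptions of this example, and grep -E is used only as a local sanity check of the patterns.

```shell
#!/bin/sh
# Added example: generate virusexe.zmd, one signature per extension.
# Field layout is copied from the example signature in the message above;
# the ZipBlock.* names and the trailing "$" are assumptions of this example.

# Extensions from the original question (duplicate "vbs" dropped).
EXTS="pif scr exe com bat cmd vbs lnk cpl"

# ci_class exe -> [eE][xX][eE]  (case-insensitive form of an extension)
ci_class() {
    printf '%s\n' "$1" | awk '{
        out = ""
        for (i = 1; i <= length($0); i++) {
            c = substr($0, i, 1); l = tolower(c); u = toupper(c)
            out = out (l == u ? c : "[" l u "]")
        }
        printf "%s", out
    }'
}

# name_regex exe -> .*\.[eE][xX][eE]$
name_regex() {
    printf '.*\\.%s$' "$(ci_class "$1")"
}

# zmd_line exe -> one complete signature line for that extension
zmd_line() {
    printf 'ZipBlock.%s:0:%s:*:*:*:*:*:*\n' "$1" "$(name_regex "$1")"
}

# build_zmd -> the whole database on stdout, one signature per line
build_zmd() {
    for ext in $EXTS; do zmd_line "$ext"; done
}

# matches_any NAME -> exit status 0 if any generated pattern matches NAME.
# grep -E is only a local sanity check of the patterns, not ClamAV itself.
matches_any() {
    for ext in $EXTS; do
        printf '%s\n' "$1" | grep -Eq -- "$(name_regex "$ext")" && return 0
    done
    return 1
}

# "sh thisscript --write" creates the file; scan with: clamscan -d virusexe.zmd
if [ "${1:-}" = "--write" ]; then
    build_zmd > virusexe.zmd
fi
```

The database is a plain text file, so the lines are written directly and no sigtool step is involved.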