Hi Emanuel,

When creating ClamAV signatures, refer to https://github.com/Cisco-Talos/clamav-devel/tree/dev/0.102/docs/UserManual, specifically:

- NDBs: https://github.com/Cisco-Talos/clamav-devel/blob/dev/0.102/docs/UserManual/Signatures/ExtendedSignatures.md
- LDBs: https://github.com/Cisco-Talos/clamav-devel/blob/dev/0.102/docs/UserManual/Signatures/LogicalSignatures.md

Sigtool's hex-dump does not create an NDB signature, and that is why you are receiving the error message. As stated in ExtendedSignatures.md, an NDB signature should follow the format below:

MalwareName:TargetType:Offset:HexSignature[:min_flevel:[max_flevel]]

An example would be:

MyCustomSignature:2:0:d0cf11e0a1b11ae1

The above signature restricts the file types scanned to OLEs ("2") and looks for the signature ("d0cf11e0a1b11ae1") at a specific offset ("0").

Hope that helps,
demonduck

On Wed, Jan 30, 2019 at 9:04 AM Emanuel Gonzalez <[email protected]> wrote:

> Hello,
>
> I read this document
> https://blog.clamav.net/2016/06/create-your-own-anti-virus-signatures.html
>
> I need to add a signature to the database:
>
> # cat 30012019_term_4373.doc | sigtool --hex-dump | head -c 2048 > customsig.ndb
>
> # clamdscan -d customsig.ndb 30012019_term_4373.doc
> WARNING: Ignoring unsupported option --database (-d)
> /root/30012019_term_4373.doc: lstat() failed: Permission denied. ERROR
>
> ----------- SCAN SUMMARY -----------
> Infected files: 0
> Total errors: 1
> Time: 0.000 sec (0 m 0 s)
>
> # clamscan -d customsig.ndb 30012019_term_4373.doc
> LibClamAV Error: Problem parsing database at line 1
> LibClamAV Error: Can't load customsig.ndb: Malformed database
> ERROR: Malformed database
>
> ----------- SCAN SUMMARY -----------
> Known viruses: 0
> Engine version: 0.101.1
> Scanned directories: 0
> Scanned files: 0
> Infected files: 0
> Data scanned: 0.00 MB
> Data read: 0.00 MB (ratio 0.00:1)
> Time: 0.002 sec (0 m 0 s)
>
> # freshclam
> ClamAV update process started at Wed Jan 30 11:03:14 2019
> main.cvd is up to date (version: 58, sigs: 4566249, f-level: 60, builder: sigmgr)
> daily.cld is up to date (version: 25343, sigs: 2228905, f-level: 63, builder: raynman)
> bytecode.cld is up to date (version: 328, sigs: 94, f-level: 63, builder: neo)
>
> # clamd --v
> ClamAV 0.101.1/25343/Wed Jan 30 02:04:01 2019
>
> Any ideas?
>
> _______________________________________________
> clamav-users mailing list
> [email protected]
> http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
>
> Help us build a comprehensive ClamAV guide:
> https://github.com/vrtadmin/clamav-faq
>
> http://www.clamav.net/contact.html#ml
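The NDB layout described in the reply, as an added example (not code from the thread or from the ClamAV project): a Python helper that formats bytes from a sample as an NDB line and checks a line's shape before it is handed to clamscan. The function names and sample bytes are constructed for illustration, and the check is a simplified assumption that covers only plain hex bodies with `*` or absolute offsets, not the wildcard syntax in ExtendedSignatures.md.

```python
import re

# Constructed sample: the 8-byte OLE2 magic from the reply's example, plus padding.
SAMPLE = bytes.fromhex("d0cf11e0a1b11ae1") + b"\x00" * 16

_HEX = re.compile(r"(?:[0-9a-fA-F]{2})+")   # whole bytes only, no wildcards
_OFFSET = re.compile(r"\*|\d+")             # "*" (any) or an absolute offset


def build_ndb(name, target_type, offset, data, length):
    """Format data[offset:offset+length] as MalwareName:TargetType:Offset:HexSignature."""
    chunk = data[offset:offset + length]
    if len(chunk) != length:
        raise ValueError("sample is shorter than offset + length")
    return f"{name}:{target_type}:{offset}:{chunk.hex()}"


def check_ndb(line):
    """Return a list of problems; an empty list means the line has the NDB shape.

    Simplified check (an assumption of this example), not ClamAV's own parser.
    """
    fields = line.strip().split(":")
    if not 4 <= len(fields) <= 6:
        return [f"expected 4 to 6 colon-separated fields, got {len(fields)}"]
    name, target, offset, body = fields[:4]
    problems = []
    if not name:
        problems.append("MalwareName is empty")
    if not target.isdigit():
        problems.append("TargetType must be a number (2 = OLE2 in the reply)")
    if not _OFFSET.fullmatch(offset):
        problems.append("Offset must be '*' or an absolute number here")
    if not _HEX.fullmatch(body):
        problems.append("HexSignature must be an even number of hex digits")
    for flevel in fields[4:]:
        if not flevel.isdigit():
            problems.append("min_flevel/max_flevel must be numbers")
    return problems


if __name__ == "__main__":
    good = build_ndb("MyCustomSignature", 2, 0, SAMPLE, 8)
    print(good, check_ndb(good))
    # Bare hex, as written to customsig.ndb in the original message:
    print(check_ndb(SAMPLE.hex()))
```

A file holding only hex digits has a single field, which is why the loader stops at line 1 with a malformed-database error.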
