Hello
Maybe use "echo -n" to avoid final carriage return in string.
On 14/08/2020 at 10:16, Stefan Bauer via clamav-users wrote:
Hi,
given is a very simple example test-file:
# more BAD.file
%PDF-1.7
5 0 obj
/F << /Type /FileSpec /F (http://bad.url/crap.xlsx) /V true /FS
/URL >>
>>
another bad string
5 0 obj
Now I add a string to a new test.db file:
# SIG=`echo "another bad string" | sigtool --hex-dump` && echo "sig1=$SIG" > test.db
and let it scan:
# clamscan -d /root/test.db /root/BAD.file
/root/BAD.file: sig1.UNOFFICIAL FOUND
----------- SCAN SUMMARY -----------
Known viruses: 1
Engine version: 0.102.4
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 0.00 MB
Data read: 0.00 MB (ratio 0.00:1)
Time: 0.004 sec (0 m 0 s)
Works. However, using a more complex string does not:
SIG=`echo "/F << /Type /FileSpec /F (http" | sigtool --hex-dump` && echo "sig1=$SIG" > test.db
# clamscan -d /root/test.db /root/BAD.file
/root/BAD.file: OK
----------- SCAN SUMMARY -----------
Known viruses: 1
Engine version: 0.102.4
Scanned directories: 0
Scanned files: 1
Infected files: 0
Data scanned: 0.00 MB
Data read: 0.00 MB (ratio 0.00:1)
Time: 0.004 sec (0 m 0 s)
What am I doing wrong?
Thank you.
_______________________________________________
clamav-users mailing list
[email protected]
https://lists.clamav.net/mailman/listinfo/clamav-users
Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq
http://www.clamav.net/contact.html#ml
--
Best regards,
Arnaud Jacques
Manager of SecuriteInfo.com
Phone: +33-(0)3.60.47.09.81
E-mail: [email protected]
Website: https://www.securiteinfo.com
Facebook : https://www.facebook.com/pages/SecuriteInfocom/132872523492286
Twitter : @SecuriteInfoCom
Signatures for ClamAV antivirus : http://ow.ly/LqfdL
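Added example, not part of the original thread: a shell sketch of why the first signature matches and the second does not. `echo` appends a newline (0x0a) to the pattern, which happens to follow "another bad string" in the file but not "(http". The helper names (`hex_bytes`, `sig_hex`, `bytes_in_file`, `check`) are hypothetical, `od` stands in for the hex-encoding step only, `printf '%s'` is used as the portable equivalent of `echo -n`, and the sample file is reconstructed from the question with the /F line joined.

```shell
#!/bin/sh
# Constructed copy of the BAD.file from the question.
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
printf '%s\n' '%PDF-1.7' '5 0 obj' \
    '/F << /Type /FileSpec /F (http://bad.url/crap.xlsx) /V true /FS /URL >>' \
    '>>' 'another bad string' '5 0 obj' > "$sample"

# Print stdin as space-separated hex bytes, e.g. " 68 74 74 70 ".
hex_bytes() {
    od -An -v -tx1 | tr -s ' \n' '  '
}

# Same bytes as one contiguous hex string, the form used after "sig1=".
sig_hex() {
    hex_bytes | tr -d ' '
}

# Succeed if the byte sequence on stdin occurs anywhere in file $1.
# The spaces around each byte keep the comparison on byte boundaries.
bytes_in_file() {
    needle=$(hex_bytes)
    hay=$(hex_bytes < "$1")
    case "$hay" in
        *"$needle"*) return 0 ;;
        *) return 1 ;;
    esac
}

# $1 = label; the candidate signature bytes arrive on stdin.
check() {
    if bytes_in_file "$sample"; then
        echo "$1: FOUND"
    else
        echo "$1: not found"
    fi
}

# echo adds 0x0a; the file has a newline right after this string, so it matches.
echo "another bad string" | check 'echo,   simple string'
# echo adds 0x0a; in the file "(http" is followed by "://", so no match.
echo "/F << /Type /FileSpec /F (http" | check 'echo,   PDF string   '
# No trailing newline in the pattern: matches.
printf '%s' "/F << /Type /FileSpec /F (http" | check 'printf, PDF string   '

# The extra byte is visible at the end of the hex form.
echo "with echo:   $(echo '(http' | sig_hex)"
echo "with printf: $(printf '%s' '(http' | sig_hex)"
```
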