Re: [Clamav-devel] Is this how clamAV is intended to work?

Thu, 05 Mar 2015 11:55:44 -0800 

Hello sir ,
                  Mine question was for clamdscan not for clamsscan.I made 
typing mistake in mine previous mail.sir clamdscan is not showing line  by Line 
scan of folders in c drives .It prints output only when it founds some 
signature else it keeps on scanning without any output on screen and finally 
gives summary having total errors.I want to see output on screen as ok after 
each folder gets scanned if it's not endeared.how to do this in its code to 
achieve that .

Sent from my iPhone

> On Mar 6, 2015, at 12:22 AM, Tyler Manson <[email protected]> wrote:
> 
> Hi,
> 
> Okay, that sounds like the right approach. I thought it surely was
> something simple like that. I'm glad to hear that everything's ok :)
> 
> 
>> On 03/05/15, Andy Singer wrote:
>> Hi,
>> It depends on how the signature was written. In the case of eicar, it is
>> Eicar-Test-Signature:0:0:58354f2150254041505b345c505a58353428505e2937434329377d2445494341522d5354414e444152442d414e544956495255532d544553542d46494c452124482b482a
>> 
>> so it will only be detected only if the eicar pattern is at position 0 of
>> the file. If you change the signature to
>> 
>> Eicar-Test-Signature:0:*:58354f2150254041505b345c505a58353428505e2937434329377d2445494341522d5354414e444152442d414e544956495255532d544553542d46494c452124482b482a
>> 
>> the file will be detected regardless of where the pattern appears. In the
>> case of WIN.Trojan.DarkKomet, the signature is,
>> 
>> WIN.Trojan.DarkKomet:1:*:657473746174202d61202d6e202d6f00000000ffffffff0d00000044444f5348545450464c4f4f44000000ffffffff0c00000044444f5353594e464c4f4f4400000000ffffffff0c00000044444f53554450464c4f4f4400000000ffffffff0a0000005b436861
>> 
>> This can be present anywhere in a file, but only if it's a PE file. If you
>> prepend random data to the file, it will no longer have an MZ header, and
>> ClamAV will not recognize it as a PE file, so the signature will be
>> ignored. In the signature, change the target (1= PE) to (0= any) and you
>> can prepend random data.
>> 
>> ClamAV was designed for scanning files, not shellcode. If a file doesn't
>> have an MZ header, Windows won't execute it, so there's no need for ClamAV
>> to continue checking for PE signatures.
> _______________________________________________
> http://lurker.clamav.net/list/clamav-devel.html
> Please submit your patches to our Bugzilla: http://bugs.clamav.net
> 
> http://www.clamav.net/contact.html#ml
_______________________________________________
http://lurker.clamav.net/list/clamav-devel.html
Please submit your patches to our Bugzilla: http://bugs.clamav.net

http://www.clamav.net/contact.html#ml

Reply via email to