I wrote a shell script to determine a signature from a file that contains the virus itself or from a file that contains the virus in an attachment (MIME-encoded).
I have tested it (on Debian Linux and the clamav 0.67-1 release) with two viruses and it seems to work, but if more than one person tests it, I think that is much better.
I'll make a better release when I have more time.
Thanks for your comments.
cheers,
José
Usage : ScriptName file_infected label_for_the_new_signature
Shell :
#!/bin/sh
# Build a ClamAV signature (.db entry) from an infected file, or from a
# MIME-encoded mail that carries the infected file as an attachment.
[ $# -eq 2 ] || { echo "Usage: $0 file_infected label_for_the_new_signature" >&2; exit 1; }
FULL_PATH_VIRUS=$1
VIRUS=`basename "$FULL_PATH_VIRUS"`
LIBELLE_VIRUS=$2    # label for the new signature
SRC_DIR="Where your file infected must be found"
DEST_DIR="Directory of your clamav database"
LOG_DIR=/var/log
FIC_LOG=clamscan.log
SPLIT_DIR="Directory where used for split the infected file (must exist)"
TYPE_FIC=`file "$FULL_PATH_VIRUS"`
FIC_MIME=`echo "$TYPE_FIC" | grep -c "smtp mail text"`
# Test if mime-encoded
if [ "$FIC_MIME" -eq 1 ]
then
    cd "$SRC_DIR" || exit 1
    # munpack extracts the attachment into the current directory and prints
    # its name; capture it directly instead of via a temp file in /tmp
    VIRUS=`munpack "$FULL_PATH_VIRUS" | awk '{print $1}'`
fi
cd "$SPLIT_DIR" || exit 1
# Cut the infected file into 200-byte pieces (xaa, xab, ...)
split --bytes=200 "$SRC_DIR/$VIRUS"
NB_SPLIT=`ls -x | wc -w`
LISTE_FILE_SIG=`ls -x`
set -- $LISTE_FILE_SIG
# Used to determine which split file to use : Not very SMART !!!
WICH_SPLIT_FILE=`expr $NB_SPLIT - 3`
INDEX=1
while [ $INDEX -lt $WICH_SPLIT_FILE ]
do
    shift
    INDEX=`expr $INDEX + 1`
done
FILE_SIG=$1
# Hex-dump the chosen piece and write "label (Clam)=hex" as the database entry
sigtool --hex-dump < "$SPLIT_DIR/$FILE_SIG" > "$SRC_DIR/$VIRUS.sig"
printf '%s (Clam)=' "$LIBELLE_VIRUS" > "$SRC_DIR/$VIRUS.db"
cat "$SRC_DIR/$VIRUS.sig" >> "$SRC_DIR/$VIRUS.db"
chown clamav:clamav "$SRC_DIR/$VIRUS.db"
mv "$SRC_DIR/$VIRUS.db" "$DEST_DIR"
rm "$SRC_DIR/$VIRUS.sig"
rm "$SPLIT_DIR"/*
Clamav-users mailing list
https://lists.sourceforge.net/lists/listinfo/clamav-users
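The script above picks its 200-byte piece by position only, so the piece can be zero padding or a header that clean files share. The following is an added example, not part of the original post or of ClamAV, that vets a candidate piece before it is used as a signature; the function names, the MIN_DISTINCT threshold and the fixture files are assumptions constructed for the illustration.

```shell
#!/bin/sh
# Added example: vet one 200-byte piece before turning it into a signature.
# CHUNK, MIN_DISTINCT and every function name are assumptions for this sketch.
CHUNK=200          # same piece size the script passes to split --bytes
MIN_DISTINCT=8     # assumed threshold: fewer distinct byte values = padding-like

# Print stdin as " aa bb cc " (each byte preceded by one space), so a
# substring match can only succeed on byte boundaries.
to_hex() { od -An -v -tx1 | tr -s ' \n' ' '; }

# chunk_hex FILE N: hex of the N-th (0-based) CHUNK-byte piece of FILE.
chunk_hex() { dd if="$1" bs="$CHUNK" skip="$2" count=1 2>/dev/null | to_hex; }

# distinct_bytes HEX: number of different byte values in a to_hex string.
distinct_bytes() { printf '%s\n' "$1" | tr ' ' '\n' | grep . | sort -u | wc -l | tr -d ' '; }

# vet_chunk SAMPLE N CLEAN_DIR
# returns 0 = usable, 1 = empty or padding-like, 2 = also present in a clean file
vet_chunk() {
    sig=$(chunk_hex "$1" "$2")
    [ -n "$sig" ] || return 1
    [ "$(distinct_bytes "$sig")" -ge "$MIN_DISTINCT" ] || return 1
    for f in "$3"/*; do
        [ -f "$f" ] || continue
        case "$(to_hex < "$f")" in *"$sig"*) return 2 ;; esac
    done
    return 0
}

# Constructed fixture: a harmless text "sample" made of a shared header piece,
# a zero-padding piece and a unique piece, plus one clean file with the same header.
make_fixture() {
    dir=$(mktemp -d) || return 1
    mkdir "$dir/clean"
    seq 1 300 | head -c "$CHUNK" > "$dir/header"
    head -c "$CHUNK" /dev/zero > "$dir/pad"
    seq 9000 9300 | head -c "$CHUNK" > "$dir/unique"
    cat "$dir/header" "$dir/pad" "$dir/unique" > "$dir/sample"
    { cat "$dir/header"; seq 500 700; } > "$dir/clean/harmless"
    echo "$dir"
}

# Demo on the constructed fixture: report the verdict for pieces 0..3.
d=$(make_fixture) || exit 1
for n in 0 1 2 3; do
    rc=0; vet_chunk "$d/sample" "$n" "$d/clean" || rc=$?
    echo "piece $n -> $rc"
done
rm -rf "$d"
```

A piece that returns 0 here has only been checked against the clean files supplied, so the larger and more representative that directory is, the more the check is worth.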