> >On Thu, Jan 26, 2006 at 01:09:28PM +0100, Diego d'Ambra wrote: >> Erik Corry wrote: >> >On Thu, Jan 26, 2006 at 11:50:00AM +0100, Erik Corry wrote: >> > > >> > > How about: >> > > >> > > >> >>JS.Feebs-C.variant-ec:3:*:756e6573636170652822(253636|66)(253735|75)(25363e|6e >)(253633|63)*(253237|27)(253237|27)(25323c|2c)??(25323c|2c)??(25323c|2c)??(2532 >3c|2c) >> > >> >Sheesh, this sig making stuff isn't as simple as it looks :-) >> >That didn't work well at all! >> > >> >>JS.Feebs-C.variant-ec:3:*:756e6573636170652822(253636|66)(253735|75)(253645|6e >)(253633|63) >> > >> >> Bingo, matches every variant. >> >> I believe adding a match for e.g. <=((?+1)%??-1);> and possible > >Is this syntax documented? It doesn't look like the syntax documented in >the signatures.pdf file from the clamav web site. >
There is an "advanced" turotial here: http://www.antionline.com/showthread.php?s=&threadid=262564 I found it accidently yesterday. _______________________________________________ http://lurker.clamav.net/list/clamav-users.html
