Hi!
Tomasz Kojm wrote:
On Wed, 21 Jun 2006 19:11:44 -0400
Nicolas Riendeau <[EMAIL PROTECTED]> wrote:
[eg Joke.local.EricssonHoax:0:*:(61|41)(6e|4e)(6e|4e)(61|41)... ]
This thingy's not going to work, sorry.
It doesn't work but the thing I don't understand is why... According to the
docs that syntax is supposedly acceptable and some stock signatures even
seem to be built in a similar way...
The first two bytes must be 'static', so "(61|41)(6e|4e)" must be replaced
with two hex numbers (so you may need to use four separate signatures or
rely on the normaliser as suggested by aCaB). This limitation should be
removed with the next major version of ClamAV (0.90).
Thank you!!
I did as you suggested and made four signatures as I cannot, unfortunatly, rely on
the html normaliser as this could be in a text/plain part of an email...
It looks like I'm not out of the woods yet as it almost looks like every two bytes
there must be a static byte because otherwise I get FPs...
[Does that make sense? I haven't seen any mention of it in the docs I read but maybe
they're too old?]
Once again thank you!!!
Nick
_______________________________________________
http://lurker.clamav.net/list/clamav-users.html
