xue wen wrote:
> To whom it may concern,
>
> I have tried to understand the signatures in the ClamAV's database. I have
> succeeded to add a string signature into .db file. And when I tried to add a
> regular expression into signature, there were some errors. I have referred
> to the document of signatures.pdf and followed the instructions to add *, ?
> and | etc, into the hex signatures. But when I used these signature as rule,
> the error was printed like this:
>
> LibClamAV Error: cli_parse_add(): Problem adding signatures (2).
> Problem parsing signature at line 1
> Problem parsing database at line 1
> Can't load daily.db: Malformed database
> ERROR: Malformed database

There seems to be a complexity limit on wildcard signatures; for a while I was automating part of the process of generating signatures for image-based spam. The automated process regularly produced signatures which were structured properly, but which were rejected by Clam as "malformed". Trimming them down (usually just trimming the end off until it worked) was the only way I could get them functioning.

Nobody really answered my confusion when I asked about it at the time (late October 2006, check the list archives for "Complexity limits on (custom) signatures?"), although there was some interesting discussion that came out of it.

If you post examples, and what you're hoping to match on, several people on this list can probably point out what you're doing wrong.

> Are there regular expressions in ClamAV's virus signatures? If so, why can't
> I add some into them?

Mmmh... ClamAV signatures include a *very* small subset of most regex syntax - (aa|bb), ?? as "anything", and {nn} to compress a long string of ?'s down. It's been a while since I looked at creating signatures myself so I don't recall what other bits there are.

-kgd
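
As an added illustration (not part of the original thread and not ClamAV's own parser), the sketch below tokenizes only the constructs named in these messages (hex bytes, `??`, `*`, `{n}`, `(aa|bb)`), reports the offset of the first token outside that subset, and compiles the rest to a Python bytes regex so a signature can be tried against a test buffer. The function names, the `Name=HexSignature` line layout, and the sample data are assumptions made for the example, and it does not model the complexity limit described above.

```python
import re

# Constructs named in the thread only. Assumption: this is an illustration,
# not ClamAV's parser, and it does not model ClamAV's complexity limits.
_HEX = r"(?:[0-9a-fA-F]{2})+"
_TOKEN = re.compile(
    r"(?P<byte>[0-9a-fA-F]{2})"             # literal byte, e.g. 4d
    r"|(?P<any>\?\?)"                       # ?? : any one byte
    r"|(?P<star>\*)"                        # *  : any run of bytes
    r"|\{(?P<skip>\d+)\}"                   # {n}: exactly n arbitrary bytes
    r"|\((?P<alt>" + _HEX + r"(?:\|" + _HEX + r")*)\)"  # (aa|bb)
)

def _lit(hex_pairs):
    return re.escape(bytes.fromhex(hex_pairs))

def sig_to_regex(hexsig):
    """Compile a hex signature body to a bytes regex; ValueError on bad tokens."""
    pos, parts = 0, []
    while pos < len(hexsig):
        m = _TOKEN.match(hexsig, pos)
        if m is None:
            raise ValueError(f"unsupported token at offset {pos}: {hexsig[pos:pos + 8]!r}")
        if m.group("byte"):
            parts.append(_lit(m.group("byte")))
        elif m.group("any"):
            parts.append(b".")
        elif m.group("star"):
            parts.append(b".*?")
        elif m.group("skip") is not None:
            parts.append(b".{%d}" % int(m.group("skip")))
        else:
            parts.append(b"(?:" + b"|".join(_lit(a) for a in m.group("alt").split("|")) + b")")
        pos = m.end()
    return re.compile(b"".join(parts), re.DOTALL)

def check_db_line(line):
    """Split a 'Name=HexSignature' line (assumed .db layout) and compile it."""
    name, sep, hexsig = line.strip().partition("=")
    if not (name and sep and hexsig):
        raise ValueError("expected Name=HexSignature")
    return name, sig_to_regex(hexsig)

# Constructed sample signature and buffer, not real malware indicators.
SAMPLE_LINE = "Example.Test=4d5a??(90|91){2}50*45"
SAMPLE_BUF = b"xxMZ\x00\x91\x0a\x0bP\nfillerE"

if __name__ == "__main__":
    name, rx = check_db_line(SAMPLE_LINE)
    print(name, rx.search(SAMPLE_BUF))
```

A signature that passes this check can still be rejected by ClamAV itself, so the result only rules out syntax errors within the subset shown.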