Hello!
In order to understand the pattern matching procedure of ClamAV, I
created a new signature database that contains only one signature
(test=72706e696674). The hex representation is equal to the string 'printf'.
However, when I use the clamscan utility to scan binary files, like
/bin/ls and /bin/rm, that contain the 'printf' string (binary files
match using grep), it does not report that the files are infected.
I run clamscan like this:
$ ./clamscan -d ../database/test.db /bin/ls
and I get the following output:
----------- SCAN SUMMARY -----------
Known viruses: 1
Engine version: 0.92
Scanned directories: 0
Scanned files: 1
Infected files: 0
Data scanned: 0.09 MB
Time: 0.032 sec (0 m 0 s)
Is this behavior expected, or am I doing something wrong?
Thanks in advance!
Giorgos
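
An added example, not part of the original post: a small Python check that decodes a `name=hexsignature` line like the one above and searches a buffer for both the decoded bytes and the intended string. The function names and the sample bytes are constructed for illustration, and only plain hex bodies (no wildcards) are handled.

```python
def parse_db_line(line):
    """Split a 'name=hexsignature' line into (name, raw signature bytes)."""
    name, sep, hexsig = line.strip().partition("=")
    if not sep or not name or not hexsig:
        raise ValueError("expected name=hexsignature")
    try:
        body = bytes.fromhex(hexsig)  # rejects odd length and non-hex input
    except ValueError as exc:
        raise ValueError("signature body is not plain hex: %r" % hexsig) from exc
    return name, body


def find_offsets(data, pattern):
    """Return every offset at which pattern occurs in data."""
    offsets = []
    pos = data.find(pattern)
    while pos != -1:
        offsets.append(pos)
        pos = data.find(pattern, pos + 1)
    return offsets


def check_signature(line, data, expected):
    """Compare what the signature encodes with what it was meant to encode."""
    name, body = parse_db_line(line)
    return {
        "name": name,
        "decoded": body,
        "matches_expected": body == expected,
        "signature_offsets": find_offsets(data, body),
        "expected_offsets": find_offsets(data, expected),
        "expected_hex": expected.hex(),
    }


# Constructed sample standing in for a binary's contents; to check a real
# file, read it with open(path, "rb").read() instead.
SAMPLE = b"\x7fELF\x00\x00__printf_chk\x00fprintf\x00"

if __name__ == "__main__":
    result = check_signature("test=72706e696674", SAMPLE, b"printf")
    for key, value in result.items():
        print("%-18s %r" % (key, value))
```
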