On Thu, 7 Aug 2008 16:34:04 +0100 "Chambers, Phil" <[EMAIL PROTECTED]> wrote:
>I have a local ndb file containing signatures of some spear phishing
>attacks targeted specifically at us.
>
>I recently added another signature and it cause clamd to shut down!
>
>Two points:
>
>1) Surely clamd should log the problem but skip the faulty signature
>and carry on?
>
>I am now extremely concerned about creating new signatures because of
>the risk of taking clamd out, with the serious consequences that that
>entails.
>
>2) I have gone through my new signature time and time again and
>compared it with others that are fine and I can't find anything wrong
>with it!
>
>I have looked at the source code and there are numerous places where it
>detects problems with signature, but they all generate the same failure
>message: "Malformed database".
>
>It is going to take me a very long time to patch the code to make it
>generate different error messages for each case where a signature can
>be malformed, so that I can diagnose my problem, but I see no
>alternative.
>
>That is, unless there is a tool available to check signatures before
>they are installed. Does anyone have any suggestions?
>
>The failing signature is:
>
>Email.Phishing.Exeter.0002:0:0,6:44656172{-18}537562736372696265722c{-4}
>5765{-4}617265{-4}63757272656e746c79{-4}6361727279696e672d6f7574{-4}61{-
>4}6d656e7461696e616e6365{-4}70726f63657373{-4}746f{-4}796f7572{-18}61636
>36f756e742c{-4}746f{-4}636f6d706c657465{-4}74686973
You might try perhaps placing your new signature into an "ndb" file and
then running something like:
clamscan -d Path-2-NDB-file
That would report if there were a malformed signature in the file.
--
Gerard
[EMAIL PROTECTED]
"The jig's up, Elman."
"Which jig?"
Jeff Elman
signature.asc
Description: PGP signature
_______________________________________________ Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net http://www.clamav.net/support/ml
