On 2008-12-19 14:02, Andre Hübner wrote:
> Hello,
>
> sometimes clamav is too rigorous and "kills" some uploaded php-files where no
> malware can be found.
> but in this case I want to stop a specific directmailer (spam) with Russian
> origin from being uploaded.
> File was submitted already but seems not to be included in official malware.
> Now I did my own signature with:
>
> sigtool --md5 malwarename > malwarename.hdb
> Now is the question what's the best way to do my own signatures? If I add
> some whitespace to malware the md5 signature seems to not fit and malware is
> not found.

There are other kinds of signatures, besides md5, supported by ClamAV:
see signatures.pdf, especially section 2.3.4 Extended signature format.

Text files are also normalized by ClamAV. You should run

    mkdir tmp && clamscan --leave-temps --tempdir=tmp

and then look for the normalized text file, and create a type 7 signature for it.

Best regards,
--Edwin
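An added example, not part of the original thread or of ClamAV itself: it shows why the md5 (.hdb) signature stops matching once whitespace is added, while an extended-format body signature with target type 7 taken from the normalized text still matches. Assumptions: `normalize_text` is a simplified stand-in for ClamAV's normalizer (lowercasing and whitespace collapsing only), the matcher is a toy, and the sample script and the name `Local.Mailer.Sample` are constructed; for a real signature, take the bytes from the normalized temp file that `clamscan --leave-temps` leaves behind.

```python
import hashlib
import re

# Constructed sample input (harmless), plus a copy with extra whitespace added.
SAMPLE = b'<?php\n$Hdr = "X-Mailer: bulk-sender-demo";\nmail($to, $subj, $body, $Hdr);\n?>\n'
PADDED = SAMPLE.replace(b"\n", b" \n\n\t")


def hdb_line(data: bytes, name: str) -> str:
    """Hash signature in .hdb layout (md5:size:name), as sigtool --md5 prints it."""
    return f"{hashlib.md5(data).hexdigest()}:{len(data)}:{name}"


def normalize_text(data: bytes) -> bytes:
    """Assumption: approximate text normalization as lowercase plus
    collapsing every whitespace run to one space."""
    return re.sub(rb"\s+", b" ", data.lower())


def ndb_line(name: str, normalized_fragment: bytes) -> str:
    """Extended signature: Name:TargetType:Offset:HexSignature.
    Target type 7 = normalized ASCII text, offset '*' = anywhere."""
    return f"{name}:7:*:{normalized_fragment.hex()}"


def ndb_matches(sig_line: str, data: bytes) -> bool:
    """Toy matcher: plain hex body, target 7, offset '*' only."""
    _name, target, offset, hexsig = sig_line.split(":")
    if (target, offset) != ("7", "*"):
        raise ValueError("only target 7 with offset * is handled here")
    return bytes.fromhex(hexsig) in normalize_text(data)


# Pick a distinctive fragment from the *normalized* text, not from the raw file.
FRAGMENT = b'"x-mailer: bulk-sender-demo"; mail($to,'
SIG = ndb_line("Local.Mailer.Sample", FRAGMENT)

if __name__ == "__main__":
    print("hdb original:", hdb_line(SAMPLE, "sample.php"))
    print("hdb padded  :", hdb_line(PADDED, "sample.php"))   # different hash and size
    print("ndb line    :", SIG)
    print("ndb matches original:", ndb_matches(SIG, SAMPLE))
    print("ndb matches padded  :", ndb_matches(SIG, PADDED))
```

The printed `ndb line` is the layout that goes into a local `.ndb` file; the fragment should be long and specific enough that legitimate PHP uploads do not contain it.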