OK, I have read all the docs and gotten some feedback here (thanks Steve, Scott and Edwin), but I am still a little confused and can't seem to find comprehensive docs to read. The questions below are for hex signatures. I am also confused about some of the others, but those questions will come later...

1) Docs included with the 0.94.2 download (signatures.pdf) say to put hex sigs in *.db files, yet I see others putting them in *.ndb. What's the difference in format, and where does one find the docs on the *.ndb format?

2) Could someone explain: "characters are elided"?

3) Type 0 (any file) is exactly the raw contents of the file? Or something else?

4) Type 1 Portable Executable is what? What differentiates this from Type 0?

5) Type 2 OLE2 Component is what? I think it is MS Office files, but is it anything else? Or is it the OLE DLL files? What differentiates this from Type 0?

6) Type 4 Mail file is what? I think it is just raw mail contents. Is this correct? What differentiates this from Type 0? It appears that when writing rules you need to create dups to deal with line endings: one with 0a for running on non-Windows systems and one with 0d0a for running on Windows systems. This is confusing for me. Is this true? Is it true for Type 0 et al.?

7) Type 5 Graphics file is what? I think it is just the raw contents of gif, jpg, tiff, png, bmp, etc. Is this correct? What differentiates this from Type 0?

8) Type 6 ELF file appears to be just an executable? What differentiates this from Type 0 in terms of rule writing?

9) Type 7 ASCII file appears to have all the tags removed (if they were there) and everything moved to lowercase? Is this correct, and what about characters outside of the standard 127 of ASCII?

10) It appears to me that some of the purpose of the 7 file types is to limit when a rule is applied and not the content to which the rule applies, probably to reduce false detects. Is there any other reason?

11) Any suggestions on where I can find out how to understand and decode .ftm?

Thanks to all who have helped and will help. I think when I understand all this I will post a summary doc to help others.

TIA,
Tom

_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml
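The following is an added example for this thread, not code from the post above or from ClamAV itself. It builds the two signature layouts the first question contrasts (the legacy `name=hex` lines of a *.db file and the `name:target:offset:hex` lines of a *.ndb file), lists the target types 0-7 from signatures.pdf, and handles the line-ending problem raised in question 6 the way the poster describes it: by emitting one signature with 0a and a duplicate with 0d0a, then checking each against a constructed mail sample with Unix and Windows line endings. Signature names, the sample header text and the `demo()` helper are invented for illustration; the offset forms accepted and the wildcard characters tolerated by the parser are a subset of what ClamAV supports, and `matches()` deliberately handles literal hex only.

```python
"""Build and check ClamAV-style hex signatures in the .db and .ndb layouts.

Added example for this thread; it is not code from the post or from ClamAV.
Layouts used, as described in ClamAV's signatures documentation:
  .db   MalwareName=HexSignature                   (legacy, no target type)
  .ndb  MalwareName:TargetType:Offset:HexSignature
Target types 0-7: 0 any file, 1 PE, 2 OLE2, 3 HTML (normalised), 4 mail,
5 graphics, 6 ELF, 7 ASCII text (normalised).
Only literal hex bodies are matched here; ClamAV wildcards (??, *, {n}, (aa|bb))
are accepted by parse_ndb() but not interpreted by matches().
"""
import re

TARGET_TYPES = {
    0: "any file", 1: "Portable Executable", 2: "OLE2 component",
    3: "HTML (normalised)", 4: "mail file", 5: "graphics file",
    6: "ELF executable", 7: "ASCII text (normalised)",
}

# Offsets handled here: '*' (anywhere), an absolute decimal offset, EOF-n, EP+n / EP-n.
# Other offset forms ClamAV accepts are left out of this example.
OFFSET_RE = re.compile(r"\*|\d+|EOF-\d+|EP[+-]\d+")
HEX_BODY_RE = re.compile(r"^[0-9a-f*?{}()|\-]+$")  # lowercase hex plus wildcard chars


def to_hex(pattern: bytes) -> str:
    """Raw bytes -> lowercase hex with no separators, the form ClamAV expects."""
    return pattern.hex()


def db_line(name: str, pattern: bytes) -> str:
    """Legacy .db line: name=hex, applied to any file, no target type or offset."""
    return f"{name}={to_hex(pattern)}"


def ndb_line(name: str, target: int, offset: str, pattern: bytes) -> str:
    """Extended .ndb line: name:target:offset:hex."""
    if target not in TARGET_TYPES:
        raise ValueError(f"target type must be 0-7, got {target}")
    if not OFFSET_RE.fullmatch(offset):
        raise ValueError(f"unsupported offset {offset!r}")
    if ":" in name:
        raise ValueError("':' is the .ndb field separator and cannot appear in a name")
    return f"{name}:{target}:{offset}:{to_hex(pattern)}"


def line_ending_variants(name: str, target: int, offset: str, text: str) -> dict:
    """Emit one signature per line ending, the duplication the poster describes.

    `text` uses '\\n' for line breaks; the CRLF variant rewrites each to '\\r\\n'
    (hex 0d0a) so the same content matches files produced on Windows.
    """
    lf = text.encode("ascii")
    crlf = text.replace("\n", "\r\n").encode("ascii")
    return {
        "lf": ndb_line(f"{name}.LF", target, offset, lf),
        "crlf": ndb_line(f"{name}.CRLF", target, offset, crlf),
    }


def parse_ndb(line: str) -> tuple:
    """Split an .ndb line into (name, target, offset, hexbody) with basic validation."""
    fields = line.rstrip("\n").split(":")
    if len(fields) < 4:
        raise ValueError(f"expected at least 4 ':'-separated fields: {line!r}")
    name, target, offset, body = fields[0], int(fields[1]), fields[2], fields[3]
    if target not in TARGET_TYPES or not OFFSET_RE.fullmatch(offset):
        raise ValueError(f"bad target or offset in {line!r}")
    if not HEX_BODY_RE.match(body):
        raise ValueError(f"hex body must be lowercase hex (plus wildcards): {body!r}")
    return name, target, offset, body


def matches(hexbody: str, data: bytes) -> bool:
    """Literal check: does the signature's byte string occur in the raw data?

    Wildcards are deliberately not implemented; a body containing them raises
    so a caller never mistakes a False result for 'no match'.
    """
    if not re.fullmatch(r"(?:[0-9a-f]{2})+", hexbody):
        raise ValueError("matches() handles literal hex only")
    return bytes.fromhex(hexbody) in data


# Constructed sample input (not real malware): the same mail header with Unix and
# Windows line endings, to show why a single 0a signature misses the CRLF file.
MAIL_LF = b"From: sender@example.invalid\nX-Mailer: foo\nSubject: hi\n"
MAIL_CRLF = MAIL_LF.replace(b"\n", b"\r\n")


def demo() -> dict:
    """Return, per variant, (matched LF sample, matched CRLF sample)."""
    sigs = line_ending_variants("Example.Header", 4, "*", "X-Mailer: foo\n")
    results = {}
    for key, line in sigs.items():
        _, _, _, body = parse_ndb(line)
        results[key] = (matches(body, MAIL_LF), matches(body, MAIL_CRLF))
    return results


if __name__ == "__main__":
    print(db_line("Example.MZ", b"MZ"))
    print(ndb_line("Example.MZ", 1, "0", b"MZ"))
    for key, line in line_ending_variants("Example.Header", 4, "*", "X-Mailer: foo\n").items():
        print(key, line)
    print(demo())  # {'lf': (True, False), 'crlf': (False, True)}
```

Running it prints the *.db and *.ndb forms of the same two-byte pattern side by side, then the LF and CRLF signatures; `demo()` shows that each variant fires only on the sample with its own line ending, which is the reason for the duplicated rules the poster noticed.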