Bill Landry wrote:
> There has been some discussion on the Sanesecurity users list about
> ClamAV signatures matching unintended words.  For example, a signature
> that is written to match "acebook . com" (remove the spaces) would also
> match "facebook . com".
> 
> Is there a way to delimit what can precede a signature?  For example,
> allow preceding character matching if the preceding character is NOT an
> alpha/numeric character?

What you are trying to do is match with an anchor. This is discussed
(incredibly briefly) in the ClamAV signatures PDF file with this comment:

HEXSIG[x-y]aa or aa[x-y]HEXSIG
Match aa anchored to a hex-signature, see
https://wwws.clamav.net/bugzilla/show_bug.cgi?id=776 for a discussion and examples

dp
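
The overmatch discussed in this thread, as an added example that is not part of the original messages and is not ClamAV code: a Python model of an unanchored hex signature, of the aa[x-y]HEXSIG form quoted above, and of the "preceding byte is not alphanumeric" check the question asks for. The reading of the anchor form (byte aa, then x to y arbitrary bytes, then HEXSIG), the function names and the sample strings are assumptions made for illustration.

```python
# Constructed sample inputs; all function names are hypothetical.
LOOKALIKE = b"visit http://acebook.com/login"
LEGIT = b"visit http://facebook.com/login"

def to_hexsig(text):
    """Hex-encode an ASCII string, as the body of a hex signature is written."""
    return text.encode("ascii").hex()

SIG = to_hexsig("acebook.com")

def match_plain(hexsig, data):
    """Unanchored match: every offset at which the signature bytes occur."""
    needle, hits, pos = bytes.fromhex(hexsig), [], 0
    while (pos := data.find(needle, pos)) != -1:
        hits.append(pos)
        pos += 1
    return hits

def match_anchored(anchor_hex, lo, hi, hexsig, data):
    """Assumed reading of aa[x-y]HEXSIG: byte aa, then lo..hi arbitrary
    bytes, then HEXSIG. Returns the offsets of HEXSIG that satisfy it."""
    anchor, hits = bytes.fromhex(anchor_hex), []
    for off in match_plain(hexsig, data):
        starts = (off - gap - len(anchor) for gap in range(lo, hi + 1))
        if any(s >= 0 and data[s:s + len(anchor)] == anchor for s in starts):
            hits.append(off)
    return hits

def match_non_alnum_before(hexsig, data):
    """Boundary asked for in the question: the byte before the match is
    not ASCII alphanumeric (start of data also counts)."""
    return [off for off in match_plain(hexsig, data)
            if off == 0 or not data[off - 1:off].isalnum()]

if __name__ == "__main__":
    for name, sample in (("lookalike", LOOKALIKE), ("legit", LEGIT)):
        print(name,
              "plain:", match_plain(SIG, sample),
              "anchor '/' gap 0:", match_anchored("2f", 0, 0, SIG, sample),
              "anchor '/' gap 0-1:", match_anchored("2f", 0, 1, SIG, sample),
              "non-alnum before:", match_non_alnum_before(SIG, sample))
```

In this model an anchor pins one specific preceding byte rather than a class of bytes, and a gap range wider than zero lets the anchor sit before the leading "f", so the legitimate string matches again.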