Dennis Peterson wrote: > Bill Landry wrote: >> There has been some discussion on the Sanesecurity users list about >> ClamAV signatures matching unintended words. For example, a signature >> that is written to match "acebook . com" (remove the spaces) would also >> match "facebook . com". >> >> Is there a way to delimit what can precede a signature? For example, >> allow preceding character matching if the preceding character is NOT an >> alpha/numeric character? > > What you are trying to do is match with an anchor. This is discussed > (incredibly > briefly) in the ClamAV sigantures PDF file with this comment: > > HEXSIG[x-y]aa or aa[x-y]HEXSIG > Match aa anchored to a hex-signature, see https://wwws.clamav.net/ > bugzilla/show_bug.cgi?id=776 for a discussion and examples
Thanks Dennis, I will take a look at that. Bill _______________________________________________ Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net http://www.clamav.net/support/ml
