On Wed, 27 May 2009 06:52:17 -0700 Dennis Peterson <denni...@inetnw.com> wrote:
> Bill Landry wrote: > > There has been some discussion on the Sanesecurity users list about > > ClamAV signatures matching unintended words. For example, a signature > > that is written to match "acebook . com" (remove the spaces) would also > > match "facebook . com". > > > > Is there a way to delimit what can precede a signature? For example, > > allow preceding character matching if the preceding character is NOT an > > alpha/numeric character? > > What you are trying to do is match with an anchor. This is discussed > (incredibly briefly) in the ClamAV sigantures PDF file with this comment: Another possible solution is to use logical signatures. You can tell the engine to match acebook but not facebook, eg.: Foo;Target:0;0&1=0;616365626f6f6b;66616365626f6f6b For more information about logical signatures please see http://svn.clamav.net/websvn/filedetails.php?repname=clamav-devel&path=%2Ftrunk%2Fdocs%2Fsignatures.pdf&rev=0&sc=0 Regards, -- oo ..... Tomasz Kojm <tk...@clamav.net> (\/)\......... http://www.ClamAV.net/gpg/tkojm.gpg \..........._ 0DCA5A08407D5288279DB43454822DC8985A444B //\ /\ Wed May 27 16:04:12 CEST 2009 _______________________________________________ Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net http://www.clamav.net/support/ml
