> On Wed, 27 May 2009 06:52:17 -0700
> Dennis Peterson <denni...@inetnw.com> wrote:
>
>> Bill Landry wrote:
>> > There has been some discussion on the Sanesecurity users list about
>> > ClamAV signatures matching unintended words. For example, a signature
>> > that is written to match "acebook . com" (remove the spaces) would also
>> > match "facebook . com".
>> >
>> > Is there a way to delimit what can precede a signature? For example,
>> > allow preceding character matching if the preceding character is NOT an
>> > alpha/numeric character?
>>
>> What you are trying to do is match with an anchor. This is discussed
>> (incredibly briefly) in the ClamAV signatures PDF file with this
>> comment:
>
> Another possible solution is to use logical signatures. You can tell the
> engine to match acebook but not facebook, e.g.:
>
> Foo;Target:0;0&1=0;616365626f6f6b;66616365626f6f6b
>
> For more information about logical signatures please see
> http://svn.clamav.net/websvn/filedetails.php?repname=clamav-devel&path=%2Ftrunk%2Fdocs%2Fsignatures.pdf&rev=0&sc=0

Thanks, Tomasz, I will look into logical signatures, as well. Do you know if using logical signatures takes more overhead than standard hex signatures?

Bill
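
The two approaches discussed in this thread behave differently on a message that contains both strings. The following is an added example, not part of the original thread and not ClamAV's engine: a small Python model that decodes the posted logical signature and compares it with the per-occurrence "preceding character is not alphanumeric" check. It assumes `0&1=0` reads as "subsignature 0 matches and subsignature 1 matches zero times"; the function names and sample bodies are constructed for illustration.

```python
import re

# The logical signature exactly as posted in the thread.
LSIG = "Foo;Target:0;0&1=0;616365626f6f6b;66616365626f6f6b"

def parse_lsig(line):
    """Split name;target;expression;subsig0;subsig1;... and decode hex subsigs."""
    name, target, expr, *subsigs = line.split(";")
    return name, target, expr, [bytes.fromhex(s) for s in subsigs]

def count(needle, data):
    """Count occurrences of needle in data, overlapping ones included."""
    n, i = 0, data.find(needle)
    while i != -1:
        n, i = n + 1, data.find(needle, i + 1)
    return n

def logical_match(data):
    """Model of '0&1=0' (assumed reading): subsig 0 present AND subsig 1 seen 0 times."""
    _, _, expr, subs = parse_lsig(LSIG)
    assert expr == "0&1=0"  # this toy model handles only the posted expression
    return count(subs[0], data) > 0 and count(subs[1], data) == 0

def boundary_match(data):
    """Per-occurrence check asked about: the preceding byte is not alphanumeric."""
    return re.search(rb"(?<![A-Za-z0-9])acebook", data) is not None

# Constructed sample bodies, not real mail.
SAMPLES = {
    "bare": b"visit acebook.com now",
    "facebook_only": b"see you on facebook.com",
    "both": b"like us on facebook.com and visit acebook.com",
}

def evaluate():
    """Return {sample: (logical_match, boundary_match)} for each sample."""
    return {k: (logical_match(v), boundary_match(v)) for k, v in SAMPLES.items()}

if __name__ == "__main__":
    for name, (lsig, bound) in evaluate().items():
        print(f"{name:14} logical={lsig!s:5} boundary={bound}")
```

In this model the `both` sample is missed by the logical expression, because the exclusion applies to the whole scanned buffer rather than to each occurrence, while the boundary check still flags the standalone string.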