At 4:15 PM +0000 2/16/10, Steve Basford wrote:
>
Attached document? I did not see an attachment. Can you send a link?

Is this the TargetType you are after...

2.3.4 Extended signature format

The extended signature format allows for specification of additional
information such as a target file type, virus offset or engine version,
making the detection more reliable. The format is:

    MalwareName:TargetType:Offset:HexSignature[:MinEngineFunctionalityLevel:[Max]]

where TargetType is one of the following numbers specifying the type of the
target file:

    0 = any file
    1 = Portable Executable
    2 = OLE2 component (e.g. a VBA script)
    3 = HTML (normalised)
    4 = Mail file
    5 = Graphics
    6 = ELF
    7 = ASCII text file (normalised)

And Offset is an asterisk or a decimal number n possibly combined with a
special modifier:

Source: http://www.clamav.com/doc/latest/signatures.pdf

Steve et al.,

Yes I know all this, as I told Alain I have read all available docs
but they (nor the wiki) do not explain how a "7" is determined (e.g. by
extension, if so which ones, or by contents, if so how), are php's and
perl's considered ascii, portable executable or html or what, what is
an rtf considered, an OLE or ascii or what, and what does a zeus bin
file get categorized as? Answers for these and many other questions
like these, I have searched the docs to find out with no joy.

Tom
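
The extended signature format quoted in this thread, as an added example that is not part of either message or of ClamAV's own code: a small Python parser that validates the fields the excerpt defines. The names `parse_extended_signature` and `ExtendedSignature` and the sample line are constructed for illustration; offset modifiers and the hex body are kept verbatim because the excerpt does not give their syntax.

```python
from dataclasses import dataclass
from typing import Optional

# TargetType numbers exactly as listed in the quoted signatures.pdf excerpt.
TARGET_TYPES = {
    0: "any file", 1: "Portable Executable", 2: "OLE2 component",
    3: "HTML (normalised)", 4: "Mail file", 5: "Graphics", 6: "ELF",
    7: "ASCII text file (normalised)",
}

@dataclass
class ExtendedSignature:
    name: str
    target_type: int
    target_name: str
    offset: str
    offset_kind: str            # "any", "absolute" or "modified"
    hex_signature: str
    min_fl: Optional[int] = None
    max_fl: Optional[int] = None

def _decimal(text: str, field: str) -> int:
    """Parse a plain ASCII decimal field or raise ValueError naming it."""
    if not (text.isascii() and text.isdigit()):
        raise ValueError(f"{field} must be a decimal number, got {text!r}")
    return int(text)

def parse_extended_signature(line: str) -> ExtendedSignature:
    """Split one extended-format line and validate the fields the excerpt defines."""
    fields = line.strip().split(":")
    if not 4 <= len(fields) <= 6:
        raise ValueError(f"expected 4 to 6 colon-separated fields, got {len(fields)}")
    name, target, offset, hexsig = fields[:4]
    if not name or not offset or not hexsig:
        raise ValueError("MalwareName, Offset and HexSignature must not be empty")
    target_type = _decimal(target, "TargetType")
    if target_type not in TARGET_TYPES:
        raise ValueError(f"TargetType {target_type} is not in the documented 0-7 range")
    if offset == "*":
        kind = "any"
    elif offset.isascii() and offset.isdigit():
        kind = "absolute"
    else:
        kind = "modified"       # modifier syntax is not in the excerpt; kept verbatim
    levels = [_decimal(f, "functionality level") for f in fields[4:]]
    if len(levels) == 2 and levels[0] > levels[1]:
        raise ValueError("MinEngineFunctionalityLevel exceeds Max")
    return ExtendedSignature(name, target_type, TARGET_TYPES[target_type], offset,
                             kind, hexsig, *levels)

# Constructed sample line (not a real ClamAV signature); the hex is the text "constructed".
SAMPLE = "Constructed.Text.Sample:7:*:636f6e7374727563746564"
```

The parser only reports which target type a signature declares; how the engine decides that a scanned file belongs to that type is the question the thread leaves open.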