Tom:

Is this the answer you were looking for?

-- 
Alain S. Zidouemba
Research Engineer, Vulnerability Research Team
SOURCEfire
Tel: 1(410)423-4764
email: alain.zidoue...@sourcefire.com


2010/2/15 Alain Zidouemba <azidoue...@sourcefire.com>

> Courtesy of Edwin:
>
> The file type is determined by signatures in daily.ftm (or the builtin
> ones in filetypes_int.h if that is missing) on a portion at the
> beginning of the file.
>
> sigtool --unpack-current daily
> cat daily.ftm
>
> As for binary versus ascii, utf8, utf16be, utf16le, see textdet.c: it
> looks at the beginning of the file and determines which one it could be,
> based on the ratio of how many good/bad ascii, utf8, etc. characters it
> has seen.
>
> Also there are some signatures that are detected on the fly (not only at
> the beginning of the file), during a type0 scan:
> /* bigger numbers have higher priority (in o-t-f detection) */
>   CL_TYPE_HTML, /* on the fly */
>   CL_TYPE_MAIL,  /* magic + on the fly */
>   CL_TYPE_SFX, /* foo SFX marker */
>   CL_TYPE_ZIPSFX, /* on the fly */
>   CL_TYPE_RARSFX, /* on the fly */
>   CL_TYPE_CABSFX,
>   CL_TYPE_ARJSFX,
>   CL_TYPE_NULSFT, /* on the fly */
>   CL_TYPE_AUTOIT,
>   CL_TYPE_ISHIELD_MSI,
>
> These filetypes are used both to determine what signature to match, and
> what unpacker to run.
>
> And the mapping from CL_TYPE to signature targettypes is in matcher.h:
>   { 0,                    "GENERIC",      0,  0, 1 },
>   { CL_TYPE_MSEXE,        "PE",           1,  0, 1 },
>   { CL_TYPE_MSOLE2,       "OLE2",         2,  1, 0 },
>   { CL_TYPE_HTML,         "HTML",         3,  1, 0 },
>   { CL_TYPE_MAIL,         "MAIL",         4,  1, 1 },
>   { CL_TYPE_GRAPHICS,     "GRAPHICS",     5,  1, 0 },
>   { CL_TYPE_ELF,          "ELF",          6,  1, 0 },
>   { CL_TYPE_TEXT_ASCII,   "ASCII",        7,  1, 1 },
> /* note that this actually includes utf8, utf16be, and utf16le too! */
>
>   { CL_TYPE_ERROR,        "NOT USED",     8,  1, 0 },
>   { CL_TYPE_MACHO,        "MACH-O",       9,  1, 0 }
>
> On Sat, Feb 13, 2010 at 7:30 PM, Tom Shaw <ts...@oitc.com> wrote:
> > Pardon me, Alain, but I did say I did due diligence in looking before
> > asking. I have read that before and will have to say the document is
> > lacking in much content.  Further it doesn't tell me squat about what/how
> > clam assigned files to a TargetType.  For example how is a zeus .bin file
> > categorized? or a command file or how is an "ascii" file determined to be
> > an "ascii" file and ......
> >
> > Tom
> >
> > At 6:58 PM -0500 2/13/10, Alain Zidouemba wrote:
> >>
> >> You can find the document here:
> >>
> >> www.clamav.com/doc/latest/signatures.pdf
> >>
> >> On Sat, Feb 13, 2010 at 6:50 PM, Tom Shaw <ts...@oitc.com> wrote:
> >>>
> >>>  That's GREAT, Alain but no attachment was attached :-(
> >>>
> >>>  Tom
> >>>
> >>>  At 6:02 PM -0500 2/13/10, Alain Zidouemba wrote:
> >>>>
> >>>>  Tom,
> >>>>
> >>>>  You can find the answer in the attached document.
> >>>>
> >>>>  On Feb 13, 2010 5:49 PM, "Tom Shaw" <ts...@oitc.com> wrote:
> >>>>
> >>>>  How does one determine what TargetType ClamAV will assign to a file
> >>>>  or attachment?  I have been all through the docs and wiki and can
> >>>>  find no specifics.
> >>>>
> >>>>  Any and all help is appreciated.
> >>>>
> >>>>  Tom
> >>>>
> >>>>  _______________________________________________
> >>>>  Help us build a comprehensive ClamAV guide: visit
> >>>> http://wiki.clamav.net
> >>>>  http://www.clamav.net/support/ml
> >>>>
> >>>
> >>>
> >>>  --
> >>>  Tom Shaw - Chief Engineer, OITC
> >>>  <tshaw at oitc.com>, http://www.oitc.com/ local wx:
> >>>  http://www.oitc.com/weather
> >>>  US Phone Numbers: 321-984-3714, 321-729-6258(fax), 321-258-2475
> >>> (cell/voice
> >>>  mail,pager) US skypeline: 321-622-9098
> >>>  Text Paging: http://www.oitc.com/Pager/sendmessage.html
> >>>  AIM/iChat: trs...@mac.com
> >>>  Skype: trshaw
> >>>
> >>>  Fish more and Live longer
> >>>  To err is human.  To purr, feline
> >>>
> >
>
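The detection sequence Edwin describes above (magic signatures from the .ftm file checked against the start of the file, then the text/binary decision, then the CL_TYPE to signature target type mapping) as an added Python example. This is not ClamAV's code and not taken from the thread: the .ftm entries are constructed samples in the documented magictype:offset:magic:name:rtype:type format (the real list comes from "sigtool --unpack-current daily"), only magictype-0 entries are matched here (the magictype-1 "on the fly" ones are skipped), entries whose rtype is not CL_TYPE_ANY are skipped as well (my reading of that field as a required current type), classify_text() is a strict simplification of the ratio heuristic in textdet.c, and TARGET_TYPES is the subset of the matcher.h table quoted above. SAMPLES are constructed inputs.

```python
"""Added example, not ClamAV code: a toy model of how a CL_TYPE and a
signature target type get assigned, following the thread above."""
import re

CL_TYPE_ANY = "CL_TYPE_ANY"

# Constructed .ftm lines (NOT the real daily.ftm) in the documented format:
# magictype:offset:magic(hex):name:rtype:type[:min_flevel[:max_flevel]]
SAMPLE_FTM = """\
# comments and blank lines are ignored
0:0:4d5a:MS-EXE/DLL:CL_TYPE_ANY:CL_TYPE_MSEXE
0:0:7f454c46:ELF:CL_TYPE_ANY:CL_TYPE_ELF
0:0:d0cf11e0a1b11ae1:OLE2 container:CL_TYPE_ANY:CL_TYPE_MSOLE2
0:0:cffaedfe:Mach-O 64-bit LE:CL_TYPE_ANY:CL_TYPE_MACHO
0:0:feedface:Mach-O 32-bit BE:CL_TYPE_ANY:CL_TYPE_MACHO
0:0:ffd8ff:JPEG:CL_TYPE_ANY:CL_TYPE_GRAPHICS
1:*:3c68746d6c:HTML:CL_TYPE_ANY:CL_TYPE_HTML
"""

# Subset of the CL_TYPE -> target type table quoted from matcher.h in the
# thread: name and index.  All text subtypes fall under target 7 "ASCII".
TARGET_TYPES = {
    "CL_TYPE_MSEXE": ("PE", 1),
    "CL_TYPE_MSOLE2": ("OLE2", 2),
    "CL_TYPE_HTML": ("HTML", 3),
    "CL_TYPE_MAIL": ("MAIL", 4),
    "CL_TYPE_GRAPHICS": ("GRAPHICS", 5),
    "CL_TYPE_ELF": ("ELF", 6),
    "CL_TYPE_TEXT_ASCII": ("ASCII", 7),
    "CL_TYPE_TEXT_UTF8": ("ASCII", 7),
    "CL_TYPE_TEXT_UTF16BE": ("ASCII", 7),
    "CL_TYPE_TEXT_UTF16LE": ("ASCII", 7),
    "CL_TYPE_MACHO": ("MACH-O", 9),
}


def parse_ftm(text):
    """Return magictype-0 entries as (offset, magic bytes, name, rtype, type).
    magictype-1 entries are the 'on the fly' signatures handed to the pattern
    matcher and are skipped; the flevel fields are ignored in this toy."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 6:
            raise ValueError("line %d: expected at least 6 fields" % lineno)
        magictype, offset, magic, name, rtype, ctype = fields[:6]
        if magictype != "0":
            continue
        if not re.fullmatch(r"(?:[0-9a-fA-F]{2})+", magic):
            raise ValueError("line %d: magic is not whole hex bytes" % lineno)
        entries.append((int(offset), bytes.fromhex(magic), name, rtype, ctype))
    return entries


def classify_text(head):
    """Simplified stand-in for textdet.c (assumption: ClamAV uses per-byte
    good/bad ratios; this version is strict).  Decides among ASCII, UTF-8,
    UTF-16 with BOM, and binary, looking only at the given head window."""
    if not head:
        return "CL_TYPE_BINARY_DATA"  # nothing to judge
    if head.startswith(b"\xff\xfe"):
        return "CL_TYPE_TEXT_UTF16LE"
    if head.startswith(b"\xfe\xff"):
        return "CL_TYPE_TEXT_UTF16BE"
    if all(0x20 <= b < 0x7F or b in b"\t\n\r\x0c" for b in head):
        return "CL_TYPE_TEXT_ASCII"
    try:
        decoded = head.decode("utf-8")
    except UnicodeDecodeError as err:
        if err.reason != "unexpected end of data":
            return "CL_TYPE_BINARY_DATA"
        # Edge case: the window cut a multibyte sequence; judge the prefix.
        decoded = head[: err.start].decode("utf-8")
    if all(c.isprintable() or c in "\t\n\r\x0c" for c in decoded):
        return "CL_TYPE_TEXT_UTF8"
    return "CL_TYPE_BINARY_DATA"


def detect_type(data, entries, head_len=1024):
    """Magic signatures on the start of the file first (first match in file
    order wins), then the text/binary heuristic, as the thread describes."""
    head = data[:head_len]
    for offset, magic, _name, rtype, ctype in entries:
        if rtype != CL_TYPE_ANY:
            continue  # assumption: needs an already-assigned type, not tracked here
        if head[offset : offset + len(magic)] == magic:
            return ctype
    return classify_text(head)


def target_type(ctype):
    """CL_TYPE -> (target name, index) per the quoted table; else GENERIC/0."""
    return TARGET_TYPES.get(ctype, ("GENERIC", 0))


def classify(data, entries=None):
    entries = parse_ftm(SAMPLE_FTM) if entries is None else entries
    ctype = detect_type(data, entries)
    return ctype, target_type(ctype)


# Constructed inputs: an MZ header stub, an ELF magic, plain ASCII, UTF-8,
# UTF-16LE with BOM, and a binary blob.
SAMPLES = {
    "mz": b"MZ\x90\x00" + b"\x00" * 60,
    "elf": b"\x7fELF\x02\x01\x01" + b"\x00" * 9,
    "ascii": b"echo hello world\r\n",
    "utf8": "Gr\u00fc\u00dfe aus K\u00f6ln\n".encode("utf-8"),
    "utf16le": "\ufeffhello".encode("utf-16-le"),
    "binary": b"\x01\x02\x00\xff\xfe\x10",
}

if __name__ == "__main__":
    for label, blob in SAMPLES.items():
        ctype, (tname, tidx) = classify(blob)
        print("%-8s %-22s target %d (%s)" % (label, ctype, tidx, tname))
```

Pointing parse_ftm() at an unpacked daily.ftm shows which magictype-0 magics exist for a given type; anything that only has magictype-1 entries (the "on the fly" list in the thread) will not be found by this toy, which is exactly why a file with no magic at offset 0 ends up under target 7 ("ASCII") or 0 ("GENERIC") here.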
