Could be a whitespace character issue. Try to see if ClamAV normalizes
your php script:
clamscan --debug --leave-temps --tempdir=yourtempdir yourphpscript.php
Go to yourtempdir and see if there is a file(s) there. Look for any
differences between it and your original file. Base your signature on
the file(s) from yourtempdir.
Hope that helps.
- Alain
On Wed, May 2, 2012 at 2:29 PM, Maarten Broekman <mbroek...@maileig.com> wrote:
> I'm having some issues creating a hex signature to match some PHP code
> I've run across. I've pulled the snippet of the PHP code that I want to
> match on and created the signature using sigtool --hex-dump, but when I
> try testing against it, there are no matches. However, if I convert the
> entire PHP file to hex using sigtool, I do find the snippet signature in
> there.
>
> grep "`awk -F: '{ print $4 }' new1.ndb`" footer.ndb
>
>
>
> Similarly, I can take the signature, convert it back to ASCII and match
> successfully against the original file:
>
> grep "`awk -F: '{ print $4 }' new1.ndb | xxd -r -p`" footer.php
>
>
>
> The hex signature is only 64 characters long so I know that I'm not
> blowing through any buffers internally (which I've done before by
> accident).
>
>
>
> The signature I've generated is:
>
> 6966202821697373657428246576613166596c62616b4263565369722929207b
>
>
>
> From the text:
>
> if (!isset($eva1fYlbakBcVSir)) {
>
>
>
>
>
> $ clamscan -d ./new1.ndb footer.php
>
> footer.php: OK
>
>
>
> ----------- SCAN SUMMARY -----------
>
> Known viruses: 1
>
> Engine version: 0.97.3
>
> Scanned directories: 0
>
> Scanned files: 1
>
> Infected files: 0
>
> Data scanned: 0.01 MB
>
> Data read: 0.01 MB (ratio 1.00:1)
>
> Time: 0.010 sec (0 m 0 s)
>
>
>
> Anyone have any ideas about this?
>
>
>
> Thanks in advance
>
>
>
> --Maarten
>
>
>
> _______________________________________________
> Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
> http://www.clamav.net/support/ml
_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml
