Could be a whitespace character issue. Try to see if ClamAV normalizes your php script:

clamscan --debug --leave-temps --tempdir=yourtempdir yourphpscript.php

Go to yourtempdir and see if there is a file(s) there. Look for any differences between it and your original file. Base your signature on the file(s) from yourtempdir.

Hope that helps.

- Alain

On Wed, May 2, 2012 at 2:29 PM, Maarten Broekman <mbroek...@maileig.com> wrote:
> I'm having some issues creating a hex signature to match some PHP code
> I've run across. I've pulled the snippet of the PHP code that I want to
> match on and created the signature using sigtool --hex-dump, but when I
> try testing against it, there are no matches. However, if I convert the
> entire PHP file to hex using sigtool, I do find the snippet signature in
> there.
>
> grep "`awk -F: '{ print $4 }' new1.ndb`" footer.ndb
>
> Similarly, I can take the signature, convert it back to ASCII and match
> successfully against the original file:
>
> grep "`awk -F: '{ print $4 }' new1.ndb | xxd -r -p`" footer.php
>
> The hex signature is only 64 characters long so I know that I'm not
> blowing through any buffers internally (which I've done before by
> accident).
>
> The signature I've generated is:
>
> 6966202821697373657428246576613166596c62616b4263565369722929207b
>
> From the text:
>
> if (!isset($eva1fYlbakBcVSir)) {
>
> $ clamscan -d ./new1.ndb footer.php
> footer.php: OK
>
> ----------- SCAN SUMMARY -----------
> Known viruses: 1
> Engine version: 0.97.3
> Scanned directories: 0
> Scanned files: 1
> Infected files: 0
> Data scanned: 0.01 MB
> Data read: 0.01 MB (ratio 1.00:1)
> Time: 0.010 sec (0 m 0 s)
>
> Anyone have any ideas about this?
>
> Thanks in advance
>
> --Maarten
>
> _______________________________________________
> Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
> http://www.clamav.net/support/ml
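
One way to do the comparison suggested in the reply above, as an added example that is not part of the original thread or of ClamAV: it checks whether the quoted signature occurs literally in each file and, where it does not, finds the same statement under different case or whitespace and prints the hex of the bytes actually present. The helper names and the SAMPLE contents are constructed for illustration; real files left in yourtempdir will differ.

```python
import re
import sys
from pathlib import Path

# Snippet and body signature quoted in the thread.
SNIPPET = b"if (!isset($eva1fYlbakBcVSir)) {"
SIG_HEX = "6966202821697373657428246576613166596c62616b4263565369722929207b"

def tolerant_pattern(snippet: bytes) -> re.Pattern:
    """Regex matching the snippet regardless of letter case or whitespace layout."""
    chars = [re.escape(bytes([b])) for b in snippet if not chr(b).isspace()]
    return re.compile(rb"\s*".join(chars), re.IGNORECASE)

def candidate_signatures(data: bytes, snippet: bytes) -> list[str]:
    """Hex of each distinct byte run in data that corresponds to the snippet."""
    seen = []
    for m in tolerant_pattern(snippet).finditer(data):
        h = m.group(0).hex()
        if h not in seen:
            seen.append(h)
    return seen

def report(sig_hex: str, snippet: bytes, files: dict[str, bytes]) -> dict[str, dict]:
    """Per file: does the literal signature occur, and what would match instead?"""
    sig = bytes.fromhex(sig_hex)
    return {
        name: {"literal_hit": sig in data,
               "candidates": candidate_signatures(data, snippet)}
        for name, data in files.items()
    }

# Constructed stand-ins: the original file, and a lower-cased, whitespace-collapsed
# copy of the kind one might find in yourtempdir (real temp files will differ).
SAMPLE = {
    "footer.php": b"<?php\r\nif (!isset($eva1fYlbakBcVSir)) {\r\n  echo 1;\r\n}\r\n",
    "yourtempdir/normalized": b"<?php if (!isset($eva1fylbakbcvsir)) { echo 1; }",
}

if __name__ == "__main__":
    # Usage: script.py footer.php yourtempdir   (no arguments: run on SAMPLE)
    files = SAMPLE
    if len(sys.argv) == 3:
        paths = [Path(sys.argv[1])] + [p for p in Path(sys.argv[2]).rglob("*") if p.is_file()]
        files = {str(p): p.read_bytes() for p in paths}
    for name, r in report(SIG_HEX, SNIPPET, files).items():
        print(name, "literal hit" if r["literal_hit"] else "no literal hit")
        for h in r["candidates"]:
            print("  candidate body signature:", h)
```

A candidate printed for a temp file but not for the original is the hex to put in the fourth field of the .ndb entry, which is the field the awk command in the quoted message extracts.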