Check out https://github.com/vrtadmin/clamav-devel/blob/master/docs/signatures.pdf, section 3.2.4.
You should be able to write something like:

!(not)badfunction(

FYI, PCRE support is coming in ClamAV 0.99. There is a release candidate here if you want to try it: http://www.clamav.net/downloads

Finally, consider sharing your signature with the community, if possible: http://blog.clamav.net/2014/02/introducing-clamav-community-signatures.html

Thanks,
- Alain

On Thu, Oct 29, 2015 at 6:05 PM, Deyan Chepishev <dchepis...@gmail.com> wrote:
> Hello,
>
> I have a signature which matches bad things, but is also giving me a lot
> of false positives. The reason for this is that the bad code is actually a
> subset of the good code, which gives me the false positive.
>
> What I mean:
>
> I have a signature which matches, for example:
>
> badfunction(
>
> however, this signature also matches:
>
> notbadfunction(
>
> which is giving me the false positive.
>
> If I assume that the first one is subsig0 and the second is subsig1,
> and I make an LDB signature like this:
>
> testsig;Target:0;0&1=0;subsig0;subsig1
>
> this will eliminate the false positives, but will also stop catching files
> which contain both of them, which is also bad.
>
> What I am trying to achieve is the following:
>
> file containing:
> ==========
> badfunction(
> ==========
> - should match as infected
>
> file containing:
> ==========
> notbadfunction(
> ==========
> - should NOT match
>
> file containing:
> ==========
> badfunction(
> notbadfunction(
> ==========
> - should match as infected.
>
> Can anyone give me a tip on how I can do this?
>
> Thank you,
>
> Regards,
> Deyan
>
> _______________________________________________
> Help us build a comprehensive ClamAV guide:
> https://github.com/vrtadmin/clamav-faq
>
> http://www.clamav.net/contact.html#ml
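As an added illustration (not code from this thread or from ClamAV itself), the Python script below emulates the two approaches on the three sample files Deyan lists: the logical-signature expression 0&1=0, with subsignature hits counted as plain byte-pattern occurrences the way ClamAV counts them, and a context-anchored match written as a PCRE negative lookbehind. The lookbehind form is my assumption about how the idea would be expressed with PCRE subsignatures; it is not the !(not) hex form suggested above.

```python
import re

# Constructed sample inputs: the three cases listed in Deyan's message.
SAMPLE_FILES = {
    "bad_only":  b"badfunction(",
    "good_only": b"notbadfunction(",
    "both":      b"badfunction(\nnotbadfunction(",
}

# subsig0 and subsig1 as named in the thread.
SUBSIGS = [b"badfunction(", b"notbadfunction("]


def subsig_counts(data: bytes) -> list:
    """Count hits for each subsignature. ClamAV matches subsignatures as
    plain byte patterns anywhere in the file, so 'badfunction(' also hits
    inside 'notbadfunction(' and is counted twice in the third sample."""
    return [data.count(s) for s in SUBSIGS]


def ldb_0_and_1_eq_0(data: bytes) -> bool:
    """Emulate the logical expression '0&1=0': subsig0 seen at least once
    AND subsig1 seen exactly zero times. Correct for the first two samples,
    but the third sample is missed because subsig1 is present there too."""
    c0, c1 = subsig_counts(data)
    return c0 > 0 and c1 == 0


def anchored_match(data: bytes) -> bool:
    """Context-anchored alternative: 'badfunction(' that is not immediately
    preceded by 'not'. Written as a PCRE negative lookbehind (assumption:
    how the idea would be expressed with PCRE subsignatures; this is not
    the !(not) hex form suggested in the reply)."""
    return re.search(rb"(?<!not)badfunction\(", data) is not None


def verdicts(data: bytes) -> dict:
    """Both verdicts for one file, for side-by-side comparison."""
    return {"0&1=0": ldb_0_and_1_eq_0(data), "anchored": anchored_match(data)}


def run_all() -> dict:
    """Verdicts for every sample file, keyed by sample name."""
    return {name: verdicts(data) for name, data in SAMPLE_FILES.items()}


if __name__ == "__main__":
    for name, result in run_all().items():
        print(name, subsig_counts(SAMPLE_FILES[name]), result)
```

Running it shows the third sample is the one where the two approaches disagree: the logical expression rejects it, the anchored match flags it.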