Hello,

Thank you for the answer.

There is probably something missing in the doc, because the signature is not working properly with the current ClamAV release 0.98.7.

I tried the following signature:

testsig:0:*:!(6e6f74)62616466756e6374696f6e28
_______________not_______badfunction(

If I scan with ClamAV 0.98.7 I still get a match for

notbadfunction(

While if I use ClamAV 0.99-rc1, it works as expected.


Do you think this is a bug in 0.98.7, or is it just not specified in the doc that this requires version 0.99?

Regards,
Deyan

Alain Zidouemba wrote:
Check out
https://github.com/vrtadmin/clamav-devel/blob/master/docs/signatures.pdf,
section 3.2.4.

You should be able to write something like:

!(not)badfunction(


FYI, PCRE support is coming in ClamAV 0.99. There is a release candidate
here if you want to try it: http://www.clamav.net/downloads

Finally, consider sharing your signature with the community, if possible:
http://blog.clamav.net/2014/02/introducing-clamav-community-signatures.html

Thanks,

- Alain

On Thu, Oct 29, 2015 at 6:05 PM, Deyan Chepishev <dchepis...@gmail.com>
wrote:

Hello,

I have a signature which matches bad things, but it is also giving me a lot
of false positives. The reason for this is that the bad code is actually a
subset of the good code, which gives me the false positive.

What I mean:

I have a signature which matches, for example:

badfunction(

however, this signature also matches:

notbadfunction(

which is giving me the false positive.

If I assume that the first one is subsig0 and the second is subsig1,

if I make an LDB signature like this:

testsig;Target:0;0&1=0;subsig0;subsig1

this will eliminate the false positives, but it will also stop catching files
which contain both of them, which is also bad.

What I am trying to achieve is the following:

file containing:
==========
badfunction(
==========
    -  should match as infected

file containing:
==========
notbadfunction(
==========
    -  should NOT match

file containing:
==========
badfunction(
notbadfunction(
==========
    -  should match as infected.


Can anyone give me a tip on how I can make this?

Thank you,

Regards,
Deyan
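An added emulation of the hex-signature semantics discussed in this thread (example code written for this page, not ClamAV's own matcher and not code from either poster). It assumes that !(hex) means "any bytes of that length except the listed values", translates the name:target:offset:hexsig line into a bytes regex, and runs both the plain signature that produced the false positive and the negated one over constructed files for the three cases in the question:

```python
import re

# Constructed sample files for the cases in the question (not real malware).
SAMPLES = {
    "bad_only": b"x = badfunction(1);\n",
    "not_only": b"x = notbadfunction(1);\n",
    "both": b"<?php\nbadfunction(1);\nnotbadfunction(1);\n",
    "bad_at_offset_0": b"badfunction(1);\n",
}
SIG_PLAIN = "plainsig:0:*:62616466756e6374696f6e28"            # badfunction(
SIG_NEGATED = "testsig:0:*:!(6e6f74)62616466756e6374696f6e28"  # !(not)badfunction(


def _hex_to_re(h: str) -> str:
    if len(h) % 2 or not re.fullmatch(r"[0-9a-fA-F]*", h):
        raise ValueError(f"bad hex: {h!r}")
    return "".join(f"\\x{h[i:i + 2]}" for i in range(0, len(h), 2))


def hexsig_to_regex(hexsig: str) -> re.Pattern:
    """Subset used in the thread: literal hex, '*', '(aa|bb)', negated '!(aa|bb)'."""
    out, pos = [], 0
    while pos < len(hexsig):
        if hexsig[pos] == "*":  # any number of bytes
            out.append(".*?")
            pos += 1
        elif hexsig[pos] in "!(":
            negated = hexsig[pos] == "!"
            start = hexsig.index("(", pos) + 1
            end = hexsig.index(")", start)
            alts = hexsig[start:end].split("|")
            widths = {len(a) // 2 for a in alts}
            if len(widths) != 1:
                raise ValueError("alternatives must have equal length")
            body = "|".join(_hex_to_re(a) for a in alts)
            # Negation (assumed semantics) rejects the listed values but still consumes that many bytes.
            out.append(f"(?!(?:{body})).{{{widths.pop()}}}" if negated else f"(?:{body})")
            pos = end + 1
        else:
            m = re.match(r"[0-9a-fA-F]+", hexsig[pos:])
            if not m:
                raise ValueError(f"unsupported token at {pos}: {hexsig[pos]!r}")
            out.append(_hex_to_re(m.group()))
            pos += m.end()
    return re.compile("".join(out).encode(), re.DOTALL)


def matches(sigline: str, data: bytes) -> bool:
    """Line layout from the thread: name:target:offset:hexsig ('*' or integer offset only)."""
    _name, _target, offset, hexsig = sigline.split(":", 3)
    pat = hexsig_to_regex(hexsig)
    return (pat.search(data) if offset == "*" else pat.match(data, int(offset))) is not None
```

Because the negated group still consumes three bytes in this emulation, a file that begins with badfunction( at offset 0 does not match the negated signature; confirm how the real engine treats that case before relying on it.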



_______________________________________________
Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml