On Wed, 22 Mar 2017, Hajo Locke wrote:

> Thank you Steve. I could find the lines and removed them. How could you decode
> this signature?

~$ sigtool --find-sigs Html.Phishing.Auction-214 | sigtool --decode-sigs
VIRUS NAME: Html.Phishing.Auction-214
TARGET TYPE: HTML
OFFSET: *
DECODED SIGNATURE:
sein, weil sie [... snipped ...] aktualisiert wurde

> Especially interesting is that the virus was found in the complete sql-file but not in
> the split subfiles. Maybe target type is ignored at filesize x?
> The complete sql file is 4.6mb

I guess that the string that was looked for spanned a subfile boundary
and was split over two subfiles.

Regards,
Kees.

--
Kees Theunissen,
System and network administrator, Tel: 040-3334724
Dutch Institute For Fundamental Energy Research (DIFFER)
e-mail address: c.j.theunis...@differ.nl
postal address: Postbus 6336, 5600 HH, Eindhoven
visiting address: De Zaale 20, 5612 AJ, Eindhoven
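
The boundary effect described in the reply above, as an added example that is not part of the original thread and is not ClamAV code. A plain byte-substring search stands in for the scanner's signature match, and the needle, the filler data and the piece sizes are all constructed.

```python
# Constructed stand-in for a decoded body signature (not the real ClamAV one).
NEEDLE = b"constructed signature body text"
FILLER = b"INSERT INTO t VALUES ('x');\n"   # constructed dump-like filler


def build_sample(cut: int) -> bytes:
    """Dump-like data with NEEDLE starting 10 bytes before offset `cut`."""
    head = (FILLER * cut)[:cut - 10]
    return head + NEEDLE + FILLER * 4


def split_plain(data: bytes, size: int) -> list[bytes]:
    """Consecutive pieces of `size` bytes, as `split -b` would produce."""
    return [data[i:i + size] for i in range(0, len(data), size)]


def split_overlapping(data: bytes, size: int, needle_len: int) -> list[bytes]:
    """Pieces that also carry the next needle_len - 1 bytes, so a needle that
    starts inside a piece is always complete in that piece."""
    extra = needle_len - 1
    return [data[i:i + size + extra] for i in range(0, len(data), size)]


def hits(pieces: list[bytes], needle: bytes) -> list[int]:
    """Indexes of the pieces that contain the whole needle."""
    return [n for n, piece in enumerate(pieces) if needle in piece]


def crossing_offsets(data: bytes, needle: bytes, size: int) -> list[int]:
    """Offsets of needle occurrences whose bytes fall into two pieces."""
    found, pos = [], data.find(needle)
    while pos != -1:
        if pos // size != (pos + len(needle) - 1) // size:
            found.append(pos)
        pos = data.find(needle, pos + 1)
    return found


if __name__ == "__main__":
    data = build_sample(64)
    print("whole file matches:    ", NEEDLE in data)
    print("plain 64-byte pieces:  ", hits(split_plain(data, 64), NEEDLE))
    print("plain 100-byte pieces: ", hits(split_plain(data, 100), NEEDLE))
    print("overlapping pieces:    ", hits(split_overlapping(data, 64, len(NEEDLE)), NEEDLE))
    print("occurrences cut at 64: ", crossing_offsets(data, NEEDLE, 64))
```

Whether a split file still matches depends only on where the cuts fall relative to the matched bytes, which is why the same data can be detected whole, missed at one piece size and detected again at another.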