I can reproduce the Malformed pattern problem with a file with just the one signature:
Xls.Downloader.Powload-6923120-0, which is an even longer one. This is 4 signatures before Doc.Trojan.Agent-6923124-0 in daily.ldb.

sigtool reports the wrong line numbering, e.g. with a file with just Xls.Downloader.Powload-6923120-0 it reports the problem as being on line 2. It seems to be 4 lines out when reporting on the whole daily.ldb.

Again, sigtool --find Xls.Downloader.Powload-6923120-0 | sigtool --decode-sigs doesn't show a problem.

clamscan --debug -d file_with_just_the_sig_above.ldb somefile doesn't show a problem.

Xls.Downloader.Powload-6923120-0 turned up in daily 25410, which was when the problem started.

Maybe sigtool --list can't handle long signatures in ClamAV 0.100.2.

There does seem a pointlessness to signatures based upon exact variable names etc. that are obfuscated and likely will vary with each sample. A regex signature to get any variable name would be better.

David Shrimpton

________________________________________
From: clamav-users <clamav-users-boun...@lists.clamav.net> on behalf of Arnaud Jacques <webmas...@securiteinfo.com>
Sent: Saturday, April 6, 2019 12:27 AM
To: clamav-users@lists.clamav.net
Subject: Re: [clamav-users] Malformed pattern daily.ldb version 25410

Hello,

> sigtool --find-sigs Doc.Trojan.Agent-6923124-0 | sigtool --decode-sigs

I don't understand why this signature is so long, and why it is based on always changing variables.
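
The line number and length of a named signature, as discussed in this thread, can be checked without relying on sigtool's own reporting. The script below is an added example, not part of the original messages or of ClamAV. It assumes the logical-signature layout Name;TargetDescriptionBlock;LogicalExpression;Subsig0;Subsig1;... and the signature names and patterns in SAMPLE are constructed.

```python
"""Find a logical signature in a ClamAV .ldb file; report its line and size."""
import sys
from typing import Iterable, Iterator, List, NamedTuple, Optional


class SigInfo(NamedTuple):
    line_no: int         # 1-based physical line in the file
    name: str
    line_len: int        # characters in the whole signature line
    subsig_count: int
    longest_subsig: int  # characters in the longest subsignature


def parse_ldb(lines: Iterable[str]) -> Iterator[SigInfo]:
    # Assumed layout: Name;TargetDescriptionBlock;LogicalExpression;Subsig0;Subsig1;...
    for line_no, raw in enumerate(lines, start=1):
        line = raw.rstrip("\r\n")
        fields = line.split(";")
        if len(fields) < 4:
            continue  # blank or incomplete line: skipped, but still counted
        subsigs = fields[3:]
        yield SigInfo(line_no, fields[0], len(line), len(subsigs),
                      max(len(s) for s in subsigs))


def locate(lines: Iterable[str], name: str) -> Optional[SigInfo]:
    """Return the first signature with this exact name, or None."""
    return next((s for s in parse_ldb(lines) if s.name == name), None)


def longest(lines: Iterable[str], top: int = 5) -> List[SigInfo]:
    """Return the `top` longest signature lines, longest first."""
    return sorted(parse_ldb(lines), key=lambda s: s.line_len, reverse=True)[:top]


# Constructed sample database (names and patterns are made up for this example).
SAMPLE = [
    "Example.Short-1;Target:0;0;41414141",
    "",
    "Example.Multi-2;Target:2;0&1;4d5a;504b0304",
    "Example.Long-3;Target:2;0;" + "ab" * 600,
]

if __name__ == "__main__":
    if len(sys.argv) == 3:   # usage: script.py daily.ldb Signature.Name
        with open(sys.argv[1], encoding="latin-1") as fh:
            print(locate(fh, sys.argv[2]))
    else:
        print(locate(SAMPLE, "Example.Long-3"))
        print(longest(SAMPLE, top=2))
```

Comparing the reported line_no with the line number in sigtool's error message shows whether the tool's numbering is offset, and longest() lists the signatures most likely to hit a length limit.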