Re: [clamav-users] negate part of signature

2015-10-29 Thread Alain Zidouemba
Check out https://github.com/vrtadmin/clamav-devel/blob/master/docs/signatures.pdf, section 3.2.4. You should be able to write something like:

!(not)badfunction(

FYI, PCRE support is coming in ClamAV 0.99. There is a release candidate here if you want to try it: http://www.clamav.net/downloads

[clamav-users] negate part of signature

2015-10-29 Thread Deyan Chepishev
Hello, I have a signature which matches bad things, but is also giving me a lot of false positives. The reason for this is that the bad code is actually a subset of the good code, which gives me the false positive. What I mean: I have a signature which matches, for example: badfunction( howe