Hi Tomasz!
Tomasz Kojm wrote:
On Sat, 24 Jun 2006 18:41:13 -0400
Nicolas Riendeau <[EMAIL PROTECTED]> wrote:
I'm not sure but it almost looks like once the first (xx|yy) wildcard
content matches the rest are not tested (the number of bytes and the static
bytes must still match though). But the
On Sat, 24 Jun 2006 18:41:13 -0400
Nicolas Riendeau <[EMAIL PROTECTED]> wrote:
> Hi!
>
> Tomasz Kojm wrote:
> > On Sat, 24 Jun 2006 17:33:29 -0400
> > Nicolas Riendeau <[EMAIL PROTECTED]> wrote:
> >
> >>It looks like I'm not out of the woods yet as it almost looks like every
> >>two bytes there m
Nicolas Riendeau wrote:
> or sometimes is messed up in one of the system libraries on my pc...
oops, something...
Nick
___
http://lurker.clamav.net/list/clamav-users.html
Hi!
Tomasz Kojm wrote:
On Sat, 24 Jun 2006 17:33:29 -0400
Nicolas Riendeau <[EMAIL PROTECTED]> wrote:
It looks like I'm not out of the woods yet as it almost looks like every
two bytes there must be a static byte because otherwise I get FPs...
I made some additionnal tests and I'm no longer
On Sat, 24 Jun 2006 17:33:29 -0400
Nicolas Riendeau <[EMAIL PROTECTED]> wrote:
> > The first two bytes must be 'static', so "(61|41)(6e|4e)" must be replaced
> > with two hex numbers (so you may need to use four separate signatures or
> > rely on the normaliser as suggested by aCaB). This limitati
Hi!
Tomasz Kojm wrote:
On Wed, 21 Jun 2006 19:11:44 -0400
Nicolas Riendeau <[EMAIL PROTECTED]> wrote:
[eg Joke.local.EricssonHoax:0:*:(61|41)(6e|4e)(6e|4e)(61|41)... ]
This thingy's not going to work, sorry.
It doesn't work but the thing I don't understand is why... According to the
docs t
On Wed, 21 Jun 2006 19:11:44 -0400
Nicolas Riendeau <[EMAIL PROTECTED]> wrote:
> >>[eg Joke.local.EricssonHoax:0:*:(61|41)(6e|4e)(6e|4e)(61|41)... ]
> >
> >
> > This thingy's not going to work, sorry.
>
> It doesn't work but the thing I don't understand is why... According to the
> docs that sy
Hi!
aCaB wrote:
Nicolas Riendeau wrote:
It is part of the message (which could be in text/plain or text/html)...
[there is a risk that QP or base64 could make it not work I guess (does
Clamav takes care of this?) but the test file I'm using doesn't use
either...]
Yup, Clamav will decode tha
Nicolas Riendeau wrote:
> It is part of the message (which could be in text/plain or text/html)...
>
> [there is a risk that QP or base64 could make it not work I guess (does
> Clamav takes care of this?) but the test file I'm using doesn't use
> either...]
Yup, Clamav will decode that.
>
> To
Hi!
Dennis Peterson wrote:
Is this part of the message in an attachment that is fed to clamav?
dp
___
http://lurker.clamav.net/list/clamav-users.html
It is part of the message (which could be in text/plain or text/html)...
[there is a risk that Q
Nicolas Riendeau wrote:
Hi!
I have been trying to add a signature to detect an hoax and I can't seem
to get it right...
What I have been trying to use to detect that hoax is the email address
they refer to which is always [EMAIL PROTECTED] (regarless of
the language the message is written i
Hi!
I have been trying to add a signature to detect an hoax and I can't seem to get it
right...
What I have been trying to use to detect that hoax is the email address they refer to
which is always [EMAIL PROTECTED] (regarless of the language the message is
written in).
If I write don't us
12 matches
Mail list logo
