Re: [clamav-users] Clamav cannot detect a malware using a signature based on html comment

2016-01-26 Thread Dennis Peterson
test.html
THIS IS A MALWARE

Test signatures:
this is a malware
This is a malware

test.ndb
test1:3:*:3c212d2d20546869732069732061206d616c77617265202d2d3e
test2:3:*:3c212d2d20746869732069732061206d616c77617265202d2d3e
test3:3:*:20746869732069732061206d616c7761726520
test4:3:*:205468697

Re: [clamav-users] Clamav cannot detect a malware using a signature based on html comment

2016-01-26 Thread Arnaud Jacques / SecuriteInfo.com
Hello Alain,

> Did you normalize your file? I.e. Clamscan --leave-temps?

You didn't understand :) If I normalize the file, the HTML comments are deleted. I need them to create a signature.

--
Best regards,
Arnaud Jacques
SecuriteInfo.com
Facebook : https://www.facebook.com/pages/SecuriteInfoc

Re: [clamav-users] Clamav cannot detect a malware using a signature based on html comment

2016-01-26 Thread Alain Zidouemba
Arnaud: Did you normalize your file? I.e. Clamscan --leave-temps?

- Alain

-Alain

> On Jan 26, 2016, at 6:55 AM, Arnaud Jacques / SecuriteInfo.com
> wrote:
>
> Hello Steve,
>
>> I've seen the same sometimes I've had to end up using type 0, instead
>> of 3/4/7 which isn't ideal.
>
> Even wit

Re: [clamav-users] Clamav cannot detect a malware using a signature based on html comment

2016-01-26 Thread Steve Basford
On Tue, January 26, 2016 11:54 am, Arnaud Jacques / SecuriteInfo.com wrote:
> Hello Steve,
>
>> I've seen the same sometimes I've had to end up using type 0,
>> instead of 3/4/7 which isn't ideal.
>
> Even with filetype 0 this doesn't match :

Hi Arnaud,

Can you attach a sample... see if I c

Re: [clamav-users] Clamav cannot detect a malware using a signature based on html comment

2016-01-26 Thread Arnaud Jacques / SecuriteInfo.com
Hello Steve,

> I've seen the same sometimes I've had to end up using type 0, instead
> of 3/4/7 which isn't ideal.

Even with filetype 0 this doesn't match :

# cat test.ndb
test:7:*:3c212d2d20546869732069732061206d616c77617265202d2d3e
test:7:*:3c212d2d20746869732069732061206d616c77617265202d2

Re: [clamav-users] Clamav cannot detect a malware using a signature based on html comment

2016-01-26 Thread Steve Basford
On Tue, January 26, 2016 10:49 am, Arnaud Jacques / SecuriteInfo.com wrote:
> Hello Clamav Team,
>
> I *need* to include the comment tags to avoid false positives. I tried
> several signatures : # cat test.ndb

I've seen the same sometimes I've had to end up using type 0, instead of 3/4/7 whic

[clamav-users] Clamav cannot detect a malware using a signature based on html comment

2016-01-26 Thread Arnaud Jacques / SecuriteInfo.com
Hello Clamav Team,

To detect some JS includers, I need to create a signature based on HTML comment. Here is an example

# cat test.html

I *need* to include the comment tags to avoid false positives. I tried several signatures :

# cat test.ndb
test:7:*:3c212d2d20546869732069732061206d616c77
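
The complete signatures quoted in this thread, decoded and checked against raw and comment-stripped bytes, as an added example that is not code from the thread's participants or from the ClamAV project. SAMPLE is a constructed file, and toy_normalize is an assumed simplification (drop comments, lowercase) based on the statement in the thread that normalization deletes HTML comments.

```python
import re

# Complete signatures copied from the thread (truncated ones are left out).
NDB = """\
test1:3:*:3c212d2d20546869732069732061206d616c77617265202d2d3e
test2:3:*:3c212d2d20746869732069732061206d616c77617265202d2d3e
test3:3:*:20746869732069732061206d616c7761726520
"""

# Constructed sample standing in for test.html (not the poster's file).
SAMPLE = b"<html><body>\n<!-- This is a malware -->\n<p>hello</p>\n</body></html>\n"


def parse_ndb(text):
    """Parse Name:TargetType:Offset:HexSignature lines (plain hex, no wildcards)."""
    sigs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, target, offset, hexsig = line.split(":", 3)
        sigs.append((name, int(target), offset, bytes.fromhex(hexsig)))
    return sigs


def toy_normalize(data):
    """ASSUMPTION: simplified stand-in for HTML normalization, not ClamAV's code.
    It drops <!-- --> comments and lowercases everything else."""
    return re.sub(rb"<!--.*?-->", b"", data, flags=re.DOTALL).lower()


def explain(ndb_text, sample):
    """Per signature: decoded text, hit on raw bytes, hit after normalization.
    Every offset in the thread is '*', so a plain substring search is enough."""
    normalized = toy_normalize(sample)
    return {
        name: {
            "target": target,
            "decoded": pattern.decode("ascii"),
            "raw_hit": pattern in sample,
            "normalized_hit": pattern in normalized,
        }
        for name, target, _offset, pattern in parse_ndb(ndb_text)
    }


if __name__ == "__main__":
    for name, row in explain(NDB, SAMPLE).items():
        print(name, row)
```

Under this model no signature that contains the comment text can hit the normalized buffer, whatever its letter case, while the raw bytes are matched only by the signature whose case agrees with the file.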