Hello,
On 08.09.2014 at 16:58, Steve Basford wrote:
Hi,
Tricky :(
Copy this into not_tested.ndb
test.ercynpr:7:*:3D7374725F726F74313328??636572745F657263796E7072??293B2024
test.cryptbot:7:*:3D22{12}225E22{40}3B2024
Thanks, this seems to work. I will try it. Hopefully only a few FP.
Tha
Because plugin developers do nutty things, I'd probably combine the two
into a single signature to reduce possible false positives, but other than
that it looks like those. I've seen non-malicious CMS plugins that use
similar obfuscation techniques, though I'm certainly willing to use these
as is
On Mon, September 8, 2014 3:04 pm, Hajo Locke wrote:
>
> What should I do now? Is there a trick to find a signature which fits
> for all samples or do I have to create a different signature for every
> sample?
Hi,
Tricky :(
Copy this into not_tested.ndb
test.ercynpr:7:*:3D7374725F726F74313328?
Hajo,
Would you be interested in sharing the signatures you create with the
ClamAV community? If so, please check out the process here:
http://blog.clamav.net/2014/02/introducing-clamav-community-signatures.html
As for signatures for obfuscated PHP, it really does depend on the code you
are looki
Hello,
Sorry for the links to my translator. I thought Thunderbird was removing this
when choosing pure-text format.
Now it is readable:
On 08.09.2014 at 16:04, Hajo Locke wrote:
Hello,
From time to time I create some signatures from what I found in
the PHP code of my users.
Now I found some malwa
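
Added example, not part of any message in this thread: a Python sketch that decodes the two `.ndb` lines Steve Basford posted and runs them over constructed byte strings, to show what each pattern literally matches when judging false-positive risk. It handles only the wildcard forms those two lines use (plus `*`), matches raw bytes without ClamAV's own file-type handling, and all function names and sample inputs are assumptions made for the illustration.

```python
import re

# The two .ndb lines from the thread: Name:TargetType:Offset:HexSignature
NDB_LINES = [
    "test.ercynpr:7:*:3D7374725F726F74313328??636572745F657263796E7072??293B2024",
    "test.cryptbot:7:*:3D22{12}225E22{40}3B2024",
]
TOKEN = re.compile(r"\?\?|\{(\d+)\}|\*|([0-9A-Fa-f]{2})")

def ndb_to_regex(hexsig):
    """Translate hex bytes, ?? (any byte), {n} (exactly n bytes) and
    * (any run of bytes) into an equivalent bytes regex."""
    parts, pos = [], 0
    while pos < len(hexsig):
        m = TOKEN.match(hexsig, pos)
        if m is None:
            raise ValueError(f"unsupported token at offset {pos}: {hexsig[pos:pos+8]!r}")
        if m.group(0) == "??":
            parts.append(b".")
        elif m.group(0) == "*":
            parts.append(b".*")
        elif m.group(1):
            parts.append(b".{" + m.group(1).encode() + b"}")
        else:
            parts.append(re.escape(bytes.fromhex(m.group(2))))
        pos = m.end()
    return re.compile(b"".join(parts), re.DOTALL)

def load(lines):
    """Map signature name -> compiled pattern (target type and offset ignored here)."""
    sigs = {}
    for line in lines:
        name, _target, _offset, hexsig = line.split(":", 3)
        sigs[name] = ndb_to_regex(hexsig)
    return sigs

def scan(data, sigs):
    """Return the sorted names of all signatures that match the byte string."""
    return sorted(name for name, rx in sigs.items() if rx.search(data))

SIGS = load(NDB_LINES)
# Constructed inputs (inert fragments, not taken from the thread's samples).
ROT13_CALL = b"$f=str_rot13('cert_ercynpr'); $x"
XOR_STRINGS = b'$k="' + b"A" * 12 + b'"^"' + b"B" * 39 + b'"; $x'
PLAIN_ROT13 = b"$name = str_rot13($input); echo $name;"

if __name__ == "__main__":
    for label, data in [("rot13 call", ROT13_CALL), ("xor strings", XOR_STRINGS),
                        ("plain rot13", PLAIN_ROT13)]:
        print(label, "->", scan(data, SIGS))
```

The literal `cert_ercynpr` in the first signature is `preg_replace` under ROT13; the second signature is purely structural (two quoted strings of fixed length joined by `^`), which is where the false-positive concern raised in the thread applies most.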