Tomasz, thanks for the prompt reply.

Some of the names are just numbers, e.g. "_0017_0001_002".
What do they mean?

I am not completely sure how Clam AV works... but does
it sequentially look for all of those binary patterns
in the file? Wouldn't that be awfully slow? (I haven't
tried, though.)
E.g. let's say there is a file which is not
infected...
Then clam would end up doing something like:

For each AV pattern
     Search ENTIRE file for that pattern.

Considering that there are 7747 patterns and that for
each pattern it searches the entire file, it seems it'd
be very slow. Is that true?

Also, I always thought that pattern search meant
looking for a particular sequence of bits at a
particular location (offset) in the file. I don't see
the Clam database having any such information. Am I
missing something?



Thanks in advance,
Learner!



--- Tomasz Kojm <[EMAIL PROTECTED]> wrote:
> > Hi all,
> > 
> > I was wondering if someone could explain the syntax
> > of the signature file and how it is parsed by Clam.
> 
> Hi,
> 
> it's very simple - the format is:
> virus name=hex_code
> 
> where hex_code is binary data transformed into a
> hexadecimal string.
> You can create hex code with sigtool:
>       cat somedata | sigtool --hex-dump > somedata.hex
> 
> Best regards,
> Tomasz Kojm
> -- 
>       oo    .....             [EMAIL PROTECTED]
>      (\/)\.........           http://www.konarski.edu.pl/~zolw
>         \..........._         And don't forget to click on the belly...
>           //\   /\\   <- C. Amboinensis   www.pajacyk.pl
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
> 
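
Added example, not part of the thread and not ClamAV's own code: a parser for the `virus name=hex_code` format quoted above, followed by a single-pass multi-pattern search (Aho-Corasick, chosen here for illustration) that reads the file once for all signatures and reports the offset of each hit without any offset being stored in the database. The signature names, byte values and function names are constructed for this sketch.

```python
from collections import deque

# Constructed sample database in the "virus name=hex_code" format (made-up entries).
SAMPLE_DB = "Demo.Alpha=deadbeef\nDemo.Beta=beefcafe00\nDemo.Gamma=4d5a9000\n"

def parse_db(text):
    """Turn 'name=hex_code' lines into (name, bytes) pairs; blank lines are skipped."""
    sigs = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip():
            continue
        name, sep, hexcode = raw.strip().rpartition("=")
        if not (sep and name and hexcode):
            raise ValueError(f"line {lineno}: expected name=hex_code")
        sigs.append((name, bytes.fromhex(hexcode)))  # ValueError on bad hex
    return sigs

def build_automaton(sigs):
    """Build one trie over all patterns, then add failure links breadth-first."""
    goto, fail, out = [{}], [0], [[]]
    for name, pat in sigs:
        state = 0
        for b in pat:
            if b not in goto[state]:
                goto.append({}); fail.append(0); out.append([])
                goto[state][b] = len(goto) - 1
            state = goto[state][b]
        out[state].append((name, len(pat)))  # pattern ends in this state
    queue = deque(goto[0].values())  # depth-1 states fail back to the root
    while queue:
        s = queue.popleft()
        for b, t in goto[s].items():
            queue.append(t)
            f = fail[s]
            while f and b not in goto[f]:
                f = fail[f]
            fail[t] = goto[f].get(b, 0)  # longest proper suffix that is a prefix
            out[t] = out[t] + out[fail[t]]  # inherit patterns ending at that suffix
    return goto, fail, out

def scan(data, automaton):
    """Read data once; return (name, start_offset) for every pattern found."""
    goto, fail, out = automaton
    state, hits = 0, []
    for i, b in enumerate(data):
        while state and b not in goto[state]:
            state = fail[state]
        state = goto[state].get(b, 0)
        hits.extend((name, i - n + 1) for name, n in out[state])
    return hits
```

The cost of `scan` grows with the file length plus the number of hits, not with the number of signatures times the file length as in the "for each pattern, search entire file" loop.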

