Some samples I have cannot be detected at the moment without generating a bunch of false positives. Some hints that could make life easier and drop scan times too are imho:
- (even basic) file type detection: as a minimum MZ exe's, PE exe's, maybe also scripts (vbs/bat/whatever) and innocent types as well (say gif89, jfif, riff, mpeg, etc.)
- smarter handling of the '*' wildcard: being able to limit the range between a min and a max would be great. I mean something like ".{min,max}" in POSIX regex
- Entrypoint detection for MZ's and PE's: this would solve the hassle with encrypting virii having very small or common decryption routines
- Also detecting the read/write/exec attribute of the PE section containing the EP can prove very useful: in fact many virii and packed worms rely on these attributes instead of using VirtualProtect and similar APIs; I know this can be very tricky and painful to implement but would still be appreciated
Thanks,
acab
Tomasz Kojm wrote:
On Thu, 14 Aug 2003 13:12:20 -0400 Bennett Todd <[EMAIL PROTECTED]> wrote:
For funsies, I decided to play around with adding Eicar to my .sig.
I was unsurprised that clamscan nailed it. I was surprised to find that Trend didn't, it allowed it through; apparently it doesn't flag Eicar within a normal text body, only as a separate file or attachment.
Is this business of flagging on Eicar within a text body intrinsic to clamav, or is it a defect of the way I'm currently playing with it?
ClamAV doesn't use position indicators in signatures and always scans all data - generally it's a useful feature but the scanner might be a little slower in comparison to other scanners when a file is _huge_. The lack of position indicators sometimes causes false positive alerts, that's why they will be implemented in the next database format.
Best regards, Tomasz Kojm
Clamav-devel mailing list
https://lists.sourceforge.net/lists/listinfo/clamav-devel
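The entry-point and section-attribute checks requested in the message above, as an added example that is not part of the original thread and is not ClamAV code: a Python sketch that types a buffer as MZ/PE, locates the entry point, and reports the read/write/exec flags of the section containing it. The function names and the header-only sample image are constructed for illustration.

```python
import struct

# Added illustration; function names are hypothetical, not ClamAV's.
# Section characteristic bits from the PE/COFF specification.
MEM_EXECUTE, MEM_READ, MEM_WRITE = 0x20000000, 0x40000000, 0x80000000

def entry_section(data):
    """Return (entry_rva, section_name, 'rwx' flags) for a PE, else None."""
    if len(data) < 0x40 or data[:2] != b"MZ":            # basic file typing
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)   # offset of "PE\0\0"
    opt = e_lfanew + 24                                   # optional header start
    if opt + 20 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None                                       # plain MZ (DOS) or truncated
    (nsect,) = struct.unpack_from("<H", data, e_lfanew + 6)
    (opt_size,) = struct.unpack_from("<H", data, e_lfanew + 20)
    (entry_rva,) = struct.unpack_from("<I", data, opt + 16)
    for i in range(nsect):
        off = opt + opt_size + 40 * i                     # 40-byte section headers
        if off + 40 > len(data):
            break
        vsize, vaddr, rsize = struct.unpack_from("<III", data, off + 8)
        (chars,) = struct.unpack_from("<I", data, off + 36)
        if vaddr <= entry_rva < vaddr + max(vsize, rsize):
            name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
            flags = "".join(c if chars & bit else "-" for c, bit in
                            (("r", MEM_READ), ("w", MEM_WRITE), ("x", MEM_EXECUTE)))
            return entry_rva, name, flags
    return entry_rva, None, "---"                         # EP outside every section

def writable_entry(data):
    """True when the section holding the entry point is writable and executable."""
    info = entry_section(data)
    return bool(info) and "w" in info[2] and "x" in info[2]

def build_sample(chars):
    """Constructed header-only PE32 image: one .text section holding the EP."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)
    opt = struct.pack("<HBBIIII", 0x10B, 0, 0, 0, 0, 0, 0x1000).ljust(0xE0, b"\0")
    sect = struct.pack("<8sIIIIIIHHI", b".text", 0x200, 0x1000, 0x200, 0x200,
                       0, 0, 0, 0, chars)
    return dos + coff + opt + sect

if __name__ == "__main__":
    for chars in (MEM_READ | MEM_EXECUTE, MEM_READ | MEM_WRITE | MEM_EXECUTE):
        sample = build_sample(chars)
        print(entry_section(sample), "flag" if writable_entry(sample) else "ok")
```

A writable and executable entry section is only a hint: legitimate packers and some compilers produce it too, so it narrows where a signature is applied rather than replacing the signature.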
