This is great news!
Some samples I have cannot be detected at the moment without generating a bunch of false positives. Some hints that could make life easier and drop scan times too are imho:
- (even basic) file type detection: as a minimum MZ exe's, PE exe's, maybe also scripts (vbs/bat/whatever) and innocent types as well (say gif89, jfif, riff, mpeg, etc.)
- smarter handling of the '*' wildcard: being able to limit the range between a min and a max would be great. I mean something like ".{min,max}" in posix regex
- Entrypoint detection for MZ's and PE's: this would solve the hassle with encrypting virii having very small or common decryption routines
- Also detecting the read/write/exec attribute of the PE section containing the EP can prove very useful: in fact many virii and packed worms rely on these attributes instead of using VirtualProtect and similar api's; I know this can be very tricky and painful to implement but would still be appreciated
Thanks,
acab


Tomasz Kojm wrote:
On Thu, 14 Aug 2003 13:12:20 -0400
Bennett Todd <[EMAIL PROTECTED]> wrote:


For funsies, I decided to play around with adding Eicar to my .sig.

I was unsurprised that clamscan nailed it. I was surprised to find
that Trend didn't, it allowed it through; apparently it doesn't flag
Eicar within a normal text body, only as a separate file or
attachment.

Is this business of flagging on Eicar within a text body intrinsic
to clamav, or is it a defect of the way I'm currently playing with
it?


ClamAV doesn't use position indicators in signatures and always scans
all data - generally it's a useful feature but the scanner might be
a little slower in comparison to other scanners when a file is
_huge_. The lack of position indicators sometimes causes false positive
alerts, that's why they will be implemented in the next database
format.

Best regards,
Tomasz Kojm




_______________________________________________
Clamav-devel mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/clamav-devel
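
The two ideas discussed in this thread, position indicators and a bounded `.{min,max}` wildcard, shown as an added example that is not part of the original messages and is not ClamAV code. The signature notation (`compile_sig`, `scan`, the `parts` list) is hypothetical and is not the ClamAV database format; `MARK` is a constructed stand-in for a test-file pattern.

```python
import re

def compile_sig(parts, offset=None):
    """parts: bytes literals, "*" (unbounded gap) or (min, max) bounded gaps.
    offset=None scans all data; an int pins the match to that file offset."""
    rx = b""
    for p in parts:
        if isinstance(p, bytes):
            rx += re.escape(p)              # literal signature bytes
        elif p == "*":
            rx += b".*?"                    # classic wildcard: any distance
        else:
            lo, hi = p
            rx += b".{%d,%d}" % (lo, hi)    # bounded gap, as in ".{min,max}"
    return re.compile(rx, re.DOTALL), offset

def scan(sig, data):
    rx, offset = sig
    if offset is None:
        return rx.search(data) is not None   # no position indicator
    return rx.match(data, offset) is not None  # must start exactly at offset

# Constructed sample data (not real malware or a real test file).
MARK = b"TEST-MARKER-0001"
STANDALONE = MARK                                   # pattern is the whole file
IN_BODY = b"Hello list,\n\n-- \nsig: " + MARK + b"\n"  # pattern inside mail text
NEAR = b"AAAA" + b"xyz" + b"BBBB"                   # fragments 3 bytes apart
FAR = b"AAAA" + b"x" * 5000 + b"BBBB"               # unrelated fragments, far apart

def demo():
    anywhere = compile_sig([MARK])
    at_start = compile_sig([MARK], offset=0)
    loose = compile_sig([b"AAAA", "*", b"BBBB"])
    tight = compile_sig([b"AAAA", (2, 6), b"BBBB"])
    return {
        "anywhere_in_body": scan(anywhere, IN_BODY),    # flagged in a .sig
        "at_start_in_body": scan(at_start, IN_BODY),    # not flagged
        "at_start_standalone": scan(at_start, STANDALONE),
        "loose_far": scan(loose, FAR),                  # false-positive prone
        "tight_far": scan(tight, FAR),
        "tight_near": scan(tight, NEAR),
    }

if __name__ == "__main__":
    for name, hit in demo().items():
        print(f"{name:22s} {hit}")
```
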
