Hi, Okay, that sounds like the right approach. I thought it surely was something simple like that. I'm glad to hear that everything's ok :)

On 03/05/15, Andy Singer wrote:
> Hi,
> It depends on how the signature was written. In the case of eicar, it is
>
> Eicar-Test-Signature:0:0:58354f2150254041505b345c505a58353428505e2937434329377d2445494341522d5354414e444152442d414e544956495255532d544553542d46494c452124482b482a
>
> so it will be detected only if the eicar pattern is at position 0 of
> the file. If you change the signature to
>
> Eicar-Test-Signature:0:*:58354f2150254041505b345c505a58353428505e2937434329377d2445494341522d5354414e444152442d414e544956495255532d544553542d46494c452124482b482a
>
> the file will be detected regardless of where the pattern appears. In the
> case of WIN.Trojan.DarkKomet, the signature is,
>
> WIN.Trojan.DarkKomet:1:*:657473746174202d61202d6e202d6f00000000ffffffff0d00000044444f5348545450464c4f4f44000000ffffffff0c00000044444f5353594e464c4f4f4400000000ffffffff0c00000044444f53554450464c4f4f4400000000ffffffff0a0000005b436861
>
> This can be present anywhere in a file, but only if it's a PE file. If you
> prepend random data to the file, it will no longer have an MZ header, and
> ClamAV will not recognize it as a PE file, so the signature will be
> ignored. In the signature, change the target (1= PE) to (0= any) and you
> can prepend random data.
>
> ClamAV was designed for scanning files, not shellcode. If a file doesn't
> have an MZ header, Windows won't execute it, so there's no need for ClamAV
> to continue checking for PE signatures.
_______________________________________________
http://lurker.clamav.net/list/clamav-devel.html
Please submit your patches to our Bugzilla: http://bugs.clamav.net
http://www.clamav.net/contact.html#ml
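
Added example, not part of the original thread and not ClamAV's own code: a simplified Python model of how the Target and Offset fields of the Name:Target:Offset:HexSignature lines quoted above decide whether a pattern matches. The signature names, the marker pattern and the sample buffers are constructed, and PE recognition is reduced (as an assumption) to the MZ-header check the reply describes.

```python
from dataclasses import dataclass

@dataclass
class NdbSignature:
    name: str
    target: int     # 0 = any file, 1 = PE (the two values used in the thread)
    offset: str     # "*" = anywhere, or an absolute decimal offset such as "0"
    pattern: bytes

def parse_ndb(line: str) -> NdbSignature:
    """Split Name:Target:Offset:HexSignature (plain hex only, no wildcards)."""
    name, target, offset, hexsig = line.strip().split(":", 3)
    return NdbSignature(name, int(target), offset, bytes.fromhex(hexsig))

def looks_like_pe(data: bytes) -> bool:
    # Assumption: simplified to the MZ-header check described in the reply.
    return data[:2] == b"MZ"

def matches(sig: NdbSignature, data: bytes) -> bool:
    if sig.target not in (0, 1):
        raise ValueError(f"target {sig.target} not modelled here")
    if sig.target == 1 and not looks_like_pe(data):
        return False                      # PE-only signature is skipped entirely
    if sig.offset == "*":
        return sig.pattern in data        # pattern may appear anywhere
    if sig.offset.isdigit():
        return data.startswith(sig.pattern, int(sig.offset))
    raise ValueError(f"offset {sig.offset!r} not modelled here")

# Constructed sample data: a harmless marker, not a real malware pattern.
MARKER = b"DEMO-PATTERN"
SIGS = {s.name: s for s in map(parse_ndb, [
    f"Demo.Fixed:0:0:{MARKER.hex()}",
    f"Demo.Anywhere:0:*:{MARKER.hex()}",
    f"Demo.PEOnly:1:*:{MARKER.hex()}",
])}
PE_FILE = b"MZ" + b"\x00" * 62 + MARKER      # constructed stand-in for a PE file
SAMPLES = {
    "marker_at_0": MARKER + b" trailing data",
    "marker_shifted": b"junk" + MARKER,
    "pe": PE_FILE,
    "pe_with_prefix": b"XX" + PE_FILE,       # prepended bytes hide the MZ header
}

def run_demo() -> dict:
    return {(n, s): matches(sig, data)
            for n, sig in SIGS.items() for s, data in SAMPLES.items()}

if __name__ == "__main__":
    for (sig_name, sample), hit in run_demo().items():
        print(f"{sig_name:14} {sample:15} {'MATCH' if hit else '-'}")
```

The table it prints shows why a target-1 signature stops matching once the buffer no longer begins with MZ, while the same pattern under target 0 with offset * still matches.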