Nigel,

On Fri, 2004-12-10 at 20:57, dale wrote:
Hello,
Can anyone direct me to a script sh/perl/etc that can find the smallest area within a file that has a virus signature? I have a 700MB iso file with a false positive, and I would like to submit only the signature part of the file to someone for analysis.
You don't say your operating system, but if it's Linux you can mount the ISO image (mount -o loop) then use clamscan -r to find the file.
Dale
-Nigel
I should have mentioned my OS (sorry about that). I am using Linux (SME server 6.0.1). I have mounted the iso and no files within the iso fail (see below for details). I have also googled and found 2 other potential false positives with this signature and with iso files (see urls below).
Thanks,
Dale
http://ubuntuforums.org/showthread.php?s=c11d9edc7d58928ab1350a61ede92194&p=25277#post25277
http://www.linuxquestions.org/questions/history/258299
[EMAIL PROTECTED] root]# clamscan /home/e-smith/files/ibays/mirror/html/linux/k12ltsp/K12LTSP-all/iso/K12LTSP-4.1.1-disc2.iso
/home/e-smith/files/ibays/mirror/html/linux/k12ltsp/K12LTSP-all/iso/K12LTSP-4.1.1-disc2.iso: Trojan.URLspoof.gen FOUND
----------- SCAN SUMMARY -----------
Known viruses: 26012
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 51.75 MB
I/O buffer size: 131072 bytes
Time: 15.055 sec (0 m 15 s)
[EMAIL PROTECTED] root]# mkdir /mnt/temp
[EMAIL PROTECTED] root]# mount -t iso9660 -o loop /home/e-smith/files/ibays/mirror/html/linux/k12ltsp/K12LTSP-all/iso/K12LTSP-4.1.1-disc2.iso /mnt/temp
[EMAIL PROTECTED] root]# clamscan -r /mnt/temp/ 2> results.txt
[EMAIL PROTECTED] root]# grep -v OK results.txt
----------- SCAN SUMMARY -----------
Known viruses: 26012
Scanned directories: 3
Scanned files: 408
Infected files: 0
Data scanned: 647.10 MB
I/O buffer size: 131072 bytes
Time: 201.286 sec (3 m 21 s)
[EMAIL PROTECTED] root]# umount /mnt/temp
[EMAIL PROTECTED] root]# clamscan -V
clamscan / ClamAV version 0.75.1
[EMAIL PROTECTED] root]#
_______________________________________________
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
