At 02:54 PM 7/27/2005, [EMAIL PROTECTED] wrote:
q# wrote:
> Wrong signature format: zmd != ndb
Alright - where's the documentation of the zmd database format?
Does sigtool --list-sigs | grep "Zip.Empty" have any output? That should
at least verify whether the sig is being loaded.
Recent clamav (0.86.2, probably some earlier versions) should detect
modified zips as "Exploit.Zip.ModifiedHeaders"
The detection is built into the unzip code, there isn't an actual signature.
If your zip file is hacked "correctly" clamav should detect it already.
You can get a pre-hacked eicar zip to test from
http://www.webmail.us/testvirus test # 26.
--
Noel Jones
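
An added illustration, not part of the original message and not ClamAV's code, of a structural check that needs no signature: compare each entry's local file header with its central directory record. The thread does not say which fields ClamAV's unzip code compares, so the fields below, the sample archive and the function names are assumptions.

```python
import io
import struct
import zipfile

LOCAL_SIG = b"PK\x03\x04"
PAYLOAD = b"constructed sample payload\n"  # constructed test data


def build_sample() -> bytes:
    """Build a small, well-formed one-entry archive in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("sample.txt", PAYLOAD)
    return buf.getvalue()


def header_mismatches(data: bytes) -> list:
    """Return (name, field, central_value, local_value) per disagreement."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:  # parses central directory only
        for info in zf.infolist():
            hdr = data[info.header_offset:info.header_offset + 30]
            if len(hdr) < 30 or hdr[:4] != LOCAL_SIG:
                findings.append((info.filename, "local signature", LOCAL_SIG, hdr[:4]))
                continue
            (_sig, _ver, flags, method, _time, _date,
             crc, csize, usize, _nlen, _xlen) = struct.unpack("<4s5H3I2H", hdr)
            pairs = [("method", info.compress_type, method)]
            # Bit 3 set: CRC and sizes live in a trailing data descriptor and
            # the local header legitimately holds zeros, so skip those fields.
            if not flags & 0x08:
                pairs += [("crc32", info.CRC, crc),
                          ("compressed size", info.compress_size, csize),
                          ("uncompressed size", info.file_size, usize)]
            findings += [(info.filename, field, c, l)
                         for field, c, l in pairs if c != l]
    return findings


def zero_local_usize(data: bytes) -> bytes:
    """Constructed tampering: zero the first entry's local uncompressed size."""
    out = bytearray(data)
    struct.pack_into("<I", out, 22, 0)  # offset 22 = uncompressed size field
    return bytes(out)


if __name__ == "__main__":
    clean = build_sample()
    print(header_mismatches(clean))
    print(header_mismatches(zero_local_usize(clean)))
```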