Great, thanks! All I had to do was writing an new.ldb rule with hex patterns to search for:
Sig1;Target:4;(0|1|2|3|4|5|6|7|8|9|10|11|12);e2e5ede0eb;c2c5cdc0cb;fe32 ;de32;d7c5cec1cc;f7e5eee1ec;c032;e032;d0b2d0b5d0bdd0b0d0bb;d092d095d09d d090d09b;d18e32;d0ae32;7576656e616c and run clamscan: clamscan -f ~/list -i -d ~/new.ldb On Wed, 2019-03-06 at 10:50 +0100, Arnaud Jacques wrote: > Hello Alex, > > > > We do have a large IMAP ~200GB, and in order to find letters > > containing specific "keyword", > > grep is not good because of base64 encoding. So the idea is to > > look > > through with antivirus scanner for "virus" inside letters, which > > is > > not a virus but a (not sure, may be) "bytecode signature" = > > "keyword" > > > > Sounds good? A link to a howto will be appreciated. > > Yes it is possible. Please see the official documentation : > https://www.clamav.net/documents/creating-signatures-for-clamav >
_______________________________________________ clamav-users mailing list clamav-users@lists.clamav.net https://lists.clamav.net/mailman/listinfo/clamav-users Help us build a comprehensive ClamAV guide: https://github.com/vrtadmin/clamav-faq http://www.clamav.net/contact.html#ml