Hi there,

On Thu, 29 Apr 2021, Olivier via clamav-users wrote:
> Robert Kudyba <rkud...@fordham.edu> writes:
>
>> How would you make this work for docs.google.com as well?
>>
>> the following regex corresponds to https://drive.google.com
>> next if /^MBL_\d+:0:\*:68747470733a2f2f64726976652e676f6f676c652e636f6d$/;
>
> If I remember correctly (I am at home and I have nothing to check), the
> URL is encoded in base64 ...

This is plain hexadecimal representation of the individual characters,
not Base64 encoding.

> ... so it should be:
> 68747470733a2f2f646f637s2e676f6f676c652e636f6d

The character 's' is not in the range [0-9a-f] which are normally used
to represent hexadecimal numbers.

ASCII   hex

h       68
t       74
t       74
p       70
s       73
:       3a

# the following regex corresponds to https://drive.google.com
next if /^MBL_\d+:0:\*:68747470733a2f2f64726976652e676f6f676c652e636f6d$/;

# the following regex corresponds to https://docs.google.com
next if /^MBL_\d+:0:\*:68747470733a2f2f646f63732e676f6f676c652e636f6d$/;

You could do better with a regex, see the excellent Perl documentation.

See also

https://www.clamav.net/documents/body-based-signature-content-format

for writing signatures and for example

man ascii

for more information about hexadecimal representation of characters.

Be careful with this stuff, it's easy to shoot yourself in the foot.
Look carefully at what's happening.  The script does try to log things
and you can easily extend that - you might need to look at for example

man syslog

HTH

--

73,
Ged.
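
Added example, not part of the original message or of the script discussed in the thread: a Perl sketch that derives the hex strings with `unpack` instead of typing them by hand, builds one anchored regex for both hosts, and rejects a string containing a non-hex character. The helper names are hypothetical, and the signature numbers and sample lines are constructed.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hex-encode a URL: two lowercase hex digits per byte, as in the thread.
sub url_to_hex { return unpack('H*', $_[0]); }

# Decode a hex string back to text. Returns undef when the input is not
# valid hex (odd length, or a character outside [0-9a-f]).
sub hex_to_url {
    my ($hex) = @_;
    return undef unless $hex =~ /\A(?:[0-9a-f]{2})+\z/i;
    return pack('H*', $hex);
}

# Build a single regex for several URLs, same shape as the per-URL lines.
# It stays anchored with ^ and $, so only the exact URL is skipped and
# signatures for longer URLs on the same host are kept.
sub build_skip_regex {
    my $alt = join '|', map { url_to_hex($_) } @_;
    return qr/^MBL_\d+:0:\*:(?:$alt)$/;
}

my $skip = build_skip_regex('https://drive.google.com',
                            'https://docs.google.com');

# Constructed sample lines; the signature numbers are made up.
my @lines = (
    'MBL_1000001:0:*:' . url_to_hex('https://drive.google.com'),
    'MBL_1000002:0:*:' . url_to_hex('https://docs.google.com'),
    'MBL_1000003:0:*:' . url_to_hex('https://docs.google.com/some/path'),
    'MBL_1000004:0:*:' . url_to_hex('https://example.invalid'),
);

for my $line (@lines) {
    my ($hex) = $line =~ /:([0-9a-f]+)$/;
    printf "%-5s %s\n", ($line =~ $skip ? 'SKIP' : 'KEEP'), hex_to_url($hex);
}

# The hand-typed string quoted in the thread fails validation ('s').
my $typed = '68747470733a2f2f646f637s2e676f6f676c652e636f6d';
print defined hex_to_url($typed)
    ? "valid hex\n"
    : "not valid hex: $typed\n";
```

Decoding each skipped signature back to text before trusting the regex shows exactly which URLs are being excluded.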
