[Pkg-clamav-commits] [SCM] Debian repository for ClamAV branch, debian/unstable, updated. 99ae9353f6834da0cb73f59f4b32d1f0ae1263fa
Stephen Gran
steve at lobefin.net
Thu Sep 4 12:37:05 UTC 2008
The following commit has been merged in the debian/unstable branch:
commit 2495d6ac644feff51b1a059f9d48b38f2089833b
Author: Stephen Gran <steve at lobefin.net>
Date: Thu Sep 4 13:25:52 2008 +0100
Revert "update documentation"
This reverts commit 437e99401135badad4b22536979925bcad5f8368.
diff --git a/ChangeLog b/ChangeLog
index 0ec8729..6c9330a 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,7 +1,3 @@
-Thu Mar 20 21:27:22 CET 2008 (tk)
----------------------------------
- * doc/signatures.[pdf,tex]: update documentation
-
Thu Mar 20 12:16:13 CET 2008 (tk)
---------------------------------
* clamdscan/client.c: some messages were being printed twice (bb#884)
diff --git a/docs/signatures.pdf b/docs/signatures.pdf
index e2e9c06..72ed530 100644
Binary files a/docs/signatures.pdf and b/docs/signatures.pdf differ
diff --git a/docs/signatures.tex b/docs/signatures.tex
index 32b87df..ee6e85d 100644
--- a/docs/signatures.tex
+++ b/docs/signatures.tex
@@ -15,38 +15,34 @@
\noindent
\section{Introduction}
- CVD (ClamAV Virus Database) is a digitally signed container that
- includes signature databases in various text formats. The header
- of the container is a 512 bytes long string with colon separated fields:
+ CVD (ClamAV Virus Database) is a digitally signed tarball file that
+ contains one or more databases. The header is a 512 bytes long string
+ with colon separated fields:
\begin{verbatim}
ClamAV-VDB:build time:version:number of signatures:functionality
-level required:MD5 checksum:digital signature:builder name:build
-time (sec)
+level required:MD5 checksum:digital signature:builder name:build time (sec)
\end{verbatim}
- \verb+sigtool --info+ displays detailed information about a given CVD file:
+ \verb+sigtool --info+ displays detailed information about a CVD file:
\begin{verbatim}
zolw at localhost:/usr/local/share/clamav$ sigtool -i main.cvd
-File: main.cvd
-Build time: 09 Dec 2007 15:50 +0000
-Version: 45
-Signatures: 169676
-Functionality level: 21
-Builder: sven
-MD5: b35429d8d5d60368eea9630062f7c75a
-Digital signature: dxsusO/HWP3/GAA7VuZpxYwVsE9b+tCk+tPN6OyjVF/U8
-JVh4vYmW8mZ62ZHYMlM903TMZFg5hZIxcjQB3SX0TapdF1SFNzoWjsyH53eXvMDY
-eaPVNe2ccXLfEegoda4xU2TezbGfbSEGoU1qolyQYLX674sNA2Ni6l6/CEKYYh
+Build time: 09 Jun 2006 22-19 +0200
+Version: 39
+# of signatures: 58116
+Functionality level: 8
+Builder: tkojm
+MD5: a9a400e70dcbfe2c9e11d78416e1c0cc
+Digital signature: 0s12V8OxLWO95fNNv+kTxj7CEWBW/1TKOGC7G4RelhogruBYw8dJeIX2+yhxex/XsLohxoEuXxC2CaFXiiTbrbvpK2USIxkpn53n6LYVV6jKgkP5sa08MdJE7cl29H1slfCrdaevBUZ1Z/UefkRnV6p3iQVpDPsBwqFRbrem33b
Verification OK.
\end{verbatim}
- The ClamAV project distributes two CVD files: \emph{main.cvd} and
- \emph{daily.cvd}.
+ There are two CVD databases in ClamAV: \emph{main.cvd} and \emph{daily.cvd}
+ for daily updates.
- \section{Signature formats}
+ \section{Signature format}
\subsection{MD5}
- The easiest way to create signatures for ClamAV is to use MD5 checksums,
- however this method can be only used against static malware. To create
- a signature for \verb+test.exe+ use the \verb+--md5+ option of sigtool:
+ There's an easy way to create signatures for static malware using MD5
+ checksums. To create a signature for \verb+test.exe+ use the \verb+--md5+
+ option of sigtool:
\begin{verbatim}
zolw at localhost:/tmp/test$ sigtool --md5 test.exe > test.hdb
zolw at localhost:/tmp/test$ cat test.hdb
@@ -60,36 +56,33 @@ test.exe: test.exe FOUND
----------- SCAN SUMMARY -----------
Known viruses: 1
Scanned directories: 0
-Engine version: 0.92.1
+Engine version: 0.88.2
Scanned files: 1
Infected files: 1
Data scanned: 0.02 MB
Time: 0.024 sec (0 m 0 s)
\end{verbatim}
- You can change the name (by default sigtool uses the name of the file)
- and place it inside a \verb+*.hdb+ file. A single database file can
- include any number of signatures. To get them automatically loaded
- each time clamscan/clamd starts just copy the database file(s) into
- the local virus database directory (eg. /usr/local/share/clamav).
+ You can edit it to change the name (by default sigtool uses the file name).
+ Remember that all MD5 signatures must be placed inside \verb+*.hdb+ files
+ and you can include any number of signatures inside a single file. To get
+ them automatically loaded every time clamscan/clamd starts just copy them
+ to the local virus database directory.
\subsection{MD5, PE section based}
- You can create a MD5 signature for a specific section in a PE file.
- Such signatures shall be stored inside \verb+.mdb+ files in the
- following format:
+ You can create an MD5 signature for a specific section in a PE file.
+ Such signatures are stored in .mdb files in the following format:
\begin{verbatim}
PESectionSize:MD5:MalwareName
\end{verbatim}
- The easiest way to generate MD5 based section signatures is to extract
- target PE sections into separate files and then run sigtool with the
- option \verb+--mdb+
\subsection{Hexadecimal signatures}
- ClamAV stores all signatures in a hexadecimal format. By a hex-signature
- here we mean a fragment of a malware's body converted into a hexadecimal
- string which can be additionally extended with various wildcards.
+ ClamAV keeps viral fragments in hexadecimal format. If you don't know how
+ to get a proper signature please try the MD5 method or submit your sample
+ at \url{http://www.clamav.net/sendvirus}
\subsubsection{Hexadecimal format}
- You can use \verb+sigtool --hex-dump+ to convert any data into a hex-string:
+ You can use \verb+sigtool --hex-dump+ to convert arbitrary data into
+ hexadecimal format:
\begin{verbatim}
zolw at localhost:/tmp/test$ sigtool --hex-dump
How do I look in hex?
@@ -102,13 +95,12 @@ How do I look in hex?
\item \verb+??+\\
Match any byte.
\item \verb+a?+\\
- Match a high nibble (the four high bits). \textbf{IMPORTANT NOTE:}
- The nibble matching is only available in libclamav with the
- functionality level 17 and higher therefore please only use it with
- .ndb signatures followed by ":17" (MinEngineFunctionalityLevel,
- see \ref{ndb}).
+ Match high nibble (high four bits). \textbf{IMPORTANT NOTE:} Nibble
+ matching is only available in libclamav with the functionality level
+ 17 therefore please only use it with .ndb signatures, each followed
+ by ":17" (MinEngineFunctionalityLevel, see \ref{ndb}).
\item \verb+?a+\\
- Match a low nibble (the four low bits).
+ Match low nibble (low four bits).
\item \verb+*+\\
Match any number of bytes.
\item \verb+{n}+\\
@@ -117,56 +109,47 @@ How do I look in hex?
Match n or less bytes.
\item \verb+{n-}+\\
Match n or more bytes.
- \item \verb+(aa|bb|cc|..)+\\
- Match aa or bb or cc..
- \item \verb+HEXSIG[x-y]aa+ or \verb+aa[x-y]HEXSIG+\\
- Match aa anchored to a hex-signature, see
- \url{https://wwws.clamav.net/bugzilla/show_bug.cgi?id=776} for
- a discussion and examples.
+ \item \verb+(a|b)+\\
+ Match a or b (you can use more alternate characters).
\end{itemize}
- The range signatures \verb+*+ and \verb+{}+ virtually separate
- a hex-signature into two parts, eg. \verb+aabbcc*bbaacc+ is treated
- as two sub-signatures \verb+aabbcc+ and \verb+bbaacc+ with any number
- of bytes between them. It's a requirement that each sub-signature
- includes a block of two static characters somewhere in its body.
\subsubsection{Basic signature format}
- The simplest (and now deprecated) signature format is:
+ The simplest signatures are of the format:
\begin{verbatim}
MalwareName=HexSignature
\end{verbatim}
- ClamAV will scan the entire file looking for HexSignature. All
- signatures of this type must be placed inside \verb+*.db+ files.
+ ClamAV will analyse a whole content of a file trying to match it. All
+ signatures of this type must be placed in \verb+*.db+ files.
\subsubsection{Extended signature format}\label{ndb}
- The extended signature format allows for specification of additional
- information such as a target file type, virus offset or engine version,
- making the detection more reliable. The format is:
+ Extended signature format allows on including additional information about
+ target file type, virus offset and required engine version.
+ The format is:
\begin{verbatim}
MalwareName:TargetType:Offset:HexSignature[:MinEngineFunctionalityLevel:[Max]]
\end{verbatim}
- where \verb+TargetType+ is one of the following numbers specifying
- the type of the target file:
+ where \verb+TargetType+ is one of the following decimal numbers describing
+ the target file type:
\begin{itemize}
\item 0 = any file
\item 1 = Portable Executable
- \item 2 = OLE2 component (e.g. a VBA script)
+ \item 2 = OLE2 component (e.g. VBA script)
\item 3 = HTML (normalised)
\item 4 = Mail file
- \item 5 = Graphics
+ \item 5 = Graphics (to help catching exploits in JPEG files)
\item 6 = ELF
- \item 7 = ASCII text file (normalised)
\end{itemize}
And \verb+Offset+ is an asterisk or a decimal number \verb+n+ possibly
- combined with a special modifier:
+ combined with a special string:
\begin{itemize}
\item \verb+*+ = any
\item \verb+n+ = absolute offset
\item \verb+EOF-n+ = end of file minus \verb+n+ bytes
\end{itemize}
- Signatures for PE and ELF files additionally support:
+ Signatures for Portable Executables files (target = 1) also support:
\begin{itemize}
- \item \verb#EP+n# = entry point plus n bytes (\verb#EP+0# for \verb+EP+)
+ \item \verb#EP+n# = entry point plus n bytes (\verb#EP+0# if you
+ want to anchor to \verb+EP+)
\item \verb#EP-n# = entry point minus n bytes
\item \verb#Sx+n# = start of section \verb+x+'s (counted from 0)
data plus \verb+n+ bytes
@@ -183,17 +166,15 @@ MalwareName:TargetType:Offset:HexSignature[:MinEngineFunctionalityLevel:[Max]]
0.91 will silently ignore the \verb+MaxShift+ extension and only use
\verb+Offset+.\\
- \noindent
All signatures in the extended format must be placed inside \verb+*.ndb+ files.
\subsection{Signatures based on archive metadata}
- Signatures based on metadata inside archive files can provide an effective
- protection against malware that spreads via encrypted zip or rar
- archives. The format of a metadata signature is:
+ In order to detect some malware which spreads inside of Zip or RAR archives
+ (especially encrypted ones) you can try to create a signature describing
+ a malicious archived file. The general format is:
\begin{verbatim}
virname:encrypted:filename:normal size:csize:crc32:cmethod:fileno:max depth
\end{verbatim}
- where the corresponding fields are:
\begin{itemize}
\item Virus name
\item Encryption flag (1 -- encrypted, 0 -- not encrypted)
@@ -205,22 +186,15 @@ virname:encrypted:filename:normal size:csize:crc32:cmethod:fileno:max depth
\item File position in archive (* to ignore)
\item Maximum number of nested archives (* to ignore)
\end{itemize}
- The database file should have the extension of \verb+.zmd+ or
- \verb+.rmd+ for zip or rar metadata respectively.
+ The database should have the extension \verb+.zmd+ or \verb+.rmd+ for
+ Zip or RAR archive respectively.
- \subsection{Whitelist databases}
+ \subsection{Whitelist database}
To whitelist a specific file use the MD5 signature format and place
- it inside a database file with the extension of \verb+.fp+.\\
-
- \noindent
- To whitelist a specific signature inside main.cvd add the following
- entry into daily.ign or a local file local.ign:
-\begin{verbatim}
-db_name:line_number:signature_name
-\end{verbatim}
+ it in the database with the extension \verb+.fp+.
\subsection{Signature names}
- ClamAV uses the following prefixes for signature names:
+ ClamAV uses the following prefixes for particular malware:
\begin{itemize}
\item \emph{Worm} for Internet worms
\item \emph{Trojan} for backdoor programs
@@ -236,7 +210,7 @@ db_name:line_number:signature_name
\item \emph{BAT} for BAT malware
\item \emph{W97M}, \emph{W2000M} for Word macro viruses
\item \emph{X97M}, \emph{X2000M} for Excel macro viruses
- \item \emph{O97M}, \emph{O2000M} for generic Office macro viruses
+ \item \emph{O97M}, \emph{O2000M} for general Office macro viruses
\item \emph{DoS} for Denial of Service attack software
\item \emph{DOS} for old DOS malware
\item \emph{Exploit} for popular exploits
@@ -256,35 +230,30 @@ db_name:line_number:signature_name
\section{Special files}
\subsection{HTML}
- ClamAV contains a special HTML normalisation code which helps to detect
+ ClamAV contains a special HTML normalisation code required to detect
HTML exploits. Running \verb+sigtool --html-normalise+ on a HTML file
- should generate the following files:
+ should create the following files:
\begin{itemize}
- \item nocomment.html - the file is normalised, lower-case, with all
- comments and superflous white space removed
- \item notags.html - as above but with all HTML tags removed
+ \item comment.html - the whole file normalised
+ \item nocomment.html - the file normalised, with all comments removed
+ \item script.html - the parts of the file in \verb+<script>+ tags
+ (lowercased)
\end{itemize}
The code automatically decodes JScript.encode parts and char ref's (e.g.
\verb+f+). You need to create a signature against one of the created
- files. To eliminate potential false positive alerts the target type should
- be set to 3.
-
- \subsection{Text files}
- Similarly to HTML all ASCII text files get normalised (converted
- to lower-case, all superflous white space and control characters removed,
- etc.) before scanning. Use \verb+clamscan --leave-temps+ to obtain
- a normalised file then create a signature with the target type 7.
+ files. To eliminate potential false positive alerts you should use
+ extended signature format with target type of 3.
\subsection{Compressed Portable Executable files}
- If the file is compressed with UPX, FSG, Petite or other PE packer
- supported by libclamav, run \verb+clamscan+ with
- \verb+--debug --leave-temps+. Example output for a FSG compressed file:
+ If the file is compressed with UPX, FSG, Petite or other executable packer
+ (supported by libclamav) run \verb+clamscan+ with
+ \verb+--debug --leave-temps+. Example output on FSG compressed file:
\begin{verbatim}
-LibClamAV debug: UPX/FSG/MEW: empty section found - assuming compression
-LibClamAV debug: FSG: found old EP @119e0
-LibClamAV debug: FSG: Unpacked and rebuilt executable saved in
-/tmp/clamav-f592b20f9329ac1c91f0e12137bcce6c
+LibClamAV debug: UPX/FSG: empty section found - assuming compression
+LibClamAV debug: FSG: found old EP @1554
+LibClamAV debug: FSG: Successfully decompressed
+LibClamAV debug: UPX/FSG: Decompressed data saved in /tmp/clamav-4eba73ff4050a26
\end{verbatim}
- Next create a type 1 signature for \verb+/tmp/clamav-f592b20f9329ac1c91f0e12137bcce6c+
+ and then create a signature for \verb+/tmp/clamav-4eba73ff4050a26+
\end{document}
--
Debian repository for ClamAV
More information about the Pkg-clamav-commits
mailing list