[Pkg-clamav-commits] [SCM] Debian repository for ClamAV branch, debian/unstable, updated. debian/0.95+dfsg-1-6156-g094ec9b
Tomasz Kojm
tkojm at clamav.net
Sun Apr 4 01:21:22 UTC 2010
The following commit has been merged in the debian/unstable branch:
commit 11239bbe1a3a42db0dee2bc33632914abd2dbb59
Author: Tomasz Kojm <tkojm at clamav.net>
Date: Thu Feb 25 17:20:50 2010 +0100
docs: update signatures.pdf - more to come
diff --git a/ChangeLog b/ChangeLog
index df70856..877684d 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,7 @@
+Thu Feb 25 17:20:27 CET 2010 (tk)
+---------------------------------
+ * docs: update signatures.pdf
+
Tue Feb 16 16:41:30 CET 2010 (tk)
---------------------------------
* libclamav/cvd.c: enable new dsig check for main db
diff --git a/docs/signatures.pdf b/docs/signatures.pdf
index e338689..e2a8182 100644
Binary files a/docs/signatures.pdf and b/docs/signatures.pdf differ
diff --git a/docs/signatures.tex b/docs/signatures.tex
index e5c5e5f..a572cb6 100644
--- a/docs/signatures.tex
+++ b/docs/signatures.tex
@@ -38,8 +38,8 @@ JVh4vYmW8mZ62ZHYMlM903TMZFg5hZIxcjQB3SX0TapdF1SFNzoWjsyH53eXvMDY
eaPVNe2ccXLfEegoda4xU2TezbGfbSEGoU1qolyQYLX674sNA2Ni6l6/CEKYYh
Verification OK.
\end{verbatim}
- The ClamAV project distributes two CVD files: \emph{main.cvd} and
- \emph{daily.cvd}.
+ The ClamAV project distributes a number of CVD files, including
+ \emph{main.cvd} and \emph{daily.cvd}.
\section{Signature formats}
@@ -52,7 +52,7 @@ zolw at localhost:/tmp/test$ sigtool --md5 test.exe > test.hdb
zolw at localhost:/tmp/test$ cat test.hdb
48c4533230e1ae1c118c741c0db19dfb:17387:test.exe
\end{verbatim}
- That's it! The signature is ready to use:
+ That's it! The signature is ready for use:
\begin{verbatim}
zolw at localhost:/tmp/test$ clamscan -d test.hdb test.exe
test.exe: test.exe FOUND
@@ -83,10 +83,11 @@ PESectionSize:MD5:MalwareName
target PE sections into separate files and then run sigtool with the
option \verb+--mdb+
- \subsection{Hexadecimal signatures}
- ClamAV stores all signatures in a hexadecimal format. By a hex-signature
- here we mean a fragment of a malware's body converted into a hexadecimal
- string which can be additionally extended with various wildcards.
+ \subsection{Body-based signatures}
+ ClamAV stores all body-based signatures in a hexadecimal format. In this
+ section by a hex-signature we mean a fragment of malware's body converted
+ into a hexadecimal string which can be additionally extended using various
+ wildcards.
\subsubsection{Hexadecimal format}
You can use \verb+sigtool --hex-dump+ to convert any data into a hex-string:
@@ -97,7 +98,7 @@ How do I look in hex?
\end{verbatim}
\subsubsection{Wildcards}
- ClamAV supports the following extensions inside hex signatures:
+ ClamAV supports the following extensions for hex-signatures:
\begin{itemize}
\item \verb+??+\\
Match any byte.
@@ -122,11 +123,15 @@ How do I look in hex?
\item \verb+(aa|bb|cc|..)+\\
Match aa or bb or cc..
\item \verb+!(aa|bb|cc|..)+\\
- Match any byte except aa and bb and cc..
+ Match any byte except aa and bb and cc.. (ClamAV$\ge$0.96)
\item \verb+HEXSIG[x-y]aa+ or \verb+aa[x-y]HEXSIG+\\
Match aa anchored to a hex-signature, see
\url{https://wwws.clamav.net/bugzilla/show_bug.cgi?id=776} for
- a discussion and examples.
+ discussion and examples.
+ \item \verb+(B)+\\
+ Match word boundary (including file boundaries).
+ \item \verb+(L)+\\
+ Match CR, CRLF or file boundaries.
\end{itemize}
The range signatures \verb+*+ and \verb+{}+ virtually separate
a hex-signature into two parts, eg. \verb+aabbcc*bbaacc+ is treated
@@ -168,7 +173,7 @@ MalwareName:TargetType:Offset:HexSignature[:MinEngineFunctionalityLevel:[Max]]
\item 5 = Graphics
\item 6 = ELF
\item 7 = ASCII text file (normalized)
- \item 8 = Disassembler data
+ \item 8 = Unused
\item 9 = Mach-O files
\end{itemize}
And \verb+Offset+ is an asterisk or a decimal number \verb+n+ possibly
@@ -226,6 +231,15 @@ Subsig1;Subsig2;...
\item \verb+SubsigN+ is n-th subsignature in extended format possibly
preceded with an offset. There can be specified up to 64 subsigs.
\end{itemize}
+ Keywords used in \verb+TargetDescriptionBlock+:
+ \begin{itemize}
+ \item \verb+Target:X+: Target file type
+ \item \verb+Engine:X-Y+: Required engine functionality (range; 0.96)
+ \item \verb+FileSize:X-Y+: Required file size (range in bytes; 0.96)
+ \item \verb+EntryPoint+: Entry point offset (range in bytes; 0.96)
+ \item \verb+NumberOfSections+: Required number of sections in executable (range; 0.96)
+ \item \verb+Container:CL_TYPE_*+: File type of the container which stores the scanned file
+ \end{itemize}
Modifiers for subexpressions:
\begin{itemize}
\item \verb+A=X+: If the SUB-EXPRESSION A refers to a single signature
@@ -265,11 +279,53 @@ f2aef7d14951684cf04100e8110a00;S2+78:22??232c2d252229{-15}6e6573
(63|64)61706528;S+50:68efa311c3b9963cb1ee8e586d32aeb9043e;f9c58d
cf43987e4f519d629b103375;SL+550:6300680065005c0046006900
\end{verbatim}
+ ClamAV 0.96 introduced support for special macro subsignatures in
+ the following format: \verb+${min-max}MACROID$+, where \verb+MACROID+
+ points to a group of signatures and \verb+{min-max}+ specifies the
+ offset range at which one of the group signatures should match.
+ The range is calculated against the match offset of the previous
+ subsignature. The macro subsignature makes its preceding subsignature
+ considered a match only if both of them get matched. For more
+ information and examples please see
+ \url{https://wwws.clamav.net/bugzilla/show_bug.cgi?id=164}.
+
+ \subsection{Signatures based on container metadata}
+ ClamAV 0.96 allows creating generic signatures matching files stored
+ inside different container types which meet specific conditions.
+ The signature format is
+\begin{verbatim}
+VirusName:ContainerType:ContainerSize:FileNameREGEX:FileSizeInContainer:
+FileSizeReal:IsEncrypted:FilePos:Res1:Res2[:MinFL[:MaxFL]]
+\end{verbatim}
+ where the corresponding fields are:
+ \begin{itemize}
+ \item \verb+VirusName:+ Virus name to be displayed when signature matches
+ \item \verb+ContainerType:+ one of \verb+CL_TYPE_ZIP+, \verb+CL_TYPE_RAR+,
+ \verb+CL_TYPE_ARJ+, \verb+CL_TYPE_CAB+, \verb+CL_TYPE_7Z+,
+ \verb+CL_TYPE_MAIL+, \verb+CL_TYPE_(POSIX|OLD)_TAR+,
+ \verb+CL_TYPE_CPIO_(OLD|ODC|NEWC|CRC)+ or \verb+*+ to match
+ any of the container types listed here
+ \item \verb+ContainerSize:+ size of the container file itself (eg. size of
+ the zip archive) specified in bytes as absolute value or range \verb+x-y+
+ \item \verb+FileNameREGEX:+ regular expression describing name of the target file
+ \item \verb+FileSizeInContainer:+ usually compressed size; for MAIL, TAR and CPIO ==
+ \verb+FileSizeReal+; specified in bytes as absolute value or range
+ \item \verb+FileSizeReal:+ usually uncompressed size; for MAIL, TAR and CPIO ==
+ \verb+FileSizeInContainer+; absolute value or range
+ \item \verb+IsEncrypted+: 1 if the target file is encrypted, 0 if it's not and
+ \verb+*+ to ignore
+ \item \verb+FilePos+: file position in container (counting from 1); absolute value
+ or range
+ \item \verb+Res1+: when \verb+ContainerType+ is \verb+CL_TYPE_ZIP+ or
+ \verb+CL_TYPE_RAR+ this field is treated as a CRC sum of the target file
+ specified in hexadecimal format; for other container types it's ignored
+ \item \verb+Res2+: not used as of ClamAV 0.96
+ \end{itemize}
+ The signatures for container files are stored inside \verb+.cdb+ files.
- \subsection{Signatures based on archive metadata}
- Signatures based on metadata inside archive files can provide an effective
- protection against malware that spreads via encrypted zip or rar
- archives. The format of a metadata signature is:
+ \subsection{Signatures based on ZIP/RAR metadata (obsolete)}
+ The (now obsolete) archive metadata signatures can be only applied
+ to ZIP and RAR files and have the following format:
\begin{verbatim}
virname:encrypted:filename:normal size:csize:crc32:cmethod:fileno:max depth
\end{verbatim}
@@ -293,11 +349,16 @@ virname:encrypted:filename:normal size:csize:crc32:cmethod:fileno:max depth
it inside a database file with the extension of \verb+.fp+.\\
\noindent
- To whitelist a specific signature inside main.cvd add the following
- entry into daily.ign or a local file local.ign:
+ To whitelist a specific signature from the database you just add
+ its name into a local file called local.ign2 stored inside the
+ database directory. You can additionally follow the signature name
+ with the MD5 of the entire database entry for this signature, eg:
\begin{verbatim}
-db_name:line_number:signature_name
+Eicar-Test-Signature:bc356bae4c42f19a3de16e333ba3569c
\end{verbatim}
+ In such a case, the signature will no longer be whitelisted when
+ its entry in the database gets modified (eg. the signature gets
+ updated to avoid false alerts).
\subsection{Signature names}
ClamAV uses the following prefixes for signature names:
@@ -326,7 +387,8 @@ db_name:line_number:signature_name
\end{itemize}
Important rules of the naming convention:
\begin{itemize}
- \item always use a -zippwd suffix in the malware name for signatures of type zmd,
+ \item always use a -zippwd suffix in the malware name for signatures
+ of type zmd,
\item always use a -rarpwd suffix in the malware name for signatures
of type rmd,
\item only use alphanumeric characters, dash (-), dot (.), underscores
--
Debian repository for ClamAV
More information about the Pkg-clamav-commits
mailing list