Posts

Showing posts from April, 2012

ClamAV Signatures

Recently while working with ClamAV I encountered some cool features I wanted to share. Signatures Too Long In one instance, I found out that ClamAV cannot accept signatures greater than a certain length. While I'm not exactly sure what that length is, I'm sure you'll get a syntax error if the signature is too long. In another instance, I found that ClamAV does alright with heuristics. It may be a custom hack, but the gist of the matter is: I can input the arguments to a (function(p,a,c,k,e,r)) and only the arguments to the function, and ClamAV will detect the use of the function and will include the function in the normalized result. Example ('e r=x.9,t="",q;4(r.3("m.")!=-1)t="q";4(r.3("7.")!=-1)t="q";4(r.3("8.")!=-1)t="p";4(r.3("a.")!=-1)t="q";4(r.3("f.")!=-1)t="g...