
Mailing List Archive: ClamAV: users
Signature generation problems


mbroekman at maileig

May 2, 2012, 1:29 PM


I'm having some issues creating a hex signature to match some PHP code
I've run across. I've pulled the snippet of the PHP code that I want to
match on and created the signature using sigtool --hex-dump, but when I
try testing against it, there are no matches. However, if I convert the
entire PHP file to hex using sigtool, I do find the snippet signature in

grep "`awk -F: '{ print $4 }' new1.ndb`" footer.ndb

Similarly, I can take the signature, convert it back to ASCII and match
successfully against the original file:

grep "`awk -F: '{ print $4 }' new1.ndb | xxd -r -p`" footer.php

The hex signature is only 64 characters long so I know that I'm not
blowing through any buffers internally (which I've done before by

The signature I've generated is:


From the text:

if (!isset($eva1fYlbakBcVSir)) {

$ clamscan -d ./new1.ndb footer.php
footer.php: OK

----------- SCAN SUMMARY -----------
Known viruses: 1
Engine version: 0.97.3
Scanned directories: 0
Scanned files: 1
Infected files: 0
Data scanned: 0.01 MB
Data read: 0.01 MB (ratio 1.00:1)
Time: 0.010 sec (0 m 0 s)

Anyone have any ideas about this?

Thanks in advance
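
The manual grep check from the post as a script (an added example, not part of the original message): it parses an .ndb line, searches the raw file bytes for the decoded hex field, and also reports the TargetType and Offset fields, which a grep on field 4 alone does not look at. The signature name, target type 0, offset * and the sample file are constructed assumptions; the post's actual signature is not shown on the page.

```python
import binascii
import re

# TargetType values 0-7 of the ClamAV extended-signature (.ndb) format.
TARGET_TYPES = {
    "0": "any file", "1": "PE", "2": "OLE2", "3": "HTML (normalised)",
    "4": "mail", "5": "graphics", "6": "ELF", "7": "ASCII text (normalised)",
}

def parse_ndb_line(line):
    """Split Name:TargetType:Offset:HexSig[:MinFL[:MaxFL]] into a dict."""
    fields = line.strip().split(":")
    if len(fields) < 4:
        raise ValueError("expected at least 4 colon-separated fields")
    return {"name": fields[0], "target": fields[1],
            "offset": fields[2], "hexsig": fields[3].lower()}

def find_raw(hexsig, data):
    """Offsets where a wildcard-free hex signature occurs in the raw bytes."""
    if not re.fullmatch(r"(?:[0-9a-f]{2})+", hexsig):
        raise ValueError("wildcards or odd length: not a plain byte string")
    needle = binascii.unhexlify(hexsig)
    hits, pos = [], data.find(needle)
    while pos != -1:
        hits.append(pos)
        pos = data.find(needle, pos + 1)
    return hits

def report(line, data):
    """Summarise one signature line against one file's raw contents."""
    sig = parse_ndb_line(line)
    target = TARGET_TYPES.get(sig["target"], "other (%s)" % sig["target"])
    return {"name": sig["name"], "target": target, "offset": sig["offset"],
            "sig_bytes": len(sig["hexsig"]) // 2,
            "raw_hits": find_raw(sig["hexsig"], data)}

# Constructed sample: the PHP line quoted in the post inside a made-up file.
SNIPPET = b"if (!isset($eva1fYlbakBcVSir)) {"
SAMPLE_FILE = b"<?php\n" + SNIPPET + b"\n  // ...\n}\n?>\n"
# Name, target type 0 and offset * are assumptions for this example.
SAMPLE_LINE = "Example.PHP.Snippet:0:*:" + binascii.hexlify(SNIPPET).decode()

if __name__ == "__main__":
    print(report(SAMPLE_LINE, SAMPLE_FILE))
```

A hit in `raw_hits` only shows that the bytes are present in the file on disk, which is the same thing the grep check shows.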

