| 28e73e95 |
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<!--Converted with LaTeX2HTML 2K.1beta (1.48)
original version by: Nikos Drakos, CBLU, University of Leeds
* revised and updated by: Marcus Hennecke, Ross Moore, Herb Swan
* with significant contributions from:
Jens Lippmann, Marek Rouchal, Martin Wilck and others -->
<HTML>
<HEAD> |
| 5def21ff |
<TITLE>Signature Tool</TITLE>
<META NAME="description" CONTENT="Signature Tool"> |
| 28e73e95 |
<META NAME="keywords" CONTENT="clamdoc">
<META NAME="resource-type" CONTENT="document">
<META NAME="distribution" CONTENT="global">
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1">
<META NAME="Generator" CONTENT="LaTeX2HTML v2K.1beta">
<META HTTP-EQUIV="Content-Style-Type" CONTENT="text/css">
<LINK REL="STYLESHEET" HREF="clamdoc.css">
<LINK REL="previous" HREF="node19.html"> |
| 5def21ff |
<LINK REL="up" HREF="node15.html"> |
| 28e73e95 |
<LINK REL="next" HREF="node21.html">
</HEAD>
<BODY >
<!--Navigation Panel--> |
| 5def21ff |
<A NAME="tex2html416" |
| 28e73e95 |
HREF="node21.html">
<IMG WIDTH="37" HEIGHT="24" ALIGN="BOTTOM" BORDER="0" ALT="next"
SRC="/usr/share/latex2html/icons/next.png"></A> |
| 5def21ff |
<A NAME="tex2html412"
HREF="node15.html"> |
| 28e73e95 |
<IMG WIDTH="26" HEIGHT="24" ALIGN="BOTTOM" BORDER="0" ALT="up"
SRC="/usr/share/latex2html/icons/up.png"></A> |
| 5def21ff |
<A NAME="tex2html408" |
| 28e73e95 |
HREF="node19.html">
<IMG WIDTH="63" HEIGHT="24" ALIGN="BOTTOM" BORDER="0" ALT="previous"
SRC="/usr/share/latex2html/icons/prev.png"></A> |
| 5def21ff |
<A NAME="tex2html414" |
| 28e73e95 |
HREF="node1.html">
<IMG WIDTH="65" HEIGHT="24" ALIGN="BOTTOM" BORDER="0" ALT="contents"
SRC="/usr/share/latex2html/icons/contents.png"></A>
<BR> |
| 5def21ff |
<B> Next:</B> <A NAME="tex2html417"
HREF="node21.html">Problem solving</A>
<B> Up:</B> <A NAME="tex2html413"
HREF="node15.html">Usage</A>
<B> Previous:</B> <A NAME="tex2html409"
HREF="node19.html">Output format</A>
  <B> <A NAME="tex2html415" |
| 28e73e95 |
HREF="node1.html">Contents</A></B>
<BR>
<BR>
<!--End of Navigation Panel-->
|
| 5def21ff |
<H2><A NAME="SECTION00045000000000000000">
Signature Tool</A> |
| 28e73e95 |
</H2> |
| 5def21ff |
<I>sigtool</I> automates signature creation. If you have got an infected
file not recognized by ClamAV and there is another anti-virus scanner
working in a console that detects the virus, then you can try to create
the signature automatically. <I>Sigtool is only partially useful because
it only detects a last part of a real signature. It will fail for multipart
signatures (often used to match polymorphic viruses).</I>
<I>Example of usage:</I>
Create a random file (with any content) and insert the <B>test1</B> file
content into it. We will use <I>clamscan</I> to generate the signature.
This is only an example - in real life you don't need such tricks - just
an infected file. Scan it with <I>clamscan -stdout testfile</I> - the
output should be: |
| 28e73e95 |
<PRE> |
| 5def21ff |
testfile: ClamAV-Test-Signature FOUND
----------- SCAN SUMMARY -----------
Known viruses: 10213
Scanned directories: 0
Scanned files: 1
Data scanned: 0.95 MB
Infected files: 1
I/O buffer size: 131072 bytes
Time: 0.245 sec (0 m 0 s) |
| 28e73e95 |
</PRE> |
| 5def21ff |
The unique string in this output is "ClamAV-Test-Signature" so run
<I>sigtool</I> with the following arguments: |
| 28e73e95 |
<PRE> |
| 5def21ff |
$ sigtool -c "clamscan --stdout" -f testfile -s "ClamAV-Test" |
| 28e73e95 |
</PRE> |
| 5def21ff |
The program will concatenate arguments for <I>-c (-command)</I> and
<I>-f (-file)</I>, that's why the scanner's options must be given in the
proper order. At the end it will generate a file <I>testfile.sig</I>,
which should contain 100 bytes in our example. It contains the proper
signature. |
| 28e73e95 |
<PRE> |
| 5def21ff |
Detected, decreasing end 20051 -> 16040
Detected, decreasing end 16040 -> 12029
Detected, decreasing end 12029 -> 8018
Not detected at 8018, moving forward.
Detected, decreasing end 10024 -> 8018
Not detected at 8018, moving forward.
Detected, decreasing end 9021 -> 8018
Not detected at 8018, moving forward.
Not detected at 8520, moving forward.
Detected, decreasing end 8771 -> 8520
Not detected at 8520, moving forward.
Not detected at 8646, moving forward.
Not detected at 8709, moving forward.
Detected, decreasing end 8741 -> 8709
Not detected at 8709, moving forward.
Not detected at 8725, moving forward.
Detected, decreasing end 8733 -> 8725
Not detected at 8725, moving forward.
Not detected at 8729, moving forward.
Detected, decreasing end 8731 -> 8729
Not detected at 8729, moving forward.
Detected, decreasing end 8730 -> 8729
Not detected at 8729, moving forward.
Increasing end 8729 -> 8730
*** Signature end found at 8730
Detected at 8680, moving forward.
Detected at 8680, moving forward.
Not detected, moving backward 8693 -> 8680
Detected at 8680, moving forward.
Not detected, moving backward 8687 -> 8680
Detected at 8680, moving forward.
Not detected, moving backward 8684 -> 8680
Detected at 8680, moving forward.
Not detected, moving backward 8682 -> 8680
Detected at 8680, moving forward.
Not detected, moving backward 8681 -> 8680
Detected at 8680, moving forward.
Not detected, moving backward 8681 -> 8680
Detected at 8680, moving forward.
Moving forward 8680 -> 8681
*** Signature start found at 8681 |
| 28e73e95 |
|
| 5def21ff |
The scanner was executed 33 times.
The signature length is 49 (98 hex)
Saving signature in testfile.sig file.
Saving binary signature in testfile.bsig file. |
| 28e73e95 |
</PRE> |
| 5def21ff |
To make the generated signature complete you only to add the
<I>VirusName=</I> string at the beginning of the hexadecimal signature in
testfile.sig.
<BR> <I><B>TIP:</B> ClamAV scanners read all .db files in the database
directory. You can create your own database files (e.g. local.db) and they
won't be modified by freshclam !</I> |
| 28e73e95 |
<P>
<HR>
<!--Navigation Panel--> |
| 5def21ff |
<A NAME="tex2html416" |
| 28e73e95 |
HREF="node21.html">
<IMG WIDTH="37" HEIGHT="24" ALIGN="BOTTOM" BORDER="0" ALT="next"
SRC="/usr/share/latex2html/icons/next.png"></A> |
| 5def21ff |
<A NAME="tex2html412"
HREF="node15.html"> |
| 28e73e95 |
<IMG WIDTH="26" HEIGHT="24" ALIGN="BOTTOM" BORDER="0" ALT="up"
SRC="/usr/share/latex2html/icons/up.png"></A> |
| 5def21ff |
<A NAME="tex2html408" |
| 28e73e95 |
HREF="node19.html">
<IMG WIDTH="63" HEIGHT="24" ALIGN="BOTTOM" BORDER="0" ALT="previous"
SRC="/usr/share/latex2html/icons/prev.png"></A> |
| 5def21ff |
<A NAME="tex2html414" |
| 28e73e95 |
HREF="node1.html">
<IMG WIDTH="65" HEIGHT="24" ALIGN="BOTTOM" BORDER="0" ALT="contents"
SRC="/usr/share/latex2html/icons/contents.png"></A>
<BR> |
| 5def21ff |
<B> Next:</B> <A NAME="tex2html417"
HREF="node21.html">Problem solving</A>
<B> Up:</B> <A NAME="tex2html413"
HREF="node15.html">Usage</A>
<B> Previous:</B> <A NAME="tex2html409"
HREF="node19.html">Output format</A>
  <B> <A NAME="tex2html415" |
| 28e73e95 |
HREF="node1.html">Contents</A></B>
<!--End of Navigation Panel-->
<ADDRESS>
Tomasz Kojm |
| 5def21ff |
2003-11-11 |
| 28e73e95 |
</ADDRESS>
</BODY>
</HTML> |