clamav-devel/docs/html/node25.html
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
 
 <!--Converted with LaTeX2HTML 2K.1beta (1.48)
 original version by:  Nikos Drakos, CBLU, University of Leeds
 * revised and updated by:  Marcus Hennecke, Ross Moore, Herb Swan
 * with significant contributions from:
   Jens Lippmann, Marek Rouchal, Martin Wilck and others -->
 <HTML>
 <HEAD>
 <TITLE>Signature Tool</TITLE>
 <META NAME="description" CONTENT="Signature Tool">
 <META NAME="keywords" CONTENT="clamdoc">
 <META NAME="resource-type" CONTENT="document">
 <META NAME="distribution" CONTENT="global">
 
 <META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1">
 <META NAME="Generator" CONTENT="LaTeX2HTML v2K.1beta">
 <META HTTP-EQUIV="Content-Style-Type" CONTENT="text/css">
 
 <LINK REL="STYLESHEET" HREF="clamdoc.css">
 
 <LINK REL="previous" HREF="node24.html">
 <LINK REL="up" HREF="node18.html">
 <LINK REL="next" HREF="node26.html">
 </HEAD>
 
 <BODY >
 <!--Navigation Panel-->
 <A NAME="tex2html645"
   HREF="node26.html">
 <IMG WIDTH="37" HEIGHT="24" ALIGN="BOTTOM" BORDER="0" ALT="next"
  SRC="/usr/share/latex2html/icons/next.png"></A> 
 <A NAME="tex2html641"
   HREF="node18.html">
 <IMG WIDTH="26" HEIGHT="24" ALIGN="BOTTOM" BORDER="0" ALT="up"
  SRC="/usr/share/latex2html/icons/up.png"></A> 
 <A NAME="tex2html637"
   HREF="node24.html">
 <IMG WIDTH="63" HEIGHT="24" ALIGN="BOTTOM" BORDER="0" ALT="previous"
  SRC="/usr/share/latex2html/icons/prev.png"></A> 
 <A NAME="tex2html643"
   HREF="node1.html">
 <IMG WIDTH="65" HEIGHT="24" ALIGN="BOTTOM" BORDER="0" ALT="contents"
  SRC="/usr/share/latex2html/icons/contents.png"></A>  
 <BR>
 <B> Next:</B> <A NAME="tex2html646"
   HREF="node26.html">Problem solving</A>
 <B> Up:</B> <A NAME="tex2html642"
   HREF="node18.html">Usage</A>
 <B> Previous:</B> <A NAME="tex2html638"
   HREF="node24.html">Output format</A>
  &nbsp; <B>  <A NAME="tex2html644"
   HREF="node1.html">Contents</A></B> 
 <BR>
 <BR>
 <!--End of Navigation Panel-->
 
 <H2><A NAME="SECTION00047000000000000000">
 Signature Tool</A>
 </H2>
     <I>sigtool</I> automates signature creation. If you have an infected
     file that ClamAV does not recognize, and another console-based anti-virus
     scanner detects the virus, you can try to generate the signature
     automatically. <A NAME="tex2html77"
   HREF="footnode.html#foot461"><SUP>6</SUP></A> <I>Sigtool is only
     partially useful because it only detects the last part of a real
     signature. It will fail for multipart signatures (and especially for
     polymorphic viruses).</I>
     Example usage: create a random file (with any content) and insert the
     contents of the <code>test/test1</code> file into it. We will use <I>clamscan</I>
     to generate the signature. Remember that this is only an example: in real
     life you don't need such tricks, just an infected file. Scan it with
     <code>clamscan --stdout testfile</code>; the output should be:
     <PRE>
 	testfile: ClamAV-Test-Signature FOUND
 
 	----------- SCAN SUMMARY -----------
 	Known viruses: 21074
 	Scanned directories: 0
 	Scanned files: 1
 	Data scanned: 0.95 MB
 	Infected files: 1
 	I/O buffer size: 131072 bytes
 	Time: 1.245 sec (0 m 0 s)
 </PRE>
     The unique string in this output is "ClamAV-Test-Signature", so run
     <I>sigtool</I> with the following arguments:
     <PRE>
 	$ sigtool -c "clamscan --stdout" -f testfile -s "ClamAV-Test"
 </PRE>
     The program concatenates the arguments of <code>-c (--command)</code> and
     <code>-f (--file)</code>, which is why the scanner's options must be given in the
     proper order. When it finishes, it generates a file called <I>testfile.sig</I>,
     which should be 100 bytes in size (in our example). It contains the proper
     signature.
     <PRE>
 	Detected, decreasing end 20051 -&gt; 16040
 	Detected, decreasing end 16040 -&gt; 12029
 	Detected, decreasing end 12029 -&gt; 8018
 	Not detected at 8018, moving forward.
 	Detected, decreasing end 10024 -&gt; 8018
 	Not detected at 8018, moving forward.
 	Detected, decreasing end 9021 -&gt; 8018
 	Not detected at 8018, moving forward.
 	Not detected at 8520, moving forward.
 	Detected, decreasing end 8771 -&gt; 8520
 	Not detected at 8520, moving forward.
 	Not detected at 8646, moving forward.
 	Not detected at 8709, moving forward.
 	Detected, decreasing end 8741 -&gt; 8709
 	Not detected at 8709, moving forward.
 	Not detected at 8725, moving forward.
 	Detected, decreasing end 8733 -&gt; 8725
 	Not detected at 8725, moving forward.
 	Not detected at 8729, moving forward.
 	Detected, decreasing end 8731 -&gt; 8729
 	Not detected at 8729, moving forward.
 	Detected, decreasing end 8730 -&gt; 8729
 	Not detected at 8729, moving forward.
 	Increasing end 8729 -&gt; 8730
 	 *** Signature end found at 8730
 	Detected at 8680, moving forward.
 	Detected at 8680, moving forward.
 	Not detected, moving backward 8693 -&gt; 8680
 	Detected at 8680, moving forward.
 	Not detected, moving backward 8687 -&gt; 8680
 	Detected at 8680, moving forward.
 	Not detected, moving backward 8684 -&gt; 8680
 	Detected at 8680, moving forward.
 	Not detected, moving backward 8682 -&gt; 8680
 	Detected at 8680, moving forward.
 	Not detected, moving backward 8681 -&gt; 8680
 	Detected at 8680, moving forward.
 	Not detected, moving backward 8681 -&gt; 8680
 	Detected at 8680, moving forward.
 	Moving forward 8680 -&gt; 8681
 	 *** Signature start found at 8681
 
 	The scanner was executed 33 times.
 	The signature length is 49 (98 hex)
 	Saving signature in testfile.sig file.
 	Saving binary signature in testfile.bsig file.
 </PRE>
     To make the generated signature complete, you only need to add the
     <code>VirusName=</code> string at the beginning of the hexadecimal signature in
     testfile.sig.
 <BR>    <I><B>TIP:</B> ClamAV scanners read all .db files in the database
     directory. You can create your own database files (e.g. local.db) and they
     won't be modified by freshclam!</I>
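 <P>
 The search traced in the output above, as an added example that is not sigtool's own code: a plain bisection that first shrinks the end of the file and then advances the start, asking a detector after every cut. The <code>CountingScanner</code> class, the constructed 49-byte marker and the sample file layout (20051 bytes, marker at offset 8681) are assumptions chosen to mirror the numbers in the trace; the real tool runs the external scanner command on each truncated copy instead.

```python
# Constructed 49-byte marker standing in for the bytes a scanner keys on.
MARKER = bytes(range(0x30, 0x30 + 49))


def make_sample(size=20051, offset=8681):
    """Constructed test file: filler bytes (values 0..6) with MARKER at `offset`."""
    filler = bytes(i % 7 for i in range(size))
    return filler[:offset] + MARKER + filler[offset + len(MARKER):]


class CountingScanner:
    """Hypothetical oracle replacing 'run the scanner and look for the virus name'."""

    def __init__(self, pattern):
        self.pattern = pattern
        self.runs = 0

    def detects(self, chunk):
        self.runs += 1
        return self.pattern in chunk


def isolate_signature(data, scanner):
    """Return (start, end) of the smallest slice that is still detected."""
    if not scanner.detects(data):
        raise ValueError("scanner does not detect the unmodified file")
    lo, hi = 0, len(data)      # data[:lo] is clean, data[:hi] is detected
    while hi - lo > 1:
        mid = (lo + hi) // 2
        if scanner.detects(data[:mid]):
            hi = mid           # still detected: the end can move down
        else:
            lo = mid           # lost detection: the end lies further on
    end = hi
    lo, hi = 0, end            # data[lo:end] is detected, data[hi:end] is clean
    while hi - lo > 1:
        mid = (lo + hi) // 2
        if scanner.detects(data[mid:end]):
            lo = mid           # still detected: the start can move up
        else:
            hi = mid           # cut into the signature: move back
    return lo, end


def to_db_line(virus_name, signature):
    """Prefix the hex signature with 'VirusName=' as described above."""
    return f"{virus_name}={signature.hex()}"
```

 Because each cut assumes one contiguous pattern, a detection that depends on several separate parts of the file yields only the last part, which is the limitation the note above describes.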
 
 <P>
 <HR>
 <ADDRESS>
 Tomasz Kojm
 2004-06-14
 </ADDRESS>
 </BODY>
 </HTML>