\documentclass[a4paper,titlepage,12pt]{article}
 \usepackage{amssymb}
 \usepackage{pslatex}
 \usepackage[dvips]{graphicx}
 \usepackage{wrapfig}
 \usepackage{url}
 \date{}
 
 \begin{document}
 
     \begin{center}
 	\huge Creating signatures for ClamAV\\
 	\vspace{2cm}
     \end{center}
 
     \noindent
     \section{Introduction}

     CVD (ClamAV Virus Database) is a digitally signed container that
     includes signature databases in various text formats. The header
     of the container is a 512 bytes long string with colon separated fields:

     \begin{verbatim}
 ClamAV-VDB:build time:version:number of signatures:functionality

 level required:MD5 checksum:digital signature:builder name:build
 time (sec)

     \end{verbatim}

     \verb+sigtool --info+ displays detailed information about a given CVD file:

     \begin{verbatim}
 zolw@localhost:/usr/local/share/clamav$ sigtool -i main.cvd

 File: main.cvd
 Build time: 09 Dec 2007 15:50 +0000
 Version: 45
 Signatures: 169676
 Functionality level: 21
 Builder: sven
 MD5: b35429d8d5d60368eea9630062f7c75a
 Digital signature: dxsusO/HWP3/GAA7VuZpxYwVsE9b+tCk+tPN6OyjVF/U8
 JVh4vYmW8mZ62ZHYMlM903TMZFg5hZIxcjQB3SX0TapdF1SFNzoWjsyH53eXvMDY
 eaPVNe2ccXLfEegoda4xU2TezbGfbSEGoU1qolyQYLX674sNA2Ni6l6/CEKYYh

 Verification OK.
     \end{verbatim}

     The ClamAV project distributes two CVD files: \emph{main.cvd} and
     \emph{daily.cvd}.

     \section{Signature formats}

 
     \subsection{MD5}

     The easiest way to create signatures for ClamAV is to use MD5 checksums,
     however this method can be only used against static malware. To create
     a signature for \verb+test.exe+ use the \verb+--md5+ option of sigtool:

     \begin{verbatim}
 zolw@localhost:/tmp/test$ sigtool --md5 test.exe > test.hdb
 zolw@localhost:/tmp/test$ cat test.hdb 
 48c4533230e1ae1c118c741c0db19dfb:17387:test.exe
     \end{verbatim}
     That's it! The signature is ready to use:
     \begin{verbatim}
 zolw@localhost:/tmp/test$ clamscan -d test.hdb test.exe 
 test.exe: test.exe FOUND
 
 ----------- SCAN SUMMARY -----------
 Known viruses: 1
 Scanned directories: 0

 Engine version: 0.92.1

 Scanned files: 1
 Infected files: 1
 Data scanned: 0.02 MB
 Time: 0.024 sec (0 m 0 s)
     \end{verbatim}

     You can change the name (by default sigtool uses the name of the file)
     and place it inside a \verb+*.hdb+ file. A single database file can
     include any number of signatures. To get them automatically loaded
     each time clamscan/clamd starts just copy the database file(s) into
     the local virus database directory (eg. /usr/local/share/clamav).

     \subsection{MD5, PE section based}

     You can create a MD5 signature for a specific section in a PE file.
     Such signatures shall be stored inside \verb+.mdb+ files in the
     following format:

     \begin{verbatim}
 PESectionSize:MD5:MalwareName
     \end{verbatim}

     The easiest way to generate MD5 based section signatures is to extract
     target PE sections into separate files and then run sigtool with the
     option \verb+--mdb+

     \subsection{Hexadecimal signatures}

     ClamAV stores all signatures in a hexadecimal format. By a hex-signature
     here we mean a fragment of a malware's body converted into a hexadecimal
     string which can be additionally extended with various wildcards.

 
     \subsubsection{Hexadecimal format}

     You can use \verb+sigtool --hex-dump+ to convert any data into a hex-string:

     \begin{verbatim}
 zolw@localhost:/tmp/test$ sigtool --hex-dump
 How do I look in hex?
 486f7720646f2049206c6f6f6b20696e206865783f0a
     \end{verbatim}
 
     \subsubsection{Wildcards}
     ClamAV supports the following extensions inside hex signatures:
     \begin{itemize}
 	\item \verb+??+\\
 	Match any byte.

 	\item \verb+a?+\\

 	Match a high nibble (the four high bits).\\ \textbf{IMPORTANT NOTE:}

 	The nibble matching is only available in libclamav with the
 	functionality level 17 and higher therefore please only use it with
 	.ndb signatures followed by ":17" (MinEngineFunctionalityLevel,
 	see \ref{ndb}).

 	\item \verb+?a+\\

 	Match a low nibble (the four low bits).

 	\item \verb+*+\\
 	Match any number of bytes.
 	\item \verb+{n}+\\

 	Match $n$ bytes.

 	\item \verb+{-n}+\\

 	Match $n$ or less bytes.

 	\item \verb+{n-}+\\

 	Match $n$ or more bytes.
 	\item \verb+{n-m}+\\
 	Match between $n$ and $m$ bytes ($m > n$).

 	\item \verb+(aa|bb|cc|..)+\\
 	Match aa or bb or cc..
 	\item \verb+HEXSIG[x-y]aa+ or \verb+aa[x-y]HEXSIG+\\
 	Match aa anchored to a hex-signature, see
 	\url{https://wwws.clamav.net/bugzilla/show_bug.cgi?id=776} for
 	a discussion and examples.

     \end{itemize}

     The range signatures \verb+*+ and \verb+{}+ virtually separate
     a hex-signature into two parts, eg. \verb+aabbcc*bbaacc+ is treated
     as two sub-signatures \verb+aabbcc+ and \verb+bbaacc+ with any number
     of bytes between them. It's a requirement that each sub-signature
     includes a block of two static characters somewhere in its body.

 
     \subsubsection{Basic signature format}

     The simplest (and now deprecated) signature format is:

     \begin{verbatim}
 MalwareName=HexSignature
     \end{verbatim}

     ClamAV will scan the entire file looking for HexSignature. All
     signatures of this type must be placed inside \verb+*.db+ files.

     \subsubsection{Extended signature format}\label{ndb}

     The extended signature format allows for specification of additional
     information such as a target file type, virus offset or engine version,
     making the detection more reliable. The format is:

     \begin{verbatim}
 MalwareName:TargetType:Offset:HexSignature[:MinEngineFunctionalityLevel:[Max]]
     \end{verbatim}

     where \verb+TargetType+ is one of the following numbers specifying
     the type of the target file:

     \begin{itemize}
 	\item 0 = any file

 	\item 1 = Portable Executable, both 32- and 64-bit.
 	\item 2 = file inside OLE2 container (e.g. image, embedded executable,
 	VBA script). The OLE2 format is primarily used by MS Office and MSI
 	installation files.
 	\item 3 = HTML (normalized: whitespace transformed to spaces, tags/tag
 	attributes normalized, all lowercase), Javascript is normalized too:
 	all strings are normalized (hex encoding is decoded), numbers are
 	parsed and normalized, local variables/function names are normalized
 	to 'n001' format, argument to eval() is parsed as JS again,
 	unescape() is handled, some simple JS packers are handled,
 	output is whitespace normalized.

 	\item 4 = Mail file

 	\item 5 = Graphics

 	\item 6 = ELF

 	\item 7 = ASCII text file (normalized)

 	\item 8 = Disassembler data
 	\item 9 = Mach-O files

     \end{itemize}
     And	\verb+Offset+ is an asterisk or a decimal number \verb+n+ possibly

     combined with a special modifier:

     \begin{itemize}
 	\item \verb+*+ = any
 	\item \verb+n+ = absolute offset
 	\item \verb+EOF-n+ = end of file minus \verb+n+ bytes
     \end{itemize}

     Signatures for PE, ELF and Mach-O files additionally support:

     \begin{itemize}

 	\item \verb#EP+n# = entry point plus n bytes (\verb#EP+0# for \verb+EP+)

 	\item \verb#EP-n# = entry point minus n bytes

 	\item \verb#Sx+n# = start of section \verb+x+'s (counted from 0)

 	data plus \verb+n+ bytes

 	\item \verb#Sx-n# = start of section \verb+x+'s data minus \verb+n+ bytes

 	\item \verb#SL+n# = start of last section plus \verb+n+ bytes

 	\item \verb#SL-n# = start of last section minus \verb+n+ bytes

     \end{itemize}

     All the above offsets except \verb+*+ can be turned into
     \textbf{floating offsets} and represented as \verb+Offset,MaxShift+ where
     \verb+MaxShift+ is an unsigned integer. A floating offset will match every
     offset between \verb+Offset+ and \verb#Offset+MaxShift#, eg. \verb+10,5+
     will match all offsets from 10 to 15 and \verb#EP+n,y# will match all
     offsets from \verb#EP+n# to \verb#EP+n+y#. Versions of ClamAV older than
     0.91 will silently ignore the \verb+MaxShift+ extension and only use
     \verb+Offset+.\\
 

     \noindent

     All signatures in the extended format must be placed inside \verb+*.ndb+ files.

     \subsubsection{Logical signatures}\label{ndb}
     Logical signatures allow combining of multiple signatures in extended
     format using logical operators. They can provide both more detailed and
     flexible pattern matching. The logical sigs are stored inside \verb+*.ldb+
     files in the following format:
     \begin{verbatim}
 SignatureName;TargetDescriptionBlock;LogicalExpression;Subsig0;
 Subsig1;Subsig2;...
     \end{verbatim}
     where:
     \begin{itemize}
 	\item \verb+TargetDescriptionBlock+ provides information about the
 	engine and target file with comma separated \verb+Arg:Val+ pairs,
 	currently (as of 0.95.1) only \verb+Target:X+ and \verb+Engine:X-Y+
 	are supported.
 	\item \verb+LogicalExpression+ specifies the logical expression
 	describing the relationship between \verb+Subsig0...SubsigN+.\\
 	\textbf{Basis clause:} 0,1,...,N decimal indexes are SUB-EXPRESSIONS
 	representing \verb+Subsig0, Subsig1,...,SubsigN+ respectively.\\
 	\textbf{Inductive clause:} if \verb+A+ and \verb+B+ are
 	SUB-EXPRESSIONS and \verb+X, Y+ are decimal numbers then
 	\verb+(A&B)+, \verb+(A|B)+, \verb+A=X+, \verb+A=X,Y+, \verb+A>X+,
 	\verb+A>X,Y+, \verb+A<X+ and \verb+A<X,Y+ are SUB-EXPRESSIONS
 	\item \verb+SubsigN+ is n-th subsignature in extended format possibly
 	preceded with an offset. There can be specified up to 64 subsigs.
     \end{itemize}
     Modifiers for subexpressions:
     \begin{itemize}
 	\item \verb+A=X+: If the SUB-EXPRESSION A refers to a single signature
 	then this signature must get matched exactly X times; if it refers to
 	a (logical) block of signatures then this block must generate exactly
 	X matches (with any of its sigs).
 	\item \verb+A=0+ specifies negation (signature or block of signatures
 	cannot be matched)
 	\item \verb+A=X,Y+: If the SUB-EXPRESSION A refers to a single signature
 	then this signature must be matched exactly X times; if it refers to
 	a (logical) block of signatures then this block must generate X matches
 	and at least Y different signatures must get matched.
 	\item \verb+A>X+: If the SUB-EXPRESSION A refers to a single signature
 	then this signature must get matched more than X times; if it refers to
 	a (logical) block of signatures then this block must generate more
 	than X matches (with any of its sigs).
 	\item \verb+A>X,Y+: If the SUB-EXPRESSION A refers to a single signature
 	then this signature must get matched more than X times; if it refers to
 	a (logical) block of signatures then this block must generate more than
 	X matches and at least Y different signatures must be matched.
 	\item \verb+A<X+ and \verb+A<X,Y+ as above with the change of "more"
 	to "less".
     \end{itemize}
     Examples:
     \begin{verbatim}
 Sig1;Target:0;(0&1&2&3)&(4|1);6b6f74656b;616c61;7a6f6c77;7374656
 6616e;deadbeef
 
 Sig2;Target:0;((0|1|2)>5,2)&(3|1);6b6f74656b;616c61;7a6f6c77;737
 46566616e  
 
 Sig3;Target:0;((0|1|2|3)=2)&(4|1);6b6f74656b;616c61;7a6f6c77;737
 46566616e;deadbeef
 
 Sig4;Target:1,Engine:18-20;((0|1)&(2|3))&4;EP+123:33c06834f04100
 f2aef7d14951684cf04100e8110a00;S2+78:22??232c2d252229{-15}6e6573
 (63|64)61706528;S+50:68efa311c3b9963cb1ee8e586d32aeb9043e;f9c58d
 cf43987e4f519d629b103375;SL+550:6300680065005c0046006900
     \end{verbatim}
 

     \subsection{Signatures based on archive metadata}

     Signatures based on metadata inside archive files can provide an effective
     protection against malware that spreads via encrypted zip or rar
     archives. The format of a metadata signature is:

 \begin{verbatim}
 virname:encrypted:filename:normal size:csize:crc32:cmethod:fileno:max depth
 \end{verbatim}

     where the corresponding fields are:

     \begin{itemize}
 	\item Virus name
 	\item Encryption flag (1 -- encrypted, 0 -- not encrypted)

 	\item File name (this is a regular expression - * to ignore)

 	\item Normal (uncompressed) size (* to ignore)
 	\item Compressed size (* to ignore)
 	\item CRC32 (* to ignore)
 	\item Compression method (* to ignore)
 	\item File position in archive (* to ignore)
 	\item Maximum number of nested archives (* to ignore)
     \end{itemize}

     The database file should have the extension of \verb+.zmd+ or
     \verb+.rmd+ for zip or rar metadata respectively.

     \subsection{Whitelist databases}

     To whitelist a specific file use the MD5 signature format and place

     it inside a database file with the extension of \verb+.fp+.\\
 
     \noindent
     To whitelist a specific signature inside main.cvd add the following
     entry into daily.ign or a local file local.ign:
 \begin{verbatim}
 db_name:line_number:signature_name
 \end{verbatim}

 
     \subsection{Signature names}

     ClamAV uses the following prefixes for signature names:

     \begin{itemize}
 	\item \emph{Worm} for Internet worms
 	\item \emph{Trojan} for backdoor programs

 	\item \emph{Adware} for adware
 	\item \emph{Flooder} for flooders
         \item \emph{HTML} for HTML files
         \item \emph{Email} for email messages
         \item \emph{IRC} for IRC trojans

 	\item \emph{JS} for Java Script malware

 	\item \emph{PHP} for PHP malware
 	\item \emph{ASP} for ASP malware

 	\item \emph{VBS} for VBS malware

 	\item \emph{BAT} for BAT malware

 	\item \emph{W97M}, \emph{W2000M} for Word macro viruses
 	\item \emph{X97M}, \emph{X2000M} for Excel macro viruses

 	\item \emph{O97M}, \emph{O2000M} for generic Office macro viruses

 	\item \emph{DoS} for Denial of Service attack software

 	\item \emph{DOS} for old DOS malware

 	\item \emph{Exploit} for popular exploits
 	\item \emph{VirTool} for virus construction kits
 	\item \emph{Dialer} for dialers
 	\item \emph{Joke} for hoaxes
     \end{itemize}

     Important rules of the naming convention:
     \begin{itemize}

 	\item always use a -zippwd suffix in the malware name for signatures of	      type zmd,
 	\item always use a -rarpwd suffix in the malware name for signatures

 	      of type rmd,
 	\item only use alphanumeric characters, dash (-), dot (.), underscores
 	      (\_) in malware names, never use space, apostrophe or quote mark.
     \end{itemize}

 
     \section{Special files}
 
     \subsection{HTML}

     ClamAV contains a special HTML normalisation code which helps to detect

     HTML exploits. Running \verb+sigtool --html-normalise+ on a HTML file

     should generate the following files:

     \begin{itemize}

 	\item nocomment.html - the file is normalized, lower-case, with all

 	comments and superflous white space removed
 	\item notags.html - as above but with all HTML tags removed

     \end{itemize}
     The code automatically decodes JScript.encode parts and char ref's (e.g.
     \verb+f+). You need to create a signature against one of the created

     files. To eliminate potential false positive alerts the target type should
     be set to 3.
 
     \subsection{Text files}

     Similarly to HTML all ASCII text files get normalized (converted

     to lower-case, all superflous white space and control characters removed,
     etc.) before scanning. Use \verb+clamscan --leave-temps+ to obtain

     a normalized file then create a signature with the target type 7.

 
     \subsection{Compressed Portable Executable files}

     If the file is compressed with UPX, FSG, Petite or other PE packer
     supported by libclamav, run \verb+clamscan+ with
     \verb+--debug --leave-temps+. Example output for a FSG compressed file:

     \begin{verbatim}

 LibClamAV debug: UPX/FSG/MEW: empty section found - assuming compression
 LibClamAV debug: FSG: found old EP @119e0
 LibClamAV debug: FSG: Unpacked and rebuilt executable saved in
 /tmp/clamav-f592b20f9329ac1c91f0e12137bcce6c

     \end{verbatim}

     Next create a type 1 signature for \verb+/tmp/clamav-f592b20f9329ac1c91f0e12137bcce6c+

 
 \end{document}