1. clamav-devel
  2. clamav-devel
  3. docs
  4. html
  5. node25.html
Raw Blame History 
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">

<!--Converted with LaTeX2HTML 2K.1beta (1.48)
original version by:  Nikos Drakos, CBLU, University of Leeds
* revised and updated by:  Marcus Hennecke, Ross Moore, Herb Swan
* with significant contributions from:
  Jens Lippmann, Marek Rouchal, Martin Wilck and others -->
<HTML>
<HEAD>
<TITLE>Signature Tool</TITLE>
<META NAME="description" CONTENT="Signature Tool">
<META NAME="keywords" CONTENT="clamdoc">
<META NAME="resource-type" CONTENT="document">
<META NAME="distribution" CONTENT="global">

<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1">
<META NAME="Generator" CONTENT="LaTeX2HTML v2K.1beta">
<META HTTP-EQUIV="Content-Style-Type" CONTENT="text/css">

<LINK REL="STYLESHEET" HREF="clamdoc.css">

<LINK REL="previous" HREF="node24.html">
<LINK REL="up" HREF="node18.html">
<LINK REL="next" HREF="node26.html">
</HEAD>

<BODY >
<!--Navigation Panel-->
<A NAME="tex2html645"
  HREF="node26.html">
<IMG WIDTH="37" HEIGHT="24" ALIGN="BOTTOM" BORDER="0" ALT="next"
 SRC="/usr/share/latex2html/icons/next.png"></A> 
<A NAME="tex2html641"
  HREF="node18.html">
<IMG WIDTH="26" HEIGHT="24" ALIGN="BOTTOM" BORDER="0" ALT="up"
 SRC="/usr/share/latex2html/icons/up.png"></A> 
<A NAME="tex2html637"
  HREF="node24.html">
<IMG WIDTH="63" HEIGHT="24" ALIGN="BOTTOM" BORDER="0" ALT="previous"
 SRC="/usr/share/latex2html/icons/prev.png"></A> 
<A NAME="tex2html643"
  HREF="node1.html">
<IMG WIDTH="65" HEIGHT="24" ALIGN="BOTTOM" BORDER="0" ALT="contents"
 SRC="/usr/share/latex2html/icons/contents.png"></A>  
<BR>
<B> Next:</B> <A NAME="tex2html646"
  HREF="node26.html">Problem solving</A>
<B> Up:</B> <A NAME="tex2html642"
  HREF="node18.html">Usage</A>
<B> Previous:</B> <A NAME="tex2html638"
  HREF="node24.html">Output format</A>
 &nbsp <B>  <A NAME="tex2html644"
  HREF="node1.html">Contents</A></B> 
<BR>
<BR>
<!--End of Navigation Panel-->

<H2><A NAME="SECTION00047000000000000000">
Signature Tool</A>
</H2>
    <I>sigtool</I> automates signature creation. If you have got an infected
    file not recognized by ClamAV and there is an another anti-virus scanner
    working in a console that detects the virus you can try to generate
    the signature automatically. <A NAME="tex2html77"
  HREF="footnode.html#foot461"><SUP>6</SUP></A> <I>Sigtool is only
    partially useful because it only detects the last part of a real
    signature. It will fail for multipart signatures (and especially for
    polymorphic viruses).</I>
    Example usage: create a random file (with any content) and insert the
    <code>test/test1</code> file content into it. We will use <I>clamscan</I>
    to generate the signature. Remember this is only an example - in a real
    life you don't need such tricks - just an infected file. Scan it with
    <code>clamscan --stdout testfile</code> - the output should be:
    <PRE>
	testfile: ClamAV-Test-Signature FOUND

	----------- SCAN SUMMARY -----------
	Known viruses: 21074
	Scanned directories: 0
	Scanned files: 1
	Data scanned: 0.95 MB
	Infected files: 1
	I/O buffer size: 131072 bytes
	Time: 1.245 sec (0 m 0 s)
</PRE>
    The unique string in this output is "ClamAV-Test-Signature" so run
    <I>sigtool</I> with the following arguments:
    <PRE>
	$ sigtool -c "clamscan --stdout" -f testfile -s "ClamAV-Test"
</PRE>
    The program will concatenate arguments for <code>-c (--command)</code> and
    <code>-f (--file)</code> that's why the scanner's options must be given in the
    proper order. At the end it will generate a file called <I>testfile.sig</I>,
    which should be 100 bytes in size (in our example). It contains the proper
    signature.
    <PRE>
	Detected, decreasing end 20051 -&gt; 16040
	Detected, decreasing end 16040 -&gt; 12029
	Detected, decreasing end 12029 -&gt; 8018
	Not detected at 8018, moving forward.
	Detected, decreasing end 10024 -&gt; 8018
	Not detected at 8018, moving forward.
	Detected, decreasing end 9021 -&gt; 8018
	Not detected at 8018, moving forward.
	Not detected at 8520, moving forward.
	Detected, decreasing end 8771 -&gt; 8520
	Not detected at 8520, moving forward.
	Not detected at 8646, moving forward.
	Not detected at 8709, moving forward.
	Detected, decreasing end 8741 -&gt; 8709
	Not detected at 8709, moving forward.
	Not detected at 8725, moving forward.
	Detected, decreasing end 8733 -&gt; 8725
	Not detected at 8725, moving forward.
	Not detected at 8729, moving forward.
	Detected, decreasing end 8731 -&gt; 8729
	Not detected at 8729, moving forward.
	Detected, decreasing end 8730 -&gt; 8729
	Not detected at 8729, moving forward.
	Increasing end 8729 -&gt; 8730
	 *** Signature end found at 8730
	Detected at 8680, moving forward.
	Detected at 8680, moving forward.
	Not detected, moving backward 8693 -&gt; 8680
	Detected at 8680, moving forward.
	Not detected, moving backward 8687 -&gt; 8680
	Detected at 8680, moving forward.
	Not detected, moving backward 8684 -&gt; 8680
	Detected at 8680, moving forward.
	Not detected, moving backward 8682 -&gt; 8680
	Detected at 8680, moving forward.
	Not detected, moving backward 8681 -&gt; 8680
	Detected at 8680, moving forward.
	Not detected, moving backward 8681 -&gt; 8680
	Detected at 8680, moving forward.
	Moving forward 8680 -&gt; 8681
	 *** Signature start found at 8681

	The scanner was executed 33 times.
	The signature length is 49 (98 hex)
	Saving signature in testfile.sig file.
	Saving binary signature in testfile.bsig file.
</PRE>
    To make the generated signature complete you only to add the
    <code>VirusName=</code> string at the beginning of the hexadecimal signature in
    testfile.sig.
<BR>    <I><B>TIP:</B> ClamAV scanners read all .db files in the database
    directory. You can create your own database files (e.g. local.db) and they
    won't be modified by freshclam !</I>

<P>
<HR>
<!--Navigation Panel-->
<A NAME="tex2html645"
  HREF="node26.html">
<IMG WIDTH="37" HEIGHT="24" ALIGN="BOTTOM" BORDER="0" ALT="next"
 SRC="/usr/share/latex2html/icons/next.png"></A> 
<A NAME="tex2html641"
  HREF="node18.html">
<IMG WIDTH="26" HEIGHT="24" ALIGN="BOTTOM" BORDER="0" ALT="up"
 SRC="/usr/share/latex2html/icons/up.png"></A> 
<A NAME="tex2html637"
  HREF="node24.html">
<IMG WIDTH="63" HEIGHT="24" ALIGN="BOTTOM" BORDER="0" ALT="previous"
 SRC="/usr/share/latex2html/icons/prev.png"></A> 
<A NAME="tex2html643"
  HREF="node1.html">
<IMG WIDTH="65" HEIGHT="24" ALIGN="BOTTOM" BORDER="0" ALT="contents"
 SRC="/usr/share/latex2html/icons/contents.png"></A>  
<BR>
<B> Next:</B> <A NAME="tex2html646"
  HREF="node26.html">Problem solving</A>
<B> Up:</B> <A NAME="tex2html642"
  HREF="node18.html">Usage</A>
<B> Previous:</B> <A NAME="tex2html638"
  HREF="node24.html">Output format</A>
 &nbsp <B>  <A NAME="tex2html644"
  HREF="node1.html">Contents</A></B> 
<!--End of Navigation Panel-->
<ADDRESS>
Tomasz Kojm
2004-06-14
</ADDRESS>
</BODY>
</HTML>