@@ -1,3 +1,7 @@

+Thu Feb 25 17:20:27 CET 2010 (tk)

+---------------------------------

+ * docs: update signatures.pdf

+

 Tue Feb 16 16:41:30 CET 2010 (tk)

 ---------------------------------

  * libclamav/cvd.c: enable new dsig check for main db

Binary files a/docs/signatures.pdf and b/docs/signatures.pdf differ

@@ -38,8 +38,8 @@ JVh4vYmW8mZ62ZHYMlM903TMZFg5hZIxcjQB3SX0TapdF1SFNzoWjsyH53eXvMDY

 eaPVNe2ccXLfEegoda4xU2TezbGfbSEGoU1qolyQYLX674sNA2Ni6l6/CEKYYh

 Verification OK.

     \end{verbatim}

-    The ClamAV project distributes two CVD files: \emph{main.cvd} and

-    \emph{daily.cvd}.

+    The ClamAV project distributes a number of CVD files, including

+    \emph{main.cvd} and \emph{daily.cvd}.

     \section{Signature formats}

@@ -52,7 +52,7 @@ zolw@localhost:/tmp/test$ sigtool --md5 test.exe > test.hdb

 zolw@localhost:/tmp/test$ cat test.hdb 

 48c4533230e1ae1c118c741c0db19dfb:17387:test.exe

     \end{verbatim}

-    That's it! The signature is ready to use:

+    That's it! The signature is ready for use:

     \begin{verbatim}

 zolw@localhost:/tmp/test$ clamscan -d test.hdb test.exe 

 test.exe: test.exe FOUND

@@ -83,10 +83,11 @@ PESectionSize:MD5:MalwareName

     target PE sections into separate files and then run sigtool with the

     option \verb+--mdb+

-    \subsection{Hexadecimal signatures}

-    ClamAV stores all signatures in a hexadecimal format. By a hex-signature

-    here we mean a fragment of a malware's body converted into a hexadecimal

-    string which can be additionally extended with various wildcards.

+    \subsection{Body-based signatures}

+    ClamAV stores all body-based signatures in a hexadecimal format. In this

+    section by a hex-signature we mean a fragment of malware's body converted

+    into a hexadecimal string which can be additionally extended using various

+    wildcards.

     \subsubsection{Hexadecimal format}

     You can use \verb+sigtool --hex-dump+ to convert any data into a hex-string:

@@ -97,7 +98,7 @@ How do I look in hex?

     \end{verbatim}

     \subsubsection{Wildcards}

-    ClamAV supports the following extensions inside hex signatures:

+    ClamAV supports the following extensions for hex-signatures:

     \begin{itemize}

 	\item \verb+??+\\

 	Match any byte.

@@ -122,11 +123,15 @@ How do I look in hex?

 	\item \verb+(aa|bb|cc|..)+\\

 	Match aa or bb or cc..

 	\item \verb+!(aa|bb|cc|..)+\\

-	Match any byte except aa and bb and cc..

+	Match any byte except aa and bb and cc.. (ClamAV$\ge$0.96)

 	\item \verb+HEXSIG[x-y]aa+ or \verb+aa[x-y]HEXSIG+\\

 	Match aa anchored to a hex-signature, see

 	\url{https://wwws.clamav.net/bugzilla/show_bug.cgi?id=776} for

-	a discussion and examples.

+	discussion and examples.

+	\item \verb+(B)+\\

+	Match word boundary (including file boundaries).

+	\item \verb+(L)+\\

+	Match CR, CRLF or file boundaries.

     \end{itemize}

     The range signatures \verb+*+ and \verb+{}+ virtually separate

     a hex-signature into two parts, eg. \verb+aabbcc*bbaacc+ is treated

@@ -168,7 +173,7 @@ MalwareName:TargetType:Offset:HexSignature[:MinEngineFunctionalityLevel:[Max]]

 	\item 5 = Graphics

 	\item 6 = ELF

 	\item 7 = ASCII text file (normalized)

-	\item 8 = Disassembler data

+	\item 8 = Unused

 	\item 9 = Mach-O files

     \end{itemize}

     And	\verb+Offset+ is an asterisk or a decimal number \verb+n+ possibly

@@ -226,6 +231,15 @@ Subsig1;Subsig2;...

 	\item \verb+SubsigN+ is n-th subsignature in extended format possibly

 	preceded with an offset. There can be specified up to 64 subsigs.

     \end{itemize}

+    Keywords used in \verb+TargetDescriptionBlock+:

+    \begin{itemize}

+	\item \verb+Target:X+: Target file type

+	\item \verb+Engine:X-Y+: Required engine functionality (range; 0.96)

+	\item \verb+FileSize:X-Y+: Required file size (range in bytes; 0.96)

+	\item \verb+EntryPoint+: Entry point offset (range in bytes; 0.96)

+	\item \verb+NumberOfSections+: Required number of sections in executable (range; 0.96)

+	\item \verb+Container:CL_TYPE_*+: File type of the container which stores the scanned file

+    \end{itemize}

     Modifiers for subexpressions:

     \begin{itemize}

 	\item \verb+A=X+: If the SUB-EXPRESSION A refers to a single signature

@@ -265,11 +279,53 @@ f2aef7d14951684cf04100e8110a00;S2+78:22??232c2d252229{-15}6e6573

 (63|64)61706528;S+50:68efa311c3b9963cb1ee8e586d32aeb9043e;f9c58d

 cf43987e4f519d629b103375;SL+550:6300680065005c0046006900

     \end{verbatim}

+    ClamAV 0.96 introduced support for special macro subsignatures in

+    the following format: \verb+${min-max}MACROID$+, where \verb+MACROID+

+    points to a group of signatures and \verb+{min-max}+ specifies the

+    offset range at which one of the group signatures should match.

+    The range is calculated against the match offset of the previous

+    subsignature. The macro subsignature makes its preceding subsignature

+    considered a match only if both of them get matched. For more

+    information and examples please see

+    \url{https://wwws.clamav.net/bugzilla/show_bug.cgi?id=164}.

+

+    \subsection{Signatures based on container metadata}

+    ClamAV 0.96 allows creating generic signatures matching files stored

+    inside different container types which meet specific conditions.

+    The signature format is

+\begin{verbatim}

+VirusName:ContainerType:ContainerSize:FileNameREGEX:FileSizeInContainer:

+FileSizeReal:IsEncrypted:FilePos:Res1:Res2[:MinFL[:MaxFL]]

+\end{verbatim}

+    where the corresponding fields are:

+    \begin{itemize}

+	\item \verb+VirusName:+ Virus name to be displayed when signature matches

+	\item \verb+ContainerType:+ one of \verb+CL_TYPE_ZIP+, \verb+CL_TYPE_RAR+,

+	\verb+CL_TYPE_ARJ+, \verb+CL_TYPE_CAB+, \verb+CL_TYPE_7Z+,

+	\verb+CL_TYPE_MAIL+, \verb+CL_TYPE_(POSIX|OLD)_TAR+,

+	\verb+CL_TYPE_CPIO_(OLD|ODC|NEWC|CRC)+ or \verb+*+ to match

+	any of the container types listed here

+	\item \verb+ContainerSize:+ size of the container file itself (eg. size of

+	the zip archive) specified in bytes as absolute value or range \verb+x-y+

+	\item \verb+FileNameREGEX:+ regular expression describing name of the target file

+	\item \verb+FileSizeInContainer:+ usually compressed size; for MAIL, TAR and CPIO ==

+	\verb+FileSizeReal+; specified in bytes as absolute value or range

+	\item \verb+FileSizeReal:+ usually uncompressed size; for MAIL, TAR and CPIO ==

+	\verb+FileSizeInContainer+; absolute value or range

+	\item \verb+IsEncrypted+: 1 if the target file is encrypted, 0 if it's not and

+	\verb+*+ to ignore

+	\item \verb+FilePos+: file position in container (counting from 1); absolute value

+	or range

+	\item \verb+Res1+: when \verb+ContainerType+ is \verb+CL_TYPE_ZIP+ or

+	\verb+CL_TYPE_RAR+ this field is treated as a CRC sum of the target file

+	specified in hexadecimal format; for other container types it's ignored

+	\item \verb+Res2+: not used as of ClamAV 0.96

+    \end{itemize}

+    The signatures for container files are stored inside \verb+.cdb+ files.

-    \subsection{Signatures based on archive metadata}

-    Signatures based on metadata inside archive files can provide an effective

-    protection against malware that spreads via encrypted zip or rar

-    archives. The format of a metadata signature is:

+    \subsection{Signatures based on ZIP/RAR metadata (obsolete)}

+    The (now obsolete) archive metadata signatures can be only applied

+    to ZIP and RAR files and have the following format:

 \begin{verbatim}

 virname:encrypted:filename:normal size:csize:crc32:cmethod:fileno:max depth

 \end{verbatim}

@@ -293,11 +349,16 @@ virname:encrypted:filename:normal size:csize:crc32:cmethod:fileno:max depth

     it inside a database file with the extension of \verb+.fp+.\\

     \noindent

-    To whitelist a specific signature inside main.cvd add the following

-    entry into daily.ign or a local file local.ign:

+    To whitelist a specific signature from the database you just add

+    its name into a local file called local.ign2 stored inside the

+    database directory. You can additionally follow the signature name

+    with the MD5 of the entire database entry for this signature, eg:

 \begin{verbatim}

-db_name:line_number:signature_name

+Eicar-Test-Signature:bc356bae4c42f19a3de16e333ba3569c

 \end{verbatim}

+    In such a case, the signature will no longer be whitelisted when

+    its entry in the database gets modified (eg. the signature gets

+    updated to avoid false alerts).

     \subsection{Signature names}

     ClamAV uses the following prefixes for signature names:

@@ -326,7 +387,8 @@ db_name:line_number:signature_name

     \end{itemize}

     Important rules of the naming convention:

     \begin{itemize}

-	\item always use a -zippwd suffix in the malware name for signatures of	      type zmd,

+	\item always use a -zippwd suffix in the malware name for signatures

+	      of type zmd,

 	\item always use a -rarpwd suffix in the malware name for signatures

 	      of type rmd,

 	\item only use alphanumeric characters, dash (-), dot (.), underscores