@@ -203,7 +203,9 @@ attachment.exe: OK
\subsection{Hash-based signatures}
The easiest way to create signatures for ClamAV is to use filehash checksums,
- however this method can be only used against static malware. To create a
+ however this method can be only used against static malware.
+ \subsubsection{MD5 hash-based signatures}
+ To create a
MD5 signature for \verb+test.exe+ use the \verb+--md5+ option of sigtool:
\begin{verbatim}
zolw@localhost:/tmp/test$ sigtool --md5 test.exe > test.hdb
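Review bot: the rewrapped line `+ however this method can be only used against static malware.` keeps an awkward word order; since the line is already being touched, make it `however this method can only be used against static malware.` Splitting `To create a` onto its own line under the new `\subsubsection{MD5 hash-based signatures}` is fine for LaTeX, but consider giving the new heading a `\label` so the later SHA1/SHA256 text ("The format is the same as for MD5 file checksum") can `\ref` it rather than naming it.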
@@ -238,7 +240,7 @@ Time: 0.024 sec (0 m 0 s)
left in /tmp. Please keep in mind that a hash signature will stop
matching as soon as a single byte changes in the target file.}
- \subsection{SHA1, SHA256}
+ \subsubsection{SHA1 and SHA256 hash-based signatures}
ClamAV 0.98 has also added support for SHA1 and SHA256 file checksums.
The format is the same as for MD5 file checksum.
It can differentiate between them based on the length of the hash string
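Review bot: the level change to `\subsubsection{SHA1 and SHA256 hash-based signatures}` is consistent with the new MD5 subsubsection, but the unchanged context line `The format is the same as for MD5 file checksum.` now points at a sibling section by name only; a `\ref` to a label on the MD5 subsubsection would keep the cross-reference valid through further restructuring. Minor: "for MD5 file checksum" reads better as "for MD5 file checksums".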
@@ -248,7 +250,7 @@ Time: 0.024 sec (0 m 0 s)
HashString:FileSize:MalwareName
\end{verbatim}
- \subsection{PE section based}
+ \subsubsection{PE section based hash signatures}
You can create a hash signature for a specific section in a PE file.
Such signatures shall be stored inside \verb+.mdb+ files in the
following format:
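Review bot: style point on the new heading `+ \subsubsection{PE section based hash signatures}`: the compound modifier should be hyphenated, i.e. `PE section-based hash signatures`, to match standard usage and the "Hash-based" wording used by the sibling headings in this change. The level change itself is consistent with the other new subsubsections.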
@@ -265,7 +267,7 @@ PESectionSize:PESectionHash:MalwareName
in the signature. For best backwards compatibility, these should be
placed inside a \verb+*.msb+ file.
- \subsection{Unknown size}
+ \subsubsection{Hash signatures with unknown size}
ClamAV 0.98 has also added support for hash signatures where the size
is not known but the hash is. It is much more performance-efficient to
use signatures with specific sizes, so be cautious when using this
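Review bot: naming consistency: the other headings introduced in this change use "hash-based signatures", while `+ \subsubsection{Hash signatures with unknown size}` drops the hyphenated form; `Hash-based signatures with unknown size` would keep the set uniform. The context text ("It is much more performance-efficient to use signatures with specific sizes, so be cautious") already carries the operational caveat, so no further wording change is needed here.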
@@ -323,6 +325,11 @@ How do I look in hex?
Match aa or bb or cc..
\item \verb+!(aa|bb|cc|..)+\\
Match any byte except aa and bb and cc.. (ClamAV$\ge$0.96)
+ \item \verb+(aaaa|bbbb|cccc|..)+\\
+ Match alternative strings aaaa or bbbb or cccc. Alternative strings must have identical lengths.
+ \item \verb+!(aaaa|bbbb|cccc|..)+\\
+ Match any string except aaaa and bbbb and cccc. Alternative strings must have identical lengths.
+ (ClamAV$\ge$0.98.2)
\item \verb+HEXSIG[x-y]aa+ or \verb+aa[x-y]HEXSIG+\\
Match aa anchored to a hex-signature, see
\url{https://wwws.clamav.net/bugzilla/show_bug.cgi?id=776} for
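Review bot: the version note `+ (ClamAV$\ge$0.98.2)` sits on its own line after the negated `!(aaaa|bbbb|cccc|..)` item only, so a reader cannot tell whether the positive `(aaaa|bbbb|cccc|..)` form is also new in 0.98.2; the existing entries put the version on the description line itself (`Match any byte except aa and bb and cc.. (ClamAV$\ge$0.96)`), so append `(ClamAV$\ge$0.98.2)` to the end of both new description lines instead. The sentence `Alternative strings must have identical lengths.` is also repeated verbatim in both new items; stating it once, on the first, is enough.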