Browse code
bb#11407 - add engine level requirements for special subsigs
Kevin Lin authored on 2015/10/20 03:54:30Showing 2 changed files
| ... | ... |
@@ -526,7 +526,8 @@ dcf43987e4f519d629b103375;SL+550:6300680065005c0046006900 |
| 526 | 526 |
\subsubsection{Subsignature Modifiers}
|
| 527 | 527 |
ClamAV (clamav-0.99) supports a number of additional subsignature modifiers |
| 528 | 528 |
for logical signatures. This is done by specifying '::' followed by a number |
| 529 |
- of characters representing the desired options. |
|
| 529 |
+ of characters representing the desired options. Signatures using subsignature |
|
| 530 |
+ modifiers require \verb+Engine:81-255+ for backwards-compatibility. |
|
| 530 | 531 |
\begin{itemize}
|
| 531 | 532 |
\item Case-Insensitive [\verb+i+]\\ |
| 532 | 533 |
Specifying the \verb+i+ modifier causes ClamAV to match all alphabetic |
| ... | ... |
@@ -547,31 +548,30 @@ dcf43987e4f519d629b103375;SL+550:6300680065005c0046006900 |
| 547 | 547 |
\end{itemize}
|
| 548 | 548 |
Examples: |
| 549 | 549 |
\begin{verbatim}
|
| 550 |
-clamav-nocase-A;Target:0;0&1;41414141/i;424242424242/i |
|
| 550 |
+clamav-nocase-A;Engine:81-255,Target:0;0&1;41414141/i;424242424242/i |
|
| 551 | 551 |
-matches 'AAAA'(nocase) and 'BBBBBB'(nocase) |
| 552 | 552 |
|
| 553 |
-clamav-fullword-A;Target:0;0&1;414141;68656c6c6f/f |
|
| 553 |
+clamav-fullword-A;Engine:81-255,Target:0;0&1;414141;68656c6c6f/f |
|
| 554 | 554 |
-matches 'AAA' and 'hello'(fullword) |
| 555 |
-clamav-fullword-B;Target:0;0&1;414141;68656c6c6f/fi |
|
| 555 |
+clamav-fullword-B;Engine:81-255,Target:0;0&1;414141;68656c6c6f/fi |
|
| 556 | 556 |
-matches 'AAA' and 'hello'(fullword nocase) |
| 557 | 557 |
|
| 558 |
-clamav-wide-B2;Target:0;0&1;414141;68656c6c6f/wa |
|
| 558 |
+clamav-wide-B2;Engine:81-255,Target:0;0&1;414141;68656c6c6f/wa |
|
| 559 | 559 |
-matches 'AAA' and 'hello'(wide ascii) |
| 560 |
-clamav-wide-C0;Target:0;0&1;414141;68656c6c6f/iwfa |
|
| 560 |
+clamav-wide-C0;Engine:81-255,Target:0;0&1;414141;68656c6c6f/iwfa |
|
| 561 | 561 |
-matches 'AAA' and 'hello'(nocase wide fullword ascii) |
| 562 | 562 |
\end{verbatim}
|
| 563 | 563 |
|
| 564 | 564 |
\subsection{Special Subsignature Types}
|
| 565 | 565 |
\subsubsection{Macro subsignatures (clamav-0.96) : \textnormal{\texttt{\$\{min-max\}MACROID\$}}}
|
| 566 |
- \begin{itemize}
|
|
| 567 |
- \item Macro subsignatures are used to combine a number of existing extended |
|
| 568 |
- signatures (\verb+.ndb+) into a on-the-fly generated alternate string logical |
|
| 569 |
- signature (\verb+.ldb+). |
|
| 570 |
- \end{itemize}
|
|
| 566 |
+ Macro subsignatures are used to combine a number of existing extended |
|
| 567 |
+ signatures (\verb+.ndb+) into a on-the-fly generated alternate string logical |
|
| 568 |
+ signature (\verb+.ldb+). Signatures using macro subsignatures require \verb+Engine:51-255+ |
|
| 569 |
+ for backwards-compatibility.\\\\ |
|
| 571 | 570 |
Example: |
| 572 | 571 |
\begin{verbatim}
|
| 573 | 572 |
test.ldb: |
| 574 |
- TestMacro;Target:0;0&1;616161;${6-7}12$
|
|
| 573 |
+ TestMacro;Engine:51-255,Target:0;0&1;616161;${6-7}12$
|
|
| 575 | 574 |
|
| 576 | 575 |
test.ndb: |
| 577 | 576 |
D1:0:$12:626262 |
| ... | ... |
@@ -579,7 +579,7 @@ clamav-wide-C0;Target:0;0&1;414141;68656c6c6f/iwfa |
| 579 | 579 |
D3:0:$30:626264 |
| 580 | 580 |
\end{verbatim}
|
| 581 | 581 |
The example logical signature \verb+TestMacro+ is functionally equivalent to:\\ |
| 582 |
- \verb+TestMacro;Target:0;0;616161{3-4}(626262|636363)+
|
|
| 582 |
+ \verb+TestMacro;Engine:51-255,Target:0;0;616161{3-4}(626262|636363)+
|
|
| 583 | 583 |
\begin{itemize}
|
| 584 | 584 |
\item \verb+MACROID+ points to a group of signatures; there can be at most 32 macro groups. |
| 585 | 585 |
\begin{itemize}
|
| ... | ... |
@@ -595,6 +595,9 @@ clamav-wide-C0;Target:0;0&1;414141;68656c6c6f/iwfa |
| 595 | 595 |
\item For more information and examples please see \url{https://wwws.clamav.net/bugzilla/show_bug.cgi?id=164}.
|
| 596 | 596 |
\end{itemize}
|
| 597 | 597 |
\subsubsection{PCRE subsignatures (clamav-0.99) : \textnormal{\texttt{Trigger/PCRE/[Flags]}}}
|
| 598 |
+ PCRE subsignatures are used within a logical signature (\verb+.ldb+) to specify regex matches |
|
| 599 |
+ that execute once triggered by a conditional based on preceding subsignatures. Signatures using |
|
| 600 |
+ PCRE subsignatures require \verb+Engine:81-255+ for backwards-compatibility. |
|
| 598 | 601 |
\begin{itemize}
|
| 599 | 602 |
\item \verb+Trigger+ is a required field that is a valid \verb+LogicalExpression+ and |
| 600 | 603 |
may refer to any subsignatures that precede this subsignature. Triggers cannot be |
| ... | ... |
@@ -626,32 +629,34 @@ clamav-wide-C0;Target:0;0&1;414141;68656c6c6f/iwfa |
| 626 | 626 |
\end{itemize}
|
| 627 | 627 |
Examples: |
| 628 | 628 |
\begin{verbatim}
|
| 629 |
-Find.All.ClamAV;Target:0;1;6265676c6164697427736e6f7462797465636 |
|
| 630 |
-f6465;0/clamav/g |
|
| 629 |
+Find.All.ClamAV;Engine:81-255,Target:0;1;6265676c6164697427736e6 |
|
| 630 |
+f7462797465636f6465;0/clamav/g |
|
| 631 | 631 |
|
| 632 |
-Find.ClamAV.OnlyAt.299;Target:0;2;7374756c747a67657473;706372657 |
|
| 633 |
-2656765786c6f6c;299:0&1/clamav/ |
|
| 632 |
+Find.ClamAV.OnlyAt.299;Engine:81-255,Target:0;2;7374756c747a6765 |
|
| 633 |
+7473;7063726572656765786c6f6c;299:0&1/clamav/ |
|
| 634 | 634 |
|
| 635 |
-Find.ClamAV.StartAt.300;Target:0;3;616c61696e;62756731393238;636 |
|
| 636 |
-c6f736564;300:0&1&2/clamav/r |
|
| 635 |
+Find.ClamAV.StartAt.300;Engine:81-255,Target:0;3;616c61696e;6275 |
|
| 636 |
+6731393238;636c6f736564;300:0&1&2/clamav/r |
|
| 637 | 637 |
|
| 638 |
-Find.All.Encompassed.ClamAV;Target:0;3;7768796172656e2774;796f75 |
|
| 639 |
-7573696e67;79617261;200,300:0&1&2/clamav/ge |
|
| 638 |
+Find.All.Encompassed.ClamAV;Engine:81-255,Target:0;3;77687961726 |
|
| 639 |
+56e2774;796f757573696e67;79617261;200,300:0&1&2/clamav/ge |
|
| 640 | 640 |
|
| 641 |
-Named.CapGroup.Pcre;Target:0;3;636f75727479617264;616c62756d;746 |
|
| 642 |
-57272696572;50:0&1&2/variable=(?<nilshell>.{16})end/gr
|
|
| 641 |
+Named.CapGroup.Pcre;Engine:81-255,Target:0;3;636f75727479617264; |
|
| 642 |
+616c62756d;74657272696572;50:0&1&2/variable=(?<nilshell>.{16})en
|
|
| 643 |
+d/gr |
|
| 643 | 644 |
|
| 644 |
-Firefox.TreeRange.UseAfterFree;Target:0;0&1&2;2e766965772e73656c |
|
| 645 |
-656374696f6e;2e696e76616c696461746553656c656374696f6e;0&1/\x2Evi |
|
| 646 |
-ew\x2Eselection.*?\x2Etree\s*\x3D\s*null.*?\x2Einvalidate/smi |
|
| 645 |
+Firefox.TreeRange.UseAfterFree;Engine:81-255,Target:0,Engine:81- |
|
| 646 |
+255;0&1&2;2e766965772e73656c656374696f6e;2e696e76616c69646174655 |
|
| 647 |
+3656c656374696f6e;0&1/\x2Eview\x2Eselection.*?\x2Etree\s*\x3D\s* |
|
| 648 |
+null.*?\x2Einvalidate/smi |
|
| 647 | 649 |
|
| 648 |
-Firefox.IDB.UseAfterFree;Target:0;0&1;4944424b657952616e6765;0/^ |
|
| 649 |
-\x2e(only|lowerBound|upperBound|bound)\x28.*?\x29.*?\x2e(lower|u |
|
| 650 |
-pper|lowerOpen|upperOpen)/smi |
|
| 650 |
+Firefox.IDB.UseAfterFree;Engine:81-255,Target:0;0&1;4944424b6579 |
|
| 651 |
+52616e6765;0/^\x2e(only|lowerBound|upperBound|bound)\x28.*?\x29. |
|
| 652 |
+*?\x2e(lower|upper|lowerOpen|upperOpen)/smi |
|
| 651 | 653 |
|
| 652 |
-Firefox.boundElements;Target:0;0&1&2;6576656e742e626f756e64456c6 |
|
| 653 |
-56d656e7473;77696e646f772e636c6f7365;0&1/on(load|click)\s*=\s*\x |
|
| 654 |
-22?window\.close\s*\x28/si |
|
| 654 |
+Firefox.boundElements;Engine:81-255,Target:0;0&1&2;6576656e742e6 |
|
| 655 |
+26f756e64456c656d656e7473;77696e646f772e636c6f7365;0&1/on(load|c |
|
| 656 |
+lick)\s*=\s*\x22?window\.close\s*\x28/si |
|
| 655 | 657 |
\end{verbatim}
|
| 656 | 658 |
|
| 657 | 659 |
\subsection{Icon signatures for PE files}
|