
Signature Tool

sigtool automates signature creation. If you have an infected file that ClamAV does not recognise, and another anti-virus scanner that runs in a console does detect the virus, you can try to create the signature automatically. sigtool is only partially useful, because it finds only a last, contiguous part of a real signature; it will fail for multipart signatures (often used to match polymorphic viruses). Example of usage: create a random file (with any content) and insert the content of the test1 file into it. We will use clamscan to generate the signature. This is only an example; in real life you don't need such tricks, just an infected file. Scan it with clamscan --stdout testfile. The output should be:
	testfile: ClamAV-Test-Signature FOUND

	----------- SCAN SUMMARY -----------
	Known viruses: 10213
	Scanned directories: 0
	Scanned files: 1
	Data scanned: 0.95 MB
	Infected files: 1
	I/O buffer size: 131072 bytes
	Time: 0.245 sec (0 m 0 s)
The unique string in this output is "ClamAV-Test-Signature", so run sigtool with the following arguments (-s gives the string that sigtool looks for in the scanner's output to decide whether a truncated copy of the file is still detected):
	$ sigtool -c "clamscan --stdout" -f testfile -s "ClamAV-Test"
The program concatenates the arguments of -c (--command) and -f (--file), which is why the scanner's options must be given in the proper order. At the end it generates the file testfile.sig, which should contain 100 bytes in our example and holds the proper signature. The run looks like this:
	Detected, decreasing end 20051 -> 16040
	Detected, decreasing end 16040 -> 12029
	Detected, decreasing end 12029 -> 8018
	Not detected at 8018, moving forward.
	Detected, decreasing end 10024 -> 8018
	Not detected at 8018, moving forward.
	Detected, decreasing end 9021 -> 8018
	Not detected at 8018, moving forward.
	Not detected at 8520, moving forward.
	Detected, decreasing end 8771 -> 8520
	Not detected at 8520, moving forward.
	Not detected at 8646, moving forward.
	Not detected at 8709, moving forward.
	Detected, decreasing end 8741 -> 8709
	Not detected at 8709, moving forward.
	Not detected at 8725, moving forward.
	Detected, decreasing end 8733 -> 8725
	Not detected at 8725, moving forward.
	Not detected at 8729, moving forward.
	Detected, decreasing end 8731 -> 8729
	Not detected at 8729, moving forward.
	Detected, decreasing end 8730 -> 8729
	Not detected at 8729, moving forward.
	Increasing end 8729 -> 8730
	 *** Signature end found at 8730
	Detected at 8680, moving forward.
	Detected at 8680, moving forward.
	Not detected, moving backward 8693 -> 8680
	Detected at 8680, moving forward.
	Not detected, moving backward 8687 -> 8680
	Detected at 8680, moving forward.
	Not detected, moving backward 8684 -> 8680
	Detected at 8680, moving forward.
	Not detected, moving backward 8682 -> 8680
	Detected at 8680, moving forward.
	Not detected, moving backward 8681 -> 8680
	Detected at 8680, moving forward.
	Not detected, moving backward 8681 -> 8680
	Detected at 8680, moving forward.
	Moving forward 8680 -> 8681
	 *** Signature start found at 8681

	The scanner was executed 33 times.
	The signature length is 49 (98 hex)
	Saving signature in testfile.sig file.
	Saving binary signature in testfile.bsig file.
To make the generated signature complete you only need to add the VirusName= string at the beginning of the hexadecimal signature in testfile.sig, so that the line has the form VirusName=hexsignature.
TIP: ClamAV scanners read all .db files in the database directory. You can create your own database files (e.g. local.db) and they won't be modified by freshclam!
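The search that produces the log above is easy to follow once written out. The block below is an added example, not sigtool's own code: the real tool writes truncated copies of the file to disk and runs the external scanner command on each one, and its stepping (the "moving forward" by ever smaller steps in the log) differs in detail from the plain binary search used here. The scanner is replaced by a hypothetical in-process function so the example runs offline, the sample file is constructed pseudo-random filler with a marker spliced in, and the virus names are made up. The second half of the example shows why the manual says the tool fails for multipart signatures: when the scanner needs two separated strings, the contiguous span sigtool-style searching returns contains file-specific filler between them and does not match another sample of the same "virus".

```python
import random

# Constructed stand-in for the bytes the scanner reacts to (assumption,
# not the real ClamAV test signature).
MARKER = b"ClamAV-Test-Signature"


def make_scanner(patterns):
    """Stand-in for a console scanner such as `clamscan --stdout FILE`.
    Reports a detection when every byte pattern is present: one pattern
    models a simple signature, several model a multipart one."""
    def scan(data):
        return all(p in data for p in patterns)
    return scan


def find_signature(data, scan):
    """sigtool-style search: shrink the end of the file until the scanner
    stops detecting, then move the start forward until it stops detecting,
    and take the bytes in between.  Returns (start, end, scans_run), or
    None if the complete file is not detected at all."""
    scans = 0

    def detected(buf):
        nonlocal scans
        scans += 1
        return scan(buf)

    if not detected(data):
        return None
    # Phase 1, find the signature end.
    # Invariant: data[:hi] is detected, data[:lo] is not.
    lo, hi = 0, len(data)
    while hi - lo > 1:
        mid = (lo + hi) // 2
        if detected(data[:mid]):
            hi = mid        # "Detected, decreasing end hi -> mid"
        else:
            lo = mid        # "Not detected at mid, moving forward"
    end = hi
    # Phase 2, find the signature start within data[:end].
    # Invariant: data[lo:end] is detected, data[hi:end] is not.
    lo, hi = 0, end
    while hi - lo > 1:
        mid = (lo + hi) // 2
        if detected(data[mid:end]):
            lo = mid        # "Detected at mid, moving forward"
        else:
            hi = mid        # "Not detected, moving backward"
    return lo, end, scans


def db_line(name, sig):
    """Format a database entry the way the manual describes: VirusName=hex."""
    return f"{name}={sig.hex()}"


def db_line_matches(line, data):
    """Check a VirusName=hex line against a file as a plain substring
    scanner would: a hit when the signature bytes occur anywhere."""
    _name, hexsig = line.split("=", 1)
    return bytes.fromhex(hexsig) in data


def build_sample(inserts, seed=1234, size=20000):
    """Constructed test file: deterministic pseudo-random filler with the
    given byte strings spliced in at the given filler offsets (ascending)."""
    rng = random.Random(seed)
    filler = bytes(rng.getrandbits(8) for _ in range(size))
    out, pos = b"", 0
    for offset, chunk in inserts:
        out += filler[pos:offset] + chunk
        pos = offset
    return out + filler[pos:]


if __name__ == "__main__":
    # Simple signature: the recovered span is exactly the marker.
    sample = build_sample([(8681, MARKER)])
    start, end, scans = find_signature(sample, make_scanner([MARKER]))
    print(f"signature found at {start}..{end}, scanner executed {scans} times")
    print(db_line("Test.Signature", sample[start:end]))

    # Multipart signature: the span covers both parts plus the filler
    # between them, so it is specific to this file.
    parts = [b"PART-ONE", b"PART-TWO"]
    two = build_sample([(1000, parts[0]), (5000, parts[1])])
    s, e, _ = find_signature(two, make_scanner(parts))
    line = db_line("Multipart.Example", two[s:e])
    other = build_sample([(1000, parts[0]), (5000, parts[1])], seed=99)
    print(f"multipart span {s}..{e} ({e - s} bytes), "
          f"matches another sample: {db_line_matches(line, other)}")
```

The scan counter corresponds to the "The scanner was executed N times" line in sigtool's report; with an external scanner each of those is a process launch over a temporary copy of the file, which is why the search is logarithmic rather than byte-by-byte.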


Tomasz Kojm 2003-11-11