testfile: ClamAV-Test-Signature FOUND ----------- SCAN SUMMARY ----------- Known viruses: 10213 Scanned directories: 0 Scanned files: 1 Data scanned: 0.95 MB Infected files: 1 I/O buffer size: 131072 bytes Time: 0.245 sec (0 m 0 s)The unique string in this output is "ClamAV-Test-Signature" so run sigtool with the following arguments:
$ sigtool -c "clamscan --stdout" -f testfile -s "ClamAV-Test"The program will concatenate arguments for -c (-command) and -f (-file), that's why the scanner's options must be given in the proper order. At the end it will generate a file testfile.sig, which should contain 100 bytes in our example. It contains the proper signature.
Detected, decreasing end 20051 -> 16040 Detected, decreasing end 16040 -> 12029 Detected, decreasing end 12029 -> 8018 Not detected at 8018, moving forward. Detected, decreasing end 10024 -> 8018 Not detected at 8018, moving forward. Detected, decreasing end 9021 -> 8018 Not detected at 8018, moving forward. Not detected at 8520, moving forward. Detected, decreasing end 8771 -> 8520 Not detected at 8520, moving forward. Not detected at 8646, moving forward. Not detected at 8709, moving forward. Detected, decreasing end 8741 -> 8709 Not detected at 8709, moving forward. Not detected at 8725, moving forward. Detected, decreasing end 8733 -> 8725 Not detected at 8725, moving forward. Not detected at 8729, moving forward. Detected, decreasing end 8731 -> 8729 Not detected at 8729, moving forward. Detected, decreasing end 8730 -> 8729 Not detected at 8729, moving forward. Increasing end 8729 -> 8730 *** Signature end found at 8730 Detected at 8680, moving forward. Detected at 8680, moving forward. Not detected, moving backward 8693 -> 8680 Detected at 8680, moving forward. Not detected, moving backward 8687 -> 8680 Detected at 8680, moving forward. Not detected, moving backward 8684 -> 8680 Detected at 8680, moving forward. Not detected, moving backward 8682 -> 8680 Detected at 8680, moving forward. Not detected, moving backward 8681 -> 8680 Detected at 8680, moving forward. Not detected, moving backward 8681 -> 8680 Detected at 8680, moving forward. Moving forward 8680 -> 8681 *** Signature start found at 8681 The scanner was executed 33 times. The signature length is 49 (98 hex) Saving signature in testfile.sig file. Saving binary signature in testfile.bsig file.To make the generated signature complete you only to add the VirusName= string at the beginning of the hexadecimal signature in testfile.sig.