diff --git a/ChangeLog b/ChangeLog index df708566c..877684deb 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,7 @@ +Thu Feb 25 17:20:27 CET 2010 (tk) +--------------------------------- + * docs: update signatures.pdf + Tue Feb 16 16:41:30 CET 2010 (tk) --------------------------------- * libclamav/cvd.c: enable new dsig check for main db diff --git a/docs/signatures.pdf b/docs/signatures.pdf index e33868977..e2a818262 100644 Binary files a/docs/signatures.pdf and b/docs/signatures.pdf differ diff --git a/docs/signatures.tex b/docs/signatures.tex index e5c5e5fda..a572cb6c9 100644 --- a/docs/signatures.tex +++ b/docs/signatures.tex @@ -38,8 +38,8 @@ JVh4vYmW8mZ62ZHYMlM903TMZFg5hZIxcjQB3SX0TapdF1SFNzoWjsyH53eXvMDY eaPVNe2ccXLfEegoda4xU2TezbGfbSEGoU1qolyQYLX674sNA2Ni6l6/CEKYYh Verification OK. \end{verbatim} - The ClamAV project distributes two CVD files: \emph{main.cvd} and - \emph{daily.cvd}. + The ClamAV project distributes a number of CVD files, including + \emph{main.cvd} and \emph{daily.cvd}. \section{Signature formats} @@ -52,7 +52,7 @@ zolw@localhost:/tmp/test$ sigtool --md5 test.exe > test.hdb zolw@localhost:/tmp/test$ cat test.hdb 48c4533230e1ae1c118c741c0db19dfb:17387:test.exe \end{verbatim} - That's it! The signature is ready to use: + That's it! The signature is ready for use: \begin{verbatim} zolw@localhost:/tmp/test$ clamscan -d test.hdb test.exe test.exe: test.exe FOUND 
@@ -83,10 +83,11 @@ PESectionSize:MD5:MalwareName target PE sections into separate files and then run sigtool with the option \verb+--mdb+ - \subsection{Hexadecimal signatures} - ClamAV stores all signatures in a hexadecimal format. By a hex-signature - here we mean a fragment of a malware's body converted into a hexadecimal - string which can be additionally extended with various wildcards. + \subsection{Body-based signatures} + ClamAV stores all body-based signatures in a hexadecimal format. In this + section by a hex-signature we mean a fragment of malware's body converted + into a hexadecimal string which can be additionally extended using various + wildcards. \subsubsection{Hexadecimal format} You can use \verb+sigtool --hex-dump+ to convert any data into a hex-string: @@ -97,7 +98,7 @@ How do I look in hex? \end{verbatim} \subsubsection{Wildcards} - ClamAV supports the following extensions inside hex signatures: + ClamAV supports the following extensions for hex-signatures: \begin{itemize} \item \verb+??+\\ Match any byte. @@ -122,11 +123,15 @@ How do I look in hex? \item \verb+(aa|bb|cc|..)+\\ Match aa or bb or cc.. \item \verb+!(aa|bb|cc|..)+\\ - Match any byte except aa and bb and cc.. + Match any byte except aa and bb and cc.. (ClamAV$\ge$0.96) \item \verb+HEXSIG[x-y]aa+ or \verb+aa[x-y]HEXSIG+\\ Match aa anchored to a hex-signature, see \url{https://wwws.clamav.net/bugzilla/show_bug.cgi?id=776} for - a discussion and examples. + discussion and examples. + \item \verb+(B)+\\ + Match word boundary (including file boundaries). + \item \verb+(L)+\\ + Match CR, CRLF or file boundaries. \end{itemize} The range signatures \verb+*+ and \verb+{}+ virtually separate a hex-signature into two parts, eg. \verb+aabbcc*bbaacc+ is treated 
@@ -168,7 +173,7 @@ MalwareName:TargetType:Offset:HexSignature[:MinEngineFunctionalityLevel:[Max]] \item 5 = Graphics \item 6 = ELF \item 7 = ASCII text file (normalized) - \item 8 = Disassembler data + \item 8 = Unused \item 9 = Mach-O files \end{itemize} And \verb+Offset+ is an asterisk or a decimal number \verb+n+ possibly @@ -226,6 +231,15 @@ Subsig1;Subsig2;... \item \verb+SubsigN+ is n-th subsignature in extended format possibly preceded with an offset. There can be specified up to 64 subsigs. \end{itemize} + Keywords used in \verb+TargetDescriptionBlock+: + \begin{itemize} + \item \verb+Target:X+: Target file type + \item \verb+Engine:X-Y+: Required engine functionality (range; 0.96) + \item \verb+FileSize:X-Y+: Required file size (range in bytes; 0.96) + \item \verb+EntryPoint+: Entry point offset (range in bytes; 0.96) + \item \verb+NumberOfSections+: Required number of sections in executable (range; 0.96) + \item \verb+Container:CL_TYPE_*+: File type of the container which stores the scanned file + \end{itemize} Modifiers for subexpressions: \begin{itemize} \item \verb+A=X+: If the SUB-EXPRESSION A refers to a single signature 
@@ -265,11 +279,53 @@ f2aef7d14951684cf04100e8110a00;S2+78:22??232c2d252229{-15}6e6573 (63|64)61706528;S+50:68efa311c3b9963cb1ee8e586d32aeb9043e;f9c58d cf43987e4f519d629b103375;SL+550:6300680065005c0046006900 \end{verbatim} + ClamAV 0.96 introduced support for special macro subsignatures in + the following format: \verb+${min-max}MACROID$+, where \verb+MACROID+ + points to a group of signatures and \verb+{min-max}+ specifies the + offset range at which one of the group signatures should match. + The range is calculated against the match offset of the previous + subsignature. The macro subsignature makes its preceding subsignature + considered a match only if both of them get matched. For more + information and examples please see + \url{https://wwws.clamav.net/bugzilla/show_bug.cgi?id=164}. - \subsection{Signatures based on archive metadata} - Signatures based on metadata inside archive files can provide an effective - protection against malware that spreads via encrypted zip or rar - archives. The format of a metadata signature is: + \subsection{Signatures based on container metadata} + ClamAV 0.96 allows creating generic signatures matching files stored + inside different container types which meet specific conditions. + The signature format is +\begin{verbatim} +VirusName:ContainerType:ContainerSize:FileNameREGEX:FileSizeInContainer: +FileSizeReal:IsEncrypted:FilePos:Res1:Res2[:MinFL[:MaxFL]] +\end{verbatim} + where the corresponding fields are: + \begin{itemize} + \item \verb+VirusName:+ Virus name to be displayed when signature matches + \item \verb+ContainerType:+ one of \verb+CL_TYPE_ZIP+, \verb+CL_TYPE_RAR+, + \verb+CL_TYPE_ARJ+, \verb+CL_TYPE_CAB+, \verb+CL_TYPE_7Z+, + \verb+CL_TYPE_MAIL+, \verb+CL_TYPE_(POSIX|OLD)_TAR+, + \verb+CL_TYPE_CPIO_(OLD|ODC|NEWC|CRC)+ or \verb+*+ to match + any of the container types listed here + \item \verb+ContainerSize:+ size of the container file itself (eg. 
size of + the zip archive) specified in bytes as absolute value or range \verb+x-y+ + \item \verb+FileNameREGEX:+ regular expression describing name of the target file + \item \verb+FileSizeInContainer:+ usually compressed size; for MAIL, TAR and CPIO == + \verb+FileSizeReal+; specified in bytes as absolute value or range + \item \verb+FileSizeReal:+ usually uncompressed size; for MAIL, TAR and CPIO == + \verb+FileSizeInContainer+; absolute value or range + \item \verb+IsEncrypted+: 1 if the target file is encrypted, 0 if it's not and + \verb+*+ to ignore + \item \verb+FilePos+: file position in container (counting from 1); absolute value + or range + \item \verb+Res1+: when \verb+ContainerType+ is \verb+CL_TYPE_ZIP+ or + \verb+CL_TYPE_RAR+ this field is treated as a CRC sum of the target file + specified in hexadecimal format; for other container types it's ignored + \item \verb+Res2+: not used as of ClamAV 0.96 + \end{itemize} + The signatures for container files are stored inside \verb+.cdb+ files. + + \subsection{Signatures based on ZIP/RAR metadata (obsolete)} + The (now obsolete) archive metadata signatures can be only applied + to ZIP and RAR files and have the following format: \begin{verbatim} virname:encrypted:filename:normal size:csize:crc32:cmethod:fileno:max depth \end{verbatim} 
@@ -293,11 +349,16 @@ virname:encrypted:filename:normal size:csize:crc32:cmethod:fileno:max depth it inside a database file with the extension of \verb+.fp+.\\ \noindent - To whitelist a specific signature inside main.cvd add the following - entry into daily.ign or a local file local.ign: + To whitelist a specific signature from the database you just add + its name into a local file called local.ign2 stored inside the + database directory. You can additionally follow the signature name + with the MD5 of the entire database entry for this signature, eg: \begin{verbatim} -db_name:line_number:signature_name +Eicar-Test-Signature:bc356bae4c42f19a3de16e333ba3569c \end{verbatim} + In such a case, the signature will no longer be whitelisted when + its entry in the database gets modified (eg. the signature gets + updated to avoid false alerts). \subsection{Signature names} ClamAV uses the following prefixes for signature names: @@ -326,7 +387,8 @@ db_name:line_number:signature_name \end{itemize} Important rules of the naming convention: \begin{itemize} - \item always use a -zippwd suffix in the malware name for signatures of type zmd, + \item always use a -zippwd suffix in the malware name for signatures + of type zmd, \item always use a -rarpwd suffix in the malware name for signatures of type rmd, \item only use alphanumeric characters, dash (-), dot (.), underscores
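Review bot: the new ChangeLog entry (hunk @@ -1,3 +1,7 @@) says only `* docs: update signatures.pdf`, while the same commit also changes docs/signatures.tex in substance (the `(B)`/`(L)` wildcards, the TargetDescriptionBlock keyword list, macro subsignatures, container-metadata signatures and the local.ign2 whitelist format). The entry should name the source file and the features documented, e.g. `* docs/signatures.tex, docs/signatures.pdf: document 0.96 signature features`, so that someone reading the log can tell this was a content update and not a regenerated PDF.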
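Review bot: in the wildcard hunk (@@ -122,11 +123,15 @@) `!(aa|bb|cc|..)` gains a "(ClamAV$\ge$0.96)" marker but the newly added `(B)` and `(L)` items carry none; if those anchors are likewise only understood from 0.96 on, mark them the same way so signature authors can tell which engines accept them. The `(L)` description ("Match CR, CRLF or file boundaries") does not mention a bare LF; if LF-only line ends are intentionally not treated as a boundary, say so, since Unix text is the common case for the ASCII target type.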
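Review bot: in the TargetDescriptionBlock keyword list (hunk @@ -226,6 +231,15 @@), `EntryPoint` and `NumberOfSections` are written without the `:X-Y` value syntax that `Engine:X-Y` and `FileSize:X-Y` show, even though their descriptions say "(range in bytes; 0.96)" and "(range; 0.96)"; write them as `EntryPoint:X-Y` and `NumberOfSections:X-Y` so the syntax can be copied as-is. `Container:CL_TYPE_*` is the only keyword without an engine-version note; add one if it is also new in 0.96. It would also help to state whether ranges are inclusive at both ends and whether `Target:X` must be present when other keywords are used.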
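Review bot: the container-metadata format (hunk @@ -265,11 +279,53 @@) lists ten fields plus `[:MinFL[:MaxFL]]`, but the field descriptions stop at `Res2` and never explain `MinFL`/`MaxFL`; cross-reference the functionality-level fields used by the other signature formats. `FileNameREGEX` says nothing about the regex dialect, whether it is anchored or a substring match, or how a literal `:` is escaped given that `:` is the field separator, all of which a signature author needs in order to avoid both misses and over-broad matches. Since the section title is "container metadata", it is worth stating explicitly that matching uses only the container headers, i.e. a `.cdb` signature with `IsEncrypted` set to 1 fires without decrypting the member. In the macro subsignature paragraph the sentence "The macro subsignature makes its preceding subsignature considered a match only if both of them get matched" is hard to parse; suggest "A subsignature followed by a macro subsignature only counts as matched if the macro subsignature matches as well." Finally, "can be only applied" in the obsolete ZIP/RAR subsection should read "can only be applied".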
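Review bot: the whitelisting hunk (@@ -293,11 +349,16 @@) replaces the `daily.ign` / `db_name:line_number:signature_name` format with `local.ign2` but does not say whether existing `.ign` files are still loaded or must be converted; one sentence on backward compatibility would prevent whitelist entries being silently dropped after an upgrade. It also needs to state exactly what the optional MD5 is computed over (the raw database line, with or without its trailing newline, or the entry as printed by sigtool), because an operator who hashes it differently gets an entry that never matches and the false-positive signature stays active. Consider recommending the hashed form as the default: a bare name keeps the signature whitelisted indefinitely, including after it has been rewritten, which is exactly the case the hash is meant to catch.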