ClamWin Free Antivirus
Support and Discussion Forums
Creating signature (sigtool) help!
sigtool


Joined: 08 Jan 2007
Posts: 6
Hi.

I live in Moscow! I speak English badly.
Please! Help me!
I want to create a signature with sigtool.exe. How???

------------------------------
cmd.exe

sigtool --md5 test.exe > test.hdb (this creates the MD5 of test.exe in test.hdb - 49e9ec961494064722947dce19bb3818:36:(null))
Next:

sigtool --unpack daily.cvd (C:\Program Files\ClamWin\bin\daily.cvd)
Next, build the cvd:

sigtool --build daily.cvd --server localhost

and I get an error!

--
C:\Program Files\ClamWin\bin>sigtool --build daily.cvd --server localhost
LibClamAV debug: Loading databases from .
LibClamAV debug: Loading ./daily.cvd
LibClamAV debug: in cli_cvdload()
LibClamAV debug: MD5(.tar.gz) = 61d069903e4732a9cffc9ddb2b237897
LibClamAV debug: Decoded signature: 61d069903e4732a9cffc9ddb2b237897
LibClamAV debug: Digital signature is correct.
LibClamAV Warning: ********************************************************
LibClamAV Warning: *** This version of the ClamAV engine is outdated. ***
LibClamAV Warning: *** DON'T PANIC! Read http://www.clamav.net/faq.html ***
LibClamAV Warning: ********************************************************
LibClamAV debug: in cli_untgz()
LibClamAV debug: Unpacking /tmp/clamav-26ea61b73e63eb2d/COPYING
LibClamAV debug: Unpacking /tmp/clamav-26ea61b73e63eb2d/daily.db
LibClamAV debug: Unpacking /tmp/clamav-26ea61b73e63eb2d/daily.hdb
LibClamAV debug: Unpacking /tmp/clamav-26ea61b73e63eb2d/daily.ndb
LibClamAV debug: Unpacking /tmp/clamav-26ea61b73e63eb2d/daily.zmd
LibClamAV debug: Unpacking /tmp/clamav-26ea61b73e63eb2d/daily.fp
LibClamAV debug: Unpacking /tmp/clamav-26ea61b73e63eb2d/daily.info
LibClamAV debug: Unpacking /tmp/clamav-26ea61b73e63eb2d/daily.pdb
LibClamAV debug: Loading databases from /tmp/clamav-26ea61b73e63eb2d
LibClamAV debug: Loading /tmp/clamav-26ea61b73e63eb2d/daily.db
LibClamAV debug: Initializing main node
LibClamAV debug: Initializing trie
LibClamAV debug: Initializing BM tables
LibClamAV debug: in cli_bm_init()
LibClamAV debug: BM: Number of indexes = 63744
LibClamAV debug: Loading /tmp/clamav-26ea61b73e63eb2d/daily.fp
LibClamAV debug: Initializing md5 list structure
LibClamAV debug: Loading /tmp/clamav-26ea61b73e63eb2d/daily.hdb
LibClamAV debug: Loading /tmp/clamav-26ea61b73e63eb2d/daily.ndb
LibClamAV debug: Loading /tmp/clamav-26ea61b73e63eb2d/daily.zmd
LibClamAV debug: Loading ./daily.db
LibClamAV debug: Loading ./daily.fp
LibClamAV debug: Loading ./daily.hdb
LibClamAV debug: Loading ./daily.ndb
LibClamAV debug: Loading ./daily.zmd
LibClamAV debug: Loading ./virus.hdb
Database properly parsed.
Signatures: 4299
ERROR: Signatures in database: 2149. Loaded: 4299.
Please check the current directory and remove unnecessary databases
or install the latest ClamAV version.

Or, as written in the FAQ:

sigtool --build daily.cvd --server SIGNING_SERVER
where SIGNING SERVER is one of the ClamAV Signing Servers you have access
to. This command will automatically generate a binary database with
a signature.
LibClamAV debug: Loading databases from .
LibClamAV debug: Loading ./daily.db
LibClamAV debug: Loading ./daily.hdb
LibClamAV debug: Initializing trie.
Database properly parsed.
Signatures: 183
COPYING
tar: main.db: Cannot stat: No such file or directory
tar: main.hdb: Cannot stat: No such file or directory
daily.db
daily.hdb
tar: Notes: Cannot stat: No such file or directory
tar: Error exit delayed from previous errors
Builder id: tkojm
Password:
Signature received (length = 171).
Database daily.cvd created.

Don’t worry about “No such file or directory” tar errors. Finally, you
verify the new database with:

zolw@localhost:/usr/local/share/clamav$ sigtool -i daily.
Build time: 26 Aug 2004 22-41 +0200
Version: 473
# of signatures: 183
Functionality level: 2
Builder: tkojm
MD5: 0e89235392c1a1142dda0d022f218903
Digital signature: bWBCx3KO7rkdOQo+zTIZXKhGNvmEz5n/fTUsCEVrdFwhWr2gf5MjsmO7nF/
Verification OK.
Developing Your Own Signatures
GuitarBob


Joined: 09 Jul 2006
Posts: 4388
Location: USA
If you have identified a virus and know how to develop a signature for it, the link below to the ClamAntivirus Web site will help. Look at Item 30.

Be sure to send a sample of the virus to Clam or ClamWin. Ask them to let you know when they add the signature to the regular database, and you can remove your signature then.

http://www.clamav.net/faq.html#pagestart

Regards,
sherpya


Joined: 22 Mar 2006
Posts: 898
Location: Italy
--server takes an IP number and not a name. Unfortunately, the signing server code is not public, so for now there is no way to create a cvd. You can still create single files like something.ndb or something.hdb and put them in the db directory.
sigtool


Joined: 08 Jan 2007
Posts: 6
I created something.hdb and put it in (C:\Documents and Settings\Ice\.clamwin\db). Clam does not see the virus file.

Quote:
--server takes an IP number and not a name. Unfortunately, the signing server code is not public, so for now there is no way to create a cvd. You can still create single files like something.ndb or something.hdb and put them in the db directory.


Can I build a cvd file or not? I don't understand!
Can you show me how the --build command in sigtool works?
b0ne


Joined: 26 Oct 2006
Posts: 174
sigtool wrote:
Can I build a cvd file or not? I don't understand!
You cannot build CVDs, but you can create your own signatures in their own database. See this URL: http://www.clamav.net/doc/latest/signatures.pdf

I created a file blah.txt on my c: drive. In this text file I typed "BLAHBLAHBLAH" without quotes or a carriage-return. To create the signature I ran "sigtool.exe --md5 blah.txt". The output is in this format, hash:size:filename. I renamed the signature and put it in the file test.hdb.

The signature looks like this: 677e03bac2437b464fad66df286104bd:16:MD5SIG_BLAHTXT

I put test.hdb in the clamwin database directory located on my computer at: "C:\Documents and Settings\All Users\.clamwin\db"

Next I right clicked on the blah.txt and chose to scan it with ClamWin.

C:\blah.txt: MD5SIG_BLAHTXT FOUND
-- summary --
Known viruses: 86212
Engine version: 0.88.7
Scanned directories: 0
Scanned files: 1
Infected files: 1
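Added example (not part of any post in this thread): a Python sketch of the hash:size:name workflow described in the post above. It builds an .hdb entry, parses entries, and checks a buffer against them; the function names, the sample bytes and the rejection of the "(null)" name seen in the first post are assumptions made for this example, not ClamAV behaviour.

```python
import hashlib
import re

# hash:size:name, the entry layout described in the post above.
HDB_RE = re.compile(r"^([0-9a-fA-F]{32}):(\d+):(.+)$")

def make_hdb_line(data: bytes, name: str) -> str:
    """Build one hash:size:name entry for the given file content."""
    if not name or ":" in name or name == "(null)":
        raise ValueError("signature name must be a real, colon-free label")
    return f"{hashlib.md5(data).hexdigest()}:{len(data)}:{name}"

def parse_hdb_line(line: str):
    """Return (md5, size, name) or raise ValueError for a malformed entry."""
    m = HDB_RE.match(line.strip())
    if not m:
        raise ValueError(f"not hash:size:name: {line!r}")
    md5, size, name = m.group(1).lower(), int(m.group(2)), m.group(3)
    if name == "(null)":
        # Lint rule added for this example: the entry has no usable label.
        raise ValueError("name field is the '(null)' placeholder; rename it")
    return md5, size, name

def match_hdb(data: bytes, lines):
    """Return the name of the first entry whose size and MD5 both match."""
    digest = None
    for line in lines:
        md5, size, name = parse_hdb_line(line)
        if size != len(data):
            continue  # cheap size check before hashing
        digest = digest or hashlib.md5(data).hexdigest()
        if digest == md5:
            return name
    return None

# Constructed sample: stands in for a file you want to flag locally.
SAMPLE = b"constructed sample bytes for a local signature\n"
ENTRY = make_hdb_line(SAMPLE, "MD5SIG_LOCAL_SAMPLE")

if __name__ == "__main__":
    print(ENTRY)
    print(match_hdb(SAMPLE, [ENTRY]))         # name of the matching entry
    print(match_hdb(SAMPLE + b"x", [ENTRY]))  # None: any change breaks a hash match
```
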
Virus Signatures
GuitarBob


Joined: 09 Jul 2006
Posts: 4388
Location: USA
Is the EICAR file in hexadecimal? I'm not certain, but it doesn't have the hex look to me, and ClamWin recognizes it. If it is not in hex, then ClamWin must have the capability to recognize something other than hex signatures.

Regards,
Re: Virus Signatures
b0ne


Joined: 26 Oct 2006
Posts: 174
GuitarBob wrote:
Is the EICAR file in hexadecimal?

main.cvd Eicar-Test-Signature 0:0:58354f2150254041505b345c505a58353428505e2937434329377d2445494341522d5354414e444152442d414e544956495255532d544553542d46494c452124482b482a

It's a sig alright. Even though hash data is commonly represented in a hexadecimal form, technically MD5 hashes aren't byte signatures, but that is the other method ClamAV supports.
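Added example (not part of any post in this thread): the hex body quoted above decoded back to bytes, then compared with an MD5-and-size match on the same content to show how the two signature methods differ. The function names, the treatment of the two leading fields as opaque, and the fixed offset 0 are assumptions made for this example.

```python
import hashlib

# Signature line as quoted in the post above (name, then colon-separated fields).
SIG_LINE = "Eicar-Test-Signature 0:0:58354f2150254041505b345c505a58353428505e2937434329377d2445494341522d5354414e444152442d414e544956495255532d544553542d46494c452124482b482a"

def parse_body_sig(line: str):
    """Split the quoted line into (name, leading fields, pattern bytes)."""
    name, rest = line.split(None, 1)
    *fields, hex_body = rest.split(":")
    return name, fields, bytes.fromhex(hex_body)

def body_match(data: bytes, pattern: bytes, offset=None) -> bool:
    """Byte signature: pattern found anywhere, or at a fixed offset if given."""
    if offset is None:
        return pattern in data
    return data[offset:offset + len(pattern)] == pattern

def hash_match(data: bytes, md5_hex: str, size: int) -> bool:
    """Hash signature: the whole file must have this size and this MD5."""
    return len(data) == size and hashlib.md5(data).hexdigest() == md5_hex

NAME, FIELDS, PATTERN = parse_body_sig(SIG_LINE)
# Hash entry computed here from the decoded bytes (constructed, not from the page).
HASH_MD5, HASH_SIZE = hashlib.md5(PATTERN).hexdigest(), len(PATTERN)

def compare(data: bytes):
    """Return (hash_hit, body_hit) for one buffer; offset 0 is assumed for the demo."""
    return (hash_match(data, HASH_MD5, HASH_SIZE),
            body_match(data, PATTERN, offset=0))

if __name__ == "__main__":
    print(PATTERN.decode("ascii"))     # the hex is just the file's bytes
    print(compare(PATTERN))            # exact file: both methods hit
    print(compare(PATTERN + b"\r\n"))  # trailing newline: only the body signature hits
```
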
Virus Sigs
GuitarBob


Joined: 09 Jul 2006
Posts: 4388
Location: USA
Thanks, b0ne. All I've ever seen for EICAR is the:

X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

AV TEST provides an MD5 hash with their report, so perhaps that could be used then.

Regards,
I have the same question
Traversal


Joined: 14 Dec 2006
Posts: 9
Location: China
I wanna create my own signatures for ClamAV for my local network use,
but I don't know how to do it.
Personal Signatures
GuitarBob


Joined: 09 Jul 2006
Posts: 4388
Location: USA
See the link above--explains how: http://www.clamav.net

Regards
drgoa.r


Joined: 20 Nov 2006
Posts: 66
Location: Bulgaria
Look here for info on how to build your own:
http://www.clamav.net/doc/latest/signatures.pdf