ClamWin Free Antivirus
Support and Discussion Forums
Question about sigtool- Please help!
Nathaniel


Joined: 06 Aug 2007
Posts: 20
Hi, yay 1st post!

Anyways, can someone tell me exactly how to use sigtool?
I'm trying to turn the .cvd into .db.

Here's what I did:
1. Double-click sigtool.exe and the DOS screen comes up.
2. The DOS screen closes 1 millisecond later. (It closes faster than a blink!!!)

What happened? How do I get the .cvd to .db? I don't think I did it right. Can you start uploading the .db again??? I like it better.

Thanks! In case you need my OS, it's Windows XP Pro.
sherpya


Joined: 22 Mar 2006
Posts: 894
Location: Italy
Please refer to this doc to use sigtool:
http://svn.clamav.net/websvn/filedetails.php?repname=clamav-devel&path=%2Ftrunk%2Fdocs%2Fsignatures.pdf&rev=0&sc=0
Nathaniel


Joined: 06 Aug 2007
Posts: 20
Thanks, but it doesn't have what I was looking for. Or can anyone explain???

The main question is: is the DOS window of sigtool supposed to disappear RIGHT when it is opened??? Because I don't even have time to press a key or do anything.
GuitarBob


Joined: 09 Jul 2006
Posts: 4292
Location: USA
I tried to use Sigtool several months ago and was unable to because, like you experienced, it quickly disappeared from the DOS window. I wound up using an MD5 hash program for static malware and a hex editor for traditional malware signatures--in conjunction with Notepad.

I advise you to leave the standard ClamAV signatures alone--don't mess with them.

Regards,
Nathaniel


Joined: 06 Aug 2007
Posts: 20
GuitarBob wrote:
I tried to use Sigtool several months ago and was unable to because, like you experienced, it quickly disappeared from the DOS window. I wound up using an MD5 hash program for static malware and a hex editor for traditional malware signatures--in conjunction with Notepad.

I advise you to leave the standard ClamAV signatures alone--don't mess with them.

Regards,


Where can I get MD5, and how do I get the definitions using a hex editor to get a def? I just see a lot of numbers......
GuitarBob


Joined: 09 Jul 2006
Posts: 4292
Location: USA
Developing signatures for malware is quite involved, and you really need to know what you are doing. There is some good information on the ClamAV Web site about their signatures, but it's not complete. I suggest you read up on this if you are really interested--search the Web for info.

MD5 hash signatures are made from an entire file and are primarily used for scripts and other malware that does not change. You run the file through the MD5 software and put the resulting hash into a database format. Each antivirus program has their own specific format. Both VirusTotal and Jotti give MD5 hashes for malware submitted to them, but I don't think that makes a reliable signature.

Hex signatures are more involved than the MD5 sigs. You have to isolate and identify the viral component from the malware code, get the hexadecimal equivalent and put it into a database. You will need an isolated computer and software tools like debuggers and decryptors to "break" the code and analyze it.

Most of us are better off letting the virus analysts develop the signatures. The analysts at ClamAV do a pretty good job, and they have many kinds of malware signatures--including hex, MD5, phishing, and several others. They develop about 3,000 signatures per month, and Clam now has over 140,000 signatures--more than some of the small commercial antivirus companies.

Regards,
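The MD5 hash signature described in the post above, as an added example that is not from the thread or from ClamAV's own code: it builds one line in ClamAV's hash-signature (.hdb) text format, MD5:FileSize:MalwareName (the colon-separated text form the unpacked database files use), parses such lines back, and checks a file against them. The sample bytes and the signature name are constructed for the example, and the function names are my own.

```python
import hashlib
from typing import Dict, Optional, Tuple

# Constructed sample content standing in for a static (unchanging) script; not real malware.
SAMPLE = b"constructed sample"
SIG_NAME = "Test.Constructed-1"  # constructed signature name


def hdb_line(data: bytes, name: str) -> str:
    """Build one line in ClamAV's hash-signature (.hdb) text format:
    MD5:FileSize:MalwareName.  The whole file is hashed, so a file that
    differs by even one byte will not match (the limitation noted above)."""
    digest = hashlib.md5(data).hexdigest()
    return f"{digest}:{len(data)}:{name}"


def parse_hdb(text: str) -> Dict[Tuple[str, int], str]:
    """Parse .hdb lines into {(md5, size): name}, skipping blank and '#' lines.
    Malformed lines raise rather than silently producing a signature that can
    never match."""
    sigs: Dict[Tuple[str, int], str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) < 3:
            raise ValueError(f"malformed hdb line: {raw!r}")
        digest, size_text = parts[0].lower(), parts[1]
        name = ":".join(parts[2:])  # anything after the second colon stays with the name
        if len(digest) != 32 or any(c not in "0123456789abcdef" for c in digest):
            raise ValueError(f"bad MD5 field in: {raw!r}")
        if not size_text.isdigit():
            raise ValueError(f"bad size field in: {raw!r}")
        sigs[(digest, int(size_text))] = name
    return sigs


def match_file(data: bytes, sigs: Dict[Tuple[str, int], str]) -> Optional[str]:
    """Return the signature name matching data, or None.  The size field is
    checked first, so the hash is only computed when a signature of that exact
    length exists."""
    if not any(size == len(data) for _, size in sigs):
        return None
    return sigs.get((hashlib.md5(data).hexdigest(), len(data)))


if __name__ == "__main__":
    db = "# constructed .hdb database\n" + hdb_line(SAMPLE, SIG_NAME) + "\n"
    sigs = parse_hdb(db)
    print(db.strip())
    print("exact copy   ->", match_file(SAMPLE, sigs))
    print("one byte off ->", match_file(SAMPLE + b"!", sigs))
```

Running it shows the point of the post: the exact sample matches, and the same bytes with one byte appended do not, which is why whole-file hashes only cover malware that never changes.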
Nathaniel


Joined: 06 Aug 2007
Posts: 20
ok thanks, confusing

Anyways, ClamWin has more than Norton, with only around 70,000 defs.

If ClamWin wants real-time protection, I could do that with Visual Basic. (Then we should have a Visual Basic version.)
I haven't tried Python yet and C++ is confusing.

I'll post one here when I'm done!!!
GuitarBob


Joined: 09 Jul 2006
Posts: 4292
Location: USA
I didn't mean to be confusing. If you are not experienced at virus analysis and signature development, I wanted you to see that it is really not an easy thing to do. If you would like to pursue it, contact the Clam Antivirus team. They might offer some suggestions, and I'm sure they can always use some additional help with the original signatures in Linux.

Clam has about 140,000 malware signatures. Norton only has 70,000 or so, but this is misleading. Some of the Norton signatures are generic--able to spot entire families of viruses, so that is probably equivalent to 200,000 signatures.

ClamWin 1.0 will feature a real-time scanner and other improvements written in a version of C. No release date yet--but work is continuing. If you would like to help, contact the ClamWin team. There are only two developers--and part-time at that.

Regards,
Nathaniel


Joined: 06 Aug 2007
Posts: 20
ok thanks

Does anyone have a way to fix this problem?
b0ne


Joined: 26 Oct 2006
Posts: 174
Nathaniel wrote:
ok thanks

Does anyone have a way to fix this problem?


Sigtool is not a GUI program; you can't just double-click it. It is a command line interface.

In order to understand how to use it you can read the following URL for documentation: http://www.clamav.net/doc/latest/signatures.pdf

Additionally, you can open a command prompt and type "sigtool --help". The command line switch to unpack the databases is "sigtool --unpack=c:\Path To File\main.cvd".
Nathaniel


Joined: 06 Aug 2007
Posts: 20
I tried that (sigtool --unpack=c:\Path To File\main.cvd) and command prompt still only says "'sigtool' is not recognized as an internal or external command, operable program, or batch file"...


Thanks, but can someone tell me from the beginning???
I think it might just be my computer's problem, but I need other choices because I need the database as .db.
b0ne


Joined: 26 Oct 2006
Posts: 174
Nathaniel wrote:
I tried that (sigtool --unpack=c:\Path To File\main.cvd) and command prompt still only says "'sigtool' is not recognized as an internal or external command, operable program, or batch file"


Um, well for starters, it sounds like you are not familiar with the idea of the "PATH" environment variable.

Sigtool is not located in your "PATH" so you cannot just run it from any command prompt location. You either have to type in the full path to the executable or change directories to the location where the executable resides in order to launch it.

Secondly, "Path To File" was an example, with the assumption that one might have a pre-existing understanding of what a "file path" entails. You need to replace "Path to file" with the full path to that particular file, i.e. "c:\documents and settings\all users\clamwin\db\main.cvd" or whatever it is on your system.

Also, the files are not in a binary database format after they're extracted from the CVD files. Post extraction, they are essentially colon separated values in a text format.
Nathaniel


Joined: 06 Aug 2007
Posts: 20
i typed in

C:\program files\clamwin\bin\sigtool.exe --unpack=C:\documents and settings\all users\.clamwin\db\main.cvd


It still says the same thing except now it says "'C:\program' is not recognized as an internal or external command, operable program or batch file."

IS THIS COMMAND PROMPT STUPID?!?!?! ITS NOT A PROGRAM ITS THE PATH!!! SERIOUSLY!!!
Nathaniel


Joined: 06 Aug 2007
Posts: 20
Look at the image, what's my problem???

http://upload2.postimage.org/179206/photo_hosting.html
budtse


Joined: 14 Jan 2006
Posts: 372
Location: Belgium
Nathaniel wrote:

IS THIS COMMAND PROMPT STUPID?!?!?! ITS NOT A PROGRAM ITS THE PATH!!! SERIOUSLY!!!


As a matter of fact: it is. That's no reason for shouting.

Just put "C:\program files\clamwin\bin\sigtool.exe" and "C:\documents and settings\all users\.clamwin\db\main.cvd" between double quotes, and it should work. DOS (or in this case, NTVDM) is not used to handle spaces in file names, and neither is sigtool, or any command line program that uses parameters.

budtse
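The quoting problem in the last two posts, as an added example that is not part of the thread: a small Python model of how a Windows program splits its command line into arguments, run over the unquoted line Nathaniel typed and over a properly quoted one. split_cmdline is my own simplification (it leaves out the C runtime's backslash-before-quote escaping, which ordinary paths like these never hit); subprocess.list2cmdline is the standard-library routine that applies the Windows quoting rules when building a command line from an argument list. The paths are the ones from the thread, used here as constructed input.

```python
import subprocess
from typing import List

# Paths as they appear in the thread (Windows XP layout), used as constructed input.
SIGTOOL = r"C:\program files\clamwin\bin\sigtool.exe"
CVD_PATH = r"C:\documents and settings\all users\.clamwin\db\main.cvd"
ARGV = [SIGTOOL, "--unpack=" + CVD_PATH]

# The line exactly as typed: no quotes anywhere.
UNQUOTED = SIGTOOL + " --unpack=" + CVD_PATH


def split_cmdline(line: str) -> List[str]:
    """Simplified model of how a Windows program receives its arguments:
    whitespace separates arguments and double quotes group text that contains
    spaces.  Assumption: the C runtime's backslash-before-quote escaping is
    left out; it is not needed for ordinary paths like the ones above."""
    args: List[str] = []
    current: List[str] = []
    in_quotes = False
    have_token = False
    for ch in line:
        if ch == '"':
            in_quotes = not in_quotes  # the quote itself is dropped; only its grouping effect remains
            have_token = True
        elif ch in " \t" and not in_quotes:
            if have_token:
                args.append("".join(current))
                current, have_token = [], False
        else:
            current.append(ch)
            have_token = True
    if have_token:
        args.append("".join(current))
    return args


def quote_cmdline(argv: List[str]) -> str:
    """Turn an argument list into a command line using the standard library's
    Windows quoting rules (subprocess.list2cmdline): arguments containing
    spaces are wrapped in double quotes, the others are left alone."""
    return subprocess.list2cmdline(argv)


QUOTED = quote_cmdline(ARGV)


if __name__ == "__main__":
    # The first token is what the shell looks up as the command to run.  On the
    # unquoted line that token is C:\program, which is exactly the name in the
    # "is not recognized" error message; everything after it became stray arguments.
    print("unquoted ->", split_cmdline(UNQUOTED))
    print("quoted   ->", QUOTED)
    print("parsed   ->", split_cmdline(QUOTED))
```

The earlier error ('sigtool' is not recognized) is the PATH problem from b0ne's reply: the first token is looked up in the current directory and the PATH directories, and a bare name is not found there. The later error ('C:\program' is not recognized) is the splitting shown here, and quoting either the whole argument or just the path part (budtse's form, --unpack="C:\...") gives the same two-element argument list.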
Page 1 of 2  