topix93
Joined: 15 Mar 2012
Posts: 0
Posted: Sat Mar 31, 2012 8:22 pm

How to get the signature of a file?

GuitarBob
Joined: 09 Jul 2006
Posts: 9
Location: USA
Posted: Sat Mar 31, 2012 8:54 pm

There are several different types of signatures. There is some information about getting Clam AV signatures for Immunet 3.0 users at https://blog.clamav.net/2011/02/how-to-create-custom-signatures-for.html on the web.
Regards,

topix93
Joined: 15 Mar 2012
Posts: 0
Posted: Mon Apr 02, 2012 1:33 pm

Do you know a way to get the signature of a file programmatically?

GuitarBob
Joined: 09 Jul 2006
Posts: 9
Location: USA
Posted: Mon Apr 02, 2012 8:17 pm

There are many types of signatures. A file hash (MD5 or SHA) is probably the easiest signature to get programmatically. Other signatures are more involved.
Regards,

topix93
Joined: 15 Mar 2012
Posts: 0
Posted: Wed Apr 04, 2012 10:18 am

With an exe extension, the header, which is always over 512 bytes, contains a field called signature. This signature field contains "MZ" for the executable file (EXE) ...
This document is in Italian, but I think it is comprehensible.
So what does an antivirus, like ClamWin, check to detect a virus? ... maybe it takes the first 512 bytes, or uses the checksum technique?

GuitarBob
Joined: 09 Jul 2006
Posts: 9
Location: USA
Posted: Wed Apr 04, 2012 1:18 pm

If a sigmaker can find the entry point of the file, he may use the first 512 bytes as a signature. Many files are packed and the entropy point is obscured, so this cannot always be done. The kind of signature used depends upon what information is available from the file and the time the sigmaker has to develop a file. There is usually not much information or time available.
The first thing a sigmaker should do is find out if the file is malicious. These items can help: Google the file hash (MD5 or SHA), scan on Jotti or Virus Total or Virus Scan, execute in a virtual machine/sandbox, or use some heuristics.
Regards,

topix93
Joined: 15 Mar 2012
Posts: 0
Posted: Wed Apr 18, 2012 10:14 am

How many bytes does ClamWin take for the signature?

GuitarBob
Joined: 09 Jul 2006
Posts: 9
Location: USA
Posted: Wed Apr 18, 2012 1:46 pm

The signatures are not all the same length. The size depends upon what is used in the file for a signature: a file hash, a hex signature of a piece of code, or something else. Each type of file hash has the same length if it is used for a signature. Here is an MD5 hash of the ClamWin executable: 67b03985a613060bee8fcc24f810f3bb. All MD5 hashes will have this same size, but each file will have a different MD5 hash. An SHA-1 file hash will have a different size than an MD5 hash.
Do a Google search for "getting Clam AV signatures" to find some PDF explanations of Clam signatures. There is a lot of information about them. There is not much information about signatures for other AVs, but they are similar.
Regards,

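As an added example (not from this thread, and not ClamWin's or ClamAV's own code), here is a small Python script that ties together the three things the replies above touch on: the "MZ" check on the first bytes, fixed-length file hashes, and a hash signature written in ClamAV's .hdb record format (MD5:FileSize:MalwareName) matched back against the file. The two sample files are constructed byte strings, not real executables, and the signature name is a placeholder.

```python
import hashlib

# Constructed samples (not real programs): a fake PE-like file that starts
# with the DOS "MZ" signature and has "PE\0\0" at offset 64, and a text file.
SAMPLE_EXE = b"MZ" + b"\x90" * 62 + b"PE\x00\x00" + b"\x00" * 60
SAMPLE_TXT = b"just a text file, not an executable\n"


def is_mz_file(data: bytes) -> bool:
    """True if the first two bytes are the DOS 'MZ' signature."""
    return data[:2] == b"MZ"


def file_hashes(data: bytes) -> dict:
    """MD5 / SHA-1 / SHA-256 hex digests. Each algorithm has a fixed output
    length (32, 40 and 64 hex chars) no matter how large the file is."""
    return {name: hashlib.new(name, data).hexdigest()
            for name in ("md5", "sha1", "sha256")}


def clamav_hdb_line(data: bytes, name: str) -> str:
    """Build a ClamAV .hdb record: MD5:FileSize:MalwareName (placeholder name)."""
    return f"{hashlib.md5(data).hexdigest()}:{len(data)}:{name}"


def match_hdb(data: bytes, hdb_lines) -> list:
    """Return the names of .hdb records whose MD5 and size both match."""
    md5 = hashlib.md5(data).hexdigest()
    hits = []
    for line in hdb_lines:
        line = line.strip()
        if not line or line.startswith("#"):  # skip blanks and comments
            continue
        sig_hash, sig_size, sig_name = line.split(":", 2)
        if sig_hash.lower() == md5 and int(sig_size) == len(data):
            hits.append(sig_name)
    return hits


def match_hex_prefix(data: bytes, hex_sig: str, offset: int = 0) -> bool:
    """Match a hex byte pattern at a fixed offset, the 'first N bytes' style
    of signature discussed in the thread (no wildcards, exact bytes only)."""
    pattern = bytes.fromhex(hex_sig)
    return data[offset:offset + len(pattern)] == pattern


if __name__ == "__main__":
    sig = clamav_hdb_line(SAMPLE_EXE, "Test.Sample.Placeholder")
    print("MZ file:", is_mz_file(SAMPLE_EXE), "| hdb:", sig)
    print("matches:", match_hdb(SAMPLE_EXE, [sig]), match_hdb(SAMPLE_TXT, [sig]))
```

A hash signature only ever matches the exact same bytes, so any change to the file (repacking, a single flipped byte) defeats it; that is why the replies above describe hex signatures at a known offset as a more involved but more durable alternative.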