Hi.

I live in Moscow! Speak English bad.
Please! Help me!
I want creating signature - sigtool.exe. How???

------------------------------
cmd.exe

sigtool --md5 test.exe > test.hdb (in test.hdb creating md5 test.exe - 49e9ec961494064722947dce19bb3818:36:(null))
next

sigtool --unpack daily.cvd (C:\Program Files\ClamWin\bin\daily.cvd)
next build cvd

sigtool --build dail.cvd --server localhost

and error!

--
C:\Program Files\ClamWin\bin>sigtool --build daily.cvd --server localhost
LibClamAV debug: Loading databases from .
LibClamAV debug: Loading ./daily.cvd
LibClamAV debug: in cli_cvdload()
LibClamAV debug: MD5(.tar.gz) = 61d069903e4732a9cffc9ddb2b237897
LibClamAV debug: Decoded signature: 61d069903e4732a9cffc9ddb2b237897
LibClamAV debug: Digital signature is correct.
LibClamAV Warning: ********************************************************
LibClamAV Warning: *** This version of the ClamAV engine is outdated. ***
LibClamAV Warning: *** DON'T PANIC! Read https://www.clamav.net/faq.html ***
LibClamAV Warning: ********************************************************
LibClamAV debug: in cli_untgz()
LibClamAV debug: Unpacking /tmp/clamav-26ea61b73e63eb2d/COPYING
LibClamAV debug: Unpacking /tmp/clamav-26ea61b73e63eb2d/daily.db
LibClamAV debug: Unpacking /tmp/clamav-26ea61b73e63eb2d/daily.hdb
LibClamAV debug: Unpacking /tmp/clamav-26ea61b73e63eb2d/daily.ndb
LibClamAV debug: Unpacking /tmp/clamav-26ea61b73e63eb2d/daily.zmd
LibClamAV debug: Unpacking /tmp/clamav-26ea61b73e63eb2d/daily.fp
LibClamAV debug: Unpacking /tmp/clamav-26ea61b73e63eb2d/daily.info
LibClamAV debug: Unpacking /tmp/clamav-26ea61b73e63eb2d/daily.pdb
LibClamAV debug: Loading databases from /tmp/clamav-26ea61b73e63eb2d
LibClamAV debug: Loading /tmp/clamav-26ea61b73e63eb2d/daily.db
LibClamAV debug: Initializing main node
LibClamAV debug: Initializing trie
LibClamAV debug: Initializing BM tables
LibClamAV debug: in cli_bm_init()
LibClamAV debug: BM: Number of indexes = 63744
LibClamAV debug: Loading /tmp/clamav-26ea61b73e63eb2d/daily.fp
LibClamAV debug: Initializing md5 list structure
LibClamAV debug: Loading /tmp/clamav-26ea61b73e63eb2d/daily.hdb
LibClamAV debug: Loading /tmp/clamav-26ea61b73e63eb2d/daily.ndb
LibClamAV debug: Loading /tmp/clamav-26ea61b73e63eb2d/daily.zmd
LibClamAV debug: Loading ./daily.db
LibClamAV debug: Loading ./daily.fp
LibClamAV debug: Loading ./daily.hdb
LibClamAV debug: Loading ./daily.ndb
LibClamAV debug: Loading ./daily.zmd
LibClamAV debug: Loading ./virus.hdb
Database properly parsed.
Signatures: 4299
ERROR: Signatures in database: 2149. Loaded: 4299.
Please check the current directory and remove unnecessary databases
or install the latest ClamAV version.

or FAQ writen:

sigtool --build daily.cvd --server SIGNING_SERVER
where SIGNING SERVER is one of the ClamAV Signing Servers you access
to. This command will automatically generate binary database with
signature.
LibClamAV debug: Loading databases from .
LibClamAV debug: Loading ./daily.db
LibClamAV debug: Loading ./daily.hdb
LibClamAV debug: Initializing trie.
Database properly parsed.
Signatures: 183
COPYING
tar: main.db: Cannot stat: No such file or directory
tar: main.hdb: Cannot stat: No such file or directory
daily.db
daily.hdb
tar: Notes: Cannot stat: No such file or directory
tar: Error exit delayed from previous errors
Builder id: tkojm
Password:
Signature received (length = 171).
Database daily.cvd created.

Don’t worry about �No such file or directory� tar errors. Finally, you
verify the new database with:

zolw@localhost:/usr/local/share/clamav$ sigtool -i daily.
Build time: 26 Aug 2004 22-41 +0200
Version: 473
# of signatures: 183
Functionality level: 2
Builder: tkojm
MD5: 0e89235392c1a1142dda0d022f218903
Digital signature: bWBCx3KO7rkdOQo+zTIZXKhGNvmEz5n/fTUsCEVrdFwhWr2gf5MjsmO7nF/Verification OK.

If you have identified a virus and know how to develop a signature for it, the link below to the ClamAntivirus Web site will help. Look at Item 30.

Be sure to send a sample of the virus to Clam or ClamWin. Ask them to let you know when they add the signature to the regular database, and you can remove your signature then.

https://www.clamav.net/faq.html#pagestart

Regards,

-server takes an ip number and not a name, unfortunately the signing server code is not public so for now there is no way to
create cvd, you can still create single files like something.ndb something.hdb and put it in the db directory

Creating something.hdb, put in (C:\Documents and Settings\Ice\.clamwin\db). Clam not see virus file.



I can build cvd file or not? Not understand!
You can show me how work -build comand in sigtool?

You cannot build CVD's, but you can create your own signatures in their own database. See this url: https://www.clamav.net/doc/latest/signatures.pdf https://www.clamav.net/doc/latest/signatures.pdf

I created a file blah.txt on my c: drive. In this text file I typed "BLAHBLAHBLAH" without quotes or a carriage-return. To create the signature I ran "sigtool.exe --md5 blah.txt". The output is in this format, hash:size:filename. I renamed the signature and put it in the file test.hdb.

The signature looks like this: 677e03bac2437b464fad66df286104bd:16:MD5SIG_BLAHTXT

I put test.hdb in the clamwin database directory located on my computer at: "C:\Documents and Settings\All Users\.clamwin\db"

Next I right clicked on the blah.txt and chose to scan it with ClamWin.

C:\blah.txt: MD5SIG_BLAHTXT FOUND
-- summary --
Known viruses: 86212
Engine version: 0.88.7
Scanned directories: 0
Scanned files: 1
Infected files: 1

Is the EICAR file in hexadecimal? I'm not certain, but it doesn't have the hex look to me, and ClamWin recognizes it. If it is not in hex, then ClamWin must have the capability to recognize something other than hex signatures.

Regards,

main.cvd Eicar-Test-Signature 0:0:58354f2150254041505b345c505a58353428505e2937434329377d2445494341522d5354414e444152442d414e544956495255532d544553542d46494c452124482b482a

It's a sig alright. Even though hash data is commonly represented in a hexadecimal form, Technically MD5 hashes aren't byte signatures but that is the other method clamav supports.

Thanks, bOne. All I've ever seen for EICAR is the:

X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

AV TEST provides an MD5 hash with their report, so perhaps that could be used then.

Regards,

I wanna creat my own signatures for ClamAV for my local network use
but i donnt know how to do

See the link above--explains how: https://www.clamav.net

Regards

look here for info how to built your own:
https://www.clamav.net/doc/latest/signatures.pdf