ClamWin Free Antivirus
Support and Discussion Forums
Unicode Strings for signature (maybe a dumb question)
darksider9


Joined: 30 Jan 2012
Posts: 0
Location: USA
Hi All,

First time poster, and just now starting to attempt to develop some signatures for ClamAV. I was wondering though (I know this may be a dumb question), is it possible to develop a signature based off a UNICODE STRING inside of the file? Some EXEs that I have been seeing have a very specific STRING, and I was wondering if I could make it fire off of that alone. Any help is much appreciated. Thank you in advance.

Darksider
GuitarBob


Joined: 09 Jul 2006
Posts: 9
Location: USA
Sure, it's possible to get a signature for anything you can see in a debugger/hex editor/disassembler. If it is really unique, it might hold up and not have any false positives. I prefer to stay away from formatting-type stuff, but I think something like that fairly new Unicode trick of reversing the extension so it does not appear at the end of the filename might work. Not many legitimate executable files would do that.

Watch it though--every time I think I have found something unique, it seems to get false positives!

Regards,
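As an added example (not part of either post in this thread), here is one way to turn a "Unicode" string seen in a PE file into a ClamAV extended body signature (`.ndb` format, `Name:TargetType:Offset:HexSignature`), with a small local check on constructed bytes. The signature name, marker string and helper functions are hypothetical; the example assumes the string is stored as UTF-16LE, which is how Windows executables normally hold wide strings.

```python
import binascii

PE_TARGET = 1  # ClamAV .ndb target type 1 = PE executables


def utf16le_hex(text):
    """Hex of the string as Windows stores 'Unicode' strings (UTF-16LE, no BOM)."""
    return binascii.hexlify(text.encode("utf-16-le")).decode("ascii")


def make_ndb_signature(name, text, min_chars=8):
    """Build an extended (.ndb) body signature: Name:TargetType:Offset:HexSignature."""
    if len(text) < min_chars:
        # Short strings are the false-positive risk raised in the thread.
        raise ValueError("string too short to be a reliable signature")
    if ":" in name:
        raise ValueError("':' is the .ndb field separator and cannot be in the name")
    return "{}:{}:*:{}".format(name, PE_TARGET, utf16le_hex(text))


def ndb_matches(sig_line, data):
    """Minimal local check for a wildcard-free hex signature at any offset ('*').

    This is a plain substring test for sanity-checking the hex, not ClamAV's
    engine: it ignores the target type and does not parse the PE format.
    """
    name, target, offset, hex_sig = sig_line.split(":")
    if offset != "*":
        raise ValueError("this helper only handles the '*' offset")
    return binascii.unhexlify(hex_sig) in data


# Constructed sample data, not taken from any real file.
MARKER = "ExampleMarker-1234"                      # hypothetical string
SIG = make_ndb_signature("Local.Test.UnicodeMarker", MARKER)
WIDE_SAMPLE = b"MZ\x90\x00" + b"\x00" * 16 + MARKER.encode("utf-16-le") + b"\x00\x00"
ASCII_SAMPLE = b"MZ\x90\x00" + b"\x00" * 16 + MARKER.encode("ascii") + b"\x00"

if __name__ == "__main__":
    print(SIG)
    print("wide sample matches: ", ndb_matches(SIG, WIDE_SAMPLE))
    print("ascii sample matches:", ndb_matches(SIG, ASCII_SAMPLE))
```

The printed line can be saved to a `.ndb` file and loaded with `clamscan -d`; scanning a set of known-clean executables with it first is the practical way to catch the false positives mentioned in the reply.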