Here are a few examples of how to create custom ClamAV signatures with sigtool.
md5
If the file contains HTML, it needs to be normalised first (the original author flags this as a ClamAV bug). sigtool writes the normalised copies (nocomment.html, notags.html, javascript) into the current directory:
sigtool --html-normalise=foo.html
mv nocomment.html foo.html
sigtool --md5 foo.html
Output:
5b402ec0270e70d236146c1c0cdac8e5:49:foo.html
The output has the form HASH:FILESIZE:FILENAME. An .hdb entry has the form HASH:FILESIZE:SignatureName, so replace the trailing file name (foo.html) with the name you want reported (e.g. Custom.HTML.Foo) and save the line to custom.hdb. The file size must match exactly, so hash the same bytes that will be scanned.
hex
printf '%s' "CONTENT_TO_HEX_DUMP" | sigtool --hex-dump | head -c 2048
(printf '%s' instead of echo avoids encoding a trailing newline; head -c 2048 optionally caps the pattern at 1024 bytes.)
The hex string alone is not a valid .ndb entry. Write it into custom.ndb as one line of the form
FORMAT: Name:Type:Offset:HEX_OUTPUT
where Offset is a byte offset or * to match anywhere in the file.
Type:
0 = any file
1 = Portable Executable (i.e. Windows exe)
2 = OLE2 component (e.g. a VBA script)
3 = HTML (normalised)
4 = Mail file
5 = Graphics
6 = ELF
7 = ASCII text file (normalised)
Example: write the pattern to a file (single quotes, so the inner double quote survives the shell) and hex-dump the file's contents, not its name:
echo 'eval(base64_decode("' > sigtool.txt
sigtool --hex-dump < sigtool.txt
Output:
6576616c286261736536345f6465636f646528220a
Note: the trailing 0a is the newline that echo appended. Remove it (or create the file with printf '%s' so it is never added); if it stays in the pattern, the signature only matches when the string is followed by a newline in the scanned file.
Testing
clamscan --database=/tmp/custom.ndb /path/to/malware.php
--database (or -d) loads only the given file instead of the default signature directory. A hit is printed as "... FOUND" with the signature name, and clamscan exits with status 1 (0 = clean, 2 = error).
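The following script is an added example, not part of the original page or of ClamAV itself. It builds both a custom.hdb line (the md5 procedure above) and a custom.ndb line (the hex procedure above) with POSIX tools only, so it runs even where sigtool is not installed; `sigtool --hex-dump` is just a hex encoder of stdin, so `od` produces the same string. The signature names (Custom.Test.Sample.hdb, Custom.PHP.EvalBase64), the temporary directory and the PHP sample are constructed for the demonstration. HTML normalisation is not reproduced here; for HTML files run `sigtool --html-normalise` first as described above.

```shell
#!/bin/sh
# Added example: build custom.hdb and custom.ndb entries without sigtool.
set -eu

# Hex-encode stdin: same output as `sigtool --hex-dump` (one line, no spaces).
hex_dump() {
    od -An -v -tx1 | tr -d ' \n'
}

# MD5 digest of a file (md5sum on Linux, openssl as fallback), digest only.
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | cut -d' ' -f1
    else
        openssl dgst -md5 "$1" | awk '{print $NF}'
    fi
}

# One .hdb line: HASH:FILESIZE:SignatureName.
# sigtool --md5 prints HASH:SIZE:filename; the filename has to be replaced by
# the signature name before ClamAV will accept the line.
hdb_line() {
    file=$1; name=$2
    printf '%s:%s:%s\n' "$(md5_of "$file")" "$(wc -c < "$file" | tr -d ' ')" "$name"
}

# One .ndb line: SignatureName:TargetType:Offset:HexPattern.
# printf '%s' (not echo) feeds the pattern, so no trailing newline (0a) is
# encoded; a stray 0a would make the pattern match only when the string is
# followed by a newline in the scanned file.
ndb_line() {
    name=$1; target=$2; offset=$3; pattern=$4
    printf '%s:%s:%s:%s\n' "$name" "$target" "$offset" "$(printf '%s' "$pattern" | hex_dump)"
}

# Repair a hex string produced with `echo ... | sigtool --hex-dump`:
# drop the trailing 0a that echo's newline added.
strip_trailing_0a() {
    printf '%s\n' "${1%0a}"
}

# --- demo: write both databases and a constructed sample, then scan it ---
workdir=$(mktemp -d)
sample="$workdir/sample.php"
# Constructed sample (not real malware): the page's pattern inside a PHP file.
printf '<?php eval(base64_decode("aGk=")); ?>\n' > "$sample"

hdb_line "$sample" "Custom.Test.Sample.hdb" > "$workdir/custom.hdb"
ndb_line "Custom.PHP.EvalBase64" 0 '*' 'eval(base64_decode("' > "$workdir/custom.ndb"

echo "custom.hdb:"; cat "$workdir/custom.hdb"
echo "custom.ndb:"; cat "$workdir/custom.ndb"

# Scan with the custom database if clamscan is installed (exit 1 means a hit).
if command -v clamscan >/dev/null 2>&1; then
    clamscan --database="$workdir/custom.ndb" "$sample" || echo "clamscan exit status: $?"
fi
```

The .ndb entry uses target type 0 and offset `*`, so the pattern is matched anywhere in any file type; tighten the type to 7 (normalised ASCII text) or give a fixed offset once you know where the string sits in the samples you are hunting.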
References
Official manual: signatures.pdf
Good documentation with examples: http://blog.clamav.net/2014/03/programmatic-boolean-simplification-and.html