sigtool

Here are a few examples of how to create custom signatures with sigtool.

md5

If the file contains HTML code, it needs to be normalised first! (BUG)

sigtool --html-normalise=foo.html
mv nocomment.html foo.html
sigtool --md5 foo.html

Output:

5b402ec0270e70d236146c1c0cdac8e5:49:foo.html

This output needs to be added to a custom.hdb file (copy/paste the line as-is).

hex


HEX=$(printf '%s' "CONTENT_TO_HEX_DUMP" | sigtool --hex-dump | head -c 2048)
echo "Custom.Name:0:*:$HEX" > custom.ndb   # Name, Type and Offset are placeholders, see FORMAT below

FORMAT: Name:Type:Offset:HEX_OUTPUT

Type:

0 = any file
1 = Portable Executable (ie Windows exe)
2 = OLE2 component (e.g. a VBA script)
3 = HTML (normalised)
4 = Mail file
5 = Graphics
6 = ELF
7 = ASCII text file (normalised)

Example:

Write the string to a file with cat, or echo "eval(base64_decode(" directly:

Here from a file (sigtool.txt holds the string):
cat sigtool.txt | sigtool --hex-dump

Output:

6576616c286261736536345f6465636f646528220a

Note: remove the trailing 0a (the newline); the signature does not work if it is included!

Testing


clamscan --database=/tmp/custom.ndb /path/to/malware.php
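The whole hex-signature procedure above (dump the bytes, drop the trailing newline, build the Name:Type:Offset:HEX line, write custom.ndb) as an added example script, not part of the original notes. It uses od as a stand-in for sigtool --hex-dump so it runs without ClamAV installed; the signature name Custom.PHP.Eval_b64 is an assumed placeholder, and the check only covers the plain-hex body form used on this page (no wildcards).

```shell
#!/bin/sh
# Added example (not from the original notes). Builds a ClamAV .ndb line from a
# plain string. printf '%s' is used instead of echo, so no trailing 0a (newline)
# ends up in the hex, which is the mistake the notes warn about.

# hex_of STRING -> lowercase hex of STRING's bytes, no separators, no newline
# (od -tx1 here stands in for `sigtool --hex-dump`; both give the same hex)
hex_of() {
    printf '%s' "$1" | od -An -v -tx1 | tr -d ' \n'
}

# ndb_line NAME TYPE OFFSET STRING -> "NAME:TYPE:OFFSET:HEX" (Offset "*" = anywhere)
ndb_line() {
    printf '%s:%s:%s:%s' "$1" "$2" "$3" "$(hex_of "$4")"
}

# ndb_check LINE -> 0 if LINE has at least 4 colon fields, a numeric type and an
# even-length plain-hex body; 1 otherwise. Catches the "raw hex only" mistake.
ndb_check() {
    fields=$(printf '%s' "$1" | awk -F: '{print NF}')
    [ "$fields" -ge 4 ] || return 1
    type=$(printf '%s' "$1" | cut -d: -f2)
    case "$type" in ''|*[!0-9]*) return 1 ;; esac
    hex=$(printf '%s' "$1" | cut -d: -f4)
    case "$hex" in ''|*[!0-9a-f]*) return 1 ;; esac
    [ $(( ${#hex} % 2 )) -eq 0 ]
}

# write_custom_ndb FILE -> writes a one-line database for the pattern from the
# notes; type 0 (any file) since PHP sources are not a dedicated target type.
# Signature name is an assumed placeholder.
write_custom_ndb() {
    line=$(ndb_line "Custom.PHP.Eval_b64" 0 '*' 'eval(base64_decode("')
    ndb_check "$line" || return 1
    printf '%s\n' "$line" > "$1"
}

# Usage: write_custom_ndb /tmp/custom.ndb && clamscan --database=/tmp/custom.ndb /path/to/file.php
```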

References

Official manual: signatures.pdf

Good documentation with examples: http://blog.clamav.net/2014/03/programmatic-boolean-simplification-and.html