This shows you the differences between two versions of the page.
create_your_own_anti-virus_signatures_with_clamav [2009/07/05 23:42] adam created |
create_your_own_anti-virus_signatures_with_clamav [2009/07/05 23:44] adam |
Line 23: | Line 23: | ||
Save it as strip-attach.pl or something and make it executable. Then run it with an argument of the file to strip such as: | Save it as strip-attach.pl or something and make it executable. Then run it with an argument of the file to strip such as: | ||
- | strip-attach.pl | + | |
The output will give you the paths to the text portion and the attachment portion of the email. If you saved the email attachment to your PC from your mail client, you can start to pay attention now. | The output will give you the paths to the text portion and the attachment portion of the email. If you saved the email attachment to your PC from your mail client, you can start to pay attention now. | ||
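Review bot: the example invocation on the old side of this hunk (`strip-attach.pl`) carries no argument even though the sentence before it promises one ("run it with an argument of the file to strip such as:"), and on the new side the line comes out empty. If the new revision moved the command into a code block, confirm the rendered page shows it with the file argument the reader is told to pass, e.g. `./strip-attach.pl suspicious.eml` (the `./` matters unless the script was put somewhere on PATH), so the step is reproducible as written.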
Line 59: | Line 59: | ||
Either name the virus yourself if it's just a file you don't want on your network or it's a new virus, or take a look at what other AV engines call a virus by submitting your suspicious file to somewhere like [[http:// | Either name the virus yourself if it's just a file you don't want on your network or it's a new virus, or take a look at what other AV engines call a virus by submitting your suspicious file to somewhere like [[http:// | ||
- | My good friend and malware expert [[http:// | + | My good friend and malware expert [[http:// |
Now, test the signature against your suspect file: | Now, test the signature against your suspect file: | ||
- | clamscan -d customsig.ndb testfile | + | |
It's pretty inefficient to store one virus signature per file, so if you're going to be doing this frequently or you want your signature to used as part of regular operations, you may as well start keeping your own virus db file as part of ClamAV itself. Simply copy your customsig.ndb to the directory used by ClamAV' | It's pretty inefficient to store one virus signature per file, so if you're going to be doing this frequently or you want your signature to used as part of regular operations, you may as well start keeping your own virus db file as part of ClamAV itself. Simply copy your customsig.ndb to the directory used by ClamAV' | ||
- | clamscan testfile | + | |
And that's it. Add each new signature line into the customsig.ndb file you put in ClamAV' | And that's it. Add each new signature line into the customsig.ndb file you put in ClamAV' |
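Review bot: both command examples on the old side of this hunk (`clamscan -d customsig.ndb testfile` and `clamscan testfile`) come out empty on the new side while the prose around them ("Now, test the signature against your suspect file:" and "Simply copy your customsig.ndb to the directory used by ClamAV") still points at them; if they were moved into code blocks, confirm the rendered page still shows them. A sentence beside the first one would help: `-d customsig.ndb` loads only that file, so that run exercises the custom signature alone and tells you nothing about whether the stock database already catches the sample. The "directory used by ClamAV" sentence would also be clearer if it named the directory (the `DatabaseDirectory` setting in clamd.conf / freshclam.conf) and noted that `clamscan` reads that directory fresh on every run, whereas a running `clamd` only picks up the new file after a reload (for example `clamdscan --reload` or a restart).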