Virus Definition Byte Sequences
Hello,

I had a few files flagged recently by ClamAV with a couple different signatures. I am trying to find out which part of the file the virus signature was found in. Is it possible to map the definitions provided by ClamAV to actual byte signatures so that I can map myself? Is it possible to get the byte range where the pattern was found? Thanks in advance for the help.

-Garrett
Re: Virus Definition Byte Sequences
sigtool can be used to show the starting offset of signature matches, like
in the example below:

$ sigtool --test-sigs manual/sigs.ldb build/test.exe
VIRUS NAME: Test.Sig.LDB_1of2_PE_ICON_1
TDB: Engine:51-255,Target:1,IconGroup1:TEST_ICON_GROUP_1
LOGICAL EXPRESSION: 0
* SUBSIG ID 0
+-> OFFSET: ANY
+-> SIGMOD: NONE
+-> SUBSIG: 434c414d41565f544553545f5052494e54465f535452494e475f
MATCH: ** YES/CHECK OFFSET ** (50 matches at offsets: 1173430 1173380
1160786 1160736 1113386 1113336 1065986 1065936 1018586 1018536 971186
971136 923786 923736 876386 876336 828986 828936 781586 781536 734186
734136 686786 686736 639386 639336 591986 591936 544586 544536 497186
497136 449786 449736 402386 402336 354986 354936 307586 307536 260186
260136 212786 212736 165386 165336 117986 117936 70586 70536)

You'll need to put the full definition of the sigs you want to search for
in their own clamav database file with the correct file extension (like
sigs.ldb in the example above for an LDB sig). You can find the full
definition of a signature in the ClamAV database via sigtool using sigtool
--find-sigs. For example:

sigtool --find-sigs=Win.Dropper.Ramnit-8009875-1
[daily.ldb]
Win.Dropper.Ramnit-8009875-1;Engine:51-255,Target:1;0&1&2&3&4;6f754d4e7539;5c2d52445e6d;7a4f6e4f4530;413759616320;50285e38283420

In that example, you would put
Win.Dropper.Ramnit-8009875-1;Engine:51-255,Target:1;0&1&2&3&4;6f754d4e7539;5c2d52445e6d;7a4f6e4f4530;413759616320;50285e38283420
into sigs.ldb and then pass that as the argument to sigtool --test-sigs
along with the matching sample path.

There are some known issues with sigtool --test-sigs, but hopefully it
works well enough for your use case.

Hope that helps!

-Andrew

On Tue, Jun 30, 2020 at 6:27 PM Singletary, Garrett (GE Healthcare) via
clamav-users <clamav-users@lists.clamav.net> wrote:

> Hello,
>
> I had a few files flagged recently by ClamAV with a couple different
> signatures. I am trying to find out which part of the file the virus
> signature was found in. Is it possible to map the definitions provided by
> ClamAV to actual byte signatures so that I can map myself? Is it possible
> to get the byte range where the pattern was found? Thanks in advance for
> the help.
>
> -Garrett
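To see where each subsig of a logical signature lands in a file, here is an added Python example (not from the thread and not ClamAV's own matcher): it parses the Ramnit LDB line quoted above, decodes the plain-hex subsigs, reports every [start, end) match range in a constructed sample buffer, and evaluates the flat 0&1&2&3&4 expression. It handles only literal hex and the ?? one-byte wildcard; sigtool --test-sigs remains the authoritative check.

```python
import re

# Constructed test input: the LDB line reproduced from the sigtool --find-sigs output above.
LDB_LINE = ("Win.Dropper.Ramnit-8009875-1;Engine:51-255,Target:1;0&1&2&3&4;"
            "6f754d4e7539;5c2d52445e6d;7a4f6e4f4530;413759616320;50285e38283420")

# Constructed sample buffer (not a real Ramnit dropper): the five decoded
# subsig strings embedded at known offsets, with subsig 0 planted twice.
SAMPLE = (b"\x00" * 16 + b"ouMNu9" + b"\x90" * 10 + b"\\-RD^m" + b"PADDING"
          + b"zOnOE0" + b"A7Yac " + b"\xff" * 3 + b"P(^8(4 " + b"ouMNu9")

def parse_ldb(line):
    """Split a logical signature: Name;TargetDescription;LogicalExpr;Subsig0;Subsig1;..."""
    name, tdb, expr, *subsigs = line.strip().split(";")
    return {"name": name, "tdb": tdb, "expr": expr, "subsigs": subsigs}

def subsig_to_regex(hexsig):
    """Compile a subsig of literal hex bytes (plus the '??' one-byte wildcard)
    into an overlapping-match regex; other ClamAV wildcards are rejected."""
    if len(hexsig) % 2 or any(c in hexsig for c in "*{}()[]|"):
        raise ValueError("unsupported subsig syntax: " + hexsig)
    pairs = [hexsig[i:i + 2] for i in range(0, len(hexsig), 2)]
    body = b"".join(b"." if p == "??" else re.escape(bytes([int(p, 16)])) for p in pairs)
    return re.compile(b"(?=(" + body + b"))", re.DOTALL)  # lookahead: overlapping hits too

def find_subsig_ranges(data, hexsig):
    """Return every [start, end) byte range where the subsig occurs in data."""
    return [(m.start(1), m.end(1)) for m in subsig_to_regex(hexsig).finditer(data)]

def evaluate_expr(expr, hits):
    """Evaluate a flat expression of subsig ids joined only by '&' (all must hit,
    as in 0&1&2&3&4) or only by '|' (any must hit); nested forms are rejected."""
    if ("&" in expr and "|" in expr) or "(" in expr:
        raise ValueError("only flat &-only or |-only expressions are handled")
    op = "|" if "|" in expr else "&"
    flags = [bool(hits[int(i)]) for i in expr.split(op)]
    return any(flags) if op == "|" else all(flags)

def scan(line, data):
    """Locate every subsig of the LDB signature in data and decide whether it fires."""
    sig = parse_ldb(line)
    hits = [find_subsig_ranges(data, s) for s in sig["subsigs"]]
    return {"name": sig["name"], "hits": hits, "matched": evaluate_expr(sig["expr"], hits)}

if __name__ == "__main__":
    result = scan(LDB_LINE, SAMPLE)
    print(result["name"], "MATCH" if result["matched"] else "no match")
    for i, ranges in enumerate(result["hits"]):
        print(" * SUBSIG %d: %s" % (i, ", ".join("%d-%d" % r for r in ranges) or "none"))
```

Truncating the sample before the last subsig (SAMPLE[:60]) makes the AND expression fail, which is the quickest way to see which subsig a flagged file is missing.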