the type of the target file:
\begin{itemize}
\item 0 = any file
\item 1 = Portable Executable, both 32- and 64-bit.
\item 2 = file inside OLE2 container (e.g. image, embedded executable,
VBA script). The OLE2 format is primarily used by MS Office and MSI
\item 3 = HTML (normalized: whitespace transformed to spaces, tags/tag
attributes normalized, all lowercase), Javascript is normalized too:
all strings are normalized (hex encoding is decoded), numbers are
parsed and normalized, local variables/function names are normalized
to 'n001' format, argument to eval() is parsed as JS again,
unescape() is handled, some simple JS packers are handled,
output is whitespace normalized.
\item 4 = Mail file
\item 5 = Graphics
\item 7 = ASCII text file (normalized)
\end{itemize}
And \verb+Offset+ is an asterisk or a decimal number \verb+n+ possibly
combined with a special modifier:
All signatures in the extended format must be placed inside \verb+*.ndb+ files.

\subsubsection{Logical signatures}\label{ndb}
Logical signatures allow combining multiple signatures in extended
format using logical operators. They can provide both more detailed and
flexible pattern matching. The logical sigs are stored inside \verb+*.ldb+
files in the following format:
\begin{verbatim}
SignatureName;TargetDescriptionBlock;LogicalExpression;Subsig0;
\end{verbatim}
\begin{itemize}
\item \verb+TargetDescriptionBlock+ provides information about the
engine and target file with comma separated \verb+Arg:Val+ pairs,
currently (as of 0.95.1) only \verb+Target:X+ and \verb+Engine:X-Y+
\item \verb+LogicalExpression+ specifies the logical expression
describing the relationship between \verb+Subsig0...SubsigN+.\\
\textbf{Basis clause:} 0,1,...,N decimal indexes are SUB-EXPRESSIONS
representing \verb+Subsig0, Subsig1,...,SubsigN+ respectively.\\
\textbf{Inductive clause:} if \verb+A+ and \verb+B+ are
SUB-EXPRESSIONS and \verb+X, Y+ are decimal numbers then
\verb+(A&B)+, \verb+(A|B)+, \verb+A=X+, \verb+A=X,Y+, \verb+A>X+,
\verb+A>X,Y+, \verb+A<X+ and \verb+A<X,Y+ are SUB-EXPRESSIONS
\item \verb+SubsigN+ is the n-th subsignature in extended format, possibly
preceded by an offset. Up to 64 subsigs can be specified.
\end{itemize}

Modifiers for subexpressions:
\begin{itemize}
\item \verb+A=X+: If the SUB-EXPRESSION A refers to a single signature
then this signature must be matched exactly X times; if it refers to
a (logical) block of signatures then this block must generate exactly
X matches (with any of its sigs).
\item \verb+A=0+ specifies negation (signature or block of signatures
\item \verb+A=X,Y+: If the SUB-EXPRESSION A refers to a single signature
then this signature must be matched exactly X times; if it refers to
a (logical) block of signatures then this block must generate X matches
and at least Y different signatures must be matched.
\item \verb+A>X+: If the SUB-EXPRESSION A refers to a single signature
then this signature must be matched more than X times; if it refers to
a (logical) block of signatures then this block must generate more
than X matches (with any of its sigs).
\item \verb+A>X,Y+: If the SUB-EXPRESSION A refers to a single signature
then this signature must be matched more than X times; if it refers to
a (logical) block of signatures then this block must generate more than
X matches and at least Y different signatures must be matched.
\item \verb+A<X+ and \verb+A<X,Y+ as above with the change of "more"
\end{itemize}

\begin{verbatim}
Sig1;Target:0;(0&1&2&3)&(4|1);6b6f74656b;616c61;7a6f6c77;7374656

Sig2;Target:0;((0|1|2)>5,2)&(3|1);6b6f74656b;616c61;7a6f6c77;737

Sig3;Target:0;((0|1|2|3)=2)&(4|1);6b6f74656b;616c61;7a6f6c77;737

Sig4;Target:1,Engine:18-20;((0|1)&(2|3))&4;EP+123:33c06834f04100
f2aef7d14951684cf04100e8110a00;S2+78:22??232c2d252229{-15}6e6573
(63|64)61706528;S+50:68efa311c3b9963cb1ee8e586d32aeb9043e;f9c58d
cf43987e4f519d629b103375;SL+550:6300680065005c0046006900
\end{verbatim}
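The following program is an added illustration, not ClamAV's own matcher code: it splits a \verb+*.ldb+ line into its fields, parses the \verb+LogicalExpression+ with a small recursive-descent parser built from the basis and inductive clauses above, counts how often each subsignature occurs in a buffer, and applies the \verb+A=X+, \verb+A=X,Y+, \verb+A>X+ and \verb+A<X+ modifiers. It assumes subsignatures are plain hex with optional \verb+??+ byte wildcards and either no offset or \verb+*+ (the \verb+EP+n+ and \verb+S+n+ offset forms from the examples are rejected), and its match/distinct counting is a reading of the modifier definitions on this page rather than the engine's implementation. The \verb+Demo.Logical+ signature and the test buffers are constructed for the demonstration.

```python
# Added illustration, not ClamAV code: evaluate a *.ldb logical signature on a
# buffer. Subsigs are plain hex with optional '??' wildcards and offset '*' or
# none; the count/distinct semantics are a reading of the modifiers above.
import re

MAX_SUBSIGS = 64


def compile_subsig(subsig):
    """'hex' or 'offset:hex' -> lookahead regex, so overlapping hits all count."""
    if ":" in subsig:
        offset, subsig = subsig.split(":", 1)
        if offset != "*":
            raise NotImplementedError(f"offset {offset!r} is not handled here")
    body = b"".join(b"." if subsig[i:i + 2] == "??" else re.escape(bytes.fromhex(subsig[i:i + 2]))
                    for i in range(0, len(subsig), 2))
    return re.compile(b"(?=" + body + b")", re.DOTALL)


def parse_expression(text):
    """Recursive descent: index | (A&B&..) | (A|B|..) | A=X[,Y] | A>X[,Y] | A<X[,Y]."""
    pos = 0
    peek = lambda: text[pos] if pos < len(text) else ""

    def number():
        nonlocal pos
        start = pos
        while peek().isdigit():
            pos += 1
        if start == pos:
            raise ValueError(f"number expected at {start} in {text!r}")
        return int(text[start:pos])

    def term():
        nonlocal pos
        if peek() == "(":
            pos += 1
            node = expression()
            if peek() != ")":
                raise ValueError(f"missing ')' at {pos} in {text!r}")
            pos += 1
        else:
            node = ("sig", number())
        if peek() and peek() in "=><":        # comparison modifier on this term
            op, pos = peek(), pos + 1
            x, y = number(), None
            if peek() == ",":
                pos += 1
                y = number()
            node = ("cmp", node, op, x, y)
        return node

    def expression():
        nonlocal pos
        operands, op = [term()], None
        while peek() in ("&", "|"):
            if op is not None and peek() != op:
                raise ValueError("mixing & and | at one level needs parentheses")
            op, pos = peek(), pos + 1
            operands.append(term())
        return operands[0] if op is None else (op, operands)

    node = expression()
    if pos != len(text):
        raise ValueError(f"unexpected {text[pos]!r} at {pos} in {text!r}")
    return node


def evaluate(node, counts):
    """(matched, total_count, distinct_sigs) for node; counts[i] = hits of Subsig i."""
    if node[0] == "sig":
        c = counts[node[1]]
        return c > 0, c, int(c > 0)
    if node[0] in ("&", "|"):
        parts = [evaluate(n, counts) for n in node[1]]
        combine = all if node[0] == "&" else any
        return combine(p[0] for p in parts), sum(p[1] for p in parts), sum(p[2] for p in parts)
    _, sub, op, x, y = node
    _, count, distinct = evaluate(sub, counts)
    ok = {"=": count == x, ">": count > x, "<": count < x}[op]   # A=0: true when absent
    if y is not None:                  # A=X,Y etc.: at least Y distinct sigs must match
        ok = ok and distinct >= y
    return ok, count, distinct


def parse_ldb(line):
    """Split 'Name;TargetDescriptionBlock;LogicalExpression;Subsig0;...'."""
    fields = line.strip().split(";")
    if not 4 <= len(fields) <= 3 + MAX_SUBSIGS:
        raise ValueError("need name, target block, expression and 1..64 subsigs")
    target = dict(kv.split(":", 1) for kv in fields[1].split(","))   # Target, Engine
    return {"name": fields[0], "target": target, "expr": parse_expression(fields[2]),
            "patterns": [compile_subsig(s) for s in fields[3:]]}


def scan(sig, data):
    """Per-subsig hit counts and whether the logical expression holds."""
    counts = [len(p.findall(data)) for p in sig["patterns"]]
    return counts, evaluate(sig["expr"], counts)[0]


# Constructed sample: block (0|1|2) must give more than 2 hits from at least
# 2 different subsigs, and subsig 3 ("hello") must be absent (3=0).
SAMPLE_LDB = ("Demo.Logical;Target:0;((0|1|2)>2,2)&(3=0);"
              "6b6f74656b;616c61;7a6f6c??;68656c6c6f")   # kotek, ala, zol?, hello
```

Running \verb+scan(parse_ldb(SAMPLE_LDB), buf)+ on \verb+b"ala kotek ala zolw"+ yields hit counts \verb+[1, 2, 1, 0]+ and a match; \verb+b"ala ala ala"+ produces three hits but from a single subsig, so the \verb+,2+ distinct-signature requirement fails; and adding \verb+hello+ to the first buffer makes the negated subsig fire, so \verb+3=0+ fails. Counting with a lookahead regex is deliberate: overlapping occurrences each count as a hit, which matters for \verb+A=X+ and \verb+A>X+ on repetitive data.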

\subsection{Signatures based on archive metadata}
Signatures based on metadata inside archive files can provide effective
protection against malware that spreads via encrypted zip or rar

\subsection{Text files}
Similarly to HTML, all ASCII text files get normalized (converted
to lower-case, all superfluous white space and control characters removed,
etc.) before scanning. Use \verb+clamscan --leave-temps+ to obtain
a normalized file, then create a signature with the target type 7.
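As an added example (not from the ClamAV documentation or sources), the following Python helper approximates the normalization described above, hex-encodes a fragment of the normalized text into an extended-format line for target type 7 (the \verb+MalwareName:TargetType:Offset:HexSignature+ layout of \verb+*.ndb+ files, with \verb+Offset+ either \verb+*+ or a decimal number as described earlier), and checks such a line against a buffer. The \verb+approx_normalize+ function is only an approximation of what \verb+clamscan --leave-temps+ writes out, so for a real signature the fragment must be taken from that file; the sample text is constructed.

```python
# Added example, not ClamAV code. approx_normalize only approximates the
# normalization described above; for real signatures take the pattern from
# the temporary file that clamscan --leave-temps produces.
import re


def approx_normalize(text):
    """Lower-case, collapse runs of whitespace to one space, drop control chars."""
    text = re.sub(rb"\s+", b" ", text.lower())
    text = re.sub(rb"[\x00-\x08\x0b-\x1f\x7f]", b"", text)
    return text.strip()


def ndb_line(name, fragment, offset="*", target=7):
    """Build 'MalwareName:TargetType:Offset:HexSignature' (extended format)."""
    if not fragment:
        raise ValueError("empty fragment")
    if offset != "*" and not offset.isdigit():
        raise ValueError("offset must be '*' or a decimal number")
    if ":" in name:
        raise ValueError("':' is the field separator and may not appear in the name")
    return f"{name}:{target}:{offset}:{fragment.hex()}"


def ndb_matches(line, normalized):
    """Check an extended-format line against an already normalized buffer."""
    name, target, offset, hexsig = line.split(":")[:4]
    needle = bytes.fromhex(hexsig)
    if offset == "*":                         # anywhere in the file
        return needle in normalized
    n = int(offset)                           # at exactly this byte offset
    return normalized[n:n + len(needle)] == needle


# Constructed sample input: mixed case, tabs, CRLF and a control character.
RAW_SAMPLE = b"  Hello\tWORLD\r\n\x01This  is a test\n"
NORMALIZED = approx_normalize(RAW_SAMPLE)          # b"hello world this is a test"
SIGNATURE = ndb_line("Test.Text.Sample", b"world this")
```

The last assertion-worthy point is that \verb+SIGNATURE+ matches \verb+NORMALIZED+ but not \verb+RAW_SAMPLE+: a target type 7 pattern written from the raw file (with its original case, tabs and line endings) would never fire, because the scanner compares against the normalized form.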

\subsection{Compressed Portable Executable files}
If the file is compressed with UPX, FSG, Petite or other PE packer