clamav/clamav-devel/docs/html/node21.html

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">

<!--Converted with LaTeX2HTML 2K.1beta (1.48)
original version by:  Nikos Drakos, CBLU, University of Leeds
* revised and updated by:  Marcus Hennecke, Ross Moore, Herb Swan
* with significant contributions from:
  Jens Lippmann, Marek Rouchal, Martin Wilck and others -->
<HTML>
<HEAD>
<TITLE>Signature Tool</TITLE>
<META NAME="description" CONTENT="Signature Tool">
<META NAME="keywords" CONTENT="clamdoc">
<META NAME="resource-type" CONTENT="document">
<META NAME="distribution" CONTENT="global">

<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1">
<META NAME="Generator" CONTENT="LaTeX2HTML v2K.1beta">
<META HTTP-EQUIV="Content-Style-Type" CONTENT="text/css">

<LINK REL="STYLESHEET" HREF="clamdoc.css">

<LINK REL="previous" HREF="node20.html">
<LINK REL="up" HREF="node16.html">
<LINK REL="next" HREF="node22.html">
</HEAD>

<BODY >
<!--Navigation Panel-->
<A NAME="tex2html386"
  HREF="node22.html">
<IMG WIDTH="37" HEIGHT="24" ALIGN="BOTTOM" BORDER="0" ALT="next"
 SRC="/usr/share/latex2html/icons/next.png"></A> 
<A NAME="tex2html382"
  HREF="node16.html">
<IMG WIDTH="26" HEIGHT="24" ALIGN="BOTTOM" BORDER="0" ALT="up"
 SRC="/usr/share/latex2html/icons/up.png"></A> 
<A NAME="tex2html378"
  HREF="node20.html">
<IMG WIDTH="63" HEIGHT="24" ALIGN="BOTTOM" BORDER="0" ALT="previous"
 SRC="/usr/share/latex2html/icons/prev.png"></A> 
<A NAME="tex2html384"
  HREF="node1.html">
<IMG WIDTH="65" HEIGHT="24" ALIGN="BOTTOM" BORDER="0" ALT="contents"
 SRC="/usr/share/latex2html/icons/contents.png"></A>  
<BR>
<B> Next:</B> <A NAME="tex2html387"
  HREF="node22.html">Compatible software</A>
<B> Up:</B> <A NAME="tex2html383"
  HREF="node16.html">Usage</A>
<B> Previous:</B> <A NAME="tex2html379"
  HREF="node20.html">Output format</A>
 &nbsp <B>  <A NAME="tex2html385"
  HREF="node1.html">Contents</A></B> 
<BR>
<BR>
<!--End of Navigation Panel-->

<H2><A NAME="SECTION00045000000000000000">
Signature Tool</A>
</H2>
    <I>sigtool</I> automates signature creation. If you have an infected file,
    which isn't detected by ClamAV, but it is by another anti-virus scanner
    working in the console, you can create the signature easily.
    <I>Example of usage:</I>
    Create a random file and put the <B>test1</B> file content into it. We
    will use <I>clamscan</I> to generate the signature, it's just an example.
    Scan it with <I>clamscan -stdout testfile</I>, the output is
    <PRE>
	testfile: ClamAV-Test-Signature FOUND

	----------- SCAN SUMMARY -----------
	Known viruses: 7734
	Scanned directories: 0
	Scanned files: 1
	Data scanned: 0.95 Mb
	Infected files: 1
	I/O buffer size: 131072 bytes
	Time: 0.245 sec (0 m 0 s)
</PRE>
    The unique string in this output is "ClamAV-Test-Signature". Run
    <I>sigtool</I> with the following parameters:
    <PRE>
	$ sigtool -c "clamscan --stdout" -f testfile -s "ClamAV-Test"
</PRE>
    The program will concatenate arguments for <I>-c (-command)</I> and
    <I>-f (-file)</I>, that's why the scanner's options must be given in the
    proper order. At the end it will generate a file <I>testfile.sig</I>,
    which should contain 100 bytes in our example. It contains the proper
    signature.
    <PRE>
	...
	...
	Detected at 12103, moving backward.
	Detected at 11983, moving backward.
	Detected at 11923, moving backward.
	Not detected, increasing pos 11893 -&gt; 11923
	Detected at 11923, moving backward.
	Not detected, increasing pos 11908 -&gt; 11923
	Detected at 11923, moving backward.
	Not detected, increasing pos 11915 -&gt; 11923
	Detected at 11923, moving backward.
	Detected at 11919, moving backward.
	Detected at 11917, moving backward.
	Detected at 11916, moving backward.
	Starting precise loop
	 *** Found signature end at 11916

	The scanner was executed 46 times.
	Signature length is 50, so length of hex string should be 100
	Saving signature in testfile.sig file.
</PRE>

<P>
<BR><HR>
<ADDRESS>
Tomasz Kojm
2003-06-21
</ADDRESS>
</BODY>
</HTML>
Initial revision git-svn: trunk@4 2003-07-29 15:37:11 +00:00			`<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">`

			`<!--Converted with LaTeX2HTML 2K.1beta (1.48)`
			`original version by: Nikos Drakos, CBLU, University of Leeds`
			`* revised and updated by: Marcus Hennecke, Ross Moore, Herb Swan`
			`* with significant contributions from:`
			`Jens Lippmann, Marek Rouchal, Martin Wilck and others -->`
			`<HTML>`
			`<HEAD>`
			`<TITLE>Signature Tool</TITLE>`
			`<META NAME="description" CONTENT="Signature Tool">`
			`<META NAME="keywords" CONTENT="clamdoc">`
			`<META NAME="resource-type" CONTENT="document">`
			`<META NAME="distribution" CONTENT="global">`

			`<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1">`
			`<META NAME="Generator" CONTENT="LaTeX2HTML v2K.1beta">`
			`<META HTTP-EQUIV="Content-Style-Type" CONTENT="text/css">`

			`<LINK REL="STYLESHEET" HREF="clamdoc.css">`

			`<LINK REL="previous" HREF="node20.html">`
			`<LINK REL="up" HREF="node16.html">`
			`<LINK REL="next" HREF="node22.html">`
			`</HEAD>`

			`<BODY >`
			`<!--Navigation Panel-->`
			`<A NAME="tex2html386"`
			`HREF="node22.html">`
			`<IMG WIDTH="37" HEIGHT="24" ALIGN="BOTTOM" BORDER="0" ALT="next"`
			`SRC="/usr/share/latex2html/icons/next.png"></A>`
			`<A NAME="tex2html382"`
			`HREF="node16.html">`
			`<IMG WIDTH="26" HEIGHT="24" ALIGN="BOTTOM" BORDER="0" ALT="up"`
			`SRC="/usr/share/latex2html/icons/up.png"></A>`
			`<A NAME="tex2html378"`
			`HREF="node20.html">`
			`<IMG WIDTH="63" HEIGHT="24" ALIGN="BOTTOM" BORDER="0" ALT="previous"`
			`SRC="/usr/share/latex2html/icons/prev.png"></A>`
			`<A NAME="tex2html384"`
			`HREF="node1.html">`
			`<IMG WIDTH="65" HEIGHT="24" ALIGN="BOTTOM" BORDER="0" ALT="contents"`
			`SRC="/usr/share/latex2html/icons/contents.png"></A>`
			`<BR>`
			`<B> Next:</B> <A NAME="tex2html387"`
			`HREF="node22.html">Compatible software</A>`
			`<B> Up:</B> <A NAME="tex2html383"`
			`HREF="node16.html">Usage</A>`
			`<B> Previous:</B> <A NAME="tex2html379"`
			`HREF="node20.html">Output format</A>`
			`&nbsp <B> <A NAME="tex2html385"`
			`HREF="node1.html">Contents</A></B>`
			`<BR>`
			`<BR>`
			`<!--End of Navigation Panel-->`

			`<H2><A NAME="SECTION00045000000000000000">`
			`Signature Tool</A>`
			`</H2>`
			`<I>sigtool</I> automates signature creation. If you have an infected file,`
			`which isn't detected by ClamAV, but it is by another anti-virus scanner`
			`working in the console, you can create the signature easily.`
			`<I>Example of usage:</I>`
			`Create a random file and put the <B>test1</B> file content into it. We`
			`will use <I>clamscan</I> to generate the signature, it's just an example.`
			`Scan it with <I>clamscan -stdout testfile</I>, the output is`
			`<PRE>`
			`testfile: ClamAV-Test-Signature FOUND`

			`----------- SCAN SUMMARY -----------`
			`Known viruses: 7734`
			`Scanned directories: 0`
			`Scanned files: 1`
			`Data scanned: 0.95 Mb`
			`Infected files: 1`
			`I/O buffer size: 131072 bytes`
			`Time: 0.245 sec (0 m 0 s)`
			`</PRE>`
			`The unique string in this output is "ClamAV-Test-Signature". Run`
			`<I>sigtool</I> with the following parameters:`
			`<PRE>`
			`$ sigtool -c "clamscan --stdout" -f testfile -s "ClamAV-Test"`
			`</PRE>`
			`The program will concatenate arguments for <I>-c (-command)</I> and`
			`<I>-f (-file)</I>, that's why the scanner's options must be given in the`
			`proper order. At the end it will generate a file <I>testfile.sig</I>,`
			`which should contain 100 bytes in our example. It contains the proper`
			`signature.`
			`<PRE>`
			`...`
			`...`
			`Detected at 12103, moving backward.`
			`Detected at 11983, moving backward.`
			`Detected at 11923, moving backward.`
			`Not detected, increasing pos 11893 -> 11923`
			`Detected at 11923, moving backward.`
			`Not detected, increasing pos 11908 -> 11923`
			`Detected at 11923, moving backward.`
			`Not detected, increasing pos 11915 -> 11923`
			`Detected at 11923, moving backward.`
			`Detected at 11919, moving backward.`
			`Detected at 11917, moving backward.`
			`Detected at 11916, moving backward.`
			`Starting precise loop`
			`*** Found signature end at 11916`

			`The scanner was executed 46 times.`
			`Signature length is 50, so length of hex string should be 100`
			`Saving signature in testfile.sig file.`
			`</PRE>`

			`<P>`
			`<BR><HR>`
			`<ADDRESS>`
			`Tomasz Kojm`
			`2003-06-21`
			`</ADDRESS>`
			`</BODY>`
			`</HTML>`