<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<!--Converted with LaTeX2HTML 2K.1beta (1.48) original version by: Nikos Drakos, CBLU, University of Leeds * revised and updated by: Marcus Hennecke, Ross Moore, Herb Swan * with significant contributions from: Jens Lippmann, Marek Rouchal, Martin Wilck and others -->
<HTML>
<HEAD>
<TITLE>Signature Tool</TITLE>
<META NAME="description" CONTENT="Signature Tool">
<META NAME="keywords" CONTENT="clamdoc">
<META NAME="resource-type" CONTENT="document">
<META NAME="distribution" CONTENT="global">
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1">
<META NAME="Generator" CONTENT="LaTeX2HTML v2K.1beta">
<META HTTP-EQUIV="Content-Style-Type" CONTENT="text/css">
<LINK REL="STYLESHEET" HREF="clamdoc.css">
<LINK REL="previous" HREF="node20.html">
<LINK REL="up" HREF="node15.html">
<LINK REL="next" HREF="node22.html">
</HEAD>
<BODY >
<H2><A NAME="SECTION00036000000000000000"> Signature Tool</A> </H2>
<I>sigtool</I> automates signature creation. If you have an infected file that ClamAV does not detect, but that another anti-virus scanner working in the console does, you can create a signature for it easily.
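<P>
A sketch of how this kind of scanner-driven signature extraction can work, as an added example that is not sigtool's own code. The names <I>scanner_oracle</I>, <I>extract_signature</I> and <I>fake</I> and the sample bytes are hypothetical, and the search assumes the scanner matches one contiguous byte pattern.

```python
import os
import shlex
import subprocess
import tempfile

def scanner_oracle(command, marker):
    """Oracle backed by a console scanner: True if `marker` is in its output."""
    def detected(chunk):
        with tempfile.NamedTemporaryFile(delete=False) as tmp:
            tmp.write(chunk)
        try:
            # Scanner options first, file name last (command and file concatenated).
            out = subprocess.run(shlex.split(command) + [tmp.name],
                                 capture_output=True, text=True).stdout
        finally:
            os.unlink(tmp.name)
        return marker in out
    return detected

def extract_signature(data, detected):
    """Return (start, end, hex string) of the shortest detected slice of `data`.
    Assumption: detection depends on one contiguous byte pattern."""
    if not detected(data):
        raise ValueError("scanner does not detect the sample")
    lo, hi = 0, len(data)            # smallest end with data[:end] detected
    while lo < hi:
        mid = (lo + hi) // 2
        if detected(data[:mid]):
            hi = mid                 # detected: move backward
        else:
            lo = mid + 1             # not detected: increase position
    end = lo
    lo, hi = 0, end                  # largest start with data[start:end] detected
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if detected(data[mid:end]):
            lo = mid
        else:
            hi = mid - 1
    return lo, end, data[lo:end].hex()

# Constructed sample: a 50-byte pattern buried in filler, with an in-memory
# stand-in for the scanner so the example runs offline.
PATTERN = bytes(range(100, 150))
SAMPLE = b"A" * 300 + PATTERN + b"B" * 200

def fake(chunk):
    return PATTERN in chunk
```

Calling <I>extract_signature(SAMPLE, fake)</I> recovers the 50-byte pattern as a 100-character hex string; passing <I>scanner_oracle("clamscan --stdout", "ClamAV-Test")</I> instead drives a real scanner.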
<P>
<I>Example of usage:</I> Create a random file and put the content of the <B>test1</B> file into it. We will use <I>clamscan</I> to generate the signature; this is just an example. Scan it with <I>clamscan --stdout testfile</I>. The output is:
<PRE>
testfile: ClamAV-Test-Signature FOUND
----------- SCAN SUMMARY -----------
Known viruses: 2033
Scanned directories: 0
Scanned files: 1
Data scanned: 0.95 Mb
Infected files: 1
I/O buffer size: 131072 bytes
Time: 0.245 sec (0 m 0 s)
</PRE>
The unique string in this output is "ClamAV-Test-Signature". Run <I>sigtool</I> with the following parameters:
<PRE>
$ sigtool -c "clamscan --stdout" -f testfile -s "ClamAV-Test"
</PRE>
The program concatenates the arguments of <I>-c (--command)</I> and <I>-f (--file)</I>, which is why the scanner's options must be given in the proper order. At the end it generates a file <I>testfile.sig</I>, which should contain 100 bytes in our example. It contains the proper signature.
<PRE>
...
...
Detected at 12103, moving backward.
Detected at 11983, moving backward.
Detected at 11923, moving backward.
Not detected, increasing pos 11893 -> 11923
Detected at 11923, moving backward.
Not detected, increasing pos 11908 -> 11923
Detected at 11923, moving backward.
Not detected, increasing pos 11915 -> 11923
Detected at 11923, moving backward.
Detected at 11919, moving backward.
Detected at 11917, moving backward.
Detected at 11916, moving backward.
Starting precise loop
*** Found signature end at 11916
The scanner was executed 46 times.
Signature length is 50, so length of hex string should be 100
Saving signature in testfile.sig file.
</PRE>
<P>
<BR><HR>
<ADDRESS>
Tomasz Kojm 2002-11-21
</ADDRESS>
</BODY>
</HTML>