<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<!--Converted with LaTeX2HTML 2K.1beta (1.48)
original version by: Nikos Drakos, CBLU, University of Leeds
* revised and updated by: Marcus Hennecke, Ross Moore, Herb Swan
* with significant contributions from:
Jens Lippmann, Marek Rouchal, Martin Wilck and others -->
<HTML>
<HEAD>
<TITLE>Signature Tool</TITLE>
<META NAME="description" CONTENT="Signature Tool">
<META NAME="keywords" CONTENT="clamdoc">
<META NAME="resource-type" CONTENT="document">
<META NAME="distribution" CONTENT="global">
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1">
<META NAME="Generator" CONTENT="LaTeX2HTML v2K.1beta">
<META HTTP-EQUIV="Content-Style-Type" CONTENT="text/css">
<LINK REL="STYLESHEET" HREF="clamdoc.css">
<LINK REL="previous" HREF="node20.html">
<LINK REL="up" HREF="node15.html">
<LINK REL="next" HREF="node22.html">
</HEAD>
<BODY >
<!--Navigation Panel-->
<A NAME="tex2html276"
HREF="node22.html">
<IMG WIDTH="37" HEIGHT="24" ALIGN="BOTTOM" BORDER="0" ALT="next"
SRC="/usr/share/latex2html/icons/next.png"></A>
<A NAME="tex2html274"
HREF="node15.html">
<IMG WIDTH="26" HEIGHT="24" ALIGN="BOTTOM" BORDER="0" ALT="up"
SRC="/usr/share/latex2html/icons/up.png"></A>
<A NAME="tex2html270"
HREF="node20.html">
<IMG WIDTH="63" HEIGHT="24" ALIGN="BOTTOM" BORDER="0" ALT="previous"
SRC="/usr/share/latex2html/icons/prev.png"></A>
<BR>
<B> Next:</B> <A NAME="tex2html277"
HREF="node22.html">LibClamAV</A>
<B> Up:</B> <A NAME="tex2html275"
HREF="node15.html">Usage</A>
<B> Previous:</B> <A NAME="tex2html271"
HREF="node20.html">FreshClam</A>
<BR>
<BR>
<!--End of Navigation Panel-->
<H2><A NAME="SECTION00036000000000000000">
Signature Tool</A>
</H2>
<I>sigtool</I> automates signature creation. If you have an infected file,
which isn't detected by ClamAV, but is by another anti-virus scanner
working in the console you can create the signature easily.
<I>Example of usage:</I>
Create a random file and put the <B>test1</B> file content into it. We
will use <I>clamscan</I> to generate the signature, it's just an example.
Scan it with <I>clamscan -stdout testfile</I>, the output is
<PRE>
testfile: ClamAV-Test-Signature FOUND
----------- SCAN SUMMARY -----------
Known viruses: 2033
Scanned directories: 0
Scanned files: 1
Data scanned: 0.95 Mb
Infected files: 1
I/O buffer size: 131072 bytes
Time: 0.245 sec (0 m 0 s)
</PRE>
The unique string in this output is "ClamAV-Test-Signature". Run
<I>sigtool</I> with the following parameters:
<PRE>
$ sigtool -c "clamscan --stdout" -f testfile -s "ClamAV-Test"
</PRE>
The program will concatenate arguments for <I>-c (-command)</I> and
<I>-f (-file)</I>, that's why the scanner's options must be given in the
proper order. At the end it will generate a file <I>testfile.sig</I>,
which should contain 100 bytes in our example. It contains the proper
signature.
<PRE>
...
...
Detected at 12103, moving backward.
Detected at 11983, moving backward.
Detected at 11923, moving backward.
Not detected, increasing pos 11893 -> 11923
Detected at 11923, moving backward.
Not detected, increasing pos 11908 -> 11923
Detected at 11923, moving backward.
Not detected, increasing pos 11915 -> 11923
Detected at 11923, moving backward.
Detected at 11919, moving backward.
Detected at 11917, moving backward.
Detected at 11916, moving backward.
Starting precise loop
*** Found signature end at 11916
The scanner was executed 46 times.
Signature length is 50, so length of hex string should be 100
Saving signature in testfile.sig file.
</PRE>
<P>
<BR><HR>
<ADDRESS>
Tomasz Kojm
2002-11-21
</ADDRESS>
</BODY>
</HTML>
