DNWA/13/1.txt
Jakub Stefko 55521f222e ...
2021-01-26 23:08:08 +01:00


1. What is a CVD
A CVD (ClamAV Virus Database) is a digitally signed 'tarball' containing one or more databases.
2. Adding signatures
a) HTML
ClamAV contains HTML normalization code which makes it easier to write signatures for HTML data that might differ based on white space, capitalization, and other insignificant differences. Running sigtool --html-normalise on an HTML file can be used to see what a file's contents will look like after normalization. This command should generate the following files:
nocomment.html - normalized, lower-case, comments and white space removed
notags.html - as above, but HTML tags are removed as well
javascript - any script contents are normalized and the results appended to this file
The code automatically decodes JScript.encode parts and char refs (e.g. &#102; for f). To create a successful signature for the input file type, the rule must match on the contents of one of the created files. Signatures matching on normalized HTML should have a target type of 3. For reference, see Target Types.
b) Text files
Similarly to HTML, all ASCII text files get normalized (converted to lower-case, all superfluous white space and control characters removed, etc.) before scanning. Running sigtool --ascii-normalise on a text file will result in a normalized version being written to the file named normalised_text. Rules matching on normalized ASCII text should have a target type of 7. For reference, see Target Types.
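The two sections above (normalized HTML with target type 3, normalized ASCII text with target type 7) share the same workflow: normalize the sample, pick a stable substring, hex-encode it and record it with the right target type. The following is an added example, not part of these notes or of ClamAV; it writes a body-based signature in the .ndb format (Name:TargetType:Offset:HexSignature) and checks it against normalized content. The approx_normalise helper is only an offline stand-in for the sigtool output (assumption), and the sample HTML and signature name are constructed.

```python
import re

# Constructed sample: mixed case and ragged white space, the kind of variation
# ClamAV's normalization is meant to flatten before a signature is matched.
SAMPLE_HTML = "<HTML><BODY>Click   HERE to\n\tUPDATE your Flash\x01 Player</BODY></HTML>"

# Normalized target types named in the notes: 3 = normalized HTML, 7 = normalized ASCII text.
NORMALIZED_TARGETS = {3: "normalized HTML", 7: "normalized ASCII text"}


def approx_normalise(text: str) -> str:
    """Rough stand-in for sigtool --html-normalise / --ascii-normalise output (assumption):
    lower-case, drop control characters, collapse runs of white space to one blank.
    Use the real sigtool output when writing production signatures."""
    lowered = text.lower()
    no_control = "".join(ch for ch in lowered if ch.isprintable() or ch.isspace())
    return re.sub(r"\s+", " ", no_control).strip()


def ndb_signature(name: str, target_type: int, pattern: str, offset: str = "*") -> str:
    """Return one .ndb line: Name:TargetType:Offset:HexSignature.
    The pattern is taken from normalized content, so it must already be lower-case."""
    if target_type not in NORMALIZED_TARGETS:
        raise ValueError(f"target type {target_type} is not one of the normalized targets")
    if pattern != pattern.lower():
        raise ValueError("pattern must be lower-case to match normalized content")
    return f"{name}:{target_type}:{offset}:{pattern.encode('utf-8').hex()}"


def matches(normalised_content: str, sig_line: str) -> bool:
    """Plain substring scan of a body-based signature (no wildcards) over normalized content."""
    _, _, _, hex_sig = sig_line.split(":", 3)
    return bytes.fromhex(hex_sig) in normalised_content.encode("utf-8")


if __name__ == "__main__":
    content = approx_normalise(SAMPLE_HTML)
    sig = ndb_signature("Html.Example.FlashLure", 3, "click here to update your flash player")
    print(content)
    print(sig)
    print("match:", matches(content, sig))
```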
c) Packed executables (UPX, FSG, Petite, ...)
ClamAV will try to unpack the file automatically. To inspect the executable that results from ClamAV's unpacking process, run clamscan with --debug --leave-temps. Example output for an FSG-packed file:
LibClamAV debug: UPX/FSG/MEW: empty section found - assuming compression
LibClamAV debug: FSG: found old EP @119e0
LibClamAV debug: FSG: Unpacked and rebuilt executable saved in
/tmp/clamav-f592b20f9329ac1c91f0e12137bcce6c
In the example above, /tmp/clamav-f592b20f9329ac1c91f0e12137bcce6c is the unpacked executable.
3. File names in the archive: clamav-<hash> (as in the example in 2c)