At 12:44 AM -0700 5/8/09, Bill Landry wrote:
> GrayHat wrote:
>>> Thanks for the report...I removed the signature earlier.
>>
>> y/w and thanks for fixing the issue; also, and since we're at it... I was playing with an idea and maybe you'll find it interesting.
>>
>> See, decoding signatures isn't a problem once one gets a grip about how to do it, but in case someone will need to check various signatures, it may become a tedious process, so... what about adding a web page (e.g.) on the sanesecurity website to allow decoding any given sanesecurity signature? I mean, a page on which one may enter the signature name (e.g.) "Sanesecurity.Img.8453.UNOFFICIAL" and which, after clicking the submit button, will show the text string(s) for that particular signature
>
> There are already web sites that do this (google for "Hexadecimal decode"). See for example:
>
>   http://www.yellowpipe.com/yis/tools/encrypter/index.php
>
> You could also do the signature decoding with the clamav-unofficial-sigs script by using the '-d' (decode) flag. Using the signature example you used above:
>
>   clamav-unofficial-sigs.sh -d Sanesecurity.Img.8453
>
> Outputs:
>
>   Sanesecurity.Img.8453 found in: scam.ndb
>   Sanesecurity.Img.8453 signature decodes to:
>   ÿÿÿÿContent-Type: image/{-P}Content-ID: <{-P}_csseditor>
>
> And yes, I am rather partial to this script... ;-)
What is {-P} and where is it documented?

Tom
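An added example, not part of the original messages and not code from the clamav-unofficial-sigs script: a decoder for the hex body of a ClamAV `.ndb` signature that decodes only the literal bytes and leaves wildcards such as `{-50}` (match 50 or fewer bytes) untouched. The sample signature is constructed, the function names are hypothetical, and the idea that `{-P}` comes from hex-decoding the digits of a `{-50}` wildcard (0x50 is `P`) is an assumption.

```python
import re

# One token of a ClamAV hex body signature: a run of literal hex bytes, or a
# wildcard ({n}, {-n}, {n-m}, *, ??, nibble wildcards, alternatives) kept as-is.
TOKEN = re.compile(
    r"(?P<lit>(?:[0-9a-fA-F]{2})+)"
    r"|(?P<wild>\{[^}]*\}|\*|\?\?|[0-9a-fA-F]\?|\?[0-9a-fA-F]|!?\([^)]*\))"
)

def render(raw: bytes) -> str:
    """Show printable ASCII as text and everything else as \\xNN."""
    return "".join(chr(b) if 0x20 <= b < 0x7F else f"\\x{b:02x}" for b in raw)

def decode_body(hexsig: str) -> str:
    """Decode literal bytes only; wildcards pass through unchanged."""
    out, pos = [], 0
    while pos < len(hexsig):
        m = TOKEN.match(hexsig, pos)
        if m is None:
            raise ValueError(f"unparseable signature at offset {pos}")
        if m.lastgroup == "lit":
            out.append(render(bytes.fromhex(m.group())))
        else:
            out.append(m.group())
        pos = m.end()
    return "".join(out)

def naive_decode(hexsig: str) -> str:
    """Hex-decode every digit pair, even inside {...} (assumed source of {-P})."""
    return re.sub(r"[0-9a-fA-F]{2}", lambda m: chr(int(m.group(), 16)), hexsig)

def parse_ndb(line: str) -> dict:
    """Split an .ndb record: Name:TargetType:Offset:HexSignature[:flevels]."""
    name, target, offset, body = line.strip().split(":")[:4]
    return {"name": name, "target": target, "offset": offset, "body": body}

# Constructed sample record (not a real Sanesecurity signature).
SAMPLE = "Example.Constructed.1:4:*:" + "{-50}".join(
    s.encode().hex() for s in ("Content-Type: image/", "Content-ID: <", "_csseditor>")
)

if __name__ == "__main__":
    sig = parse_ndb(SAMPLE)
    print(sig["name"], "naive :", naive_decode(sig["body"]))
    print(sig["name"], "proper:", decode_body(sig["body"]))
```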