[sanesecurity] Re: scam.ndb - false positive

  • From: Tom Shaw <tshaw@xxxxxxxx>
  • To: sanesecurity@xxxxxxxxxxxxx
  • Date: Fri, 8 May 2009 06:54:04 -0400

At 12:44 AM -0700 5/8/09, Bill Landry wrote:
GrayHat wrote:
 Thanks for the report...I removed the signature earlier.

 y/w and thanks for fixing the issue; also, and since we're
 at it... I was playing with an idea and maybe you'll find it
 interesting

 See, decoding signatures isn't a problem once one gets
 a grip on how to do it, but in case someone needs
 to check various signatures, it may become a tedious
 process, so... what about adding a web page (e.g.) on
 the sanesecurity website to allow decoding any given
 sanesecurity signature?

 I mean, a page on which one may enter the signature
 name (e.g. "Sanesecurity.Img.8453.UNOFFICIAL") and
 which, after clicking the submit button, will show the
 text string(s) for that particular signature.

There are already web sites that do this (google for "Hexadecimal
decode"). See, for example:

   http://www.yellowpipe.com/yis/tools/encrypter/index.php

You could also do the signature decoding with the clamav-unofficial-sigs
script by using the '-d' (decode) flag.  Using the signature example you
used above:

  clamav-unofficial-sigs.sh -d Sanesecurity.Img.8453

Outputs:

   Sanesecurity.Img.8453 found in: scam.ndb
   Sanesecurity.Img.8453 signature decodes to:

   ÿÿÿÿContent-Type: image/{-P}Content-ID: <{-P}_csseditor>

And yes, I am rather partial to this script...  ;-)

What is {-P} and where is it documented?

Tom
