The extended signature format is ClamAV’s most basic type of body-based signature since the deprecation of the original
.db database format.
Extended sigantures allow for specification of additional information beyond just hexidecimal content such as a file “target type”, virus offset, or engine functionality level (FLEVEL), making the detection more reliable.
The format is:
MalwareName: The virus name. Should conform to the standards defined here.
TargetType: A number specifying the type of the target file: Target Types
Offset: An asterisk or a decimal number
n possibly combined with a special modifier:
n= absolute offset
EOF-n= end of file minus
Signatures for PE, ELF and Mach-O files additionally support:
EP+n= entry point plus n bytes (
EP-n= entry point minus n bytes
Sx+n= start of section
x’s (counted from 0) data plus
SEx= entire section
x(offset must lie within section boundaries)
SL+n= start of last section plus
All the above offsets except
* can be turned into floating offsets and represented as
MaxShift is an unsigned integer. A floating offset will match every offset between
10,5 will match all offsets from 10 to 15 and
EP+n,y will match all offsets from
EP+n+y. Versions of ClamAV older than 0.91 will silently ignore the
MaxShift extension and only use
MaxFL parameters can restrict the signature to specific engine releases. All signatures in the extended format must be placed inside
HexSignature: The body-based content matching format.
min_flevel: (optional) The minimum ClamAV engine that the file type signature works with. See the FLEVEL reference for details. To be used in the event that file type support has been recently added.
max_flevel: (optional, requires
min_flevel) The maximum ClamAV engine that the file type signature works with. To be used in the event that file type support has been recently removed.