Path: utzoo!news-server.csri.toronto.edu!cs.utexas.edu!samsung!zaphod.mps.ohio-state.edu!unix.cis.pitt.edu!dsinc!netnews.upenn.edu!vax1.cc.lehigh.edu!cert.sei.cmu.edu!krvw
From: mrs@netcom.COM (Morgan Schweers)
Newsgroups: comp.virus
Subject: Re: File format for virus signatures (PC)
Message-ID: <0008.9103111610.AA12780@ubu.cert.sei.cmu.edu>
Date: 10 Mar 91 16:44:41 GMT
Sender: Virus Discussion List
Lines: 32
Approved: krvw@sei.cmu.edu

Greetings,

Hmmm... I'll point out that the VIRSCAN/TBSCAN file format is
similar enough to the ViruScan external data file that a conversion
utility SHOULD be relatively trivial.

For reference, our strings are one line/one virus, no 'BOOT' or
'COM', etc. separators. The string format is similar, but rather than
have a single hex-digit after the '*' you put a number in parentheses.
(I.E. "01020304 *(4) 050607?090a" ) The '?' wildcard ignores that
hex-byte, the '*' will detect the next byte if it is within (x) bytes.

Now for another 'flame' from me... "Unreadable/non-clear update
scan strings." This makes it difficult for a user to add their own
strings. These products might as well not have user-updatability, in
effect. Unless the user has access to documentation on creating a
virus 'string' through that particular utility, they can't expand it.

I've got an open mind on this subject, however. (Not so open that
my brain falls out, but anyhow...) If someone who uses this method
can explain the rationale to me, I'll respond. I can think of two
products which do this, and MAYBE a third.

                                                 -- Morgan Schweers
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|  I *AM* mrs@netcom.com, and ms@albert.ai.mit.edu. I'd prefer you use  |
|  the netcom.com address, since MIT is now a WEE bit further away from |
|  me than I like calling... In any case, I don't represent my          |
|  employers. They don't listen to what I say, and I return the         |
|  compliment whenever possible.                                        |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
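
The string format described in the post above, worked as an added example that is not part of the original post and is not ViruScan's own code: a small Python parser and matcher for strings such as "01020304 *(4) 050607?090a". It assumes that '?' is a single character standing for one ignored byte, that '*(n)' lets the next byte follow after skipping 0 to n bytes, and that whitespace is insignificant; the function names are hypothetical.

```python
import re

# Tokens of the format described in the post: hex byte pairs,
# '?' = ignore one byte, '*(n)' = next byte must occur within n bytes.
_TOKEN = re.compile(r"\s*(?:([0-9A-Fa-f]{2})|(\?)|\*\((\d+)\))")

def parse_signature(text):
    """Return a list of ('byte', v), ('any', None) or ('gap', n) tokens."""
    tokens, pos = [], 0
    text = text.strip()
    while pos < len(text):
        m = _TOKEN.match(text, pos)
        if not m:
            raise ValueError(f"bad signature at offset {pos}: {text[pos:pos + 8]!r}")
        if m.group(1):
            tokens.append(("byte", int(m.group(1), 16)))
        elif m.group(2):
            tokens.append(("any", None))
        else:
            tokens.append(("gap", int(m.group(3))))
        pos = m.end()
    if not tokens or tokens[0][0] == "gap" or tokens[-1][0] == "gap":
        raise ValueError("signature must start and end with a byte or '?'")
    return tokens

def _match_at(tokens, data, ti, di):
    """True if tokens[ti:] match data starting at offset di."""
    while ti < len(tokens):
        kind, val = tokens[ti]
        if kind == "gap":
            # Assumption: the next byte may follow after skipping 0..n bytes.
            return any(_match_at(tokens, data, ti + 1, di + skip)
                       for skip in range(val + 1))
        if di >= len(data) or (kind == "byte" and data[di] != val):
            return False
        ti, di = ti + 1, di + 1
    return True

def find_signature(signature, data):
    """Return the first offset in data where the signature matches, or -1."""
    tokens = parse_signature(signature)
    for start in range(len(data)):
        if _match_at(tokens, data, 0, start):
            return start
    return -1

# Constructed sample buffer (not real malware bytes): two filler bytes in the gap.
SAMPLE = bytes.fromhex("9090" "01020304" "aabb" "050607ff090a")
```

With the post's example string, `find_signature('01020304 *(4) 050607?090a', SAMPLE)` reports offset 2; widening the filler beyond four bytes makes the same string miss.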