I am new to ClamAV. I have decoded a ClamAV signature using clamav-unofficial-sigs and it gives this as the decoded signature.
signature decodes to:
???*CallByName?VbMethod??*RndR?
I was getting no output when trying to decode using sigtool. The document which the signature flagged as a virus is a doc file that has macros, but I think the doc is clean. Doing a little search in the macros, I found it has a line:
CallByName myEvent, "do_work", VbMethod, enableParam1, enableParam2
I am not sure what this signature means or what it has matched.
The questions are:
- How to determine what a ClamAV signature matches?
- What meaning is conveyed by the signatures (are they regexes or some other matching sequences)?
- Does ClamAV do dynamic analysis?
Thank you