ClamAV File Types

ClamAV has two file typing systems for filtering signature matches: Target Types and File Types.

Target Types

A Target Type is an integer that indicates which kind of file the signature will match against. Target Type notation was first created for the purpose of writing efficient signatures. A signature with a target type of 0 will be run against every file type, and thus is not ideal. However, the Target Type notation is limited, so using target type 0 may be unavoidable.

Although the newer CL_TYPE string name notation has replaced the Target Type for some signature formats, many signature formats require a target type number.

This is the current list of available Target Types:

Target Type  Description
0            any file
1            Portable Executable, both 32-bit and 64-bit
2            OLE2 containers, including specific macros. Primarily used by MS Office and MSI installation files
3            HTML (normalized)
4            Mail file
5            Graphics
6            ELF
7            ASCII text file (normalized)
8            Unused
9            Mach-O files
10           PDF files
11           Flash files
12           Java class files

Important: HTML, ASCII, and Javascript are all normalized:

  • ASCII - All lowercase.
  • HTML - Whitespace transformed to spaces, tags/tag attributes normalized, all lowercase.
  • Javascript - All strings are normalized (hex encoding is decoded), numbers are parsed and normalized, local variables/function names are normalized to n001 format, argument to eval() is parsed as JS again, unescape() is handled, some simple JS packers are handled, output is whitespace normalized.
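The Target Type and normalization rules above can be checked mechanically before a signature ships. The following linter is an added example, not ClamAV's own code: it assumes the extended `.ndb` layout `MalwareName:TargetType:Offset:HexSignature` from ClamAV's signature documentation (not shown on this page), and `lint_ndb`, `literal_bytes` and the sample signatures are constructed for illustration.

```python
import re

# Target Type numbers, from the table above.
TARGET_TYPES = {0: "any file", 1: "PE", 2: "OLE2", 3: "HTML (normalized)",
                4: "Mail", 5: "Graphics", 6: "ELF", 7: "ASCII (normalized)",
                8: "Unused", 9: "Mach-O", 10: "PDF", 11: "Flash", 12: "Java class"}
LOWERCASED = {3, 7}  # per the normalization list: HTML and ASCII are lowercased

# One token per signature element: {n-m} / [n-m] jumps, a fully fixed byte
# (captured), a byte with a '?' nibble wildcard, or punctuation such as * ( | ).
TOKEN = re.compile(r"\{[^}]*\}|\[[^\]]*\]|([0-9a-fA-F]{2})|[0-9a-fA-F?]{2}|.")

def literal_bytes(hexsig):
    """Return the fixed byte values in a hex signature body, skipping wildcards."""
    return [int(m.group(1), 16) for m in TOKEN.finditer(hexsig) if m.group(1)]

def lint_ndb(line):
    """Return a list of findings for one .ndb line; an empty list means clean."""
    fields = line.strip().split(":")
    if len(fields) < 4:
        return ["malformed: expected MalwareName:TargetType:Offset:HexSignature"]
    name, target, _offset, hexsig = fields[:4]
    if not target.isdecimal() or int(target) not in TARGET_TYPES:
        return [f"{name}: unknown target type {target!r}"]
    t, findings = int(target), []
    if t == 0:
        findings.append(f"{name}: target 0 runs against every file type")
    if t == 8:
        findings.append(f"{name}: target 8 is listed as unused")
    if t in LOWERCASED:
        upper = sorted({b for b in literal_bytes(hexsig) if 0x41 <= b <= 0x5A})
        if upper:
            findings.append(f"{name}: uppercase {''.join(map(chr, upper))!r} "
                            f"cannot match lowercased target {t} content")
    return findings

# Constructed sample signatures (not real detections).
SAMPLE_NDB = """\
Example.Any-1:0:*:4d5a9000
Example.Ascii-1:7:*:4576616c28
Example.Ascii-2:7:*:6576616c28{1-8}29
Example.Html-1:3:*:3c(53|73)6372697074
"""

def lint_text(text):
    """Map each signature name to its findings, keeping only flagged signatures."""
    report = {ln.split(":")[0]: lint_ndb(ln) for ln in text.splitlines() if ln.strip()}
    return {name: f for name, f in report.items() if f}

if __name__ == "__main__":
    for name, findings in lint_text(SAMPLE_NDB).items():
        print("\n".join(findings))
```

On the sample, Example.Ascii-1 is flagged because its body spells "Eval(" with an uppercase E, while the lowercase Example.Ascii-2 passes.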

File Types

ClamAV maintains its own file typing format and assigns these types using either:

  • Evaluation of a unique sequence of bytes at the start of a file (File Type Magic).

  • File type indicators when parsing container files.

    • For example: CL_TYPE_SCRIPT may be assigned to data contained in a PDF when the PDF indicates that a stream of bytes is "Javascript".
  • File type determination based on the names or characteristics contained within the file.

    • For example: CL_TYPE_OOXML_WORD may be assigned to a Zip file containing files with specific names.

ClamAV File Types are prefixed with CL_TYPE_. The following is an exhaustive list of all current file types.

CL_TYPE                  Description
CL_TYPE_7Z               7-Zip Archive
CL_TYPE_7ZSFX            Self-Extracting 7-Zip Archive
CL_TYPE_APM              Disk Image - Apple Partition Map
CL_TYPE_ARJ              ARJ Archive
CL_TYPE_ARJSFX           Self-Extracting ARJ Archive
CL_TYPE_AUTOIT           AutoIt Automation Executable
CL_TYPE_BINARY_DATA      binary data
CL_TYPE_BINHEX           BinHex Macintosh 7-bit ASCII email attachment encoding
CL_TYPE_BZ               BZip Compressed File
CL_TYPE_CABSFX           Self-Extracting Microsoft CAB Archive
CL_TYPE_CPIO_CRC         CPIO Archive (CRC)
CL_TYPE_CPIO_NEWC        CPIO Archive (NEWC)
CL_TYPE_CPIO_ODC         CPIO Archive (ODC)
CL_TYPE_CPIO_OLD         CPIO Archive (OLD, Little Endian or Big Endian)
CL_TYPE_CRYPTFF          Files encrypted by CryptFF malware
CL_TYPE_DMG              Apple DMG Archive
CL_TYPE_EGG              ESTSoft EGG Archive, new in 0.102
CL_TYPE_ELF              ELF Executable (Linux/Unix program or library)
CL_TYPE_GIF              GIF Graphics File, new in 0.103
CL_TYPE_GPT              Disk Image - GUID Partition Table
CL_TYPE_GRAPHICS         Other graphics files; BMP, JPEG2000
CL_TYPE_GZ               GZip Compressed File
CL_TYPE_HTML_UTF16       Wide-Character / UTF16 encoded HTML
CL_TYPE_HTML             HTML data
CL_TYPE_HWP3             Hangul Word Processor (3.X)
CL_TYPE_HWPOLE2          Hangul Word Processor embedded OLE2
CL_TYPE_INTERNAL         Internal properties
CL_TYPE_ISHIELD_MSI      Windows Install Shield MSI installer
CL_TYPE_ISO9660          ISO 9660 file system for optical disc media
CL_TYPE_JAVA             Java Class File
CL_TYPE_JPEG             JPEG Graphics File, new in 0.103.1
CL_TYPE_LNK              Microsoft Windows Shortcut File
CL_TYPE_MACHO_UNIBIN     Universal Binary/Java Bytecode
CL_TYPE_MACHO            Apple/NeXTSTEP Mach-O Executable file format
CL_TYPE_MAIL             Email file
CL_TYPE_MBR              Disk Image - Master Boot Record
CL_TYPE_MHTML            MHTML Saved Web Page
CL_TYPE_MSCAB            Microsoft CAB Archive
CL_TYPE_MSCHM            Microsoft CHM help archive
CL_TYPE_MSEXE            Microsoft EXE / DLL Executable file
CL_TYPE_MSOLE2           Microsoft OLE2 Container file
CL_TYPE_MSSZDD           Microsoft Compressed EXE
CL_TYPE_NULSFT           NullSoft Scripted Installer program
CL_TYPE_OLD_TAR          TAR archive (old)
CL_TYPE_ONENOTE          Microsoft OneNote Document section file
CL_TYPE_OOXML_HWP        Hangul Office Open Word Processor (5.X)
CL_TYPE_OOXML_PPT        Microsoft Office Open XML PowerPoint
CL_TYPE_OOXML_WORD       Microsoft Office Open Word 2007+
CL_TYPE_OOXML_XL         Microsoft Office Open Excel 2007+
CL_TYPE_PART_HFSPLUS     Apple HFS+ partition
CL_TYPE_PDF              Adobe PDF document
CL_TYPE_PNG              PNG Graphics File, new in 0.103
CL_TYPE_POSIX_TAR        TAR archive
CL_TYPE_PS               Postscript
CL_TYPE_PYTHON_COMPILED  Python byte-compiled executable (.pyc)
CL_TYPE_RAR              RAR Archive
CL_TYPE_RARSFX           Self-Extracting RAR Archive
CL_TYPE_RIFF             Resource Interchange File Format container formatted file
CL_TYPE_RTF              Rich Text Format document
CL_TYPE_SCRENC           Files encrypted by ScrEnc malware
CL_TYPE_SCRIPT           Generic type for scripts (Javascript, Python, etc)
CL_TYPE_SIS              Symbian OS Software Installation Script Archive
CL_TYPE_SWF              Adobe Flash File (LZMA, Zlib, or uncompressed)
CL_TYPE_TEXT_ASCII       ASCII text
CL_TYPE_TEXT_UTF16BE     UTF-16BE text
CL_TYPE_TEXT_UTF16LE     UTF-16LE text
CL_TYPE_TEXT_UTF8        UTF-8 text
CL_TYPE_TIFF             TIFF Graphics File (Little or Big Endian), new in 0.103.1
CL_TYPE_TNEF             Microsoft Outlook & Exchange email attachment format
CL_TYPE_UDF              UDF (Universal Disk Format) Partition
CL_TYPE_UUENCODED        UUEncoded (Unix-to-Unix) binary file (Unix email attachment)
CL_TYPE_XAR              XAR Archive
CL_TYPE_XDP              Adobe XDP - Embedded PDF
CL_TYPE_XML_HWP          Hangul Word Processor XML (HWPML) Document
CL_TYPE_XML_WORD         Microsoft Word 2003 XML Document
CL_TYPE_XML_XL           Microsoft Excel 2003 XML Document
CL_TYPE_XZ               XZ Archive
CL_TYPE_ZIP              Zip Archive
CL_TYPE_ZIPSFX           Self-Extracting Zip Archive