Interpreting Scan Alerts FAQ
If you're unable to find an answer to your question in our FAQ, you can seek help in our clamav-users mailing list, on our Discord server, or by submitting an issue on GitHub. The mailing list archives and existing Github issues (open or closed) may also have an answer to your question.
Please consider contributing answered questions back to this FAQ, and improving the quality of these answers, by submitting pull requests to our documentation source repository.
ClamAV alerted on a file during a scan. What do I do?
ClamAV may have found a malicious or suspicious file. However, you're probably asking yourself if the alert is a False Positive (FP). It may well be, so don't just delete the file out-of-hand.
ClamAV alerted on a file in the clamav source code. Am I infected?
If you scan the build directory for ClamAV, you may see an alert on a ClamAV test file, like this:
clamav-0.104.1/build/unit_tests/input/clamav_hdb_scanfiles/clam.chm: Clamav.Test.File-6 FOUND
You can savely ignore this alert. The files found under the clamav unit_tests/input in the build directory are supposed to alert, to demonstrate correct file parser functionality.
Online Research
First, consider the file itself and whether or not the alert makes sense. If you're concerned, start by searching the name of the signature on Google. If FP's are being reported, you may see others complaining about the same thing, or you may be able to get an understanding of what the signature is trying to find.
Technical Investigation
Second, if you're technically inclined, you may want to try to read the signature details to understand how it works and what, specifically, it's alerting on. Take heed, this investigation might leave you more confused than when you started. ClamAV doesn't post write-ups on how each signature in-part because a good number of our signatures these days are generated automatically and not by a human mind.
-
Start by opening a command prompt in a new empty directory, for example:
user@laptop:~$ mkdir /tmp/sigdump user@laptop:~$ cd /tmp/sigdump -
Use the
sigtoolprogram to unpack the ClamAV databases into their separate components. SigTool should be installed alongside clamscan, probably in/usr/local/bin/sigtool. The ClamAV databases are traditionally installed in/usr/local/share/clamavalthough if you installed from a package manager, your paths may vary:user@laptop:/tmp/sigdump$ sigtool -u /usr/local/share/clamav/main.cvd user@laptop:/tmp/sigdump$ sigtool -u /usr/local/share/clamav/daily.cvd # May be: daily.cld user@laptop:/tmp/sigdump$ sigtool -u /usr/local/share/clamav/bytecode.cvd # May be: bytecode.cld -
Use
lsto verify that you've successfully unpacked the databases:user@laptop:/tmp/sigdump$ ls 3986187.cbc 3986230.cbc 3986303.cbc 4553522.cbc 6335443.cbc 6399052.cbc daily.cfg daily.msb 3986188.cbc 3986231.cbc 3986305.cbc 4970075.cbc 6335540.cbc 6404655.cbc daily.crb daily.msu 3986206.cbc 3986232.cbc 3986306.cbc 5044126.cbc 6335560.cbc 6428210.cbc daily.fp daily.ndb 3986212.cbc 3986233.cbc 3986310.cbc 5588995.cbc 6335564.cbc 6428556.cbc daily.ftm daily.ndu 3986214.cbc 3986234.cbc 3986321.cbc 5819336.cbc 6335669.cbc 6441308.cbc daily.hdb daily.pdb 3986215.cbc 3986235.cbc 3986322.cbc 5999914.cbc 6336023.cbc 6442366.cbc daily.hdu daily.sfp 3986216.cbc 3986236.cbc 3986327.cbc 5999936.cbc 6336035.cbc 6447941.cbc daily.hsb daily.wdb 3986217.cbc 3986242.cbc 3986328.cbc 6300337.cbc 6336074.cbc 6453673.cbc daily.hsu main.crb 3986218.cbc 3986244.cbc 3986334.cbc 6311970.cbc 6336259.cbc 6471051.cbc daily.idb main.fp 3986219.cbc 3986249.cbc 3986337.cbc 6316126.cbc 6336260.cbc 6497366.cbc daily.ign main.hdb 3986220.cbc 3986259.cbc 4306126.cbc 6324281.cbc 6336630.cbc 6539706.cbc daily.ign2 main.hsb 3986221.cbc 3986282.cbc 4306157.cbc 6327695.cbc 6336737.cbc 6566834.cbc daily.info main.info 3986222.cbc 3986283.cbc 4307467.cbc 6329916.cbc 6336739.cbc 6614848.cbc daily.ldb main.mdb 3986223.cbc 3986289.cbc 4416867.cbc 6329917.cbc 6364361.cbc COPYING daily.ldu main.msb 3986224.cbc 3986292.cbc 4510302.cbc 6335400.cbc 6380163.cbc bytecode.info daily.mdb main.ndb 3986229.cbc 3986301.cbc 4526683.cbc 6335427.cbc 6395243.cbc daily.cdb daily.mdu main.sfp -
Use
grepto search for the signature in question. For example:user@laptop:/tmp/sigdump$ grep -r Win.Downloader.DDECmdExec-6683887-5 Win.Downloader.DDECmdExec-6683887-5;Engine:81-255,Target:0;4;0:1f8b;0:255044462d;0:4d5a{-100}50450000;7c27{-255}2721;(0=0&1=0&2=0)&3/(?<!\x20)[=+\-@]\s*?(\w+\s*?\x28)?.{0,50}(certutil|cmd|cmstp|cscript|dnscmd|msiexec|netsh|regsvr32|rpcping|rundll32|schtasks|telnet|tscon|tsdiscon|wmic|wscript).{0,50}\|\s*?\x27[^\x27]{5,255}\x27\s*?\x21/i -
Reading ClamAV signatures is hard. You can familiarize yourself with the ClamAV signature format by reading the documentation on writing ClamAV Signatures.
To get a jump start, you can make
sigtoolprint out a more human readable represenation of what the signature is looking for. Pipe the output from grep directly into sigtool by using the--decode-sigsoption:user@laptop:/tmp/sigdump$ grep Win.Downloader.DDECmdExec-6683887-5 -r . | ../../bin/sigtool --decode-sigsThe output will look something like this:
VIRUS NAME: ./daily.ldb:Win.Downloader.DDECmdExec-6683887-5 TDB: Engine:81-255,Target:0 LOGICAL EXPRESSION: 4 * SUBSIG ID 0 +-> OFFSET: 0 +-> SIGMOD: NONE +-> DECODED SUBSIGNATURE: � * SUBSIG ID 1 +-> OFFSET: 0 +-> SIGMOD: NONE +-> DECODED SUBSIGNATURE: %PDF- * SUBSIG ID 2 +-> OFFSET: 0 +-> SIGMOD: NONE +-> DECODED SUBSIGNATURE: MZ{WILDCARD_ANY_STRING(LENGTH<=100)}PE * SUBSIG ID 3 +-> OFFSET: ANY +-> SIGMOD: NONE +-> DECODED SUBSIGNATURE: |'{WILDCARD_ANY_STRING(LENGTH<=255)}'! * SUBSIG ID 4 +-> OFFSET: ANY +-> SIGMOD: NONE +-> DECODED SUBSIGNATURE: +-> TRIGGER: (0=0&1=0&2=0)&3 +-> REGEX: (?<!\x20)[=+\-@]\s*?(\w+\s*?\x28)?.{0,50}(certutil|cmd|cmstp|cscript|dnscmd|msiexec|netsh|regsvr32|rpcping|rundll32|schtasks|telnet|tscon|`tsdiscon|wmic|wscript).{0,50}\|\s*?\x27[^\x27]{5,255}\x27\s*?\x21 +-> CFLAGS: i -
Interpret the results. ClamAV signatures can be as simple as a hash-based signature of a known-malicious file, but they can also be a complex logical test. You may not learn enough to make an educated decision. The above example is a pretty complicated one, so I will try to walk you through it.
You can see that there are 5 subsignatures (numbered 0 - 4). The
LOGICICAL EXPRESSIONindicates which subsignature(s) matter and why. This could be something like0 AND 1to indicate that 2 subsignatures must both trigger in order for the overall signature to alert. In this case, only subsignature4is required by theLOGICAL EXPRESSION.If you look at
SUBSIG ID 4, you'll see that has a has aTRIGGERwhich acts in much the same way as the aboveLOGICAL EXPRESSION. If the subsignatures in the logical expression are satisfied, then the regular expressionREGEXwill be tested. If the regular expression matches, then the SUBSIG ID 4 will trigger and the overall signature will alert.
Reporting
If you believe that the signature alerted on a benign file, please report the False Positive so our analysts can refine or remove the faulty signature. You can report false positives on our website or you can submit the report using the clamsubmit command-line program.
If you're concerned that the file may be malicious, and aren't comfortable quarantining and/or deleting the file, feel free to ask in the user mailing lists for advice. Please subscribe to clamav-users and then post a message to all the list members by sending an email to clamav-users -at- lists -dot- clamav -dot- net.