The easiest way to create signatures for ClamAV is to use filehash checksums, however this method can be only used against static malware.
To create a MD5 signature for
test.exe use the
--md5 option of
zolw@localhost:/tmp/test$ sigtool --md5 test.exe > test.hdb zolw@localhost:/tmp/test$ cat test.hdb 48c4533230e1ae1c118c741c0db19dfb:17387:test.exe
That’s it! The signature is ready for use:
zolw@localhost:/tmp/test$ clamscan -d test.hdb test.exe test.exe: test.exe FOUND ----------- SCAN SUMMARY ----------- Known viruses: 1 Scanned directories: 0 Engine version: 0.92.1 Scanned files: 1 Infected files: 1 Data scanned: 0.02 MB Time: 0.024 sec (0 m 0 s)
You can change the name (by default sigtool uses the name of the file) and place it inside a
*.hdb file. A single database file can include any number of signatures. To get them automatically loaded each time
clamd starts just copy the database file(s) into the local virus database directory (eg.
The hash-based signatures shall not be used for text files, HTML and any other data that gets internally preprocessed before pattern matching. If you really want to use a hash signature in such a case, run
--leave-temps flags as described above and create a signature for a preprocessed file left in
/tmp. Please keep in mind that a hash signature will stop matching as soon as a single byte changes in the target file.
ClamAV 0.98 has also added support for SHA1 and SHA256 file checksums. The format is the same as for MD5 file checksum. It can differentiate between them based on the length of the hash string in the signature. For best backwards compatibility, these should be placed inside a
*.hsb file. The format is:
ClamAV 0.98 has also added support for hash signatures where the size is not known but the hash is. It is much more performance-efficient to use signatures with specific sizes, so be cautious when using this feature. For these cases, the ’*’ character can be used in the size field. To ensure proper backwards compatibility with older versions of ClamAV, these signatures must have a minimum functional level of 73 or higher. Signatures that use the wildcard size without this level set will be rejected as malformed.
Sample .hsb signature matching any size:
Sample .msb signature matching any size:
You can create a hash signature for a specific section in a PE file. Such signatures shall be stored inside
.mdb (MD5) and
.msb files in the following format:
The easiest way to generate MD5 based section signatures is to extract target PE sections into separate files and then run sigtool with the option
ClamAV also has support for SHA1 and SHA256 section based signatures. The format is the same as for MD5 PE section based signatures. It can differentiate between them based on the length of the hash string in the signature. For best backwards compatibility, these should be placed inside a