ClamAV

ClamAV is an open source (GPLv2) anti-virus toolkit, designed especially for e-mail scanning on mail gateways. It provides a number of utilities including a flexible and scalable multi-threaded daemon, a command line scanner and advanced tool for automatic database updates. The core of the package is an anti-virus engine available in a form of shared library.

Tip: ClamAV is not a traditional anti-virus or endpoint security suite. For a fully featured modern endpoint security suite, check out Cisco Secure Endpoint. See "related products", below, for more details.

ClamAV is brought to you by Cisco Systems, Inc.

Community Projects

ClamAV has a diverse ecosystem of community projects, products, and other tools that either depend on ClamAV to provide malware detection capabilities or supplement ClamAV with new features such as improved support for 3rd party signature databases, graphical user interfaces (GUI), and more.

Features

• ClamAV is designed to scan files quickly.
• Real time protection (Linux only). The ClamOnAcc client for the ClamD scanning daemon provides on-access scanning on modern versions of Linux. This includes an optional capability to block file access until a file has been scanned (on-access prevention).
• ClamAV detects millions of viruses, worms, trojans, and other malware, including Microsoft Office macro viruses, mobile malware, and other threats.
• ClamAV's bytecode signature runtime, powered by either LLVM or our custom bytecode interpreter, allows the ClamAV signature writers to create and distribute very complex detection routines and remotely enhance the scanner’s functionality.
• Signed signature databases ensure that ClamAV will only execute trusted signature definitions.
• ClamAV scans within archives and compressed files but also protects against archive bombs. Built-in archive extraction capabilities include:
• Zip (including SFX, excluding some newer or more complex extensions)
• RAR (including SFX, most versions)
• 7Zip
• ARJ (including SFX)
• Tar
• CPIO
• Gzip
• Bzip2
• DMG
• IMG
• ISO 9660
• PKG
• HFS+ partition
• HFSX partition
• APM disk image
• GPT disk image
• MBR disk image
• XAR
• XZ
• Microsoft OLE2 (Office documments)
• Microsoft OOXML (Office documments)
• Microsoft Cabinet Files (including SFX)
• Microsoft CHM (Compiled HTML)
• Microsoft SZDD compression format
• HWP (Hangul Word Processor documents)
• BinHex
• SIS (SymbianOS packages)
• AutoIt
• InstallShield
• ESTsoft EGG
• Supports Windows executable file parsing, also known as Portable Executables (PE) both 32/64-bit, including PE files that are compressed or obfuscated with:
• AsPack
• UPX
• FSG
• Petite
• PeSpin
• NsPack
• wwpack32
• MEW
• Upack
• Y0da Cryptor
• Supports ELF and Mach-O files (both 32 and 64-bit)
• Supports almost all mail file formats
• Support for other special files/formats includes:
• HTML
• RTF
• PDF
• Files encrypted with CryptFF and ScrEnc
• uuencode
• TNEF (winmail.dat)
• Advanced database updater with support for scripted updates, digital signatures and DNS based database version queries

Disclaimer: Many of the above file formats continue to evolve. Executable packing and obfuscation tools in particular are constantly changing. We cannot guarantee that we can unpack or extract every version or variant of the listed formats.

Supported platforms

Clam AntiVirus is highly cross-platform. The development team cannot test every OS, so we have chosen to test ClamAV using the two most recent Long Term Support (LTS) versions of each of the most popular desktop operating systems. Our regularly tested operating systems include:

• GNU/Linux
• Alpine
• 3.11 (64bit)
• Ubuntu
• 18.04 (64bit, 32bit)
• 20.04 (64bit)
• Debian
• 9 (64bit, 32bit)
• 10 (64bit, 32bit)
• CentOS
• 7 (64bit, 32bit)
• 8 (64bit)
• Fedora
• 30 (64bit)
• 31 (64bit)
• UNIX
• FreeBSD
• 11 (64bit)
• 12 (64bit)
• macOS
• 10.13 (High Sierra)
• 10.15 (Catalina)
• Windows
• 7 (64bit, 32bit)
• 10 (64bit, 32bit)

The following minimum recommended system requirements are for using ClamScan or ClamD applications with the standard ClamAV signature database provided by Cisco.

Minimum recommended RAM for ClamAV:

• FreeBSD and Linux server edition: 2 GiB+
• Linux non-server edition: 2 GiB+
• Windows 7 & 10 32-bit: 2 GiB+
• Windows 7 & 10 64-bit: 3 GiB+
• macOS: 3 GiB+

Minimum recommended CPU for ClamAV:

• 1 CPU at 2.0 Ghz+

Minimum available hard disk space required:

For the ClamAV application we recommend having 5 GB of free space available. This recommendation is in addition to the recommended disk space for each OS.

Note: The tests to determine these minimum requirements were performed on systems that were not running other applications. If other applications are being run on the system, additional resources will be required in addition to our recommended minimums.

Mailing Lists and Chat

If you have a trouble installing or using ClamAV try asking on our mailing lists. There are four lists available:

• clamav-announce (at) lists.clamav.net
• info about new versions, moderated.
• Subscribers are not allowed to post to this mailing list.
• clamav-users (at) lists.clamav.net
• user questions
• clamav-devel (at) lists.clamav.net
• technical discussions
• clamav-virusdb (at) lists.clamav.net
• database update announcements, moderated
• clamav-binary (at) lists.clamav.net
• discussion and announcements for package maintainers

You can subscribe and search the mailing list archives here.

You can also join the community on our ClamAV Discord chat server.

Submitting New or Otherwise Undetected Malware

If you've got a virus which is not detected by the current version of ClamAV using the latest signature databases, please submit the sample for review at our website:

https://www.clamav.net/reports/malware

Likewise, if you have a benign file that is flagging as a virus and you wish to report a False Positive, please submit the sample for review at our website:

https://www.clamav.net/reports/fp

Cisco Secure Endpoint (formerly AMP for Endpoints) is Cisco's cloud-based security suite for commercial and enterprise customers. Secure Endpoint is available for Windows, Linux, and macOS and provides superior malware detection capabilities, behavioral monitoring, dynamic file analysis, endpoint isolation, analytics, and threat hunting. Secure Endpoint sports a modern administrative web interface (dashboard).

Immunet is a cloud-based antivirus application for Windows that is free for non-commercial use. Immunet offers great malware detection efficacy but, as a completely free product, Immunet's does not have same features or the quality user experience that Secure Endpoint offers. There is an Immunet user forum but Cisco offers no official user support.

Installing ClamAV

Installing with a Package Manager

ClamAV is widely available from third party package managers for most operating systems. This is often the quickest way to install ClamAV. It will make also upgrades easier.

Check out the Packages page to find installation instructions for your system.

Installing with an Installer

Windows

The ClamAV team provides official ClamAV builds for Windows on the ClamAV downloads page. You can choose between a traditional executable installer or a portable install ZIP package.

To use the executable installer, double-click the installer and follow the instructions.

To install from a ZIP package, unzip the portable install package to any directory.

Official ClamAV Docker Images

There are now official ClamAV images on Docker Hub. You can find the images on Docker Hub under clamav.

At present we offer images with builds of the latest development version. We call this "unstable". ClamAV 0.104 will be the first stable release that we'll publish on Docker Hub.. Once published 0.104.0+ will be available using a Docker image tag with the specific version number, or using "stable" to get the latest stable release.

Check out the Docker page to learn how to install and use ClamAV with Docker.

Installing from Source

If you need, you can also compile and install ClamAV from source:

What now?

Now that ClamAV is installed, you will want to customize your configuration and perhaps set up some scanning automation and alerting mechanisms.

Continue on to "Configuration"...

ClamAV Packages

Many Linux and Unix distributions as well as packaging systems for macOS and Windows offer one or more ClamAV packages to make it easy for you to install ClamAV.

These packages are usually well maintained but if you find an issue with one, please consider helping the volunteers that maintain the packages.

Disclaimer: ClamAV packages may vary somewhat from the upstream version. Some examples:

• The database and application config paths may vary:

• A default from-source install will go in /usr/local, with:

• applications in /usr/local/bin
• daemons in /usr/local/sbin
• libraries in /usr/local/lib
• headers in /usr/local/include
• configs in /usr/local/etc/ (or /usr/local/etc/clamav/ for v0.104+)
• databases in /usr/local/share/clamav/
• A Linux package install will probably go in /usr, with:

• applications in /usr/bin
• daemons in /usr/sbin
• libraries in /usr/lib
• headers in /usr/include
• configs in /etc/clamav
• databases in /var/lib/clamav
• As of 0.103.x, a from-source install requires the user create a config for FreshClam, ClamD, and ClamAV-Milter in order to use each application. A package install, however, is likely to come pre-configured. Users may wish to modify the configs as needed.

• Package installs sometimes carry extra patches for issues affecting their distribution, for issues the ClamAV developers haven't had time to fix or are unaware of, and for security issues when distributing older versions that are no longer maintained by the ClamAV developers.

• Some distributions parcel up ClamAV components into separate packages. You don't necessarily need all of the packages. If this applies to your package system, you may need to review the applications described in the scanning instructions to understand which features you will need.

Acknowledgments: Thank you to all of the volunteers who maintain these packages! We appreciate your help!

The Packages

Debian

Debian splits up ClamAV into a selection of different packages.

Realistically, you probably only need to apt install clamav and probably apt install clamav-daemon. If you require support for scanning compressed RAR files you first need to enable the "non-free" archive.*

The full list of packages includes:

• clamav - command-line interface
• clamav-base - base package
• clamav-daemon - scanner daemon
• clamav-docs - documentation
• clamav-freshclam - virus database update utility
• clamav-milter - sendmail integration
• clamav-testfiles - test files
• libclamav-dev - development files
• libclamav9 - library
• libclamunrar9 - unrar support

* RAR Support: ClamAV's RAR support comes from UnRAR, which is open-source but not entirely free in so far as its license restricts users from reverse engineering it to create RAR archives. For this reason, it is bundled separately in the "non-free" archive. Enable it by adding "non-free" to /etc/apt/sources.list. Eg:

deb http://http.us.debian.org/debian stable main contrib non-free

Then you can install the RAR-plugin using: apt install libclamunrar9

There are a variety of other ClamAV related projects as well. Run apt search clamav to see a larger list.

To test the installation, you can try to scan the test files in the clamav-testfiles package.

Note: Debian packages are maintained by Debian's ClamAV Team.

The package maintainers can be reached at clamav-devel at lists.alith.debian.org. More info at tracker.debian.org/pkg/clamav.

Patches: https://salsa.debian.org/clamav-team/clamav/tree/unstable/debian/patches

Ubuntu

Ubuntu's ClamAV packages are derived from the Debian packages (above). See the Debian instructions for installation details.

RAR Support: As with Debian, RAR support is not included in the base package. Users that desire RAR support will have to install libclamunar9 separately. Unlike with Debian, there is no need to enable "non-free" packages for this to work.

Note: Ubuntu packages are curated by Ubuntu Developers. Package source: https://packages.ubuntu.com/source/clamav

openSUSE

openSUSE provides two packages:

• clamav - The clamav package
• clamav-devel - The clamav package plus headers for software development.

Use the update variant for openSUSE, add it to your installation as another repository using YaST or zypper and give it a higher priority (lower number) than the repository that delivers the official updates.

Tip: RPMs of new ClamAV versions for existing SUSE products are provided through the respective online update channels. As these packages have to go through QA, it usually takes some time for a new ClamAV source release to appear as an official RPM. For those who want the newest version, packages are available from the security project in the openSUSE Build Service.

Zypper

Install ClamAV with zypper:

  zypper install -y clamav


Note: openSUSE packages are maintained by Reinhard Max.

EPEL: Fedora, RHEL, and CentOS

EPEL creates ClamAV packages for Fedora (as well as EPEL-enabled CentOS and RHEL). For more information on EPEL, visit their wiki.

To enable EPEL for CentOS:

dnf install -y epel-release


EPEL offers a selection of packages to install ClamAV:

• clamd - The Clam AntiVirus Daemon
• clamav - End-user tools for the Clam Antivirus scanner
• clamav-data - Virus signature data for the Clam Antivirus scanner
• clamav-devel - Header files and libraries for the Clam Antivirus scanner
• clamav-lib - Dynamic libraries for the Clam Antivirus scanner
• clamav-milter - Milter module for the Clam Antivirus scanner
• clamav-update - Auto-updater for the Clam Antivirus scanner data-files

Most users will only need to run:

dnf install -y clamav clamd clamav-update


Tips

CentOS: On Community Enterprise Operating System (CentOS) the ClamAV package requires the Extra Packages for Enterprise Linux (EPEL) repository.

RHEL: On RedHat Enterprise Linux (RHEL) the EPEL release package has to be installed either manually or through RHN.

Fedora: Fedora packages can be found at https://src.fedoraproject.org/rpms/clamav

Fedora's packaging is more customized than most. Please review the RPM notes when troubleshooting your Fedora package configuration.

Gentoo

ClamAV is available in portage under /usr/portage/app-antivirus/clamav

To install, run:

emerge clamav


For more details, see the package entry on Portage.

FreeBSD, OpenBSD, NetBSD

Although all these systems offer the possibility to use ports or pkgsrc, you can install the pre-built package:

FreeBSD

FreeBSD offers two ClamAV ports (packages):

• clamav
• clamav-devel

To install, run:

pkg install clamav


Note: For more details, see:

• https://www.freshports.org/security/clamav
• https://www.freshports.org/security/clamav-devel

OpenBSD

To install, run:

  pkg_add clamav


NetBSD

To install, run:

  pkgin install clamav


Solaris

OpenCSW is a community software project for Solaris 8+ on both Sparc and x86. It packages more than 2000 popular open source titles and they can all easily be installed with dependency handling via pkgutil which is modeled after Debian's apt-get.

pkgutil -i clamav


Note: The package can be found on OpenCSW though it is unfortuantely quite out-of-date.

Disclaimer: ClamAV is also no longer supported on Solaris because Solaris is proprietary, less commonly used, and difficult to work with. Future versions of ClamAV will depend on components written in the Rust programming language, which also does not support building directly on Solaris. It is likely that ClamAV will no longer work on Solaris in the future.

Slackware

Download the package, and as root, install it like so (substituting the appropriate filename):

  installpkg clamav.tar.gz


macOS

ClamAV can be easily installed on macOS using one of these popular package managers:

Homebrew

Install Homebrew if you don't already have it. Then run:

  brew install clamav


Homebrew installs versioned packages to /usr/local/Cellar/<pacakge>/<version> with symlinks in /usr/local/opt/<pacakge> to the current version. Symlinks for ClamAV's executables will be placed in /usr/local/bin to add them to your PATH. ClamAV's config files will be placed in /usr/local/etc/clamav.

As with most other installation methods, you may need to do the following at a minimum before you can run freshclam, clamscan, or use clamdscan with clamd:

1. Create /usr/local/etc/clamav/freshclam.conf from /usr/local/etc/clamav/freshclam.conf.sample.
2. Remove or comment-out the Example line from freshclam.conf
3. Run freshclam to download the latest malware definitions.

If you wish to run clamd you'll also need to create /usr/local/etc/clamav/clamd.conf from /usr/local/etc/clamav/clamd.conf.sample, and configure clamd.conf with Local/Unix socket settings (preferred), or TCP socket settings.

MacPorts

Install MacPorts if you don't already have it. Then run:

  sudo port install clamav


MacPorts installs versioned packages to /opt/local/. ClamAV's config files will be placed in /opt/local/etc.

As with most other installation methods, you may need to do the following at a minimum before you can run freshclam, clamscan, or use clamdscan with clamd:

1. Create /opt/local/etc/freshclam.conf from /opt/local/etc/freshclam.conf.sample.
2. Remove or comment-out the Example line from freshclam.conf
3. Run freshclam to download the latest malware definitions.

If you wish to run clamd you'll also need to create /opt/local/etc/clamd.conf from /opt/local/etc/clamd.conf.sample, and configure clamd.conf with Local/Unix socket settings (preferred), or TCP socket settings.

ClamAV in Docker

ClamAV can be run within a Docker container. This provides isolation from other processes by running it in a containerized environment. If new or unfamiliar with Docker, containers or cgroups see docker.com.

The official images on Docker Hub

ClamAV image tags on Docker Hub follow this naming convention:

• clamav/clamav:<version>: A release preloaded with signature databases.

Using this container will save the ClamAV project some bandwidth. Use this if you will keep the image around so that you don't download the entire database set every time you start a new container. Updating with FreshClam from existing databases set does not use much data.

• clamav/clamav:<version>_base: A release with no signature databases.

Use this container only if you mount a volume in your container under /var/lib/clamav to persist your signature database databases. This method is the best option because it will reduce data costs for ClamAV and for the Docker registry, but it does require advanced familiarity with Linux and Docker.

Caution: Using this image without mounting an existing database directory will cause FreshClam to download the entire database set each time you start a new container.

You can use the unstable version (i.e. clamav/clamav:unstable or clamav/clamav:unstable_base) to try the latest from our development branch.

Building the ClamAV image

While it is recommended to pull the image from our Docker Hub registry, some may want to build the image locally instead. All that is needed is:

docker build --tag "clamav:TICKET-123" .


in the current directory. This will build the ClamAV image and tag it with the name "clamav:TICKET-123". Any name can generally be used and it is this name that needs to be referred to later when running the image.

Running ClamD

To run clamd in a Docker container, first, an image either has to be built or pulled from a Docker registry.

Running ClamD using the official ClamAV images from Docker Hub

To pull the ClamAV "unstable" image from Docker Hub, run:

docker pull clamav/clamav:unstable


Tip: Substitute unstable with a different version as needed.

To pull and run the official ClamAV images from the Docker Hub registry, try the following command:

docker run \
--interactive \
--tty \
--rm \
--name "clam_container_01" \
clamav/clamav:unstable


The above creates an interactive container with the current TTY connected to it. This is optional but useful when getting started as it allows one to directly see the output and, in the case of clamd, send ctrl-c to close the container. The --rm parameter ensures the container is cleaned up again after it exits and the --name parameter names the container, so it can be referenced through other (Docker) commands, as several containers of the same image can be started without conflicts.

Note: Pulling is not always required. docker run will pull the image if it cannot be found locally. docker run --pull always will always pull beforehand to ensure the most up-to-date container is being used. Do not use --pull always with the larger ClamAV images.

Tip: It's common to see -it instead of --interactive --tty.

Running ClamD using a Locally Built Image

You can run a container using an image built locally (see "Building the ClamAV Image"). Just run:

docker run -it --rm \
--name "clam_container_01" \
clamav:TICKET-123


Persisting the virus database (volume)

The virus database in /var/lib/clamav is by default unique to each container and thus is normally not shared. For simple setups this is fine, where only one instance of clamd is expected to run in a dockerized environment. However some use cases may want to efficiently share the database or at least persist it across short-lived ClamAV containers.

To do so, you have two options:

1. Create a Docker volume using the docker volume command. Volumes are completely managed by Docker and are the best choice for creating a persistent database volume.

For example, create a "clam_db" volume:

docker volume create clam_db


Then start one or more containers using this volume. The first container to use a new database volume will download the full database set. Subsequent containers will use the existing databases and may update them as needed:

docker run -it --rm \
--name "clam_container_01" \
--mount source=clam_db,target=/var/lib/clamav \
clamav/clamav:unstable_base

2. Create a Bind Mount that maps a file system directory to a path within the container. Bind Mounts depend on the directory structure, permissions, and operating system of the Docker host machine.

Run the container with these arguments to mount the a directory from your host environment as a volume in the container.

    --mount type=bind,source=/path/to/databases,target=/var/lib/clamav


When doing this, it's best to use the <version>_base image tags so as to save on bandwith. E.g.:

docker run -it --rm \
--name "clam_container_01" \
--mount type=bind,source=/path/to/databases,target=/var/lib/clamav \
clamav/clamav:unstable_base


Disclaimer: When using a Bind Mount, the container's entrypoint script will change ownership of this directory to its "clamav" user. This enables FreshClam and ClamD with the required permissions to read and write to the directory, though these changes will also affect those files on the host.

If you're thinking about running multiple containers that share a single database volume, here are some notes on how this might work.

Running Clam(D)Scan

Scanning files using clamscan or clamdscan is possible in various ways with Docker. This section briefly describes them, but the other sections of this document are best read before hand to better understand some of the concepts.

One important aspect is however to realize that Docker by default does not have access to any of the hosts files. And so to scan these within Docker, they need to be mounted with a bind mount to be made accessible.

For example, running the container with these arguments ...

    --mount type=bind,source=/path/to/scan,target=/scandir
--mount type=bind,source=/path/to/scan,target=/scandir


... would make the hosts file/directory /path/to/scan available in the container as /scandir and thus invoking clamscan would thus be done on /scandir.

Note that while technically possible to run either scanners via docker exec this is not described as it is unlikely the container has access to the files to be scanned.

ClamScan

Using clamscan outside of the Docker container is how normally clamscan is invoked. To make use of the available shared dockerized resources however, it is possible to expose the virus database and share that for example. E.g. it could be possible to run a Docker container with only the freshclam daemon running, and share the virus database directory /var/lib/clamav. This could be useful for file servers for example, where only clamscan is installed on the host, and freshclam is managed in a Docker container.

Note: Running the freshclam daemon separated from clamd is less recommended, unless the clamd socket is shared with freshclam as freshclam would not be able to inform clamd of database updates.

Dockerized ClamScan

To run clamscan in a Docker container, the Docker container can be invoked as:

docker run -it --rm \
--mount type=bind,source=/path/to/scan,target=/scandir \
clamav/clamav:unstable \
clamscan /scandir


However, this will use whatever signatures are found in the image, which may be slightly out of date. If using clamscan in this way, it would be best to use a database volume that is up-to-date so that you scan with the latest signatures. E.g.:

docker run -it --rm \
--mount type=bind,source=/path/to/scan,target=/scandir \
--mount type=bind,source=/path/to/databases,target=/var/lib/clamav \
clamav/clamav:unstable_base \
clamscan /scandir


ClamDScan

As with clamscan, clamdscan can also be run when installed on the host, by connecting to the dockerized clamd. This can be done by either pointing clamdscan to the exposed TCP/UDP port or unix socket.

Dockerized ClamDScan

Running both clamd and clamdscan is also easily possible, as all that is needed is the shared socket between the two containers. The only cavaet here is to:

1. mount the files to be scanned in the container that will run clamd, or
2. mount the files to be scanned in the container that will clamdscan run if using clamdscan --stream. The --stream option will be slower, but enables submitting files from a different machine on a network.

For example:

docker run -it --rm \
--mount type=bind,source=/path/to/scan,target=/scandir \
--mount type=bind,source=/var/lib/docker/data/clamav/sockets/,target=/run/clamav/ \
clamav/clamav:unstable

docker run -it --rm \
--mount type=bind,source=/path/to/scan,target=/scandir \
--mount type=bind,source=/var/lib/docker/data/clamav/sockets/,target=/run/clamav/ \
clamav/clamav:unstable_base \
clamdscan /scandir


Controlling the container

The ClamAV container actually runs both freshclam and clamd daemons by default. Optionally available to the container is ClamAV's milter daemon. To control the behavior of the services started within the container, the following flags can be passed to the docker run command with the --env (-e) parameter.

• CLAMAV_NO_CLAMD [true|false] Do not start clamd. (default: start clamd)
• CLAMAV_NO_FRESHCLAMD [true|false] Do not start the freshclam daemon. (default: start the freshclam daemon)
• CLAMAV_NO_MILTERD [true|false] Do not start the clamav-milter daemon. (default: start the clamav-milter daemon )
• CLAMD_STARTUP_TIMEOUT [integer] Seconds to wait for clamd to start. (default: 1800)
• FRESHCLAM_CHECKS [integer] freshclam daily update frequency. (default: once per day)

So to additionally also enable clamav-milter, the following flag can be added:

    --env 'CLAMAV_NO_MILTERED=false'


Further more, all of the configuration files that live in /etc/clamav can be overridden by doing a volume-mount to the specific file. The following argument can be added for this purpose. The example uses the entire configuration directory, but this can be supplied multiple times if individual files deem to be replaced.

    --mount type=bind,source=/full/path/to/clamav/,target/etc/clamav


Note: Even when disabling the freshclam daemon, freshclam will always run at least once during container startup if there is no virus database. While not recommended, the virus database location itself /var/lib/clamav/ could be a persistent Docker volume. This however is slightly more advanced and out of scope of this document.

Connecting to the container

Executing commands within a running container

To connect to a running ClamAV container, docker exec can be used to run a command on an already running container. To do so, the name needs to be either obtained from docker ps or supplied during container start via the --name parameter. The most interesting command in this case can be clamdtop.

docker exec --interactive --tty "clamav_container_01" clamdtop


Alternatively, a shell can be started to inspect and run commands within the container as well.

docker exec --interactive --tty "clamav_container_01" /bin/sh


Unix sockets

The default socket for clamd is located inside the container as /run/clamav/clamd.sock and can be connected to when exposed via a Docker volume mount. To ensure, that clamd within the container can freely create and remove the socket, the path for the socket is to be volume-mounted, to expose it for others on the same host to use. The following volume can be used for this purpose. Do ensure that the directory on the host actually exists and clamav inside the container has permission to access it. Caution is required when managing permissions, as incorrect permission could open clamd for anyone on the host system.

    --mount type=bind,source=/var/lib/docker/data/clamav/sockets/,target=/run/clamav/


With the socket exposed to the host, any other service can now talk to clamd as well. If for example clamdtop where installed on the local host, calling

clamdtop "/var/lib/docker/data/clamav/sockets/clamd.sock"


should work just fine. Likewise, running clamdtop in a different container, but sharing the socket will equally work. While clamdtop works well as an example here, it is of course important to realize, this can also be used to connect a mail server to clamd.

TCP

ClamAV in the official Docker images is configured to listen for TCP connections on these ports:

• clamd: 3310
• clamav-milter: 7357

While clamd and clamav-milter will listen on the above TCP ports, Docker does not expose these by default to the host. Only within containers can these ports be accessed. To expose, or "publish", these ports to the host, and thus potentially over the (inter)network, the --publish (or --publish-all) flag to docker run can be used. While more advanced/secure mappings can be done as per documentation, the basic way is to --publish [<host_port>:]<container_port> to make the port available to the host.

    --publish 73310:3310 \
--publish 7357


The above would thus publish the milter port 3310 as 73310 on the host and the clamd port 7357 as a random to the host. The random port can be inspected via docker ps.

Warning: Extreme caution is to be taken when using clamd over TCP as there are no protections on that level. All traffic is un-encrypted. Extra care is to be taken when using TCP communications.

Container ClamD health-check

Docker has the ability to run simple ping checks on services running inside containers. If clamd is running inside the container, Docker will on occasion send a ping to clamd on the default port and wait for the pong from clamd. If clamd fails to respond, Docker will treat this as an error. The healthcheck results can be viewed with docker inspect.

Performance

The performance impact of running clamd in Docker is negligible. Docker is in essence just a wrapper around Linux's cgroups and cgroups can be thought of as chroot or FreeBSD's jail. All code is executed on the host without any translation. Docker does however do some isolation (through cgroups) to isolate the various systems somewhat.

Of course, nothing in life is free, and so there is some overhead. Disk-space being the most prominent one. The Docker container might have some duplication of files for example between the host and the container. Further more, also RAM memory may be duplicated for each instance, as there is no RAM-deduplication. Both of which can be solved on the host however. A filesystem that supports disk-deduplication and a memory manager that does RAM-deduplication.

The base container in itself is already very small ~16 MiB, at the time of thiswriting, this cost is still very tiny, where the advantages are very much worththe cost in general.

The container including the virus database is about ~240 MiB at the time of this writing.

Bandwidth

Please, be kind when using 'free' bandwidth, both for the virus databases but also the Docker registry. Try not to download the entire database set or the larger ClamAV database images on a regular basis.

Multiple containers sharing the same mounted databases

You can run multiple containers that share the same database volume, but be aware that the FreshClam daemons on each would compete to update the databases. Most likely, one would update the databases and trigger its ClamD to load the new databases, while the others would be oblivious to the new databases and would continue with the old signatures until the next ClamD self-check.

This is fine, honestly. It won't take that long before the new signatures are detected by ClamD's self-check and the databases are reloaded automatically.

To reload the databases on all ClamD containers immediately after an update, you could disable the FreshClam daemon when you start the containers. Later, use docker exec to perform an update and again as needed to have ClamD load updated databases.

Note: This really isn't necessary but you could do this if you wish.

Exactly how you orchestrate this will depend on your environment. You might do something along these lines:

1. Create a "clam_db" volume, if you don't already have one:

docker volume create clam_db


docker run -it --rm \
--name "clam_container_01" \
--mount source=clam_db,target=/var/lib/clamav \
--env 'CLAMAV_NO_FRESHCLAMD=true' \
clamav/clamav:unstable_base


Wait for the first one to download the databases (if it's a new database volume). Then start more:

docker run -it --rm \
--name "clam_container_02" \
--mount source=clam_db,target=/var/lib/clamav \
--env 'CLAMAV_NO_FRESHCLAMD=true' \
clamav/clamav:unstable_base

3. Check for updates, as needed:

docker exec -it clam_container_01 freshclam --on-update-execute=EXIT_1 || \

Building the library dependencies

There are two options for building and supplying the library dependencies. These are Mussels and vcpkg.

Mussels is an open source project developed in-house by the ClamAV team. It offers great flexibility for defining your own collections (cookbooks) of build instructions (recipes) instead of solely relying on a centralized repository of ports. And unlike vcpkg, Mussels does not implement CMake build tooling for projects that don't support CMake, but instead leverages whatever build system is provided by the project. This means that Mussels builds may require installing additional tools, like NMake and ActivePerl rather than simply requiring CMake. The advantage is that you'll be building those projects the same way that those developers intended, and that Mussels recipes are generally very light weight. Mussels has some sharp edges because it's a newer and much smaller project than vcpkg.

Vcpkg is an open source project developed by Microsoft and is heavily oriented towards CMake projects. Vcpkg offers a very large collection of "ports" for almost any project you may need to build. It is very easy to get started with vcpkg.

Mussels is the preferred tool to supply the library dependencies at least until such time as the vcpkg Debug-build libclamav unit test heap-corruption crash is resolved (see below).

Details for how to use Mussels and vcpkg will be provided with the build instructions (below), as the instructions differ significantly depending on which you choose.

Tip: Installing the Python 3 pytest package is also recommended in case the unit tests fail so that the test output is easy to read. You're welcome to skip it. However, if you have Python 2's pytest installed but not Python 3's pytest, the tests may fail to run.

You can install pytest by running:

python3 -m pip install --user pytest


Extract the archive. You should be able to right click on it and extract it to a folder, then in that folder, do the same for the clamav-[ver].tar file.

The rest of the instructions will assume you've opened Powershell in the clamav source directory.

Build ClamAV

First, make a "build" subdirectory. This will enable you to easily delete your build files if something goes wrong and you need to re-configure and try again.

mkdir build && cd build


Building with Mussels

Building the library dependencies with Mussels

Much like vcpkg, Mussels can be used to automatically build the ClamAV library dependencies. Unlike vcpkg, Mussels does not provide a mechanism for CMake to automatically detect the library paths.

To build the library dependencies with Mussels, use Python's pip package manager to install Mussels:

python3 -m pip install mussels


Update the Mussels cookbooks to get the latest build recipes and set the clamav cookbook to be trusted:

msl update
msl cookbook trust clamav


Use msl list if you wish to see the recipes provided by the clamav cookbook.

To build with Mussels, you may need to install a few extra tools required to build some of the libraries. These include NASM, Perl

Build the clamav_deps recipe to compile ClamAV's library dependencies. By default, Mussels will install them to ~\.mussels\install\<target>

msl build clamav_deps


If this worked, you should be ready to build ClamAV.

Building ClamAV

Next, set $env:CLAMAV_DEPENDENCIES to the location where Mussels built your library dependencies: $env:CLAMAV_DEPENDENCIES="$env:userprofile\.mussels\install\x64"  To configure the project, run: cmake .. -G "Visual Studio 15 2017" -A x64  -D JSONC_INCLUDE_DIR="$env:CLAMAV_DEPENDENCIES\include\json-c"
-D JSONC_LIBRARY="$env:CLAMAV_DEPENDENCIES\lib\json-c.lib"  -D ENABLE_JSON_SHARED=OFF  -D BZIP2_INCLUDE_DIR="$env:CLAMAV_DEPENDENCIES\include"                
-D BZIP2_LIBRARY_RELEASE="$env:CLAMAV_DEPENDENCIES\lib\libbz2.lib"  -D CURL_INCLUDE_DIR="$env:CLAMAV_DEPENDENCIES\include"                 
-D CURL_LIBRARY="$env:CLAMAV_DEPENDENCIES\lib\libcurl_imp.lib"  -D OPENSSL_ROOT_DIR="$env:CLAMAV_DEPENDENCIES"                         
-D OPENSSL_INCLUDE_DIR="$env:CLAMAV_DEPENDENCIES\include"  -D OPENSSL_CRYPTO_LIBRARY="$env:CLAMAV_DEPENDENCIES\lib\libcrypto.lib" 
-D OPENSSL_SSL_LIBRARY="$env:CLAMAV_DEPENDENCIES\lib\libssl.lib"  -D ZLIB_LIBRARY="$env:CLAMAV_DEPENDENCIES\lib\libssl.lib"              
-D LIBXML2_INCLUDE_DIR="$env:CLAMAV_DEPENDENCIES\include"  -D LIBXML2_LIBRARY="$env:CLAMAV_DEPENDENCIES\lib\libxml2.lib"          
-D PCRE2_INCLUDE_DIR="$env:CLAMAV_DEPENDENCIES\include"  -D PCRE2_LIBRARY="$env:CLAMAV_DEPENDENCIES\lib\pcre2-8.lib"            
-D CURSES_INCLUDE_DIR="$env:CLAMAV_DEPENDENCIES\include"  -D CURSES_LIBRARY="$env:CLAMAV_DEPENDENCIES\lib\pdcurses.lib"          
-D PThreadW32_INCLUDE_DIR="$env:CLAMAV_DEPENDENCIES\include"  -D PThreadW32_LIBRARY="$env:CLAMAV_DEPENDENCIES\lib\pthreadVC2.lib"    
-D ZLIB_INCLUDE_DIR="$env:CLAMAV_DEPENDENCIES\include"  -D ZLIB_LIBRARY="$env:CLAMAV_DEPENDENCIES\lib\zlibstatic.lib"          
-D LIBCHECK_INCLUDE_DIR="$env:CLAMAV_DEPENDENCIES\include"  -D LIBCHECK_LIBRARY="$env:CLAMAV_DEPENDENCIES\lib\checkDynamic.lib"    
-D CMAKE_INSTALL_PREFIX="install"


Now, go ahead and build the project:

cmake --build . --config Release


Tip: If you're having include-path issues when building, try building with detailed verbosity so you can verify that the paths are correct:

cmake --build . --config Release -- /verbosity:detailed


You can run the test suite with CTest:

ctest -C Release


And you can install to the install (set above) like this:

cmake --build . --config Release --target install


Tip: For a full list of configuration options, see the "Custom CMake options" section in the INSTALL.md file included with the source code.

Building with vcpkg

vcpkg can be used to build the ClamAV library dependencies automatically.

vcpkg integrates really well with CMake, enabling CMake to find your compiled libraries automatically, so you don't have to specify the include & library paths manually as you do when using Mussels.

DISCLAIMER: There is a known issue with the unit tests when building with vcpkg in Debug mode. When you run the > libclamav unit tests (check_clamav), the program will crash and a popup will claim there was heap corruption. If > you use Task Manager to kill the check_clamav.exe process, the rest of the tests pass just fine. This issue does > not occur when using Mussels to supply the library dependencies. Commenting out the following lines in readdb.c > resolves the heap corruption crash when running check_clamav, but of course introduces a memory leak:

    if (engine->stats_data)
free(engine->stats_data);


If anyone has time to figure out the real cause of the vcpkg Debug-build crash in check_clamav, it would be greatly appreciated.

You'll need to install vcpkg. See the vcpkg README for installation instructions.

Once installed, set the variable $VCPKG_PATH to the location where you installed vcpkg: $VCPKG_PATH="..." # Path to your vcpkg installation


By default, CMake and vcpkg build for 32-bit. If you want to build for 64-bit, set the VCPKG_DEFAULT_TRIPLET environment variable:

$env:VCPKG_DEFAULT_TRIPLET="x64-windows"  Next, use vcpkg to build the required library dependencies: & "$VCPKG_PATH\vcpkg" install 'curl[openssl]' 'json-c' 'libxml2' 'pcre2' 'pthreads' 'zlib' 'pdcurses' 'bzip2' 'check'


Now configure the ClamAV build using the CMAKE_TOOLCHAIN_FILE variable which will enable CMake to automatically find the libraries we built with vcpkg.

cmake .. -A x64
-D CMAKE_TOOLCHAIN_FILE="$VCPKG_PATH\scripts\buildsystems\vcpkg.cmake"  -D CMAKE_INSTALL_PREFIX="install"  Tip: You have to drop the -A x64 arguments if you're building for 32-bits, and correct the package paths accordingly. Now, go ahead and build the project: cmake --build . --config Release  You can run the test suite with CTest: ctest -C Release  And you can install to the install directory (set above) like this: cmake --build . --config Release --target install  Build the Installer To build the installer, you must have WIX Toolset installed. If you're using Chocolatey, you can install it simply with choco install wixtoolset and then open a new terminal so that WIX will be in your PATH. cpack -C Release  What now? Now that ClamAV is installed, you will want to customize your configuration and perhaps set up some scanning automation and alerting mechanisms. Continue on to "Configuration"... Community Projects Disclaimer: The software listed in this section is authored by third parties and not by the ClamAV Team. Compatibility may vary. Signatures The ClamAV Team provides FreshClam for ClamAV agents to update the official signature databases and provides CVD-Update for Private Mirror administrators to update their server content. Both FreshClam and CVD-Update have some limited features to update signatures from third-party sources but community tools exist that are designed for this purpose and provide a more complete experience for users that want the extra coverage. WARNING: While there are no known vulnerabilities in using traditional content-based and hash-based ClamAV signatures, bytecode signatures are a different story. Bytecode signatures are effectively cross-platform executable plugins similar to Web Assembly (WASM) but with less sandboxing. ClamScan and ClamD will not run unsigned bytecode signatures by default. Cisco-Talos' signing certificate is the only certificate trusted by ClamAV to run bytecode signatures. Both ClamD and ClamScan have options to run unsigned bytecode signatures but you should NEVER enable unsigned bytecode signatures in production when using signatures from third-party sources or a malicious bytecode signature author could gain control of your systems. ClamBC is a tool installed with ClamAV for testing bytecode signatures and should also NEVER be used to run signatures from an unknown or untrusted source. Fangfrish Fangfrisch (German for "freshly caught") is a sibling of the Clam Anti-Virus FreshClam utility. It allows downloading virus definition files that are not official ClamAV canon, e.g. from Sanesecurity, URLhaus and others. Fangfrisch was designed with security in mind, to be run by an unprivileged user only. Detailed documentation is available online. Get fangfrish Mail Filters ClamAV is popular for filtering mail. The ClamAV Team maintains ClamAV-Milter, which is a filter for the Sendmail mail transfer agent and the ClamAV community have created a wide variety of other tools to use ClamAV with different mail transfer agents. Generic Mail Transfer Agents amavisd-new | clamd, clamscan amavisd-new is a high-performance interface between mailer (MTA) and content checkers: virus scanners, and/or SpamAssassin. It is written in Perl for maintainability, without paying a significant price for speed. It talks to MTA via (E)SMTP or LMTP, or by using helper programs. Best with Postfix, fine with dual-sendmail setup and Exim v4, works with sendmail/milter, or with any MTA as a SMTP relay. For Courier and qmail MTA integration there is a patch in the distributed package. amavisd-new is a rewritten version of Amavis and is maintained by Mark Martinec. ClamScan is enabled automatically if clamscan binary is found at amavisd-new startup time. ClamD is activated by uncommenting its entry in the @av_scanners list in the file /etc/amavisd.conf. Get amavisd-new Sendmail MIMEDefang | clamscan, clamd MIMEDefang is an efficient mail scanner for Sendmail/milter written in C, Perl. Get MIMEDefang Postfix ClamSMTP | clamd ClamSMTP is an SMTP filter for Postfix and other mail servers that checks for viruses using the ClamAV anti-virus software. It aims to be lightweight, reliable, and simple rather than have a myriad of options. Written in C without major dependencies. Get ClamSMTP Clapf | libclamav Clapf is a clamav based virus scanning and anti-spam content filter for Postfix. Get clapf Exim Starting with release 4.50, Exim natively supports ClamAV. Get exim Others Mail Avenger | clamscan Mail Avenger is a highly-configurable SMTP server. It allows you to reject spam during mail transactions, before spooling messages in your local mail queue. You can specify site-wide default policies for filtering mail, but individual users can also craft their own policies by creating avenger scripts in their home directories. Get Mail Avenger MailScanner | clamscan MailScanner scans all e-mail for viruses, spam and attacks against security vulnerabilities. It is not tied to any particular virus scanner, but can be used with any combination of 14 different virus scanners, allowing sites to choose the best of breed virus scanner. Get Mail Scanner Sagator | clamscan, clamd, libclamav Sagator is an email antivirus/antispam gateway. Its modular architecture can use any combination of antivirus/spamchecker according to configuration. Get Sagator Courier-MTA | libclamav, clamavd Courier MTA includes four filers. courier-pythonfilter by Gordon Messner. Included in a Python filter suite, it uses pyClamAV (libclamav with python) Courier::Filter::Module::ClamAVd by Julian Mehnle. A Perl module for use with Courier::Filter, using clamavd. ClamCour by Tony Di Monaco. A C++ (with Boost) multithreaded filter using libclamav avfilter by Alessandro Vesely. A C forking filter using libclamav. Get Courier-MTA Haraka | clamd Haraka is a robust MTA written in node.js, with a modular architecture that lets plugins control nearly every aspect of the SMTP conversation. There is a large selection of included plugins, including a clamav plugin (docs, source) that filters messages using clamd. Haraka is attractive to two audiences: 1. Anyone managing mail systems with thousands or tens-of-thousands of concurrent incoming SMTP connections (like Craigslist) and wants to do with it fewer racks of servers. 2. Developers who need more control over mail routing, filtering, and processing than can be easily or efficiently handled with traditional (milter-based) MTAs. Get Haraka Web & FTP Tools Clammit | clamd Clammit is a proxy that will perform virus scans of files uploaded via http requests, including multipart/form-data. If a virus exists, it will reject the request out of hand. If no virus exists, the request is then forwarded to the application and it's response returned in the upstream direction. As the name implies, Clammit offloads the virus detection to the ClamAV virus detection server (clamd). Get Clammit Clara Serverless, real-time, ClamAV+Yara scanning for your S3 Buckets Get Clara bucket-antivirus-function Scan new objects added to any s3 bucket using AWS Lambda. Get bucket-antivirus-function cdk-serverless-clamscan An aws-cdk construct that uses ClamAV® to scan objects in Amazon S3 for viruses. The construct provides a flexible interface for a system to act based on the results of a ClamAV virus scan. Get cdk-serverless-clamscan HAVP | libclamav HAVP is a proxy with an antivirus filter. It does not cache or filter content. At the moment the complete traffic is scanned. A reason for that is the chance of malicious code in nearly every filetypes e.g. HTML (JavaScript) or Jpeg. Get HAVP mod_clamav | libclamav, clamd mod_clamav is an Apache virus scanning filter. It was written and is currently maintained by Andreas Müller. The project is very well documented and the installation is quite easy. Get mod_clamav phpMussel | clamav phpMussel is a PHP-based script based upon ClamAV signatures designed to detect trojans, viruses, malware and other threats within files uploaded to your system wherever the script is hooked. Written by Maikuolan Get phpMussel SpamAssassin - ClamAVPlugin | clamd A ClamAV plug in fpr SpamAssassin 3.X Get ClamAVPlugin clamav-rest Simple ClamAV REST proxy. Builds on top of clamav-java which is a minimal Java client for ClamAV. Get clamav-rest Filesystem & On-Access Scanning Clam Sentinel Clam sentinel is a program that detects file system changes and automatically scans the files added or modified using ClamWin. Require the installation of ClamWin. For Microsoft Windows 98/98SE/Me/2000/XP/Vista, Windows 7 and Windows 8.1. Get Clam Sentinel ClamFS | clamd ClamFS is a FUSE-based user-space file system for Linux and BSD with on-access anti-virus file scanning through clamd daemon (a file scanning service developed by ClamAV Project). Features: • Scans files using ClamAV • User-space file system (no kernel patches, modules, recompilations, etc.) • Based on libFUSE version 3 (until version 1.1.0 on libFUSE v2) • Implements all clamd scan modes: fname, fdpass and stream • Supports remote clamd instances in stream mode over TCP/IP socket • Caches scan results in a LRU cache with time-based and out-of-memory expiration • Configuration stored in XML files • Supports ulockmgr • Sends mails to administrator when detects virus Get ClamFS Avfs | ClamAV Avfs, a true on-access anti-virus file system that incrementally scans files and prevents infected data from being committed to disk. Avfs is a stackable file system and therefore can add virus detection to any other file system: Ext3, NFS, etc. Avfs supports forensic modes that can prevent a virus from reaching the disk or automatically create versions of potentially infected files to allow safe recovery. Avfs can also quarantine infected files on disk and isolate them from user processes. Avfs uses a matching algorithm that is derived from ClamAV but with changes to optimize scan time for larger signature sets. Though this project does not appear to be maintained or used elsewhere, the research was really good work and may inspire optimizations in ClamAV in the future. More about Avfs Mail User Agents Claws Mail Claws Mail is a user-friendly, lightweight, and fast email client. Claws Mail has a ClamD plugin for scanning received messages using ClamAV. Get Claws Mail Kmail | clamscan Mail is a fully-featured email client that fits nicely into the K Desktop Environment, KDE. It supports attachment scanning with clamscan. Get Kmail Open Webmail modules | clamscan Open WebMail by default can use ClamAV as the external viruscheck module to scan messages fetched from pop3 servers or all incoming messages. If a message or its attachments is found to have virus, Open WebMail will move the message from INBOX to the VIRUS folder automatically. Get Open Webmail ClamAV Bindings Rust clamav-rs | libclamav A safe Rust binding for libclamav. clamav-rs uses clamav-sys to wrap the libclamav C API. Get clamav-rs clamav-sys | libclamav clamav-sys is a minimal Rust interface around libclamav. This package is not supposed to be used stand-alone, but only through its safe wrapper, clamav-rs. Get clamav-sys rust-clamav | libclamav Like clamav-rs. rust-clamav is a safe library for interacting with libclamav from Rust. The low-level C API is wrapped in idomatic and safe Rust code. Get rust-clamav Perl File::Scan::ClamAV | clamd A Perl module for interacting with ClamD. File::Scan::ClamAV will connect to a local Clam Anti-Virus clamd service and send commands. Get File::Scan::ClamAV Mail::ClamAV | libclamav Perl extension for the ClamAV virus scanner. Get Mail::ClamAV Ruby Clamby | clamscan + freshclam Ruby binding for scanning file uploads using ClamScan. If you have a file upload on your site and you do not scan the files for viruses then you not only compromise your software, but also the users of the software and their files. This gem's function is to simply scan a given file. Get Clamby ClamAV::Client | clamd ClamAV::Client is a client library that can talk to the clam daemon. Get ClamAV::Client PHP PHP ClamAV | clamd PHP Client to connect to ClamAV daemon over TCP or using a local socket from command line and scan your storage files for viruses. Get PHP ClamAV PHP ClamAV Scan | clamd A simple PHP class for scanning files using a LOCAL ClamAV/clamd install either via a socket file or network socket (windows). Can either be used on its own or dropped into a Codeigniter app as a library. The main reason this was created was because the legacy php-clamav module is not compatible with PHP 7 and all other options I found were either not drop in compatible with CodeIgniter or were designed for use with Composer. Get PHP ClamAV Python clamd | clamd clamd is a portable Python module to use the ClamAV anti-virus engine on Windows, Linux, MacOSX and other platforms. It requires a running instance of the clamd daemon. This is a fork of pyClamd v0.2.0 created by Philippe Lagadec and published on his website: http://www.decalage.info/en/python/pyclamd which in turn is a slightly improved version of pyClamd v0.1.1 created by Alexandre Norman and published on his website: http://xael.org/norman/python/pyclamd/ Get clamd Python ClamAV | libclamav Python wrapper for libclamav using ctypes. Python ClamAV is a part of the ClamWin project. Get Python ClamAV pyClamd | clamd Add virus detection capabilities to your python software in an efficient and easy way. Get pyClamd Java clamav-java Simple ClamAV Java client. See also ClamAV REST service which builds on top of this. Get clamav-java Miscellaneous Tools IPCop | ClamAV IPCop Linux is a complete Linux Distribution whose sole purpose is to protect the networks it is installed on. ClamAV is included. Get IPCop Endian Firewall | ClamAV Endian Firewall Community (EFW) is a turn-key Linux security distribution that can transform any bare-metal appliance into a full-featured Unified Threat Management solution. Endian is designed to be the easiest security product to install, configure and use! Get Endian Firewall ClamTK | ClamAV ClamTk is a GUI front-end for ClamAV using gtk2-perl. It is designed to be an easy-to-use, on-demand scanner for Linux systems. ClamTk has been ported to Fedora, Debian, RedHat, openSUSE, ALT Linux, Ubuntu, CentOS, Gentoo, Archlinux, Mandriva, PCLinuxOS, FreeBSD, and others. Get ClamTK ClamWin | ClamAV ClamWin is a Free Antivirus program for Microsoft Windows 10 / 8 / 7 / Vista / XP / Me / 2000 / 98 and Windows Server 2012, 2008 and 2003. Get ClamWin Add a service user account If you're planning to run freshclam or clamd as a service on a Linux or Unix system, you should create a service account. The following instructions assume that you will use the an account named "clamav" for both services, although you may create a different account name for each if you wish. Note: These instructions are mostly just for folks building & installing from source. If you installed a package from your Linux/Unix distribution, it probably created the account(s) for you. Create a service user account (and group) Linux / Unix As root or with sudo, run: groupadd clamav useradd -g clamav -s /bin/false -c "Clam Antivirus" clamav  If your operating system does not have the groupadd and useradd utilities, consult a system manual. Don’t forget to lock access to the account! macOS Prep by identifying an unused group id (gid), and an unused user UniqueID. This command will display all current group PrimaryGroupIDs: dscl . list /Groups PrimaryGroupID | tr -s ' ' | sort -n -t ' ' -k2,2  This command will display all current user UniqueIDs: dscl . list /Users UniqueID | tr -s ' ' | sort -n -t ' ' -k2,2  Then, these commands can be used to create the clamav group and clamav user. sudo dscl . create /Groups/clamav sudo dscl . create /Groups/clamav RealName "Clam Antivirus Group" sudo dscl . create /Groups/clamav gid 799 # Ensure this is unique! sudo dscl . create /Users/clamav sudo dscl . create /Users/clamav RealName "Clam Antivirus User" sudo dscl . create /Users/clamav UserShell /bin/false sudo dscl . create /Users/clamav UniqueID 599 # Ensure this is unique! sudo dscl . create /Users/clamav PrimaryGroupID 799 # Must match the above gid!  About how the service accounts are used At present, the behavior differs slightly between clamd and freshclam. When run as root: • freshclam will always switch to run as the "DatabaseOwner" user account. The default account name is "clamav", or may be customized by specifying the "DatabaseOwner" setting in freshclam.conf. • clamd will only switch to run as the "User" user account if the "User" setting is specified in clamd.conf. If you do not specify a "User" in the config, clamd will continue to run as the root user! We may change this behavior in a future version to prevent clamd from being run as root. Caution: We do not recommend running clamd as root for safety reasons because ClamAV scans untrusted files that may be malware. Always configure the "User" setting in clamd.conf if you plan to run clamd as a service. On Unix/Linux systems, freshclam and clamd will switch to run as a different user if you start them as the root user, or using sudo. By default, that user account is named "clamav". The purpose is t If you are running freshclam and clamd as root or with sudo, and you did not explicitly configure with --disable-clamav, you will want to ensure that the DatabaseOwner user specified in freshclam.conf owns the database directory so it can download signature updates. The user that clamd, clamdscan, and clamscan run as may be the same user, but if it isn't -- it merely needs read access to the database directory. If you choose to use the default clamav user to run freshclam and clamd, you'll need to create the clamav group and the clamav user account the first time you install ClamAV. After installation: Make the service account own the database directory After you've installed ClamAV, you will want to make it so that the database directory is owned by the same service account as you're using for freshclam. As root or with sudo, run: sudo chown -R clamav:clamav /usr/local/share/clamav  Or (if you customized the database path): chown -R clamav:clamav /var/lib/clamav/  Usage Table Of Contents Purpose This user guide presents an overview of the various ways that libclamav can be used through the tools provided by ClamAV. To learn more about how to better use each facet of ClamAV that interests you, please follow the links provided. Daemon The ClamAV Daemon, or clamd, is a multi-threaded daemon that uses libclamav to scan files for viruses. ClamAV provides a number of tools which interface with this daemon. They are, as follows: Scanner ClamAV also provides a command-line tool for simple scanning tasks with libclamav called clamscan. Unlike the daemon, clamscan is not a persistent process and is best suited for use cases where one-time scanning with minimal setup is needed. Signature Testing and Management A number of tools allow for testing and management of signatures. Of note are the following: Configuration The more complex tools ClamAV provides each require some degree of configuration. ClamAV supplies two example configuration files: ClamAV also provides a mail filtering tool called clamav-milter which can be attached to a clamd instance for mail scanning purposes. Additionally, a tool called clamconf allows users to check the configurations used by each other tool, pulling information from the configuration files listed above, alongside other relevant information. Configuration Table Of Contents First Time Set-Up Depending on your install method and your operating system, some configuration options may have been pre-configured. For example a clamav install on Ubuntu with apt install will place configs in /etc/clamav. However, it is likely that you will need to create new config files or modify the existing ones with custom settings that make the most sense for your use case. A from-source install will require you to create a freshclam.conf before you can use FreshClam, a clamd.conf before you can use ClamD, and a clamav-milter.conf before you can use ClamAV-Milter. A default install from source will place the example configs in /usr/local/etc/ on Unix/Linux systems and in the install directory under conf_examples on Windows. These examples demonstrate each of the options and may help you decide how to configure ClamAV to suit your needs. But again the location of these examples may vary depending on how you installed ClamAV. To continue with the Ubuntu example, you may find the FreshClam config from an apt install in /usr/share/doc/clamav-freshclam/examples/. So if you're unsure where the example configs are on your system, you may wish to use ClamConf to generate them. Here are some quick steps to get you started. Unix Run these to generate example configs, if needed: clamconf -g freshclam.conf > freshclam.conf clamconf -g clamd.conf > clamd.conf clamconf -g clamav-milter.conf > clamav-milter.conf  Or if you have the examples already, copy them to drop the .example extension: cp freshclam.conf.example freshclam.conf cp clamd.conf.example clamd.conf cp clamav-milter.conf.example clamav-milter.conf  Next up, edit the configs you need. There are tips below for each of freshclam.conf, clamd.conf, and clamav-milter. Windows In a PowerShell terminal in the install directory, perform the following tasks: Run: copy .\conf_examples\freshclam.conf.sample .\freshclam.conf copy .\conf_examples\clamd.conf.sample .\clamd.conf  Run: write.exe .\freshclam.conf  WordPad will pop up. Delete the line that says "Example". You may also wish to set additional options to enable features or alter default behavior, such as the receive-timeout. Save the file and close WordPad. Run: write.exe .\clamd.conf  WordPad will pop up. Delete the line that says "Example". You may also wish to set additional options to enable features or alter default behavior, such as enabling logging. Save the file and close WordPad. Additional notes about the config files and database directories The install directory is but one of a few locations ClamAV may search for configs and for signature databases. Config files path search order: 1. The content of the registry key: "HKEY_LOCAL_MACHINE/Software/ClamAV/ConfDir" 2. The directory where libclamav.dll is located: "C:\Program Files\ClamAV" 3. "C:\ClamAV" Database files path search order: 1. The content of the registry key: "HKEY_LOCAL_MACHINE/Software/ClamAV/DataDir" 2. The directory "database" inside the directory where libclamav.dll is located: "C:\Program Files\ClamAV\database" 3. "C:\ClamAV\db" freshclam.conf freshclam is the automatic database update tool for Clam AntiVirus. It can be configured to work in two modes: • interactive - on demand from command line • daemon - silently in the background freshclam is an advanced tool: it supports scripted updates (instead of transferring the whole CVD file at each update it only transfers the differences between the latest and the current database via a special script), database version checks through DNS, proxy servers (with authentication), digital signatures and various error scenarios. Quick test: run freshclam (as superuser) with no parameters and check the output. freshclam  If everything is OK you may create the log file in /var/log (ensure the directory is owned either by clamav or whichever user freshclam will be running as): touch /var/log/freshclam.log chmod 600 /var/log/freshclam.log chown clamav /var/log/freshclam.log  Now you should edit the configuration file freshclam.conf and point the UpdateLogFile directive to the log file. Finally, to run freshclam in the daemon mode, execute: freshclam -d  The other way is to use the cron daemon. You have to add the following line to the crontab of root or clamav user: N * * * * /usr/local/bin/freshclam --quiet  to check for a new database every hour. N should be a number between 3 and 57 of your choice. Please don’t choose any multiple of 10, because there are already too many clients using those time slots. Proxy settings are only configurable via the configuration file and freshclam will require strict permission settings for the config file when HTTPProxyPassword is turned on. HTTPProxyServer myproxyserver.com HTTPProxyPort 1234 HTTPProxyUsername myusername HTTPProxyPassword mypass  Other freshclam.conf settings If your freshclam.conf was derived from the freshclam.conf.sample, you should find many other options that are simply commented out. If not, seek out the freshclam.conf.sample file, or on Linux/Unix systems run man freshclam.conf. Take the time to look through the options. You can enable the sample options by deleting the # comment characters. Some popular options to enable include: • LogTime • LogRotate • NotifyClamd • DatabaseOwner clamd.conf Currently, ClamAV requires users to edit their clamd.conf.example file before they can run the daemon. At a bare minimum, users will need to comment out the line that reads "Example", else clamd will consider the configuration invalid, ala: # Comment or remove the line below. #Example  You will also need to rename clamd.conf.example to clamd.conf via: mv ./clamd.conf.example ./clamd.conf  If you are setting up a simple, local clamd instance then some other configuration options of interests to you will be as follows: # Path to a local socket file the daemon will listen on. # Default: disabled (must be specified by a user) LocalSocket /tmp/clamd.socket ... # Sets the permissions on the unix socket to the specified mode. # Default: disabled (socket is world accessible) LocalSocketMode 660  Beyond that, clamd.conf is well commented and configuration should be straightforward. If needed, you can find out even more about the formatting and options available in clamd.conf with the command: man clamd.conf  Other clamd.conf settings If your clamd.conf was derived from the clamd.conf.sample, you should find many other options that are simply commented out. If not, seek out the clamd.conf.sample file, or on Linux/Unix systems run man clamd.conf. Take the time to look through the options. You can enable the sample options by deleting the # comment characters. Some popular options to enable include: • LogTime • LogClean • LogRotate • User • ScanOnAccess • OnAccessIncludePath • OnAccessExcludePath • OnAccessPrevention On-Access Scanning You can configure On-Access Scanning through clamd.conf. Configuration for On-Access Scanning starts in the second half of clamd.conf.sample starting with "On-access Scan Settings". All options are grouped acording to use and roughly ordered by importance in those groupings. Please carefully read the explanation of each option to see if it might be of use to you. Also read the on-access section of the Usage manual for further details on using On-Access Scanning. clamav-milter.conf ClamAV includes a mail filtering tool called clamav-milter. This tool interfaces directly with clamd, and thus requires a working clamd instance to run. However, clamav-milter's configuration and log files are separate from that of clamd. Ensuring ClamAV compiles with clamav-milter must be done at configure time with the command: ./configure [options] --enable-milter  This requires having the milter library installed on your system. If libmilter is not installed, ./configure will exit with this error message: checking for mi_stop in -lmilter... no configure: error: Cannot find libmilter  While not necessarily complicated, setting up the clamav-milter is an involved process. Thus, we recommend consulting your MTA’s manual on how to best connect ClamAV with the clamav-milter. Users and on user privileges If you are running freshclam and clamd as root or with sudo, and you did not explicitly configure with --disable-clamav, you will want to ensure that the DatabaseOwner user specified in freshclam.conf owns the database directory so it can download signature updates. The user that clamd, clamdscan, and clamscan run as may be the same user, but if it isn't -- it merely needs read access to the database directory. If you choose to use the default clamav user to run freshclam and clamd, you'll need to create the clamav group and the clamav user account the first time you install ClamAV. groupadd clamav useradd -g clamav -s /bin/false -c "Clam Antivirus" clamav  Finally, you will want to set user ownership of the database directory. For example: sudo chown -R clamav:clamav /usr/local/share/clamav  Configure SELinux for ClamAV Certain distributions (notably RedHat variants) when operating with SELinux enabled use the non-standard antivirus_can_scan_system SELinux option instead of clamd_can_scan_system. At this time, libclamav only sets the clamd_can_scan_system option, so you may need to manually enable antivirus_can_scan_system. If you don't perform this step, freshclam will log something like this when it tests the newly downloaded signature databases: During database load : LibClamAV Warning: RWX mapping denied: Can't allocate RWX Memory: Permission denied  To allow ClamAV to operate under SELinux, run the following: setsebool -P antivirus_can_scan_system 1  ClamConf clamconf is a tool ClamAV provides for checking your entire system configuration, as it relates to your ClamAV installation. When run, it displays values used when configuring ClamAV at compilation time, important OS details, the contents (and validity) of both clamd.conf and freshclam.conf, along with other important engine, database, platform, and build information. It can also generate example configuration files for clamd.conf and freshclam.conf. To use clamconf, and see all the information it provides, simply run the following command: clamconf  For more detailed information on clamconf, run: clamconf --help  or on Unix systems: man clamconf  Next Steps Now that you have the config file basics, it's time to learn about signature databases and how to keep yours up-to-date. Signature Testing and Management Table Of Contents Tip: The commands on Windows are generally the same, but you may need to add the .exe extension to run the ClamAV applications. FreshClam Before you can start the ClamAV scanning engine (using either clamd or clamscan), you must first have ClamAV Virus Database (.cvd) file(s) installed in the appropriate location on your system. The tool freshclam is used to download and update ClamAV’s official virus signature databases. While easy to use in its base configuration, freshclam does require a working freshclam.conf configuration file to run (the location of which can be passed in via command line if the default search location does not fit your needs). Once you have a valid configuration file, you can invoke FreshClam with the following command: freshclam  By default, freshclam will then attempt to connect to ClamAV's virus signature database distribution network. If no databases exist in the directory specified, freshclam will do a fresh download of the requested databases. Otherwise, freshclam will attempt to update existing databases, pairing them against downloaded cdiffs. If a database is found to be corrupted, it is not updated and instead replaced with a fresh download. Of course, all this behavior--and more--can be changed to suit your needs by modifying freshclam.conf and/or using various command line options. You can find more information about FreshClam with the commands: Unix/Linux: freshclam --help  Or (Unix/Linux only): man freshclam  Tip: Newer versions of FreshClam will create your database directory if it doesn't already exist. Older versions won't, and may fail unless you create it first. Important: It is common on Ubuntu after a fresh install to see the following error the first time you use ClamAV: freshclam freshclam: error while loading shared libraries: libclamav.so.7: cannot open shared object file: No such file or directory  You can fix this error by using ldconfig to rebuild the library search path. sudo ldconfig  SigTool ClamAV provides sigtool as a command-line testing tool for assisting users in their efforts creating and working with virus signatures. While sigtool has many uses--including crafting signatures--of particular note, is sigtool's ability to help users and analysts in determining if a file detected by libclamav's virus signatures is a false positive. This can be accomplished by using the command: sigtool --unpack=FILE  Where FILE points to your virus signature databases. Then, once sigtool has finished unpacking the database into the directory from which you ran the command, you can search for the offending signature name (provided either by clamscan scan reports or clamd logs). As an example: grep "Win.Test.EICAR" ./*  Or, do all that in one step with: sigtool --find="Win.Test.EICAR"  This should give you the offending signature(s) in question, which can then be included as part of your false positive report. To learn more in depth information on how sigtool can be used to help create virus signatures and work with malicious (and non-malicious) files please reference the many online tutorials on the topic. Otherwise, information on available sigtool functions can be easily referenced with: sigtool --help  Or (Unix/Linux only): man sigtool  ClamBC clambc is Clam Anti-Virus’ bytecode signature testing tool. It can be used to test newly crafted bytecode signatures or to help verify existing bytecode is executing against a sample as expected. For more detailed help, please use: clambc --help  Or (Unix/Linux only): man clambc  Next Steps Now that you know more about FreshClam and tools to work with the signature databases, it's time to run your first scan. Create your own signatures There is a whole community of malware researchers and signature writers. If you'd like to learn how to craft your own signatures, you can! Scanning Table Of Contents Tip: The commands on Windows are generally the same, but you may need to add the .exe extension to run the ClamAV applications. Daemon ClamD clamd is a multi-threaded daemon that uses libclamav to scan files for viruses. Scanning behavior can be fully configured to fit most needs by modifying clamd.conf. As clamd requires a virus signature database to run, we recommend setting up ClamAV's official signatures before running clamd using freshclam. The daemon works by listening for commands on the sockets specified in clamd.conf. Listening is supported over both unix local sockets and TCP sockets. IMPORTANT: clamd does not currently protect or authenticate traffic coming over the TCP socket, meaning it will accept any and all of the following commands listed from any source. Thus, we strongly recommend following best networking practices when setting up your clamd instance. I.e. don't expose your TCP socket to the Internet. Here is a quick list of the commands accepted by clamd over the socket. • PING • VERSION • RELOAD • SHUTDOWN • SCAN file/directory • RAWSCAN file/directory • CONTSCAN file/directory • MULTISCAN file/directory • ALLMATCHSCAN file/directory • INSTREAM • FILDES • STATS • IDSESSION, END As with most ClamAV tools, you can find out more about these by invoking the command: man clamd  The daemon also handles the following signals as so: • SIGTERM - perform a clean exit • SIGHUP - reopen the log file • SIGUSR2 - reload the database It should be noted that clamd should not be started using the shell operator & or other external tools which would start it as a background process. Instead, you should run clamd which will load the database and then daemonize itself (unless you have specified otherwise in clamd.conf). After that, clamd is ready to accept connections and perform file scanning. Once you have set up your configuration to your liking, and understand how you will be sending commands to the daemon, running clamd itself is simple. Simply execute the command: clamd  ClamDScan clamdscan is a clamd client, which greatly simplifies the task of scanning files with clamd. It sends commands to the clamd daemon across the socket specified in clamd.conf and generates a scan report after all requested scanning has been completed by the daemon. Thus, to run clamdscan, you must have an instance of clamd already running as well. Please keep in mind, that as a simple scanning client, clamdscan cannot change scanning and engine configurations. These are tied to the clamd instance and the configuration you set up in clamd.conf. Therefore, while clamdscan will accept many of the same commands as its sister tool clamscan, it will simply ignore most of them as (by design) no mechanism exists to make ClamAV engine configuration changes over the clamd socket. Again, running clamdscan, once you have a working clamd instance, is simple: clamdscan [*options*] [*file/directory/-*]  ClamDTop clamdtop is a tool to monitor one or multiple instances of clamd. It has a colorized ncurses interface, which shows each job queued, memory usage, and information about the loaded signature database for the connected clamd instance(s). By default it will attempt to connect to the local clamd as defined in clamd.conf. However, you can specify other clamd instances at the command line. To learn more, use the commands man clamdtop  or clamdtop --help  On-Access Scanning The ClamOnAcc application provides On-Access Scanning for Linux systems. On-Access Scanning is a form of real-time protection that uses ClamD to scan files when they're accessed. ClamOnAcc (v0.102+) ClamAV's On-Access Scanning (clamonacc) is a client that runs in its own application alongside, but separately from the clamd instance. The On-Access Scanner is capable of preventing access to/from any malicious files it discovers--based on the verdict it receives from clamd--but by default it is configured to run in notify-only mode, which means it will simply alert the user if a malicious file is detected, then take any additional actions that the user may have specified at the command line, but it will not actively prevent processes from reading or writing to that file. Disclaimer: Enabling Prevention mode will seriously impact performance if used on commonly accessed directories. Tip: You can run ClamOnAcc multiple times simultaneously, each with a different config. If you want to enable Prevention-mode for one directory, while sticking to notify-only mode for any other monitored directories, that's an option! On-Access Scanning is primarily set up through clamd.conf. However, you can learn more about all the configuration and command line options available to you by reading the On-Access Scanning User Guide. Once you have set up the On-Access Scanner (and clamd) to your liking, you will first need to run clamd before you can start it. If your clamd instance is local, it is required you run clamd as a user that is excluded (via OnAccessExcludeUname or OnAccessExcludeUID) from On-Access scanning events (e.g.) to prevent clamonacc from triggering events endlessly as it sends scan requests to clamd: su - clamav -c "/usr/local/bin/clamd  After the daemon is running, you can start the On-Access Scanner. clamonacc must be run as root in order to utilize its kernel event detection and intervention features: sudo clamonacc  It will run a number of startup checks to test for a sane configuration, and ensure it can connect to clamd, and if everything checks out clamonacc will automatically fork to the background and begin monitoring your system for events. ClamD (v0.101) In older versions, ClamAV's On-Access Scanner is a thread that runs within a clamd instance. The On-Access Scanner is capable of blocking access to/from any malicious files it discovers--based on the verdict it finds using the engine it shares with clamd--but by default it is configured to run in notify-only mode, which means it will simply alert the user if a malicious file is detected, but it will not actively prevent processes from reading or writing to that file. On-Access Scanning is primarily set up through clamd.conf. However, you can learn more about all the configuration and command line options available to you by reading the On-Access Scanning User Guide. Once you have set up the On-Access Scanner to your liking, you will need to run clamd will elevated permissions to start it. sudo clamd  One-Time Scanning ClamScan clamscan is a command line tool which uses libclamav to scan files and/or directories for viruses. Unlike clamdscan, clamscan does not require a running clamd instance to function. Instead, clamscan will create a new engine and load in the virus database each time it is run. It will then scan the files and/or directories specified at the command line, create a scan report, and exit. By default, when loading databases, clamscan will check the location to which freshclam installed the virus database signatures. This behavior, along with a myriad of other scanning and engine controls, can be modified by providing flags and other options at the command line. There are too many options to list all of them here. So we'll only cover a few common and more interesting ones: • --log=FILE - save scan report to FILE • --database=FILE/DIR - load virus database from FILE or load all supported db files from DIR • --official-db-only[=yes/no(*)] - only load official signatures • --max-filesize=#n - files larger than this will be skipped and assumed clean • --max-scansize=#n - the maximum amount of data to scan for each container file • --leave-temps[=yes/no(*)]- do not remove temporary files • --file-list=FILE - scan files from FILE • --quiet - only output error messages • --bell - sound bell on virus detection • --cross-fs[=yes(*)/no] - scan files and directories on other filesystems • --move=DIRECTORY - move infected files into DIRECTORY • --copy=DIRECTORY - copy infected files into DIRECTORY • --bytecode-timeout=N - set bytecode timeout (in milliseconds) • --heuristic-alerts[=yes(*)/no] - toggles heuristic alerts • --alert-encrypted[=yes/no(*)] - alert on encrypted archives and documents • --nocerts - disable authenticode certificate chain verification in PE files • --disable-cache - disable caching and cache checks for hash sums of scanned files To learn more about the options available when using clamscan please reference: man clamscan  and clamscan --help  Otherwise, the general usage of clamscan is: clamscan [options] [file/directory/-]  Some basic scans Run this to scan the files in the current directory: clamscan .  This will scan the current directory. At the end of the scan, it will display a summary. If you notice in the clamscan output, it only scanned something like 60 files, even though there are more files in subdirectories. By default, clamscan will only scan files in the current directory. Run this to scan all the files in the current directory: clamscan --recursive .  Run this to scan ALL the files on your system, it will take quite a while. Keep in mind that you can cancel it at any time by pressing Ctrl-C: Linux/Unix: clamscan.exe --recursive /  Windows: clamscan.exe --recursive C:\  Disclaimers Disclaimer: ClamAV doesn't have a "quick scan" mode. ClamAV is malware detection toolkit, not an endpoint security suite. It's up to you to decide what to scan. A full system scan is going to take a long time with ClamAV or with any anti-virus software. Disclaimer 2: ClamScan, ClamOnAcc, and ClamDScan each include --remove options for deleting any file which alerts during a scan. This is generally a terrible idea, unless you're monitoring an upload/downloads directory. False positives happen! You do not want to have the wrong file accidentally deleted. Instead, consider using --move or perhaps just --copy and set up script with the ClamD VirusEvent feature to notify you when something has been detected. Windows-specific Issues Globbing Since the Windows command prompt doesn't take care of wildcard expansion, minimal emulation of unix glob() is performed internally. It supports * and ? only. File paths Please always use the backslash as the path separator. SMB Network shares and UNC paths are supported. Socket and libclamav API Input The Windows version of ClamAV requires all the input to be UTF-8 encoded. This affects: • The API, notably the cl_scanfile() function • ClamD socket input, e.g. the commands SCAN, CONTSCAN, MUTLISCAN, etc. • ClamD socket output, i.e replies to the above queries For legacy reasons ANSI (i.e. CP_ACP) input will still be accepted and processed as before, but with two important remarks: 1. Socket replies to ANSI queries will still be UTF-8 encoded. 2. ANSI sequences which are also valid UTF-8 sequences will be handled as UTF-8. As a side note, console output (stdin and stderr) will always be OEM encoded, even when redirected to a file. On-Access Scanning Purpose This guide is for users interested in leveraging and understanding ClamAV's On-Access Scanning feature. It will walk through how to set up and use the On-Access Scanner and step through some common issues and their solutions. Requirements On-Access is only available on Linux systems. On Linux, On-Access requires a kernel version >= 3.8. This is because it leverages a kernel api called fanotify to block processes from attempting to access malicious files. This prevention occurs in kernel-space, and thus offers stronger protection than a purely user-space solution. For Versions >= 0.102.0 It also requires Curl version >= 7.45  to ensure support for all curl options used by clamonacc. Users on Linux operating systems that package older versions of libcurl have a number of options: 1. Wait for your package maintainer to provide a newer version of libcurl. 2. Install a newer version of libcurl from source. 3. Disable installation of clamonacc and On-Access Scanning capabilities with the ./configure flag --disable-clamonacc. General Use To use ClamAV's On-Access Scanner, operation will vary depending on version. For Versions >= 0.102.0 You will need to run the clamd and clamonacc applications side by side. First, you will need to configure and run clamd. For instructions on how to do that, see the clamd configuration guide. One important thing to note while configuring clamd.conf is that--like clamdscan--the clamonacc application will connect to clamd using the clamd.conf settings for either LocalSocket or TCPAddr/TCPSocket. Another important thing to note, is that when using a clamd.conf that specifies a LocalSocket, then clamd will need to be run under a user with the right permissions to scan the files you plan on including in your watch-path. Next, you will need to configure clamonacc. For a very simple configuration, follow these steps: 1. Open clamd.conf for editing 2. Specify the path(s) you would like to recursively watch by setting the OnAccessIncludePath option 3. Set OnAccessPrevention to yes 4. Check what username clamd is running under 5. Set OnAccessExcludeUname to clamd's uname 6. Save your work and close clamd.conf  For slightly more nuanced configurations, which may be adapted to your use case better, please check out the recipe guide below. Then, run clamonacc with elevated permissions: sudo clamonacc  If all went well, the On-Access scanner will fork to the background, and will now be actively protecting the path(s) specified with OnAccessIncludePath. You can test this by dropping an eicar file into the specified path, and attempting to read/access it (e.g. cat eicar.txt). This will result in an "Operation not permitted" message, triggered by fanotify blocking the access attempt at the kernel level. Finally, while you will have to restart both clamd and clamonacc. If default clamonacc performance is not to your liking, and your system has the resources available, we reccomend increasing the values for the following clamd.conf configuration options to increase performance: • MaxQueue • MaxThreads • OnAccessMaxThreads For Versions <= 0.101.x You will only need to run the clamd application in older versions. First, we reccomend you configure clamd for your environment. For instructions on how to do that, see the clamd configuration guide. Next, you will need to configure On Access Scanning using the clamd.conf file. For a very simple configuration follow these steps: 1. Open clamd.conf for editing 2. Set the ScanOnAccess option to yes 3. Specify the path(s) you would like to recursively watch by setting the OnAccessIncludePath option 4. Set OnAccessPrevention to yes 6. Save your work and close clamd.conf  For slightly more nuanced configurations, which may be adapted to your use case better, please check out the recipe guide below. Then, run clamd with elevated permissions: sudo clamd  If all went well, the On-Access scanner will fork to the background, and will now be actively protecting the path(s) specified with OnAccessIncludePath. You can test this by dropping an eicar file into the specified path, and attempting to read/access it (e.g. cat eicar.txt). This will result in an "Operation not permitted" message, triggered by fanotify blocking the access attempt at the kernel level. Troubleshooting Some OS distributors have disabled fanotify, despite kernel support. You can check for fanotify support on your kernel by running the command: cat /boot/config-<kernel_version> | grep FANOTIFY  You should see the following: CONFIG_FANOTIFY=y CONFIG_FANOTIFY_ACCESS_PERMISSIONS=y  If you see this... CONFIG_FANOTIFY_ACCESS_PERMISSIONS is not set  ... then ClamAV's On-Access Scanner will still function, scanning and alerting on files normally in real time. However, it will be unable to block access attempts on malicious files. We call this notify-only mode. ClamAV's On-Access Scanning system uses a scheme called Dynamic Directory Determination (DDD for short) which is a shorthand way of saying that it tracks the layout of every directory specified with OnAccessIncludePath dynamically, and recursively, in real time. It does this by leveraging inotify which by default has a limited number of watch-points available for use by a process at any given time. Given the complexity of some directory hierarchies, ClamAV may warn you that it has exhausted its supply of inotify watch-points (8192 by default). To increase the number of inotify watch-points available for use by ClamAV (to 524288), run the following command: echo 524288 | sudo tee -a /proc/sys/fs/inotify/max_user_watches  The OnAccessIncludePath option will not accept / as a valid path. This is because fanotify works by blocking a process' access to a file until a access_ok or access_denied determination has been made by the original fanotify calling process. Thus, by placing fanotify watch-points on the entire filesystem, key system files may have their access blocked to key processes at the kernel level, which will result in a system lockup. This restriction was made to prevent users from "shooting themselves in the foot." However, clever users will find it's possible to circumvent this restriction by using multiple OnAccessIncludePath options to recursively protect most of the filesystem anyways, or better still, simply the paths they truly care about. The OnAccessMountPath option uses a different fanotify api configuration which makes it incompatible with OnAccessIncludePath and the DDD System. Therefore, inotify watch-point limitations will not be a concern when using this option. Unfortunately, this also means that the following options cannot be used in conjunction with OnAccessMountPath: • OnAccessExtraScanning - is built around catching inotify events. • OnAccessExcludePath - is built upon the DDD System. • OnAccessPrevention - would lock up the system if / was selected for OnAccessMountPath. If you need OnAccessPrevention, you should use OnAccessIncludePath instead of OnAccessMountPath. Configuration and Recipes More nuanced behavior can be coerced from ClamAV's On-Access Scanner via careful modification to clamd.conf. Each option related to On-Access Scanning is easily identified by looking for the OnAccess prefix pre-pended to each option. The default clamd.conf file contains descriptions of each option, along with any documented limitations or safety features. Below are examples of common use cases, recipes for the correct minimal configuration, and the expected behavioral result. Use Case 0x0 • User needs to watch the entire file system, but blocking malicious access attempts isn't a concern  ScanOnAccess yes ## versions <= 0.101.x OnAccessMountPath / OnAccessExcludeRootUID yes OnAccessExcludeUname clamav ## versions >= 0.102  This configuration will put the On-Access Scanner into notify-only mode. It will also ensure only non-root, non-clam, user processes will trigger scans against the filesystem. Use Case 0x1 • System Administrator needs to watch the home directory of multiple Users, but not all users. Blocking access attempts is un-needed.  ScanOnAccess yes ## versions <= 0.101.x OnAccessIncludePath /home OnAccessExcludePath /home/user2 OnAccessExcludePath /home/user4 OnAccessExcludeUname clamav ## versions >= 0.102  With this configuration, the On-Access Scanner will watch the entirety of the /home directory recursively in notify-only mode. However, it will recursively exclude the /home/user2 and /home/user4 directories. Use Case 0x2 • The user needs to protect a single directory non-recursively and ensure all access attempts on malicious files are blocked.  ScanOnAccess yes ## versions <= 0.101.x OnAccessIncludePath /home/user/Downloads OnAccessExcludeUname clamav ## versions >= 0.102 OnAccessPrevention yes OnAccessDisableDDD yes  The configuration above will result in non-recursive real-time protection of the /home/user/Downloads directory by ClamAV's On-Access Scanner. Any access attempts that ClamAV detects on malicious files within the top level of the directory hierarchy will be blocked by fanotify at the kernel level. Command Line Options for Versions >= 0.102 Beyond clamd.conf configuration, you can change the behavior of the On-Access scanner by passing in a number of command line options. A list of all options can be retrieved with --help, but below is a list and explanation of some of options you might find most useful. • --log=FILE (-l FILE) - passing this option is important if you want a record of scan results, otherwise clamonacc will operate silently. • --verbose (-v) - primarily for debugging as this will increase the amount of noise in your log by quite a lot, but useful for troubleshooting potential connection problems • --foreground (-F) - forces clamonacc to not for the background, which is useful for debugging potential issues with during startup or runtime • --include-list=FILE (-e FILE) - allows users to pass a list of directories for clamonacc to watch, each directory must be a full path and separated by a newline • --exclude-list=FILE (-e FILE) - same as include-list option, but for excluding at startup • --remove - after an infected verdict, an attempt will be made to remove the infected file • --move=DIRECTORY - just like the remove option, but infected file will be moved to the specified quarantine location instead • --copy=DIRECTORY - just like the move, except infected file is also left in place Running ClamAV Services Table Of Contents Windows Services Note: This feature requires ClamAV version 0.104 or newer. On Windows, clamd and freshclam have options that enable them to run in the background. To install the services, first use the command: clamd --install-service  Then use net start clamd and net stop clamd to start/stop the service. To uninstall the service, use: clamd --uninstall-service  Services can also be managed via the Services application on Windows. How to Report A Bug Warning Against Accidental Vulnerability Disclosure You may not realize it, but your bug could be a security issue. Please review our Security Policy to determine if your bug is a security issue before you create a public ticket on GitHub issues. GitHub Issues are public reports and security issues must be reported in private. Steps Before You Report If you find a bug in ClamAV, please do the following before you submit a bug report: 1. Verify if the bug exists in the most recent stable release or ideally check if the bug exists in the latest unreleased code in Git before reporting the issue. 2. Review the open issues to make sure someone else hasn't already reported the same issue. Tip: Before switching to GitHub Issues, ClamAV used Bugzilla. You can also review older open tickets from the Bugzilla archive. 3. Collect the required information, described below, to include with your report. 4. Create a new ticket on GitHub. Please do not submit bugs for third party software. Required Information Please be sure to include all of the following information so that we can effectively address your bug: • ClamAV version, settings, and system details: On the command line, run: clamconf -n  ClamConf will print out configuration information and some system information. The -n option prints out only non-default options. This information will help the team identify possible triggers for your bug. • 3rd party signatures: Please tell us if you are using any unofficial signature databases, that is anything other than main.cvd/cld, daily.cvd/cld, and bytecode.cvd/cld • How to reproduce the problem: Include specific steps needed to reproduce the issue. If the issue is reproducible only when scanning a specific file, attach it to the ticket. Large Files: The maximum size for file attachments on GitHub Issues is 25MB and the maximum size for images is 10MB. If the file is too big to mail it, you can upload it to a password protected website and send us the URL and the credentials to access it. If your file must be kept confidential you can reach out on the ClamAV Discord chat server to exchange email addresses and to share the zipped file or to share the zip password. CAUTION: Don’t forget to encrypt it or you may cause damage to the mail servers between you and us! On the command line, run: zip -P virus -e file.zip file.ext  Creating signatures for ClamAV Table Of Contents Introduction In order to detect malware and other file-based threats, ClamAV relies on signatures to differentiate clean and malicious/unwanted files. ClamAV signatures are primarily text-based and conform to one of the ClamAV-specific signature formats associated with a given method of detection. These formats are explained in the Signature formats section below. In addition, ClamAV 0.99 and above support signatures written in the YARA format. More information on this can be found in the Using YARA rules in ClamAV section. The ClamAV project distributes a collection of signatures in the form of CVD (ClamAV Virus Database) files. The CVD file format provides a digitally-signed container that encapsulates the signatures and ensures that they can't be modified by a malicious third-party. This signature set is actively maintained by Cisco Talos and can be downloaded using the freshclam application that ships with ClamAV. For more details on this, see the CVD file section. Database formats ClamAV CVD and CLD database archives may be unpacked to the current directory using sigtool -u <database name>. For more details on inspecting CVD and CLD files, see Inspecting signatures inside a CVD file. Once unpacked, you'll observe a large collection of database files with various extensions described below. The CVD and CLD database archives may be supplemented with custom database files in the formats described to gain additional detection functionality. This is done simply by adding files of the following formats to the database directory, typically /usr/local/share/clamav or "C:\Program Files\ClamAV\database". Alternatively, clamd and clamscan can be instructed to load the database from an alternative database file or database directory manually using the clamd DatabaseDirectory config option or the clamscan -d command line option. Settings databases ClamAV provides a handful of configuration related databases along side the signature definitions. *.cfg: Dynamic config settings *.cat *.crb: Trusted and revoked PE certs *.ftm: File Type Magic (FTM) Signature databases Note: Signature databases with an extension ending in u are only loaded when Potentially Unwanted Application (PUA) signatures are enabled (default: off). Body-based Signatures Body-based signature content is a definition that matches not based on a hash but based on the specific sequences of bytes exhibited by the target file. ClamAV body-based signature content has a special format to allow regex-like matching of data that is not entirely known. This format is used extensively in both Extended Signatures and Logical Signatures. *.ndb *.ndu: Extended signatures *.ldb *.ldu; *.idb: Logical Signatures *.cdb: Container Metadata Signatures *.cbc: Bytecode Signatures *.pdb *.gdb *.wdb: Phishing URL Signatures) Hash-based Signatures *.hdb *.hsb *.hdu *.hsu: File hash signatures *.mdb *.msb *.mdu *.msu: PE section hash signatures Hash-based Signature format Alternative signature support *.yar *.yara: YARA rules Other database files *.fp *.sfp *.ign *.ign2: allowed files, ignored signatures *.pwdb: Encrypted archive passwords *.info: Database information Signature names ClamAV uses the following prefixes for signature names: • Worm for Internet worms • Trojan for backdoor programs • Adware for adware • Flooder for flooders • HTML for HTML files • Email for email messages • IRC for IRC trojans • JS for Java Script malware • PHP for PHP malware • ASP for ASP malware • VBS for VBS malware • BAT for BAT malware • W97M, W2000M for Word macro viruses • X97M, X2000M for Excel macro viruses • O97M, O2000M for generic Office macro viruses • DoS for Denial of Service attack software • DOS for old DOS malware • Exploit for popular exploits • VirTool for virus construction kits • Dialer for dialers • Joke for hoaxes Important rules of the naming convention: • Always use a -zippwd suffix in the malware name for ZIP container metadata (.cdb) signatures, • Always use a -rarpwd suffix in the malware name for RAR container metadata (.cdb) signatures, • Only use alphanumeric characters, dash (-), dot (.), underscores (_) in malware names, never use space, apostrophe or quote mark. Signature Writing Tips and Tricks Testing rules with clamscan To test a new signature, first create a text file with the extension corresponding to the signature type (Ex: .ldb for logical signatures). Then, add the signature as it's own line within the file. This file can be passed to clamscan via the -d option, which tells ClamAV to load signatures from the file specified. If the signature is not formatted correctly, ClamAV will display an error - run clamscan with --debug --verbose to see additional information about the error message. Some common causes of errors include: • The signature file has the incorrect extension type for the signatures contained within • The file has one or more blank lines • For logical signatures, a semicolon exists at the end of the file If the rule is formatted correctly, clamscan will load the signature(s) in and scan any files specified via the command line invocation (or all files in the current directory if none are specified). A successful detection will look like the following: clamscan -d test.ldb text.exe test.exe: Win.Malware.Agent.UNOFFICIAL FOUND ----------- SCAN SUMMARY ----------- Known viruses: 1 Engine version: 0.100.0 Scanned directories: 0 Scanned files: 1 Infected files: 1 Data scanned: 17.45 MB Data read: 17.45 MB (ratio 1.00:1) Time: 0.400 sec (0 m 0 s)  If the rule did not match as intended: • The file may have exceeded one or more of the default scanning limits built-in to ClamAV. Try running clamscan with the following options to see if raising the limits addresses the issue: --max-filesize=2000M --max-scansize=2000M --max-files=2000000 --max-recursion=2000000 --max-embeddedpe=2000M --max-htmlnormalize=2000000 --max-htmlnotags=2000000 --max-scriptnormalize=2000000 --max-ziptypercg=2000000 --max-partitions=2000000 --max-iconspe=2000000 --max-rechwp3=2000000 --pcre-match-limit=2000000 --pcre-recmatch-limit=2000000 --pcre-max-filesize=2000M. • If matching on HTML or text files, ClamAV might be performing normalization that causes the content of the scanned file to change. See the HTML and Text file sections for more details. • libclamav may have been unable to unpack or otherwise process the file. See Debug information from libclamav for more details. NOTE: If you run clamscan with a -d flag, ClamAV will not load in the signatures downloaded via freshclam. This means that: • some of ClamAV's unpacking support might be disabled, since some unpackers are implemented as bytecode signatures • PE certificate trust verification based on Authenticode signatures won't work, since this functionality relies on .crb rules If any of this functionality is needed, load in the CVD files manually with additional -d flags. Debug information from libclamav In order to create efficient signatures for ClamAV it’s important to understand how the engine handles input files. The best way to see how it works is having a look at the debug information from libclamav. You can do it by calling clamscan with the --debug and --leave-temps flags. The first switch makes clamscan display all the interesting information from libclamav and the second one avoids deleting temporary files so they can be analyzed further. The now important part of the info is: $ clamscan --debug attachment.exe
[...]
LibClamAV debug: Recognized MS-EXE/DLL file
LibClamAV debug: Matched signature for file type PE
LibClamAV debug: File type: Executable


The engine recognized a windows executable.

    LibClamAV debug: Machine type: 80386
LibClamAV debug: NumberOfSections: 3
LibClamAV debug: TimeDateStamp: Fri Jan 10 04:57:55 2003
LibClamAV debug: File format: PE
LibClamAV debug: SizeOfCode: 0x9000
LibClamAV debug: SizeOfInitializedData: 0x1000
LibClamAV debug: SizeOfUninitializedData: 0x1e000
LibClamAV debug: BaseOfCode: 0x1f000
LibClamAV debug: SectionAlignment: 0x1000
LibClamAV debug: FileAlignment: 0x200
LibClamAV debug: MajorSubsystemVersion: 4
LibClamAV debug: MinorSubsystemVersion: 0
LibClamAV debug: SizeOfImage: 0x29000
LibClamAV debug: NumberOfRvaAndSizes: 16
LibClamAV debug: Subsystem: Win32 GUI
LibClamAV debug: ------------------------------------
LibClamAV debug: Section 0
LibClamAV debug: Section name: UPX0
LibClamAV debug: Section data (from headers - in memory)
LibClamAV debug: VirtualSize: 0x1e000 0x1e000
LibClamAV debug: SizeOfRawData: 0x0 0x0
LibClamAV debug: PointerToRawData: 0x400 0x400
LibClamAV debug: Section's memory is executable
LibClamAV debug: Section's memory is writeable
LibClamAV debug: ------------------------------------
LibClamAV debug: Section 1
LibClamAV debug: Section name: UPX1
LibClamAV debug: Section data (from headers - in memory)
LibClamAV debug: VirtualSize: 0x9000 0x9000
LibClamAV debug: SizeOfRawData: 0x8200 0x8200
LibClamAV debug: PointerToRawData: 0x400 0x400
LibClamAV debug: Section's memory is executable
LibClamAV debug: Section's memory is writeable
LibClamAV debug: ------------------------------------
LibClamAV debug: Section 2
LibClamAV debug: Section name: UPX2
LibClamAV debug: Section data (from headers - in memory)
LibClamAV debug: VirtualSize: 0x1000 0x1000
LibClamAV debug: SizeOfRawData: 0x200 0x1ff
LibClamAV debug: PointerToRawData: 0x8600 0x8600
LibClamAV debug: Section's memory is writeable
LibClamAV debug: ------------------------------------
LibClamAV debug: EntryPoint offset: 0x8470 (33904)


The section structure displayed above suggests the executable is packed with UPX.

    LibClamAV debug: ------------------------------------
LibClamAV debug: EntryPoint offset: 0x8470 (33904)
LibClamAV debug: UPX/FSG/MEW: empty section found - assuming
compression
LibClamAV debug: UPX: bad magic - scanning for imports
LibClamAV debug: UPX: PE structure rebuilt from compressed file
LibClamAV debug: UPX: Successfully decompressed with NRV2B
LibClamAV debug: UPX/FSG: Decompressed data saved in
/tmp/clamav-90d2d25c9dca42bae6fa9a764a4bcede
LibClamAV debug: ***** Scanning decompressed file *****
LibClamAV debug: Recognized MS-EXE/DLL file
LibClamAV debug: Matched signature for file type PE


Indeed, libclamav recognizes the UPX data and saves the decompressed (and rebuilt) executable into /tmp/clamav-90d2d25c9dca42bae6fa9a764a4bcede. Then it continues by scanning this new file:

    LibClamAV debug: File type: Executable
LibClamAV debug: Machine type: 80386
LibClamAV debug: NumberOfSections: 3
LibClamAV debug: TimeDateStamp: Thu Jan 27 11:43:15 2011
LibClamAV debug: File format: PE
LibClamAV debug: SizeOfCode: 0xc000
LibClamAV debug: SizeOfInitializedData: 0x19000
LibClamAV debug: SizeOfUninitializedData: 0x0
LibClamAV debug: BaseOfCode: 0x1000
LibClamAV debug: SectionAlignment: 0x1000
LibClamAV debug: FileAlignment: 0x1000
LibClamAV debug: MajorSubsystemVersion: 4
LibClamAV debug: MinorSubsystemVersion: 0
LibClamAV debug: SizeOfImage: 0x26000
LibClamAV debug: NumberOfRvaAndSizes: 16
LibClamAV debug: Subsystem: Win32 GUI
LibClamAV debug: ------------------------------------
LibClamAV debug: Section 0
LibClamAV debug: Section name: .text
LibClamAV debug: Section data (from headers - in memory)
LibClamAV debug: VirtualSize: 0xc000 0xc000
LibClamAV debug: SizeOfRawData: 0xc000 0xc000
LibClamAV debug: PointerToRawData: 0x1000 0x1000
LibClamAV debug: Section contains executable code
LibClamAV debug: Section's memory is executable
LibClamAV debug: ------------------------------------
LibClamAV debug: Section 1
LibClamAV debug: Section name: .rdata
LibClamAV debug: Section data (from headers - in memory)
LibClamAV debug: VirtualSize: 0x2000 0x2000
LibClamAV debug: SizeOfRawData: 0x2000 0x2000
LibClamAV debug: PointerToRawData: 0xd000 0xd000
LibClamAV debug: ------------------------------------
LibClamAV debug: Section 2
LibClamAV debug: Section name: .data
LibClamAV debug: Section data (from headers - in memory)
LibClamAV debug: VirtualSize: 0x17000 0x17000
LibClamAV debug: SizeOfRawData: 0x17000 0x17000
LibClamAV debug: PointerToRawData: 0xf000 0xf000
LibClamAV debug: Section's memory is writeable
LibClamAV debug: ------------------------------------
LibClamAV debug: EntryPoint offset: 0x7b9f (31647)
LibClamAV debug: Bytecode executing hook id 257 (0 hooks)
attachment.exe: OK
[...]


No additional files get created by libclamav. By writing a signature for the decompressed file you have more chances that the engine will detect the target data when it gets compressed with another packer.

This method should be applied to all files for which you want to create signatures. By analyzing the debug information you can quickly see how the engine recognizes and preprocesses the data and what additional files get created. Signatures created for bottom-level temporary files are usually more generic and should help detecting the same malware in different forms.

Writing signatures for special files

HTML

ClamAV contains HTML normalization code which makes it easier to write signatures for HTML data that might differ based on white space, capitalization, and other insignificant differences. Running sigtool --html-normalise on a HTML file can be used to see what a file's contents will look like after normalization. This command should generate the following files:

• nocomment.html - the file is normalized, lower-case, with all comments and superfluous white space removed

• notags.html - as above but with all HTML tags removed

• javascript - any script contents are normalized and the results appended to this file

The code automatically decodes JScript.encode parts and char ref’s (e.g. &#102;). To create a successful signature for the input file type, the rule must match on the contents of one of the created files. Signatures matching on normalized HTML should have a target type of 3. For reference, see Target Types.

Text files

Similarly to HTML all ASCII text files get normalized (converted to lower-case, all superfluous white space and control characters removed, etc.) before scanning. Running sigtool --ascii-normalise on a text file will result in a normalized version being written to the file named normalised\_text. Rules matching on normalized ASCII text should have a target type of 7. For reference, see Target Types.

Compressed Portable Executable files

If the file is compressed with UPX, FSG, Petite or another PE packer supported by libclamav, ClamAV will attempt to automatically unpack the executable and evaluate signatures against the unpacked executable. To inspect the executable that results from ClamAV's unpacking process, run clamscan with --debug --leave-temps. Example output for a FSG compressed file:

    LibClamAV debug: UPX/FSG/MEW: empty section found - assuming compression
LibClamAV debug: FSG: found old EP @119e0
LibClamAV debug: FSG: Unpacked and rebuilt executable saved in
/tmp/clamav-f592b20f9329ac1c91f0e12137bcce6c


In the example above, /tmp/clamav-f592b20f9329ac1c91f0e12137bcce6c is the unpacked executable, and a signature can be written based off of this file.

Using sigtool

sigtool pulls in libclamav and provides shortcuts to doing tasks that clamscan does behind the scenes. These can be really useful when writing a signature or trying to get information about a signature that might be causing FPs or performance problems.

The following sigtool flags can be especially useful for signature writing:

• --md5 / --sha1 / --sha256: Generate the MD5/SHA1/SHA256 hash and calculate the file size, outputting both as a properly-formatted .hdb/.hsb signature

• --mdb: Generate section hashes of the specified file. This is useful when generating .mdb signatures.

• --decode: Given a ClamAV signature from STDIN, show a more user-friendly representation of it. An example usage of this flag is cat test.ldb | sigtool --decode.

• --hex-dump: Given a sequence of bytes from STDIN, print the hex equivalent. An example usage of this flag is echo -n "Match on this" | sigtool --hex-dump.

• --html-normalise: Normalize the specified HTML file in the way that clamscan will before looking for rule matches. Writing signatures off of these files makes it easier to write rules for target type HTML (you'll know what white space, capitalization, etc. to expect). See the HTML section for more details.

• --ascii-normalise: Normalize the specified ASCII text file in the way that clamscan will before looking for rule matches. Writing signatures off of this normalized file data makes it easier to write rules for target type Txt (you'll know what white space, capitalization, etc. to expect). See the Text files sectino for more details.

• --print-certs: Print the Authenticode signatures of any PE files specified. This is useful when writing signature-based .crb rule files.

• --vba: Extract VBA/Word6 macro code

• --test-sigs: Given a signature and a sample, determine whether the signature matches and, if so, display the offset into the file where the match occurred. This can be useful for investigating false positive matches in clean files.

Inspecting signatures inside a CVD file

CVD (ClamAV Virus Database) is a digitally signed container that includes signature databases in various text formats. The header of the container is a 512 bytes long string with colon separated fields:

    ClamAV-VDB:build time:version:number of signatures:functionality level required:MD5 checksum:digital signature:builder name:build time (sec)


sigtool --info displays detailed information about a given CVD file:

    zolw@localhost:/usr/local/share/clamav$sigtool -i main.cvd File: main.cvd Build time: 09 Dec 2007 15:50 +0000 Version: 45 Signatures: 169676 Functionality level: 21 Builder: sven MD5: b35429d8d5d60368eea9630062f7c75a Digital signature: dxsusO/HWP3/GAA7VuZpxYwVsE9b+tCk+tPN6OyjVF/U8 JVh4vYmW8mZ62ZHYMlM903TMZFg5hZIxcjQB3SX0TapdF1SFNzoWjsyH53eXvMDY eaPVNe2ccXLfEegoda4xU2TezbGfbSEGoU1qolyQYLX674sNA2Ni6l6/CEKYYh Verification OK.  The ClamAV project distributes a number of CVD files, including main.cvd and daily.cvd. To view the signature associated with a given detection name, the CVD files can be unpacked and the underlying text files searched for a rule definition using a tool like grep. To do this, use sigtool's --unpack flag as follows: $ mkdir /tmp/clamav-sigs
$cd /tmp/clamav-sigs/$ sigtool --unpack /var/lib/clamav/main.cvd
$ls COPYING main.fp main.hsb main.mdb main.ndb main.crb main.hdb main.info main.msb main.sfp  External tools Below are tools that can be helpful when writing ClamAV signatures: • CASC - CASC is a plugin for IDA Pro that allows the user to highlight sections of code and create a signature based on the underlying instructions (with options to ignore bytes associated with registers, addresses, and offsets). It also contains SigAlyzer, a tool to take an existing signature and locate the regions within the binary that match the subsignatures. Database Info The .info file format specifies information about the other database files unpacked from a CVD or CLD database archive. This file exists for the purposes of validating the correctness of the official ClamAV database container files and cannot be loaded a la carte. The format is simply: name:size:sha256  name: The database file name. size: The size in bytes of the database. sha256: A SHA256 hash of the database. Dynamic Configuration (DCONF) ClamAV supports a limited set of configuration options that may be enabled or disabled via settings in the *.cfg database. At this time, these settings are distributed in daily.cfg. The goal of DCONF is to enable the ClamAV team to rapidly disable new or experimental features for specific ClamAV versions if a significant defect is discovered after release. This database is small, and the settings are largely vestigial. The team has not had a need to disable many features in a long time, and so the ClamAV versions in the settings at this time should no longer be in use. The strings and values referenced in daily.cfg are best cross-referenced with the macros and structures defined here: • https://github.com/Cisco-Talos/clamav/blob/main/libclamav/dconf.h#L49 • https://github.com/Cisco-Talos/clamav/blob/main/libclamav/dconf.c#L54 The format for a DCONF signature is: Category:Flags:StartFlevel:EndFlevel  Category may be one of: • PE • ELF • MACHO • ARCHIVE • DOCUMENT • MAIL • OTHER • PHISHING • BYTECODE • STATS • PCRE Flags: Every feature that may be configured via DCONF is listed in struct dconf_module modules in libclamav/dconf.c. Any given feature may be default-on or default-off. Default-on features have the 4th field set to a 1 and default off are set to 0. The Flags field for a given Category overrides the defaults for all of the options listed under that category. A settings of 0x0, for example, means that all options the category be disabled. The macros listed in libclamav/dconf.h will help you identify which bits to set to get the desired results. StartFlevel: This is the FLEVEL of the minimum ClamAV engine for which you want the settings to be in effect. EndFlevel: This is the FLEVEL of the maximum ClamAV engine for which you want the settings to be in effect. You may wish to select 255 to override the defaults of future releases. Example Consider the OTHER_CONF_PDFNAMEOBJ option in the category OTHER. #define OTHER_CONF_UUENC 0x1 // Default: 1 #define OTHER_CONF_SCRENC 0x2 // Default: 1 #define OTHER_CONF_RIFF 0x4 // Default: 1 #define OTHER_CONF_JPEG 0x8 // Default: 1 #define OTHER_CONF_CRYPTFF 0x10 // Default: 1 #define OTHER_CONF_DLP 0x20 // Default: 1 #define OTHER_CONF_MYDOOMLOG 0x40 // Default: 1 #define OTHER_CONF_PREFILTERING 0x80 // Default: 1 #define OTHER_CONF_PDFNAMEOBJ 0x100 // Default: 1 #define OTHER_CONF_PRTNINTXN 0x200 // Default: 1 #define OTHER_CONF_LZW 0x400 // Default: 1  All of the OTHER options, including OTHER_CONF_PDFNAMEOBJ are default-on. To disable the option for ClamAV v0.100.X but leave the other options in their default settings, we would need to set the flags to: 0110 1111 1111 ^pdfnameobj off  Or in hex: 0x6FF The example setting to place in daily.cfg then woudl be: OTHER:0x6FF:90:99  Trusted and Revoked Certificates Clamav 0.98 checks signed PE files for certificates and verifies each certificate in the chain against a database of trusted and revoked certificates. The signature format is Name;Trusted;Subject;Serial;Pubkey;Exponent;CodeSign;TimeSign;CertSign; NotBefore;Comment[;minFL[;maxFL]]  where the corresponding fields are: • Name: name of the entry • Trusted: bit field, specifying whether the cert is trusted. 1 for trusted. 0 for revoked • Subject: sha1 of the Subject field in hex • Serial: the serial number as clamscan --debug --verbose reports • Pubkey: the public key in hex • Exponent: the exponent in hex. Currently ignored and hardcoded to 010001 (in hex) • CodeSign: bit field, specifying whether this cert can sign code. 1 for true, 0 for false • TimeSign: bit field. 1 for true, 0 for false • CertSign: bit field, specifying whether this cert can sign other certs. 1 for true, 0 for false • NotBefore: integer, cert should not be added before this variable. Defaults to 0 if left empty • Comment: comments for this entry The signatures for certs are stored inside .crb files. File Type Magic ClamAV's primary mechanism for determining file types is to match the file with a File Type Magic signature. These file type signatures are compiled into ClamAV, and may also be overridden dynamically using the definition founds found in a *.ftm file. The ClamAV standard signature database includes these definitions in daily.ftm. The signature format is not too disimilar from NDB body-based signatures. The format is: magictype:offset:magicbytes:name:type:type[:min_flevel[:max_flevel]]  Where: magictype: Supported magic types include: • 0 - direct memory comparison of magicbytes for file types • 1 - The magicbytes use the body-based content matching format. • 4 - direct memory comparison of magicbytes for partition types (HFS+, HFSX) offset: The offset from start of the file to match against. May be * if magictype is 1. name: A descriptive name for the file type. rtype: Usually CL_TYPE_ANY. type: The CL_TYPE corresponding with the file type signature. See the CL_TYPE reference for details. min_flevel: (optional) The minimum ClamAV engine that the file type signature works with. See the FLEVEL reference for details. To be used in the event that file type support has been recently added. max_flevel: (optional, requires min_flevel) The maximum ClamAV engine that the file type signature works with. To be used in the event that file type support has been recently removed. Allow list databases File allow lists To allow a specific file use the MD5 signature format and place it inside a database file with the extension of .fp (for "false positive"). To allow a specific file with the SHA1 or SHA256 file hash signature format, place the signature inside a database file with the extension of .sfp (for "SHA false positive"). To generate FP or SFP signatures, try something like this... MD5: sigtool --md5 /path/to/false/positive/file >> /path/to/databases/false-positives.fp  SHA256: sigtool --sha256 /path/to/false/positive/file >> /path/to/databases/false-positives.sfp  Here's an example adding the EICAR test file to an allow list by generating a sha256 false positive signature: ❯ clamscan ~/Downloads/eicar.com /mnt/c/Users/micah/Downloads/eicar.com: Win.Test.EICAR_HDB-1 FOUND ... ❯ sigtool --sha256 ~/Downloads/eicar.com >> /var/lib/clamav/false-positives.sfp ❯ clamscan ~/Downloads/eicar.com /mnt/c/Users/micah/Downloads/eicar.com: OK ...  Signature ignore lists To ignore a specific signature from the database you just add the signature name into a local file with the .ign2 extension and store it inside the database directory. E.g: Eicar-Test-Signature  Additionally, you can follow the signature name with the MD5 of the entire database entry for this signature. In such a case, the signature will no longer be ignored when its entry in the database gets modified (eg. the signature gets updated to avoid false alerts). E.g: Eicar-Test-Signature:bc356bae4c42f19a3de16e333ba3569c  Historically, signature ignores were added to .ign files. This format is still functional, though it has been replaced by the .ign2 database. File hash signatures The easiest way to create signatures for ClamAV is to use filehash checksums, however this method can be only used against static malware. MD5 hash-based signatures To create a MD5 signature for test.exe use the --md5 option of sigtool: zolw@localhost:/tmp/test$ sigtool --md5 test.exe > test.hdb
zolw@localhost:/tmp/test$cat test.hdb 48c4533230e1ae1c118c741c0db19dfb:17387:test.exe  That’s it! The signature is ready for use: zolw@localhost:/tmp/test$ clamscan -d test.hdb test.exe
test.exe: test.exe FOUND

----------- SCAN SUMMARY -----------
Known viruses: 1
Scanned directories: 0
Engine version: 0.92.1
Scanned files: 1
Infected files: 1
Data scanned: 0.02 MB
Time: 0.024 sec (0 m 0 s)


You can change the name (by default sigtool uses the name of the file) and place it inside a *.hdb file. A single database file can include any number of signatures. To get them automatically loaded each time clamscan/clamd starts just copy the database file(s) into the local virus database directory (eg. /usr/local/share/clamav).

The hash-based signatures shall not be used for text files, HTML and any other data that gets internally preprocessed before pattern matching. If you really want to use a hash signature in such a case, run clamscan with --debug and --leave-temps flags as described above and create a signature for a preprocessed file left in /tmp. Please keep in mind that a hash signature will stop matching as soon as a single byte changes in the target file.

SHA1 and SHA256 hash-based signatures

ClamAV 0.98 has also added support for SHA1 and SHA256 file checksums. The format is the same as for MD5 file checksum. It can differentiate between them based on the length of the hash string in the signature. For best backwards compatibility, these should be placed inside a *.hsb file. The format is:

HashString:FileSize:MalwareName


Hash signatures with unknown size

ClamAV 0.98 has also added support for hash signatures where the size is not known but the hash is. It is much more performance-efficient to use signatures with specific sizes, so be cautious when using this feature. For these cases, the ’*’ character can be used in the size field. To ensure proper backwards compatibility with older versions of ClamAV, these signatures must have a minimum functional level of 73 or higher. Signatures that use the wildcard size without this level set will be rejected as malformed.

Sample .hsb signature matching any size:

HashString:*:MalwareName:73


Sample .msb signature matching any size:

*:PESectionHash:MalwareName:73


PE section based hash signatures

You can create a hash signature for a specific section in a PE file. Such signatures shall be stored inside .mdb (MD5) and .msb files in the following format:

PESectionSize:PESectionHash:MalwareName


The easiest way to generate MD5 based section signatures is to extract target PE sections into separate files and then run sigtool with the option --mdb

ClamAV also has support for SHA1 and SHA256 section based signatures. The format is the same as for MD5 PE section based signatures. It can differentiate between them based on the length of the hash string in the signature. For best backwards compatibility, these should be placed inside a *.msb file.

Body-based Signature Content Format

ClamAV stores all body-based (content-based) signatures in a hexadecimal format, with exception to ClamAV's YARA rule support. In this section by a hex-signature we mean a fragment of malware’s body converted into a hexadecimal string which can be additionally extended using various wildcards.

You can use sigtool --hex-dump to convert any data into a hex-string:

zolw@localhost:/tmp/test$sigtool --hex-dump How do I look in hex? 486f7720646f2049206c6f6f6b20696e206865783f0a  Wildcards ClamAV supports the following wildcards for hex-signatures: • ?? Match any byte. • a? Match a high nibble (the four high bits). • ?a Match a low nibble (the four low bits). • * Match any number of bytes. • {n} Match n bytes. • {-n} Match n or less bytes. • {n-} Match n or more bytes. • {n-m} Match between n and m bytes (where m > n). • HEXSIG[x-y]aa or aa[x-y]HEXSIG Match aa anchored to a hex-signature, see Bugzilla ticket 776 for discussion and examples. The range signatures * and {} virtually separate a hex-signature into two parts, eg. aabbcc*bbaacc is treated as two sub-signatures aabbcc and bbaacc with any number of bytes between them. It’s a requirement that each sub-signature includes a block of two static characters somewhere in its body. Note that there is one exception to this restriction; that is when the range wildcard is of the form {n} with n<128. In this case, ClamAV uses an optimization and translates {n} to the string consisting of n ?? character wildcards. Character wildcards do not divide hex signatures into two parts and so the two static character requirement does not apply. Character classes ClamAV supports the following character classes for hex-signatures: • (B) Match word boundary (including file boundaries). • (L) Match CR, CRLF or file boundaries. • (W) Match a non-alphanumeric character. Alternate strings • Single-byte alternates (clamav-0.96) (aa|bb|cc|...) or !(aa|bb|cc|...) Match a member from a set of bytes (eg: aa, bb, cc, ...). • Negation operation can be applied to match any non-member, assumed to be one-byte in length. • Signature modifiers and wildcards cannot be applied. • Multi-byte fixed length alternates (aaaa|bbbb|cccc|...) or !(aaaa|bbbb|cccc|...) Match a member from a set of multi-byte alternates (eg: aaaa, bbbb, cccc, ...) of n-length. • All set members must be the same length. • Negation operation can be applied to match any non-member, assumed to be n-bytes in length (clamav-0.98.2). • Signature modifiers and wildcards cannot be applied. • Generic alternates (clamav-0.99) (alt1|alt2|alt3|...) Match a member from a set of alternates (eg: alt1, alt2, alt3, ...) that can be of variable lengths. • Negation operation cannot be applied. • Signature modifiers and nibble wildcards (eg: ??, a?, ?a) can be applied. • Ranged wildcards (eg: {n-m}) are limited to a fixed range of less than 128 bytes (eg: {1} -> {127}). Note: Using signature modifiers and wildcards classifies the alternate type to be a generic alternate. Thus single-byte alternates and multi-byte fixed length alternates can use signature modifiers and wildcards but will be classified as generic alternate. This means that negation cannot be applied in this situation and there is a slight performance impact. Logical signatures Logical signatures allow combining of multiple signatures in extended format using logical operators. They can provide both more detailed and flexible pattern matching. The logical sigs are stored inside *.ldb files in the following format: SignatureName;TargetDescriptionBlock;LogicalExpression;Subsig0; Subsig1;Subsig2;...  where: • TargetDescriptionBlock provides information about the engine and target file with comma separated Arg:Val pairs. For args where Val is a range, the minimum and maximum values should be expressed as min-max. • LogicalExpression specifies the logical expression describing the relationship between Subsig0...SubsigN. Basis clause: 0,1,...,N decimal indexes are SUB-EXPRESSIONS representing Subsig0, Subsig1,...,SubsigN respectively. Inductive clause: if A and B are SUB-EXPRESSIONS and X, Y are decimal numbers then (A&B), (A|B), A=X, A=X,Y, A>X, A>X,Y, A<X and A<X,Y are SUB-EXPRESSIONS • SubsigN is n-th subsignature in extended format possibly preceded with an offset. There can be specified up to 64 subsigs. Keywords used in TargetDescriptionBlock: • Target:X: A number specifying the type of the target file: Target Types. • Engine:X-Y: Required engine functionality level (range; 0.96). Note that if the Engine keyword is used, it must be the first one in the TargetDescriptionBlock for backwards compatibility. See the FLEVEL reference for details. • FileSize:X-Y: Required file size (range in bytes; 0.96) • EntryPoint: Entry point offset (range in bytes; 0.96) • NumberOfSections: Required number of sections in executable (range; 0.96) • Container:CL_TYPE_*: File type of the container which stores the scanned file. Specifying CL_TYPE_ANY matches on root objects only (i.e. the target file is explicitely not in a container). Chances slim that you would want to use CL_TYPE_ANY in a signature, because placing the malicious file in an archive will then prevent it from alerting. Every ClamAV file type has the potential to be a container for additional files, although some are more likely than others. When a file is parsed and data in the file is identified to be scanned as a unique type, that parent file becomes a container the moment the embedded content is scanned. For a list of possible CL_TYPEs, refer to the File Types Reference. • Intermediates:CL_TYPE_*>CL_TYPE_*: Specify one or more layers of file types containing the scanned file. This is an alternative to using Container. You may specify up to 16 layers of file types separated by ’>’ in top-down order. Note that the ’>’ separator is not needed if you only specify a single container. The last type should be the immediate container containing the malicious file. Unlike with the Container option, CL_TYPE_ANY can be used as a wildcard file type. (expr; 0.100.0) For a list of possible CL_TYPEs, refer to the File Types Reference. • IconGroup1: Icon group name 1 from .idb signature Required engine functionality (range; 0.96) • IconGroup2: Icon group name 2 from .idb signature Required engine functionality (range; 0.96) Modifiers for subexpressions: • A=X: If the SUB-EXPRESSION A refers to a single signature then this signature must get matched exactly X times; if it refers to a (logical) block of signatures then this block must generate exactly X matches (with any of its sigs). • A=0 specifies negation (signature or block of signatures cannot be matched) • A=X,Y: If the SUB-EXPRESSION A refers to a single signature then this signature must be matched exactly X times; if it refers to a (logical) block of signatures then this block must generate X matches and at least Y different signatures must get matched. • A>X: If the SUB-EXPRESSION A refers to a single signature then this signature must get matched more than X times; if it refers to a (logical) block of signatures then this block must generate more than X matches (with any of its sigs). • A>X,Y: If the SUB-EXPRESSION A refers to a single signature then this signature must get matched more than X times; if it refers to a (logical) block of signatures then this block must generate more than X matches and at least Y different signatures must be matched. • A<X: Just like A>Z above with the change of "more" to "less". If the SUB-EXPRESSION A refers to a single signature then this signature must get matched less than X times; if it refers to a (logical) block of signatures then this block must generate less than X matches (with any of its sigs). • A<X,Y: Similar to A>X,Y. If the SUB-EXPRESSION A refers to a single signature then this signature must get matched less than X times; if it refers to a (logical) block of signatures then this block must generate less than X matches and at least Y different signatures must be matched. Examples: Sig1;Target:0;(0&1&2&3)&(4|1);6b6f74656b;616c61;7a6f6c77;7374656 6616e;deadbeef Sig2;Target:0;((0|1|2)>5,2)&(3|1);6b6f74656b;616c61;7a6f6c77;737 46566616e Sig3;Target:0;((0|1|2|3)=2)&(4|1);6b6f74656b;616c61;7a6f6c77;737 46566616e;deadbeef Sig4;Engine:51-255,Target:1;((0|1)&(2|3))&4;EP+123:33c06834f04100 f2aef7d14951684cf04100e8110a00;S2+78:22??232c2d252229{-15}6e6573 (63|64)61706528;S3+50:68efa311c3b9963cb1ee8e586d32aeb9043e;f9c58 dcf43987e4f519d629b103375;SL+550:6300680065005c0046006900  Subsignature Modifiers ClamAV (clamav-0.99) supports a number of additional subsignature modifiers for logical signatures. This is done by specifying :: followed by a number of characters representing the desired options. Signatures using subsignature modifiers require Engine:81-255 for backwards-compatibility. • Case-Insensitive [i] Specifying the i modifier causes ClamAV to match all alphabetic hex bytes as case-insensitive. All patterns in ClamAV are case-sensitive by default. • Wide [w] Specifying the w causes ClamAV to match all hex bytes encoded with two bytes per character. Note this simply interweaves each character with NULL characters and does not truly support UTF-16 characters. Wildcards for ’wide’ subsignatures are not treated as wide (i.e. there can be an odd number of intermittent characters). This can be combined with a to search for patterns in both wide and ascii. • Fullword [f] Match subsignature as a fullword (delimited by non-alphanumeric characters). • Ascii [a] Match subsignature as ascii characters. This can be combined with w to search for patterns in both ascii and wide. Examples: • Match 'AAAA'(nocase) and 'BBBBBB'(nocase) clamav-nocase-A;Engine:81-255,Target:0;0&1;41414141::i;424242424242::i  • Match 'AAA' and 'hello'(fullword) clamav-fullword-A;Engine:81-255,Target:0;0&1;414141;68656c6c6f::f  • Match 'AAA' and 'hello'(fullword nocase) clamav-fullword-B;Engine:81-255,Target:0;0&1;414141;68656c6c6f::fi  • Match 'AAA' and 'hello'(wide ascii) clamav-wide-B2;Engine:81-255,Target:0;0&1;414141;68656c6c6f::wa  • Match 'AAA' and 'hello'(nocase wide fullword ascii) clamav-wide-C0;Engine:81-255,Target:0;0&1;414141;68656c6c6f::iwfa  Special Subsignature Types Macro subsignatures Introduced in ClamAV 0.96 Format: ${min-max}MACROID$ Macro subsignatures are used to combine a number of existing extended signatures (.ndb) into a on-the-fly generated alternate string logical signature (.ldb). Signatures using macro subsignatures require Engine:51-255 for backwards-compatibility. Example: test.ldb: TestMacro;Engine:51-255,Target:0;0&1;616161;${6-7}12$test.ndb: D1:0:$12:626262
D2:0:$12:636363 D3:0:$30:626264


The example logical signature TestMacro is functionally equivalent to:

TestMacro;Engine:51-255,Target:0;0;616161{3-4}(626262|636363)

• MACROID points to a group of signatures; there can be at most 32 macro groups.

• In the example, MACROID is 12 and both D1 and D2 are members of macro group 12. D3 is a member of separate macro group 30.
• {min-max} specifies the offset range at which one of the group signatures should match; the offset range is relative to the starting offset of the preceding subsignature. This means a macro subsignature cannot be the first subsignature.

• In the example, {min-max} is {6-7} and it is relative to the start of a 616161 match.

Byte Compare Subsignatures

Introduced in ClamAV 0.101

Format: subsigid_trigger(offset#byte_options#comparisons)

Byte compare subsignatures can be used to evaluate a numeric value at a given offset from the start of another (matched) subsignature within the same logical signature. These are executed after all other subsignatures within the logical subsignature are fired, with the exception of PCRE subsignatures. They can evaluate offsets only from a single referenced subsignature, and that subsignature must give a valid match for the evaluation to occur.

• subsigid_trigger is a required field and may refer to any single non-PCRE, non-Byte Compare subsignature within the lsig. The byte compare subsig will evaluate if subsigid_trigger matches. Triggering on multiple subsigs or logic based triggering is not currently supported.

• offset is a required field that consists of an offset_modifier and a numeric offset (hex or decimal offsets are okay).

• offset_modifier can be either >> or << where the former denotes a positive offset and the latter denotes a negative offset. The offset is calculated from the start of subsigid_trigger, which allows for byte extraction before the specified match, after the match, and within the match itself.

• offset must be a positive hex or decimal value. This will be the number of bytes from the start of the referenced subsigid_trigger match within the file buffer to begin the comparison.

• byte_options are used to specify the numeric type and endianess of the extracted byte sequence in that order as well as the number of bytes to be read. By default ClamAV will attempt to matchup up to the number of byte specified, unless the e (exact) option is specified or the numeric type is b (binary). This field follows the form [h|d|a|i][l|b][e]num_bytes

• h|d|a|i where h specifies the byte sequence will be in hex, d decimal, a automatic detection of hex or decimal at runtime, and i signifies raw binary data.

• l|b where l specifies the byte sequence will be in little endian order and b big endian. If decimal d is specified, big-endian is implied and using l will result in a malformed database error.

• e specifies that ClamAV will only evaluate the comparison if it can extract the exact number of bytes specified. This option is implicitly declared when using the i flag.

• num_bytes specifies the number of bytes to extract. This can be a hex or decimal value. If i is specified only 1, 2, 4, and 8 are valid options.

• comparisons are a required field which denotes how to evaluate the extracted byte sequence. Each Byte Compare signature can have one or two comparison_sets separated by a comma. Each comparison_set consists of a Comparison_symbol and a Comparison_value and takes the form Comparison_symbolComparison_value. Thus, comparisons takes the form comparison_set[,comparison_set]

• Comparison_symbol denotes the type of comparison to be done. The supported comparison symbols are <, >, =.

• Comparison_value is a required field which must be a numeric hex or decimal value. If all other conditions are met, the byte compare subsig will evalutate the extracted byte sequence against this number based on the provided comparison_symbol.

PCRE subsignatures

Introduced in ClamAV 0.99

Format: Trigger/PCRE/[Flags]

PCRE subsignatures are used within a logical signature (.ldb) to specify regex matches that execute once triggered by a conditional based on preceding subsignatures. Signatures using PCRE subsignatures require Engine:81-255 for backwards-compatibility.

• Trigger is a required field that is a valid LogicalExpression and may refer to any subsignatures that precede this subsignature. Triggers cannot be self-referential and cannot refer to subsequent subsignatures.

• PCRE is the expression representing the regex to execute. PCRE must be delimited by ’/’ and usage of ’/’ within the expression need to be escaped. For backward compatibility, ’;’ within the expression must be expressed as ’\x3B’. PCRE cannot be empty and (?UTF*) control sequence is not allowed. If debug is specified, named capture groups are displayed in a post-execution report.

• Flags are a series of characters which affect the compilation and execution of PCRE within the PCRE compiler and the ClamAV engine. This field is optional.

• g [CLAMAV_GLOBAL] specifies to search for ALL matches of PCRE (default is to search for first match). NOTE: INCREASES the time needed to run the PCRE.

• r [CLAMAV_ROLLING] specifies to use the given offset as the starting location to search for a match as opposed to the only location; applies to subsigs without maxshifts. By default, in order to facilatate normal ClamAV offset behavior, PCREs are auto-anchored (only attempt match on first offset); using the rolling option disables the auto-anchoring.

• e [CLAMAV_ENCOMPASS] specifies to CONFINE matching between the specified offset and maxshift; applies only when maxshift is specified.

Note: DECREASES time needed to run the PCRE.

• i [PCRE_CASELESS]

• s [PCRE_DOTALL]

• m [PCRE_MULTILINE]

• x [PCRE_EXTENDED]

• A [PCRE_ANCHORED]

• E [PCRE_DOLLAR_ENODNLY]

• U [PCRE_UNGREEDY]

Examples:

Find.All.ClamAV;Engine:81-255,Target:0;1;6265676c6164697427736e6f7462797465636f6465;0/clamav/g

Find.ClamAV.OnlyAt.299;Engine:81-255,Target:0;2;7374756c747a67657473;7063726572656765786c6f6c;299:0&1/clamav/

Find.ClamAV.StartAt.300;Engine:81-255,Target:0;3;616c61696e;62756731393238;636c6f736564;300:0&1&2/clamav/r

Find.All.Encompassed.ClamAV;Engine:81-255,Target:0;3;7768796172656e2774;796f757573696e67;79617261;200,300:0&1&2/clamav/ge

Named.CapGroup.Pcre;Engine:81-255,Target:0;3;636f75727479617264;616c62756d;74657272696572;50:0&1&2/variable=(?&lt;nilshell&gt;.{16})end/gr

Firefox.TreeRange.UseAfterFree;Engine:81-255,Target:0,Engine:81-255;0&1&2;2e766965772e73656c656374696f6e;2e696e76616c696461746553656c656374696f6e;0&1/\x2Eview\x2Eselection.*?\x2Etree\s*\x3D\s*null.*?\x2Einvalidate/smi

Firefox.IDB.UseAfterFree;Engine:81-255,Target:0;0&1;4944424b657952616e6765;0/^\x2e(only|lowerBound|upperBound|bound)\x28.*?\x29.*?\x2e(lower|upper|lowerOpen|upperOpen)/smi

Firefox.boundElements;Engine:81-255,Target:0;0&1&2;6576656e742e6


Signatures for Version Information (VI) metadata in PE files

Starting with ClamAV 0.96 it is possible to easily match certain information built into PE files (executables and dynamic link libraries). Whenever you lookup the properties of a PE executable file in windows, you are presented with a bunch of details about the file itself.

These info are stored in a special area of the file resources which goes under the name of VS_VERSION_INFORMATION (or versioninfo for short). It is divided into 2 parts. The first part (which is rather uninteresting) is really a bunch of numbers and flags indicating the product and file version. It was originally intended for use with installers which, after parsing it, should be able to determine whether a certain executable or library are to be upgraded/overwritten or are already up to date. Suffice to say, this approach never really worked and is generally never used.

The second block is much more interesting: it is a simple list of key/value strings, intended for user information and completely ignored by the OS. For example, if you look at ping.exe you can see the company being "Microsoft Corporation", the description "TCP/IP Ping command", the internal name "ping.exe" and so on... Depending on the OS version, some keys may be given peculiar visibility in the file properties dialog, however they are internally all the same.

To match a versioninfo key/value pair, the special file offset anchor VI was introduced. This is similar to the other anchors (like EP and SL) except that, instead of matching the hex pattern against a single offset, it checks it against each and every key/value pair in the file. The VI token doesn’t need nor accept a +/- offset like e.g. EP+1. As for the hex signature itself, it’s just the utf16 dump of the key and value. Only the ?? and (aa|bb) wildcards are allowed in the signature. Usually, you don’t need to bother figuring it out: each key/value pair together with the corresponding VI-based signature is printed by clamscan when the --debug option is given.

For example clamscan --debug freecell.exe produces:

[...]
Recognized MS-EXE/DLL file
versioninfo_cb: type: 10, name: 1, lang: 410, rva: 9608
cli_peheader: parsing version info @ rva 9608 (1/1)
VersionInfo (d2de): 'CompanyName'='Microsoft Corporation' -
VI:43006f006d00700061006e0079004e0061006d006500000000004d006900
630072006f0073006f0066007400200043006f00720070006f0072006100740
069006f006e000000
VersionInfo (d32a): 'FileDescription'='Entertainment Pack
FreeCell Game' - VI:460069006c006500440065007300630072006900700
0740069006f006e000000000045006e007400650072007400610069006e006d
0065006e00740020005000610063006b0020004600720065006500430065006
c006c002000470061006d0065000000
VersionInfo (d396): 'FileVersion'='5.1.2600.0 (xpclient.010817
-1148)' - VI:460069006c006500560065007200730069006f006e00000000
0035002e0031002e0032003600300030002e003000200028007800700063006
c00690065006e0074002e003000310030003800310037002d00310031003400
380029000000
VersionInfo (d3fa): 'InternalName'='freecell' - VI:49006e007400
650072006e0061006c004e0061006d006500000066007200650065006300650
06c006c000000
VersionInfo (d4ba): 'OriginalFilename'='freecell' - VI:4f007200
6900670069006e0061006c00460069006c0065006e0061006d0065000000660
0720065006500630065006c006c000000
VersionInfo (d4f6): 'ProductName'='Sistema operativo Microsoft
Windows' - VI:500072006f0064007500630074004e0061006d00650000000
000530069007300740065006d00610020006f00700065007200610074006900
76006f0020004d006900630072006f0073006f0066007400ae0020005700690
06e0064006f0077007300ae000000
VersionInfo (d562): 'ProductVersion'='5.1.2600.0' - VI:50007200
6f006400750063007400560065007200730069006f006e00000035002e00310
02e0032003600300030002e0030000000
[...]


Although VI-based signatures are intended for use in logical signatures you can test them using ordinary .ndb files. For example:

my_test_vi_sig:1:VI:paste_your_hex_sig_here


Final note. If you want to decode a VI-based signature into a human readable form you can use:

echo hex_string | xxd -r -p | strings -el


For example:

echo 460069006c0065004400650073006300720069007000740069006f006e000000000045006e007400650072007400610069006e006d0065006e00740020005000610063006b0020004600720065006500430065006c006c00200047006100
6d0065000000 | xxd -r -p | strings -el
FileDescription
Entertainment Pack FreeCell Game


Icon Signatures for PE files

While Icon Signatures are stored in a .idb file, they are a feature of Logical Signatures.

ClamAV 0.96 includes an approximate/fuzzy icon matcher to help detecting malicious executables disguising themselves as innocent looking image files, office documents and the like.

Icon matching is only triggered by Logical Signatures (.ldb) using the special attribute tokens IconGroup1 or IconGroup2. These identify two (optional) groups of icons defined in a .idb database file. The format of the .idb file is:

ICONNAME:GROUP1:GROUP2:ICON_HASH


where:

• ICON_NAME is a unique string identifier for a specific icon,

• GROUP1 is a string identifier for the first group of icons (IconGroup1)

• GROUP2 is a string identifier for the second group of icons (IconGroup2),

• ICON_HASH is a fuzzy hash of the icon image

The ICON_HASH field can be obtained from the debug output of libclamav. For example:

LibClamAV debug: ICO SIGNATURE:


Extended signature format

The extended signature format is ClamAV's most basic type of body-based signature since the deprecation of the original .db database format.

Extended sigantures allow for specification of additional information beyond just hexidecimal content such as a file "target type", virus offset, or engine functionality level (FLEVEL), making the detection more reliable.

The format is:

MalwareName:TargetType:Offset:HexSignature[:min_flevel:[max_flevel]]


MalwareName: The virus name. Should conform to the standards defined here.

TargetType: A number specifying the type of the target file: Target Types

Offset: An asterisk or a decimal number n possibly combined with a special modifier:

• * = any
• n = absolute offset
• EOF-n = end of file minus n bytes

Signatures for PE, ELF and Mach-O files additionally support:

• EP+n = entry point plus n bytes (EP+0 for EP)
• EP-n = entry point minus n bytes
• Sx+n = start of section x’s (counted from 0) data plus n bytes
• SEx = entire section x (offset must lie within section boundaries)
• SL+n = start of last section plus n bytes

All the above offsets except * can be turned into floating offsets and represented as Offset,MaxShift where MaxShift is an unsigned integer. A floating offset will match every offset between Offset and Offset+MaxShift, eg. 10,5 will match all offsets from 10 to 15 and EP+n,y will match all offsets from EP+n to EP+n+y. Versions of ClamAV older than 0.91 will silently ignore the MaxShift extension and only use Offset. Optional MinFL and MaxFL parameters can restrict the signature to specific engine releases. All signatures in the extended format must be placed inside *.ndb files.

HexSignature: The body-based content matching format.

min_flevel: (optional) The minimum ClamAV engine that the file type signature works with. See the FLEVEL reference for details. To be used in the event that file type support has been recently added.

max_flevel: (optional, requires min_flevel) The maximum ClamAV engine that the file type signature works with. To be used in the event that file type support has been recently removed.

Using YARA rules in ClamAV

ClamAV can process YARA rules. ClamAV virus database file names ending with .yar or .yara are parsed as YARA rule files. The link to the YARA rule grammar documentation may be found at https://virustotal.github.io/yara/. There are currently a few limitations on using YARA rules within ClamAV:

• YARA modules are not yet supported by ClamAV. This includes the “import” keyword and any YARA module-specific keywords.

• Global rules (global keyword) are not supported by ClamAV.

• External variables(contains and matches keywords) are not supported.

• YARA rules pre-compiled with the yarac command are not supported.

• As in the ClamAV logical and extended signature formats, YARA strings and segments of strings separated by wild cards must represent at least two octets of data.

• There is a maximum of 64 strings per YARA rule.

• YARA rules in ClamAV must contain at least one literal, hexadecimal, or regular expression string.

In addition, there are a few more ClamAV processing modes that may affect the outcome of YARA rules.

• File decomposition and decompression - Since ClamAV uses file decomposition and decompression to find viruses within de-archived and uncompressed inner files, YARA rules executed by ClamAV will match against these files as well.

• Normalization - By default, ClamAV normalizes HTML, JavaScript, and ASCII text files. YARA rules in ClamAV will match against the normalized result. The effects of normalization of these file types may be captured using clamscan --leave-temps --tempdir=mytempdir. YARA rules may then be written using the normalized file(s) found in mytempdir. Alternatively, starting with ClamAV 0.100.0, clamscan --normalize=no will prevent normalization and only scan the raw file. To obtain similar behavior prior to 0.99.2, use clamscan --scan-html=no. The corresponding parameters for clamd.conf are Normalize and ScanHTML.

• YARA conditions driven by string matches - All YARA conditions are driven by string matches in ClamAV. This saves from executing every YARA rule on every file. Any YARA condition may be augmented with a string match clause which is always true, such as:

rule CheckFileSize
{
strings:
$abc = "abc" condition: ($abc or not $abc) and filesize < 200KB }  This will ensure that the YARA condition always performs the desired action (checking the file size in this example), Phishing Signatures Table of Contents Database file format PDB format This file contains urls/hosts that are target of phishing attempts. It contains lines in the following format: R[Filter]:RealURL:DisplayedURL[:FuncLevelSpec] H[Filter]:DisplayedHostname[:FuncLevelSpec]  • R Regular expression, for the concatenated URL. The last 3 characters of the regular expression cannot regex special characters and much be an exact match. • H Matches the DisplayedHostname as a simple pattern (literally, no regular expression). • The pattern can match either the full hostname. • Or a subdomain of the specified hostname. • To avoid false matches in case of subdomain matches, the engine checks that there is a dot(.) or a space( ) before the matched portion. • Filter Is ignored for R and H for compatibility reasons. • RealURL Is the URL the user is sent to, example: href attribute of an html anchor (<a> tag). • DisplayedURL Is the URL description displayed to the user, where its claimed they are sent, example: contents of an html anchor (<a> tag). • DisplayedHostname Is the hostname portion of the DisplayedURL. • FuncLevelSpec An (optional) functionality level, 2 formats are possible: • minlevel all engines having functionality level >= minlevel will load this line. • minlevel-maxlevel engines with functionality level >= minlevel, and < maxlevel will load this line. GDB format This file contains URL hashes in the following format: S:P:HostPrefix[:FuncLevelSpec] S:F:Sha256hash[:FuncLevelSpec] S1:P:HostPrefix[:FuncLevelSpec] S1:F:Sha256hash[:FuncLevelSpec] S2:P:HostPrefix[:FuncLevelSpec] S2:F:Sha256hash[:FuncLevelSpec] S:W:Sha256hash[:FuncLevelSpec]  • S: These are hashes for Google Safe Browsing - malware sites, and should not be used for other purposes. • S2: These are hashes for Google Safe Browsing - phishing sites, and should not be used for other purposes. • S1: Hashes for blocking phishing sites. Virus name: Phishing.URL.Blocked. • S:W: Locally allowed hashes. • HostPrefix 4-byte prefix of the sha256 hash of the last 2 or 3 components of the hostname. If prefix doesn’t match, no further lookups are performed. • Sha256hash sha256 hash of the canonicalized URL, or a sha256 hash of its prefix/suffix according to the Google Safe Browsing “Performing Lookups” rules. There should be a corresponding :P:HostkeyPrefix entry for the hash to be taken into consideration. To see which hash/URL matched, look at the clamscan --debug output, and look for the following strings: Looking up hash, prefix matched, and Hash matched. To ignore .gdb entries, create a local.gdb file, and adding a line S:W:<HASH>. WDB format This file contains url pairs for links that may look suspicious but are safe and should be allowed. It contains lines in the following format: X:RealURL:DisplayedURL[:FuncLevelSpec] M:RealHostname:DisplayedHostname[:FuncLevelSpec]  • X Regular expression, for the entire URL, not just the hostname. • The regular expression is by default anchored to start-of-line and end-of-line, as if you have used ^RegularExpression$

• A trailing / is automatically added both to the regex, and the input string to avoid false matches.

• The regular expression matches the concatenation of the RealURL, a colon(:), and the DisplayedURL as a single string. It doesn’t separately match RealURL and DisplayedURL!

• The last 3 characters of the regular expression cannot regex special characters and much be an exact match.

• M

Matches hostname, or subdomain of it, see notes for H above.

Hints

• Empty lines are ignored

• The colons are mandatory

• Don’t leave extra spaces on the end of a line!

• If any of the lines don’t conform to this format, ClamAV will abort with a Malformed Database Error

• See section Extraction-of-RealURL for more details on RealURL/DisplayedURL

Examples of PDB signatures

To check for phishing mails that target amazon.com, or subdomains of amazon.com:

H:amazon.com


To do the same, but for amazon.co.uk:

H:amazon.co.uk


You can limit the signatures to certain engine versions. For example...

1. Restrict so that engine versions 20 through 30 can load it, but not 31+:

H:amazon.co.uk:20-30

2. Restrict so that engine versions >= 20 can load it:

H:amazon.co.uk:20-

3. Restrict so that engine versions <= 20 can load it:

H:amazon.co.uk:0-20


In a real situation, you’d probably use the second form. A situation like that would be if you are using a feature of the signatures not available in earlier versions, or if earlier versions have bugs with your signature. Its neither case here, the above examples are for illustrative purposes only.

Examples of WDB signatures

To allow Amazon’s country specific domains and amazon.com, to mix domain names in DisplayedURL, and RealURL:

X:.+\.amazon\.(at|ca|co\.uk|co\.jp|de|fr)([/?].*)?:.+\.amazon\.com([/?].*)?:17-


Explanation of this signature:

• X:

this is a regular expression

• :17-

load signature only for engines with functionality level >= 17

The regular expression is the following (X:, :17- stripped, and a / appended)

.+\.amazon\.(at|ca|co\.uk|co\.jp|de|fr)([/?].*)?:.+\.amazon\.com([/?].*)?/


Explanation of this regular expression (note that it is a single regular expression, and not 2 regular expressions splitted at the :).

• .+

any subdomain of

• \.amazon\.

domain we are allowing (RealURL part)

• (at|ca|co\.uk|co\.jp|de|fr)

country-domains: at, ca, co.uk, co.jp, de, fr

• ([/?].*)?

recomended way to end the real-url, this protects against embedded URLs (evilurl.example.com/amazon.co.uk/)

• :

RealURL and DisplayedURL are concatenated via a :, so match a literal : here

• .+

any subdomain of

• \.amazon\.com

allowed DisplayedURL

• ([/?].*)?

recommended way to end displayed url part, to protect against embedded URLs

• /

automatically added to further protect against embedded URLs

When you add an entry, make sure you check that both domains are owned by the same entity. This signature allows links claiming to point to amazon.com (DisplayedURL), when in fact they really go to a country-specific domain of amazon (RealURL).

Example for how the URL extractor works

Consider the following HTML file:

<html>
<a href="http://1.realurl.example.com/">
1.displayedurl.example.com
</a>
<a href="http://2.realurl.example.com">
2 d<b>i<p>splayedurl.e</b>xa<i>mple.com
</a>
<a href="http://3.realurl.example.com">
3.nested.example.com
<a href="http://4.realurl.example.com">
4.displayedurl.example.com
</a>
</a>
<form action="http://5.realurl.example.com">
sometext
<img src="http://5.displayedurl.example.com/img0.gif"/>
<a href="http://5.form.nested.displayedurl.example.com">
</a>
</form>
<a href="http://6.realurl.example.com">
6.displ
<img src="6.displayedurl.example.com/img1.gif"/>
ayedurl.example.com
</a>
<a href="http://7.realurl.example.com">
<iframe src="http://7.displayedurl.example.com">
</a>


The phishing engine extract the following RealURL/DisplayedURL pairs from it:

http://1.realurl.example.com/
1.displayedurl.example.com

http://2.realurl.example.com
2displayedurl.example.com

http://3.realurl.example.com
3.nested.example.com

http://4.realurl.example.com
4.displayedurl.example.com

http://5.realurl.example.com
http://5.displayedurl.example.com/img0.gif

http://5.realurl.example.com
http://5.form.nested.displayedurl.example.com

http://5.form.nested.displayedurl.example.com

http://6.realurl.example.com
6.displayedurl.example.com

http://6.realurl.example.com
6.displayedurl.example.com/img1.gif


How matching works

RealURL, DisplayedURL concatenation

The phishing detection module processes pairs of RealURL/DisplayedURL. Matching against daily.wdb is done as follows: the RealURL is concatenated with a :, and with the DisplayedURL, then that line is matched against the lines in daily.wdb/daily.pdb

So if you have this line in daily.wdb:

M:www.google.ro:www.google.com


This href: <a href='http://www.google.ro'>www.google.com</a> then it will be allowed, but: <a href='http://images.google.com'>www.google.com</a> will not.

What happens when a match is found

In the case of the allow list, a match means that the RealURL/DisplayedURL combination is considered clean, and no further checks are performed on it.

In the case of the domain list, a match means that the RealURL/DisplayedURL is going to be checked for phishing attempts.

Furthermore you can restrict what checks are to be performed by specifying the 3-digit hexnumber.

Extraction of RealURL, DisplayedURL from HTML tags

The html parser extracts pairs of RealURL/DisplayedURL based on the following rules.

After URLs have been extracted, they are normalized, and cut after the hostname. http://test.example.com/path/somecgi?queryparameters becomes http://test.example.com/

• a

(anchor) the href is the RealURL, its contents is the DisplayedURL

• contents

is the tag-stripped contents of the <a> tags, so for example <b> tags are stripped (but not their contents)

nesting another <a> tag withing an <a> tag (besides being invalid html) is treated as a </a><a...

• form

the action attribute is the RealURL, and a nested <a> tag is the DisplayedURL.

• img/area

if nested within an <a> tag, the RealURL is the href of the a tag, and the src/dynsrc/area is the DisplayedURL of the img

if nested withing a form tag, then the action attribute of the form tag is the RealURL.

• iframe

if nested withing an <a> tag the src attribute is the DisplayedURL, and the href of its parent a tag is the RealURL.

if nested withing a form tag, then the action attribute of the form tag is the RealURL.

Example

Consider this html file:

<a href=”evilurl”>www.paypal.com</a>
<form action=”evilurl_form”>
....
</form>
<a href=”evilurl”><img src=”images.paypal.com/secure.jpg”></a>


The resulting RealURL/DisplayedURL pairs will be (note that one tag can generate multiple pairs):

• evilurl / www.paypal.com

• evilurl2 / click here to sign in

• evilurl2 / www.ebay.com

• evilurl_form / cgi.ebay.com

• cgi.ebay.com / Ebay

• evilurl / image.paypal.com/secure.jpg

Simple patterns

Simple patterns are matched literally, i.e. if you say:

www.google.com


it is going to match www.google.com, and only that. The . (dot) character has no special meaning (see the section on regexes [sec:Regular-expressions] for how the .(dot) character behaves there)

POSIX regular expressions are supported, and you can consider that internally it is wrapped by ^, and $. In other words, this means that the regular expression has to match the entire concatenated (see section RealURL,-DisplayedURL-concatenation for details on concatenation) url. It is recomended that you read section Introduction-to-regular to learn how to write regular expressions, and then come back and read this for hints. Be advised that clamav contains an internal, very basic regex matcher to reduce the load on the regex matching core. Thus it is recomended that you avoid using regex syntax not supported by it at the very beginning of regexes (at least the first few characters). Currently the clamav regex matcher supports: • . (dot) character • \ (escaping special characters) • | (pipe) alternatives • [] (character classes) • () (parenthesis for grouping, but no group extraction is performed) • other non-special characters Thus the following are not supported: • + repetition • * repetition • {} repetition • backreferences • lookaround • other “advanced” features not listed in the supported list ;) This however shouldn’t discourage you from using the “not directly supported features “, because if the internal engine encounters unsupported syntax, it passes it on to the POSIX regex core (beginning from the first unsupported token, everything before that is still processed by the internal matcher). An example might make this more clear: *www$$\backslash$$.google$$\backslash$$.(com|ro|it) ($a-zA-Z$)+$$\backslash$$.google$$\backslash$$.(com|ro|it)*  Everything till ($a-zA-Z$)+ is processed internally, that parenthesis (and everything beyond) is processed by the posix core. Examples of url pairs that match: • www.google.ro images.google.ro • www.google.com images.google.ro Example of url pairs that don’t match: • www.google.ro images1.google.ro • images.google.com image.google.com Flags Flags are a binary OR of the following numbers: FlagValue HOST_SUFFICIENT1 DOMAIN_SUFFICIENT2 DO_REVERSE_LOOKUP4 CHECK_REDIR8 CHECK_SSL16 CHECK_CLOAKING32 CLEANUP_URL64 CHECK_DOMAIN_REVERSE128 CHECK_IMG_URL256 DOMAINLIST_REQUIRED512 The names of the constants are self-explanatory. These constants are defined in libclamav/phishcheck.h, you can check there for the latest flags. There is a default set of flags that are enabled, these are currently: ( CLEANUP_URL | CHECK_SSL | CHECK_CLOAKING | CHECK_IMG_URL )  ssl checking is performed only for a tags currently. You must decide for each line in the domain list if you want to filter any flags (that is you don’t want certain checks to be done), and then calculate the binary OR of those constants, and then convert it into a 3-digit hexnumber. For example you devide that domain_sufficient shouldn’t be used for ebay.com, and you don’t want to check images either, so you come up with this flag number: 2|256 => 258(decimal) => 102(hexadecimal) So you add this line to daily.wdb: R102 www.ebay.com .+  Introduction to regular expressions Recomended reading: Special characters • [ the opening square bracket - it marks the beginning of a character class, see sectionCharacter-classes • \ the backslash - escapes special characters, see section Escaping • ^ the caret - matches the beginning of a line (not needed in clamav regexes, this is implied) • $

the dollar sign - matches the end of a line (not needed in clamav regexes, this is implied)

• .

the period or dot - matches any character

• |

the vertical bar or pipe symbol - matches either of the token on its left and right side, see Alternation

• ?

the question mark - matches optionally the left-side token, see Optional-matching, and Repetition

• *

the asterisk or star - matches 0 or more occurences of the left-side token, see Optional-matching, and Repetition

• +

the plus sign - matches 1 or more occurences of the left-side token, see Optional-matching, and Repetition

• (

the opening round bracket - marks beginning of a group, see section Groups

• )

the closing round bracket - marks end of a group, see sectionGroups

Escaping

Escaping has two purposes:

• It allows you to actually match the special characters themselves, for example to match the literal +, you would write \+

• It also allows you to match non-printable characters, such as the tab (\t) and newline (\n)

However since non-printable characters are not valid inside an url, you won’t have a reason to use them.

Groups

Groups are usually used together with repetition, or alternation. For example: (com|it)+ means: match 1 or more repetitions of com or it, that is it matches: com, it, comcom, comcomcom, comit, itit, ititcom,... you get the idea.

Groups can also be used to extract substring, but this is not supported by the ClamAV, and not needed either in this case.

How to create database files

How to create and maintain the allow list (daily.wdb)

If the phishing code claims that a certain mail is phishing, but it's not, you have 2 choices:

• Examine your rules daily.pdb, and fix them if necessary (see: How to create database files)

• Add it to the allow list (discussed here)

Lets assume you are having problems because of links like this in a mail:

<a href=''http://69.0.241.57/bCentral/L.asp?L=XXXXXXXX''>
http://www.bcentral.it/
</a>


After investigating those sites further, you decide they are no threat, and create a line like this in daily.wdb:

R http://www$$\backslash$$.bcentral$$\backslash$$.it/.+
http://69$$\backslash$$.0$$\backslash$$.241$$\backslash$$.57/bCentral/L$$\backslash$$.asp?L=.+


Note: urls like the above can be used to track unique mail recipients, and thus know if somebody actually reads mails (so they can send more spam). However since this site required no authentication information, it is safe from a phishing point of view.

How to create and maintain the domain list (daily.pdb)

When not using --phish-scan-alldomains (production environments for example), you need to decide which urls you are going to check.

Although at a first glance it might seem a good idea to check everything, it would produce false positives. Particularly newsletters, ads, etc. are likely to use URLs that look like phishing attempts.

Lets assume that you’ve recently seen many phishing attempts claiming they come from Paypal. Thus you need to add paypal to daily.pdb:

R .+ .+$$\backslash$$.paypal$$\backslash$$.com


The above line will block (detect as phishing) mails that contain urls that claim to lead to paypal, but they don’t in fact.

Be careful not to create regexes that match a too broad range of urls though.

Dealing with false positives, and undetected phishing mails

False positives

Whenever you see a false positive (mail that is detected as phishing, but its not), ou might need to modify daily.pdb (if one of yours rules in there are too broad), or you need to add the url to daily.wdb. If you think the algorithm is incorrect, please file a bug report.

Undetected phish mails

If the mail is detected, if yes, then you need to add an appropriate line to daily.pdb (see How to create database files).

If the mail is not detected, then try using:

$clamscan/clamscan --debug undetected.eml | less  Then see what urls are being checked, see if any of them is in an allow list, see if all urls are detected, etc. Bytecode Signatures Bytecode Signatures are the means by which more complex matching can be performed by writing C code to parse sample content at various stages in file extraction. It is less complicated than it sounds. Essentially the signature author writes a function in C is compiled down to an intermediate language called "bytecode". This bytecode is encoded in ASCII .cbc file and distributed in bytecode.[cvd|cld]. When the database is loaded, ClamAV can interpret this bytecode to execute the function. Bytecode functions are provided with a set of APIs that may be used to access the sample data, and to access what metadata ClamAV already has concerning the sample. The function may at any time call an API to flag the sample as malicious, and may provide the signature/virus name at that time. This means a single bytecode signature (function) is written to handle a given file type and may trigger different alerts with different signature names as additional malicious characteristics for the file type are identified. That isn't to say that only one bytecode signature may be assigned to a given filetype, but that a single author may find it to be more efficient to use a bytecode signature to identify more than one type of malware. The specifics on how to write and compile bytecode signatures are outside of the scope of this documentation. Extensive documentation on ClamAV Bytecode Signatures are provided with the ClamAV Bytecode Compiler. Signatures based on container metadata ClamAV 0.96 allows creating generic signatures matching files stored inside different container types which meet specific conditions. The signature format is:  VirusName:ContainerType:ContainerSize:FileNameREGEX: FileSizeInContainer:FileSizeReal:IsEncrypted:FilePos: Res1:Res2[:MinFL[:MaxFL]]  where the corresponding fields are: • VirusName: Virus name to be displayed when signature matches. • ContainerType: The file type containing the target file. For example: • CL_TYPE_ZIP, • CL_TYPE_RAR, • CL_TYPE_ARJ, • CL_TYPE_MSCAB, • CL_TYPE_7Z, • CL_TYPE_MAIL, • CL_TYPE_(POSIX|OLD)_TAR, • CL_TYPE_CPIO_(OLD|ODC|NEWC|CRC) Use * as a wild card to indicate that container type may be any file type. For a full list of ClamAV file types, see the ClamAV File Types Reference. • ContainerSize: size of the container file itself (eg. size of the zip archive) specified in bytes as absolute value or range x-y. • FileNameREGEX: regular expression describing name of the target file • FileSizeInContainer: usually compressed size; for MAIL, TAR and CPIO == FileSizeReal; specified in bytes as absolute value or range. • FileSizeReal: usually uncompressed size; for MAIL, TAR and CPIO == FileSizeInContainer; absolute value or range. • IsEncrypted: 1 if the target file is encrypted, 0 if it’s not and * to ignore • FilePos: file position in container (counting from 1); absolute value or range. • Res1: when ContainerType is CL_TYPE_ZIP or CL_TYPE_RAR this field is treated as a CRC sum of the target file specified in hexadecimal format; for other container types it’s ignored. • Res2: not used as of ClamAV 0.96. The signatures for container files are stored inside .cdb files. Passwords for archive files [experimental] ClamAV allows for users to specify password attempts for certain password-compatible archives. Passwords will be attempted in order of appearance in the password signature file which use the extension of .pwdb. If no passwords apply or none are provided, ClamAV will default to the original behavior of parsing the file. Currently, as of ClamAV 0.99 [flevel 81], only .zip archives using the traditional PKWARE encryption are supported. The signature format is: SignatureName;TargetDescriptionBlock;PWStorageType;Password  where: • SignatureName: name to be displayed during debug when a password is successful • TargetDescriptionBlock: provides information about the engine and target file with comma separated Arg:Val pairs • Engine:X-Y: Required engine functionality level. See the FLEVEL reference for details. • Container:CL_TYPE_*: File type of applicable containers • PWStorageType: determines how the password field is parsed • 0 = cleartext • 1 = hex • Password: value used in password attempt The signatures for password attempts are stored inside .pwdb files. ClamAV Development This chapter aims to provide information useful when developing, debugging, or profiling ClamAV. Pull Request Basics If you're new to open source software development on GitHub, take a moment to read this quick introduction on GitHub Pull Requests. ClamAV Git Work Flow ClamAV's Git work flow isn't too complicated, but it is unique. See this section to get a better understanding of how we use Git. Working with Your Fork New core developers and community contributors can follow these steps to prepare an environment to work on ClamAV development. Reviewing Pull Requests If you need to review a pull request, it's best to not only eyeball the changes and review the test logs, but to also build and test the PR manually on your own computer. This section will help you check out someone else's PR so you can test it. Building for Development Basic instructions for building ClamAV can be in the Installing chapter and a comprehensive reference for compiling ClamAV with CMake is available in the INSTALL.md file accompanying the source code, but if you want a few extra tips on building ClamAV for development purposes, check this out. Dev Tips & Tricks This section contains a varied assortment of techniques you can use when coding on ClamAV to up your development game. libclamav Are you interested in using libclamav to scan for malware in your own C/C++ application? This section introduces the most important functions of the libclamav API. For a more comprehensive reference, inline documention can be found in the clamav.h header distributed with libclamav. Contribute If you're interested in contributing to ClamAV, we've assembled a page of bugs that need fixing as well as other project ideas that we feel might be great new-contributor projects. If you're looking for project ideas, check out the project ideas list to find out how you might be able to help out the project! GitHub Pull Request Basics Like most projects on GitHub, we use a pull request (PR) work flow for contributions to the clamav Git repository. This is true both for contributions from the community as well as for those from the core development team here at Cisco. Historically, our team PRs have been reviewed and merged on an internal upstream Git repository, though we are now migrating to do all work on GitHub directly, with a private backup fork of the project used exclusively for review of security-related fixes and in preparation of each security patch version release. The general pattern for working with Pull Requests on GitHub is this: 1. You create a fork of the project repository on GitHub. 2. You clone (download) a copy of your fork on your computer. 3. In your local fork, you create a new branch for the feature or bug fix. 4. For each change, you create a Git commit. Your commits may include incomplete work as you're going, so you can save your work each day, in the end you should edit or squash those commits down so that each of your commits represent a single completed task and that the build is never broken for any given commit. 5. You push your commits to your remote fork on GitHub as needed, both to back up your work and to prepare for submitting a pull request for team review. If you've pushed commits and then edited or squashed those commits, you may have a conflict and may need to "force push" in order to update your remote fork. 6. When ready, submit a pull request, either by using the link provided by Git when you do a push, or by using the GitHub website. Use the pull request description to include instructions for how to test your changes! 7. There are also some automated tests that get run when you submit a pull request, but you may need to re-run them if something goes wrong with the test infrastructure. Review the test results and work with the other developers to fix any issues with your pull request so it can be approved and merged. If you're new to all of this, have a look at GitHub's flow guide for their general recommendations on a basic PR work flow. Then continue in the next section to learn about ClamAV's work flow. ClamAV Git Work Flow ClamAV's Git work flow isn't very complicated, but it is more structured than most. It looks like this. Note that in the diagrams below, merged branches are regular merges and will add all of the commits from the source branch to the destination branch. The diagram doesn't show all the merged commits, for simplicity: dev/0.102, dev/0.103, and dev/0.104: The development branchs. During development, each are set to be the "default" branch. testing is done in pull-requests (PR's), so this branch should be stable, though we make no guarantees. We have found that having a different default branch for each feature development has not been as helpful as originally thought. We will be stopping this pratice after dev/0.104 is complete. See "Coming soon", below. master: The master branch was intended to always be stable and to be updated as needed from the feature development branches after extensive testing demonstrated that it was truly stable. However, in practice this wasn't useful and so we mostly stopped using master except to update it between feature releases. This is another reason for our upcoming work flow change. rel/0.102, rel/0.103: Feature release branches. These always contain the latest stable patch versions for each feature release. When development on a feature release (E.g. dev/0.102) or a patch release (E.g. dev/0.102.1) is complete, they are merged here and tagged. dev/0.102.1: A development branch used to test hotfixes prior to a patch release sec/dev/0.102.1: A private development branch used to test security-related hotfixes prior to a patch release. This branch will be rebased like any feature branch as needed up until the release at which point it is merged into the dev/0.102.1 branch and the dev/0.102.1 branch is merged into the rel/0.102 branch and tagged as "clamav-0.102.1". feature/blah: A long-running branch for adding a major feature. It may be rebased several times with the default branch before it is ready to merge. CLAM-####-description, issue-####-description, bb####-description: A branch for working a JIRA task, GitHub issue, or Bugzilla Bug. These are typically only found in a personal fork and appear as pull requests from the fork to the upstream clamav repository. Pull requests are ALWAYS rebased before being merged, to maintain a linear history. Coming soon: As mentioned above, the default branch will be changing. After 0.104.0 has been published, we will stop using dev/* branches for feature development work, after which all new development will be done in a main branch (replacing master). The new Git work flow will then look like this: main: the development branch. testing is done in pull-requests (PR's), so this branch should be stable, though we make no guarantees. rel/0.104, rel/1.0: Feature release branches. These always contain the latest stable patch versions for each feature release. When development on a feature release (E.g. dev/0.104) or a patch release (E.g. dev/0.104.1) is complete, they are merged here and tagged. dev/0.104.1: A development branch used to test hotfixes prior to a patch release sec/dev/0.104.1: A private development branch used to test security-related hotfixes prior to a patch release. This branch will be rebased like any feature branch as needed up until the release at which point it is merged into the dev/0.104.1 branch and the dev/0.104.1 branch is merged into the rel/0.104 branch and tagged as "clamav-0.104.1". feature/blah: A long-running branch for adding a major feature. It may be rebased several times with the default branch before > it is ready to merge. CLAM-####-description, issue-####-description, bb####-description: A branch for working a JIRA task, GitHub issue, or Bugzilla Bug. These are typically only found in a personal > fork and appear as pull requests from the fork to the upstream clamav repository. Working with a Your Own Fork of the ClamAV repository A "fork" on GitHub is a personal playground. Though the word "fork" in the concept of open source traditionally referred to creating (and maintaining) a new variant of a project, forks on GitHub/GitLab/BitBucket/etc these days typically refer to a personal copy of the project where a user can test modifications to fix a bug or add a feature before contributing it back to the project in the form of a "pull request". Create and Maintain a Personal Fork You may only have one for any project, but it is very easy to create: You can rename it as needed so you won't confused a clone of your fork with that of the upstream clamav repository. Go to the "Settings" page and change the name to add your name in a suffix: You're free to add or delete branches in your fork as you see fit, but I would advise against adding your own commits to the existing branches. The existing branches, particularly the default branch* are a reference from which you can create your own branches for your work. Adding your own commits to the existing branches will break your ability to synchronize with the upstream Cisco-Talos/clamav repository, and without more advanced Git experience you won't be able to correct it. Tip: If you've managed to screw up the commit history in your fork to the point where you don't know how to fix it, you can always delete your fork and create a new one. Your fork is a snapshot of the upstream clamav repository at the moment at which you created it. Left unmaintained, your fork's default branch will get left behind. Unlike BitBucket, GitHub will not sync branches for you automatically. If your branch is behind, it is simple to sync the branch on your fork using GitHub's GUI by pressing the "Fetch Upstream" button: You can sync other branches too. Simply switch branches to the desired branch and press "Fetch Upstream" again. Disclaimer: The ClamAV project has a history of changing default branches for development on each feature version. We've found that this causes more trouble than it is worth, and we intend to stop doing that after 0.104. Right now, the default branch is dev/0.104. After 0.104 is complete, it will be changed to main and we'll stop changing it. For more details, see the work flow changes in the section below. Tip: After we change the default branch for Cisco-Talos/clamav to main, you'll need to change your default branch too (it won't switch in your fork just because we changed the default in the upstream repo). Working with a Clone of your Fork on the Command Line If you don't already have an SSH key for your GitHub account, I recommend creating one. Navigate to your Account Settings and under SSH and GPG keys, click the "New SSH key" button. If you're unfamiliar with how to generate an SSH key, there's a nearby link "generating SSH keys" with additional instructions. Next, clone your ClamAV fork. Use the "Code" button on the default page for your fork to copy the "SSH" URL. If you don't want to use an SSH key for GitHub authentication, use the HTTPS URL instead: Now open up a terminal and type: git clone <paste that Git URL> cd clamav-YourNameHere  Create a branch off of the default branch where you will work. If working on a GitHub Issue, Bugzilla Bug, or JIRA task*, the following branch name prefixes will help you and others identify the branch: • For GitHub Issues: issue-####-short-description • For Bugzilla Bugs: bb-####-short-description • For JIRA task: CLAM-####-short-description Note: *The ClamAV JIRA task tracker is not accessible outside of the Cisco network. Create your working branch: git checkout -b issue-####-short-description  You're now ready to make edits to the source. Be sure your changes match our code format style. The easiest way is to install clang-format and enable "Format On Save" in your text editor. When you have made your changes, run: git add -u git commit  Leave a meaningful git commit message that has a high-level descriptive title, and a more technical message body describing why the change was needed what your commit does to resolve it. Run this to upload your commit to your fork on GitHub: git push -u origin <the_name_of_your_branch>  The -u origin argument will enable tracking between your local branch and your remote branch. In the future you will only need to do git push and it will know where to push it. Reviewing & Testing Pull Requests The tools available on GitHub are fantastic for reviewing code changes, but less so for checking out those code changes on your local machine to build and test them. With a simple tweak to your .git/config file in a clone of the Cisco-Talos/clamav repository, you can simply check out another developer's pull request as a branch to build and test it. First, if you don't already have a clone of the upstream repository, do this: git clone https://github.com/Cisco-Talos/clamav.git  Then, in your favorite text editor, open .git/config and add the following line at the end of the [remote "origin"] section. Don't delete or replace anything, just add the following line: fetch = +refs/pull/*/head:refs/remotes/origin/PR-*  Tip: The above works for GitHub Cloud and GitHub Enterprise servers. If you happen to work with GitLab or BitBucket, you can do this instead for the same effect: For BitBucket repos: fetch = +refs/pull-requests/*/from:refs/remotes/origin/PR-*  For GitLab repos: fetch = +refs/merge-requests/*/head:refs/remotes/origin/PR-*  Now you may run the following to test the pull request. Substitute # with the pull request number found on the website: git fetch git checkout PR-#  At this point, you should find yourself in a branch containing the PR contributor's changes. Building for Development The following are instructions for building ClamAV using CMake or Autotools with recommendations specific to ClamAV software development. Satisfying Build Dependencies To satisify all build dependencies: Debian Install build tools: sudo apt-get install -y \ autoconf automake libtool m4 \ bison flex gcc g++ make man-db ninja-build pkg-config \ git valgrind  To build with CMake you will also need to install cmake. CMake 3.13+ is required, so older systems may have better luck installing a modern verson via Python's pip package manager rather than using apt/apt-get. sudo apt-get install -y python3-pip python3 -m pip install --user cmake ~ or ~ sudo apt-get install -y cmake  Install ClamAV dependencies: sudo apt-get install -y check libbz2-dev libcurl4-openssl-dev libjson-c-dev libmilter-dev libncurses5-dev libpcre2-dev libssl-dev libxml2-dev zlib1g-dev  Ubuntu Tip: You may wish to set DEBIAN_FRONTEND=noninteractive if scripting the following so that the install will not hang while prompting you to select your geographic area. sudo export DEBIAN_FRONTEND=noninteractive  Install build tools: sudo apt-get install -y \ autoconf automake libtool m4 \ bison flex gcc g++ make man-db ninja-build pkg-config \ git valgrind  To build with CMake you will also need to install cmake. CMake 3.13+ is required, so older systems may have better luck installing a modern version via Python's pip package manager rather than using apt/apt-get. sudo apt-get install -y python3-pip python3 -m pip install --user cmake ~ or ~ sudo apt-get install -y cmake  Install ClamAV dependencies: sudo apt-get install -y check libbz2-dev libcurl4-openssl-dev libjson-c-dev libmilter-dev libncurses5-dev libpcre2-dev libssl-dev libxml2-dev zlib1g-dev  Fedora Install build tools: sudo dnf install -y \ autoconf automake libtool m4 \ bison flex gcc gcc-c++ make man-db ninja-build pkg-config \ git valgrind  To build with CMake you will also need to install cmake. CMake 3.13+ is required, so older systems may have better luck installing a modern version via Python's pip package manager rather than using dnf. sudo dnf install -y python3-pip python3 -m pip install --user cmake ~ or ~ sudo dnf install -y cmake  Install ClamAV dependencies: sudo dnf install -y bzip2-devel check-devel json-c-devel libcurl-devel libtool-ltdl-devel libxml2-devel ncurses-devel openssl-devel pcre2-devel sendmail-devel zlib-devel  CentOS/RHEL Install build tools: sudo dnf --enablerepo=PowerTools install -y \ autoconf automake libtool m4 \ bison flex gcc gcc-c++ make man-db ninja-build pkg-config \ git valgrind  To build with CMake you will also need to install cmake. CMake 3.13+ is required, so older systems may have better luck installing a modern version via Python's pip package manager rather than using dnf. sudo dnf install -y python3-pip python3 -m pip install --user cmake ~ or ~ sudo dnf --enablerepo=PowerTools install -y cmake  Install ClamAV dependencies: sudo dnf --enablerepo=PowerTools install -y bzip2-devel check-devel json-c-devel libcurl-devel libxml2-devel ncurses-devel openssl-devel pcre2-devel sendmail-devel zlib-devel  Solaris (using OpenCSW) Install build tools: sudo /opt/csw/bin/pkgutil -y -i \ common coreutils \ automake autoconf libtool \ gmake cmake libgcc_s1 libstdc++6 ggrep gsed pkgconfig ggettext gcc4core gcc4g++ libgcc_s1 libgccpp1 sudo pkg install system/header sudo ln -sf /opt/csw/bin/gnm /usr/bin/nm sudo ln -sf /opt/csw/bin/gsed /usr/bin/sed sudo ln -sf /opt/csw/bin/gmake /usr/bin/make  Install ClamAV dependencies: sudo /opt/csw/bin/pkgutil -y -i libxml2_2 libxml2_dev bzip2 libbz2_dev libcheck0 libcheck_dev libssl1_0_0 libssl_dev openssl_utils libiconv2 zlib1 libpcre1 libltdl7 lzlib_stub zlib_stub libmilter  If you receive an error message like gcc: error: /opt/csw/lib/libstdc++.so: No such file or directory, change versions with /opt/csw/sbin/alternatives --config automake FreeBSD Install build tools: sudo pkg install -y \ autoconf automake libtool m4 \ bison flex gmake cmake pkgconf \ git  Install ClamAV dependencies: sudo pkg install -y bzip2 check curl json-c libmilter libxml2 ncurses pcre2  macOS Install Homebrew: /bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install.sh)"


Install Xcode command line tools (without Xcode):

xcode-select --install


Install build tools:

brew install \
autoconf automake libtool m4 \
bison flex cmake pkg-config \
git


Install ClamAV dependencies:

brew install bzip2 check curl-openssl json-c libxml2 ncurses openssl@1.1 pcre2 zlib


Windows

Install Windows Terminal.

Install Git for Windows.

You may also wish to install Visual Studio Code for a modern code editor (recommended for dev on any operating system).

Chocolatey is a great application package manager for Windows that makes it easy to install stuff on Windows. After you install Chocolatey, you can use it to install CMake and WiX simply like this:

choco install cmake wixtoolset


If you want to build the installer, you'll also need WiX Toolset. If not, you can skip it.

We support two options for sourcing and building ClamAV library dependencies:

For basic builds, vcpkg should do just fine, and is easier to get started.

If you want to customize how the dependencies are built, use Mussels. The ClamAV project uses Mussels to build the installers available on our website. The recipes to build the ClamAV dependencies, the definitions for finding and using the required development tools are hosted in the ClamAV Mussels Cookbook.

If you don't already have the source, use Git to clone it.

If you intend to make changes and submit a pull request, fork the Cisco-Talos/clamav repo first and then clone your fork of the repository instead.

git clone https://github.com/Cisco-Talos/clamav.git
cd clamav


Building ClamAV with CMake (v0.104 and newer)

CLamAV versions 0.103+ provide CMake build tooling. In 0.103, this is for experimental and development purposes only. Autotools should be used for production builds. In 0.104+, CMake is the only build system. Autotools and Visual Studio build systems have been removed.

The following will help you get started, but for FULL details on how to use CMake to build ClamAV, see the INSTALL.md file located in the clamav repository.

Ninja Build is recommended when doing development work. Builds using Ninja are significantly faster, both on Unix and Windows systems.

The following instructions assume you have installed CMake, Ninja, and either GCC, Clang, or Visual Studio 2015 or newer.

Linux/Unix

cmake .. -G Ninja                   \
-D CMAKE_BUILD_TYPE="Debug"     \
-D OPTIMIZE=OFF                 \
-D CMAKE_INSTALL_PREFIX=install \
-D ENABLE_MILTER=ON             \
-D ENABLE_EXAMPLES=ON           \
-D ENABLE_STATIC_LIB=ON         \
-D ENABLE_SYSTEMD=OFF           \
&& ninja && ninja install


Windows

vcpkg can be used to build the ClamAV library dependencies automatically. See the vcpkg README for installation instructions.

Once installed, set the variable $VCPKG_PATH to the location where you installed vcpkg: $VCPKG_PATH="..." # Path to your vcpkg installation


By default, CMake and vcpkg build for 32-bit. If you want to build for 64-bit, set the VCPKG_DEFAULT_TRIPLET environment variable:

$env:VCPKG_DEFAULT_TRIPLET="x64-windows"  Now run the following to build ClamAV's library dependencies: & "$VCPKG_PATH\vcpkg" install 'curl[openssl]' 'json-c' 'libxml2' 'pcre2' 'pthreads' 'zlib' 'pdcurses' 'bzip2' 'check'


Finally, you can use the following to build ClamAV using Ninja for super fast builds. Replace "2019" and "Community" with different versions or editions as needed to match your Visual Studio installation.

Configure (generate the build system):

pushd "C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\Common7\Tools"
cmd /c "VsDevCmd.bat -arch=amd64 & set" |
foreach {
if ($_ -match "=") {$v = $_.split("="); set-item -force -path "ENV:\$($v[0])" -value "$($v[1])" } } popd Write-Host "nVisual Studio 2019 Command Prompt variables set." -ForegroundColor Yellow cmake .. -G Ninja  -D CMAKE_BUILD_TYPE="Debug"  -D CMAKE_TOOLCHAIN_FILE="$VCPKG_PATH\scripts\buildsystems\vcpkg.cmake"  
-D CMAKE_INSTALL_PREFIX="install"


Build:

ninja


Install (to the CMAKE_INSTALL_PREFIX directory):

ninja install


Tip: I like to place the "Configure" script in a configure.ps1 script file in my home directory. This way I can simply run ~\configure.ps1 followed by ninja to do a build.

Testing with CTest

ClamAV version 0.104+ will include unit tests, integration tests, & feature tests performed via CMake's ctest toolset. All tests are executed within through ctest but within a Python test framework build around Python's unittest module. See clamav/unit_tests/testcase.py. Python 3.5+ is required.

Note: Valgrind tests are performed on Linux if Valgrind is installed.

Unit Tests

The libclamav unit tests use the libcheck framework. There are presently no unit tests for libfreshclam. See clamav/unit_tests/check_clamav.c for the libclamav unit tests.

Integration Tests

ClamAV is presently light on integration tests for libclamav, though you may think of the application feature as integration tests, because the apps integrate libclamav. Tests for additional features not easily exercised via the existing applications could be added by creating new example applications in clamav/examples and exercising those programs in new CTest tests. See clamav/unit_tests/CMakeLists.txt and clamav/examples/CMakeLists.txt for details.

Feature Tests

ClamAV primarily has feature tests for ClamD and ClamScan, though basic version tests do exist for FreshClam and SigTool as well. See clamav/unit_tests/CMakeLists.txt and clamav/unit_tests/clamscan_test.py for an example.

Building ClamAV with Autotools (v0.103 and older)

Running autogen.sh

ClamAV versions 0.103+ will require you to run autogen.sh before running configure when building from a git clone. The files generated by Autotools, such as configure, are no longer stored in the Git repo. When you run autogen.sh it will generate those files for you.

./autogen.sh


Running configure

To ensure that build artifacts don't clutter the source code directory, create a subdirectory named build.

mkdir build
cd build


For a basic build, just run ../configure. If you've installed the dependencies with your platforms respective package manager, it should detect the dependencies automatically. macOS users will need to use this option to properly detect openssl --with-openssl=/usr/local/opt/openssl@1.1.

Run ../configure --help to see a full list of options. The following suggestions will help you get started:

• Modify the CFLAGS, CXXFLAGS, OBJCFLAGS variables as follows (assuming you're build with gcc):

• Include gdb debugging information (-ggdb). This will make it easier to debug with gdb.

• Disable optimizations (-O0). This will ensure the line numbers you see in gdb match up with what is actually being executed.

Example:

CFLAGS="-ggdb -O0" CXXFLAGS="-ggdb -O0" OBJCFLAGS="-ggdb -O0" ../configure


NOTE: Setting OBJCFLAGS is needed because currently, clamsubmit gets built with the Objective-C compiler. See this Stack Overflow post for a discussion of why this occurs.

• Run configure with the following options:

• --prefix=pwd/../installed: This will cause make install to install into the specified directory (a directory named installed in the root of the ClamAV source code directory).

• --enable-debug: This will define CL_DEBUG, which mostly just enables additional print statements that are useful for debugging.

• --enable-check: Enables the unit tests, which can be run with make check.

• --enable-coverage: If using gcc, sets -fprofile-arcs -ftest-coverage so that code coverage metrics will get generated when the program is run. Note that the code inserted to store program flow data may show up in any generated flame graphs or profiling output, so if you don't care about code coverage, omit this.

• --enable-libjson: Enables libjson, which enables the --gen-json option. The json output contains additional metadata that might be helpful when debugging.

• --with-systemdsystemunitdir=no: Don't try to register clamd as a systemd service (on systems that use systemd). You likely don't want this development build of clamd to register as a service, and this eliminates the need to run make install with sudo.

• You might want to include the following flags also so that the optional functionality is enabled: --enable-experimental --enable-clamdtop --enable-milter --enable-xml --enable-pcre. Note that this may require you to install additional development libraries.

• --enable-llvm --with-system-llvm=no: When LLVM is enabled, LLVM provides the capability to just-in-time compile ClamAV bytecode signatures. Without LLVM, ClamAV uses a built-in bytecode interpreter to execute bytecode signatures. With LLVM, options, "system LLVM" and "internal LLVM". The bytecode interpreter is somewhat slower than using LLVM, though the results are the same. At present only LLVM versions up to LLVM 3.6.2 are supported by ClamAV, and LLVM 3.6.2 is old enough that newer distributions no longer provide it. Therefore, we recommend using the --enable-llvm --with-system-llvm=no configure option to use the "internal LLVM". It is worth noting that the internal LLVM can take a while to build, and that the JIT compilation process for loading bytecode signatures also takes a while when starting clamd or clamdscan. For compile speed and clamscan load speed, you may wish to instead ouse --disable-llvm.

Altogether, the following configure command can be used:

CFLAGS="-ggdb -O0" CXXFLAGS="-ggdb -O0" OBJCFLAGS="-ggdb -O0" ../configure --prefix=pwd/../installed --enable-debug --enable-check --enable-coverage --enable-libjson --with-systemdsystemunitdir=no --enable-experimental --enable-clamdtop --enable-xml --enable-pcre --enable-llvm --with-system-llvm=no


NOTE: It is possible to build libclamav as a static library and have it statically linked into clamscan/clamd (to do this, run ../configure with --enable-static --disable-shared). This is useful for using tools like gprof that do not support profiling code in shared objects. However, there are two drawbacks to doing this:

• clamscan/clamd will not be able to extract files from RAR archives. Based on the software license of the unrar library that ClamAV uses, the library can only be dynamically loaded. ClamAV will attempt to dlopen the unrar library shared object and will continue on without RAR extraction support if the library can't be found (or if it doesn't get built, which is what happens if you indicate that shared libraries should not be built).

• If you make changes to libclamav, you'll need to make clean, make, and make install again to have clamscan/clamd rebuilt using the new libclamav.a. The makefiles don't seem to know to rebuild clamscan/clamd when libclamav.a changes (TODO, fix this).

Running make

Run the following to finishing building. -j2 in the code below is used to indicate that the build process should use 2 cores. Increase this if your machine is more powerful.

make -j2
make install


The ClamAV executables will get installed in ../installed/bin/, so to invoke clamscan do:

cd ..
./installed/bin/clamscan


Testing with make check

You can run make check to run the unit tests and feature tests.

Unlike with the CTest tool used for CMake builds, you must use make check VG=1 if you wish to run extra tests using Valgrind (must be installed).

Development Tips & Tricks

The following are a collection of tips that may help you be a more productive ClamAV developer.

If you plan to use custom rules for testing, you can invoke clamscan via ./installed/bin/clamscan, specifying your custom rule files via -d parameters.

If you want to download the official ruleset to use with clamscan, do the following:

1. Run mkdir -p installed/share/clamav
2. Comment out line 8 of etc/freshclam.conf.sample
3. Run ./installed/bin/freshclam --config-file etc/freshclam.conf.sample

General Debugging

NOTE: Some of the debugging/profiling tools mentioned in the sections below are specific to Linux

Useful clamscan Flags

The following are useful flags to include when debugging clamscan:

• --debug --verbose: Print lots of helpful debug information

• --gen-json: Print some additional debug information in a JSON format

• --statistics=pcre --statistics=bytecode: Print execution statistics on any PCRE and bytecode rules that were evaluated

• --dev-performance: Print per-file statistics regarding how long scanning took and the times spent in various scanning stages

• --alert-broken: This will attempt to detect broken executable files. If an executable is determined to be broken, some functionality might not get invoked for the sample, and this could be an indication of an issue parsing the PE header or file. This causes those binary to generate an alert instead of just continuing on. This flag replaces the --detect-broken flag from releases prior to 0.101.

• --max-filesize=2000M --max-scansize=2000M --max-files=2000000 --max-recursion=2000000 --max-embeddedpe=2000M --max-htmlnormalize=2000000 --max-htmlnotags=2000000 --max-scriptnormalize=2000000 --max-ziptypercg=2000000 --max-partitions=2000000 --max-iconspe=2000000 --max-rechwp3=2000000 --pcre-match-limit=2000000 --pcre-recmatch-limit=2000000 --pcre-max-filesize=2000M --max-scantime=2000000:

Effectively disables all file limits and maximums for scanning. This is useful if you'd like to ensure that all files in a set get scanned, and would prefer clam to just run slowly or crash rather than skip a file because it encounters one of these thresholds

The following are useful flags to include when debugging rules that you're writing:

• -d: Allows you to specify a custom ClamAV rule file from the command line

• --bytecode-unsigned: If you are testing custom bytecode rules, you'll need this flag so that clamscan actually runs the bytecode signature

• --all-match: Allows multiple signatures to match on a file being scanned

• --leave-temps --tmpdir=/tmp: By default, ClamAV will attempt to extract embedded files that it finds, normalize certain text files before looking for matches, and unpack packed executables that it has unpacking support for. These flags tell ClamAV to write these intermediate files out to the directory specified. Usually when a file is written, it will mention the file name in the --debug output, so you can have some idea at what stage in the scanning process a tmp file was created.

• --dump-certs: For signed PE files that match a rule, display information about the certificates stored within the binary.

Note: sigtool has this functionality as well and doesn't require a rule match to view the cert data

Using gdb

Given that you might want to pass a lot of arguments to gdb, consider taking advantage of the --args parameter. For example:

gdb --args ./installed/bin/clamscan -d /tmp/test.ldb -d /tmp/block_list.crb -d --dumpcerts --debug --verbose --max-filesize=2000M --max-scansize=2000M --max-files=2000000 --max-recursion=2000000 --max-embeddedpe=2000M --max-iconspe=2000000 f8f101166fec5785b4e240e4b9e748fb6c14fdc3cd7815d74205fc59ce121515


When using ClamAV without libclamav statically linked, if you set breakpoints on libclamav functions by name, you'll need to make sure to indicate that the breakpoints should be resolved after libraries have been loaded.

For other documentation about how to use gdb, check out the following resources:

Hunting for Memory Leaks

You can easily hunt for memory leaks with valgrind. Check out this guide to get started: Valgrind Quick Start

If checking for leaks, be sure to run clamscan with samples that will hit as many of the unique code paths in the code you are testing. An example invocation is as follows:

valgrind --leak-check=full ./installed/bin/clamscan -d /tmp/test.ldb --leave-temps --tempdir /tmp/test --debug --verbose /tmp/upx-samples/ > /tmp/upx-results-2.txt 2>&1


Alternatively, on Linux, you can use glibc's built-in leak checking functionality:

MALLOC_CHECK_=7 ./installed/bin/clamscan


See the mallopt man page for more details

Performance Profiling

Flame Graph Profiling

FlameGraph is a great tool for generating interactive flamegraphs based collected profiling data. The github page has thorough documentation on how to use the tool, but an overview is presented below:

First, install perf, which on Linux can be done via:

sudo apt-get install linux-tools-common linux-tools-generic linux-tools-uname -r


Tip: If you're on Windows using WSL2 with Ubuntu 20.04, you may find that the above fails with this error message:

E: Unable to locate package linux-tools-4.19.104-microsoft-standard
E: Couldn't find any package by glob 'linux-tools-4.19.104-microsoft-standard'
E: Couldn't find any package by regex 'linux-tools-4.19.104-microsoft-standard'


You may have luck building and installing perf yourself using Microsoft's WSL2 Linux Kernel sources. At the time of writing, this doesn't work with the master branch because the perf build appears to be broken with newer versions of glibc. Instead, we can use the linux-msft-wsl-5.10.16.3 tag:

sudo apt install flex bison
git clone https://github.com/microsoft/WSL2-Linux-Kernel --depth 1 --branch linux-msft-wsl-5.10.16.3
cd WSL2-Linux-Kernel/tools/perf
make -j8
sudo cp perf /usr/local/bin


Technique courtesy of: https://gist.github.com/abel0b/b1881e41b9e1c4b16d84e5e083c38a13

Modify the system settings to allow perf record to be run by a standard user:

sudo su     # Run the following as root
cat /proc/sys/kernel/perf_event_paranoid
echo "1" > /proc/sys/kernel/perf_event_paranoid
exit


Invoke clamscan via perf record as follows, and run perf script to collect the profiling data. Note that in this example, ClamAV was compiled in a build subdirectory and installed to build/install:

perf record -F 100 -g -- ./install/bin/clamscan -d ./unit_tests/clamav.hdb --allmatch ./test/
perf script > /tmp/out.perf


The -F parameter indicates how many samples should be collected during program execution. If your scan will take a long time to run, a lower value should be sufficient. Otherwise, consider choosing a higher value (on Ubuntu 18.04, 7250 is the max frequency, but it can be increased via /proc/sys/kernel/perf_event_max_sample_rate.

Clone out the FlameGraph project and run the following commands inside the FlameGraph directory to generate the flame graph:

git clone https://github.com/brendangregg/FlameGraph.git
cd FlameGraph

perl stackcollapse-perf.pl /tmp/out.perf > /tmp/out.folded
perl flamegraph.pl /tmp/out.folded > /tmp/test.svg


The SVG that is generated is interactive, but some viewers don't support this. Be sure to open it in a web browser like Chrome to be able to take full advantage of it.

Here's an example flamegraph generated by scanning ClamAV test files:

Call Graph Profiling - Callgrind

Callgrind is a profiling tool included with valgrind. This can be done by prepending valgrind --tool=callgrind  to the clamscan command.

kcachegrind is a follow-on tool that will graphically present the profiling data and allow you to explore it visually, although if you don't already use KDE you'll have to install lots of extra packages to use it.

System Call Tracing / Fault Injection

strace can be used to track the system calls that are performed and provide the number of calls / time spent in each system call. This can be done by prepending strace -c  to a clamscan command. Results will look something like this:

    % time     seconds  usecs/call     calls    errors syscall
------ ----------- ----------- --------- --------- ----------------
3.22    0.028172          14      2053           munmap
0.69    0.006005           3      2102           mmap
0.16    0.001415           5       305         1 openat
0.13    0.001108           3       405           write
0.11    0.000932          23        40           mprotect
0.07    0.000632           2       310           close
0.07    0.000583           9        67        30 access
0.05    0.000395           1       444           lseek
0.04    0.000344           2       162           fstat
0.04    0.000338           1       253           brk
0.03    0.000262           1       422           fcntl
0.02    0.000218          16        14           futex
0.01    0.000119           1       212           getpid
0.01    0.000086          14         6           getdents
0.00    0.000043           7         6           dup
0.00    0.000038          19         2           rt_sigaction
0.00    0.000029           1        37           stat
0.00    0.000022          11         2           prlimit64
0.00    0.000021          21         1           sysinfo
0.00    0.000020           1        33           clock_gettime
0.00    0.000019          19         1           arch_prctl
0.00    0.000018          18         1           set_robust_list
0.00    0.000013           0        60           lstat
0.00    0.000002           0        68           geteuid
0.00    0.000000           0         1           execve
0.00    0.000000           0         1           uname
0.00    0.000000           0         1           getcwd
------ ----------- ----------- --------- --------- ----------------
100.00    0.874790                 69970        31 total


strace can also be used for cool things like system call fault injection. For instance, let's say you are curious whether the read bytecode API call is implemented in such a way that the underlying read system call could handle EINTR being returned (which can happen periodically). To test this, write the following bytecode rule:

    VIRUSNAME_PREFIX("BC.Heuristic.Test.Read.Passed")
VIRUSNAMES("")
TARGET(0)

SIGNATURES_DECL_BEGIN
DECLARE_SIGNATURE(zeroes)
SIGNATURES_DECL_END

SIGNATURES_DEF_BEGIN
DEFINE_SIGNATURE(zeroes, "0:0000")
SIGNATURES_DEF_END

bool logical_trigger()
{
return matches(Signatures.zeroes);
}

int entrypoint(void)
{
char buffer[65536];
int i;

for (i = 0; i < 256; i++)
{
debug(i);
debug("\n");
}

foundVirus("");
return 0;
}


Compiled the rule, and make a test file to match against it. Then run it under strace to determine what underlying read system call is being used for the bytecode read function:

clambc-compiler read_test.bc
dd if=/dev/zero of=/tmp/zeroes bs=65535 count=256
strace clamscan -d read_test.cbc --bytecode-unsigned /tmp/zeroes


It uses pread64 under the hood, so the following command could be used for fault injection:

strace -e fault=pread64:error=EINTR:when=20+10 clamscan -d read_test.cbc --bytecode-unsigned /tmp/zeroes


This command tells strace to skip the first 20 pread64 calls (these appear to be used by the loader, which didn't seem to handle EINTR correctly) but to inject EINTR for every 10th call afterward. We can see the injection in action and that the system call is retried successfully:

    pread64(3, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 65536, 15007744) = 65536
pread64(3, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 65536, 15073280) = 65536
pread64(3, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 65536, 15138816) = 65536
pread64(3, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 65536, 15204352) = 65536
pread64(3, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 65536, 15269888) = 65536
pread64(3, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 65536, 15335424) = 65536
pread64(3, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 65536, 15400960) = 65536
pread64(3, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 65536, 15466496) = 65536
pread64(3, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 65536, 15532032) = 65536
pread64(3, 0x7f6a7ff43000, 65536, 15597568) = -1 EINTR (Interrupted system call) (INJECTED)
pread64(3, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 65536, 15597568) = 65536


More documentation on using strace to perform system call fault injection, see this presentation from FOSDEM 2017.

Computing Code Coverage

Code coverage when using CMake (v0.104 and newer)

TO-DO: Help us figure out how to compute code coverage and document the process here.

Code coverage when using Autotools (v0.103 and older)

gcov/lcov can be used to produce a code coverage report indicating which lines of code were executed on a single run or by multiple runs of clamscan. NOTE: for these metrics to be collected, ClamAV needs to have been configured with the --enable-coverage option.

First, run the following to zero out all of the performance metrics:

lcov -z --directory . --output-file coverage.lcov.data


Next, run ClamAV through whatever test cases you have. Then, run lcov again to collect the coverage data as follows:

lcov -c --directory . --output-file coverage.lcov.data


Finally, run the genhtml tool that ships with lcov to produce the code coverage report:

genhtml coverage.lcov.data --output-directory report


The report directory will have an index.html page which can be loaded into any web browser.

Building and Testing ClamAV with Fuzzing Sanitizers

Build & Reproduce Fuzz Reports using OSS-Fuzz Tools

Check out the google/oss-fuzz repository and the clamav repo side by side. .

Then inside the oss-fuzz directory, run:

python3 infra/helper.py build_image clamav
python3 infra/helper.py build_fuzzers --sanitizer address clamav ../clamav
python3 infra/helper.py reproduce clamav clamav_scanmap_fuzzer /path/to/poc_file


Tip: You can substitute address argument in the second command that selects the Address Sanitizer (ASan) with memory or undefined to use the Memory Sanitizer (MSan) or the Undefined Behavior Sanitizer (UBSan).

Build & Test Fuzz Targets Sanitizers in CMake (v0.104 and newer)

Inside your clamav git clone, run:

mkdir build-fuzz && cd build-fuzz

export CC=which clang && \
export CXX=which clang++ && \
cmake .. -G Ninja \
-D OPTIMIZE=OFF \
-D CMAKE_BUILD_TYPE="Debug" \
-D ENABLE_FUZZ=ON \
&& \
ninja


This will build the fuzz target executables in the build-fuzz/fuzz/ directory. You can run them just like a regular program, passing the file as input.

E.g.:

./fuzz/clamav_scanfile_fuzzer /path/to/poc_file


ClamAV with Address Sanitizer (ASAN) in Autotools (v0.103 and older)

Building ClamAV with ASAN support can be extremely useful in detecting memory corruption and memory leaks. To build with ASAN, use a ..\configure line like the following:

CFLAGS="-ggdb -O0 -fsanitize=address -fno-omit-frame-pointer" LDFLAGS="-fsanitize=address" CXXFLAGS="-ggdb -O0 -fsanitize=address -fno-omit-frame-pointer" OBJCFLAGS="-ggdb -O0 -fsanitize=address -fno-omit-frame-pointer" ../configure --prefix=pwd/../installed --enable-debug --enable-libjson --with-systemdsystemunitdir=no --enable-experimental --enable-clamdtop --enable-libjson --enable-xml --enable-pcre --disable-llvm


Libclamav

Libclamav provides an easy and effective way to add a virus protection into your software. The library is thread-safe and transparently recognizes and scans within archives, mail files, MS Office document files, executables and other special formats.

Supported formats and features

Executables

The library has a built-in support for 32- and 64-bit Portable Executable, ELF and Mach-O files. Additionally, it can handle PE files compressed or obfuscated with the following tools:

• Aspack (2.12)
• UPX
• PE (Windows) built-in
• ELF, Mach-O enabled via bytecode signatures
• FSG (1.3, 1.31, 1.33, 2.0)
• Petite (2.x)
• PeSpin (1.1)
• NsPack
• wwpack32 (1.20)
• MEW
• Upack
• Y0da Cryptor (1.3)

Mail files

Libclamav can handle almost every mail file format including TNEF (winmail.dat) attachments.

Archives and compressed files

The following archive and compression formats are supported by internal handlers:

• Zip (+ SFX)
• RAR (+ SFX)
• 7Zip
• Tar
• CPIO
• Gzip
• Bzip2
• DMG
• IMG
• ISO 9660
• PKG
• HFS+ partition
• HFSX partition
• APM disk image
• GPT disk image
• MBR disk image
• XAR
• XZ
• MS OLE2
• MS Cabinet Files (+ SFX)
• MS CHM (Compiled HTML)
• MS SZDD compression format
• BinHex
• SIS (SymbianOS packages)
• AutoIt
• NSIS
• InstallShield

Documents

The most popular file formats are supported:

• MS Office and MacOffice files
• RTF
• PDF
• HTML

In the case of Office, RTF and PDF files, libclamav will only extract the embedded objects and will not decode the text data itself. The text decoding and normalization is only performed for HTML files.

Data Loss Prevention

Libclamav includes a DLP module which can detect the following credit card issuers: AMEX, VISA, MasterCard, Discover, Diner’s Club, and JCB and U.S. social security numbers inside text files.

Future versions of Libclamav may include additional features to detect other credit cards and other forms of PII (Personally Identifiable Information) which may be transmitted without the benefit of being encrypted.

Others

Libclamav can handle various obfuscators, encoders, files vulnerable to security risks such as:

• JPEG (exploit detection)
• RIFF (exploit detection)
• uuencode
• ScrEnc obfuscation
• CryptFF

API

Every program using libclamav must include the header file clamav.h:

    #include "clamav.h"


Initialization

Before using libclamav, you should call cl_init() to initialize it. CL_INIT_DEFAULT is a macro that can be passed to cl_init() representing the default initialization settings. When it’s done, you’re ready to create a new scan engine by calling cl_engine_new(). To free resources allocated by the engine use cl_engine_free(). Function prototypes:

    int cl_init(unsigned int options);
struct cl_engine *cl_engine_new(void);
int cl_engine_free(struct cl_engine *engine);


cl_init() and cl_engine_free() return CL_SUCCESS on success or another code on error. cl_engine_new() return a pointer or NULL if there’s not enough memory to allocate a new engine structure.

The following set of functions provides an interface for loading the virus database:

    const char *cl_retdbdir(void);

int cl_load(const char *path, struct cl_engine *engine,
unsigned int *signo, unsigned int options);


cl_retdbdir() returns the default (hardcoded) path to the directory with ClamAV databases. cl_load() loads a single database file or all databases from a given directory (when path points to a directory). The second argument is used for passing in the pointer to the engine that should be previously allocated with cl_engine_new(). A number of loaded signatures will be added to signo. The last argument can pass the following flags:

• CL_DB_STDOPT This is an alias for a recommended set of scan options.
• CL_DB_PHISHING_URLS Initialize the phishing detection module and load .wdb and .pdb files.
• CL_DB_PUA Load signatures for Potentially Unwanted Applications.
• CL_DB_OFFICIAL_ONLY Only load official signatures from digitally signed databases.

cl_load() returns CL_SUCCESS on success and another code on failure.

        ...
struct cl_engine *engine;
unsigned int sigs = 0;
int ret;

if((ret = cl_init(CL_INIT_DEFAULT)) != CL_SUCCESS) {
printf("cl_init() error: %s\n", cl_strerror(ret));
return 1;
}

if(!(engine = cl_engine_new())) {
printf("Can't create new engine\n");
return 1;
}

ret = cl_load(cl_retdbdir(), engine, &sigs, CL_DB_STDOPT);


Database verification

The cl_load() API will verify that the database is signed and is correct, although it will also return CL_SUCCESS for non-database files that of course cannot be loaded.

You can, however, use the cl_cvdverify() API to verify a database directly:

/**
*
* @param file          Filepath of CVD file.
* @return cl_error_t   CL_SUCCESS if success, else a CL_E* error code.
*/
extern cl_error_t cl_cvdverify(const char *file);


As the comment block explains, this will load-test the database. Be advised that for some larger databases, this may use a fair bit system RAM.

Error handling

Use cl_strerror() to convert error codes into human readable messages. The function returns a statically allocated string:

    if(ret != CL_SUCCESS) {
cl_engine_free(engine);
return 1;
}


Engine structure

When all required databases are loaded you should prepare the detection engine by calling cl_engine_compile(). In case of failure you should still free the memory allocated to the engine with cl_engine_free():

    int cl_engine_compile(struct cl_engine *engine);


In our example:

    if((ret = cl_engine_compile(engine)) != CL_SUCCESS) {
printf("cl_engine_compile() error: %s\n", cl_strerror(ret));
cl_engine_free(engine);
return 1;
}


Limits

When you create a new engine with cl_engine_new(), it will have all internal settings set to default values as recommended by the ClamAV authors. It’s possible to check and modify the values (numerical and strings) using the following set of functions:

    int cl_engine_set_num(struct cl_engine *engine,
enum cl_engine_field field, long long num);

long long cl_engine_get_num(const struct cl_engine *engine,
enum cl_engine_field field, int *err);

int cl_engine_set_str(struct cl_engine *engine,
enum cl_engine_field field, const char *str);

const char *cl_engine_get_str(const struct cl_engine *engine,
enum cl_engine_field field, int *err);


Please don’t modify the default values unless you know what you’re doing. Refer to the ClamAV sources (clamscan, clamd) for examples.

Database checks

It’s very important to keep the internal instance of the database up to date. You can watch database changes with the cl_stat..() family of functions.

    int cl_statinidir(const char *dirname, struct cl_stat *dbstat);
int cl_statchkdir(const struct cl_stat *dbstat);
int cl_statfree(struct cl_stat *dbstat);


Initialization:

        ...
struct cl_stat dbstat;

memset(&dbstat, 0, sizeof(struct cl_stat));
cl_statinidir(dbdir, &dbstat);


To check for a change you just need to call cl_statchkdir and check its return value (0 - no change, 1 - some change occurred). Remember to reset the cl_stat structure after reloading the database.

    if(cl_statchkdir(&dbstat) == 1) {
cl_statfree(&dbstat);
cl_statinidir(cl_retdbdir(), &dbstat);
}


Libclamav includes and additional call to check the number of signatures that can be loaded from a given directory:

    int cl_countsigs(const char *path, unsigned int countoptions,
unsigned int *sigs);


The first argument points to the database directory, the second one specifies what signatures should be counted: CL_COUNTSIGS_OFFICIAL (official signatures), CL_COUNTSIGS_UNOFFICIAL (third party signatures), CL_COUNTSIGS_ALL (all signatures). The last argument points to the counter to which the number of detected signatures will be added (therefore the counter should be initially set to 0). The call returns CL_SUCCESS or an error code.

Data scan functions

It’s possible to scan a file or descriptor using:

    int cl_scanfile(
const char *filename,
const char **virname,
unsigned long int *scanned,
const struct cl_engine *engine,
struct cl_scan_options *options);

int cl_scandesc(
int desc,
const char *filename,
const char **virname,
unsigned long int *scanned,
const struct cl_engine *engine,
struct cl_scan_options *options);


Both functions will store a virus name under the pointer virname, the virus name is part of the engine structure and must not be released directly. If the third argument (scanned) is not NULL, the functions will increase its value with the size of scanned data (in CL_COUNT_PRECISION units). The last argument (options) requires a pointer to a data structure that specifies the scan options. The data structure should be memset() Each variable in the structure is a bit-flag field. The structure definition is:

    struct cl_scan_options {
uint32_t general;
uint32_t parse;
uint32_t mail;
uint32_t dev;
};


Supported flags for each of the fields are as follows:

general - General scanning options.

• CL_SCAN_GENERAL_ALLMATCHES Scan in all-match mode
• CL_SCAN_GENERAL_HEURISTICS Option to enable heuristic alerts. Required for any of the heuristic alerting options to work.

parse - Options to enable/disable specific parsing capabilities. Generally you will want to enable all parsers. The easiest way to do this is to set the parse flags to ~0.

• CL_SCAN_PARSE_ARCHIVE This flag enables transparent scanning of various archive formats.
• CL_SCAN_PARSE_ELF Enable support for ELF files.
• CL_SCAN_PARSE_PDF Enables scanning within PDF files.
• CL_SCAN_PARSE_SWF Enables scanning within SWF files, notably compressed SWF.
• CL_SCAN_PARSE_HWP Enables scanning of Hangul Word Processor (HWP) files.
• CL_SCAN_PARSE_XMLDOCS Enables scanning of XML-formatted documents (e.g. Word, Excel, PowerPoint, HWP).
• CL_SCAN_PARSE_MAIL Enable support for mail files.
• CL_SCAN_PARSE_OLE2 Enables support for OLE2 containers (used by MS Office and .msi files).
• CL_SCAN_PARSE_HTML This flag enables HTML normalization (including ScrEnc decryption).
• CL_SCAN_PARSE_PE This flag enables deep scanning of Portable Executable files and allows libclamav to unpack executables compressed with run-time unpackers.

heuristic - Options to enable specific heuristic alerts

• CL_SCAN_GENERAL_HEURISTIC_PRECEDENCE Allow heuristic match to take precedence. When enabled, if a heuristic scan (such as phishingScan) detects a possible virus/phish it will stop scan immediately. Recommended, saves CPU scan-time. When disabled, virus/phish detected by heuristic scans will be reported only at the end of a scan. If an archive contains both a heuristically detected virus/phishing, and a real malware, the real malware will be reported.
• CL_SCAN_HEURISTIC_ENCRYPTED_ARCHIVE With this flag the library will mark encrypted archives as viruses (encrypted .zip, .7zip, .rar).
• CL_SCAN_HEURISTIC_ENCRYPTED_DOC With this flag the library will mark encrypted documents as viruses (encrypted .pdf).
• CL_SCAN_HEURISTIC_BROKEN libclamav will try to detect broken executables and mark them as Broken.Executable.
• CL_SCAN_HEURISTIC_EXCEEDS_MAX Alert when the scan of any file exceeds maximums such as max-filesize, max-scansize, max-recursion level.
• CL_SCAN_HEURISTIC_PHISHING_SSL_MISMATCH Heuristic for phishing module: alert on SSL mismatches in URLs.
• CL_SCAN_HEURISTIC_PHISHING_CLOAK Heuristic for phishing module: alert on cloaked URLs.
• CL_SCAN_HEURISTIC_MACROS OLE2 containers, which contain VBA macros will be marked infected (Heuristics.OLE2.ContainsMacros).
• CL_SCAN_HEURISTIC_PARTITION_INTXN alert if partition table size doesn't make sense
• CL_SCAN_HEURISTIC_STRUCTURED Enable the data loss prevention (DLP) module which scans for credit card and SSN numbers. i.e. alert when detecting personal information
• CL_SCAN_HEURISTIC_STRUCTURED_SSN_NORMAL Search for [and alert when detecting] SSNs formatted as xx-yy-zzzz.
• CL_SCAN_HEURISTIC_STRUCTURED_SSN_STRIPPED Search for [and alert when detecting] SSNs formatted as xxyyzzzz.

mail - Options to enable specific mail parsing features

$clamav-config --cflags -I/usr/local/include -g -O2  Example You will find an example scanner application in the clamav source under ./examples. In ClamaV 0.104+, you can build the example programs alongside ClamAV by configuring with -D ENABLE_EXAMPLES=ON. Or, if you have ClamAV already installed, execute the following to compile it: gcc -Wall ex1.c -o ex1 -lclamav  CVD format CVD (ClamAV Virus Database) is a digitally signed tarball containing one or more databases. The header is a 512-bytes long string with colon separated fields:  ClamAV-VDB:build time:version:number of signatures:functionality level required:MD5 checksum:digital signature:builder name:build time (sec)  sigtool --info displays detailed information on CVD files: $ sigtool -i daily.cvd
File: daily.cvd
Build time: 10 Mar 2008 10:45 +0000
Version: 6191
Signatures: 59084
Functionality level: 26
Builder: ccordes
MD5: 6e6e29dae36b4b7315932c921e568330
Digital signature: zz9irc9irupR3z7yX6J+OR6XdFPUat4HIM9ERn3kAcOWpcMFxq
Fs4toG5WJsHda0Jj92IUusZ7wAgYjpai1Nr+jFfXHsJxv0dBkS5/XWMntj0T1ctNgqmiF
+RLU6V0VeTl4Oej3Aya0cVpd9K4XXevEO2eTTvzWNCAq0ZzWNdjc
Verification OK.


Project Ideas

For ClamAV library & application projects, submit pull-requests to: https://github.com/Cisco-Talos/clamav

For ClamAV documentation projects, submit pull-requests to: https://github.com/Cisco-Talos/clamav-faq/pulls

Tip: If you find that any of the bugs or projects have already been completed, you can help out simply by updating the list in a pull-request to update this document.

Bugs

There's only so much our core dev team can schedule into each release. Many bugs probably won't be fixed without your help! Feel free to troll our open Bugzilla tickets and our open GitHub Issues if you're looking for project ideas!

Larger Projects

The following are a list of project ideas for someone looking to work on a larger project. Any projects labeled "Risky" or "Exploratory" are thought to be more likely to fail, or to have significant drawbacks that will result in the new feature being ultimately rejected.

Please don't take it personally if the ClamAV team decide not to merge your implementation due to perceived complexity, stability, or other such concerns.

Contributors are expected to implement ample documentation for any new code or feature. Directions on how to test the contribution as well as unit and/or system tests will significantly help with PR review and will improve the likelihood that your contribution will be accepted.

Unstable or incomplete work is not likely to be accepted. The core development team has a long backlog of tasks and a curated roadmap for the next 6-12 months and will not have time to complete an unfinished project for you.

Contributors submitting a sizeable new feature will be asked to sign a Contributors License Agreement (CLA) before the contribution can be accepted.

CMake: -D MAINTAINER_MODE=ON

The purpose of "maintainer" build-mode is to update source generated by tools like Flex, Bison, and GPerf which are not readily accessible on every platform.

In this case, the project is to add GNU gperf support to the our CMake build system's Maintainer-Mode (-D MAINTAINER_MODE=ON). To complete this task, you'll need to detect GPerf when using Maintainer-Mode, and it should be required. When the build runs, it should regenerate and overwrite the libclamav/jsparse/generated files in the source directory using gperf with jsparse-keywords.gperf.

The contributor should add the new option to CMakeOptions.cmake and document the feature in INSTALL.cmake.md as well as in the clamav-faq repo's development.md developer documentation, after the feature has merged.

Category: Low-hanging fruit, Development

What you will learn from this project:

• CMake C/C++ build system skills

Required skills:

• Linux/Unix familiarity. Familiarity with compiling C/C++ projects.

Project Size: Small

CMake: -D CODE_COVERAGE=ON

Add a -D CODE_COVERAGE=ON option to the CMake build system which will build ClamAV with code coverage features enabled.

An ideal solution would support code coverage in when using GCC, Clang, and MSVC.

See development.md in the clamav-faq repo for additional insight on how gcov, lcov, and genhtml can be used today with the Autotools build system.

The contributor should add the new option to CMakeOptions.cmake and document the feature in INSTALL.cmake.md as well as in the clamav-faq repo's development.md developer documentation, after the feature has merged.

Category: Low-hanging fruit, Development

What you will learn from this project:

• CMake C/C++ build system skills
• Familiarity with C/C++ code coverage

Required skills:

• Linux/Unix familiarity. Familiarity with compiling C/C++ projects.

Project Size: Small

Develop New Detection Capabilities for PE/ELF/MachO Executables

ClamAV parses the PE/ELF/MachO headers on executables that it scans, but doesn't make all of the data that it extracts available for use by NDB/LDB signatures. Some features that would be great to have include:

• The ability to distinguish between regular executables and DLLs/SOs/DYLIBs (add new keywords?)
• Subsignature modifiers that can limit subsigs to only being evaluated against sections with memory permission flags (Read/Write/Execute). This would allow signatures to be evaluated more efficiently and also would decrease the chance of signature false positives.
• Parsing digital signatures in signed MachO exes and evaluating against the certificate trust / block .crb rules
• Other features that might be helpful?

As PE, ELF, and MachO parsing features already exist in C, C is the mostly likely language of choice. However any major new self contained code would ideally be written in Rust.

Category: Core Development

What you will learn from this project:

• The PE, ELF, and MachO file formats
• How ClamAV parses executable headers, performs signature matching, and the capabilities are provided
• How to write ClamAV signatures to match on executable files

Required skills:

• Strong C development experience
• Rust development experince (as needed)

Project Size: Large

Develop Memory Scanning Capabilities for Unix

Today, ClamAV works by scanning files on disk for malware. It'd be great if ClamAV could also be used to scan process memory on a system its running on in order to detect malware that isn't present on disk.

The ClamAV team is already looking into integrating such a feature from clamav-win32, a project by Gianluigi Tiesi who has graciously agreed to allow us to include this memory scanning feature and others in the upstream clamav project.

This project would be to develop a similar capability for use on Linux and/or macOS and/or BSD Unix scanning clients.

As this is a relatively large new feature, an ideal solution would be written in Rust.

Category: Fun/Peripheral

What you will learn from this project:

• The techniques and OS APIs related to inspecting the memory of running processes
• The security mechanisms in place to limit arbitrary access to process memory

Required skills:

• Strong Rust development experience.
• Linux/Unix operating systems experience.

Project Size: Large

WebAssembly Runtime

Background: ClamAV has for a long time had runtime support for running portable plugins we call "bytecode signatures". ClamAV has a custom bytecode compiler to compile these plugins from a C-like language and uses LLVM or a homegrown "bytecode interpreter" to run the plugins. This solution is strikingly similar to a newer portable plugin technology: WebAssembly!

The goal of project would be to create a proof-of-concept WebAssembly (wasm) runtime in ClamAV so that "wasm signatures" could be written in Rust and executed in a wasm sandbox. As with our current bytecode signature technology, the wasm signatures would run at specific hooks in the ClamAV scanning process. They would need access to the file map (buffer) being scanned, and would be given a limited API to call into ClamAV functions.

For a proof-of-concept, executing a local wasm plugin that has access to the file being scanned (without copying the data) would be fine. A production solution would need to convert the wasm plugin to an ascii-text encoding so it can be distributed much the same way the current bytecode signature .cbc plugins are distributed. As with the bytecode signatures, clamscan and clamd must not load the plugins unless they've been digitally signed or the --bytecode-unsigned/BytecodeUnsigned options are set, which would disable this safety precaution.

Important Notes: The ClamAV bytecode compiler project is currently undergoing a major re-write. Once complete, the new bytecode compiler will effectively be a Python script that invokes clang with a collection of custom compiler passes that effectively compile C code into ClamAV-bytecode plugins. This project would have you extend that project to instead use rustc to compile Rust ClamAV-WASM plugins.

Category: Core Development, Fun

What you will learn from this project:

• Compilers
• LLVM, WebAssembly JIT
• Executable plugin sandboxing
• Rust

Required skills:

• C/C++ development experience.
• Rust development experience.

Project Size: Large

Add Unpacking Support for New Packers

ClamAV includes support for unpacking executables generated by several software packers so that malware can't use them to easily evade detection. The list of packers currently supported can be found in the Introduction of the ClamAV Manual. There are many packers out there, though, so there is always a need to write unpacking code for ones that are frequently used by malware authors. Some that are currently needed include:

• UPX for ELF
• MPRESS (although we do have some bytecode signatures for MPRESS - those might be sufficient)
• If anyone is interested in this, we can analyze thousands of samples and identify more candidates for this list

Improvements to existing executable (PE/ELF/MachO) parsing code would likely be in C, but any new standalone modules would ideally be written in Rust.

Category: Fun/Peripheral

What you will learn from this project:

• How packers function, the steps involved in run-time loading and fixing memory maps, and a general approach to unpacking
• You'll gain experience reverse-engineering real-world malware

Required skills:

• C development experience.
• Rust development experience.

Project Size: Large

Add Support for Matching on .NET Internals

YARA extracts certain properties of .NET executables and makes them available for signatures to use for detection: https://yara.readthedocs.io/en/v3.6.0/modules/dotnet.html

Can ClamAV do something similar? For instance, extract the GUIDs and allow matching on those the way we do entries in the PE VersionInfo section?

Tip: An ideal solution for this and any new file parsing feature should be written in Rust and called by our existing C code.

Category: Fun/Peripheral

What you will learn from this project:

• How .NET executables are structured, and how they work internally
• How to write .NET applications (for testing)
• You'll also test your code against real-world malware, and perform reverse-engineering of samples as needed (if they break your code).

Required skills:

• C development experience.
• Rust development experience.
• Any prior experience in the areas listed above is a plus.

Project Size: Large

Extract Macros from OXML docs

ClamAV and SigTool currently support parsing OLE Office files to decompress and extract macros for scanning. The newer version OOXML Office files do not have this support, resulting in detection possible for macros in these documents. The ability to both extract and scan macros would enable better coverage. This might mean creating a new target type to prevent creating two signatures one for OLE macros and another for OOXML macros.

Tip: An ideal solution for this and any new file parsing feature should be written in Rust and called by our existing C code.

Category:

What you will learn from this project:

• ClamAV and SigTool internals
• Office document macro compression (RLE compression)
• Macro storage in OOXML files

Required skills:

• C development experience.
• Rust development experience.
• Any prior experience in the areas listed above is a plus.

Project Size: Medium

Dynamically add new file types simply by adding file type magic (.ftm) signatures

Known file types are currently baked into each ClamAV versions along with file type magic signatures. See filetypes_int.h, filetypes.h, and filetypes.c. The hardcoded signature definitions for these hardcoded types are generally overridden by daily.ftm, a component of daily.cvd used to tweak file type identification definitions after release.

This project would be to re-architect how file types are stored in libclamav so new file types can be dynamically added when daily.ftm (or some other .ftm file) is loaded. Supplemental .ftm files should supplement the existing file type definitions, allowing an extra.ftm file to be tested alongside daily.cvd.

This new capability when combined with the ability to register bytecode signatures as new file type scanners will dramatically increase the ability to extend ClamAV functionality between major version updates. Even when combined with logical signatures that target specific file types (using the proposed new Type: keyword instead of Target:, see below project idea), will allow creative analysts to write more compact and efficient logical signatures.

Category: Fun, Core Development

What you will learn from this project:

• Software architecture experience.

Required skills:

• C development experience.

Project Size: Medium

Register scanners for each file type, Write bytecode "signature" scanners.

Bytecode signatures are the portable executable plugin format for ClamAV. If ClamAV file types each had one or more* linked list of file type handlers ("scanners"), then a bytecode API could be added to register a bytecode signature as a new scanner for a file type.

This project should be completed after the project to dynamically add new file types with new file type magic signatures (above). This new scanning architecture would be really powerful way to add features to the product without requiring a major version update. When combined with the project to run WebAssembly signatures written in Rust (project idea above) -- this plugin-based scanner feature would have the potential to become the fastest and safest way to add new capabilities to ClamAV.

Example use case:

One example use case of this feature would be to alert on the malicious use of crypto miner wallet IDs.

Cryptomining malware has become increasingly prevalent with the rise in cryptocurrency prices, and we have thousands of wallet identifiers known to be associated with malicious cryptomining campaigns. We don't have a robust way of using these IDs for detection, though, because we only want to raise an alert if the ID appears to be used in a malicious way (Ex: hardcoded into a mining application or as part of a coin miner configuration file) and not in legitimate ways (Ex: blog posts about campaigns or wallet block lists used by the mining pools).

The two use-cases that we want to alert on are miner config files and executables with the embedded wallet identifier. We could have two .ftm rules (one for each case) that indicate a CL_TYPE_MINER or something like that, and then scanning execution for CL_TYPE_MINER can go to the bytecode sig to perform any other checks that may be necessary.

*Additional Considerations: ClamAV has several locations in the scanning process for invoking file type scanners:

1. After initial file type identification, and before the "raw scan". In cli_magic_scan().
2. Once for each embedded file types found when using scanraw() to also match on embedded type recognition signatures*. In scanraw().
• *Embedded type recognition signature matching is a feature used to identify self-extracting archives and some harder to identify file formats, like XML-based office document formats, DMG files, master boot records (MBR), etc. It isn't used for some archive and disk image formats that we'll unpack later anyways because they cause excessive type false positives and duplicate file scanning. A common example without this safety measure was duplicate file extraction and scanning of zip file entries found in a tarball.
3. After scanning all of the found embedded types (above). At the end of scanraw(). These could probably be moved to (4) if it is deemed safe to remove the 1st "safety measure" call to scanraw() in cli_magic_scan() (i.e we'd only call scanraw() once, ever).
4. Again, after the call to scanraw() at the bottom of cli_magic_scan(), for types that have bytecode hooks that won't execute unless a logical signature matches, requiring scanraw() to perform matching first.

Considering that there are 3 or 4 placement options for scanners, it may be required to have 3 (or 4) different lists to add to when registering a new scanner to indicate when to run the scanner in the scanning process. An enum argument for the function would indicate which list to add it to. If inserting the new scanner for a given type from the front of the list, and only invoking the next scanner if the first one returns CL_EPARSE or CL_EFORMAT, then a scanner registration could be used to override an existing/built-in one or supplement it, whichever is desired.

This project would would require coming up with a common file-type-scanner API for all scanners (including bytecode scanners), and would enable moving all file-type-scanners out of scanners.c and into a new file for each in a scanners subdirectory. A separate parsers subdirectory should be added at this time and each file type parser would be moved there. The distinction between a "scanner" and a "parser" is this. A scanner uses a parser to extract bits to be scanned. A parser may simply be something like an archive extraction library. In some cases, particularly in internally developed code, the distinction may be less clear and so the entire thing may be better placed under the scanners directory as the entry-point will doubtless need to use the common file-type-scanner API.

This project will also require creating lots of regression tests for file type identification to ensure that the new architecture doesn't accidentally misclassify or fail to scan certain files.

The majority of the work won't actually change ClamAV's behavior, which may seem frustrating, but the end goal is super cool. Code cleanup and organization along the way will also make a meaningful difference. This project could be split into pieces:

1. Establish a common file type scanner function API and reorganize the scanners and parsers as described above.
2. Convert the API into a callback function pointer definition and create a registration API. Add a set of scanner callback lists to each file type. The built-in scanners should be initialized either at compile time or at least when libclamav is initialized, depending on the chosen design.

Category: Very Fun, Core Development

What you will learn from this project:

• Software architecture experience
• How to write ClamAV signatures (bytecode and LDB sigs)
• You'll test your code against real-world malware, and can do reverse engineering if you'd like to expand the initial coinminer classification logic.

Required skills:

• Strong C development experience.
• Any prior experience in the areas listed below is a plus.

Project Size: Very Large

Limit logical signature alerts based on file type

ClamAV signatures have a "Target Type" which is an integer type which can be used in signatures to limit signature matches to specific file types. ClamAV also categorizes signature patterns into two different Aho-Corasick pattern-matching trie's by Target Type. Target Type 1 (Windows executables (EXE/DLL/SYS/etc.) go in one trie, and everything else goes in the other trie. Unfortunately, not every file type has an associated target type. In addition, while it's conceivable to be able to add new text-based file types dynamically (see the above project idea about file type magic signatures), it is less feasible to dynamically add new numerical target types.

• <appendix/FileTypes.md>
• <manual/Signatures/LogicalSignatures.md>

This project is to add a new "Type:" keyword to the TargetDescriptionBlock for Logical Signature (.ldb) to limit logical signature alerts to specific file types, much like you currently can do with Target Types ("Target:"), Container File Types ("Container:"), and Container Intermediate Types ("Intermediates:"). While this isn't expected to improve scan times, it should reduce overall signature size as analysts will no longer need to duplicate the file-type-magic signature in order to limit alerting on a signature match by file type.

To illustrate, this is the file type magic signature for a Microsoft Shortcut File, aka CL_TYPE_LNK:

0:0:4C0000000114020000000000C000000000000046:Microsoft Windows Shortcut File:CL_TYPE_ANY:CL_TYPE_LNK:100


Though we can classify a file as CL_TYPE_LNK and even unpack the file with custom scanner using that type, there is presently no way to write a signature for CL_TYPE_LNK files without duplicating the 0:4C0000000114020000000000C000000000000046 bit.

At present a signature to alert on a "malicious" shortcut containing 0xdeadbeef might look like this:

SignatureName;Target:0;(0&1);0:4C0000000114020000000000C000000000000046;deadbeef


SignatureName;Target:0,Type:CL_TYPE_LNK;(0);deadbeef


Category: Low-hanging Fruit, Core Development

What you will learn from this project:

• Knowledge of ClamAV's signature databases, and logical signature evaluation.

Required skills:

• C development experience.

Project Size: Small

libclamav Callback Function to Request Additional File

Add a callback function to give libclamav file parsers the ability to request additional file data from the scanning application -- I.e. clamscan and clamd (and by extension clamdscan & clamonacc).

This feature would enable support for split-archive scans, if all components of the split archive are present and available to the scanning application. To make this work for clamdscan+clamd, or clamonacc+clamd, the request would also have to be relayed by clamd over the socket API to the scanning client, and the client would have to respond with additional data, filepath, or file descriptor for clamd to provide via the callback to file parser.

Disclaimer: It's entirely likely that this idea is bogus and wouldn't work over the clamd+clamdscan socket API. This task would require a fair amount exploratory coding.

When a file is scanned, the scanner (eg cli_scanrar) may call a callback function provided by clamscan or clamd to request scan access to other files by name, with the expectation that it would receive an fmap in response. Specifically, when the first file in a split archive is scanned, the parser could request fmaps for subsequent files to provide to the archive extraction library. Direct scanning of files other than the first file in a split archive will skip, because they are split and are not the first file.

Category: Risky/Exploratory, Core Development

What you will learn from this project:

• ClamAV and SigTool internals
• Socket programming

Required skills:

• C and C++ development experience.

Project Size: Large

ClamAV FAQ © 2021 Cisco Systems, Inc.

Clam AntiVirus is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.

ClamAV and Clam AntiVirus are trademarks of Cisco Systems, Inc.

Which Version of ClamAV should I use?

Stable release

For critical systems, please install using the latest stable release.

Beta and Release candidates Programs

If your system is not critical, we occasionally release beta and release candidate (RC) versions of the next feature release. Your participation in our beta and release candidate programs is always appreciated.

FreshClam FAQ

The following FAQ should help you understand why freshclam may have failed to fetch the latest updates.

Invalid DNS reply. Falling back to HTTP mode or ERROR: Can't query current.cvd.clamav.net

There is a problem with your DNS server. Please check the entries in /etc/resolv.conf and verify that you can resolve the TXT record manually:

$host -t txt current.cvd.clamav.net If you can't, it means your network is broken. You'll be still able to download the updates, but you'll waste a lot of bandwidth checking for updates. Please note that some not RFC compliant DNS servers (namely the one shipped with the Alcatel (now Thomson) SpeedTouch 510 modem) can't resolve TXT record. If that's the case, please recompile ClamAV with the flag --enable-dns-fix. ERROR: Connection with ??? failed Either your dns servers are not working or you are blocking port 53/tcp. You should manually check that you can resolve hostnames with: $ host database.clamav.net

If it doesn't work, check your dns settings in /etc/resolv.conf. If it works, check that you can receive dns answers longer than 512 bytes, e.g. check that your firewall is not blocking packets which originate from port 53/tcp. An easy way to find it out is:

$dig @ns1.clamav.net db.us.big.clamav.net WARNING: Incremental update failed, trying to download daily.cvd For some reason, incremental update failed. FreshClam can recover from this situation by downloading the whole daily.cvd. Database update process failed: Downloaded database had lower version than advertised For some reason, the content delivery network is not serving the latest updates yet. If you experience this problem, please report the issue on GitHub Issues. Update failed. Your network may be down or the ClamAV database content delivery network is experiencing an outage It's not your lucky day. Your network may be down or the ClamAV database content delivery network is experiencing an outage. Please wait a few minutes and try again. Remember to pass the -v option to freshclam. Update failed. Updating too frequently with an outdated version Starting from ClamAV 0.9x, whenever your ClamAV engine becomes outdated and the difference between the functionality level required by the CVD and the functionality level supported by your ClamAV engine is more than 3, freshclam will refuse to check for updates more often than 6 times per day. The reason for this is that bandwidth can be expensive. It is not helpful to generate extra traffic on our content delivery network if you cannot take advantage of all the signatures anyway. If you really care about catching as much malware as possible and you want to check for updates more often than 6 times per day, then you should also not run such an old version of ClamAV. Your ClamAV installation is OUTDATED This message does NOT indicate that you are unable to download the latest CVD update! You'll get this message whenever a new version of ClamAV is released. In order to detect all the latest viruses, it's not enough to keep your database up to date. You also need to run the latest version of the scanner. WARNING: Current functionality level = 1, required = 2 The functionality level of the database determines which scanner engine version is required to use all of its signatures. If you don't upgrade immediately you will still be able to download the latest CVD updates but the engine won't be able to use ALL of them. Ignoring mirror <IP> (has connected too many times with an outdated version) If you are experiencing this problem, please do the following: Stop the freshclam daemon if it's running, delete both mirrors.dat and daily.cvd, then restart the freshclam daemon. FreshClam will then download a new daily.cvd and will be up-to-date. HTTP Error Codes If you are receiving a 403, 503, or 1020 error codes when downloading from Cloudflare, then you are either explicitly blocked, using an EOL'ed version of ClamAV or you are downloading incorrectly. If FreshClam is failing and you're not sure why, you may run freshclam -v for "Verbose Mode" to see the HTTP request & response details (ClamAV 0.102+). After checking that you are using a current version of ClamAV, please discontinue whatever method of download you are using and immediately move to using either FreshClam or cvdupdate. These are the two supported methods for downloading AV updates from ClamAV. All other methods may be rate limited, or blocked at our discretion. Use of Wget, Curl, or other command line tools that are scripted are explicitly denied. If you are receiving a 429, that means you are rate limited. You're downloading too fast or too much. Please use Freshclam or cvdupdate. If you are using a shared hosting provider, like Amazon AWS, Google Cloud Computing, Oracle, Azure, etc, you will most likely be rate limited, however cvdupdate should handle this gracefully. If you continue to receive these, we recommend you try from a different external IP address. If you are receiving a 403 specifically on the safebrowsing.cvd file, please read this blog post immediately! Are you running a version of FreshClam/ClamAV lower than 0.103.2? If so, you should immediately upgrade to at least 0.103.2. If you have checked all of the above and you are still seeing errors, please open a ticket using the below link. Please report freshclam update failures or issues on GitHub Issues. ClamAV Virus Database FAQ How do I keep my virus database up to date? ClamAV comes with FreshClam, a tool which periodically checks for new database releases and keeps your database up to date. It is encouraged that you update to at least version 0.103.2, which respects our bandwidth limitations. How often is the virus database updated? The virus database is usually updated once or twice per day. Sign up for our VirusDB mailing list to see our response times to new threats. The virusdb team tries to keep up with the latest threats in the wild. You can contribute to make the virusdb updating process more efficient by submitting samples of viruses via our "Contact" page on ClamAV.net. The last CVD update crashed my ClamAV installation. Why? Before publishing a CVD update, we verify that it can be correctly loaded by the last two stable release series of ClamAV. The last CVD update detects a lot of false positives on my system. Why? Before publishing a CVD update, we test it for false positives using the latest stable release of ClamAV. If you want to avoid problems with false positives, you must run the latest stable version of ClamAV. Please stay tuned to our EOL policy for what versions are actively supported. I tried to submit a sample through the web interface, but it said the sample is already recognized by ClamAV. My ClamScan tells me it's not. I have already updated my database and ClamAV engine, what's wrong with my setup? Please run ClamScan with the --alert-broken option. Also check that FreshClam and ClamScan are using the same path for storing/reading the database. I found an infected file in my HD/USB/mailbox, but ClamAV doesn't recognize it yet. Can you help me? Our virus database is kept up to date with the help of the community. Whenever you find a new virus which is not detected by ClamAV you should complete this form. The virusdb team will review your submission and update the database if necessary. Before submitting a new sample: - check that the value of DatabaseDirectory, in both clamd.conf and freshclam.conf, is the same - and update your database by running FreshClam to ensure you've scanned it with the latest virus database. I'm running ClamAV on a lot of clients on my local network. Can I serve the cvd files from a local server so that each client doesn't have to download them from your servers? Sure, you can find more details on our Private Local Mirror page. 1. If you want to take advantage of incremental updates, install a proxy server and then configure your FreshClam clients to use it (watch for the HTTPProxyServer parameter in freshclam.conf). 2. The second possible solution is to: • Configure a local webserver on one of your machines (say machine1.mylan) • Let FreshClam download the *.cvd files from http://database.clamav.net to the webserver's DocumentRoot. • Finally, change freshclam.conf on your clients so that it includes: DatabaseMirror machine1.mylan ScriptedUpdates off  First the database will be downloaded to the local webserver and then the other clients on the network will update their copy of the database from it. Important: For this to work, you have to add ScriptedUpdates off on all of your machines! I can't wait for you to update the database! I need to use the new signature NOW! No problem, save your own signatures in a text file with the appropriate extension (see our signature writing documentation for more information). Put the signature files in the same directory where the .cvd files are located. This is typically /usr/local/share/clamav or /var/lib/clamav. ClamAV will load it after the official .cvd files. You do not need to sign your custom database files. Can I download the virus database manually? This practice is discouraged, please use either FreshClam or CVDUpdate to update your definitions. Please check out our FreshClam FAQ and our Private Mirror Documentation for further information and links to CVDUpdate. I am getting error codes such as 403, 429, etc when FreshClam (or other update system) attempts to download updates Are you attempting to download safebrowsing.cvd and getting a 403? If so, take a look at this blog post, otherwise check out our Freshclam FAQ under the section on "Error Codes". For other questions regarding issues with FreshClam, see our FreshClam Troubleshooting FAQ. Miscellaneous FAQ I see you have Bugzilla AND GitHub Issues. Which one should I use? Please use GitHub Issues. We're slowly phasing out Bugzilla. But please read the Security Policy and do not disclose anything in a ticket that should be kept private or that may represent a vulnerability. I reported a bug on Bugzilla, but no one can see it. What do I do? Bugs reported to ClamAV's Bugzilla ticket tracker are private by default. Our policy is to make tickets public if they are not security-related. If you believe your bug report isn't security-related, please ping the ticket requesting that the ticket be made public. Chances are high that we simply forgot to remove the tag when the report came in. Where can I find the bug ticket for a security bug fix? Our policy is to make security-related bugs public either: A. fourteen (14) days after a security patch version has been published with a fix for the bug, or B. after the non-disclosure agreement with a vulnerability reporter has expired and the bug details are otherwise already public. This policy serves to reduce the risk that a malicious party would find enough details in the ticket to craft their own exploit for the bug before users have had an opportunity to upgrade to a patched version. Where can I find a test file to prove that a security bug doesn't affect me or has been fixed in my version? We do not share test files for security bugs. Sharing these files puts users at risk for at least two reasons: 1. Sharing a test file outside of our organization increases the risk of it falling into the wrong hands and being used to craft an exploit. 2. Test files generated by a fuzzer are designed to demonstrate a bug in a specific test environment and do the bare minimum necessary to trigger the bug. Scanning a test file outside of that environment is unlikely to demonstrate the issue EVEN THOUGH THE ISSUE STILL EXISTS. A clever adversary may very well be able to craft a bigger and better exploit for that issue that does affect your unpatched system. Testing with the original fuzzer-generated file is most likely to give you a false sense of security. Can phishing be considered one kind of spam? ClamAV should not detect it as some kind of malware. Starting from release 0.90, ClamAV allows you to choose whether to detect phish as some kind of malware or not. This should put an end to the endless threads on our mailing lists. So long, and thanks for all the phish. Why is my legitimate HTML newsletter/email detected by ClamAV as Phishing.Heuristics.Email.SpoofedDomain? If it contains links in the form of href="http://yourdomain.example.tld"> otherdomain.tld, where otherdomain.tld (ProtectedDomain) doesn't belong to you and is listed in ClamAV database (like amazon.com, ebay.com, ...) then ClamAV detects it as a phishing attempt. My legitimate emails from yourdomain.tld are detected as Phishing.Heuristics.Email.SpoofedDomain Please submit a sample, marking it as a false positive, phishing. If it's really a false positive, we will add an allow list entry for it. Can I convert the new database format to the old one? Yes, install a recent version of sigtool and run: sigtool --unpack-current daily.cvd; sigtool --unpack-current main.cvd How do I read inside the CVD files? See previous FAQ. I'm using ClamAV in a production environment and a brand new virus is not being recognized by ClamAV. How long do I have to wait before ClamAV can start filtering the virus? No time at all! Find a signature for that virus and modify your virus database accordingly (see our signature writing documentation for details). Remember to submit the sample to the virusdb team. Why is ClamAV calling the XXX virus with another name? This usually happens when we add a signature before other AV vendors. No well-known name is available at that moment so we have to invent one. Renaming the virus after a few days would just confuse people more, so we usually keep on using our name for that virus. The only exception is when a new name is established soon after the signature addition. I get many false positives of Oversized.zip Whenever a file exceeds ArchiveMaxCompressionRatio (see clamd.conf man page), it's considered a logic bomb and marked as Oversized.zip. Try increasing your ArchiveMaxCompressionRatio setting. What is PUA? I get a lot of false positives named PUA. With the release of ClamAV 0.91.2 we introduce the option to scan for Potentially Unwanted Applications. The PUA database contains detection for applications that are not malicious by itself but can be used in a malicious or unwanted context. As an example: A tool to retrieve passwords from a system can be useful as long as the person who uses it, is authorized to do so. However, the same tool can be used to steal passwords from a system. To make use of the PUA database you can use the --detect-pua switch for clamscan or enable it in the config file for ClamD (add: DetectPUA yes). At this point we DO NOT recommend using it in production environments, because the detection may be too aggressive and lead to false positives. In one of the next releases we will provide additional features for fine-tuning allowing better adjustments to different setups. NOTE: A detection as PUA does NOT tell if an application is good or bad. All it says is, that a file MAY BE unwanted or MAYBE could compromise your system security and it MAY BE a good idea to check it twice. Can ClamAV disinfect files? No, it can't. We will add support for disinfecting OLE2 files in one of the next stable releases. There are no plans for disinfecting other types of files. There are many reasons for it: cleaning viruses from files is virtually pointless these days. It is very seldom that there is anything useful left after cleaning, and even if there is, would you trust it? When using clamscan, is there a way to know which message within an mbox is infected? There are two solutions: Run clamscan --debug, look for Deal with email number xxx Alternatively you can convert the mbox to Maildir format, run clamscan on it and then convert it back to mbox format. There are many tools available which can convert to and from Maildir format: formail, mbox2maildir and maildir2mbox What platforms does it support? Clam AntiVirus works with Linux®, Solaris, FreeBSD, OpenBSD, NetBSD, Mac OS X, Cygwin B20 on multiple architectures such as Intel, Alpha, Sparc, Cobalt MIPS boxes, PowerPC, RISC 6000. Where can I find more information about ClamAV? Please read the complete documentation in pdf/ps format. You will find it inside the package or in the documentation section of this website. You can also try searching the mailing list archives. If you can't find the answer, you can ask for support on the clamav-users mailing-list, but please before doing it, search the archives! Also, make sure that you don't send HTML messages and that you don't top post: these violate the netiquette and lessen your chances of being answered. Mailing Lists FAQ Where can I ask questions about using ClamAV? Subscribe to our clamav-users mailing-list. I want to take part to the development of ClamAV. Where can I get more info? Subscribe to the clamav-devel mailing-list. The mailing-lists generate too many messages per day. I can't handle them. What shall I do? There are two possible solutions: • Go to the mailing-list mailman interface, click on Unsubscribe or edit options, and turn digest mode on. • Access the mailing-lists using a "news reader". I sent a message to one of ClamAV's mailing-lists, but the mail was rejected/held for approval. Why? Only subscribers are allowed to post to the mailing-list. This is done to avoid spammers. I read the mailing-list from the Gmane news gateway. Can I post to the mailing-list? See previous FAQ. I've been unsubscribed from one of the mailing-lists. What happened? There are two possible reasons: If your account generates too many bounces you'll be automatically unsubscribed. Please subscribe again with a more reliable account. If we receive even one out of office notification from your vacation program, your address will be unsubscribed and banned from our mailing-lists forever. Sorry for that, there are just too many stupid people out there. How do I disable mail delivery from the mailing-list I'm subscribed to? Suppose you are subscribed to clamav-users. Go to clamav-users and enter your mail address at the bottom of the page. Click on Unsubscribe or edit options. At the next page enter your password and press Log in. Under Your clamav-users Subscription Options choose Disabled opposite Mail delivery and press Submit My Changes at the bottom of the page. Safebrowsing About Google Safe Browsing may be used to get advanced protection against emails with links to suspicious websites. Current Status The Safe Browsing feature has now been spun off into a related project. ClamAV previously provided a "safebrowsing" signature database derived from Google's Safe Browsing API using our own account and API key. Due to changes to the terms of service, we can no longer provide the signature content for you. Users that desire Safe Browsing coverage for non-commercial purposes can still generate their own safebrowsing signature database using the clamav-safebrowsing tools with a Google Safe Browsing API key. Briefly, clamav-safebrowsing tools are needed to: 1. Download the data from Google to a local MySQL database using Google's API [*]; 2. Produce a local copy of the safebrowsing database file in a form suitable for use by the ClamAV tools; You will have to decide how to distribute this database file to the systems which need it; and to notify any clamd daemons of the change so that they load the new signatures. [*] For efficiency, the API permits downloading differences, in much the same way that ClamAV itself uses .cdiff files. The clamav-safebrowsing tool uses a MySQL database to store the Safe Browsing data so it can apply these differences the next time you use it. For more information, please visit the ClamAV Safebrowsing project on Github. History ClamAV 0.95 introduced an optional "safebrowsing" signature database to provide advanced protection against emails with links to suspicious websites. This was generated using Google's Safe Browsing API. The "safebrowsing" signature database which was distributed in the same way as the other ClamAV database files via the ClamAV mirror network. Downloading the database was disabled by default, and the feature was to be enabled only with extreme caution. In order to enable this feature it was necessary to add the option SafeBrowsing Yes to freshclam.conf. As of Nov. 11, 2019, we stopped updating the "safebrowsing" signature database because Google announced changes to their Safe Browsing API terms of service. Google now requires commercial users to use the Google Web Risk API, a for-profit feature, instead of the Safe Browsing API. Though ClamAV itself is free and open-source, we cannot continue to provide Google Safe Browsing data to the general public. Troubleshooting FAQ After ClamAV is installed, then what? How do I update / refresh the virus database? You will need to edit the freshclam.conf.example file located in /usr/local/etc. Once that is done, you will need to run a sudo freshclam to download the signatures. You will need to run the command to update signatures often so that ClamAV has the most up to date signatures. How many times per hour shall I run FreshClam? You can check for database update as often as 4 times per hour provided that you have the following options in freshclam.conf: DNSDatabaseInfo current.cvd.clamav.net DatabaseMirror database.clamav.net  I get this error when running FreshClam: Invalid DNS reply. Falling back to HTTP mode or ERROR: Can't query current.cvd.clamav.net . What does it mean? There is a problem with your DNS server. Please check the entries in /etc/resolv.conf and verify that you can resolve the TXT record manually: host -t txt current.cvd.clamav.net  If you can't, it means your network is broken. You'll be still able to download the updates, but you'll waste a lot of bandwidth checking for updates. What does WARNING: DNS record is older than 3 hours mean? FreshClam attempts to detect potential problems with DNS caches and switches to use HTTPS if something looks suspicious. If this message appears seldomly, you can safely ignore it. If you get the error every time you run FreshClam, check your system clock. If it is set correctly, check your dns settings. If those didn't help, try putting this at the top of your cronjob: host -t txt current.cvd.clamav.net; perl -e 'printf "%d\n", time;'  The 4th field of the first line should be less than 3 ∗ 3600 behind the output of the second line. If not, you have a caching DNS server somewhere misbehaving. I get this error when running FreshClam: ERROR: Connection with ??? failed . What shall I do? Either your dns servers are not working or you are blocking port 53/tcp. You should manually check that you can resolve host names with: host database.clamav.net  If it doesn't work, check your dns settings in /etc/resolv.conf. If it works, check that you can receive dns answers longer than 512 bytes, e.g. check that your firewall is not blocking packets which originate from port 53/tcp. An easy way to find it out is: dig @ns1.clamav.net db.us.big.clamav.net  How do I know if my IP address has been blocked? Run FreshClam in verbose-mode (-v) to view the HTTP requests and responses. If you're seeing an HTTP 403 response, then you may have been blocked. If think you've been blocked, feel free to contact us for help getting un-blocked. For more information about HTTP error codes, see the FreshClam FAQ I can't resolve current.cvd.clamav.net! Is there a problem with your/my DNS servers? current.cvd.clamav.net has got only a TXT record, not a type A record! Try this command: $ host -t txt current.cvd.clamav.net


Please note that some not RFC compliant DNS servers (namely the one shipped with the Alcatel (now Thomson) SpeedTouch 510 modem) can't resolve TXT record. If that's the case, please recompile ClamAV with the flag --enable-dns-fix if using ./configure or -D ENABLE_FRESHCLAM_DNS_FIX=ON if using CMake.

For other questions regarding issues with the signature databases, see our Virus Database FAQ.

ClamAV alerted on a file during a scan. What do I do?

ClamAV may have found a malicious or suspicious file. However, you're probably asking yourself if the alert is a False Positive (FP). It may well be, so don't just delete the file out-of-hand.

Online Research

First, consider the file itself and whether or not the alert makes sense. If you're concerned, start by searching the name of the signature on Google. If FP's are being reported, you may see others complaining about the same thing, or you may be able to get an understanding of what the signature is trying to find.

Technical Investigation

Second, if you're technically inclined, you may want to try to read the signature details to understand how it works and what, specifically, it's alerting on. Take heed, this investigation might leave you more confused than when you started. ClamAV doesn't post write-ups on how each signature in-part because a good number of our signatures these days are generated automatically and not by a human mind.

1. Start by opening a command prompt in a new empty directory, for example:

user@laptop:~$mkdir /tmp/sigdump user@laptop:~$  cd /tmp/sigdump

2. Use the sigtool program to unpack the ClamAV databases into their separate components. SigTool should be installed alongside clamscan, probably in /usr/local/bin/sigtool. The ClamAV databases are traditionally installed in /usr/local/share/clamav although if you installed from a package manager, your paths may vary:

user@laptop:/tmp/sigdump$sigtool -u /usr/local/share/clamav/main.cvd user@laptop:/tmp/sigdump$  sigtool -u /usr/local/share/clamav/daily.cvd        # May be: daily.cld

user@laptop:/tmp/sigdump$sigtool -u /usr/local/share/clamav/bytecode.cvd # May be: bytecode.cld  3. Use ls to verify that you've successfully unpacked the databases: user@laptop:/tmp/sigdump$  ls

3986187.cbc    3986230.cbc    3986303.cbc    4553522.cbc    6335443.cbc    6399052.cbc    daily.cfg      daily.msb
3986188.cbc    3986231.cbc    3986305.cbc    4970075.cbc    6335540.cbc    6404655.cbc    daily.crb      daily.msu
3986206.cbc    3986232.cbc    3986306.cbc    5044126.cbc    6335560.cbc    6428210.cbc    daily.fp       daily.ndb
3986212.cbc    3986233.cbc    3986310.cbc    5588995.cbc    6335564.cbc    6428556.cbc    daily.ftm      daily.ndu
3986214.cbc    3986234.cbc    3986321.cbc    5819336.cbc    6335669.cbc    6441308.cbc    daily.hdb      daily.pdb
3986215.cbc    3986235.cbc    3986322.cbc    5999914.cbc    6336023.cbc    6442366.cbc    daily.hdu      daily.sfp
3986216.cbc    3986236.cbc    3986327.cbc    5999936.cbc    6336035.cbc    6447941.cbc    daily.hsb      daily.wdb
3986217.cbc    3986242.cbc    3986328.cbc    6300337.cbc    6336074.cbc    6453673.cbc    daily.hsu      main.crb
3986218.cbc    3986244.cbc    3986334.cbc    6311970.cbc    6336259.cbc    6471051.cbc    daily.idb      main.fp
3986219.cbc    3986249.cbc    3986337.cbc    6316126.cbc    6336260.cbc    6497366.cbc    daily.ign      main.hdb
3986220.cbc    3986259.cbc    4306126.cbc    6324281.cbc    6336630.cbc    6539706.cbc    daily.ign2     main.hsb
3986221.cbc    3986282.cbc    4306157.cbc    6327695.cbc    6336737.cbc    6566834.cbc    daily.info     main.info
3986222.cbc    3986283.cbc    4307467.cbc    6329916.cbc    6336739.cbc    6614848.cbc    daily.ldb      main.mdb
3986223.cbc    3986289.cbc    4416867.cbc    6329917.cbc    6364361.cbc    COPYING        daily.ldu      main.msb
3986224.cbc    3986292.cbc    4510302.cbc    6335400.cbc    6380163.cbc    bytecode.info  daily.mdb      main.ndb
3986229.cbc    3986301.cbc    4526683.cbc    6335427.cbc    6395243.cbc    daily.cdb      daily.mdu      main.sfp

4. Use grep to search for the signature in question. For example:

user@laptop:/tmp/sigdump$grep -r Win.Downloader.DDECmdExec-6683887-5 Win.Downloader.DDECmdExec-6683887-5;Engine:81-255,Target:0;4;0:1f8b;0:255044462d;0:4d5a{-100}50450000;7c27{-255}2721;(0=0&1=0&2=0)&3/(?<!\x20)[=+\-@]\s*?(\w+\s*?\x28)?.{0,50}(certutil|cmd|cmstp|cscript|dnscmd|msiexec|netsh|regsvr32|rpcping|rundll32|schtasks|telnet|tscon|tsdiscon|wmic|wscript).{0,50}\|\s*?\x27[^\x27]{5,255}\x27\s*?\x21/i  5. Reading ClamAV signatures is hard. You can familiarize yourself with the ClamAV signature format by reading the documentation on writing ClamAV Signatures. To get a jump start, you can make sigtool print out a more human readable represenation of what the signature is looking for. Pipe the output from grep directly into sigtool by using the --decode-sigs option: user@laptop:/tmp/sigdump$  grep Win.Downloader.DDECmdExec-6683887-5 -r . | ../../bin/sigtool --decode-sigs


The output will look something like this:

    VIRUS NAME: ./daily.ldb:Win.Downloader.DDECmdExec-6683887-5
TDB: Engine:81-255,Target:0
LOGICAL EXPRESSION: 4
* SUBSIG ID 0
+-> OFFSET: 0
+-> SIGMOD: NONE
+-> DECODED SUBSIGNATURE:
�
* SUBSIG ID 1
+-> OFFSET: 0
+-> SIGMOD: NONE
+-> DECODED SUBSIGNATURE:
%PDF-
* SUBSIG ID 2
+-> OFFSET: 0
+-> SIGMOD: NONE
+-> DECODED SUBSIGNATURE:
MZ{WILDCARD_ANY_STRING(LENGTH<=100)}PE
* SUBSIG ID 3
+-> OFFSET: ANY
+-> SIGMOD: NONE
+-> DECODED SUBSIGNATURE:
|'{WILDCARD_ANY_STRING(LENGTH<=255)}'!
* SUBSIG ID 4
+-> OFFSET: ANY
+-> SIGMOD: NONE
+-> DECODED SUBSIGNATURE:
+-> TRIGGER: (0=0&1=0&2=0)&3
+-> CFLAGS: i

6. Interpret the results. ClamAV signatures can be as simple as a hash-based signature of a known-malicious file, but they can also be a complex logical test. You may not learn enough to make an educated decision. The above example is a pretty complicated one, so I will try to walk you through it.

You can see that there are 5 subsignatures (numbered 0 - 4). The LOGICICAL EXPRESSION indicates which subsignature(s) matter and why. This could be something like 0 AND 1 to indicate that 2 subsignatures must both trigger in order for the overall signature to alert. In this case, only subsignature 4 is required by the LOGICAL EXPRESSION.

If you look at SUBSIG ID 4, you'll see that has a has a TRIGGER which acts in much the same way as the above LOGICAL EXPRESSION. If the subsignatures in the logical expression are satisfied, then the regular expression REGEX will be tested. If the regular expression matches, then the SUBSIG ID 4 will trigger and the overall signature will alert.

Reporting

If you believe that the signature alerted on a benign file, please report the False Positive so our analysts can refine or remove the faulty signature. You can report false positives on our website or you can submit the report using the clamsubmit command-line program.

If you're concerned that the file may be malicious, and aren't comfortable quarantining and/or deleting the file, feel free to ask in the user mailing lists for advice. Please subscribe to clamav-users and then post a message to all the list members by sending an email to clamav-users -at- lists -dot- clamav -dot- net.

ClamAV from Packages

If you installed from a package, we suggest you find the approved package from your distro provider and install that. The ClamAV team does not maintain individual packages for every distribution build. If there are no new packages, you have three options:

• Wait
• Build ClamAV Package
• Install ClamAV From Source

Install ClamAV From Source

If you installed from sources, first uninstall the old version.

Depending on your installation method, you might want to backup configuration (located in /usr/local/etc by default) and signature database (located in /usr/local/share/clamav by default). Don't forget to restore backups before starting up updated ClamAV.

Backup your database signature (located in /usr/local/share/clamav by default) before upgrading to newer ClamAV version. Restore the backed up database signature before running the updated version. This is to avoid getting the /usr/local/share/clamav not locked error message when doing freshclam.

Webmin and Yum

To obtain a new version:

yum list clamav

yum update clamav


If everything updated properly, run freshclam to update your signature database.

What does "WARNING: Current functionality level = 1, required = 2" mean?

The functionality level of the database determines which scanner engine version is required to use all of its signatures. If you don't upgrade immediately you will be missing the latest viruses.

What does "Your ClamAV installation is OUTDATED" mean?

You'll get this message whenever a new version of ClamAV is released. In order to detect all the latest viruses, it's not enough to keep your database up to date. You also need to run the latest version of the scanner. You can download the sources of the latest release from our website. If you are afraid to break something while upgrading, use the pre-compiled packages for your operating system/distribution. Remember: running the latest stable release also improves stability.

I upgraded to the latest stable version but I still get the message "Your ClamAV installation is OUTDATED", why?

Make sure there is really only one version of ClamAV installed on your system:

whereis freshclam

whereis clamscan


Also make sure that you haven't got old libraries (libclamav.so*) lying around your filesystem. You can verify it using:

ldd $(which freshclam)  What does "Malformed hexstring: This ClamAV version has reached End of Life" mean? Please refer to our End-of-Life (EOL) policy. How do I verify the integrity of ClamAV sources? Using GnuPG you can easily verify the authenticity of your stable release downloads by using the following method: Download the Talos PGP public key from the VRT labs site. Import the key into your local public keyring: gpg --import vrt.gpg  Download the stable release AND the corresponding .sig file to the same directory. Verify that the stable release download is signed with the Talos PGP public key: gpg --verify clamav-X.XX.tar.gz.sig  Please note that the resulting output should look like the following:  gpg: Signature made Wed Jan 24 19:31:26 2018 EST gpg: using RSA key F13F9E16BCA5BFAD gpg: Good signature from "Talos (Talos, Cisco Systems Inc.) [email address]" [unknown]  For other PGP implementation, please refer to their manual. Where can I get the latest release, beta, or release candidate of ClamAV? Visit the source download page. Is my compiler/hardware/operating system supported by ClamAV? ClamAV supports a wide variety of compilers, hardware and operating systems. Our core compiler is GCC with Linux on 32 and 64 bit Intel platforms, LLVM/Clang on macOS, and MSVC on Windows. ClamAV on Microsoft Windows FAQ ClamAV offers a versions of ClamAV for Microsoft Windows compatible with both 32bit and 64bit versions of Windows 7 and newer. We provide both two install packages for Windows: • Portable Install Package • Zip file containing all you need to run ClamAV without running an installer. • Install Program • Traditional executable installer that will install ClamAV in the "Program Files" directory. In addition to the above ClamAV versions that run on Windows, Cisco offers two more endpoint security products powered in-part by ClamAV. These are: • Immunet • Immunet is a malware and antivirus protection system that utilizes cloud computing to provide enhanced community-based security. • Immunet is free for non-commercial use. • Commercial users should consider Cisco AMP. • Cisco Advanced Malware Protection (AMP) for Endpoints • AMP for Endpoints prevents threats at point of entry, then continuously tracks every file it lets onto your endpoints. AMP can uncover even the most advanced threats, including fileless malware and ransomware. • AMP for Endpoints is subscription-based, managed through a web-based management console, and may be deployed on a variety of platforms to include Windows, macOS, and Linux operating systems. • For details, please visit the AMP for Endpoints website. What is the difference between ClamAV, Immunet, and ClamWin? ClamAV is available for Windows with the same scanning and detection capabilities available when using ClamAV on macOS and Linux, with exception to the On-Access Scanning feature (Linux). Immunet is a real-time fully featured desktop AV solution. It contains cloud based detection technologies and the enterprise grade ClamAV detection engine. The product is produced and maintained by Cisco which owns both ClamAV and Immunet. ClamWin is a free application that provides a graphical front-end for ClamAV, similar to ClamTk. ClamWin is maintained by ClamWin Pty Ltd., and has no association with ClamAV, Cisco, or the Immunet product. Additionally, ClamWin does not contain an on-access real-time scanner, and can only be used to manually scan files. Is Immunet free for commercial use? Immunet is not free for commercial use. AMP for Endpoints is our product that replaced the commercial version. If you are interested in deploying this in a commercial environment, we highly suggest checking that out. Will Immunet send any sensitive data from my computer to the cloud? Immunet sends information about the files its scanning back to the cloud. This information is in the form of SHA hashes and file heuristics. Currently, this information is only collected for Windows PE files, or in other terms what most people refer to as executable files. No information is collected for other types of files, like Word, Excel, or PDF. Additionally, in some situations the entire PE file will be uploaded to the Cloud to determine if it is malicious. For a complete overview please see the privacy policy. Are you going to make use of the Cloud in the *nix version of ClamAV? The simple answer is “yes”. The complex answer is “when”. We are currently working on that roadmap and will keep everyone informed as that information becomes available. Can I use Immunet with my current AV solution? Yes. In fact it is encouraged. Where should I report false positives or undetected malware? Please report Undetected Malware here. Please report False Positives here. Are there 64 bit versions of ClamAV for Windows as well as 32 bit? Yes. You can find both versions at ClamAV/downloads. End of Life Policy (EOL) The naming convention for ClamAV releases uses three numbers (X.Y.Z) where the first two (X.Y) identify a feature release and the last one (Z) a patch version. As of July, 2021, the latest feature release is 0.103 and the latest patch version is 0.103.3. ClamAV Versions Supported by the Official Signature Databases Before releasing a signature database (CVD) update, we verify that it can be correctly loaded by the latest two feature releases of ClamAV and all the patch versions released after each of them. We only check the CVD update for false positives using the latest patch release (or feature release, in case there has been no patch release after the last feature release). Disclaimer: if this policy has to change due to a compatibility problem that prohibits the use of new detection technology, or impacts the stability of ClamAV infrastructure, we will announce the end of life for those versions four months before they become unsupported. Currently, every version from ClamAV 0.99 and down, including all patch versions, are unsupported, and are actively blocked from downloading new updates. ClamAV Versions Receiving Back-ported Security Patches Like all bugs, security patches are prepared for our upcoming feature release. Only security patches and other critical fixes or critical improvements are backported to previous feature releases. The ClamAV team is small and can't afford to port fixes back very far. To keep momentum making progress on new features, improvements, and minor bug fixes, our policy is to backport no further than 1 or 2 feature releases. Our team also feels strongly that as a security product, newer ClamAV versions offer improved malware detection efficacy and that it is important for users to upgrade to newer ClamAV versions even on older long-term-support (LTS) Linux distributions. We ask that package maintainers make every effort to upgrade packages to newer ClamAV versions during the lifetime of an LTS distribution, unless you have reason to believe that upgrading users to the new ClamAV version would break things for your users. Situation 1: Security Patches Less than 6 Months After a Feature Release If the non-disclosure / release date for a security patch falls within 6 months since the previous feature release was published, we will craft a security patch version for the future feature release, the current feature release, and the previous feature release. As an example, let's say ClamAV 0.102.0 was just released and development begins on 0.103. But shortly after the release or as we're preparing for the release, it is discovered that 0.102.0 contains one or more security issues. We understand with such a recent release, not everyone has had time to verify that they can indeed upgrade without some other supporting changes to their system or product. In this situation, we would prepare a security patch version for the 0.102 feature version (eg. 0.102.1) and for the 0.101 feature version (eg. 0.101.5). Once both releases have been published, the same or equivalent fixes will be merged into the main branch for inclusion into the next feature release (0.103.0). Situation 2: Security Patches After a Breaking Change On rare occasion we have made breaking changes to the way that users or other software interact with ClamAV or libclamav. The 0.101.0 release was one such example where we made a breaking change to the libclamav programming API. When this happens, we will provide extra time for users to upgrade to a newer feature release before we discontinue support for the older feature release. The amount of extra time before we discontinue support will vary depending on the severity of the breaking change and the level of difficulty to upgrade. Situation 3: Security Patches More than 6 Months After a Feature Release Has Been Available If the non-disclosure / release date for a security patch falls after 6 months since the previous feature release was published, we will only craft a security patch version for the future feature release and the current feature release. For example, if 0.102.0 was released in January and a security issue was found in May, but the non-disclosure agreement allowed for the bug to be patched after the standard 90 days, then a security patch release will likely be prepared for release in early August. This would exceed our 6-month policy, so we would publish the fix in 0.102.1 but would not publish a patch version for the 0.101 series. Potentially Unwanted Applications (PUA) ClamAV supports the detection of Potentially Unwanted Applications (PUA). PUA Config Options You can customize PUA detection for ClamD with these clamd.conf options:  DetectPUA yes # Detect Possibly Unwanted Applications ExcludePUA CAT # Skip PUA sigs of category CAT IncludePUA CAT # Load PUA sigs of category CAT  You can customize PUA detection for ClamScan with these command-line options:  --detect-pua # Detect Possibly Unwanted Applications --exclude-pua=CAT # Skip PUA sigs of category CAT --include-pua=CAT # Load PUA sigs of category CAT  The category name is a string match with the 2nd token in a PUA.* signature name.  PUA.category.subcategory.description-version  Some examples: • PUA.Win.Packer.BorlandDelphi-5 : The category name is Win. • PUA.Cert.Revoked.PEAuthenticode-5750538-0 : The category name is Cert. There is presently no support for including or excluding by subcategory. Current PUA Categories PUA categories are the product of signature naming conventions. These vary over time as new signatures are added. Disclaimer: PUA signatures are not as carefully curated as malware signatures because they are not as commonly used. You should expect more false positives when using PUA signatures. Further, inclusion or exclusion of specific categories may not be very intuitive or predictable. Specifically, excluding the Win category will not exclude all Windows application PUA signatures. There are undoubtedly more Windows PUA signatures in the Packed, Tool, Spy, NetTool, etc categories that target Windows applications. Similarly, excluding the Packed category will not guarantee that you exclude signatures like PUA.Win.Packer.Whatever-0123. In short, the inclusion and exclusion of PUA signatures will likely be frustrating. Improvements to PUA include/exclude options to support subcategories as well as SigTool features to enumerate current PUA categories and subcategories would be a good candidate for a community contribution project. Disclaimer 2: The Virus/Ransomeware/Trojan/etc malware categories or subcategories for PUA signatures were mistakenly selected by automated tools. Those tools have since been fixed and no new signatures should appear with these names. The existing malware-name categories for these PUA signatures are expected to be removed/renamed as time permits. The following is a snapshot of the PUA signature name categories and subcategories from daily.cvd & main.cvd (Jan 29, 2020): PUA.Andr.Adware PUA.Andr.Downloader PUA.Andr.Dropper PUA.Andr.Tool PUA.Andr.Trojan PUA.Andr.Virus PUA.Cert.Revoked PUA.Doc.Dropper PUA.Doc.Packed PUA.Doc.Tool PUA.Doc.Trojan PUA.Email.Phishing PUA.Email.Trojan PUA.Embedded.File PUA.Html.Exploit PUA.Html.Tool PUA.Html.Trojan PUA.Java.Exploit PUA.Java.Packer PUA.Js.Exploit PUA.Osx.File PUA.Osx.Trojan PUA.Packed.Tool PUA.Pdf.Exploit PUA.Pdf.Trojan PUA.Php.Trojan PUA.Rtf.Exploit PUA.Spy.Tool PUA.Swf.Spyware PUA.Tool.Countermeasure PUA.Tool.Tool PUA.Unix.Adware PUA.Unix.Coinminer PUA.Unix.Downloader PUA.Unix.File PUA.Unix.Malware PUA.Unix.Tool PUA.Unix.Trojan PUA.Unix.Virus PUA.Win.Adware PUA.Win.Coinminer PUA.Win.Downloader PUA.Win.Dropper PUA.Win.Exploit PUA.Win.File PUA.Win.Ircbot PUA.Win.Joke PUA.Win.Keylogger PUA.Win.Malware PUA.Win.Packed PUA.Win.Packer PUA.Win.Proxy PUA.Win.Ransomware PUA.Win.Spyware PUA.Win.Tool PUA.Win.Trojan PUA.Win.Virus  PUA Category Descriptions The following category descriptions should give you some idea of how the PUA signature naming conventions are used. Please note this list is not exhaustive. As noted above, PUA signatures are not as carefully curated and there will be exceptions: • Andr Potentially unwanted applications for Android mobile devices. • Java Potentially unwanted applications written for the Java runtime. • NetTool Applications that can be used to sniff, filter, manipulate or scan network traffic or networks. While a network scanner - for example - can be a extremely helpful tool for admins, you may not want to see an average user playing around with it. Same goes for tools like netcat and the like. • P2P Peer to Peer clients can be used to generate a lot of unwanted traffic and sometimes it happens that copyrights are violated by downloading copyright protected content (Music, Movies) - therefore we consider them possibly unwanted as well. • Packed This is a detection for files that use some kind of runtime packer. A runtime packer can be used to reduce the size of executable files without the need for an external unpacker. While this can't be considered malicious in general, runtime packers are widely used with malicious files since they can prevent a already known malware from detection by an anti-virus product. • PwTool Password tools are all applications that can be used to recover or decrypt passwords for various applications - like mail clients or system passwords. Such tools can be quite helpful if a password is lost, however, it can also be used to spy out passwords. • IRC IRC Clients can be a productivity killer and depending on the client - a powerful platform for malicious scripts (take mIRC for example). • Osx Potentially unwanted applications for macOS systems. • RAT Remote Access Trojans are used to remotely access systems, but can be used also by system admins, for example VNC or RAdmin. • Server Server based badware like DistributedNet. • Script Known "problem" scripts written in JavaScript, ActiveX or similar. • Spy Keyloggers, spying tools. • Tool General system tools, like process killers/finders. • Unix Potentially unwanted applications for Unix systems. • Win Potentially unwanted applications for Windows systems. How do I ignore a ClamAV signature? Creating an ignore file Change Directory into the location where your ClamAV databases are stored. Create a file called ignore_list.ign2, for example, like this: touch ignore_list.ign2 Ignore individual signatures Place the signatures you'd like to ignore, each on it's own line, within the file ignore_list.ign2. For example: Signature.Ignore-1 Signature.Ignore-2 Uninstalling ClamAV If you installed from source If you installed using Autotools (0.103.0 and older) If you installed from source, the easiest way to uninstall will require that same source and build configuration in order to uninstall. Then run: sudo make uninstall  Tip: If you don't have the old source / build directory from when you installed, you can get the source again and re-configure, as if for a build, so that you can use the build system to uninstall. Just be sure you use the same ./configure options as when you first installed. For example: ./configure sudo make uninstall  If you installed using CMake (0.104.0 and newer) CMake doesn't provide a simple command to uninstall. However, CMake does build an install_manifest.txt file when you do the install. You can use the manifest to remove the installed files. You will find the manifest in the directory where you compiled ClamAV. If you followed the recommendations in our Installing from Source section, then you will find it at <clamav source directory>/build/install_manifest.txt. Feel free to inspect the file so you're comfortable knowing what you're about to delete. Open a terminal and cd to that <clamav source directory>/build directory. Then run: xargs rm < install_manifest.txt  This will leave behind the directories, and will leave behind any files added after install including the signature databases and any config files. You will have to delete these extra files yourself. Tip: If you don't have the old source / build directory from when you installed, you can get the source again. Unlike with Autotools, you'll have to do more than just re-configure. You'll have to compile and re-install overtop of your existing install in order to get a new copy of the install_manifest.txt file. But once you do that, you should be able to use the command above to uninstall. For example: cmake . && make && sudo make install sudo xargs rm < install_manifest.txt  If you installed from packages • Debian/Ubuntu: apt remove clamav • Redhat/Fedora: dnf remove clamav* or, on older systems: yum remove clamav* • Mandriva: urpme clamav • Gentoo: emerge -C clamav • FreeBSD: pkg delete clamav • OpenBSD: pkg_delete clamav • NetBSD: pkgin remove clamav • Slackware: /etc/rc.d/rc.clamav stop; removepkg clamav Caveats Make sure that you haven’t got old libraries (libclamav.so) lying around your filesystem. You can verify it using: ldd which freshclam  Also make sure there is really only one version of ClamAV installed on your system: whereis freshclam whereis clamscan  Appendix Terminology General Terminology TermDescription adwareAdware is software that injects extra advertisements into other applications like your browser, or extra advertisements bundled by a third party into software that is ordinarily free of advertisements. Adware is often considered to be a type of Potentially Unwanted Application (PUA) when the the advertisements aren't used to fund development of the application but are injected by a third party. bytecodeBytecode is a partially compiled executable that is platform agnostic but must be further compiled or otherwise interpreted in order to be executed. For ClamAV, "bytecode signature" refer to ClamAV plugin with a .cbc file extension. Some bytecode signatures detect specific types of malware, as the name suggests. Other bytecode signatures extend file parser support within ClamAV, enabling faster deployment of new ClamAV features. CLDA CLD is the uncompressed ClamAV signature database archive. CLD files are created by FreshClam when a CVD or CLD database archive is updated with a CDIFF patch file. CVDA CVD is an compressed ClamAV signature database archive that is signed and distributed by Cisco-Talos. "CVD" refers to the .cvd file extension, although when updated using a CDIFF database patch file, the extension is changed to .cld. CDIFFA CDIFF is a patch file for a CVD or CLD database archive. CDIFFs allow for frequent updates to the ClamAV database set without requiring a large download each time. endpointAn endpoint is a computer that a human interacts with, such as a laptop, desktop, or mobile device. endpoint security suiteAn endpoint security suite is software that bundles a variety of services to protect a computer system. In addition to scheduled malware scanning, this may include features like a firewall, on-access scanning, network traffic monitoring, process behavioral monitoring, and other real time protection features. false negativeA false negative is when a scan fails to alert on a file. You can report false negatives on clamav.net. false positiveA false positive is when a scan incorrectly alerts on a file. You can report false positive detections on clamav.net. malwareMalware is a general term for software intended to cause harm, disrupt, or gain unauthorized access to a computer system. Trojans, worms, miners, rootkits, viruses, keyloggers, and ransomware are all examples of different types of malware. on-accessOn-access in the context of malware detection refers to a technology to scan files when they are created, opened, moved, or otherwise accessed. On-access scanning is one form of "real time protection". The scan may block access to the file and prevent access if an alert occurs, or it may simply scan as the file is being accessed to alert or take some action when the scan is complete. PUAA Potentially Unwanted Application (PUA) or Potentially Unwanted Program (PUP) is a program that probably isn't malware, but little benefit to the user and is considered to be undesirable by most people. This may include software like crypto currency mining software, adware, and other software that may be legitimate but may also be used to take advantage of unsuspecting users. See our FAQ page about PUA signatures for more information. ClamAV Components ComponentDescription clamav-configThis is a script for checking how ClamAV was compiled. clamav-config is not present on Windows installations. clamav-milterClamAV-Milter is a daemon that performs email filter scanning through clamd. clambc-compilerThe ClamAV Bytecode Compiler (ClamBC-Compiler or ClamBCC) is a compiler for building bytecode executable signature plugins. The Bytecode Compiler installed separately. See the ClamAV Bytecode Compiler project on Github for more details. clambcClamBC is another signature manipulation tool specifically for bytecode signatures. clamconfClamConf is a tool to check or generate ClamAV configuration files and collect additional information that may be needed to help remotely debug issues. clamdClamD is a multi threaded daemon that listens for scan requests on a network socket or unix socket. Client applications for clamd include clamdtop, clamdscan, clamav-milter, and clamonacc. The socket interface is documented and there are also a variety of third-party clients for clamd. See the Community Projects page for more details. clamdscanClamDScan is a command line program to scan files and directories through clamd. clamdtopClamDTop is a command line GUI to monitor ClamD. clamonaccClamOnAcc is a daemon that receives on-access events from the kernel for real-time protection scanning through ClamD. ClamOnAcc is only available for Linux at this time. clamscanClamScan is a command line program to scan files and directories that does not require the clamd daemon. freshclamFreshClam is the signature database (cvd) update tool. libclamavThe ClamAV library enables you to build the ClamAV engine into your programs. The C programming API can be found in clamav.h. libfreshclamThe FreshClam library enables you to build the signature update update features into your programs. The C programming API can be found in libfreshclam.h. sigtoolSigTool is a signature database (cvd) manipulation tool for malware analysts and signature writers. Private Local Mirrors There are some situations in which it may be desirable to set up a private mirror for distributing CVD updates. If you run ClamAV on many clients on your network, each installation will download a copy of new .cdiff files. This is a waste of bandwidth and resources for your network and for our mirrors network. Sometimes the servers which perform the scan are not directly connected to Internet and can only download updates from a server in the same network segment. For people who face these problems, we recommend using one of the following 3 setups. 1. Use an HTTP proxy This solution is really easy to implement and is bandwidth efficient. Install a proxy server (e.g. squid) and then tell your FreshClam clients to use it. This can be done by setting the HTTPProxyServer parameter in freshclam.conf (see man 5 freshclam.conf for the details). 2. Serve CVD files from a local web server This solution is really simple to implement but it's only effective if your clients are all on the same local network and bandwidth is not an issue for you. Configure a local webserver on one of your machines (say machine1.mylan) and let FreshClam download the *.cvd files from http://database.clamav.net to the webserver’s DocumentRoot. Add the following line to freshclam.conf on machine1.mylan: ScriptedUpdates no First the database will be downloaded to the local webserver and then the other clients on the network will update their copy of the database from it. For this to work you have to change freshclam.conf on each client so that it reads PrivateMirror machine1.mylan ScriptedUpdates no 3. Serve CVD and CDIFF files from a local web server This solution will be more bandwidth efficient for you. It will allow you to host a mirror that functions in the same way as the official database CDN, serving CVD and CDIFF files. These instructions use a tool named cvdupdate. cvdupdate requires: • Python 3.6 or newer. • An internet connection with DNS enabled. • It should work fine on Linux/Unix and on Windows. IMPORTANT: Please do NOT use cvdupdate if you don't need to host a private database mirror. FreshClam is far more efficient, even for a small cluster of installs, because it will update with CDIFF patches after the initial database downloads. You can easily install cvdupdate Python3's Pip package manager: pip3 install cvdupdate (optional) Once installed, you may wish to configure where the databases are stored: cvd config set --dbdir <your www path> Now run this as often as you need, or at least once a day to download/update the databases: cvd update If you didn't set a custom database path, the databases will be stored in ~/.cvdupdate/database You can use --help with any cvd command to learn more. For ore detailed instructions, or to report issues, please visit: https://github.com/Cisco-Talos/cvdupdate](https://github.com/Cisco-Talos/cvdupdate) Once you have the database files, host them with your favorite webserver, or use the cvd serve test-webserver (not intended for production). Set up your FreshClam clients' freshclam.conf config file to point to: DatabaseMirror http://machine1.mylan You may wish to set up a proxy to enable HTTPS. If you do, use: DatabaseMirror https://machine1.mylan 4. Serving a private mirror from Cloud Foundry This solution isn't necessarily bandwidth efficient, but very easy to deploy with pre-existing Cloud Foundry deployments. In a nutshell, it downloads the CVDs and stores them in-memory to serve them as an uber-fast mirror. While it is storing definitions in-memory, if the app is restarted/rebooted, it will reach out and re-download the CVDs. You can find the app here on Github, as well as instructions on how to push it to Cloud Foundry. The URL the app is configured with is where the ClamAV daemons can listen from. Microsoft Authenticode Signature Verification About Microsoft Authenticode Authenticode is Microsoft's system for using digital signatures to ensure that programs to be run/installed on Windows systems come from a verified source and has not been modified by anyone else. At a high level, it works by having software developers: 1. Obtain a code-signing certificate from a certificate authority trusted by the Windows OS. 2. Compute digital signatures for executables and related software installation files using that certificate. 3. Include the signatures as part of the software execution/installation process so that Windows can use them in the verification process. In addition, Authenticode signatures can be countersigned by a time-stamping service that allows signature verification to succeed even if the code-signing certificate expires or gets revoked. For more information, check-out the following resources: Authenticode and ClamAV ClamAV supports parsing the Authenticode section and performing signature verification on a given executable to determine whether it should be trusted (based on rules loaded in from ClamAV .crb files). An overview of this process, including information on the .crb file format and on how to add new trusted certificate entries, is explained in the Authenticode Certificate Chain Verification ClamAV blog post. There are a few things not covered in the blog post that are worth mentioning: • As of ClamAV 0.102, leaf certificates (the ones actually issued to the entity signing the binary) may be used for certificate verification in addition to certificates that issued the leaf certificate (and certificates higher up in the chain) can be used. • As of ClamAV 0.102, .crb rules may also be used to block malicious executables where in previous versions these block list entries just override .crb rules that would otherwise trust a given sample. • SigTool offers the --print-certs flag, which can be used to show information about embedded Authenticode signatures without having to first match on a signature (which is currently a requirement for clamscan) • External Authenticode signatures contained in .cat files can be loaded in to ClamAV by passing a -d flag and indicating the path to the .cat file from which to load signatures. Note, however, that at least one certificate in the .cat file's certificate chain must be trusted (in other words, it must have a backing .crb trusted certificate rule.) Helpful Info for Working with Authenticode Signatures Below is some useful information collected when improving ClamAV support for Authenticode signatures. Format Specifications The Windows Authenticode 2008 specification document can be found at the link below. Note, however, that it is not 100% accurate. For instance, the documented steps for computing the Authenticode hash are not correct in the case where you have sections that overlap with the PE header or with one another. Verifying the Signature On Linux, osslsigncode can be used to verify a signature: $ osslsigncode verify /path/to/signed/file
Current PE checksum   : 00092934
Calculated PE checksum: 00092934

Message digest algorithm  : SHA256
Current message digest    : 56924EB391B1B04572B1841ED5D5C10927CE7D6E9553A69F994B9BA855A73933
Calculated message digest : 56924EB391B1B04572B1841ED5D5C10927CE7D6E9553A69F994B9BA855A73933

Signature verification: ok

Number of signers: 1
Signer #0:
Issuer : /C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 SHA256 Code Signing CA

Number of certificates: 2
Cert #0:
Issuer : /C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 SHA256 Code Signing CA
Cert #1:
Subject: /C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 SHA256 Code Signing CA
Issuer : /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5

Succeeded


On Windows,

AnalyzePESig is a great tool for displaying signature information. In addition, signtool can be used.

NOTE that the machine on which these commands is run should have Internet connectivity so that revocation lists can be consulted. Otherwise, Windows may default to assuming that none of the certificates are revoked.

There is also the verify-sigs python script that performs verification, but this script is no longer maintained.

Extracting the Signature

On Linux, the osslsigncode command can be used to extract the contents of the PE security section:

osslsigncode extract-signature -in /path/to/exe -out /path/to/extracted

Note: This will also extract the 8-byte WIN_CERTIFICATE structure data. To skip this data, use:

dd if=/path/to/extracted of=/path/to/extracted.p7b bs=1 skip=8


Inspecting the Signature

On Linux, openssl has some useful functions for printing the certificate information and parsing the PKCS7 ASN1:

    $openssl pkcs7 -inform der -print_certs -in extracted.p7b -noout -text Certificate: Data: Version: 3 (0x2) Serial Number: 2a:9c:21:ac:aa:a6:3a:3c:58:a7:b9:32:2b:ee:94:8d Signature Algorithm: sha256WithRSAEncryption Issuer: C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 SHA256 Code Signing CA Validity Not Before: Dec 16 00:00:00 2015 GMT Not After : Dec 16 23:59:59 2018 GMT Subject: C=US, ST=California, L=Mountain View, O=Google Inc, CN=Google Inc Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (2048 bit) Modulus: 00:c4:0d:82:c4:41:29:28:e5:fd:0c:3f:a5:c7:0e: 66:bd:a5:c4:8b:b3:8a:ac:84:03:9f:84:2e:38:df: 06:b1:4e:fd:33:60:58:38:36:dd:22:cf:df:f1:50: 1f:47:f1:55:05:c1:81:01:e7:28:3e:ff:5f:89:12: 09:ea:df:aa:17:49:2c:71:ab:48:d1:9d:2e:f4:51: e0:03:e0:f7:16:6c:7b:0c:22:75:6d:7e:1f:49:c4: 43:28:88:41:dc:6c:ed:13:2a:03:99:eb:62:14:f9: 35:26:6e:12:2c:03:e2:f7:81:b9:1a:05:67:06:7c: a6:1a:5b:ed:20:15:e5:2d:83:de:8e:36:fa:1e:08: 41:1c:1a:48:9f:b6:f1:c3:2f:02:13:4b:a7:ca:ba: ef:1c:58:6f:8e:d3:0f:14:a4:0b:2b:5d:ba:f4:5a: a3:0d:64:34:a5:8a:d7:8f:4d:22:66:4d:a4:ae:e1: f9:cd:c6:58:e6:c6:11:77:32:df:ba:df:39:48:8a: d1:27:d7:33:77:a8:c9:e4:5e:ed:fa:12:cf:f3:fd: fa:ee:ab:80:86:13:34:eb:5a:7e:6f:6c:1b:ee:d8: 4b:b2:cc:77:98:87:ac:ca:f5:bb:64:6f:49:1e:5b: 91:63:50:1f:63:2d:83:27:73:07:9f:2b:16:f4:7b: 71:29 Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Basic Constraints: CA:FALSE X509v3 Key Usage: critical Digital Signature X509v3 Extended Key Usage: Code Signing X509v3 Certificate Policies: Policy: 2.16.840.1.113733.1.7.23.3 CPS: https://d.symcb.com/cps User Notice: Explicit Text: https://d.symcb.com/rpa X509v3 Authority Key Identifier: keyid:96:3B:53:F0:79:33:97:AF:7D:83:EF:2E:2B:CC:CA:B7:86:1E:72:66 X509v3 CRL Distribution Points: Full Name: URI:http://sv.symcb.com/sv.crl Authority Information Access: OCSP - URI:http://sv.symcd.com CA Issuers - URI:http://sv.symcb.com/sv.crt Netscape Cert Type: Object Signing 1.3.6.1.4.1.311.2.1.27: 0....... Signature Algorithm: sha256WithRSAEncryption 23:e7:93:93:af:db:a8:4d:af:af:54:e8:d8:26:95:80:cd:23: 91:70:ed:0b:5b:b1:e9:d8:dd:1e:40:37:78:97:18:ed:9f:e5: 84:67:85:06:50:b5:f1:ab:e6:83:5a:17:7b:51:be:7f:18:c6: 47:5e:2b:aa:f4:a0:1f:35:3e:05:9f:43:40:f7:9f:d1:f4:e1: a7:02:f3:8e:c9:71:fe:18:37:48:42:d7:e4:36:73:10:92:d4: d8:d9:1c:c4:26:58:18:67:b6:24:22:69:63:02:f7:49:51:6b: 75:f6:b4:7d:56:ff:2c:f4:88:f7:67:6f:08:86:f3:8b:0b:30: 02:7f:6d:92:d9:4e:bd:99:f7:7b:74:86:0c:cb:b9:ad:2c:bf: 44:79:a8:00:82:9c:62:f4:aa:11:df:d2:bf:f0:e1:92:28:11: 90:bb:5e:33:88:86:96:4d:dd:0b:af:c3:67:a1:95:2d:44:32: c6:fa:f7:b8:80:c1:4e:38:be:1f:b6:84:f7:f1:21:31:67:49: a8:9f:8a:75:07:df:3b:3a:c3:ea:72:cd:40:7f:a7:da:7c:c9: 2e:7c:a9:0c:f1:5d:5c:82:42:62:b9:49:94:8f:70:e6:a5:c0: 5f:17:fb:40:36:c1:3a:89:63:03:1c:3f:66:a0:3d:8f:a1:4c: 4e:5c:ac:bf ...  $ openssl asn1parse -inform der -i -in extracted.p7b
0:d=0  hl=4 l=6984 cons: SEQUENCE
4:d=1  hl=2 l=   9 prim:  OBJECT            :pkcs7-signedData
15:d=1  hl=4 l=6969 cons:  cont [ 0 ]
19:d=2  hl=4 l=6965 cons:   SEQUENCE
23:d=3  hl=2 l=   1 prim:    INTEGER           :01
26:d=3  hl=2 l=  15 cons:    SET
28:d=4  hl=2 l=  13 cons:     SEQUENCE
30:d=5  hl=2 l=   9 prim:      OBJECT            :sha256
41:d=5  hl=2 l=   0 prim:      NULL
43:d=3  hl=2 l=  92 cons:    SEQUENCE
45:d=4  hl=2 l=  10 prim:     OBJECT            :1.3.6.1.4.1.311.2.1.4
57:d=4  hl=2 l=  78 cons:     cont [ 0 ]
59:d=5  hl=2 l=  76 cons:      SEQUENCE
61:d=6  hl=2 l=  23 cons:       SEQUENCE
63:d=7  hl=2 l=  10 prim:        OBJECT            :1.3.6.1.4.1.311.2.1.15
75:d=7  hl=2 l=   9 cons:        SEQUENCE
77:d=8  hl=2 l=   1 prim:         BIT STRING
80:d=8  hl=2 l=   4 cons:         cont [ 0 ]
82:d=9  hl=2 l=   2 cons:          cont [ 2 ]
84:d=10 hl=2 l=   0 prim:           cont [ 0 ]
86:d=6  hl=2 l=  49 cons:       SEQUENCE
88:d=7  hl=2 l=  13 cons:        SEQUENCE
90:d=8  hl=2 l=   9 prim:         OBJECT            :sha256
101:d=8  hl=2 l=   0 prim:         NULL
103:d=7  hl=2 l=  32 prim:        OCTET STRING      [HEX DUMP]:56924EB391B1B04572B1841ED5D5C10927CE7D6E9553A69F994B9BA855A73933
...


On Windows, the certutil executable has a great ASN parser:

    C:\>certutil -asn extracted.p7b
0000: 30 82 1b 48                               ; SEQUENCE (1b48 Bytes)
0004: |  06 09                                  ; OBJECT_ID (9 Bytes)
0006: |  |  2a 86 48 86 f7 0d 01 07  02
|  |     ; 1.2.840.113549.1.7.2 PKCS 7 Signed
000f: |  a0 82 1b 39                            ; OPTIONAL[0] (1b39 Bytes)
0013: |     30 82 1b 35                         ; SEQUENCE (1b35 Bytes)
0017: |        02 01                            ; INTEGER (1 Bytes)
0019: |        |  01
001a: |        31 0f                            ; SET (f Bytes)
001c: |        |  30 0d                         ; SEQUENCE (d Bytes)
001e: |        |     06 09                      ; OBJECT_ID (9 Bytes)
0020: |        |     |  60 86 48 01 65 03 04 02  01
|        |     |     ; 2.16.840.1.101.3.4.2.1 sha256 (sha256NoSign)
0029: |        |     05 00                      ; NULL (0 Bytes)
002b: |        30 5c                            ; SEQUENCE (5c Bytes)
002d: |        |  06 0a                         ; OBJECT_ID (a Bytes)
002f: |        |  |  2b 06 01 04 01 82 37 02  01 04
|        |  |     ; 1.3.6.1.4.1.311.2.1.4 SPC_INDIRECT_DATA_OBJID
0039: |        |  a0 4e                         ; OPTIONAL[0] (4e Bytes)
003b: |        |     30 4c                      ; SEQUENCE (4c Bytes)
003d: |        |        30 17                   ; SEQUENCE (17 Bytes)
003f: |        |        |  06 0a                ; OBJECT_ID (a Bytes)
0041: |        |        |  |  2b 06 01 04 01 82 37 02  01 0f
|        |        |  |     ; 1.3.6.1.4.1.311.2.1.15 SPC_PE_IMAGE_DATA_OBJID
004b: |        |        |  30 09                ; SEQUENCE (9 Bytes)
...


There is also a website that offers ASN1 parser and allows you to interactively hide/view parts of the structure:

Creating Signed Executables

For Linux, Didier Stevens has a great post about how to create signed binaries using self-signed certificates:

On Windows, a program called signtool ships with the Windows SDK and can be used. See the following for tutorials/examples:

Samples with Interesting Authenticode Signatures

Below are some PE files with interesting Authenticode signatures. These are probably only interesting to other researchers who are looking at Authenticode in-depth. All samples are available via VirusTotal.

• SHA256-based code-signing signature without a countersignature

• 8886d96e9ed475e4686ffba3d242e97836de8a56b75cc915e21bb324cc89de03
• SHA256-based code-signing sig and SHA1-based timestamping countersig

• 20367d0e3a5ad12154095d424b8d9818c33e7d6087525e6a3304ef6c22a53665
• SHA384-based cert used in the code-signing chain

• 2249611fef630d666f667ac9dc7b665d3b9382956e41f10704e40bd900decbb8
• Uses SHA512 to compute the Authenticode hash

• eeb5469a214d5aac1dcd7e8415f93eca14edc38f47d1e360d3d97d432695207a
• Signed by an MS root cert that doesn't have a KU or EKU specified

• 69b61b2c00323cea3686315617d0f452e205dae10c47e02cbe1ea96fea38f582
• Has a v1 x509 cert and uses MD2-based hashing

• 1cb16f94cebdcad7dd05c8537375a6ff6379fcdb08528fc83889f26efaa84e2a
• Countersignature with version 0 instead of version 1

• 145fbbf59b1071493686bf41f4eb364627d8be3c9dc8fb927bbe853e593864ec
• Countersignature with contentType == timestampToken instead of pkcs7-data

• 8a364e0881fd7201cd6f0a0ff747451c9b93182d5699afb28ad8466f7f726660
• Countersignature with AlgoIdentifier sha1WithRSAEncryption instead of SHA1

• 2aa6b18d509090c60c3e4ecdd8aeb16e5f149807e3404c86892112710eab576d
• Countersignature uses v1 x509 certs

• 934860a4ac2446240e4c7053ddc27ff4c2463d4ad433cc28c9fcc2ea4690fb86
• Certificate chain has old certificates without a version

• 374a31b20fbafdcd31d52ae11a0dcad58baba556c8942a3cdfae0bb96ae117a1
• Has extra data after the PKCS7, a violation of MS13-098

• 0ee196bb23f0eafe4f61d30bf6c676fd7365cb12ae66a6bde278851e91901ac1
• Authenticode signature covers data not in a section

• 0123c163ac981e639565caff72ee3af2df7174613ee12003ac89124be461c6e6
• Authenticode signature with a section that overlaps the PE header (UPX-packed)

• 0059fb3f225c5784789622eeccb97197d591972851b63d59f5bd107ddfdb7a21
• Authenticode signature with overlapping sections

• 014b66cf2cef39620e9a985d237971b8cf272043e9ac372d5dcef44db754a1d2
• Uses certs with no NULL after AlgorithmIdentifier OID

• 66b797b3b4f99488f53c2b676610dfe9868984c779536891a8d8f73ee214bc4b
• Uses an ASN1 indefinite length object

• 8ca912e397a9e1b0cc54c216144ff550da9d43610392208193c0781b1aa5d695
• Unexpected contentType for embedded mode signature (copied from a .cat?)

• 6ed9b5f6d32f94b3d06456b176c8536be123e1047763cc0a31c6e8fd6a0242b1
• Security directory appears to overlap with the PE header

• ff482f69f2183b5fd3c1b45d9006156524b8f8a5f518e33d6e92ea079787e64d
• x509 cert with a public key using exponent 3

• 012760e582e541c6dd34a2cbd5d053f402eebcb8b60ed4a88fecb5589bd17bb9
• x509 UTCDate is missing the seconds field

• 05de45fd6a406dc147a4c8040a54eee947cd6eba02f28c0279ffd1a229e17130
• x509 cert with a negative serial number

• 6218d50eb5c898acd3482daaea8f615b4f1f87ef0d06220cc1d7f700bc35888b

ClamAV File Types

ClamAV has two file typing systems for filtering signature matches: Target Types and File Types.

Target Types

A Target Type is an integer that indicates which kind of file the signature will match against. Target Type notation was first created for the purposes writing efficient signatures. A signature with a target type of 0 will be run against every file type, and thus is not ideal. However, the Target Type notation is limited and it may be unavoidable.

Although the newer CL_TYPE string name notation has replaced the Target Type for some signature formats, many signature formats require a target type number.

This is the current list of available Target Types:

Target TypeDescription
0any file
1Portable Executable, both 32- and 64-bit
2OLE2 containers, including specific macros. Primarily used by MS Office and MSI installation files
3HTML (normalized)
4Mail file
5Graphics
6ELF
7ASCII text file (normalized)
8Unused
9Mach-O files
10PDF files
11Flash files
12Java class files

Important: HTML, ASCII, Javascript are all normalized:

• ASCII - All lowercase.
• HTML - Whitespace transformed to spaces, tags/tag attributes normalized, all lowercase.
• Javascript - All strings are normalized (hex encoding is decoded), numbers are parsed and normalized, local variables/function names are normalized to n001 format, argument to eval() is parsed as JS again, unescape() is handled, some simple JS packers are handled, output is whitespace normalized.

File Types

ClamAV maintains it's own file typing format and assigns these types using either:

• Evaluation of a unique sequence of bytes at the start of a file (File Type Magic).

• File type indicators when parsing container files.

• For example: CL_TYPE_SCRIPT may be assigned to data contained in a PDF when the PDF indicates that a stream of bytes is "Javascript"
• File type determination based on the names or characteristics contained within the file.

• For example: CL_TYPE_OOXML_WORD may be assigned to a Zip file containing files with specific names.

ClamAV File Types are prefixed with CL_TYPE_. The following is an exhaustive list of all current file types.

CL_TYPEDescription
CL_TYPE_7Z7-Zip Archive
CL_TYPE_7ZSFXSelf-Extracting 7-Zip Archive
CL_TYPE_APMDisk Image - Apple Partition Map
CL_TYPE_ARJARJ Archive
CL_TYPE_ARJSFXSelf-Extracting ARJ Archive
CL_TYPE_AUTOITAutoIt Automation Executable
CL_TYPE_BINARY_DATAbinary data
CL_TYPE_BINHEXBinHex Macintosh 7-bit ASCII email attachment encoding
CL_TYPE_BZBZip Compressed File
CL_TYPE_CABSFXSelf-Extracting Microsoft CAB Archive
CL_TYPE_CPIO_CRCCPIO Archive (CRC)
CL_TYPE_CPIO_NEWCCPIO Archive (NEWC)
CL_TYPE_CPIO_ODCCPIO Archive (ODC)
CL_TYPE_CPIO_OLDCPIO Archive (OLD, Little Endian or Big Endian)
CL_TYPE_CRYPTFFFiles encrypted by CryptFF malware
CL_TYPE_DMGApple DMG Archive
CL_TYPE_EGGESTSoft EGG Archive, new in 0.102
CL_TYPE_ELFELF Executable (Linux/Unix program or library)
CL_TYPE_GIFGIF Graphics File, new in 0.103
CL_TYPE_GPTDisk Image - GUID Partition Table
CL_TYPE_GRAPHICSOther graphics files; BMP, JPEG2000
CL_TYPE_GZGZip Compressed File
CL_TYPE_HTML_UTF16Wide-Character / UTF16 encoded HTML
CL_TYPE_HTMLHTML data
CL_TYPE_HWP3Hangul Word Processor (3.X)
CL_TYPE_HWPOLE2Hangul Word Processor embedded OLE2
CL_TYPE_INTERNALInternal properties
CL_TYPE_ISHIELD_MSIWindows Install Shield MSI installer
CL_TYPE_ISO9660ISO 9660 file system for optical disc media
CL_TYPE_JAVAJava Class File
CL_TYPE_JPEGJPEG Graphics File, new in 0.103.1
CL_TYPE_LNKMicrosoft Windows Shortcut File
CL_TYPE_MACHO_UNIBINUniversal Binary/Java Bytecode
CL_TYPE_MACHOApple/NeXTSTEP Mach-O Executable file format
CL_TYPE_MAILEmail file
CL_TYPE_MBRDisk Image - Master Boot Record
CL_TYPE_MHTMLMHTML Saved Web Page
CL_TYPE_MSCABMicrosoft CAB Archive
CL_TYPE_MSCHMMicrosoft CHM help archive
CL_TYPE_MSEXEMicrosoft EXE / DLL Executable file
CL_TYPE_MSOLE2Microsoft OLE2 Container file
CL_TYPE_MSSZDDMicrosoft Compressed EXE
CL_TYPE_NULSFTNullSoft Scripted Installer program
CL_TYPE_OLD_TARTAR archive (old)
CL_TYPE_OOXML_HWPHangul Office Open Word Processor (5.X)
CL_TYPE_OOXML_PPTMicrosoft Office Open XML PowerPoint
CL_TYPE_OOXML_WORDMicrosoft Office Open Word 2007+
CL_TYPE_OOXML_XLMicrosoft Office Open Excel 2007+
CL_TYPE_PART_HFSPLUSApple HFS+ partition
CL_TYPE_PDFAdobe PDF document
CL_TYPE_PNGPNG Graphics File, new in 0.103
CL_TYPE_POSIX_TARTAR archive
CL_TYPE_PSPostscript
CL_TYPE_RARRAR Archive
CL_TYPE_RARSFXSelf-Extracting RAR Archive
CL_TYPE_RIFFResource Interchange File Format container formatted file
CL_TYPE_RTFRich Text Format document
CL_TYPE_SCRENCFiles encrypted by ScrEnc malware
CL_TYPE_SCRIPTGeneric type for scripts (Javascript, Python, etc)
CL_TYPE_SISSymbian OS Software Installation Script Archive
CL_TYPE_SWFAdobe Flash File (LZMA, Zlib, or uncompressed)
CL_TYPE_TEXT_ASCIIASCII text
CL_TYPE_TEXT_UTF16BEUTF-16BE text
CL_TYPE_TEXT_UTF16LEUTF-16LE text
CL_TYPE_TEXT_UTF8UTF-8 text
CL_TYPE_TIFFTIFF Graphics File (Little or Big Endian), new in 0.103.1
CL_TYPE_TNEFMicrosoft Outlook & Exchange email attachment format
CL_TYPE_UUENCODEDUUEncoded (Unix-to-Unix) binary file (Unix email attachment)
CL_TYPE_XARXAR Archive
CL_TYPE_XDPAdobe XDP - Embedded PDF
CL_TYPE_XML_HWPHangul Word Processor XML (HWPML) Document
CL_TYPE_XML_WORDMicrosoft Word 2003 XML Document
CL_TYPE_XML_XLMicrosoft Excel 2003 XML Document
CL_TYPE_XZXZ Archive
CL_TYPE_ZIPZip Archive
CL_TYPE_ZIPSFX`Self-Extracting Zip Archive

Versions & Functionality Levels (FLEVELs)

The Functionality Level (or FLEVEL) is an integer that signatures may use to define which versions of ClamAV the signature features support. It is up to the signature writers to select the correct FLEVEL or range of FLEVELs when writing a signature so that it does not cause failures in older versions of ClamAV.

Setting appropriate FLEVELs in signatures is particularly crucial when using features added in the last 3-4 major release versions.

ClamAV Version to FLEVEL chart

Note: This markdown table is generated from a spreadsheet using this tool.

Release DateReleaseFLEVELFunctionalityLevel (bytecode enum)clamav lib.sofreshclam lib.soAPI/ABI changes, major features, other notes
n/a0.104.0130FUNC_LEVEL_0104CMake stabilized (autotools deprecated)
n/a0.103.4125FUNC_LEVEL_0103_49:05:009.0.52:01:002.0.1Critical bug fixes
2021-060.103.3124FUNC_LEVEL_0103_39:05:009.0.52:01:002.0.1Critical bug fixes
2021-040.103.2123FUNC_LEVEL_0103_29:05:009.0.52:01:002.0.1Security fixes
2021-020.103.1122FUNC_LEVEL_0103_19:05:009.0.52:01:002.0.1Fix PNG parser; Loosen GIF format validation (trailer byte); Fix scan issue on Windows RAM disks; Fix clamonacc FD-passing; Enable JPEG & TIFF validation; Add CL_TYPE_JPEG, CL_TYPE_TIFF; Adds ALERT_BROKEN_IMAGES scan heuristics option
2020-070.102.4115FUNC_LEVEL_0102_49:04:009.0.42:00:002.0.0Security fixes
2020-050.102.3114FUNC_LEVEL_0102_39:04:009.0.42:00:002.0.0Security fixes
2020-020.102.2113FUNC_LEVEL_0102_29:04:009.0.42:00:002.0.0Security fixes
2019-110.102.1112FUNC_LEVEL_0102_19:04:009.0.42:00:002.0.0Security fixes; Significant load time improvement for LDBs with common pattern prefixes
2019-110.101.5106FUNC_LEVEL_0101_59:04:009.0.4Security fixes; Significant load time improvement for LDBs with common pattern prefixes
2019-080.101.4105FUNC_LEVEL_0101_49:04:009.0.4Security fixes; Added scan time limit, bzip vuln fix
2019-080.101.3102FUNC_LEVEL_0101_39:03:009.0.3Security fixes; Flevel not incremented (whoops)
2019-030.101.2102FUNC_LEVEL_0101_29:02:009.0.2Security fixes; Flevel not incremented (whoops)
2018-120.101.0101FUNC_LEVEL_01019:00:009.0.0Non-backwards compatible API/ABI change: Added filename to scanfile & scandesc, and scan options became a struct; RAR5 Support; Byte-Compare Subsigs; Add CL_TYPE_LNK
2019-030.100.394FUNC_LEVEL_0100_38:02:017.1.2Security fixes
2018-090.100.293FUNC_LEVEL_0100_28:01:017.1.1Security fixes; Some lenience changes to FreshClam
2018-060.100.192FUNC_LEVEL_0100_18:01:017.1.1Security fixes; Add support for HTTPS in ClamSubmit
2018-030.100.091FUNC_LEVEL_01008:01:017.1.1Feature release 2 years in dev't; Many improvements; Notably Container/Intermediates changes; Changes to wildcard signatures
2018-030.99.485FUNC_LEVEL_099_48:01:017.1.1Security fixes; Other important bug fixes
2018-010.99.384FUNC_LEVEL_099_38:01:017.1.1Security fixes; Minor bug fixes
2016-050.99.282FUNC_LEVEL_099_28:01:017.1.1Various bug fixes
2016-030.99.182FUNC_LEVEL_099_18:01:017.1.1Security fixes; HWP support
2015-120.99.081FUNC_LEVEL_0998:01:017.1.1Add Yara and PCRE support; Add 'other' targets type (14) for non-listed target types; Improved on-access scanning.
2015-040.98.780FUNC_LEVEL_098_77:26:016.1.26Security fixes; MSXML & PDF fixes
2016-010.98.679FUNC_LEVEL_098_67:25:016.1.25Security fixes; Other bug fixes
2014-110.98.579FUNC_LEVEL_098_57:22:016.1.22Added internal target type (13); File properties JSON output.
2014-060.98.477FUNC_LEVEL_098_47:23:016.1.23
2014-050.98.377FUNC_LEVEL_098_37:22:016.1.22
2014-050.98.277FUNC_LEVEL_098_27:22:016.1.22Add engine_options bit field (and DisableCache option); Add stats callbacks and callback context
2014-010.98.176FUNC_LEVEL_098_17:20:016.1.20Added XZ support and ForceToDisk scan option; Added Libxml2 dependency + XAR, DMG, HFS+/HFSX support; Added FTM type 4 (for in-buffer partition magic, analogous to type 0 for files)
2013-090.98.074FUNC_LEVEL_0987:18:016.1.18Add Target-Types 10 - 13 (PDF, FLASH, JAVA, and INTERNAL); Introduced all-scan options; SWF and Java targets (11 & 12); Introduced with "SE" offset modifier; Introduced with ISO9660 scanning support; Add wild card bracket notation{} for body-based signatures; Disable SWF parser
2013-040.97.869FUNC_LEVEL_097_87:17:016.1.17Security fixes
2013-030.97.768FUNC_LEVEL_097_77:16:016.1.16Security fixes
2012-090.97.667FUNC_LEVEL_097_67:15:016.1.15Fixed error-handling issues
2012-060.97.565FUNC_LEVEL_097_57:14:016.1.14First Sourcefire ClamAV release
2012-030.97.464FUNC_LEVEL_097_47:13:016.1.13Support comment lines in ALL DB files
2011-100.97.363FUNC_LEVEL_097_37:12:016.1.12
2011-070.97.262FUNC_LEVEL_097_27:11:016.1.11
2011-060.97.161FUNC_LEVEL_097_17:10:016.1.10
2011-020.97.060FUNC_LEVEL_0977:09:016.1.9
2010-110.96.558FUNC_LEVEL_096_57:07:016.1.7
2010-100.96.456FUNC_LEVEL_096_47:06:016.1.6Minimal FLEVEL allowed for all current bytecode signatures (quadratic load-time before this point)
2010-090.96.355FUNC_LEVEL_096_37:05:016.1.5
2010-080.96.254FUNC_LEVEL_096_27:04:016.1.4
2010-050.96.153FUNC_LEVEL_096_17:03:016.1.3
2010-030.9651FUNC_LEVEL_0967:02:016.1.2Add bytecode & CDB signatures, Ignores should use IGN2 (or take name field only from IGN)
2009-100.95.3446:05:006.0.5
2009-060.95.2436:04:006.0.4
2009-040.95.1426:03:006.0.3
2009-030.95416:02:006.0.2Ignores should use IGN format (including line number)

For more information on ClamAV file type support, see the File Types Reference.