MINI MINI MANI MO
<!DOCTYPE HTML>
<html lang="en" class="sidebar-visible no-js clamav">
<head>
<!-- Book generated using mdBook -->
<meta charset="UTF-8">
<title>ClamAV Documentation</title>
<meta name="robots" content="noindex" />
<!-- Custom HTML head -->
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
<meta name="description" content="An open source malware detection toolkit and antivirus engine.">
<meta name="viewport" content="width=device-width, initial-scale=1">
<meta name="theme-color" content="#ffffff" />
<link rel="shortcut icon" href="favicon.png">
<link rel="stylesheet" href="css/variables.css">
<link rel="stylesheet" href="css/general.css">
<link rel="stylesheet" href="css/chrome.css">
<link rel="stylesheet" href="css/print.css" media="print">
<!-- Fonts -->
<link rel="stylesheet" href="FontAwesome/css/font-awesome.css">
<link rel="stylesheet" href="fonts/fonts.css">
<!-- Highlight.js Stylesheets -->
<link rel="stylesheet" href="highlight.css">
<link rel="stylesheet" href="tomorrow-night.css">
<link rel="stylesheet" href="ayu-highlight.css">
<!-- Custom theme stylesheets -->
<!-- MathJax -->
<script async type="text/javascript" src="https://cdnjs.cloudflare.com/ajax/libs/mathjax/2.7.1/MathJax.js?config=TeX-AMS-MML_HTMLorMML"></script>
</head>
<body>
<!-- Provide site root to javascript -->
<script type="text/javascript">
var path_to_root = "";
var default_theme = window.matchMedia("(prefers-color-scheme: dark)").matches ? "clamav" : "clamav";
</script>
<!-- Work around some values being stored in localStorage wrapped in quotes -->
<script type="text/javascript">
try {
var theme = localStorage.getItem('mdbook-theme');
var sidebar = localStorage.getItem('mdbook-sidebar');
if (theme.startsWith('"') && theme.endsWith('"')) {
localStorage.setItem('mdbook-theme', theme.slice(1, theme.length - 1));
}
if (sidebar.startsWith('"') && sidebar.endsWith('"')) {
localStorage.setItem('mdbook-sidebar', sidebar.slice(1, sidebar.length - 1));
}
} catch (e) { }
</script>
<!-- Set the theme before any content is loaded, prevents flash -->
<script type="text/javascript">
var theme;
try { theme = localStorage.getItem('mdbook-theme'); } catch(e) { }
if (theme === null || theme === undefined) { theme = default_theme; }
var html = document.querySelector('html');
html.classList.remove('no-js')
html.classList.remove('clamav')
html.classList.add(theme);
html.classList.add('js');
</script>
<!-- Hide / unhide sidebar before it is displayed -->
<script type="text/javascript">
var html = document.querySelector('html');
var sidebar = 'hidden';
if (document.body.clientWidth >= 1080) {
try { sidebar = localStorage.getItem('mdbook-sidebar'); } catch(e) { }
sidebar = sidebar || 'visible';
}
html.classList.remove('sidebar-visible');
html.classList.add("sidebar-" + sidebar);
</script>
<nav id="sidebar" class="sidebar" aria-label="Table of contents">
<div class="sidebar-scrollbox">
<ol class="chapter"><li class="chapter-item expanded "><a href="Introduction.html"><strong aria-hidden="true">1.</strong> Introduction</a></li><li class="chapter-item expanded "><a href="manual/Installing.html"><strong aria-hidden="true">2.</strong> Installing</a></li><li><ol class="section"><li class="chapter-item expanded "><a href="manual/Installing/Packages.html"><strong aria-hidden="true">2.1.</strong> Packages</a></li><li class="chapter-item expanded "><a href="manual/Installing/Docker.html"><strong aria-hidden="true">2.2.</strong> Docker</a></li><li class="chapter-item expanded "><a href="manual/Installing/Installing-from-source-Unix.html"><strong aria-hidden="true">2.3.</strong> Unix from source (v0.104+)</a></li><li class="chapter-item expanded "><a href="manual/Installing/Installing-from-source-Unix-old.html"><strong aria-hidden="true">2.4.</strong> Unix from source (v0.103-)</a></li><li class="chapter-item expanded "><a href="manual/Installing/Installing-from-source-Windows.html"><strong aria-hidden="true">2.5.</strong> Windows from source</a></li><li class="chapter-item expanded "><a href="manual/Installing/Community-projects.html"><strong aria-hidden="true">2.6.</strong> Community Projects</a></li><li class="chapter-item expanded "><a href="manual/Installing/Add-clamav-user.html"><strong aria-hidden="true">2.7.</strong> Add a service user account</a></li></ol></li><li class="chapter-item expanded "><a href="manual/Usage.html"><strong aria-hidden="true">3.</strong> Usage</a></li><li><ol class="section"><li class="chapter-item expanded "><a href="manual/Usage/Configuration.html"><strong aria-hidden="true">3.1.</strong> Configuration</a></li><li class="chapter-item expanded "><a href="manual/Usage/SignatureManagement.html"><strong aria-hidden="true">3.2.</strong> Updating Signature Databases</a></li><li class="chapter-item expanded "><a href="manual/Usage/Scanning.html"><strong aria-hidden="true">3.3.</strong> Scanning</a></li><li><ol class="section"><li class="chapter-item expanded "><a href="manual/OnAccess.html"><strong aria-hidden="true">3.3.1.</strong> On-Access Scanning</a></li></ol></li><li class="chapter-item expanded "><a href="manual/Usage/Services.html"><strong aria-hidden="true">3.4.</strong> Running ClamAV Services</a></li><li class="chapter-item expanded "><a href="manual/Usage/ReportABug.html"><strong aria-hidden="true">3.5.</strong> Report a Bug</a></li></ol></li><li class="chapter-item expanded "><a href="manual/Signatures.html"><strong aria-hidden="true">4.</strong> Signatures</a></li><li><ol class="section"><li class="chapter-item expanded "><a href="manual/Signatures/DatabaseInfo.html"><strong aria-hidden="true">4.1.</strong> CVD Info File</a></li><li class="chapter-item expanded "><a href="manual/Signatures/DynamicConfig.html"><strong aria-hidden="true">4.2.</strong> Dynamic Configuration Settings</a></li><li class="chapter-item expanded "><a href="manual/Signatures/AuthenticodeRules.html"><strong aria-hidden="true">4.3.</strong> Trusted and Revoked EXE Certificates</a></li><li class="chapter-item expanded "><a href="manual/Signatures/FileTypeMagic.html"><strong aria-hidden="true">4.4.</strong> File Type Recognition</a></li><li class="chapter-item expanded "><a href="manual/Signatures/AllowLists.html"><strong aria-hidden="true">4.5.</strong> Allow Lists</a></li><li class="chapter-item expanded "><a href="manual/Signatures/HashSignatures.html"><strong aria-hidden="true">4.6.</strong> Hash-based Signatures</a></li><li class="chapter-item expanded "><a href="manual/Signatures/BodySignatureFormat.html"><strong aria-hidden="true">4.7.</strong> Content-based Signature Format</a></li><li><ol class="section"><li class="chapter-item expanded "><a href="manual/Signatures/LogicalSignatures.html"><strong aria-hidden="true">4.7.1.</strong> Logical Signatures</a></li><li class="chapter-item expanded "><a href="manual/Signatures/ExtendedSignatures.html"><strong aria-hidden="true">4.7.2.</strong> Extended Signatures</a></li></ol></li><li class="chapter-item expanded "><a href="manual/Signatures/YaraRules.html"><strong aria-hidden="true">4.8.</strong> YARA Rules</a></li><li class="chapter-item expanded "><a href="manual/Signatures/PhishSigs.html"><strong aria-hidden="true">4.9.</strong> Phishing Signatures</a></li><li class="chapter-item expanded "><a href="manual/Signatures/BytecodeSignatures.html"><strong aria-hidden="true">4.10.</strong> Bytecode Signatures</a></li><li class="chapter-item expanded "><a href="manual/Signatures/ContainerMetadata.html"><strong aria-hidden="true">4.11.</strong> Container Metadata Signatures</a></li><li class="chapter-item expanded "><a href="manual/Signatures/EncryptedArchives.html"><strong aria-hidden="true">4.12.</strong> Archive Passwords (experimental)</a></li><li class="chapter-item expanded "><a href="manual/Signatures/SignatureNames.html"><strong aria-hidden="true">4.13.</strong> Signature Names</a></li></ol></li><li class="chapter-item expanded "><a href="manual/Development.html"><strong aria-hidden="true">5.</strong> For Developers</a></li><li><ol class="section"><li class="chapter-item expanded "><a href="manual/Development/github-pr-basics.html"><strong aria-hidden="true">5.1.</strong> Pull Request Basics</a></li><li class="chapter-item expanded "><a href="manual/Development/clamav-git-work-flow.html"><strong aria-hidden="true">5.2.</strong> ClamAV Git Work Flow</a></li><li class="chapter-item expanded "><a href="manual/Development/personal-forks.html"><strong aria-hidden="true">5.3.</strong> Working with Your Fork</a></li><li class="chapter-item expanded "><a href="manual/Development/testing-pull-requests.html"><strong aria-hidden="true">5.4.</strong> Reviewing Pull Requests</a></li><li class="chapter-item expanded "><a href="manual/Development/development-builds.html"><strong aria-hidden="true">5.5.</strong> Building for Development</a></li><li class="chapter-item expanded "><a href="manual/Development/build-installer-packages.html"><strong aria-hidden="true">5.6.</strong> Building the Installer Packages</a></li><li class="chapter-item expanded "><a href="manual/Development/tips-and-tricks.html"><strong aria-hidden="true">5.7.</strong> Dev Tips & Tricks</a></li><li class="chapter-item expanded "><a href="manual/Development/performance-profiling.html"><strong aria-hidden="true">5.8.</strong> Performance Profiling</a></li><li class="chapter-item expanded "><a href="manual/Development/code-coverage.html"><strong aria-hidden="true">5.9.</strong> Computing Code Coverage</a></li><li class="chapter-item expanded "><a href="manual/Development/fuzzing-sanitizers.html"><strong aria-hidden="true">5.10.</strong> Fuzzing Sanitizers</a></li><li class="chapter-item expanded "><a href="manual/Development/libclamav.html"><strong aria-hidden="true">5.11.</strong> libclamav</a></li><li class="chapter-item expanded "><a href="manual/Development/Contribute.html"><strong aria-hidden="true">5.12.</strong> Contribute</a></li></ol></li><li class="chapter-item expanded "><a href="faq/faq.html"><strong aria-hidden="true">6.</strong> Frequently Asked Questions</a></li><li><ol class="section"><li class="chapter-item expanded "><a href="faq/faq-whichversion.html"><strong aria-hidden="true">6.1.</strong> Selecting the Right Version of ClamAV for You</a></li><li class="chapter-item expanded "><a href="faq/faq-freshclam.html"><strong aria-hidden="true">6.2.</strong> FreshClam (Signature Updater)</a></li><li class="chapter-item expanded "><a href="faq/faq-cvd.html"><strong aria-hidden="true">6.3.</strong> Signature Database (CVD)</a></li><li class="chapter-item expanded "><a href="faq/faq-misc.html"><strong aria-hidden="true">6.4.</strong> Misc</a></li><li class="chapter-item expanded "><a href="faq/faq-ml.html"><strong aria-hidden="true">6.5.</strong> Mailing Lists</a></li><li class="chapter-item expanded "><a href="faq/faq-safebrowsing.html"><strong aria-hidden="true">6.6.</strong> Safe Browsing</a></li><li class="chapter-item expanded "><a href="faq/faq-troubleshoot.html"><strong aria-hidden="true">6.7.</strong> Troubleshooting</a></li><li class="chapter-item expanded "><a href="faq/faq-scan-alerts.html"><strong aria-hidden="true">6.8.</strong> Interpreting Scan Alerts</a></li><li class="chapter-item expanded "><a href="faq/faq-upgrade.html"><strong aria-hidden="true">6.9.</strong> Upgrading</a></li><li class="chapter-item expanded "><a href="faq/faq-rust.html"><strong aria-hidden="true">6.10.</strong> Rust</a></li><li class="chapter-item expanded "><a href="faq/faq-win32.html"><strong aria-hidden="true">6.11.</strong> Win32</a></li><li class="chapter-item expanded "><a href="faq/faq-pua.html"><strong aria-hidden="true">6.12.</strong> PUA (Potentially Unwanted Application)</a></li><li class="chapter-item expanded "><a href="faq/faq-ignore.html"><strong aria-hidden="true">6.13.</strong> Ignore</a></li><li class="chapter-item expanded "><a href="faq/faq-uninstall.html"><strong aria-hidden="true">6.14.</strong> Uninstall</a></li><li class="chapter-item expanded "><a href="faq/faq-eol.html"><strong aria-hidden="true">6.15.</strong> ClamAV EOL Policy</a></li><li class="spacer"></li></ol></li><li class="chapter-item expanded "><a href="community_resources/CommunityResources.html"><strong aria-hidden="true">7.</strong> Community Resources</a></li><li class="spacer"></li><li class="chapter-item expanded "><a href="appendix/Appendix.html"><strong aria-hidden="true">8.</strong> Appendix</a></li><li><ol class="section"><li class="chapter-item expanded "><a href="appendix/Terminology.html"><strong aria-hidden="true">8.1.</strong> Terminology</a></li><li class="chapter-item expanded "><a href="appendix/CvdPrivateMirror.html"><strong aria-hidden="true">8.2.</strong> Hosting a Private Database Mirror</a></li><li class="chapter-item expanded "><a href="appendix/Authenticode.html"><strong aria-hidden="true">8.3.</strong> Microsoft Authenticode Signature Verification</a></li><li class="chapter-item expanded "><a href="appendix/FileTypes.html"><strong aria-hidden="true">8.4.</strong> ClamAV File Types and Target Types</a></li><li class="chapter-item expanded "><a href="appendix/FunctionalityLevels.html"><strong aria-hidden="true">8.5.</strong> ClamAV Versions and Functionality Levels</a></li></ol></li></ol>
</div>
<div id="sidebar-resize-handle" class="sidebar-resize-handle"></div>
</nav>
<div id="page-wrapper" class="page-wrapper">
<div class="page">
<div id="menu-bar-hover-placeholder"></div>
<div id="menu-bar" class="menu-bar sticky bordered">
<div class="left-buttons">
<button id="sidebar-toggle" class="icon-button" type="button" title="Toggle Table of Contents" aria-label="Toggle Table of Contents" aria-controls="sidebar">
<i class="fa fa-bars"></i>
</button>
<button id="theme-toggle" class="icon-button" type="button" title="Change theme" aria-label="Change theme" aria-haspopup="true" aria-expanded="false" aria-controls="theme-list">
<i class="fa fa-paint-brush"></i>
</button>
<ul id="theme-list" class="theme-popup" aria-label="Themes" role="menu">
<li role="none"><button role="menuitem" class="theme" id="clamav">Dark</button></li>
<li role="none"><button role="menuitem" class="theme" id="clamav_light">Light</button></li>
</ul>
<button id="search-toggle" class="icon-button" type="button" title="Search. (Shortkey: s)" aria-label="Toggle Searchbar" aria-expanded="false" aria-keyshortcuts="S" aria-controls="searchbar">
<i class="fa fa-search"></i>
</button>
</div>
<h1 class="menu-title">ClamAV Documentation</h1>
<div class="right-buttons">
<a href="print.html" title="Print this book" aria-label="Print this book">
<i id="print-button" class="fa fa-print"></i>
</a>
</div>
</div>
<div id="search-wrapper" class="hidden">
<form id="searchbar-outer" class="searchbar-outer">
<input type="search" name="search" id="searchbar" name="searchbar" placeholder="Search this book ..." aria-controls="searchresults-outer" aria-describedby="searchresults-header">
</form>
<div id="searchresults-outer" class="searchresults-outer hidden">
<div id="searchresults-header" class="searchresults-header"></div>
<ul id="searchresults">
</ul>
</div>
</div>
<!-- Apply ARIA attributes after the sidebar and the sidebar toggle button are added to the DOM -->
<script type="text/javascript">
document.getElementById('sidebar-toggle').setAttribute('aria-expanded', sidebar === 'visible');
document.getElementById('sidebar').setAttribute('aria-hidden', sidebar !== 'visible');
Array.from(document.querySelectorAll('#sidebar a')).forEach(function(link) {
link.setAttribute('tabIndex', sidebar === 'visible' ? 0 : -1);
});
</script>
<div id="content" class="content">
<main>
<h1 id="clamav"><a class="header" href="#clamav">ClamAV</a></h1>
<p align="center">
<a href="https://www.clamav.net/">
<img align="center" width="250" height="250" src="https://raw.githubusercontent.com/micahsnyder/clamav-documentation/main/src/images/logo.png" alt='Maeve, the ClamAV mascot'>
</a>
</p>
<p>ClamAV is an open source (GPLv2) anti-virus toolkit, designed especially for e-mail scanning on mail gateways. It provides a number of utilities including a flexible and scalable multi-threaded daemon, a command line scanner and advanced tool for automatic database updates. The core of the package is an anti-virus engine available in a form of shared library.</p>
<blockquote>
<p><em>Tip</em>: ClamAV is not a traditional anti-virus or endpoint security suite. For a fully featured modern endpoint security suite, check out <em>Cisco Secure Endpoint</em>. See <a href="Introduction.html#related-products">"related products"</a>, below, for more details.</p>
</blockquote>
<p>ClamAV is brought to you by Cisco Systems, Inc.</p>
<h2 id="community-projects"><a class="header" href="#community-projects">Community Projects</a></h2>
<p>ClamAV has a diverse ecosystem of <a href="manual/Installing/Community-projects.html">community projects, products, and other tools</a> that either depend on ClamAV to provide malware detection capabilities or supplement ClamAV with new features such as improved support for 3rd party signature databases, graphical user interfaces (GUI), and more.</p>
<h2 id="features"><a class="header" href="#features">Features</a></h2>
<ul>
<li>ClamAV is designed to scan files quickly.</li>
<li>Real time protection (Linux only). The ClamOnAcc client for the ClamD scanning daemon provides on-access scanning on modern versions of Linux. This includes an optional capability to block file access until a file has been scanned (on-access prevention).</li>
<li>ClamAV detects millions of viruses, worms, trojans, and other malware, including Microsoft Office macro viruses, mobile malware, and other threats.</li>
<li>ClamAV's bytecode signature runtime, powered by either LLVM or our custom bytecode interpreter, allows the ClamAV signature writers to create and distribute very complex detection routines and remotely enhance the scanner’s functionality.</li>
<li>Signed signature databases ensure that ClamAV will only execute trusted signature definitions.</li>
<li>ClamAV scans within archives and compressed files but also protects against archive bombs. Built-in archive extraction capabilities include:
<ul>
<li>Zip (including SFX, excluding some newer or more complex extensions)</li>
<li>RAR (including SFX, most versions)</li>
<li>7Zip</li>
<li>ARJ (including SFX)</li>
<li>Tar</li>
<li>CPIO</li>
<li>Gzip</li>
<li>Bzip2</li>
<li>DMG</li>
<li>IMG</li>
<li>ISO 9660</li>
<li>PKG</li>
<li>HFS+ partition</li>
<li>HFSX partition</li>
<li>APM disk image</li>
<li>GPT disk image</li>
<li>MBR disk image</li>
<li>XAR</li>
<li>XZ</li>
<li>Microsoft OLE2 (Office documments)</li>
<li>Microsoft OOXML (Office documments)</li>
<li>Microsoft Cabinet Files (including SFX)</li>
<li>Microsoft CHM (Compiled HTML)</li>
<li>Microsoft SZDD compression format</li>
<li>HWP (Hangul Word Processor documents)</li>
<li>BinHex</li>
<li>SIS (SymbianOS packages)</li>
<li>AutoIt</li>
<li>InstallShield</li>
<li>ESTsoft EGG</li>
</ul>
</li>
<li>Supports Windows executable file parsing, also known as Portable Executables (PE) both 32/64-bit, including PE files that are compressed or obfuscated with:
<ul>
<li>AsPack</li>
<li>UPX</li>
<li>FSG</li>
<li>Petite</li>
<li>PeSpin</li>
<li>NsPack</li>
<li>wwpack32</li>
<li>MEW</li>
<li>Upack</li>
<li>Y0da Cryptor</li>
</ul>
</li>
<li>Supports ELF and Mach-O files (both 32 and 64-bit)</li>
<li>Supports almost all mail file formats</li>
<li>Support for other special files/formats includes:
<ul>
<li>HTML</li>
<li>RTF</li>
<li>PDF</li>
<li>Files encrypted with CryptFF and ScrEnc</li>
<li>uuencode</li>
<li>TNEF (winmail.dat)</li>
</ul>
</li>
<li>Advanced database updater with support for scripted updates, digital signatures and DNS based database version queries</li>
</ul>
<blockquote>
<p><em>Disclaimer</em>: Many of the above file formats continue to evolve. Executable packing and obfuscation tools in particular are constantly changing. We cannot guarantee that we can unpack or extract every version or variant of the listed formats.</p>
</blockquote>
<h2 id="license"><a class="header" href="#license">License</a></h2>
<p>ClamAV is licensed under the GNU General Public License, Version 2.</p>
<h2 id="supported-platforms"><a class="header" href="#supported-platforms">Supported platforms</a></h2>
<p>Clam AntiVirus is highly cross-platform. The development team cannot test every OS, so we have chosen to test ClamAV using the two most recent Long Term Support (LTS) versions of each of the most popular desktop operating systems. Our regularly tested operating systems include:</p>
<ul>
<li>GNU/Linux
<ul>
<li>Alpine
<ul>
<li>3.11 (64bit)</li>
</ul>
</li>
<li>Ubuntu
<ul>
<li>18.04 (64bit, 32bit)</li>
<li>20.04 (64bit)</li>
</ul>
</li>
<li>Debian
<ul>
<li>9 (64bit, 32bit)</li>
<li>10 (64bit, 32bit)</li>
</ul>
</li>
<li>CentOS
<ul>
<li>7 (64bit, 32bit)</li>
<li>8 (64bit)</li>
</ul>
</li>
<li>Fedora
<ul>
<li>30 (64bit)</li>
<li>31 (64bit)</li>
</ul>
</li>
<li>openSUSE
<ul>
<li>Leap (64bit)</li>
</ul>
</li>
</ul>
</li>
<li>UNIX
<ul>
<li>FreeBSD
<ul>
<li>11 (64bit)</li>
<li>12 (64bit)</li>
</ul>
</li>
<li>macOS
<ul>
<li>10.13 High Sierra (x86_64)</li>
<li>10.15 Catalina (x86_64)</li>
<li>11.5 Big Sur (x86_64, arm64)</li>
</ul>
</li>
</ul>
</li>
<li>Windows
<ul>
<li>7 (64bit, 32bit)</li>
<li>10 (64bit, 32bit)</li>
</ul>
</li>
</ul>
<h2 id="recommended-system-requirements"><a class="header" href="#recommended-system-requirements">Recommended System Requirements</a></h2>
<p>The following minimum recommended system requirements are for using ClamScan or ClamD applications with the standard ClamAV signature database provided by Cisco.</p>
<p>Minimum recommended RAM for ClamAV:</p>
<ul>
<li>FreeBSD and Linux server edition: 2 GiB+</li>
<li>Linux non-server edition: 2 GiB+</li>
<li>Windows 7 & 10 32-bit: 2 GiB+</li>
<li>Windows 7 & 10 64-bit: 3 GiB+</li>
<li>macOS: 3 GiB+</li>
</ul>
<p>Minimum recommended CPU for ClamAV:</p>
<ul>
<li>1 CPU at 2.0 Ghz+</li>
</ul>
<p>Minimum available hard disk space required:</p>
<p>For the ClamAV application we recommend having 5 GB of free space available. This recommendation is in addition to the recommended disk space for each OS.</p>
<blockquote>
<p><em>Note</em>: The tests to determine these minimum requirements were performed on systems that were not running other applications. If other applications are being run on the system, additional resources will be required in addition to our recommended minimums.</p>
</blockquote>
<h2 id="mailing-lists-and-chat"><a class="header" href="#mailing-lists-and-chat">Mailing Lists and Chat</a></h2>
<p>If you have a trouble installing or using ClamAV try asking on our mailing lists. There are four lists available:</p>
<ul>
<li><strong>clamav-announce (at) lists.clamav.net</strong>
<ul>
<li>info about new versions, moderated.</li>
<li>Subscribers are not allowed to post to this mailing list.</li>
</ul>
</li>
<li><strong>clamav-users (at) lists.clamav.net</strong>
<ul>
<li>user questions</li>
</ul>
</li>
<li><strong>clamav-devel (at) lists.clamav.net</strong>
<ul>
<li>technical discussions</li>
</ul>
</li>
<li><strong>clamav-virusdb (at) lists.clamav.net</strong>
<ul>
<li>database update announcements, moderated</li>
</ul>
</li>
<li><strong>clamav-binary (at) lists.clamav.net</strong>
<ul>
<li>discussion and announcements for package maintainers</li>
</ul>
</li>
</ul>
<p>You can subscribe and search the mailing list archives <a href="https://www.clamav.net/contact.html#ml">here</a>.</p>
<p>You can also join the community on our <a href="https://discord.gg/6vNAqWnVgw">ClamAV Discord chat server</a>.</p>
<h2 id="submitting-new-or-otherwise-undetected-malware"><a class="header" href="#submitting-new-or-otherwise-undetected-malware">Submitting New or Otherwise Undetected Malware</a></h2>
<p>If you've got a virus which is not detected by the current version of ClamAV using the latest signature databases, please submit the sample for review at our website:</p>
<p><a href="https://www.clamav.net/reports/malware">https://www.clamav.net/reports/malware</a></p>
<p>Likewise, if you have a benign file that is flagging as a virus and you wish to report a False Positive, please submit the sample for review at our website:</p>
<p><a href="https://www.clamav.net/reports/fp">https://www.clamav.net/reports/fp</a></p>
<h2 id="related-products"><a class="header" href="#related-products">Related Products</a></h2>
<p><a href="https://www.cisco.com/c/en/us/products/security/amp-for-endpoints/index.html">Cisco Secure Endpoint</a> (formerly AMP for Endpoints) is Cisco's cloud-based security suite for commercial and enterprise customers. Secure Endpoint is available for Windows, Linux, and macOS and provides superior malware detection capabilities, behavioral monitoring, dynamic file analysis, endpoint isolation, analytics, and threat hunting. Secure Endpoint sports a modern administrative web interface (dashboard).</p>
<p><a href="https://www.immunet.com/">Immunet</a> is a cloud-based antivirus application for Windows that is free for non-commercial use. Immunet offers great malware detection efficacy but, as a completely free product, Immunet's does not have same features or the quality user experience that Secure Endpoint offers. There is an Immunet user forum but Cisco offers no official user support.</p>
<p align="center">
<a href="https://www.cisco.com/">
<img align="center" img width="80" src="https://raw.githubusercontent.com/micahsnyder/clamav-documentation/main/src/images/cisco.png" alt='Cisco Systems, Inc'>
</a>
</p>
<div style="break-before: page; page-break-before: always;"></div><h1 id="installing-clamav"><a class="header" href="#installing-clamav">Installing ClamAV</a></h1>
<ul>
<li><a href="manual/Installing.html#installing-clamav">Installing ClamAV</a>
<ul>
<li><a href="manual/Installing.html#installing-with-a-package-manager">Installing with a Package Manager</a></li>
<li><a href="manual/Installing.html#installing-with-an-installer">Installing with an Installer</a>
<ul>
<li><a href="manual/Installing.html#linux-deb-rpm">Linux (.deb, .rpm)</a>
<ul>
<li><a href="manual/Installing.html#rpm-packages-for-centos-redhat-fedora-suse-etc">RPM packages (for CentOS, Redhat, Fedora, SUSE, etc.)</a></li>
<li><a href="manual/Installing.html#deb-packages-for-debian-ubuntu-mint-etc">DEB packages (for Debian, Ubuntu, Mint, etc.)</a></li>
</ul>
</li>
<li><a href="manual/Installing.html#macos">macOS</a></li>
<li><a href="manual/Installing.html#windows">Windows</a></li>
</ul>
</li>
<li><a href="manual/Installing.html#official-clamav-docker-images">Official ClamAV Docker Images</a></li>
<li><a href="manual/Installing.html#installing-from-source">Installing from Source</a></li>
<li><a href="manual/Installing.html#what-now">What now?</a></li>
</ul>
</li>
</ul>
<h2 id="installing-with-a-package-manager"><a class="header" href="#installing-with-a-package-manager">Installing with a Package Manager</a></h2>
<p>ClamAV is widely available from third party package managers for most operating systems. This is often the quickest way to install ClamAV. It will make also upgrades easier.</p>
<p>Check out the <a href="manual/Installing/Packages.html">Packages page</a> to find installation instructions for your system.</p>
<h2 id="installing-with-an-installer"><a class="header" href="#installing-with-an-installer">Installing with an Installer</a></h2>
<p>Pre-compiled packages provided on <a href="https://www.clamav.net/downloads">the clamav.net downloads page</a> have all external library dependencies statically compiled in.</p>
<p>These installers likely differ from packages provided by other packaging tools in that you will need to create and configure the <code>freshclam.conf</code> and <code>clamd.conf</code> files. You may also need to add a <code>clamav</code> service user account and adjust the permissions on the database directory. We hope to round out these sharp corners in the future and to make setup more convenient, but for now be advised that setup from one of these packages is a little bit more work than you may be used to.</p>
<p>If you're interested in learning how these packages were built, you can check out <a href="manual/Development/build-installer-packages.html">these development instructions</a>.</p>
<blockquote>
<p><em>Note</em>: In the event that a vulnerability is found in one of the dependencies that may impact ClamAV, we will publish new packages with updated dependencies as soon as we're able.</p>
</blockquote>
<h3 id="linux-deb-rpm"><a class="header" href="#linux-deb-rpm">Linux (.deb, .rpm)</a></h3>
<p>Beginning with ClamAV 0.104, we offer Debian and RPM packages for x86_64 (64bit) and i686 (32bit) architectures. This will make it easier to get the latest version in the event that a package for your distribution is not readily available and you would prefer not to build ClamAV from source.</p>
<blockquote>
<p><em>Note</em>: These packages do not presently include <code>clamav-milter</code>. You can help help us add <code>clamav-milter</code> to the packages by developing a Mussels recipe for building the libmilter.a static library and contributing it to our <a href="https://github.com/Cisco-Talos/clamav-mussels-cookbook/">Mussels cookbook</a>.</p>
</blockquote>
<h4 id="rpm-packages-for-centos-redhat-fedora-suse-etc"><a class="header" href="#rpm-packages-for-centos-redhat-fedora-suse-etc">RPM packages (for CentOS, Redhat, Fedora, SUSE, etc.)</a></h4>
<p>These are compiled on CentOS 7. They should be compatible with all RPM-based linux distributions running <code>glibc</code> version <code>2.17</code> or newer.</p>
<p>To install, download the package for your system use <code>yum</code> or <code>dnf</code> to install the package. For example:</p>
<pre><code class="language-bash">sudo dnf install ~/Downloads/clamav-0.104.0-rc2.linux.x86_64.rpm
</code></pre>
<p>You can verify that the package was installed using:</p>
<pre><code class="language-bash">dnf info clamav
</code></pre>
<p>This package installs to <code>/usr/local</code>.</p>
<p>Unlike packages provided by Debian or other distributions, this package does not presently include a preconfigured <code>freshclam.conf</code>, <code>clamd.conf</code>, database directory, or <code>clamav</code> user accounts for FreshClam and ClamD. You can follow <a href="manual/Usage/Configuration.html">these instructions</a> to configure FreshClam and ClamD. You can follow <a href="manual/Installing/Add-clamav-user.html">these instructions</a> to create the <code>clamav</code> user account for running FreshClam and ClamD services.</p>
<p>And uninstall the package with:</p>
<pre><code class="language-bash">sudo dnf remove ~/Downloads/clamav-0.104.0-rc2.linux.x86_64.rpm
</code></pre>
<h4 id="deb-packages-for-debian-ubuntu-mint-etc"><a class="header" href="#deb-packages-for-debian-ubuntu-mint-etc">DEB packages (for Debian, Ubuntu, Mint, etc.)</a></h4>
<p>These are compiled on Ubuntu 16.04, and have all external library dependencies statically compiled in. They should be compatible with all Debian-based linux distributions running <code>glibc</code> version <code>2.23</code> or newer.</p>
<pre><code class="language-bash">sudo apt install ~/Downloads/clamav-0.104.0-rc2.libnux.x86_64.deb
</code></pre>
<p>You can verify that the package was installed using:</p>
<pre><code class="language-bash">apt info clamav
</code></pre>
<p>This package installs to <code>/usr/local</code>.</p>
<p>Unlike packages provided by Debian or other distributions, this package does not presently include a preconfigured <code>freshclam.conf</code>, <code>clamd.conf</code>, database directory, or <code>clamav</code> user accounts for FreshClam and ClamD. You can follow <a href="manual/Usage/Configuration.html">these instructions</a> to configure FreshClam and ClamD. You can follow <a href="manual/Installing/Add-clamav-user.html">these instructions</a> to create the <code>clamav</code> user account for running FreshClam and ClamD services.</p>
<p>And uninstall the package with:</p>
<pre><code class="language-bash">sudo apt remove clamav
</code></pre>
<h3 id="macos"><a class="header" href="#macos">macOS</a></h3>
<p>Beginning with ClamAV 0.104, we offer a PKG installer for macOS. These are universal binaries built for Intel x86_64 and Apple M1 arm64 processors.</p>
<blockquote>
<p><em>Disclaimer</em>: The release materials for 0.104.0-rc2 are not signed or notarized. We are working on adding signing and notarization to our CI processes, but for now you may be unable to use this PKG installer on macOS Big Sur or newer.</p>
</blockquote>
<p>To install, download the macOS <code>.pkg</code> installer. Double-click the installer and follow the directions.</p>
<p>This package installs to <code>/usr/local/clamav</code>. This is <strong>not</strong> in the default system <code>PATH</code> environment variable. You may wish to add <code>/usr/local/clamav/bin</code> and <code>/usr/local/clamav/sbin</code> to your <code>PATH</code> so you can run the ClamAV programs without entering the full path. To do this add this line to <code>~/.zshrc</code>:</p>
<pre><code class="language-bash">export PATH=/usr/local/clamav/bin:/usr/local/clamav/sbin:$PATH
</code></pre>
<p>Then run <code>source ~/.zshrc</code> or open a new terminal.</p>
<p>Unlike packages provided by Homebrew, this package does not presently include a preconfigured <code>freshclam.conf</code>, <code>clamd.conf</code>, or database directory. You can follow <a href="manual/Usage/Configuration.html">these instructions</a> to configure FreshClam and ClamD.</p>
<p>macOS package installers do not provide a mechanism for automatically uninstalling the package. In the future, we hope to add a script to aid with uninstallation. But for now, to make it easier to remove, our macOS installer installs to <code>/usr/local/clamav</code>. To uninstall, all you need to do is run:</p>
<pre><code class="language-bash">sudo rm -rf /usr/local/clamav
</code></pre>
<h3 id="windows"><a class="header" href="#windows">Windows</a></h3>
<p>The ClamAV team provides official ClamAV builds for Windows <a href="https://www.clamav.net/downloads#otherversions">on the ClamAV downloads page</a>. You can choose between a traditional executable installer or a portable install ZIP package.</p>
<p>To use the executable installer, double-click the installer and follow the instructions.</p>
<p>To install from a ZIP package, unzip the portable install package to any directory.</p>
<h2 id="official-clamav-docker-images"><a class="header" href="#official-clamav-docker-images">Official ClamAV Docker Images</a></h2>
<p>There are now official ClamAV images on Docker Hub. You can find the images on <a href="https://hub.docker.com/r/clamav/clamav">Docker Hub under <code>clamav</code></a>.</p>
<p>At present we offer images with builds of the latest development version. We call this "unstable". ClamAV 0.104 will be the first stable release that we'll publish on Docker Hub.. Once published 0.104.0+ will be available using a Docker image tag with the specific version number, or using "stable" to get the latest stable release.</p>
<p>Check out the <a href="manual/Installing/Docker.html">Docker page</a> to learn how to install and use ClamAV with Docker.</p>
<h2 id="installing-from-source"><a class="header" href="#installing-from-source">Installing from Source</a></h2>
<p>If you need, you can also compile and install ClamAV from source:</p>
<ul>
<li><a href="manual/Installing/Installing-from-source-Unix.html">Unix/Linux/Mac Instructions</a></li>
<li><a href="manual/Installing/Installing-from-source-Windows.html">Windows Instructions</a></li>
</ul>
<h2 id="what-now"><a class="header" href="#what-now">What now?</a></h2>
<p>Now that ClamAV is installed, you will want to customize your configuration and perhaps set up some scanning automation and alerting mechanisms.</p>
<p><a href="manual/Usage/Configuration.html">Continue on to "Configuration"...</a></p>
<div style="break-before: page; page-break-before: always;"></div><h1 id="clamav-packages"><a class="header" href="#clamav-packages">ClamAV Packages</a></h1>
<p>Many Linux and Unix distributions offer one or more ClamAV packages to make it easy for you to install ClamAV.</p>
<p>These packages are usually well maintained but if you find an issue with one, please consider helping the volunteers that maintain the packages.</p>
<blockquote>
<p><em>Disclaimer</em>: ClamAV packages may vary somewhat from the upstream version.
Some examples:</p>
<ul>
<li>
<p>The database and application config paths may vary:</p>
<ul>
<li>
<p>A default from-source install will go in <code>/usr/local</code>, with:</p>
<ul>
<li>applications in <code>/usr/local/bin</code></li>
<li>daemons in <code>/usr/local/sbin</code></li>
<li>libraries in <code>/usr/local/lib</code></li>
<li>headers in <code>/usr/local/include</code></li>
<li>configs in <code>/usr/local/etc/</code></li>
<li>databases in <code>/usr/local/share/clamav/</code></li>
</ul>
</li>
<li>
<p>A Linux package install will probably go in <code>/usr</code>, with:</p>
<ul>
<li>applications in <code>/usr/bin</code></li>
<li>daemons in <code>/usr/sbin</code></li>
<li>libraries in <code>/usr/lib</code></li>
<li>headers in <code>/usr/include</code></li>
<li>configs in <code>/etc/clamav</code></li>
<li>databases in <code>/var/lib/clamav</code></li>
</ul>
</li>
</ul>
</li>
<li>
<p>As of 0.103.x, a from-source install requires the user create a config for FreshClam, ClamD, and ClamAV-Milter in order to use each application. A package install, however, is likely to come pre-configured. Users may wish to modify the configs as needed.</p>
</li>
<li>
<p>Package installs sometimes carry extra patches for issues affecting their distribution, for issues the ClamAV developers haven't had time to fix or are unaware of, and for security issues when distributing older versions that are no longer maintained by the ClamAV developers.</p>
</li>
<li>
<p>Some distributions parcel up ClamAV components into separate packages. You don't necessarily need all of the packages. If this applies to your package system, you may need to review the applications described in the <a href="manual/Installing/../Usage/Scanning.html">scanning instructions</a> to understand which features you will need.</p>
</li>
</ul>
</blockquote>
<blockquote>
<p><em>Acknowledgments</em>: Thank you to all of the volunteers who maintain these packages! We appreciate your help!</p>
</blockquote>
<h2 id="the-packages"><a class="header" href="#the-packages">The Packages</a></h2>
<h3 id="debian"><a class="header" href="#debian">Debian</a></h3>
<p>Debian splits up ClamAV into a selection of different packages.</p>
<p>Realistically, you probably only need to <code>apt install clamav</code> and probably <code>apt install clamav-daemon</code>. If you require support for scanning compressed RAR files you first need to enable the "non-free" archive.<code>*</code></p>
<p>The full list of packages includes:</p>
<ul>
<li><code>clamav</code> - command-line interface</li>
<li><code>clamav-base</code> - base package</li>
<li><code>clamav-daemon</code> - scanner daemon</li>
<li><code>clamav-docs</code> - documentation</li>
<li><code>clamav-freshclam</code> - virus database update utility</li>
<li><code>clamav-milter</code> - sendmail integration</li>
<li><code>clamav-testfiles</code> - test files</li>
<li><code>libclamav-dev</code> - development files</li>
<li><code>libclamav9</code> - library</li>
<li><code>libclamunrar9</code> - unrar support</li>
</ul>
<blockquote>
<p><code>*</code> <em>RAR Support</em>: ClamAV's RAR support comes from UnRAR, which is open-source but not entirely free in so far as its license restricts users from reverse engineering it to create RAR archives. For this reason, it is bundled separately in the "non-free" archive. Enable it by adding "non-free" to <code>/etc/apt/sources.list</code>. Eg:</p>
<p><code>deb http://http.us.debian.org/debian stable main contrib non-free</code></p>
<p>Then you can install the RAR-plugin using: <code>apt install libclamunrar9</code></p>
</blockquote>
<p>There are a variety of other ClamAV related projects as well. Run <code>apt search clamav</code> to see a larger list.</p>
<p>To test the installation, you can try to scan the test files in the <code>clamav-testfiles</code> package.</p>
<blockquote>
<p><em>Note</em>: Debian packages are maintained by <a href="https://salsa.debian.org/clamav-team">Debian's ClamAV Team</a>.</p>
<p>The package maintainers can be reached at <a href="manual/Installing/pkg-clamav-devel@lists.alioth.debian.org">clamav-devel at lists.alith.debian.org</a>. More info at <a href="https://tracker.debian.org/pkg/clamav">tracker.debian.org/pkg/clamav</a>.</p>
<p>Patches: https://salsa.debian.org/clamav-team/clamav/tree/unstable/debian/patches</p>
</blockquote>
<h3 id="ubuntu"><a class="header" href="#ubuntu">Ubuntu</a></h3>
<p>Ubuntu's ClamAV packages are derived from the Debian packages (above). See the Debian instructions for installation details.</p>
<blockquote>
<p><em>RAR Support</em>: As with Debian, RAR support is not included in the base package. Users that desire RAR support will have to install <code>libclamunar9</code> separately. Unlike with Debian, there is no need to enable "non-free" packages for this to work.</p>
</blockquote>
<blockquote>
<p><em>Note</em>: Ubuntu packages are curated by <a href="https://wiki.ubuntu.com/UbuntuDevelopers">Ubuntu Developers</a>.
Package source: https://packages.ubuntu.com/source/clamav</p>
</blockquote>
<h3 id="opensuse"><a class="header" href="#opensuse">openSUSE</a></h3>
<p>openSUSE provides two packages:</p>
<ul>
<li><code>clamav</code> - The clamav package</li>
<li><code>clamav-devel</code> - The clamav package plus headers for software development.</li>
</ul>
<h4 id="rpm-download"><a class="header" href="#rpm-download">RPM download</a></h4>
<p>Find these packages at under http://download.opensuse.org/repositories/security
Eg.:</p>
<ul>
<li>http://download.opensuse.org/repositories/security/openSUSE_Leap_15.3/x86_64/clamav-0.103.1-lp153.234.4.x86_64.rpm.mirrorlist</li>
<li>http://download.opensuse.org/repositories/security/openSUSE_Leap_15.3/x86_64/clamav-devel-0.103.1-lp153.234.4.x86_64.rpm.mirrorlist</li>
</ul>
<p>Use the update variant for openSUSE, add it to your installation as another repository using YaST or zypper and give it a higher priority (lower number) than the repository that delivers the official updates.</p>
<blockquote>
<p><em>Tip</em>: RPMs of new ClamAV versions for existing SUSE products are provided through the respective online update channels. As these packages have to go through QA, it usually takes some time for a new ClamAV source release to appear as an official RPM. For those who want the newest version, packages are available from <a href="https://build.opensuse.org/package/show/security/clamav">the security project in the openSUSE Build Service</a>.</p>
</blockquote>
<h4 id="zypper"><a class="header" href="#zypper">Zypper</a></h4>
<p>Install ClamAV with <code>zypper</code>:</p>
<pre><code class="language-bash"> zypper install -y clamav
</code></pre>
<blockquote>
<p><em>Note</em>: openSUSE packages are maintained by Reinhard Max.</p>
</blockquote>
<h3 id="epel-fedora-rhel-and-centos"><a class="header" href="#epel-fedora-rhel-and-centos">EPEL: Fedora, RHEL, and CentOS</a></h3>
<p>EPEL creates ClamAV packages for Fedora (as well as EPEL-enabled CentOS and RHEL). For more information on EPEL, <a href="https://fedoraproject.org/wiki/EPEL">visit their wiki</a>.</p>
<p>To enable EPEL for CentOS:</p>
<pre><code class="language-bash">dnf install -y epel-release
</code></pre>
<p>EPEL offers a selection of packages to install ClamAV:</p>
<ul>
<li><code>clamd</code> - The Clam AntiVirus Daemon</li>
<li><code>clamav</code> - End-user tools for the Clam Antivirus scanner</li>
<li><code>clamav-data</code> - Virus signature data for the Clam Antivirus scanner</li>
<li><code>clamav-devel</code> - Header files and libraries for the Clam Antivirus scanner</li>
<li><code>clamav-lib</code> - Dynamic libraries for the Clam Antivirus scanner</li>
<li><code>clamav-milter</code> - Milter module for the Clam Antivirus scanner</li>
<li><code>clamav-update</code> - Auto-updater for the Clam Antivirus scanner data-files</li>
</ul>
<p>Most users will only need to run:</p>
<pre><code class="language-bash">dnf install -y clamav clamd clamav-update
</code></pre>
<blockquote>
<p><strong><em>Tips</em></strong></p>
<p><em>CentOS</em>: On Community Enterprise Operating System (CentOS) the ClamAV package requires the Extra Packages for Enterprise Linux (EPEL) repository.</p>
<p><em>RHEL</em>: On RedHat Enterprise Linux (RHEL) the EPEL release package has to be installed either manually or through RHN.</p>
<p><em>Fedora</em>: Fedora packages can be found at https://src.fedoraproject.org/rpms/clamav</p>
<p>Fedora's packaging is more customized than most. Please review the RPM notes when troubleshooting your Fedora package configuration.</p>
</blockquote>
<h3 id="gentoo"><a class="header" href="#gentoo">Gentoo</a></h3>
<p>ClamAV is available in portage under <code>/usr/portage/app-antivirus/clamav</code></p>
<p>To install, run:</p>
<pre><code class="language-bash">emerge clamav
</code></pre>
<p>For more details, see the package entry on <a href="https://packages.gentoo.org/packages/app-antivirus/clamav">Portage</a>.</p>
<h3 id="freebsd-openbsd-netbsd"><a class="header" href="#freebsd-openbsd-netbsd">FreeBSD, OpenBSD, NetBSD</a></h3>
<p>Although all these systems offer the possibility to use ports or pkgsrc, you can install the pre-built package:</p>
<h4 id="freebsd"><a class="header" href="#freebsd">FreeBSD</a></h4>
<p>FreeBSD offers two ClamAV ports (packages):</p>
<ul>
<li><code>clamav</code></li>
<li><code>clamav-devel</code></li>
</ul>
<p>To install, run:</p>
<pre><code class="language-bash">pkg install clamav
</code></pre>
<blockquote>
<p><em>Note</em>: For more details, see:</p>
<ul>
<li>https://www.freshports.org/security/clamav</li>
<li>https://www.freshports.org/security/clamav-devel</li>
</ul>
</blockquote>
<h4 id="openbsd"><a class="header" href="#openbsd">OpenBSD</a></h4>
<p>To install, run:</p>
<pre><code class="language-bash"> pkg_add clamav
</code></pre>
<h4 id="netbsd"><a class="header" href="#netbsd">NetBSD</a></h4>
<p>To install, run:</p>
<pre><code class="language-bash"> pkgin install clamav
</code></pre>
<h3 id="solaris"><a class="header" href="#solaris">Solaris</a></h3>
<p>OpenCSW is a community software project for Solaris 8+ on both Sparc and x86. It packages more than 2000 popular open source titles and they can all easily be installed with dependency handling via <em>pkgutil</em> which is modeled after Debian's <em>apt-get</em>.</p>
<pre><code class="language-bash">pkgutil -i clamav
</code></pre>
<blockquote>
<p><em>Note</em>: The package can be found on <a href="https://www.opencsw.org/packages/clamav/">OpenCSW</a> though it is unfortuantely quite out-of-date.</p>
</blockquote>
<blockquote>
<p><em>Disclaimer</em>: ClamAV is also no longer supported on Solaris because Solaris is proprietary, less commonly used, and difficult to work with. Future versions of ClamAV will depend on components written in the Rust programming language, which also does not support building directly on Solaris. It is likely that ClamAV will no longer work on Solaris in the future.</p>
</blockquote>
<h3 id="slackware"><a class="header" href="#slackware">Slackware</a></h3>
<p>You can download ClamAV builds for Slackware from https://slackbuilds.org/repository/14.2/system/clamav/</p>
<p>Download the package, and as root, install it like so (substituting the appropriate filename):</p>
<pre><code class="language-bash"> installpkg clamav.tar.gz
</code></pre>
<h3 id="macos-1"><a class="header" href="#macos-1">macOS</a></h3>
<p>ClamAV can be easily installed on macOS using one of these popular package managers:</p>
<ul>
<li><a href="https://brew.sh">Homebrew</a>: <a href="https://formulae.brew.sh/formula/clamav">ClamAV formula</a></li>
<li><a href="https://www.macports.org/install.php">MacPorts</a>: <a href="https://ports.macports.org/port/clamav/summary">ClamAV port</a></li>
</ul>
<h4 id="homebrew"><a class="header" href="#homebrew">Homebrew</a></h4>
<p>Install <a href="https://brew.sh">Homebrew</a> if you don't already have it. Then run:</p>
<pre><code class="language-bash"> brew install clamav
</code></pre>
<p>Homebrew installs versioned packages to <code>/usr/local/Cellar/<pacakge>/<version></code> with symlinks in <code>/usr/local/opt/<pacakge></code> to the current version. Symlinks for ClamAV's executables will be placed in <code>/usr/local/bin</code> to add them to your PATH. ClamAV's config files will be placed in <code>/usr/local/etc/clamav</code>.</p>
<p>As with most other installation methods, you may need to do the following at a minimum before you can run <code>freshclam</code>, <code>clamscan</code>, or use <code>clamdscan</code> with <code>clamd</code>:</p>
<ol>
<li>Create <code>/usr/local/etc/clamav/freshclam.conf</code> from <code>/usr/local/etc/clamav/freshclam.conf.sample</code>.</li>
<li>Remove or comment-out the <code>Example</code> line from <code>freshclam.conf</code></li>
<li>Run <code>freshclam</code> to download the latest malware definitions.</li>
</ol>
<p>If you wish to run <code>clamd</code> you'll also need to create <code>/usr/local/etc/clamav/clamd.conf</code> from <code>/usr/local/etc/clamav/clamd.conf.sample</code>, and configure <code>clamd.conf</code> with Local/Unix socket settings (preferred), or TCP socket settings.</p>
<h4 id="macports"><a class="header" href="#macports">MacPorts</a></h4>
<p>Install <a href="https://www.macports.org/install.php">MacPorts</a> if you don't already have it. Then run:</p>
<pre><code class="language-bash"> sudo port install clamav
</code></pre>
<p>MacPorts installs versioned packages to <code>/opt/local/</code>. ClamAV's config files will be placed in <code>/opt/local/etc</code>.</p>
<p>As with most other installation methods, you may need to do the following at a minimum before you can run <code>freshclam</code>, <code>clamscan</code>, or use <code>clamdscan</code> with <code>clamd</code>:</p>
<ol>
<li>Create <code>/opt/local/etc/freshclam.conf</code> from <code>/opt/local/etc/freshclam.conf.sample</code>.</li>
<li>Remove or comment-out the <code>Example</code> line from <code>freshclam.conf</code></li>
<li>Run <code>freshclam</code> to download the latest malware definitions.</li>
</ol>
<p>If you wish to run <code>clamd</code> you'll also need to create <code>/opt/local/etc/clamd.conf</code> from <code>/opt/local/etc/clamd.conf.sample</code>, and configure <code>clamd.conf</code> with Local/Unix socket settings (preferred), or TCP socket settings.</p>
<div style="break-before: page; page-break-before: always;"></div><h1 id="clamav-in-docker"><a class="header" href="#clamav-in-docker">ClamAV in Docker</a></h1>
<p>ClamAV can be run within a Docker container. This provides isolation from other processes by running it in a containerized environment. If new or unfamiliar with Docker, containers or cgroups see <a href="https://www.docker.com">docker.com</a>.</p>
<h2 id="the-official-images-on-docker-hub"><a class="header" href="#the-official-images-on-docker-hub">The official images on Docker Hub</a></h2>
<p>ClamAV image tags <a href="https://hub.docker.com/r/clamav/clamav">on Docker Hub</a> follow these naming conventions.</p>
<p>All images come in two forms:</p>
<ul>
<li>
<p><code>clamav/clamav:<version></code>: A release preloaded with signature databases.</p>
<p>Using this container will save the ClamAV project some bandwidth. Use this if you will keep the image around so that you don't download the entire database set every time you start a new container. Updating with FreshClam from existing databases set does not use much data.</p>
</li>
<li>
<p><code>clamav/clamav:<version>_base</code>: A release with no signature databases.</p>
<p>Use this container <strong>only</strong> if you mount a volume in your container under <code>/var/lib/clamav</code> to persist your signature database databases. This method is the best option because it will reduce data costs for ClamAV and for the Docker registry, but it does require advanced familiarity with Linux and Docker.</p>
<blockquote>
<p><em>Caution</em>: Using this image without mounting an existing database directory will cause FreshClam to download the entire database set each time you start a new container.</p>
</blockquote>
</li>
</ul>
<p>There are a selection of tags to help you get the versions you need:</p>
<ul>
<li>
<p><code>clamav/clamav:<MAJOR.MINOR.PATCH>_base</code> and <code>clamav/clamav:<MAJOR.MINOR.PATCH></code>: This is a tag for a specific image for a given patch version. The "base" version of this image will never change, and the non-base version will only ever be updated to have newer signature databases.</p>
<p>If we need to publish a new image to resolve CVE's in the underlying dependencies, then another image will be created with a build-number suffix.</p>
<p>For example: <code>0.104.2-2_base</code> is a new image to resolve security issues found in busybox in the <code>0.104.2_base</code> image.</p>
</li>
<li>
<p><code>clamav/clamav:<MAJOR.MINOR>_base</code> and <code>clamav/clamav:<MAJOR.MINOR></code>: This is a tag for the latest patch version of ClamAV 0.104. When the image for a new patch version is created, this tag will be updated so that it always points to the latest image for ClamAV 0.104.</p>
</li>
<li>
<p><code>clamav/clamav:stable_base</code> and <code>clamav/clamav:stable</code>: These tags point to the latest stable patch version image. We use the word "stable" to make it clear that these do not track the latest commit in Github. As of 2022-02-15, that makes these equivalent to <code>0.104</code> and <code>0.104_base</code>. When 0.105 is released, these will be updated to track <code>0.105</code> and <code>0.105_base</code>.</p>
</li>
<li>
<p><code>clamav/clamav:latest_base</code> and <code>clamav/clamav:latest</code>: These are the same as <code>clamav/clamav:stable_base</code> and <code>clamav/clamav:stable</code>. They exist because many users expect all images to have a "latest".</p>
</li>
<li>
<p><code>clamav/clamav:unstable_base</code> and <code>clamav/clamav:unstable</code>: These tags point to the latest commit in the <code>main</code> branch on github.com/Cisco-Talos/clamav. Provided something doesn't go wrong, these are updated every evening that something changes in the ClamAV Git repository.</p>
</li>
</ul>
<h3 id="image-selection-recommendations"><a class="header" href="#image-selection-recommendations">Image Selection Recommendations</a></h3>
<p>Instead of choosing the specific image for a patch release, choose the tag for a feature release, such as <code>clamav/clamav:0.104</code> or <code>clamav/clamav:0.104_base</code>.</p>
<p>Only select a "latest" or "stable" tags if you're comfortable with the the risk involved with updating to a new feature release right away without evaluating it first.</p>
<p>Choose the <code>_base</code> tag and set up a volume to persist your signature databases. This will save us and you bandwidth. You may choose to set up a container that has the Freshclam daemon enabled, and have multiple others that do not. The ClamD daemon in the all images will occasionally check to see if there are newer signatures in the mounted volume and will reload the databases as needed.</p>
<p>ClamAV uses quite a bit of RAM to load the signature databases into memory. 2GB may be insufficient. Configure your containers to have 4GB of RAM.</p>
<h3 id="end-of-life"><a class="header" href="#end-of-life">End of Life</a></h3>
<p>The ClamAV Docker images are subject to ClamAV's <a href="manual/Installing/../../faq/faq-eol.html">End-of-Life (EOL) policy</a>. After EOL for a given feature release, those images will no longer be updated and may be unable to download signature updates.</p>
<h2 id="building-the-clamav-image"><a class="header" href="#building-the-clamav-image">Building the ClamAV image</a></h2>
<p>While it is recommended to pull the image from our <a href="https://hub.docker.com/r/clamav/clamav">Docker Hub registry</a>, some may want to build the image locally instead. All that is needed is:</p>
<pre><code class="language-bash">docker build --tag "clamav:TICKET-123" .
</code></pre>
<p>in the current directory. This will build the ClamAV image and tag it with the name "clamav:TICKET-123". Any name can generally be used and it is this name that needs to be referred to later when running the image.</p>
<h2 id="running-clamd"><a class="header" href="#running-clamd">Running ClamD</a></h2>
<p>To run <code>clamd</code> in a Docker container, first, an image either has to be built or pulled from a Docker registry.</p>
<h3 id="running-clamd-using-the-official-clamav-images-from-docker-hub"><a class="header" href="#running-clamd-using-the-official-clamav-images-from-docker-hub">Running ClamD using the official ClamAV images from Docker Hub</a></h3>
<p>To pull the ClamAV "unstable" image from Docker Hub, run:</p>
<pre><code class="language-bash">docker pull clamav/clamav:unstable
</code></pre>
<blockquote>
<p><em>Tip</em>: Substitute <code>unstable</code> with a different version as needed.</p>
</blockquote>
<p>To pull <em>and run</em> the official ClamAV images from the Docker Hub registry, try the following command:</p>
<pre><code class="language-bash">docker run \
--interactive \
--tty \
--rm \
--name "clam_container_01" \
clamav/clamav:unstable
</code></pre>
<p>The above creates an interactive container with the current TTY connected to it. This is optional but useful when getting started as it allows one to directly see the output and, in the case of <code>clamd</code>, send <code>ctrl-c</code> to close the container. The <code>--rm</code> parameter ensures the container is cleaned up again after it exits and the <code>--name</code> parameter names the container, so it can be referenced through other (Docker) commands, as several containers of the same image can be started without conflicts.</p>
<blockquote>
<p><em>Note</em>: Pulling is not always required. <code>docker run</code> will pull the image if it cannot be found locally. <code>docker run --pull always</code> will always pull beforehand to ensure the most up-to-date container is being used. Do not use <code>--pull always</code> with the larger ClamAV images.</p>
</blockquote>
<blockquote>
<p><em>Tip</em>: It's common to see <code>-it</code> instead of <code>--interactive --tty</code>.</p>
</blockquote>
<h3 id="running-clamd-using-a-locally-built-image"><a class="header" href="#running-clamd-using-a-locally-built-image">Running ClamD using a Locally Built Image</a></h3>
<p>You can run a container using an image built locally (<a href="manual/Installing/Docker.html#building-the-clamav-image">see "Building the ClamAV Image"</a>). Just run:</p>
<pre><code class="language-bash">docker run -it --rm \
--name "clam_container_01" \
clamav:TICKET-123
</code></pre>
<h3 id="persisting-the-virus-database-volume"><a class="header" href="#persisting-the-virus-database-volume">Persisting the virus database (volume)</a></h3>
<p>The virus database in <code>/var/lib/clamav</code> is by default unique to each container and thus is normally not shared. For simple setups this is fine, where only one instance of <code>clamd</code> is expected to run in a dockerized environment. However some use cases may want to efficiently share the database or at least persist it across short-lived ClamAV containers.</p>
<p>To do so, you have two options:</p>
<ol>
<li>
<p>Create a <a href="https://docs.docker.com/storage/volumes/">Docker volume</a> using the
<code>docker volume</code> command.
Volumes are completely managed by Docker and are the best choice for creating a persistent database volume.</p>
<p>For example, create a "clam_db" volume:</p>
<pre><code class="language-bash">docker volume create clam_db
</code></pre>
<p>Then start one or more containers using this volume. The first container to use a new database volume will download the full database set. Subsequent containers will use the existing databases and may update them as needed:</p>
<pre><code class="language-bash">docker run -it --rm \
--name "clam_container_01" \
--mount source=clam_db,target=/var/lib/clamav \
clamav/clamav:unstable_base
</code></pre>
</li>
<li>
<p>Create a <a href="https://docs.docker.com/storage/bind-mounts/">Bind Mount</a> that maps a file system directory to a path within the container. Bind Mounts depend on the directory structure, permissions, and operating system of the Docker host machine.</p>
<p>Run the container with these arguments to mount the a directory from your host environment as a volume in the container.</p>
<pre><code class="language-bash"> --mount type=bind,source=/path/to/databases,target=/var/lib/clamav
</code></pre>
<p>When doing this, it's best to use the <code><version>_base</code> image tags so as to save on bandwith. E.g.:</p>
<pre><code class="language-bash">docker run -it --rm \
--name "clam_container_01" \
--mount type=bind,source=/path/to/databases,target=/var/lib/clamav \
clamav/clamav:unstable_base
</code></pre>
<blockquote>
<p><em>Disclaimer</em>: When using a Bind Mount, the container's entrypoint script will change ownership of this directory to its "clamav" user. This enables FreshClam and ClamD with the required permissions to read and write to the directory, though these changes will also affect those files on the host.</p>
</blockquote>
</li>
</ol>
<p>If you're thinking about running multiple containers that share a single database volume, <a href="manual/Installing/Docker.html#multiple-containers-sharing-the-same-mounted-databases">here are some notes on how this might work</a>.</p>
<h2 id="running-clamdscan"><a class="header" href="#running-clamdscan">Running Clam(D)Scan</a></h2>
<p>Scanning files using <code>clamscan</code> or <code>clamdscan</code> is possible in various ways with Docker. This section briefly describes them, but the other sections of this document are best read before hand to better understand some of the concepts.</p>
<p>One important aspect is however to realize that Docker by default does not have access to any of the hosts files. And so to scan these within Docker, they need to be mounted with a <a href="https://docs.docker.com/storage/bind-mounts/">bind mount</a> to be made accessible.</p>
<p>For example, running the container with these arguments ...</p>
<pre><code class="language-bash"> --mount type=bind,source=/path/to/scan,target=/scandir
--mount type=bind,source=/path/to/scan,target=/scandir
</code></pre>
<p>... would make the hosts file/directory <code>/path/to/scan</code> available in the container as <code>/scandir</code> and thus invoking <code>clamscan</code> would thus be done on <code>/scandir</code>.</p>
<p>Note that while technically possible to run either scanners via <code>docker exec</code> this is not described as it is unlikely the container has access to the files to be scanned.</p>
<h3 id="clamscan"><a class="header" href="#clamscan">ClamScan</a></h3>
<p>Using <code>clamscan</code> outside of the Docker container is how normally <code>clamscan</code> is invoked. To make use of the available shared dockerized resources however, it is possible to expose the virus database and share that for example. E.g. it could be possible to run a Docker container with only the <code>freshclam</code> daemon running, and share the virus database directory <code>/var/lib/clamav</code>. This could be useful for file servers for example, where only <code>clamscan</code> is installed on the host, and <code>freshclam</code> is managed in a Docker container.</p>
<blockquote>
<p><em>Note</em>: Running the <code>freshclam</code> daemon separated from <code>clamd</code> is less recommended, unless the <code>clamd</code> socket is shared with <code>freshclam</code> as <code>freshclam</code> would not be able to inform <code>clamd</code> of database updates.</p>
</blockquote>
<h3 id="dockerized-clamscan"><a class="header" href="#dockerized-clamscan">Dockerized ClamScan</a></h3>
<p>To run <code>clamscan</code> in a Docker container, the Docker container can be invoked as:</p>
<pre><code class="language-bash">docker run -it --rm \
--mount type=bind,source=/path/to/scan,target=/scandir \
clamav/clamav:unstable \
clamscan /scandir
</code></pre>
<p>However, this will use whatever signatures are found in the image, which may be slightly out of date. If using <code>clamscan</code> in this way, it would be best to use a <a href="manual/Installing/Docker.html#running-with-a-mounted-database-directory-volume">database volume</a> that is up-to-date so that you scan with the latest signatures. E.g.:</p>
<pre><code class="language-bash">docker run -it --rm \
--mount type=bind,source=/path/to/scan,target=/scandir \
--mount type=bind,source=/path/to/databases,target=/var/lib/clamav \
clamav/clamav:unstable_base \
clamscan /scandir
</code></pre>
<h3 id="clamdscan"><a class="header" href="#clamdscan">ClamDScan</a></h3>
<p>As with <code>clamscan</code>, <code>clamdscan</code> can also be run when installed on the host, by connecting to the dockerized <code>clamd</code>. This can be done by either pointing <code>clamdscan</code> to the exposed TCP/UDP port or unix socket.</p>
<h3 id="dockerized-clamdscan"><a class="header" href="#dockerized-clamdscan">Dockerized ClamDScan</a></h3>
<p>Running both <code>clamd</code> and <code>clamdscan</code> is also easily possible, as all that is needed is the shared socket between the two containers. The only cavaet here is to:</p>
<ol>
<li>mount the files to be scanned in the container that will run <code>clamd</code>, or</li>
<li>mount the files to be scanned in the container that will <code>clamdscan</code> run if using <code>clamdscan --stream</code>. The <code>--stream</code> option will be slower, but enables submitting files from a different machine on a network.</li>
</ol>
<p>For example:</p>
<pre><code class="language-bash">docker run -it --rm \
--mount type=bind,source=/path/to/scan,target=/scandir \
--mount type=bind,source=/var/lib/docker/data/clamav/sockets/,target=/run/clamav/ \
clamav/clamav:unstable
</code></pre>
<pre><code class="language-bash">docker run -it --rm \
--mount type=bind,source=/path/to/scan,target=/scandir \
--mount type=bind,source=/var/lib/docker/data/clamav/sockets/,target=/run/clamav/ \
clamav/clamav:unstable_base \
clamdscan /scandir
</code></pre>
<h2 id="controlling-the-container"><a class="header" href="#controlling-the-container">Controlling the container</a></h2>
<p>The ClamAV container actually runs both <code>freshclam</code> and <code>clamd</code> daemons by default. Optionally available to the container is ClamAV's milter daemon. To control the behavior of the services started within the container, the following flags can be passed to the <code>docker run</code> command with the <code>--env</code> (<code>-e</code>) parameter.</p>
<ul>
<li>CLAMAV_NO_CLAMD [true|<strong>false</strong>] Do not start <code>clamd</code>.
(default: <code>clamd</code> daemon is started)</li>
<li>CLAMAV_NO_FRESHCLAMD [true|<strong>false</strong>] Do not start the <code>freshclam</code> daemon.
(default: <code>freshclam</code> daemon is started)</li>
<li>CLAMAV_NO_MILTERD [<strong>true</strong>|false] Do not start the <code>clamav-milter</code> daemon.
(default: <code>clamav-milter</code> daemon is <strong>not</strong> started)</li>
<li>CLAMD_STARTUP_TIMEOUT [integer] Seconds to wait for <code>clamd</code> to start.
(default: 1800)</li>
<li>FRESHCLAM_CHECKS [integer] <code>freshclam</code> daily update frequency.
(default: once per day)</li>
</ul>
<p>So to additionally also enable <code>clamav-milter</code>, the following flag can be added:</p>
<pre><code class="language-bash"> --env 'CLAMAV_NO_MILTERD=false'
</code></pre>
<p>Further more, all of the configuration files that live in <code>/etc/clamav</code> can be overridden by doing a volume-mount to the specific file. The following argument can be added for this purpose. The example uses the entire configuration directory, but this can be supplied multiple times if individual files deem to be replaced.</p>
<pre><code class="language-bash"> --mount type=bind,source=/full/path/to/clamav/,target=/etc/clamav
</code></pre>
<blockquote>
<p><em>Note</em>: Even when disabling the <code>freshclam</code> daemon, <code>freshclam</code> will always run at least once during container startup if there is no virus database. While not recommended, the virus database location itself <code>/var/lib/clamav/</code> could be a persistent Docker volume. This however is slightly more advanced and out of scope of this document.</p>
</blockquote>
<h2 id="connecting-to-the-container"><a class="header" href="#connecting-to-the-container">Connecting to the container</a></h2>
<h3 id="executing-commands-within-a-running-container"><a class="header" href="#executing-commands-within-a-running-container">Executing commands within a running container</a></h3>
<p>To connect to a running ClamAV container, <code>docker exec</code> can be used to run a command on an already running container. To do so, the name needs to be either obtained from <code>docker ps</code> or supplied during container start via the <code>--name</code> parameter. The most interesting command in this case can be <code>clamdtop</code>.</p>
<pre><code class="language-bash">docker exec --interactive --tty "clamav_container_01" clamdtop
</code></pre>
<p>Alternatively, a shell can be started to inspect and run commands within the
container as well.</p>
<pre><code class="language-bash">docker exec --interactive --tty "clamav_container_01" /bin/sh
</code></pre>
<h3 id="unix-sockets"><a class="header" href="#unix-sockets">Unix sockets</a></h3>
<p>The default socket for <code>clamd</code> is located inside the container as <code>/run/clamav/clamd.sock</code> and can be connected to when exposed via a Docker volume mount. To ensure, that <code>clamd</code> within the container can freely create and remove the socket, the path for the socket is to be volume-mounted, to expose it for others on the same host to use. The following volume can be used for this purpose. Do ensure that the directory on the host actually exists and clamav inside the container has permission to access it. Caution is required when managing permissions, as incorrect permission could open clamd for anyone on the host system.</p>
<pre><code class="language-bash"> --mount type=bind,source=/var/lib/docker/data/clamav/sockets/,target=/run/clamav/
</code></pre>
<p>With the socket exposed to the host, any other service can now talk to <code>clamd</code> as well. If for example <code>clamdtop</code> where installed on the local host, calling</p>
<pre><code class="language-bash">clamdtop "/var/lib/docker/data/clamav/sockets/clamd.sock"
</code></pre>
<p>should work just fine. Likewise, running <code>clamdtop</code> in a different container, but sharing the socket will equally work. While <code>clamdtop</code> works well as an example here, it is of course important to realize, this can also be used to connect a mail server to <code>clamd</code>.</p>
<h3 id="tcp"><a class="header" href="#tcp">TCP</a></h3>
<p>ClamAV in the official Docker images is configured to listen for TCP connections on these ports:</p>
<ul>
<li><code>clamd</code>: 3310</li>
<li><code>clamav-milter</code>: 7357</li>
</ul>
<p>While <code>clamd</code> and <code>clamav-milter</code> will listen on the above TCP ports, Docker does not expose these by default to the host. Only within containers can these ports be accessed. To expose, or "publish", these ports to the host, and thus potentially over the (inter)network, the <code>--publish</code> (or <code>--publish-all</code>) flag to <code>docker run</code> can be used. While more advanced/secure mappings can be done as per documentation, the basic way is to <code>--publish [<host_port>:]<container_port></code> to make the port available to the host.</p>
<pre><code class="language-bash"> --publish 13310:3310 \
--publish 7357
</code></pre>
<p>The above would thus publish:</p>
<ul>
<li><code>clamd</code> port <code>3310</code> as <code>13310</code> on the host</li>
<li><code>milter</code> port <code>7357</code> as a <em>random</em> to the host. The <em>random</em> port can be inspected via <code>docker ps</code>.</li>
</ul>
<p>But if you're just running one ClamAV container, you probably will just want to use the default port numbers, which are the same port numbers suggested in the <code>clamd.conf.sample</code> file provided with ClamAV:</p>
<pre><code class="language-bash"> --publish 3310:3310 \
--publish 7357:7357
</code></pre>
<blockquote>
<p><strong>Warning</strong>: Extreme caution is to be taken when using <code>clamd</code> over TCP as there are no protections on that level. All traffic is un-encrypted. Extra care is to be taken when using TCP communications.</p>
</blockquote>
<h2 id="container-clamd-health-check"><a class="header" href="#container-clamd-health-check">Container ClamD health-check</a></h2>
<p>Docker has the ability to run simple <code>ping</code> checks on services running inside containers. If <code>clamd</code> is running inside the container, Docker will on occasion send a <code>ping</code> to <code>clamd</code> on the default port and wait for the pong from <code>clamd</code>. If <code>clamd</code> fails to respond, Docker will treat this as an error. The healthcheck results can be viewed with <code>docker inspect</code>.</p>
<h2 id="performance"><a class="header" href="#performance">Performance</a></h2>
<p>The performance impact of running <code>clamd</code> in Docker is negligible. Docker is in essence just a wrapper around Linux's cgroups and cgroups can be thought of as <code>chroot</code> or FreeBSD's <code>jail</code>. All code is executed on the host without any translation. Docker does however do some isolation (through cgroups) to isolate the various systems somewhat.</p>
<p>Of course, nothing in life is free, and so there is some overhead. Disk-space being the most prominent one. The Docker container might have some duplication of files for example between the host and the container. Further more, also RAM memory may be duplicated for each instance, as there is no RAM-deduplication. Both of which can be solved on the host however. A filesystem that supports disk-deduplication and a memory manager that does RAM-deduplication.</p>
<p>The base container in itself is already very small ~16 MiB, at the time of thiswriting, this cost is still very tiny, where the advantages are very much worththe cost in general.</p>
<p>The container including the virus database is about ~240 MiB at the time of this writing.</p>
<h2 id="bandwidth"><a class="header" href="#bandwidth">Bandwidth</a></h2>
<p>Please, be kind when using 'free' bandwidth, both for the virus databases but also the Docker registry. Try not to download the entire database set or the larger ClamAV database images on a regular basis.</p>
<h2 id="advanced-container-configurations"><a class="header" href="#advanced-container-configurations">Advanced container configurations</a></h2>
<h3 id="multiple-containers-sharing-the-same-mounted-databases"><a class="header" href="#multiple-containers-sharing-the-same-mounted-databases">Multiple containers sharing the same mounted databases</a></h3>
<p>You can run multiple containers that share the same database volume, but be aware that the FreshClam daemons on each would compete to update the databases. Most likely, one would update the databases and trigger its ClamD to load the new databases, while the others would be oblivious to the new databases and would continue with the old signatures until the next ClamD self-check.</p>
<p>This is fine, honestly. It won't take that long before the new signatures are detected by ClamD's self-check and the databases are reloaded automatically.</p>
<p>To reload the databases on all ClamD containers immediately after an update, you could <a href="manual/Installing/Docker.html#controlling-the-container">disable the FreshClam daemon</a> when you start the containers. Later, use <code>docker exec</code> to perform an update and again as needed to have ClamD load updated databases.</p>
<blockquote>
<p><em>Note</em>: This really isn't necessary but you could do this if you wish.</p>
</blockquote>
<p>Exactly how you orchestrate this will depend on your environment. You might do something along these lines:</p>
<ol>
<li>
<p>Create a "clam_db" volume, if you don't already have one:</p>
<pre><code class="language-bash">docker volume create clam_db
</code></pre>
</li>
<li>
<p>Start your containers:</p>
<pre><code class="language-bash">docker run -it --rm \
--name "clam_container_01" \
--mount source=clam_db,target=/var/lib/clamav \
--env 'CLAMAV_NO_FRESHCLAMD=true' \
clamav/clamav:0.104_base
</code></pre>
<p>Wait for the first one to download the databases (if it's a new database volume). Then start more:</p>
<pre><code class="language-bash">docker run -it --rm \
--name "clam_container_02" \
--mount source=clam_db,target=/var/lib/clamav \
--env 'CLAMAV_NO_FRESHCLAMD=true' \
clamav/clamav:0.104_base
</code></pre>
</li>
<li>
<p>Check for updates, as needed:</p>
<pre><code class="language-bash">docker exec -it clam_container_01 freshclam --on-update-execute=EXIT_1 || \
if [ $? == 1 ]; then \
docker exec -it clam_container_01 clamdscan --reload; \
docker exec -it clam_container_02 clamdscan --reload; \
fi
</code></pre>
</li>
</ol>
<div style="break-before: page; page-break-before: always;"></div><h1 id="building-clamav-with-cmake-v0104-and-newer"><a class="header" href="#building-clamav-with-cmake-v0104-and-newer">Building ClamAV with CMake (v0.104 and newer)</a></h1>
<p>The following are instructions to build ClamAV <em>version 0.104 and newer</em> using CMake.</p>
<blockquote>
<p><em>Tip</em>: If you wish to build ClamAV <em>version 0.103 or older</em> from source, follow <a href="manual/Installing/Installing-from-source-Unix-old.html">these instructions to build ClamAV using Autotools</a>.</p>
</blockquote>
<ul>
<li><a href="manual/Installing/Installing-from-source-Unix.html#building-clamav-with-cmake-v0104-and-newer">Building ClamAV with CMake (v0.104 and newer)</a>
<ul>
<li><a href="manual/Installing/Installing-from-source-Unix.html#install-prerequisites">Install prerequisites</a>
<ul>
<li><a href="manual/Installing/Installing-from-source-Unix.html#alpine">Alpine</a></li>
<li><a href="manual/Installing/Installing-from-source-Unix.html#redhat--centos--fedora">Redhat / Centos / Fedora</a></li>
<li><a href="manual/Installing/Installing-from-source-Unix.html#suse--opensuse">SUSE / openSUSE</a></li>
<li><a href="manual/Installing/Installing-from-source-Unix.html#ubuntu--debian">Ubuntu / Debian</a></li>
<li><a href="manual/Installing/Installing-from-source-Unix.html#macos">macOS</a></li>
<li><a href="manual/Installing/Installing-from-source-Unix.html#freebsd">FreeBSD</a></li>
</ul>
</li>
<li><a href="manual/Installing/Installing-from-source-Unix.html#install-rust-toolchain">Install Rust toolchain</a></li>
<li><a href="manual/Installing/Installing-from-source-Unix.html#adding-new-system-user-and-group">Adding new system user and group</a></li>
<li><a href="manual/Installing/Installing-from-source-Unix.html#download-the-source-code">Download the source code</a></li>
<li><a href="manual/Installing/Installing-from-source-Unix.html#build-clamav">Build ClamAV</a>
<ul>
<li><a href="manual/Installing/Installing-from-source-Unix.html#the-default-build">The Default Build</a></li>
<li><a href="manual/Installing/Installing-from-source-Unix.html#a-linux-distribution-style-build">A Linux Distribution-style Build</a></li>
<li><a href="manual/Installing/Installing-from-source-Unix.html#a-build-for-development">A Build for Development</a></li>
<li><a href="manual/Installing/Installing-from-source-Unix.html#about-the-tests">About the tests</a></li>
</ul>
</li>
<li><a href="manual/Installing/Installing-from-source-Unix.html#un-install">Un-install</a></li>
<li><a href="manual/Installing/Installing-from-source-Unix.html#what-now">What now?</a></li>
</ul>
</li>
</ul>
<blockquote>
<p><em>Note</em>: Some of the dependencies are optional if you elect to not build all of the command line applications, or elect to only build the libclamav library. Specifically:</p>
<ul>
<li>libcurl: <em>required for libfreshclam, freshclam, clamsubmit, clamonacc</em></li>
<li>ncurses: <em>required for clamdtop</em></li>
</ul>
<p>For more information about customized builds and which dependencies can be skipped, please see the <code>INSTALL.md</code> document accompanying the source code.</p>
</blockquote>
<h2 id="install-prerequisites"><a class="header" href="#install-prerequisites">Install prerequisites</a></h2>
<blockquote>
<p><em>Note</em>: Many of the instructions below rely on Python 3's Pip package manager to install CMake. This is because many distributions do not provide a new enough version of CMake required to build ClamAV.</p>
</blockquote>
<blockquote>
<p><em>Tip</em>: The Python 3 <code>pytest</code> package is recommended in the instructions below in case the unit tests fail so that the test output is easy to read. <em>You're welcome to skip it.</em> However, if you have Python 2's <code>pytest</code> installed but not Python 3's <code>pytest</code>, the tests may fail to run.</p>
</blockquote>
<h3 id="alpine"><a class="header" href="#alpine">Alpine</a></h3>
<p>As root or with <code>sudo</code>, run:</p>
<pre><code class="language-sh">apk update && apk add \
`# install tools` \
g++ gcc gdb make cmake py3-pytest python3 valgrind \
`# install clamav dependencies` \
bzip2-dev check-dev curl-dev json-c-dev libmilter-dev libxml2-dev \
linux-headers ncurses-dev openssl-dev pcre2-dev zlib-dev
</code></pre>
<p>Version 0.105+: install the Rust toolchain. The best option is to <a href="manual/Installing/Installing-from-source-Unix.html#install-rust-toolchain">install the Rust toolchain using rustup</a> your Rust toolchain. Alpine users on the latest release may also find an adequate Rust toolchain with:</p>
<pre><code class="language-sh">apk add cargo rust
</code></pre>
<h3 id="redhat--centos--fedora"><a class="header" href="#redhat--centos--fedora">Redhat / Centos / Fedora</a></h3>
<p><em>For RHEL 8 or Centos Stream</em>, you will probably need to run this to enable EPEL & PowerTools.
As root or with <code>sudo</code>, run:</p>
<pre><code class="language-sh">dnf install -y epel-release
dnf install -y dnf-plugins-core
dnf install -y https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm
dnf config-manager --set-enabled PowerTools | \
dnf config-manager --set-enabled powertools | true
</code></pre>
<p>As root or with <code>sudo</code>, run:</p>
<pre><code class="language-sh">dnf install -y \
`# install tools` \
gcc gcc-c++ make python3 python3-pip valgrind \
`# install clamav dependencies` \
bzip2-devel check-devel json-c-devel libcurl-devel libxml2-devel \
ncurses-devel openssl-devel pcre2-devel sendmail-devel zlib-devel
</code></pre>
<blockquote>
<p><em>Note</em>: If you get <code>dnf: command not found</code>, use <code>yum</code> instead.</p>
</blockquote>
<p>As a regular user, run:</p>
<pre><code class="language-sh">python3 -m pip install --user cmake pytest
</code></pre>
<blockquote>
<p><em>Tip</em>: If you don't have a user account, e.g. in a Docker container, run:</p>
<pre><code class="language-sh">python3 -m pip install cmake pytest
</code></pre>
</blockquote>
<p>Version 0.105+: install the Rust toolchain. The best option is to <a href="manual/Installing/Installing-from-source-Unix.html#install-rust-toolchain">install the Rust toolchain using rustup</a> your Rust toolchain. Centos and RHEL users are unlikely to find an adequate Rust toolchain through the distribution's package manager. Fedora users that are unable or unwilling to use <code>rustup</code> may have luck with:</p>
<pre><code class="language-sh">dnf install -y cargo rust
</code></pre>
<h3 id="suse--opensuse"><a class="header" href="#suse--opensuse">SUSE / openSUSE</a></h3>
<p>As root or with <code>sudo</code>, run:</p>
<pre><code class="language-sh">zypper install -y \
`# install tools` \
gcc gcc-c++ make python3 python3-pip valgrind \
`# install clamav dependencies` \
libbz2-devel check-devel libjson-c-devel libcurl-devel libxml2-devel \
ncurses-devel libopenssl-devel pcre2-devel sendmail-devel zlib-devel
</code></pre>
<p>As a regular user, run:</p>
<pre><code class="language-sh">python3 -m pip install --user cmake pytest
</code></pre>
<blockquote>
<p><em>Tip</em>: If you don't have a user account, e.g. in a Docker container, run:</p>
<pre><code class="language-sh">python3 -m pip install cmake pytest
</code></pre>
</blockquote>
<p>Version 0.105+: install the Rust toolchain. The best option is to <a href="manual/Installing/Installing-from-source-Unix.html#install-rust-toolchain">install the Rust toolchain using rustup</a> your Rust toolchain. openSUSE users that are unable or unwilling to use <code>rustup</code> may have luck with:</p>
<pre><code class="language-sh">zypper install -y cargo rust
</code></pre>
<h3 id="ubuntu--debian"><a class="header" href="#ubuntu--debian">Ubuntu / Debian</a></h3>
<p>As root or with <code>sudo</code>, run:</p>
<pre><code class="language-sh">apt-get update && apt-get install -y \
`# install tools` \
gcc make pkg-config python3 python3-pip python3-pytest valgrind \
`# install clamav dependencies` \
check libbz2-dev libcurl4-openssl-dev libjson-c-dev libmilter-dev \
libncurses5-dev libpcre2-dev libssl-dev libxml2-dev zlib1g-dev
</code></pre>
<p>As a regular user, run:</p>
<pre><code class="language-sh">python3 -m pip install --user cmake
</code></pre>
<blockquote>
<p><em>Tip</em>: If you don't have a user account, e.g. in a Docker container, run:</p>
<pre><code class="language-sh">python3 -m pip install cmake
</code></pre>
</blockquote>
<p>Version 0.105+: install the Rust toolchain. The best option is to <a href="manual/Installing/Installing-from-source-Unix.html#install-rust-toolchain">install the Rust toolchain using rustup</a> your Rust toolchain. Debian users are unlikely to find an adequate Rust toolchain through the distribution's package manager. Ubuntu users will have better luck. At the time of writing, even Ubuntu 18.04 appears to have relatively recent Rust tools available (1.57.0, where the latest security patch for <code>rustc</code> is version 1.58.1). Debian and Ubuntu users may install the Rust toolchain with:</p>
<pre><code class="language-sh">apt-get install -y cargo rustc
</code></pre>
<blockquote>
<p><em>Note</em>: Debian and Ubuntu chose to call it <code>rustc</code> and not <code>rust</code>, like the others. Ubuntu users may instead install <code>rust-all</code> for a few additional Rust development tools that you would normally install through <code>rustup</code>. The <code>rust-all</code> package does not appear to exist for Debian 11 (bullseye).</p>
</blockquote>
<h3 id="macos-2"><a class="header" href="#macos-2">macOS</a></h3>
<p>The following instructions require you to install <a href="https://brew.sh/">HomeBrew</a> to install tools and library dependencies.</p>
<pre><code class="language-sh">brew update
packages=(
# install tools
python3 cmake
# install clamav dependencies
bzip2 check curl-openssl json-c libxml2 ncurses openssl@1.1 pcre2 zlib
)
for item in "${packages[@]}"; do
brew install $item || true; brew upgrade $item || brew upgrade $item
done
python3 -m pip install --user cmake pytest
</code></pre>
<blockquote>
<p><em>Note</em>: You may also need to install <code>pkg-config</code> if not already present on your system. You can use Homebrew to do this with: <code>brew install pkg-config</code></p>
</blockquote>
<p>Version 0.105+: install the Rust toolchain. The best option is to <a href="manual/Installing/Installing-from-source-Unix.html#install-rust-toolchain">install the Rust toolchain using rustup</a> your Rust toolchain.</p>
<h3 id="freebsd-1"><a class="header" href="#freebsd-1">FreeBSD</a></h3>
<p>As root or with <code>sudo</code>, run:</p>
<pre><code class="language-sh">pkg install -y \
`# install tools` \
gmake cmake pkgconf py38-pip python38 \
`# install clamav dependencies` \
bzip2 check curl json-c libmilter libxml2 ncurses pcre2
</code></pre>
<p>Now as a regular user, run:</p>
<pre><code class="language-sh">python3.8 -m pip install --user pytest
</code></pre>
<blockquote>
<p><em>Tip</em>: If you don't have a user account, e.g. in a Docker container, run:</p>
<pre><code class="language-sh">python3 -m pip install pytest
</code></pre>
</blockquote>
<p>Version 0.105+: install the Rust toolchain. The best option is to <a href="manual/Installing/Installing-from-source-Unix.html#install-rust-toolchain">install the Rust toolchain using rustup</a> . FreeBSD users may find an adequate version using the package manager to install the Rust toolchain, depending on their release. FreeBSD users may install the Rust toolchain with:</p>
<pre><code class="language-sh">pkg install -y rust
</code></pre>
<h2 id="install-rust-toolchain"><a class="header" href="#install-rust-toolchain">Install Rust toolchain</a></h2>
<p>Starting with ClamAV v0.105, a Rust toolchain is required to compile portions of libclamav. You can install the appropriate toolchain for your development environment by following the instructions on the <a href="https://rustup.rs">rustup</a> website. This ensures that you have the most up-to-date compiler available at the time of installation; keep your toolchain updated for new features and bug/security fixes by periodically executing: <code>rustup update</code>.</p>
<p>Building ClamAV requires, at a minimum, Rust compiler version 1.56, as it relies on features introduced in the <a href="https://doc.rust-lang.org/edition-guide/rust-2021/index.html">Rust 2021 Edition</a>.</p>
<p>Depending on your target environment, compilers may be manually installed without downloading and executing the <code>rustup</code> script. Some platforms (e.g., Alpine Linux) provide packages that are recent-enough to build ClamAV. However, some Linux distributions such as CentOS, provide no package, or toolchains that are too old. For these platforms, if you are unable or unwilling to utilize <code>rustup</code>, you may <a href="https://forge.rust-lang.org/infra/other-installation-methods.html#standalone">download and install prebuilt toolchain binaries directly from rust-lang.org</a>.</p>
<h2 id="adding-new-system-user-and-group"><a class="header" href="#adding-new-system-user-and-group">Adding new system user and group</a></h2>
<p>If installing to the system, and if you intend to run <code>freshclam</code> or <code>clamd</code> as as service, you should create a service account before compiling and installing ClamAV.</p>
<p><a href="manual/Installing/Add-clamav-user.html">Follow these steps to create a service account</a>.</p>
<h2 id="download-the-source-code"><a class="header" href="#download-the-source-code">Download the source code</a></h2>
<p>Download the source from <a href="https://www.clamav.net/downloads">the clamav.net downloads page</a>.</p>
<p>Extract the archive:</p>
<pre><code class="language-bash">tar xzf clamav-[ver].tar.gz
cd clamav-[ver]
</code></pre>
<h2 id="build-clamav"><a class="header" href="#build-clamav">Build ClamAV</a></h2>
<p>First, make a "build" subdirectory. This will enable you to easily delete your build files if something goes wrong and you need to re-configure and try again.</p>
<pre><code class="language-bash">mkdir build && cd build
</code></pre>
<p>Next, select the build options you desire. For a full list of configuration options, see the "Custom CMake options" section in the <code>INSTALL.md</code> file included with the source code.</p>
<p>To help you get started, here are some popular build configurations.</p>
<h3 id="the-default-build"><a class="header" href="#the-default-build">The Default Build</a></h3>
<p>The default build type is <code>RelWithDebInfo</code>, that is "Release mode with Debugging symbols". It will install to <code>/usr/local</code>.</p>
<pre><code class="language-bash">cmake ..
cmake --build .
ctest
sudo cmake --build . --target install
</code></pre>
<blockquote>
<p><em>Tip</em>: If building for macOS, you may need to override the system provided LibreSSL with the OpenSSL you installed using Homebrew.
For example:</p>
<pre><code class="language-sh">cmake .. \
-D CMAKE_INSTALL_PREFIX=/usr/local/clamav \
-D OPTIMIZE=OFF \
-D OPENSSL_ROOT_DIR=/usr/local/opt/openssl@1.1/ \
-D OPENSSL_CRYPTO_LIBRARY=/usr/local/opt/openssl@1.1/lib/libcrypto.1.1.dylib \
-D OPENSSL_SSL_LIBRARY=/usr/local/opt/openssl@1.1/lib/libssl.1.1.dylib
make
sudo make install
</code></pre>
</blockquote>
<h3 id="a-linux-distribution-style-build"><a class="header" href="#a-linux-distribution-style-build">A Linux Distribution-style Build</a></h3>
<p>This build type mimics the layout you may be familiar with if installing a ClamAV package on Debian, Ubuntu, Alpine, and some other distributions:</p>
<pre><code class="language-bash">cmake .. \
-D CMAKE_INSTALL_PREFIX=/usr \
-D CMAKE_INSTALL_LIBDIR=lib \
-D APP_CONFIG_DIRECTORY=/etc/clamav \
-D DATABASE_DIRECTORY=/var/lib/clamav \
-D ENABLE_JSON_SHARED=OFF
cmake --build .
ctest
sudo cmake --build . --target install
</code></pre>
<p>Using the above example:</p>
<ul>
<li>
<p><code>CMAKE_INSTALL_PREFIX</code> - The install "prefix" will be <code>/usr</code>.</p>
</li>
<li>
<p><code>CMAKE_INSTALL_LIBDIR</code> - The library directory will be <code>lib</code> (i.e. <code>/usr/lib</code>).</p>
<p>This may be the default anyways, but you may want to specify if CMake tries to install to <code>lib64</code> and if <code>lib64</code> is not desired.</p>
</li>
<li>
<p><code>APP_CONFIG_DIRECTORY</code> - The config directory will be <code>/etc/clamav</code>.</p>
<p><em>Note</em>: This absolute path is non-portable.</p>
</li>
<li>
<p><code>DATABASE_DIRECTORY</code> - The database directory will be <code>/var/lib/clamav</code>.</p>
<p><em>Note</em>: This absolute path is non-portable.</p>
</li>
</ul>
<blockquote>
<p><em>Tip</em>: Setting <code>ENABLE_JSON_SHARED=OFF</code> is preferred, but it will require json-c version 0.15 or newer unless you build json-c yourself with custom options. If json-c 0.15+ is not available to you, you may omit the option and just use the json-c shared library. But be warned that downstream applications which use <code>libclamav.so</code> may crash if they also use a different JSON library.</p>
</blockquote>
<p>Some other popular configuration options include:</p>
<ul>
<li>
<p><code>CMAKE_INSTALL_DOCDIR</code> - Specify exact documentation subdirectory, relative to the install prefix. The default may vary depending on your system and how you install CMake.</p>
<p>E.g., <code>-D CMAKE_INSTALL_DOCDIR=share/doc/packages/clamav</code></p>
</li>
<li>
<p><code>CMAKE_SKIP_RPATH</code> - If enabled, no RPATH is built into anything. This may be required when building packages for some Linux distributions. See the <a href="https://gitlab.kitware.com/cmake/community/-/wikis/doc/cmake/RPATH-handling">CMake wiki</a> for more detail about CMake's RPATH handling.</p>
<p>E.g., <code>-D CMAKE_SKIP_RPATH=ON</code></p>
</li>
</ul>
<p>Please see the <a href="https://cmake.org/cmake/help/latest/command/install.html#installing-files">CMake documentation</a> for more instructions on how to customize the install paths.</p>
<h3 id="a-build-for-development"><a class="header" href="#a-build-for-development">A Build for Development</a></h3>
<p>This suggested development configuration generates a Ninja-based build system instead of the default Makefile-based build system. Ninja is faster than Make, but you will have to install "ninja" (or "ninja-build"). With the following commands, ClamAV will be compiled in <code>Debug</code> mode with optimizations disabled. It will install to an "install" subdirectory and SystemD integration is disabled so that <code>sudo</code> is not required for the install and SystemD unit files are not installed to the system. This build also enables building a static <code>libclamav.a</code> library as well as building the example applications.</p>
<pre><code class="language-bash">cmake .. -G Ninja \
-D CMAKE_BUILD_TYPE=Debug \
-D OPTIMIZE=OFF \
-D CMAKE_INSTALL_PREFIX=`pwd`/install \
-D ENABLE_EXAMPLES=ON \
-D ENABLE_STATIC_LIB=ON \
-D ENABLE_SYSTEMD=OFF
cmake --build .
ctest --verbose
cmake --build . --target install
</code></pre>
<p>You can find additional instructions <a href="manual/Installing/../Development/development-builds.html">in our Development chapter</a>.</p>
<h3 id="about-the-tests"><a class="header" href="#about-the-tests">About the tests</a></h3>
<p>ClamAV's public test suite is run using <code>ctest</code>. On Linux systems, our build system will detect if you have Valgrind. If installed, each test will run a second time using Valgrind to check for leaks.</p>
<p>If a test fails, please <a href="https://github.com/Cisco-Talos/clamav/issues">report the issue on GitHub</a>. You will find <code>.log</code> files for each of the tests in the <code>build/unit_tests</code> directory. The output from <code>ctest --verbose</code> may give us enough information, but if not it could be helpful to zip up the <code>.log</code> files and attach them to the ticket.</p>
<h2 id="un-install"><a class="header" href="#un-install">Un-install</a></h2>
<p>CMake doesn't provide a simple command to uninstall. However, CMake does build an <code>install_manifest.txt</code> file when you do the install. You can use the manifest to remove the installed files.</p>
<p>You will find the manifest in the directory where you compiled ClamAV. If you followed the recommendations (above), then you will find it at <code><clamav source directory>/build/install_manifest.txt</code>.</p>
<p>Feel free to inspect the file so you're comfortable knowing what you're about to delete.</p>
<p>Open a terminal and <code>cd</code> to that <code><clamav source directory>/build</code> directory. Then run:</p>
<pre><code class="language-bash">xargs rm < install_manifest.txt
</code></pre>
<p>This will leave behind the directories, and will leave behind any files added after install including the signature databases and any config files. You will have to delete these extra files yourself.</p>
<blockquote>
<p><em>Tip</em>: You may need to use <code>sudo</code>, depending on where you installed to.</p>
</blockquote>
<h2 id="what-now-1"><a class="header" href="#what-now-1">What now?</a></h2>
<p>Now that ClamAV is installed, you will want to customize your configuration and perhaps set up some scanning automation and alerting mechanisms.</p>
<p><a href="manual/Installing/../Usage/Configuration.html">Continue on to "Configuration"...</a></p>
<div style="break-before: page; page-break-before: always;"></div><h1 id="building-clamav-with-autotools-v0103-and-older"><a class="header" href="#building-clamav-with-autotools-v0103-and-older">Building ClamAV with Autotools (v0.103 and older)</a></h1>
<p>The following are instructions to build ClamAV <em>version 0.103 and older</em> using Autotools.</p>
<ul>
<li><a href="manual/Installing/Installing-from-source-Unix-old.html#building-clamav-with-autotools-v0103-and-older">Building ClamAV with Autotools (v0.103 and older)</a>
<ul>
<li><a href="manual/Installing/Installing-from-source-Unix-old.html#install-prerequisites">Install prerequisites</a>
<ul>
<li><a href="manual/Installing/Installing-from-source-Unix-old.html#alpine">Alpine</a></li>
<li><a href="manual/Installing/Installing-from-source-Unix-old.html#redhat--centos--fedora">Redhat / Centos / Fedora</a></li>
<li><a href="manual/Installing/Installing-from-source-Unix-old.html#ubuntu--debian">Ubuntu / Debian</a></li>
<li><a href="manual/Installing/Installing-from-source-Unix-old.html#macos">macOS</a></li>
<li><a href="manual/Installing/Installing-from-source-Unix-old.html#freebsd">FreeBSD</a></li>
</ul>
</li>
<li><a href="manual/Installing/Installing-from-source-Unix-old.html#adding-new-system-user-and-group">Adding new system user and group</a></li>
<li><a href="manual/Installing/Installing-from-source-Unix-old.html#download-the-source-code">Download the source code</a></li>
<li><a href="manual/Installing/Installing-from-source-Unix-old.html#build-clamav">Build ClamAV</a>
<ul>
<li><a href="manual/Installing/Installing-from-source-Unix-old.html#the-default-build">The Default Build</a></li>
<li><a href="manual/Installing/Installing-from-source-Unix-old.html#a-linux-distribution-style-build">A Linux Distribution-style Build</a></li>
<li><a href="manual/Installing/Installing-from-source-Unix-old.html#a-build-for-development">A Build for Development</a></li>
<li><a href="manual/Installing/Installing-from-source-Unix-old.html#about-the-tests">About the tests</a></li>
</ul>
</li>
<li><a href="manual/Installing/Installing-from-source-Unix-old.html#un-install">Un-install</a></li>
<li><a href="manual/Installing/Installing-from-source-Unix-old.html#what-now">What now?</a></li>
</ul>
</li>
</ul>
<blockquote>
<p><em>Note</em>: Some of the dependencies are optional if you elect to not build all of the command line applications, or elect to only build the libclamav library. Specifically:</p>
<ul>
<li>libcurl: <em>required for libfreshclam, freshclam, clamsubmit, clamonacc</em></li>
<li>json-c: <em>required for clamsubmit, optional for libclamav</em></li>
<li>ncurses: <em>required for clamdtop</em></li>
</ul>
</blockquote>
<h2 id="install-prerequisites-1"><a class="header" href="#install-prerequisites-1">Install prerequisites</a></h2>
<h3 id="alpine-1"><a class="header" href="#alpine-1">Alpine</a></h3>
<p>As root or with <code>sudo</code>, run:</p>
<pre><code class="language-sh">apk update && apk add \
`# install tools` \
g++ gcc gdb make valgrind \
`# install clamav dependencies` \
bzip2-dev check-dev curl-dev json-c-dev libmilter-dev libxml2-dev \
linux-headers ncurses-dev openssl-dev pcre2-dev zlib-dev
</code></pre>
<h3 id="redhat--centos--fedora-1"><a class="header" href="#redhat--centos--fedora-1">Redhat / Centos / Fedora</a></h3>
<p><em>For Centos 8</em>, you will probably need to run this to enable EPEL & PowerTools.
As root or with <code>sudo</code>, run:</p>
<pre><code class="language-sh">dnf install -y epel-release
dnf install -y dnf-plugins-core
dnf install -y https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm
dnf config-manager --set-enabled PowerTools | \
dnf config-manager --set-enabled powertools | true
</code></pre>
<p>As root or with <code>sudo</code>, run:</p>
<pre><code class="language-sh">dnf install -y \
`# install tools` \
gcc gcc-c++ make valgrind \
`# install clamav dependencies` \
bzip2-devel check-devel json-c-devel libcurl-devel libxml2-devel \
ncurses-devel openssl-devel pcre2-devel sendmail-devel zlib-devel
</code></pre>
<blockquote>
<p><em>Note</em>: If you get <code>dnf: command not found</code>, use <code>yum</code> instead.</p>
</blockquote>
<blockquote>
<p><em>Tip</em>: You need to run <code>autogen.sh</code> if you're not building from a release tarball from clamav.net. If so, visit the <a href="manual/Installing/../Development/development-builds.html#redhat--centos--fedora">developer section</a> to find out what packages are required to run <code>autogen.sh</code></p>
</blockquote>
<h3 id="ubuntu--debian-1"><a class="header" href="#ubuntu--debian-1">Ubuntu / Debian</a></h3>
<p>As root or with <code>sudo</code>, run:</p>
<pre><code class="language-sh">apt-get update && apt-get install -y \
`# install tools` \
gcc make pkg-config valgrind \
`# install clamav dependencies` \
check libbz2-dev libcurl4-openssl-dev libjson-c-dev libmilter-dev \
libncurses5-dev libpcre2-dev libssl-dev libxml2-dev zlib1g-dev
</code></pre>
<blockquote>
<p><em>Tip</em>: You need to run <code>autogen.sh</code> if you're not building from a release tarball from clamav.net. If so, visit the <a href="manual/Installing/../Development/development-builds.html#debian--ubuntu">developer section</a> to find out what packages are required to run <code>autogen.sh</code></p>
</blockquote>
<h3 id="macos-3"><a class="header" href="#macos-3">macOS</a></h3>
<p>The following instructions require you to install <a href="https://brew.sh/">HomeBrew</a> to install tools and library dependencies.</p>
<pre><code class="language-sh"># Install XCode's Command Line Tools
xcode-select --install
brew update
packages=(
# install tools
autoconf automake m4
# install clamav dependencies
bzip2 check curl-openssl json-c libxml2 ncurses openssl@1.1 pcre2 zlib
)
for item in "${packages[@]}"; do
brew install $item || true; brew upgrade $item || brew upgrade $item
done
</code></pre>
<h3 id="freebsd-2"><a class="header" href="#freebsd-2">FreeBSD</a></h3>
<p>As root or with <code>sudo</code>, run:</p>
<pre><code class="language-sh">pkg install -y \
`# install tools` \
gmake pkgconf \
`# install clamav dependencies` \
bzip2 check curl json-c libmilter libxml2 ncurses pcre2
</code></pre>
<h2 id="adding-new-system-user-and-group-1"><a class="header" href="#adding-new-system-user-and-group-1">Adding new system user and group</a></h2>
<p>If installing to the system, and if you intend to run <code>freshclam</code> or <code>clamd</code> as as service, you should create a service account before compiling and installing ClamAV.</p>
<p><a href="manual/Installing/Add-clamav-user.html">Follow these steps to create a service account</a>.</p>
<h2 id="download-the-source-code-1"><a class="header" href="#download-the-source-code-1">Download the source code</a></h2>
<p>Download the source from <a href="https://www.clamav.net/downloads">the clamav.net downloads page</a>.</p>
<p>Extract the archive:</p>
<pre><code class="language-bash">tar xzf clamav-[ver].tar.gz
cd clamav-[ver]
</code></pre>
<h2 id="build-clamav-1"><a class="header" href="#build-clamav-1">Build ClamAV</a></h2>
<p>First, make a "build" subdirectory. This will enable you to easily delete your build files if something goes wrong and you need to re-configure and try again.</p>
<pre><code class="language-bash">mkdir build && cd build
</code></pre>
<blockquote>
<p><em>Note</em>: The instructions in this page assume you're building from our source <code>clamav-[ver].tar.gz</code> file. <strong>If you aren't</strong>, you may need to install extra build tools (autoconf, automake, m4, libtool, and pkg-config/pkgconfig/pkgconf) then run:</p>
<pre><code class="language-bash">../autogen.sh
</code></pre>
</blockquote>
<p>Next, select the build options you desire. For a full list of configuration options, run:</p>
<pre><code class="language-bash">../configure --help
</code></pre>
<p>To help you get started, here are some popular build configurations.</p>
<h3 id="the-default-build-1"><a class="header" href="#the-default-build-1">The Default Build</a></h3>
<p>The default build type is "RelWithDebInfo", that is "Release mode with Debugging symbols". It will install to <code>/usr/local</code>.</p>
<pre><code class="language-bash">../configure
make
make check VG=1
sudo make install
</code></pre>
<h3 id="a-linux-distribution-style-build-1"><a class="header" href="#a-linux-distribution-style-build-1">A Linux Distribution-style Build</a></h3>
<p>This build type mimics the layout you may be familiar with if installing a ClamAV package on Debian, Ubuntu, Alpine, and some other distributions. This will be a "release build" (no debugging symbols, optimizations enabled) and will install to <code>/usr</code>. The config directory will be <code>/etc/clamav</code> and the database directory will be <code>/var/lib/clamav</code>.</p>
<pre><code class="language-bash">../configure \
--prefix=/usr
--sysconfdir=/etc/clamav \
--with-dbdir=/var/lib/clamav \
--with-libjson-static=/path/to/libjson-c.a \
--enable-milter
make
make check VG=1
sudo make install
</code></pre>
<blockquote>
<p><em>Note</em>: Setting <code>ENABLE_JSON_SHARED=OFF</code> is preferred, but it will require json-c version 0.15 or newer. If json-c 0.15+ is not available to you, you may omit the option and just use the json-c shared library. But be warned that downstream applications which use <code>libclamav.so</code> may crash if they also use a different JSON library.</p>
</blockquote>
<h3 id="a-build-for-development-1"><a class="header" href="#a-build-for-development-1">A Build for Development</a></h3>
<p>With the following commands, ClamAV will be compiled with debugging symbols and with optimizations disabled. It will install to an "install" subdirectory and SystemD integration is disabled so that <code>sudo</code> is not required for the install and SystemD unit files are not installed to the system.</p>
<pre><code class="language-bash">CFLAGS="-Wall -Wextra -ggdb -O0" CXXFLAGS="-Wall -Wextra -ggdb -O0" ../configure \
--prefix=`pwd`/install \
--with-systemdsystemunitdir=no
make -j12
make check VG=1
sudo make install
</code></pre>
<h3 id="about-the-tests-1"><a class="header" href="#about-the-tests-1">About the tests</a></h3>
<p>ClamAV's public test suite is run using <code>make check</code>. On Linux systems, the <code>VG=1</code> argument will enable extra tests that use Valgrind to check for leaks.</p>
<p>If a test fails, please <a href="https://github.com/Cisco-Talos/clamav/issues">report the issue on GitHub</a>. You will find <code>.log</code> files generated by the tests in the <code>build/unit_tests</code> directory. The output from <code>make check VG=1</code> may give us enough information, but if not it could be helpful to zip up the <code>.log</code> files and attach them to the ticket.</p>
<h2 id="un-install-1"><a class="header" href="#un-install-1">Un-install</a></h2>
<p>Run <code>make uninstall</code> to remove the installed files.</p>
<p>This will leave behind the directories, and will leave behind any files added after install including the signature databases and any config files. You will have to delete these extra files yourself.</p>
<blockquote>
<p><em>Tip</em>: You may need to use <code>sudo</code>, depending on where you installed to.</p>
</blockquote>
<h2 id="what-now-2"><a class="header" href="#what-now-2">What now?</a></h2>
<p>Now that ClamAV is installed, you will want to customize your configuration and perhaps set up some scanning automation and alerting mechanisms.</p>
<p><a href="manual/Installing/../Usage/Configuration.html">Continue on to "Configuration"...</a></p>
<div style="break-before: page; page-break-before: always;"></div><h1 id="installing-clamav-on-windows-from-source"><a class="header" href="#installing-clamav-on-windows-from-source">Installing ClamAV on Windows from Source</a></h1>
<p>The following are instructions to build ClamAV <em>version 0.104 and newer</em> using CMake.</p>
<blockquote>
<p><em>Tip</em>: If you wish to build ClamAV from source in ClamAV <em>version 0.103 and older</em>, you'll have to use the Visual Studio solution, please see the <a href="https://github.com/Cisco-Talos/clamav/blob/rel/0.103/win32/README.md">Win32 ClamAV Build Instructions</a> located in our source release materials on <a href="https://www.clamav.net/downloads">ClamAV.net</a> and on <a href="https://github.com/Cisco-Talos/clamav">GitHub</a>.</p>
</blockquote>
<ul>
<li><a href="manual/Installing/Installing-from-source-Windows.html#installing-clamav-on-windows-from-source">Installing ClamAV on Windows from Source</a>
<ul>
<li><a href="manual/Installing/Installing-from-source-Windows.html#install-prerequisites">Install prerequisites</a>
<ul>
<li><a href="manual/Installing/Installing-from-source-Windows.html#building-the-library-dependencies">Building the library dependencies</a></li>
<li><a href="manual/Installing/Installing-from-source-Windows.html#install-rust-toolchain">Install Rust toolchain</a></li>
</ul>
</li>
<li><a href="manual/Installing/Installing-from-source-Windows.html#download-the-source-code">Download the source code</a></li>
<li><a href="manual/Installing/Installing-from-source-Windows.html#build-clamav">Build ClamAV</a>
<ul>
<li><a href="manual/Installing/Installing-from-source-Windows.html#building-with-mussels">Building with Mussels</a>
<ul>
<li><a href="manual/Installing/Installing-from-source-Windows.html#building-the-library-dependencies-with-mussels">Building the library dependencies with Mussels</a></li>
<li><a href="manual/Installing/Installing-from-source-Windows.html#building-clamav">Building ClamAV</a></li>
</ul>
</li>
<li><a href="manual/Installing/Installing-from-source-Windows.html#building-with-vcpkg">Building with vcpkg</a></li>
<li><a href="manual/Installing/Installing-from-source-Windows.html#build-the-installer">Build the Installer</a></li>
</ul>
</li>
<li><a href="manual/Installing/Installing-from-source-Windows.html#what-now">What now?</a></li>
</ul>
</li>
</ul>
<blockquote>
<p><em>Note</em>: Some of the dependencies are optional if you elect to not build all of the command line applications, or elect to only build the libclamav library. Specifically:</p>
<ul>
<li>libcurl: <em>required for libfreshclam, freshclam, clamsubmit</em></li>
<li>ncurses: <em>required for clamdtop</em></li>
</ul>
<p>For more information about customized builds and which dependencies can be skipped, please see the <code>INSTALL.md</code> document accompanying the source code.</p>
</blockquote>
<h2 id="install-prerequisites-2"><a class="header" href="#install-prerequisites-2">Install prerequisites</a></h2>
<p><strong>The following commands for building on Windows are written for Powershell</strong>.</p>
<p>At a minimum you will need:</p>
<ul>
<li>Visual Studio 2015 or newer</li>
<li>CMake</li>
<li><a href="manual/Installing/Installing-from-source-Windows.html#install-rust-toolchain">The Rust programming language toolchain</a> (for ClamAV version 0.105+)</li>
</ul>
<p>If you want to build the installer, you'll also need WiX Toolset.</p>
<p>If you're using Chocolatey, you can install CMake and WiX simply like this:</p>
<pre><code class="language-ps1">choco install cmake wixtoolset
</code></pre>
<p>If you're using Mussels to build the library dependencies (see below), then you may also need to install Netwide Assembler (NASM) and ActivePerl. These are also simple to install using Chocolatey:</p>
<pre><code class="language-ps1">choco install nasm activeperl
</code></pre>
<p>Then open a new terminal so that CMake and WiX will be in your <code>$PATH</code>.</p>
<h3 id="building-the-library-dependencies"><a class="header" href="#building-the-library-dependencies">Building the library dependencies</a></h3>
<p>There are two options for building and supplying the library dependencies. These are Mussels and vcpkg.</p>
<p>Mussels is an open source project developed in-house by the ClamAV team. It offers great flexibility for defining your own collections (cookbooks) of build instructions (recipes) instead of solely relying on a centralized repository of ports. And unlike vcpkg, Mussels does not implement CMake build tooling for projects that don't support CMake, but instead leverages whatever build system is provided by the project. This means that Mussels builds may require installing additional tools, like NMake and ActivePerl rather than simply requiring CMake. The advantage is that you'll be building those projects the same way that those developers intended, and that Mussels recipes are generally very light weight. Mussels has some sharp edges because it's a newer and much smaller project than vcpkg.</p>
<p>Vcpkg is an open source project developed by Microsoft and is heavily oriented towards CMake projects. Vcpkg offers a very large collection of "ports" for almost any project you may need to build. It is very easy to get started with vcpkg.</p>
<p>Mussels is the preferred tool to supply the library dependencies at least until such time as the vcpkg Debug-build libclamav unit test heap-corruption crash is resolved <a href="manual/Installing/Installing-from-source-Windows.html#windows-build-with-vcpkg">(see below)</a>.</p>
<p><em><strong>Details for how to use Mussels and vcpkg will be provided with the build instructions (below), as the instructions differ <em>significantly</em> depending on which you choose.</strong></em></p>
<blockquote>
<p><em>Tip</em>: Installing the Python 3 <code>pytest</code> package is also recommended in case the unit tests fail so that the test output is easy to read. <em>You're welcome to skip it.</em> However, if you have Python 2's <code>pytest</code> installed but not Python 3's <code>pytest</code>, the tests may fail to run.</p>
<p>You can install pytest by running:</p>
<pre><code class="language-ps1">python3 -m pip install --user pytest
</code></pre>
</blockquote>
<h3 id="install-rust-toolchain-1"><a class="header" href="#install-rust-toolchain-1">Install Rust toolchain</a></h3>
<p>Starting with ClamAV version 0.105, the Rust toolchain is required to compile ClamAV. You can install the appropriate toolchain for your development environment by following the instructions on the <a href="https://rustup.rs">rustup</a> website. This ensures that you have the most up-to-date compiler available at the time of installation; keep your toolchain updated for new features and bug/security fixes by periodically executing: <code>rustup update</code>.</p>
<p>Building ClamAV requires, at a minimum, Rust compiler version 1.56, as it relies on features introduced in the <a href="https://doc.rust-lang.org/edition-guide/rust-2021/index.html">Rust 2021 Edition</a>.</p>
<h2 id="download-the-source-code-2"><a class="header" href="#download-the-source-code-2">Download the source code</a></h2>
<p>Download the source from <a href="https://www.clamav.net/downloads">the clamav.net downloads page</a>.</p>
<p>Extract the archive. You should be able to right click on it and extract it to a folder, then in that folder, do the same for the <code>clamav-[ver].tar</code> file.</p>
<p>The rest of the instructions will assume you've opened Powershell in the clamav source directory.</p>
<h2 id="build-clamav-2"><a class="header" href="#build-clamav-2">Build ClamAV</a></h2>
<p>First, make a "build" subdirectory. This will enable you to easily delete your build files if something goes wrong and you need to re-configure and try again.</p>
<pre><code class="language-ps1">mkdir build && cd build
</code></pre>
<h3 id="building-with-mussels"><a class="header" href="#building-with-mussels">Building with Mussels</a></h3>
<h4 id="building-the-library-dependencies-with-mussels"><a class="header" href="#building-the-library-dependencies-with-mussels">Building the library dependencies with Mussels</a></h4>
<p>Much like <code>vcpkg</code>, <a href="https://github.com/Cisco-Talos/Mussels">Mussels</a> can be used to automatically build the ClamAV library dependencies. Unlike <code>vcpkg</code>, Mussels does not provide a mechanism for CMake to automatically detect the
library paths.</p>
<p>To build the library dependencies with Mussels, use Python's <code>pip</code> package manager to install Mussels:</p>
<pre><code class="language-ps1">python3 -m pip install mussels
</code></pre>
<blockquote>
<p><em>Important</em>: Always run <code>mussels</code> or <code>msl</code> in a small sub-directory. Mussels will recursively search your current directory for YAML recipe files. In a large directory, such as your home directory, this may take a long time.</p>
</blockquote>
<p>Update the Mussels cookbooks to get the latest build recipes and set the
<code>clamav</code> cookbook to be trusted:</p>
<pre><code class="language-ps1">msl update
msl cookbook trust clamav
</code></pre>
<p>Use <code>msl list</code> if you wish to see the recipes provided by the <code>clamav</code> cookbook.</p>
<p>To build with Mussels, you may need to install a few extra tools required to build some of the libraries. These include NASM and ActivePerl. See <a href="manual/Installing/Installing-from-source-Windows.html#install-prerequisites">install prerequisites</a>, above.</p>
<p>Build the <code>clamav_deps</code> recipe to compile ClamAV's library dependencies. By default, Mussels will install them to <code>~\.mussels\install\<target></code></p>
<pre><code class="language-ps1">msl build clamav_deps
</code></pre>
<p>If this worked, you should be ready to build ClamAV.</p>
<blockquote>
<p><em>Tip</em>: You can also build for 32-bit systems, using <code>msl build clamav_deps -t x86</code>.</p>
</blockquote>
<h4 id="building-clamav"><a class="header" href="#building-clamav">Building ClamAV</a></h4>
<p>To configure the project, run the following, substiting "Visual Studio 16 2019" with your Visual Studio version:</p>
<pre><code class="language-ps1">cmake .. -G "Visual Studio 16 2019" -A x64 `
-D JSONC_INCLUDE_DIR="$home\.mussels\install\x64\include\json-c" `
-D JSONC_LIBRARY="$home\.mussels\install\x64\lib\json-c.lib" `
-D ENABLE_JSON_SHARED=OFF `
-D BZIP2_INCLUDE_DIR="$home\.mussels\install\x64\include" `
-D BZIP2_LIBRARY_RELEASE="$home\.mussels\install\x64\lib\libbz2.lib" `
-D CURL_INCLUDE_DIR="$home\.mussels\install\x64\include" `
-D CURL_LIBRARY="$home\.mussels\install\x64\lib\libcurl_imp.lib" `
-D OPENSSL_ROOT_DIR="$home\.mussels\install\x64" `
-D OPENSSL_INCLUDE_DIR="$home\.mussels\install\x64\include" `
-D OPENSSL_CRYPTO_LIBRARY="$home\.mussels\install\x64\lib\libcrypto.lib" `
-D OPENSSL_SSL_LIBRARY="$home\.mussels\install\x64\lib\libssl.lib" `
-D ZLIB_LIBRARY="$home\.mussels\install\x64\lib\libssl.lib" `
-D LIBXML2_INCLUDE_DIR="$home\.mussels\install\x64\include" `
-D LIBXML2_LIBRARY="$home\.mussels\install\x64\lib\libxml2.lib" `
-D PCRE2_INCLUDE_DIR="$home\.mussels\install\x64\include" `
-D PCRE2_LIBRARY="$home\.mussels\install\x64\lib\pcre2-8.lib" `
-D CURSES_INCLUDE_DIR="$home\.mussels\install\x64\include" `
-D CURSES_LIBRARY="$home\.mussels\install\x64\lib\pdcurses.lib" `
-D PThreadW32_INCLUDE_DIR="$home\.mussels\install\x64\include" `
-D PThreadW32_LIBRARY="$home\.mussels\install\x64\lib\pthreadVC2.lib" `
-D ZLIB_INCLUDE_DIR="$home\.mussels\install\x64\include" `
-D ZLIB_LIBRARY="$home\.mussels\install\x64\lib\zlibstatic.lib" `
-D LIBCHECK_INCLUDE_DIR="$home\.mussels\install\x64\include" `
-D LIBCHECK_LIBRARY="$home\.mussels\install\x64\lib\checkDynamic.lib" `
-D CMAKE_INSTALL_PREFIX="install"
</code></pre>
<blockquote>
<p><em>Tip</em>: You have to drop the <code>-A x64</code> arguments if you're building for 32-bits (or specify <code>-A win32</code>) and substitute <code>x64</code> with <code>x86</code> in the library paths.</p>
</blockquote>
<p>Now, go ahead and build the project:</p>
<pre><code class="language-ps1">cmake --build . --config RelWithDebInfo
</code></pre>
<blockquote>
<p><em>Tip</em>: If you're having include-path issues when building, try building with
detailed verbosity so you can verify that the paths are correct:</p>
</blockquote>
<pre><code class="language-ps1">cmake --build . --config RelWithDebInfo -- /verbosity:detailed
</code></pre>
<p>You can run the test suite with <code>ctest</code>:</p>
<pre><code class="language-ps1">ctest -C RelWithDebInfo
</code></pre>
<p>And you can install to the <code>install</code> (set above) like this:</p>
<pre><code class="language-ps1">cmake --build . --config RelWithDebInfo --target install
</code></pre>
<blockquote>
<p><em>Tip</em>: For a full list of configuration options, see the "Custom CMake Config Options" section of the <code>INSTALL.md</code> file included with the source code.</p>
</blockquote>
<h3 id="building-with-vcpkg"><a class="header" href="#building-with-vcpkg">Building with vcpkg</a></h3>
<p><code>vcpkg</code> can be used to build the ClamAV library dependencies automatically.</p>
<p><code>vcpkg</code> integrates really well with CMake, enabling CMake to find your compiled libraries automatically, so you don't have to specify the include & library paths manually as you do when using Mussels.</p>
<blockquote>
<p><em>DISCLAIMER</em>: There is a known issue with the unit tests when building with vcpkg in <code>Debug</code> mode. When you run the libclamav unit tests (<code>check_clamav</code>), the program will crash and a popup will claim there was heap corruption. If > you use Task Manager to kill the <code>check_clamav.exe</code> process, the rest of the tests pass just fine. This issue does not occur when using Mussels to supply the library dependencies. Commenting out the following lines in <code>readdb.c</code> resolves the heap corruption crash when running <code>check_clamav</code>, but of course introduces a memory leak:</p>
<pre><code class="language-c"> if (engine->stats_data)
free(engine->stats_data);
</code></pre>
<p>If anyone has time to figure out the real cause of the vcpkg <code>Debug</code>-build crash in <code>check_clamav</code>, it would be greatly appreciated.</p>
</blockquote>
<p>You'll need to install <a href="https://github.com/microsoft/vcpkg">vcpkg</a>. See the <code>vcpkg</code> README for installation instructions.</p>
<p>Once installed, set the variable <code>$VCPKG_PATH</code> to the location where you installed <code>vcpkg</code>:</p>
<pre><code class="language-ps1">$VCPKG_PATH="..." # Path to your vcpkg installation
</code></pre>
<p>By default, CMake and <code>vcpkg</code> build for 32-bit. If you want to build for 64-bit, set the <code>VCPKG_DEFAULT_TRIPLET</code> environment variable:</p>
<pre><code class="language-ps1">$env:VCPKG_DEFAULT_TRIPLET="x64-windows"
</code></pre>
<p>Next, use <code>vcpkg</code> to build the required library dependencies:</p>
<pre><code class="language-ps1">& "$VCPKG_PATH\vcpkg" install 'curl[openssl]' 'json-c' 'libxml2' 'pcre2' 'pthreads' 'zlib' 'pdcurses' 'bzip2' 'check'
</code></pre>
<p>Now configure the ClamAV build using the <code>CMAKE_TOOLCHAIN_FILE</code> variable which will enable CMake to automatically find the libraries we built with <code>vcpkg</code>.</p>
<pre><code class="language-ps1">cmake .. -A x64 `
-D CMAKE_TOOLCHAIN_FILE="$VCPKG_PATH\scripts\buildsystems\vcpkg.cmake" `
-D CMAKE_INSTALL_PREFIX="install"
</code></pre>
<p>Now, go ahead and build the project:</p>
<pre><code class="language-ps1">cmake --build . --config RelWithDebInfo
</code></pre>
<p>You can run the test suite with <code>ctest</code>:</p>
<pre><code class="language-ps1">ctest -C RelWithDebInfo
</code></pre>
<p>And you can install to the <code>install</code> directory (set above) like this:</p>
<pre><code class="language-ps1">cmake --build . --config RelWithDebInfo --target install
</code></pre>
<h3 id="build-the-installer"><a class="header" href="#build-the-installer">Build the Installer</a></h3>
<p>To build the installer, you must have WIX Toolset installed. If you're using Chocolatey, you can install it simply with <code>choco install wixtoolset</code> and then open a new terminal so that WIX will be in your PATH.</p>
<pre><code class="language-ps1">cpack -C RelWithDebInfo
</code></pre>
<h2 id="what-now-3"><a class="header" href="#what-now-3">What now?</a></h2>
<p>Now that ClamAV is installed, you will want to customize your configuration and perhaps set up some scanning automation and alerting mechanisms.</p>
<p><a href="manual/Installing/../Usage/Configuration.html">Continue on to "Configuration"...</a></p>
<div style="break-before: page; page-break-before: always;"></div><h1 id="community-projects-1"><a class="header" href="#community-projects-1">Community Projects</a></h1>
<blockquote>
<p><em>Disclaimer</em>: The software listed in this section is authored by third parties and not by the ClamAV Team. Compatibility may vary.</p>
</blockquote>
<h2 id="signatures"><a class="header" href="#signatures">Signatures</a></h2>
<p>The ClamAV Team provides FreshClam for ClamAV agents to update the official signature databases and provides <a href="https://pypi.org/project/cvdupdate/">CVD-Update</a> for <a href="manual/Installing/../../appendix/CvdPrivateMirror.html">Private Mirror</a> administrators to update their server content.</p>
<p>Both FreshClam and CVD-Update have some limited features to update signatures from third-party sources but community tools exist that are designed for this purpose and provide a more complete experience for users that want the extra coverage.</p>
<blockquote>
<p><strong>WARNING</strong>: While there are no known vulnerabilities in using traditional content-based and hash-based ClamAV signatures, bytecode signatures are a <em>different story</em>. Bytecode signatures are effectively cross-platform executable plugins <a href="manual/Installing/../Contribute.html#webassembly-runtime">similar to Web Assembly (WASM)</a> but with less sandboxing.</p>
<p>ClamScan and ClamD will not run unsigned bytecode signatures by default. Cisco-Talos' signing certificate is the <strong>only</strong> certificate trusted by ClamAV to run bytecode signatures.</p>
<p>Both ClamD and ClamScan have options to run unsigned bytecode signatures but you should <strong>NEVER</strong> enable unsigned bytecode signatures in production when using signatures from third-party sources or a malicious bytecode signature author could gain control of your systems.</p>
<p>ClamBC is a tool installed with ClamAV for testing bytecode signatures and should also <strong>NEVER</strong> be used to run signatures from an unknown or untrusted source.</p>
</blockquote>
<h3 id="fangfrish"><a class="header" href="#fangfrish">Fangfrish</a></h3>
<p>Fangfrisch (German for "freshly caught") is a sibling of the Clam Anti-Virus FreshClam utility. It allows downloading virus definition files that are not official ClamAV canon, e.g. from <a href="https://sanesecurity.com/">Sanesecurity</a>, <a href="https://urlhaus.abuse.ch/">URLhaus</a> and others. Fangfrisch was designed with security in mind, to be run by an unprivileged user only.</p>
<p><a href="https://rseichter.github.io/fangfrisch/">Detailed documentation</a> is available online.</p>
<p><a href="https://pypi.org/project/fangfrisch/">Get fangfrish</a></p>
<h2 id="mail-filters"><a class="header" href="#mail-filters">Mail Filters</a></h2>
<p>ClamAV is popular for filtering mail. The ClamAV Team maintains ClamAV-Milter, which is a filter for the Sendmail mail transfer agent and the ClamAV community have created a wide variety of other tools to use ClamAV with different mail transfer agents.</p>
<h3 id="generic-mail-transfer-agents"><a class="header" href="#generic-mail-transfer-agents">Generic Mail Transfer Agents</a></h3>
<h4 id="amavisd-new--clamd-clamscan"><a class="header" href="#amavisd-new--clamd-clamscan">amavisd-new | clamd, clamscan</a></h4>
<p>amavisd-new is a high-performance interface between mailer (MTA) and content checkers: virus scanners, and/or SpamAssassin. It is written in Perl for maintainability, without paying a significant price for speed. It talks to MTA via (E)SMTP or LMTP, or by using helper programs. Best with Postfix, fine with dual-sendmail setup and Exim v4, works with sendmail/milter, or with any MTA as a SMTP relay. For Courier and qmail MTA integration there is a patch in the distributed package.</p>
<p>amavisd-new is a rewritten version of Amavis and is maintained by Mark Martinec.</p>
<p>ClamScan is enabled automatically if <code>clamscan</code> binary is found at amavisd-new startup time. ClamD is activated by uncommenting its entry in the <code>@av_scanners</code> list in the file <code>/etc/amavisd.conf</code>.</p>
<p><a href="https://www.ijs.si/software/amavisd/">Get amavisd-new</a></p>
<h3 id="sendmail"><a class="header" href="#sendmail">Sendmail</a></h3>
<h4 id="mimedefang--clamscan-clamd"><a class="header" href="#mimedefang--clamscan-clamd">MIMEDefang | clamscan, clamd</a></h4>
<p>MIMEDefang is an efficient mail scanner for Sendmail/milter written in C, Perl.</p>
<p><a href="https://mimedefang.org/">Get MIMEDefang</a></p>
<h3 id="postfix"><a class="header" href="#postfix">Postfix</a></h3>
<h4 id="clamsmtp--clamd"><a class="header" href="#clamsmtp--clamd">ClamSMTP | clamd</a></h4>
<p>ClamSMTP is an SMTP filter for Postfix and other mail servers that checks for viruses using the ClamAV anti-virus software. It aims to be lightweight, reliable, and simple rather than have a myriad of options. Written in C without major dependencies.</p>
<p><a href="http://thewalter.net/stef/software/clamsmtp/">Get ClamSMTP</a></p>
<h4 id="clapf--libclamav"><a class="header" href="#clapf--libclamav">Clapf | libclamav</a></h4>
<p><a href="https://clapf.org/wiki/start">Clapf</a> is a clamav based virus scanning and anti-spam content filter for Postfix.</p>
<p><a href="https://bitbucket.org/jsuto/clapf/src/master/">Get clapf</a></p>
<h3 id="exim"><a class="header" href="#exim">Exim</a></h3>
<p>Starting with <a href="https://www.exim.org/exim-html-current/doc/html/spec_html/ch-content_scanning_at_acl_time.html">release 4.50</a>, <a href="https://www.exim.org/">Exim</a> natively supports ClamAV.</p>
<p><a href="https://www.exim.org/mirrors.html">Get exim</a></p>
<h3 id="others"><a class="header" href="#others">Others</a></h3>
<h4 id="mail-avenger--clamscan"><a class="header" href="#mail-avenger--clamscan">Mail Avenger | clamscan</a></h4>
<p><a href="https://www.mailavenger.org/">Mail Avenger</a> is a highly-configurable SMTP server. It allows you to reject spam during mail transactions, before spooling messages in your local mail queue. You can specify site-wide default policies for filtering mail, but individual users can also craft their own policies by creating avenger scripts in their home directories.</p>
<p><a href="https://www.mailavenger.org/dist/">Get Mail Avenger</a></p>
<h4 id="mailscanner--clamscan"><a class="header" href="#mailscanner--clamscan">MailScanner | clamscan</a></h4>
<p><a href="https://www.mailscanner.info/">MailScanner</a> scans all e-mail for viruses, spam and attacks against security vulnerabilities. It is not tied to any particular virus scanner, but can be used with any combination of 14 different virus scanners, allowing sites to choose the best of breed virus scanner.</p>
<p><a href="https://github.com/MailScanner/v5">Get Mail Scanner</a></p>
<h4 id="sagator--clamscan-clamd-libclamav"><a class="header" href="#sagator--clamscan-clamd-libclamav">Sagator | clamscan, clamd, libclamav</a></h4>
<p><a href="http://www.salstar.sk/sagator/">Sagator</a> is an email antivirus/antispam gateway. Its modular architecture can use any combination of antivirus/spamchecker according to configuration.</p>
<p><a href="http://www.salstar.sk/sagator/download">Get Sagator</a></p>
<h4 id="courier-mta--libclamav-clamavd"><a class="header" href="#courier-mta--libclamav-clamavd">Courier-MTA | libclamav, clamavd</a></h4>
<p><a href="http://www.courier-mta.org/">Courier MTA</a> includes four filers.</p>
<p>courier-pythonfilter by Gordon Messner. Included in a Python filter suite, it uses pyClamAV (libclamav with python)</p>
<p>Courier::Filter::Module::ClamAVd by Julian Mehnle. A Perl module for use with Courier::Filter, using clamavd.</p>
<p>ClamCour by Tony Di Monaco. A C++ (with Boost) multithreaded filter using libclamav</p>
<p>avfilter by Alessandro Vesely. A C forking filter using libclamav.</p>
<p><a href="https://sourceforge.net/projects/courier/">Get Courier-MTA</a></p>
<h4 id="haraka--clamd"><a class="header" href="#haraka--clamd">Haraka | clamd</a></h4>
<p>Haraka is a robust MTA written in node.js, with a modular architecture that lets plugins control nearly every aspect of the SMTP conversation. There is a large selection of included plugins, including a clamav plugin (docs, source) that filters messages <a href="https://github.com/haraka/Haraka/blob/master/docs/plugins/clamd.md">using clamd</a>.</p>
<p>Haraka is attractive to two audiences:</p>
<ol>
<li>
<p>Anyone managing mail systems with thousands or tens-of-thousands of concurrent incoming SMTP connections (like Craigslist) and wants to do with it fewer racks of servers.</p>
</li>
<li>
<p>Developers who need more control over mail routing, filtering, and processing than can be easily or efficiently handled with traditional (milter-based) MTAs.</p>
</li>
</ol>
<p><a href="https://github.com/haraka/Haraka">Get Haraka</a></p>
<h3 id="web--ftp-tools"><a class="header" href="#web--ftp-tools">Web & FTP Tools</a></h3>
<h4 id="clammit--clamd"><a class="header" href="#clammit--clamd">Clammit | clamd</a></h4>
<p>Clammit is a proxy that will perform virus scans of files uploaded via http requests, including multipart/form-data. If a virus exists, it will reject the request out of hand. If no virus exists, the request is then forwarded to the application and it's response returned in the upstream direction.</p>
<p>As the name implies, Clammit offloads the virus detection to the ClamAV virus detection server (clamd).</p>
<p><a href="https://github.com/ifad/clammit">Get Clammit</a></p>
<h4 id="clara"><a class="header" href="#clara">Clara</a></h4>
<p>Serverless, real-time, ClamAV+Yara scanning for your S3 Buckets</p>
<p><a href="https://github.com/abhinavbom/clara">Get Clara</a></p>
<h4 id="bucket-antivirus-function"><a class="header" href="#bucket-antivirus-function">bucket-antivirus-function</a></h4>
<p>Scan new objects added to any s3 bucket using AWS Lambda.</p>
<p><a href="https://github.com/upsidetravel/bucket-antivirus-function">Get bucket-antivirus-function</a></p>
<h4 id="cdk-serverless-clamscan"><a class="header" href="#cdk-serverless-clamscan">cdk-serverless-clamscan</a></h4>
<p>An aws-cdk construct that uses ClamAV® to scan objects in Amazon S3 for viruses. The construct provides a flexible interface for a system to act based on the results of a ClamAV virus scan.</p>
<p><a href="https://github.com/awslabs/cdk-serverless-clamscann">Get cdk-serverless-clamscan</a></p>
<h4 id="antivirus-for-amazon-s3"><a class="header" href="#antivirus-for-amazon-s3">Antivirus for Amazon S3</a></h4>
<p>A CloudFormation template to create an EC2 scanner cluster for S3 buckets.</p>
<p><a href="https://github.com/widdix/aws-s3-virusscan">Get Antivirus for Amazon S3</a></p>
<h4 id="havp--libclamav"><a class="header" href="#havp--libclamav">HAVP | libclamav</a></h4>
<p><a href="http://havp.org/">HAVP</a> is a proxy with an antivirus filter. It does not cache or filter content. At the moment the complete traffic is scanned. A reason for that is the chance of malicious code in nearly every filetypes e.g. HTML (JavaScript) or Jpeg.</p>
<p><a href="https://github.com/HaveSec/HAVP">Get HAVP</a></p>
<h4 id="mod_clamav--libclamav-clamd"><a class="header" href="#mod_clamav--libclamav-clamd">mod_clamav | libclamav, clamd</a></h4>
<p>mod_clamav is an Apache virus scanning filter. It was written and is currently maintained by Andreas Müller. The project is very well documented and the installation is quite easy.</p>
<p><a href="http://software.othello.ch/mod_clamav/">Get mod_clamav</a></p>
<h4 id="phpmussel--clamav"><a class="header" href="#phpmussel--clamav">phpMussel | clamav</a></h4>
<p><a href="http://phpmussel.github.io/">phpMussel</a> is a PHP-based script based upon ClamAV signatures designed to detect trojans, viruses, malware and other threats within files uploaded to your system wherever the script is hooked. Written by Maikuolan</p>
<p><a href="https://github.com/phpMussel/phpMussel">Get phpMussel</a></p>
<h4 id="spamassassin---clamavplugin--clamd"><a class="header" href="#spamassassin---clamavplugin--clamd">SpamAssassin - ClamAVPlugin | clamd</a></h4>
<p>A ClamAV plug in fpr SpamAssassin 3.X</p>
<p><a href="https://cwiki.apache.org/confluence/display/SPAMASSASSIN/ClamAVPlugin">Get ClamAVPlugin</a></p>
<h4 id="clamav-rest"><a class="header" href="#clamav-rest">clamav-rest</a></h4>
<p>Simple ClamAV REST proxy. Builds on top of <a href="manual/Installing/Community-projects.html#clamav-java">clamav-java</a> which is a minimal Java client for ClamAV.</p>
<p><a href="https://github.com/solita/clamav-rest">Get clamav-rest</a></p>
<h3 id="filesystem--on-access-scanning"><a class="header" href="#filesystem--on-access-scanning">Filesystem & On-Access Scanning</a></h3>
<h4 id="clam-sentinel"><a class="header" href="#clam-sentinel">Clam Sentinel</a></h4>
<p>Clam sentinel is a program that detects file system changes and automatically scans the files added or modified using ClamWin. Require the installation of ClamWin. For Microsoft Windows 98/98SE/Me/2000/XP/Vista, Windows 7 and Windows 8.1.</p>
<p><a href="https://sourceforge.net/projects/clamsentinel/">Get Clam Sentinel</a></p>
<h4 id="clamfs--clamd"><a class="header" href="#clamfs--clamd">ClamFS | clamd</a></h4>
<p>ClamFS is a FUSE-based user-space file system for Linux and BSD with on-access anti-virus file scanning through clamd daemon (a file scanning service developed by ClamAV Project).</p>
<p>Features:</p>
<ul>
<li>Scans files using ClamAV</li>
<li>User-space file system (no kernel patches, modules, recompilations, etc.)</li>
<li>Based on libFUSE version 3 (until version 1.1.0 on libFUSE v2)</li>
<li>Implements all clamd scan modes: fname, fdpass and stream</li>
<li>Supports remote clamd instances in stream mode over TCP/IP socket</li>
<li>Caches scan results in a LRU cache with time-based and out-of-memory expiration</li>
<li>Configuration stored in XML files</li>
<li>Supports ulockmgr</li>
<li>Sends mails to administrator when detects virus</li>
</ul>
<p><a href="https://github.com/burghardt/clamfs">Get ClamFS</a></p>
<h4 id="avfs--clamav"><a class="header" href="#avfs--clamav">Avfs | ClamAV</a></h4>
<p>Avfs, a true on-access anti-virus file system that incrementally scans files and prevents infected data from being committed to disk. Avfs is a stackable file system and therefore can add virus detection to any other file system: Ext3, NFS, etc. Avfs supports forensic modes that can prevent a virus from reaching the disk or automatically create versions of potentially infected files to allow safe recovery. Avfs can also quarantine infected files on disk and isolate them from user processes.</p>
<p>Avfs uses a matching algorithm that is derived from ClamAV but with changes to optimize scan time for larger signature sets. Though this project does not appear to be maintained or used elsewhere, the research was really good work and may inspire optimizations in ClamAV in the future.</p>
<p><a href="https://www.fsl.cs.sunysb.edu/docs/avfs-security04/index.html">More about Avfs</a></p>
<h3 id="mail-user-agents"><a class="header" href="#mail-user-agents">Mail User Agents</a></h3>
<h4 id="claws-mail"><a class="header" href="#claws-mail">Claws Mail</a></h4>
<p>Claws Mail is a user-friendly, lightweight, and fast email client. Claws Mail has a ClamD plugin for scanning received messages using ClamAV.</p>
<p><a href="https://www.claws-mail.org/index.php">Get Claws Mail</a></p>
<h4 id="kmail--clamscan"><a class="header" href="#kmail--clamscan">Kmail | clamscan</a></h4>
<p>Mail is a fully-featured email client that fits nicely into the K Desktop Environment, KDE. It supports <a href="https://docs.kde.org/stable5/en/kmail/kmail2/the-anti-virus-wizard.html">attachment scanning with clamscan</a>.</p>
<p><a href="https://apps.kde.org/kmail2/">Get Kmail</a></p>
<h4 id="open-webmail-modules--clamscan"><a class="header" href="#open-webmail-modules--clamscan">Open Webmail modules | clamscan</a></h4>
<p>Open WebMail by default can use ClamAV as the external viruscheck module to scan messages fetched from pop3 servers or all incoming messages. If a message or its attachments is found to have virus, Open WebMail will move the message from INBOX to the VIRUS folder automatically.</p>
<p><a href="https://openwebmail.org/">Get Open Webmail</a></p>
<h2 id="clamav-bindings"><a class="header" href="#clamav-bindings">ClamAV Bindings</a></h2>
<h3 id="rust"><a class="header" href="#rust">Rust</a></h3>
<h4 id="clamav-rs--libclamav"><a class="header" href="#clamav-rs--libclamav">clamav-rs | libclamav</a></h4>
<p>A safe Rust binding for libclamav. <code>clamav-rs</code> uses <a href="https://github.com/zaddach/clamav-sys/"><code>clamav-sys</code></a> to wrap the libclamav C API.</p>
<p><a href="https://github.com/zaddach/clamav-rs/">Get clamav-rs</a></p>
<h4 id="clamav-sys--libclamav"><a class="header" href="#clamav-sys--libclamav">clamav-sys | libclamav</a></h4>
<p>clamav-sys is a minimal Rust interface around libclamav. This package is not supposed to be used stand-alone, but only through its safe wrapper, clamav-rs.</p>
<p><a href="https://github.com/zaddach/clamav-sys/">Get clamav-sys</a></p>
<h4 id="rust-clamav--libclamav"><a class="header" href="#rust-clamav--libclamav">rust-clamav | libclamav</a></h4>
<p>Like <code>clamav-rs</code>. rust-clamav is a safe library for interacting with libclamav from Rust. The low-level C API is wrapped in idomatic and safe Rust code.</p>
<p><a href="https://github.com/icebergdefender/rust-clamav">Get rust-clamav</a></p>
<h3 id="perl"><a class="header" href="#perl">Perl</a></h3>
<h4 id="filescanclamav--clamd"><a class="header" href="#filescanclamav--clamd">File::Scan::ClamAV | clamd</a></h4>
<p>A Perl module for interacting with ClamD. File::Scan::ClamAV will connect to a local Clam Anti-Virus clamd service and send commands.</p>
<p><a href="https://metacpan.org/pod/release/CFABER/File-Scan-ClamAV-1.8/lib/File/Scan/ClamAV.pm">Get File::Scan::ClamAV</a></p>
<h4 id="mailclamav--libclamav"><a class="header" href="#mailclamav--libclamav">Mail::ClamAV | libclamav</a></h4>
<p>Perl extension for the ClamAV virus scanner.</p>
<p>Get Mail::ClamAV</p>
<h3 id="ruby"><a class="header" href="#ruby">Ruby</a></h3>
<h4 id="clamby--clamscan--freshclam"><a class="header" href="#clamby--clamscan--freshclam">Clamby | clamscan + freshclam</a></h4>
<p>Ruby binding for scanning file uploads using ClamScan. If you have a file upload on your site and you do not scan the files for viruses then you not only compromise your software, but also the users of the software and their files. This gem's function is to simply scan a given file.</p>
<p><a href="https://github.com/kobaltz/clamby">Get Clamby</a></p>
<h4 id="clamavclient--clamd"><a class="header" href="#clamavclient--clamd">ClamAV::Client | clamd</a></h4>
<p>ClamAV::Client is a client library that can talk to the clam daemon.</p>
<p><a href="https://github.com/franckverrot/clamav-client">Get ClamAV::Client</a></p>
<h3 id="php"><a class="header" href="#php">PHP</a></h3>
<h4 id="php-clamav--clamd"><a class="header" href="#php-clamav--clamd">PHP ClamAV | clamd</a></h4>
<p>PHP Client to connect to ClamAV daemon over TCP or using a local socket from command line and scan your storage files for viruses.</p>
<p><a href="https://github.com/appwrite/php-clamav">Get PHP ClamAV</a></p>
<h4 id="php-clamav-scan--clamd"><a class="header" href="#php-clamav-scan--clamd">PHP ClamAV Scan | clamd</a></h4>
<p>A simple PHP class for scanning files using a LOCAL ClamAV/clamd install either via a socket file or network socket (windows). Can either be used on its own or dropped into a Codeigniter app as a library. The main reason this was created was because the legacy php-clamav module is not compatible with PHP 7 and all other options I found were either not drop in compatible with CodeIgniter or were designed for use with Composer.</p>
<p><a href="https://github.com/kissit/php-clamav-scan">Get PHP ClamAV</a></p>
<h3 id="python"><a class="header" href="#python">Python</a></h3>
<h4 id="clamd--clamd"><a class="header" href="#clamd--clamd">clamd | clamd</a></h4>
<p>clamd is a portable Python module to use the ClamAV anti-virus engine on Windows, Linux, MacOSX and other platforms. It requires a running instance of the clamd daemon.</p>
<p>This is a fork of pyClamd v0.2.0 created by Philippe Lagadec and published on his website: http://www.decalage.info/en/python/pyclamd which in turn is a slightly improved version of pyClamd v0.1.1 created by Alexandre Norman and published on his website: http://xael.org/norman/python/pyclamd/</p>
<p><a href="https://github.com/graingert/python-clamd">Get clamd</a></p>
<h4 id="python-clamav--libclamav"><a class="header" href="#python-clamav--libclamav">Python ClamAV | libclamav</a></h4>
<p>Python wrapper for libclamav using <code>ctypes</code>. Python ClamAV is a part of the ClamWin project.</p>
<p><a href="https://github.com/clamwin/python-clamav">Get Python ClamAV</a></p>
<h4 id="pyclamd--clamd"><a class="header" href="#pyclamd--clamd">pyClamd | clamd</a></h4>
<p>Add virus detection capabilities to your python software in an efficient and easy way.</p>
<p><a href="http://www.decalage.info/en/python/pyclamd">Get pyClamd</a></p>
<h3 id="java"><a class="header" href="#java">Java</a></h3>
<h4 id="clamav-java"><a class="header" href="#clamav-java">clamav-java</a></h4>
<p>Simple ClamAV Java client. See also <a href="manual/Installing/Community-projects.html#clamav-rest">ClamAV REST service</a> which builds on top of this.</p>
<p><a href="https://github.com/solita/clamav-java">Get clamav-java</a></p>
<h2 id="miscellaneous-tools"><a class="header" href="#miscellaneous-tools">Miscellaneous Tools</a></h2>
<h3 id="ipcop--clamav"><a class="header" href="#ipcop--clamav">IPCop | ClamAV</a></h3>
<p>IPCop Linux is a complete Linux Distribution whose sole purpose is to protect the networks it is installed on. ClamAV is included.</p>
<p><a href="https://www.ipcop.org/">Get IPCop</a></p>
<h3 id="endian-firewall--clamav"><a class="header" href="#endian-firewall--clamav">Endian Firewall | ClamAV</a></h3>
<p>Endian Firewall Community (EFW) is a turn-key Linux security distribution that can transform any bare-metal appliance into a full-featured Unified Threat Management solution. Endian is designed to be the easiest security product to install, configure and use!</p>
<p><a href="https://www.endian.com/community/features/">Get Endian Firewall</a></p>
<h3 id="clamtk--clamav"><a class="header" href="#clamtk--clamav">ClamTK | ClamAV</a></h3>
<p>ClamTk is a GUI front-end for ClamAV using gtk2-perl. It is designed to be an easy-to-use, on-demand scanner for Linux systems. ClamTk has been ported to Fedora, Debian, RedHat, openSUSE, ALT Linux, Ubuntu, CentOS, Gentoo, Archlinux, Mandriva, PCLinuxOS, FreeBSD, and others.</p>
<p><a href="https://github.com/dave-theunsub/clamtk">Get ClamTK</a></p>
<h3 id="clamav-gui--clamav"><a class="header" href="#clamav-gui--clamav">ClamAV-GUI | ClamAV</a></h3>
<p>ClamAV-GUI is a GUI front-end for ClamAV using Qt. The ClamAV-GUI sports a dropzone in a corner where files and folders can be dragged and dropped into for scanning. This GUI is brought to you by Joerg Zopes.</p>
<p><a href="https://store.kde.org/p/1127892/">Get ClamAV-GUI</a></p>
<h3 id="clamwin--clamav"><a class="header" href="#clamwin--clamav">ClamWin | ClamAV</a></h3>
<p>ClamWin is a Free Antivirus program for Microsoft Windows 10 / 8 / 7 / Vista / XP / Me / 2000 / 98 and Windows Server 2012, 2008 and 2003.</p>
<p><a href="https://clamwin.com/">Get ClamWin</a></p>
<div style="break-before: page; page-break-before: always;"></div><h1 id="add-a-service-user-account"><a class="header" href="#add-a-service-user-account">Add a service user account</a></h1>
<p>If you're planning to run <code>freshclam</code> or <code>clamd</code> as a service on a Linux or Unix system, you should create a service account. The following instructions assume that you will use the an account named "clamav" for both services, although you may create a different account name for each if you wish.</p>
<blockquote>
<p><em>Note</em>: <em>These instructions are mostly just for folks building & installing from source.</em> If you installed a package from your Linux/Unix distribution, it probably created the account(s) for you.</p>
</blockquote>
<h2 id="create-a-service-user-account-and-group"><a class="header" href="#create-a-service-user-account-and-group">Create a service user account (and group)</a></h2>
<h3 id="linux--unix"><a class="header" href="#linux--unix">Linux / Unix</a></h3>
<p>As root or with <code>sudo</code>, run:</p>
<pre><code class="language-sh">groupadd clamav
useradd -g clamav -s /bin/false -c "Clam Antivirus" clamav
</code></pre>
<p>If your operating system does not have the <code>groupadd</code> and <code>useradd</code> utilities, consult a system manual. <strong>Don’t forget to lock access to the account!</strong></p>
<h3 id="macos-4"><a class="header" href="#macos-4">macOS</a></h3>
<p>Prep by identifying an unused group id (gid), and an unused user UniqueID.</p>
<p>This command will display all current group PrimaryGroupIDs:</p>
<pre><code class="language-bash">dscl . list /Groups PrimaryGroupID | tr -s ' ' | sort -n -t ' ' -k2,2
</code></pre>
<p>This command will display all current user UniqueIDs:</p>
<pre><code class="language-bash">dscl . list /Users UniqueID | tr -s ' ' | sort -n -t ' ' -k2,2
</code></pre>
<p>Then, these commands can be used to create the <code>clamav</code> group and <code>clamav</code> user.</p>
<pre><code class="language-bash">sudo dscl . create /Groups/clamav
sudo dscl . create /Groups/clamav RealName "Clam Antivirus Group"
sudo dscl . create /Groups/clamav gid 799 # Ensure this is unique!
sudo dscl . create /Users/clamav
sudo dscl . create /Users/clamav RealName "Clam Antivirus User"
sudo dscl . create /Users/clamav UserShell /bin/false
sudo dscl . create /Users/clamav UniqueID 599 # Ensure this is unique!
sudo dscl . create /Users/clamav PrimaryGroupID 799 # Must match the above gid!
</code></pre>
<h2 id="about-how-the-service-accounts-are-used"><a class="header" href="#about-how-the-service-accounts-are-used">About how the service accounts are used</a></h2>
<p>At present, the behavior differs slightly between <code>clamd</code> and <code>freshclam</code>. When run as root:</p>
<ul>
<li>
<p><code>freshclam</code> will always switch to run as the "DatabaseOwner" user account. The default account name is "clamav", or may be customized by specifying the "DatabaseOwner" setting in <code>freshclam.conf</code>.</p>
</li>
<li>
<p><code>clamd</code> will only switch to run as the "User" user account if the "User" setting is specified in <code>clamd.conf</code>. If you do not specify a "User" in the config, <code>clamd</code> will continue to run as the root user! We may change this behavior in a future version to prevent <code>clamd</code> from being run as root.</p>
</li>
</ul>
<blockquote>
<p><em>Caution</em>: We do not recommend running <code>clamd</code> as root for safety reasons because ClamAV scans untrusted files that may be <em>malware</em>. Always configure the "User" setting in <code>clamd.conf</code> if you plan to run <code>clamd</code> as a service.</p>
</blockquote>
<p>On Unix/Linux systems, <code>freshclam</code> and <code>clamd</code> will switch to run as a different user if you start them as the root user, or using <code>sudo</code>. By default, that user account is named "clamav". The purpose is t</p>
<p>If you are running <code>freshclam</code> and <code>clamd</code> as root or with <code>sudo</code>, and you did not explicitly configure with <code>--disable-clamav</code>, you will want to ensure that the <code>DatabaseOwner</code> user specified in <code>freshclam.conf</code> owns the database directory so it can download signature updates.</p>
<p>The user that <code>clamd</code>, <code>clamdscan</code>, and <code>clamscan</code> run as may be the same user, but if it isn't -- it merely needs <em>read</em> access to the database directory.</p>
<p>If you choose to use the default <code>clamav</code> user to run <code>freshclam</code> and <code>clamd</code>, you'll need to create the clamav group and the clamav user account the first time you install ClamAV.</p>
<h2 id="after-installation-make-the-service-account-own-the-database-directory"><a class="header" href="#after-installation-make-the-service-account-own-the-database-directory"><em>After installation</em>: Make the service account own the database directory</a></h2>
<p>After you've installed ClamAV, you will want to make it so that the database directory is owned by the same service account as you're using for <code>freshclam</code>.</p>
<p>As root or with <code>sudo</code>, run:</p>
<pre><code class="language-bash">sudo chown -R clamav:clamav /usr/local/share/clamav
</code></pre>
<p>Or (if you customized the database path):</p>
<pre><code class="language-bash">chown -R clamav:clamav /var/lib/clamav/
</code></pre>
<div style="break-before: page; page-break-before: always;"></div><h1 id="usage"><a class="header" href="#usage">Usage</a></h1>
<p>Table Of Contents</p>
<ul>
<li><a href="manual/Usage.html#usage">Usage</a>
<ul>
<li><a href="manual/Usage.html#purpose">Purpose</a></li>
<li><a href="manual/Usage.html#daemon">Daemon</a></li>
<li><a href="manual/Usage.html#scanner">Scanner</a></li>
<li><a href="manual/Usage.html#signature-testing-and-management">Signature Testing and Management</a></li>
<li><a href="manual/Usage.html#configuration">Configuration</a></li>
</ul>
</li>
</ul>
<h2 id="purpose"><a class="header" href="#purpose">Purpose</a></h2>
<p>This user guide presents an overview of the various ways that <em>libclamav</em> can be used through the tools provided by ClamAV. To learn more about how to better use each facet of ClamAV that interests you, please follow the links provided.</p>
<h2 id="daemon"><a class="header" href="#daemon">Daemon</a></h2>
<p>The ClamAV Daemon, or <a href="manual/Usage/Scanning.html#clamd"><code>clamd</code></a>, is a multi-threaded daemon that uses <em>libclamav</em> to <a href="manual/Usage/Scanning.html">scan files for viruses</a>. ClamAV provides a number of tools which interface with this daemon. They are, as follows:</p>
<ul>
<li><a href="manual/Usage/Scanning.html#clamdscan"><code>clamdscan</code></a> - a simple scanning client</li>
<li><a href="manual/Usage/Scanning.html#On-access-scanning"><code>on-access scanning</code></a> - provides real-time protection via a <code>clamd</code> instance</li>
<li><a href="manual/Usage/Scanning.html#clamdtop"><code>clamdtop</code></a> - a resource monitoring interface for <code>clamd</code></li>
</ul>
<h2 id="scanner"><a class="header" href="#scanner">Scanner</a></h2>
<p>ClamAV also provides a command-line tool for <a href="manual/Usage/Scanning.html">simple scanning</a> tasks with <em>libclamav</em> called <a href="manual/Usage/Scanning.html#clamscan"><code>clamscan</code></a>. Unlike the daemon, <code>clamscan</code> is not a persistent process and is best suited for use cases where one-time scanning with minimal setup is needed.</p>
<h2 id="signature-testing-and-management"><a class="header" href="#signature-testing-and-management">Signature Testing and Management</a></h2>
<p>A number of tools allow for <a href="manual/Usage/SignatureManagement.html">testing and management of signatures</a>. Of note are the following:</p>
<ul>
<li><a href="manual/Usage/SignatureManagement.html#clambc"><code>clambc</code></a> - specifically for testing bytecode</li>
<li><a href="manual/Usage/SignatureManagement.html#sigtool"><code>sigtool</code></a> - for general signature testing and analysis</li>
<li><a href="manual/Usage/SignatureManagement.html#freshclam"><code>freshclam</code></a> - used to update signature database sets to the latest version</li>
</ul>
<h2 id="configuration"><a class="header" href="#configuration">Configuration</a></h2>
<p>The more complex tools ClamAV provides each require some degree of <a href="manual/Usage/Configuration.html">configuration</a>. ClamAV supplies two example configuration files:</p>
<ul>
<li><a href="manual/Usage/Configuration.html#clamdconf"><code>clamd.conf</code></a> - for configuring the behavior of the ClamAV Daemon <code>clamd</code> and associated tools</li>
<li><a href="manual/Usage/Configuration.html#freshclamconf"><code>freschclam.conf</code></a> - for configuring the behavior of the signature database update tool, <code>freshclam</code></li>
</ul>
<p>ClamAV also provides a mail filtering tool called <a href="manual/Usage/Configuration.html#clamav-milter"><code>clamav-milter</code></a> which can be attached to a <code>clamd</code> instance for mail scanning purposes.</p>
<p>Additionally, a tool called <a href="manual/Usage/Configuration.html#clamconf"><code>clamconf</code></a> allows users to check the configurations used by each other tool, pulling information from the configuration files listed above, alongside other relevant information.</p>
<div style="break-before: page; page-break-before: always;"></div><h1 id="configuration-1"><a class="header" href="#configuration-1">Configuration</a></h1>
<p>Table Of Contents</p>
<ul>
<li><a href="manual/Usage/Configuration.html#configuration">Configuration</a>
<ul>
<li><a href="manual/Usage/Configuration.html#first-time-set-up">First Time Set-Up</a>
<ul>
<li><a href="manual/Usage/Configuration.html#unix">Unix</a></li>
<li><a href="manual/Usage/Configuration.html#windows">Windows</a>
<ul>
<li><a href="manual/Usage/Configuration.html#additional-notes-about-the-config-files-and-database-directories">Additional notes about the config files and database directories</a></li>
</ul>
</li>
</ul>
</li>
<li><a href="manual/Usage/Configuration.html#freshclamconf">freshclam.conf</a>
<ul>
<li><a href="manual/Usage/Configuration.html#other-freshclamconf-settings">Other freshclam.conf settings</a></li>
</ul>
</li>
<li><a href="manual/Usage/Configuration.html#clamdconf">clamd.conf</a>
<ul>
<li><a href="manual/Usage/Configuration.html#other-clamdconf-settings">Other clamd.conf settings</a></li>
<li><a href="manual/Usage/Configuration.html#on-access-scanning">On-Access Scanning</a></li>
</ul>
</li>
<li><a href="manual/Usage/Configuration.html#clamav-milterconf">clamav-milter.conf</a>
<ul>
<li><a href="manual/Usage/Configuration.html#users-and-on-user-privileges">Users and on user privileges</a></li>
</ul>
</li>
<li><a href="manual/Usage/Configuration.html#configure-selinux-for-clamav">Configure SELinux for ClamAV</a></li>
<li><a href="manual/Usage/Configuration.html#clamconf">ClamConf</a></li>
<li><a href="manual/Usage/Configuration.html#next-steps">Next Steps</a></li>
</ul>
</li>
</ul>
<h2 id="first-time-set-up"><a class="header" href="#first-time-set-up">First Time Set-Up</a></h2>
<p>Depending on your install method and your operating system, some configuration options may have been pre-configured. For example a clamav install on Ubuntu with <code>apt install</code> will place configs in <code>/etc/clamav</code>.</p>
<p>However, it is likely that you will need to create new config files or modify the existing ones with custom settings that make the most sense for your use case. A from-source install will require you to create a <code>freshclam.conf</code> before you can use FreshClam, a <code>clamd.conf</code> before you can use ClamD, and a <code>clamav-milter.conf</code> before you can use ClamAV-Milter.</p>
<p>A default install from source will place the example configs in <code>/usr/local/etc/</code> on Unix/Linux systems and in the install directory under <code>conf_examples</code> on Windows. These examples demonstrate each of the options and may help you decide how to configure ClamAV to suit your needs. But again the location of these examples may vary depending on how you installed ClamAV. To continue with the Ubuntu example, you may find the FreshClam config from an <code>apt install</code> in <code>/usr/share/doc/clamav-freshclam/examples/</code>. So if you're unsure where the example configs are on your system, you may wish to use <a href="manual/Usage/Configuration.html#clamconf">ClamConf</a> to generate them.</p>
<p>Here are some quick steps to get you started.</p>
<h3 id="unix"><a class="header" href="#unix">Unix</a></h3>
<p>Run these to generate example configs, if needed:</p>
<pre><code class="language-bash">clamconf -g freshclam.conf > freshclam.conf
clamconf -g clamd.conf > clamd.conf
clamconf -g clamav-milter.conf > clamav-milter.conf
</code></pre>
<p>Or if you have the examples already, copy them to drop the <code>.example</code> extension:</p>
<pre><code class="language-bash">cp freshclam.conf.example freshclam.conf
cp clamd.conf.example clamd.conf
cp clamav-milter.conf.example clamav-milter.conf
</code></pre>
<p>Next up, edit the configs you need. There are tips below for each of <a href="manual/Usage/Configuration.html#freshclamconf">freshclam.conf</a>, <a href="manual/Usage/Configuration.html#clamdconf">clamd.conf</a>, and <a href="manual/Usage/Configuration.html#clamav-milter">clamav-milter</a>.</p>
<h3 id="windows-1"><a class="header" href="#windows-1">Windows</a></h3>
<p>In a PowerShell terminal in the install directory, perform the following tasks:</p>
<p>Run:</p>
<pre><code class="language-ps1">copy .\conf_examples\freshclam.conf.sample .\freshclam.conf
copy .\conf_examples\clamd.conf.sample .\clamd.conf
</code></pre>
<p>Run:</p>
<pre><code class="language-ps1">write.exe .\freshclam.conf
</code></pre>
<p>WordPad will pop up. Delete the line that says "Example". You may also wish to set additional options to enable features or alter default behavior, such as the receive-timeout. Save the file and close WordPad.</p>
<p>Run:</p>
<pre><code class="language-ps1">write.exe .\clamd.conf
</code></pre>
<p>WordPad will pop up. Delete the line that says "Example". You may also wish to set additional options to enable features or alter default behavior, such as enabling logging. Save the file and close WordPad.</p>
<h4 id="additional-notes-about-the-config-files-and-database-directories"><a class="header" href="#additional-notes-about-the-config-files-and-database-directories">Additional notes about the config files and database directories</a></h4>
<p>The install directory is but one of a few locations ClamAV may search for configs and for signature databases.</p>
<p>Config files path search order:</p>
<ol>
<li>The content of the registry key:
"HKEY_LOCAL_MACHINE/Software/ClamAV/ConfDir"</li>
<li>The directory where libclamav.dll is located:
"C:\Program Files\ClamAV"</li>
<li>"C:\ClamAV"</li>
</ol>
<p>Database files path search order:</p>
<ol>
<li>The content of the registry key:
"HKEY_LOCAL_MACHINE/Software/ClamAV/DataDir"</li>
<li>The directory "database" inside the directory where libclamav.dll is located:
"C:\Program Files\ClamAV\database"</li>
<li>"C:\ClamAV\db"</li>
</ol>
<h2 id="freshclamconf"><a class="header" href="#freshclamconf">freshclam.conf</a></h2>
<p><code>freshclam</code> is the automatic database update tool for Clam AntiVirus. It can be configured to work in two modes:</p>
<ul>
<li>interactive - on demand from command line</li>
<li>daemon - silently in the background</li>
</ul>
<p><code>freshclam</code> is an advanced tool: it supports scripted updates (instead of transferring the whole CVD file at each update it only transfers the differences between the latest and the current database via a special script), database version checks through DNS, proxy servers (with authentication), digital signatures and various error scenarios.</p>
<p><strong>Quick test: run freshclam (as superuser) with no parameters and check the output.</strong></p>
<pre><code class="language-bash">freshclam
</code></pre>
<blockquote>
<p><em>Tip</em>: Depending on how you installed Freshclam and depending on which version of ClamAV you're running, you may encounter errors the first time you run Freshclam. See <a href="manual/Usage/../../faq/faq-freshclam.html">the Freshclam section of our FAQ</a> for help!</p>
</blockquote>
<p>If everything is OK you may create the log file in /var/log (ensure the directory is owned either by <em>clamav</em> or whichever user <code>freshclam</code> will be running as):</p>
<pre><code class="language-bash">touch /var/log/freshclam.log
chmod 600 /var/log/freshclam.log
chown clamav /var/log/freshclam.log
</code></pre>
<p>Now you <em>should</em> edit the configuration file <code>freshclam.conf</code> and point the <em>UpdateLogFile</em> directive to the log file. Finally, to run <code>freshclam</code> in the daemon mode, execute:</p>
<pre><code class="language-bash">freshclam -d
</code></pre>
<p>The other way is to use the <em>cron</em> daemon. You have to add the following line to the <em>crontab</em> of <strong>root</strong> or <strong>clamav</strong> user:</p>
<pre><code>N * * * * /usr/local/bin/freshclam --quiet
</code></pre>
<p>to check for a new database every hour. <strong>N should be a number between 3 and 57 of your choice. Please don’t choose any multiple of 10, because there are already too many clients using those time slots.</strong> Proxy settings are only configurable via the configuration file and <code>freshclam</code> will require strict permission settings for the config file when <code>HTTPProxyPassword</code> is turned on.</p>
<pre><code class="language-ini">HTTPProxyServer myproxyserver.com
HTTPProxyPort 1234
HTTPProxyUsername myusername
HTTPProxyPassword mypass
</code></pre>
<h3 id="other-freshclamconf-settings"><a class="header" href="#other-freshclamconf-settings">Other freshclam.conf settings</a></h3>
<p>If your <code>freshclam.conf</code> was derived from the <code>freshclam.conf.sample</code>, you should find many other options that are simply commented out. If not, seek out the <code>freshclam.conf.sample</code> file, or on Linux/Unix systems run <code>man freshclam.conf</code>.</p>
<p>Take the time to look through the options. You can enable the sample options by deleting the <code>#</code> comment characters.</p>
<p>Some popular options to enable include:</p>
<ul>
<li><code>LogTime</code></li>
<li><code>LogRotate</code></li>
<li><code>NotifyClamd</code></li>
<li><code>DatabaseOwner</code></li>
</ul>
<h2 id="clamdconf"><a class="header" href="#clamdconf">clamd.conf</a></h2>
<p>Currently, ClamAV requires users to edit their <code>clamd.conf.example</code> file before they can run the daemon. At a bare minimum, users will need to comment out the line that reads "Example", else <code>clamd</code> will consider the configuration invalid, ala:</p>
<pre><code class="language-ini"># Comment or remove the line below.
#Example
</code></pre>
<p>You will also need to rename <code>clamd.conf.example</code> to <code>clamd.conf</code> via:</p>
<pre><code class="language-bash">mv ./clamd.conf.example ./clamd.conf
</code></pre>
<p>If you are setting up a simple, local <a href="manual/Usage/Scanning.html#clamd"><code>clamd</code> instance</a> then some other configuration options of interests to you will be as follows:</p>
<pre><code class="language-ini"># Path to a local socket file the daemon will listen on.
# Default: disabled (must be specified by a user)
LocalSocket /tmp/clamd.socket
...
# Sets the permissions on the unix socket to the specified mode.
# Default: disabled (socket is world accessible)
LocalSocketMode 660
</code></pre>
<p>Beyond that, <code>clamd.conf</code> is well commented and configuration should be straightforward.</p>
<p>If needed, you can find out even more about the formatting and options available in <code>clamd.conf</code> with the command:</p>
<pre><code class="language-bash">man clamd.conf
</code></pre>
<h3 id="other-clamdconf-settings"><a class="header" href="#other-clamdconf-settings">Other clamd.conf settings</a></h3>
<p>If your <code>clamd.conf</code> was derived from the <code>clamd.conf.sample</code>, you should find many other options that are simply commented out. If not, seek out the <code>clamd.conf.sample</code> file, or on Linux/Unix systems run <code>man clamd.conf</code>.</p>
<p>Take the time to look through the options. You can enable the sample options by deleting the <code>#</code> comment characters.</p>
<p>Some popular options to enable include:</p>
<ul>
<li><code>LogTime</code></li>
<li><code>LogClean</code></li>
<li><code>LogRotate</code></li>
<li><code>User</code></li>
<li><code>ScanOnAccess</code>
<ul>
<li><code>OnAccessIncludePath</code></li>
<li><code>OnAccessExcludePath</code></li>
<li><code>OnAccessPrevention</code></li>
</ul>
</li>
</ul>
<h3 id="on-access-scanning"><a class="header" href="#on-access-scanning">On-Access Scanning</a></h3>
<p>You can configure On-Access Scanning through <code>clamd.conf</code>. Configuration for On-Access Scanning starts in the second half of <code>clamd.conf.sample</code> starting with "On-access Scan Settings". All options are grouped acording to use and roughly ordered by importance in those groupings. Please carefully read the explanation of each option to see if it might be of use to you.</p>
<p>Also read the <a href="manual/Usage/../OnAccess.html">on-access</a> section of the Usage manual for further details on using On-Access Scanning.</p>
<h2 id="clamav-milterconf"><a class="header" href="#clamav-milterconf">clamav-milter.conf</a></h2>
<p>ClamAV includes a mail filtering tool called <code>clamav-milter</code>. This tool interfaces directly with <code>clamd</code>, and thus requires a working <a href="manual/Usage/Scanning.html#clamd"><code>clamd</code> instance</a> to run. However, <code>clamav-milter</code>'s configuration and log files are separate from that of <code>clamd</code>.</p>
<p>Ensuring ClamAV compiles with <code>clamav-milter</code> must be done at configure time with the command:</p>
<pre><code class="language-bash">./configure [options] --enable-milter
</code></pre>
<p>This requires having the milter library installed on your system. If <em>libmilter</em> is not installed, <code>./configure</code> will exit with this error message:</p>
<pre><code class="language-bash">checking for mi_stop in -lmilter... no
configure: error: Cannot find libmilter
</code></pre>
<p>While not necessarily <em>complicated</em>, setting up the <code>clamav-milter</code> is an involved process. Thus, we recommend consulting your MTA’s manual on how to best connect ClamAV with the <code>clamav-milter</code>.</p>
<h3 id="users-and-on-user-privileges"><a class="header" href="#users-and-on-user-privileges">Users and on user privileges</a></h3>
<p>If you are running <code>freshclam</code> and <code>clamd</code> as root or with <code>sudo</code>, and you did not explicitly configure with <code>--disable-clamav</code>, you will want to ensure that the <code>DatabaseOwner</code> user specified in <code>freshclam.conf</code> owns the database directory so it can download signature updates.</p>
<p>The user that <code>clamd</code>, <code>clamdscan</code>, and <code>clamscan</code> run as may be the same user, but if it isn't -- it merely needs <em>read</em> access to the database directory.</p>
<p>If you choose to use the default <code>clamav</code> user to run <code>freshclam</code> and <code>clamd</code>, you'll need to create the clamav group and the clamav user account the first time you install ClamAV.</p>
<pre><code class="language-bash">groupadd clamav
useradd -g clamav -s /bin/false -c "Clam Antivirus" clamav
</code></pre>
<p>Finally, you will want to set user ownership of the database directory. For example:</p>
<pre><code class="language-bash">sudo chown -R clamav:clamav /usr/local/share/clamav
</code></pre>
<h2 id="configure-selinux-for-clamav"><a class="header" href="#configure-selinux-for-clamav">Configure SELinux for ClamAV</a></h2>
<p>Certain distributions (notably RedHat variants) when operating with SELinux enabled use the non-standard <code>antivirus_can_scan_system</code> SELinux option instead of <code>clamd_can_scan_system</code>.</p>
<p>At this time, libclamav only sets the <code>clamd_can_scan_system</code> option, so you may need to manually enable <code>antivirus_can_scan_system</code>. If you don't perform this step, <code>freshclam</code> will log something like this when it tests the newly downloaded signature databases:</p>
<pre><code class="language-bash">During database load : LibClamAV Warning: RWX mapping denied: Can't allocate RWX Memory: Permission denied
</code></pre>
<p>To allow ClamAV to operate under SELinux, run the following:</p>
<pre><code class="language-bash">setsebool -P antivirus_can_scan_system 1
</code></pre>
<h2 id="clamconf"><a class="header" href="#clamconf">ClamConf</a></h2>
<p><code>clamconf</code> is a tool ClamAV provides for checking your entire system configuration, as it relates to your ClamAV installation. When run, it displays values used when configuring ClamAV at compilation time, important OS details, the contents (and validity) of both <code>clamd.conf</code> and <code>freshclam.conf</code>, along with other important engine, database, platform, and build information.</p>
<p>It can also generate example configuration files for <a href="manual/Usage/Configuration.html#clamdconf"><code>clamd.conf</code></a> and <a href="manual/Usage/Configuration.html#freshclamconf"><code>freshclam.conf</code></a>.</p>
<p>To use <code>clamconf</code>, and see all the information it provides, simply run the following command:</p>
<pre><code class="language-bash">clamconf
</code></pre>
<p>For more detailed information on <code>clamconf</code>, run:</p>
<pre><code class="language-bash">clamconf --help
</code></pre>
<p>or on Unix systems:</p>
<pre><code class="language-bash">man clamconf
</code></pre>
<h2 id="next-steps"><a class="header" href="#next-steps">Next Steps</a></h2>
<p>Now that you have the config file basics, it's time to <a href="manual/Usage/SignatureManagement.html">learn about signature databases and how to keep yours up-to-date</a>.</p>
<div style="break-before: page; page-break-before: always;"></div><h1 id="signature-testing-and-management-1"><a class="header" href="#signature-testing-and-management-1">Signature Testing and Management</a></h1>
<p>Table Of Contents</p>
<ul>
<li><a href="manual/Usage/SignatureManagement.html#signature-testing-and-management">Signature Testing and Management</a>
<ul>
<li><a href="manual/Usage/SignatureManagement.html#freshclam">FreshClam</a></li>
<li><a href="manual/Usage/SignatureManagement.html#sigtool">SigTool</a></li>
<li><a href="manual/Usage/SignatureManagement.html#clambc">ClamBC</a></li>
<li><a href="manual/Usage/SignatureManagement.html#next-steps">Next Steps</a></li>
<li><a href="manual/Usage/SignatureManagement.html#create-your-own-signatures">Create your own signatures</a></li>
</ul>
</li>
</ul>
<blockquote>
<p><em>Tip</em>: The commands on Windows are generally the same, but you may need to add the <code>.exe</code> extension to run the ClamAV applications.</p>
</blockquote>
<h2 id="freshclam"><a class="header" href="#freshclam">FreshClam</a></h2>
<p>Before you can start the ClamAV scanning engine (using either <code>clamd</code> or <code>clamscan</code>), you must <em>first</em> have ClamAV Virus Database (.cvd) file(s) installed in the appropriate location on your system.</p>
<p>The tool <code>freshclam</code> is used to download and update ClamAV’s official virus signature databases. While easy to use in its base configuration, <code>freshclam</code> does require a working <a href="manual/Usage/Configuration.html#freshclamconf"><code>freshclam.conf</code> configuration file</a> to run (the location of which can be passed in via command line if the default search location does not fit your needs).</p>
<p>Once you have a valid configuration file, you can invoke FreshClam with the following command:</p>
<pre><code class="language-bash">freshclam
</code></pre>
<p>By default, <code>freshclam</code> will then attempt to connect to ClamAV's virus signature database distribution network. If no databases exist in the directory specified, <code>freshclam</code> will do a fresh download of the requested databases. Otherwise, <code>freshclam</code> will attempt to update existing databases, pairing them against downloaded cdiffs. If a database is found to be corrupted, it is not updated and instead replaced with a fresh download.</p>
<p>Of course, all this behavior--and more--can be changed to suit your needs by <a href="manual/Usage/Configuration.html#freshclamconf">modifying <code>freshclam.conf</code> and/or using various command line options</a>.</p>
<p>You can find more information about FreshClam with the commands:</p>
<p>Unix/Linux:</p>
<pre><code class="language-bash">freshclam --help
</code></pre>
<p>Or (Unix/Linux only):</p>
<pre><code class="language-bash">man freshclam
</code></pre>
<blockquote>
<p><em>Tip</em>: Newer versions of FreshClam will create your database directory if it doesn't already exist. Older versions won't, and may fail unless you create it first.</p>
</blockquote>
<blockquote>
<p><em>Important</em>: It is common on Ubuntu after a fresh install to see the following error the first time you use ClamAV:</p>
<pre><code class="language-bash">freshclam
freshclam: error while loading shared libraries: libclamav.so.7: cannot open shared object file: No such file or directory
</code></pre>
<p>You can fix this error by using <code>ldconfig</code> to rebuild the library search path.</p>
<pre><code class="language-bash">sudo ldconfig
</code></pre>
</blockquote>
<p>If you are having issues updating the signature databases with <code>freshclam</code>, please review <a href="manual/Usage/../../faq/faq-freshclam.html">the <code>freshclam</code> FAQ</a>.</p>
<h2 id="sigtool"><a class="header" href="#sigtool">SigTool</a></h2>
<p>ClamAV provides <code>sigtool</code> as a command-line testing tool for assisting users in their efforts creating and working with virus signatures. While sigtool has many uses--including crafting signatures--of particular note, is sigtool's ability to help users and analysts in determining if a file detected by <em>libclamav</em>'s virus signatures is a false positive.</p>
<p>This can be accomplished by using the command:</p>
<pre><code class="language-bash">sigtool --unpack=FILE
</code></pre>
<p>Where FILE points to your virus signature databases. Then, once <code>sigtool</code> has finished unpacking the database into the directory from which you ran the command, you can search for the offending signature name (provided either by <a href="manual/Usage/Scanning.html#clamscan"><code>clamscan</code></a> scan reports or <a href="manual/Usage/Scanning.html#clamd"><code>clamd</code></a> logs). As an example:</p>
<pre><code class="language-bash">grep "Win.Test.EICAR" ./*
</code></pre>
<p>Or, do all that in one step with:</p>
<pre><code class="language-bash">sigtool --find="Win.Test.EICAR"
</code></pre>
<p>This should give you the offending signature(s) in question, which can then be included as part of your <a href="https://www.clamav.net/reports/fp">false positive report</a>.</p>
<p>To learn more in depth information on how <code>sigtool</code> can be used to help create virus signatures and work with malicious (and non-malicious) files please reference the many online tutorials on the topic.</p>
<p>Otherwise, information on available sigtool functions can be easily referenced with:</p>
<pre><code class="language-bash">sigtool --help
</code></pre>
<p>Or (Unix/Linux only):</p>
<pre><code class="language-bash">man sigtool
</code></pre>
<h2 id="clambc"><a class="header" href="#clambc">ClamBC</a></h2>
<p><code>clambc</code> is Clam Anti-Virus’ bytecode signature testing tool. It can be used to test newly crafted bytecode signatures or to help verify existing bytecode is executing against a sample as expected.</p>
<p>For more detailed help, please use:</p>
<pre><code class="language-bash">clambc --help
</code></pre>
<p>Or (Unix/Linux only):</p>
<pre><code class="language-bash">man clambc
</code></pre>
<h2 id="next-steps-1"><a class="header" href="#next-steps-1">Next Steps</a></h2>
<p>Now that you know more about FreshClam and tools to work with the signature databases, it's time to <a href="manual/Usage/Scanning.html">run your first scan</a>.</p>
<h2 id="create-your-own-signatures"><a class="header" href="#create-your-own-signatures">Create your own signatures</a></h2>
<p>There is a whole community of malware researchers and signature writers. If you'd like to learn how to <a href="manual/Usage/../Signatures.html">craft your own signatures</a>, you can!</p>
<div style="break-before: page; page-break-before: always;"></div><h1 id="scanning"><a class="header" href="#scanning">Scanning</a></h1>
<p>Table Of Contents</p>
<ul>
<li><a href="manual/Usage/Scanning.html#scanning">Scanning</a>
<ul>
<li><a href="manual/Usage/Scanning.html#daemon">Daemon</a>
<ul>
<li><a href="manual/Usage/Scanning.html#clamd">ClamD</a></li>
<li><a href="manual/Usage/Scanning.html#clamdscan">ClamDScan</a></li>
<li><a href="manual/Usage/Scanning.html#clamdtop">ClamDTop</a></li>
<li><a href="manual/Usage/Scanning.html#on-access-scanning">On-Access Scanning</a>
<ul>
<li><a href="manual/Usage/Scanning.html#clamonacc-v0102">ClamOnAcc (v0.102+)</a></li>
</ul>
</li>
<li><a href="manual/Usage/Scanning.html#clamd-v0101">ClamD (v0.101)</a></li>
</ul>
</li>
<li><a href="manual/Usage/Scanning.html#one-time-scanning">One-Time Scanning</a>
<ul>
<li><a href="manual/Usage/Scanning.html#clamscan">ClamScan</a>
<ul>
<li><a href="manual/Usage/Scanning.html#some-basic-scans">Some basic scans</a></li>
</ul>
</li>
</ul>
</li>
<li><a href="manual/Usage/Scanning.html#process-memory-scanning">Process Memory Scanning</a></li>
<li><a href="manual/Usage/Scanning.html#disclaimers">Disclaimers</a></li>
<li><a href="manual/Usage/Scanning.html#windows-specific-issues">Windows-specific Issues</a>
<ul>
<li><a href="manual/Usage/Scanning.html#globbing">Globbing</a></li>
<li><a href="manual/Usage/Scanning.html#file-paths">File paths</a>
<ul>
<li><a href="manual/Usage/Scanning.html#socket-and-libclamav-api-input">Socket and libclamav API Input</a></li>
</ul>
</li>
</ul>
</li>
</ul>
</li>
</ul>
<blockquote>
<p><em>Tip</em>: The commands on Windows are generally the same, but you may need to add the <code>.exe</code> extension to run the ClamAV applications.</p>
</blockquote>
<h2 id="daemon-1"><a class="header" href="#daemon-1">Daemon</a></h2>
<h3 id="clamd"><a class="header" href="#clamd">ClamD</a></h3>
<p><code>clamd</code> is a multi-threaded daemon that uses <em>libclamav</em> to scan files for viruses. Scanning behavior can be fully configured to fit most needs by modifying <code>clamd.conf</code>.</p>
<p>As <code>clamd</code> requires a virus signature database to run, we recommend setting up ClamAV's official signatures before running <code>clamd</code> using <code>freshclam</code>.</p>
<p>The daemon works by listening for commands on the sockets specified in <code>clamd.conf</code>. Listening is supported over both unix local sockets and TCP sockets.</p>
<p><strong>IMPORTANT:</strong> <code>clamd</code> does not currently protect or authenticate traffic coming over the TCP socket, meaning it will accept any and all of the following commands listed from <em>any</em> source. Thus, we strongly recommend following best networking practices when setting up your <code>clamd</code> instance. I.e. don't expose your TCP socket to the Internet.</p>
<p>Here is a quick list of the commands accepted by <code>clamd</code> over the socket.</p>
<ul>
<li><code>PING</code></li>
<li><code>VERSION</code></li>
<li><code>RELOAD</code></li>
<li><code>SHUTDOWN</code></li>
<li><code>SCAN</code> <em>file/directory</em></li>
<li><code>RAWSCAN</code> <em>file/directory</em></li>
<li><code>CONTSCAN</code> <em>file/directory</em></li>
<li><code>MULTISCAN</code> <em>file/directory</em></li>
<li><code>ALLMATCHSCAN</code> <em>file/directory</em></li>
<li><code>INSTREAM</code></li>
<li><code>FILDES</code></li>
<li><code>STATS</code></li>
<li><code>IDSESSION, END</code></li>
</ul>
<p>As with most ClamAV tools, you can find out more about these by invoking the command:</p>
<pre><code class="language-bash">man clamd
</code></pre>
<p>The daemon also handles the following signals as so:</p>
<ul>
<li><code>SIGTERM</code> - perform a clean exit</li>
<li><code>SIGHUP</code> - reopen the log file</li>
<li><code>SIGUSR2</code> - reload the database</li>
</ul>
<p>It should be noted that <code>clamd</code> should not be started using the shell operator <code>&</code> or other external tools which would start it as a background process. Instead, you should run <code>clamd</code> which will load the database and then daemonize itself (unless you have specified otherwise in <code>clamd.conf</code>). After that, clamd is ready to accept connections and perform file scanning.</p>
<p>Once you have set up your configuration to your liking, and understand how you will be sending commands to the daemon, running <code>clamd</code> itself is simple. Simply execute the command:</p>
<pre><code class="language-bash">clamd
</code></pre>
<h3 id="clamdscan-1"><a class="header" href="#clamdscan-1">ClamDScan</a></h3>
<p><code>clamdscan</code> is a <code>clamd</code> client, which greatly simplifies the task of scanning files with <code>clamd</code>. It sends commands to the <code>clamd</code> daemon across the socket specified in <code>clamd.conf</code> and generates a scan report after all requested scanning has been completed by the daemon.</p>
<p>Thus, <strong>to run <code>clamdscan</code>, you must have an instance of <code>clamd</code> already running</strong> as well.</p>
<p>Please keep in mind, that as a simple scanning client, <code>clamdscan</code> cannot change scanning and engine configurations. These are tied to the <code>clamd</code> instance and the configuration you set up in <code>clamd.conf</code>. Therefore, while <code>clamdscan</code> will accept many of the same commands as its sister tool <code>clamscan</code>, it will simply ignore most of them as (by design) no mechanism exists to make ClamAV engine configuration changes over the <code>clamd</code> socket.</p>
<p>Again, running <code>clamdscan</code>, once you have a working <code>clamd</code> instance, is simple:</p>
<pre><code class="language-bash">clamdscan [*options*] [*file/directory/-*]
</code></pre>
<h3 id="clamdtop"><a class="header" href="#clamdtop">ClamDTop</a></h3>
<p><code>clamdtop</code> is a tool to monitor one or multiple instances of <code>clamd</code>. It has a colorized <em>ncurses</em> interface, which shows each job queued, memory usage, and information about the loaded signature database for the connected <code>clamd</code> instance(s). By default it will attempt to connect to the local <code>clamd</code> as defined in <code>clamd.conf</code>. However, you can specify other <code>clamd</code> instances at the command line.</p>
<p>To learn more, use the commands</p>
<pre><code class="language-bash">man clamdtop
</code></pre>
<p>or</p>
<pre><code class="language-bash">clamdtop --help
</code></pre>
<h3 id="on-access-scanning-1"><a class="header" href="#on-access-scanning-1">On-Access Scanning</a></h3>
<p>The ClamOnAcc application provides On-Access Scanning for Linux systems. On-Access Scanning is a form of real-time protection that uses ClamD to scan files when they're accessed.</p>
<h4 id="clamonacc-v0102"><a class="header" href="#clamonacc-v0102">ClamOnAcc (v0.102+)</a></h4>
<p>ClamAV's On-Access Scanning (<code>clamonacc</code>) is a client that runs in its own application alongside, but separately from the <code>clamd</code> instance. The On-Access Scanner is capable of preventing access to/from any malicious files it discovers--based on the verdict it receives from <code>clamd</code>--but by default it is configured to run in notify-only mode, which means it will simply alert the user if a malicious file is detected, then take any additional actions that the user may have specified at the command line, but it will not actively prevent processes from reading or writing to that file.</p>
<blockquote>
<p><strong>Disclaimer</strong>: Enabling Prevention mode will seriously impact performance if used on commonly accessed directories.</p>
</blockquote>
<blockquote>
<p><em>Tip</em>: You can run ClamOnAcc multiple times simultaneously, each with a different config. If you want to enable Prevention-mode for one directory, while sticking to notify-only mode for any other monitored directories, that's an option!</p>
</blockquote>
<p>On-Access Scanning is primarily set up <a href="manual/Usage/Configuration.html#on-access-scanning">through <code>clamd.conf</code></a>. However, you can learn more about all the configuration and command line options available to you by reading the <a href="manual/Usage/../OnAccess.html">On-Access Scanning User Guide</a>.</p>
<p>Once you have set up the On-Access Scanner (and <code>clamd</code>) to your liking, you will first need to run <code>clamd</code> before you can start it. If your <code>clamd</code> instance is local, it is required you run clamd as a user that is excluded (via <code>OnAccessExcludeUname</code> or <code>OnAccessExcludeUID</code>) from On-Access scanning events (e.g.) to prevent <code>clamonacc</code> from triggering events endlessly as it sends scan requests to <code>clamd</code>:</p>
<pre><code class="language-bash">su - clamav -c "/usr/local/bin/clamd
</code></pre>
<p>After the daemon is running, you can start the On-Access Scanner. <code>clamonacc</code> must be run as root in order to utilize its kernel event detection and intervention features:</p>
<pre><code class="language-bash">sudo clamonacc
</code></pre>
<p>It will run a number of startup checks to test for a sane configuration, and ensure it can connect to <code>clamd</code>, and if everything checks out <code>clamonacc</code> will automatically fork to the background and begin monitoring your system for events.</p>
<h3 id="clamd-v0101"><a class="header" href="#clamd-v0101">ClamD (v0.101)</a></h3>
<p>In older versions, ClamAV's On-Access Scanner is a thread that runs within a <code>clamd</code> instance. The On-Access Scanner is capable of blocking access to/from any malicious files it discovers--based on the verdict it finds using the engine it shares with <code>clamd</code>--but by default it is configured to run in <code>notify-only</code> mode, which means it will simply alert the user if a malicious file is detected, but it will not actively prevent processes from reading or writing to that file.</p>
<p>On-Access Scanning is primarily set up <a href="manual/Usage/Configuration.html#on-access-scanning">through <code>clamd.conf</code></a>. However, you can learn more about all the configuration and command line options available to you by reading the <a href="manual/Usage/../OnAccess.html">On-Access Scanning User Guide</a>.</p>
<p>Once you have set up the On-Access Scanner to your liking, you will need to run <code>clamd</code> with elevated permissions to start it.</p>
<pre><code class="language-bash">sudo clamd
</code></pre>
<h2 id="one-time-scanning"><a class="header" href="#one-time-scanning">One-Time Scanning</a></h2>
<h3 id="clamscan-1"><a class="header" href="#clamscan-1">ClamScan</a></h3>
<p><code>clamscan</code> is a command line tool which uses <em>libclamav</em> to scan files and/or directories for viruses. Unlike <code>clamdscan</code>, <code>clamscan</code> does <em>not</em> require a running <code>clamd</code> instance to function. Instead, <code>clamscan</code> will create a new engine and load in the virus database each time it is run. It will then scan the files and/or directories specified at the command line, create a scan report, and exit.</p>
<p>By default, when loading databases, <code>clamscan</code> will check the location to which <code>freshclam</code> installed the virus database signatures. This behavior, along with a myriad of other scanning and engine controls, can be modified by providing flags and other options at the command line.</p>
<p>There are too many options to list all of them here. So we'll only cover a few common and more interesting ones:</p>
<ul>
<li><code>--log=FILE</code> - save scan report to FILE</li>
<li><code>--database=FILE/DIR</code> - load virus database from FILE or load all supported db files from DIR</li>
<li><code>--official-db-only[=yes/no(*)]</code> - only load official signatures</li>
<li><code>--max-filesize=#n</code> - files larger than this will be skipped and assumed clean</li>
<li><code>--max-scansize=#n</code> - the maximum amount of data to scan for each container file</li>
<li><code>--leave-temps[=yes/no(*)]</code>- do not remove temporary files</li>
<li><code>--file-list=FILE</code> - scan files from FILE</li>
<li><code>--quiet</code> - only output error messages</li>
<li><code>--bell</code> - sound bell on virus detection</li>
<li><code>--cross-fs[=yes(*)/no]</code> - scan files and directories on other filesystems</li>
<li><code>--move=DIRECTORY</code> - move infected files into DIRECTORY</li>
<li><code>--copy=DIRECTORY</code> - copy infected files into DIRECTORY</li>
<li><code>--bytecode-timeout=N</code> - set bytecode timeout (in milliseconds)</li>
<li><code>--heuristic-alerts[=yes(*)/no]</code> - toggles heuristic alerts</li>
<li><code>--alert-encrypted[=yes/no(*)]</code> - alert on encrypted archives and documents</li>
<li><code>--nocerts</code> - disable authenticode certificate chain verification in PE files</li>
<li><code>--disable-cache</code> - disable caching and cache checks for hash sums of scanned files</li>
</ul>
<p>To learn more about the options available when using <code>clamscan</code> please reference:</p>
<pre><code class="language-bash">man clamscan
</code></pre>
<p>and</p>
<pre><code class="language-bash">clamscan --help
</code></pre>
<p>Otherwise, the general usage of clamscan is:</p>
<pre><code class="language-bash">clamscan [options] [file/directory/-]
</code></pre>
<h4 id="some-basic-scans"><a class="header" href="#some-basic-scans">Some basic scans</a></h4>
<p>Run this to scan the files in the current directory:</p>
<pre><code class="language-bash">clamscan .
</code></pre>
<p>This will scan the current directory. At the end of the scan, it will display a summary. If you notice in the clamscan output, it only scanned something like 60 files, even though there are more files in subdirectories. By default, clamscan will only scan files in the current directory.</p>
<p>Run this to scan all the files in the current directory:</p>
<pre><code class="language-bash">clamscan --recursive .
</code></pre>
<p>Run this to scan ALL the files on your system, it will take <strong>quite</strong> a while. Keep in mind that you can cancel it at any time by pressing <code>Ctrl-C</code>:</p>
<p>Linux/Unix:</p>
<pre><code class="language-bash">clamscan --recursive /
</code></pre>
<p>Windows:</p>
<pre><code class="language-bash">clamscan.exe --recursive C:\
</code></pre>
<h2 id="process-memory-scanning"><a class="header" href="#process-memory-scanning">Process Memory Scanning</a></h2>
<blockquote>
<p><em>Note</em>: This feature requires Windows and ClamAV version 0.105 or newer. You must also be running ClamAV as Administrator.</p>
</blockquote>
<p><code>clamscan</code> and <code>clamdscan</code> are able to scan the virtual memory of currently executing processes. To do so, use the <code>--memory</code> option:</p>
<pre><code class="language-bash">clamscan --memory
</code></pre>
<p>The <code>--kill</code> and <code>--unload</code> options allow for killing/unloading infected loaded modules.</p>
<h2 id="disclaimers"><a class="header" href="#disclaimers">Disclaimers</a></h2>
<blockquote>
<p><strong>Disclaimer</strong>: ClamAV doesn't have a "quick scan" mode. ClamAV is malware detection toolkit, not an endpoint security suite. It's up to you to decide what to scan. A full system scan is going to take a long time with ClamAV or with any anti-virus software.</p>
</blockquote>
<blockquote>
<p><strong>Disclaimer 2</strong>: ClamScan, ClamOnAcc, and ClamDScan each include <code>--remove</code> options for deleting any file which alerts during a scan. This is generally a terrible idea, unless you're monitoring an upload/downloads directory. False positives happen! You do not want to have the wrong file accidentally deleted. Instead, consider using <code>--move</code> or perhaps just <code>--copy</code> and set up script with the ClamD <code>VirusEvent</code> feature to notify you when something has been detected.</p>
</blockquote>
<h2 id="windows-specific-issues"><a class="header" href="#windows-specific-issues">Windows-specific Issues</a></h2>
<h3 id="globbing"><a class="header" href="#globbing">Globbing</a></h3>
<p>Since the Windows command prompt doesn't take care of wildcard expansion, minimal emulation of unix glob() is performed internally. It supports <code>*</code> and <code>?</code> only.</p>
<h3 id="file-paths"><a class="header" href="#file-paths">File paths</a></h3>
<p>Please always use the backslash as the path separator. SMB Network shares and UNC paths are supported.</p>
<h4 id="socket-and-libclamav-api-input"><a class="header" href="#socket-and-libclamav-api-input">Socket and libclamav API Input</a></h4>
<p>The Windows version of ClamAV requires all the input to be UTF-8 encoded.</p>
<p>This affects:</p>
<ul>
<li>The API, notably the <code>cl_scanfile()</code> function</li>
<li>ClamD socket input, e.g. the commands <code>SCAN</code>, <code>CONTSCAN</code>, <code>MUTLISCAN</code>, etc.</li>
<li>ClamD socket output, i.e replies to the above queries</li>
</ul>
<p>For legacy reasons ANSI (i.e. <code>CP_ACP</code>) input will still be accepted and processed as before, but with two important remarks:</p>
<ol>
<li>Socket replies to ANSI queries will still be UTF-8 encoded.</li>
<li>ANSI sequences which are also valid UTF-8 sequences will be handled as UTF-8.</li>
</ol>
<p>As a side note, console output (stdin and stderr) will always be OEM encoded, even when redirected to a file.</p>
<div style="break-before: page; page-break-before: always;"></div><h1 id="on-access-scanning-2"><a class="header" href="#on-access-scanning-2">On-Access Scanning</a></h1>
<h2 id="purpose-1"><a class="header" href="#purpose-1">Purpose</a></h2>
<p>This guide is for users interested in leveraging and understanding ClamAV's On-Access Scanning feature. It will walk through how to set up and use the On-Access Scanner and step through some common issues and their solutions.</p>
<h2 id="requirements"><a class="header" href="#requirements">Requirements</a></h2>
<p>On-Access is only available on Linux systems. On Linux, On-Access requires a <code>kernel version >= 3.8</code>. This is because it leverages a kernel api called <a href="http://man7.org/linux/man-pages/man7/fanotify.7.html">fanotify</a> to block processes from attempting to access malicious files. This prevention occurs in kernel-space, and thus offers stronger protection than a purely user-space solution.</p>
<h4 id="for-versions--01020"><a class="header" href="#for-versions--01020">For Versions >= 0.102.0</a></h4>
<p>It also requires <code>Curl version >= 7.45 </code> to ensure support for all curl options used by clamonacc. Users on Linux operating systems that package older versions of libcurl have a number of options:</p>
<ol>
<li>Wait for your package maintainer to provide a newer version of libcurl.</li>
<li>Install a newer version of libcurl <a href="https://curl.haxx.se/download.html">from source</a>.</li>
<li>Disable installation of <code>clamonacc</code> and On-Access Scanning capabilities with the <code>./configure</code> flag <code>--disable-clamonacc</code>.</li>
</ol>
<h2 id="general-use"><a class="header" href="#general-use">General Use</a></h2>
<p>To use ClamAV's On-Access Scanner, operation will vary depending on version.</p>
<h4 id="for-versions--01020-1"><a class="header" href="#for-versions--01020-1">For Versions >= 0.102.0</a></h4>
<p>You will need to run the <code>clamd</code> and <code>clamonacc</code> applications side by side. First, you will need to configure and run <code>clamd</code>. For instructions on how to do that, see <a href="manual/Usage/Configuration.html#clamdconf">the clamd configuration guide</a>. One important thing to note while configuring <code>clamd.conf</code> is that--like <code>clamdscan</code>--the <code>clamonacc</code> application will connect to <code>clamd</code> using the <code>clamd.conf</code> settings for either <code>LocalSocket</code> or <code>TCPAddr</code>/<code>TCPSocket</code>. Another important thing to note, is that when using a <code>clamd.conf</code> that specifies a <code>LocalSocket</code>, then <code>clamd</code> will need to be run under a user with the right permissions to scan the files you plan on including in your watch-path.</p>
<p>Next, you will need to configure <code>clamonacc</code>. For a very simple configuration, follow these steps:</p>
<pre><code>1. Open `clamd.conf` for editing
2. Specify the path(s) you would like to recursively watch by setting the `OnAccessIncludePath` option
3. Set `OnAccessPrevention` to `yes`
4. Check what username `clamd` is running under
5. Set `OnAccessExcludeUname` to `clamd`'s uname
6. Save your work and close `clamd.conf`
</code></pre>
<p>For slightly more nuanced configurations, which may be adapted to your use case better, please check out the <a href="manual/OnAccess.html#configuration-and-recipes">recipe guide below</a>.</p>
<p>Then, run <code>clamonacc</code> with elevated permissions:</p>
<pre><code class="language-bash">sudo clamonacc
</code></pre>
<p>If all went well, the On-Access scanner will fork to the background, and will now be actively protecting the path(s) specified with <code>OnAccessIncludePath</code>. You can test this by dropping an eicar file into the specified path, and attempting to read/access it (e.g. <code>cat eicar.txt</code>). This will result in an "Operation not permitted" message, triggered by fanotify blocking the access attempt at the kernel level.</p>
<p>Finally, you will have to restart both <code>clamd</code> and <code>clamonacc</code>. If default <code>clamonacc</code> performance is not to your liking, and your system has the resources available, we reccomend increasing the values for the following <code>clamd.conf</code> configuration options to increase performance:</p>
<ul>
<li><code>MaxQueue</code></li>
<li><code>MaxThreads</code></li>
<li><code>OnAccessMaxThreads</code></li>
</ul>
<h4 id="for-versions--0101x"><a class="header" href="#for-versions--0101x">For Versions <= 0.101.x</a></h4>
<p>You will only need to run the <code>clamd</code> application in older versions. First,
we reccomend you configure <code>clamd</code> for your environment. For instructions on how
to do that, see <a href="manual/Usage/Configuration.html#clamdconf">the clamd configuration guide</a>.</p>
<p>Next, you will need to configure On Access Scanning using the <code>clamd.conf</code> file. For a very simple configuration follow these steps:</p>
<pre><code>1. Open `clamd.conf` for editing
2. Set the `ScanOnAccess` option to `yes`
3. Specify the path(s) you would like to recursively watch by setting the `OnAccessIncludePath` option
4. Set `OnAccessPrevention` to `yes`
6. Save your work and close `clamd.conf`
</code></pre>
<p>For slightly more nuanced configurations, which may be adapted to your use case better, please check out the <a href="manual/configuration-and-recipes">recipe guide below</a>.</p>
<p>Then, run <code>clamd</code> with elevated permissions:</p>
<pre><code class="language-bash">sudo clamd
</code></pre>
<p>If all went well, the On-Access scanner will fork to the background, and will now be actively protecting the path(s) specified with <code>OnAccessIncludePath</code>. You can test this by dropping an eicar file into the specified path, and attempting to read/access it (e.g. <code>cat eicar.txt</code>). This will result in an "Operation not permitted" message, triggered by fanotify blocking the access attempt at the kernel level.</p>
<h2 id="troubleshooting"><a class="header" href="#troubleshooting">Troubleshooting</a></h2>
<p>Some OS distributors have disabled fanotify, despite kernel support. You can check for fanotify support on your kernel by running the command:</p>
<pre><code class="language-bash">cat /boot/config-<kernel_version> | grep FANOTIFY
</code></pre>
<p>You should see the following:</p>
<pre><code class="language-bash">CONFIG_FANOTIFY=y
CONFIG_FANOTIFY_ACCESS_PERMISSIONS=y
</code></pre>
<p>If you see this...</p>
<pre><code class="language-bash">CONFIG_FANOTIFY_ACCESS_PERMISSIONS is not set
</code></pre>
<p>... then ClamAV's On-Access Scanner will still function, scanning and alerting on files normally in real time. However, it will be unable to block access attempts on malicious files. We call this <code>notify-only</code> mode.</p>
<p>ClamAV's On-Access Scanning system uses a scheme called Dynamic Directory Determination (DDD for short) which is a shorthand way of saying that it tracks the layout of every directory specified with <code>OnAccessIncludePath</code> dynamically, and recursively, in real time. It does this by leveraging <a href="http://man7.org/linux/man-pages/man7/inotify.7.html"><code>inotify</code></a> which by default has a limited number of watch-points available for use by a process at any given time. Given the complexity of some directory hierarchies, ClamAV may warn you that it has exhausted its supply of <code>inotify</code> watch-points (8192 by default). To increase the number of <code>inotify</code> watch-points available for use by ClamAV (to 524288), run the following command:</p>
<pre><code class="language-bash">echo 524288 | sudo tee -a /proc/sys/fs/inotify/max_user_watches
</code></pre>
<p>The <code>OnAccessIncludePath</code> option will not accept <code>/</code> as a valid path. This is because fanotify works by blocking a process' access to a file until a access_ok or access_denied determination has been made by the original fanotify calling process. Thus, by placing fanotify watch-points on the entire filesystem, key system files may have their access blocked to key processes at the kernel level, which will result in a system lockup.</p>
<p>This restriction was made to prevent users from "shooting themselves in the foot." However, clever users will find it's possible to circumvent this restriction by using multiple <code>OnAccessIncludePath</code> options to recursively protect most of the filesystem anyways, or better still, simply the paths they truly care about.</p>
<p>The <code>OnAccessMountPath</code> option uses a different fanotify api configuration which makes it incompatible with <code>OnAccessIncludePath</code> and the DDD System. Therefore, <code>inotify</code> watch-point limitations will not be a concern when using this option. Unfortunately, this also means that the following options cannot be used in conjunction with <code>OnAccessMountPath</code>:</p>
<ul>
<li><code>OnAccessExtraScanning</code> - is built around catching <code>inotify</code> events.</li>
<li><code>OnAccessExcludePath</code> - is built upon the DDD System.</li>
<li><code>OnAccessPrevention</code> - would lock up the system if <code>/</code> was selected for <code>OnAccessMountPath</code>. If you need <code>OnAccessPrevention</code>, you should use <code>OnAccessIncludePath</code> instead of <code>OnAccessMountPath</code>.</li>
</ul>
<h2 id="configuration-and-recipes"><a class="header" href="#configuration-and-recipes">Configuration and Recipes</a></h2>
<p>More nuanced behavior can be coerced from ClamAV's On-Access Scanner via careful modification to <code>clamd.conf</code>. Each option related to On-Access Scanning is easily identified by looking for the <code>OnAccess</code> prefix pre-pended to each option. The default <code>clamd.conf</code> file contains descriptions of each option, along with any documented limitations or safety features.</p>
<p>Below are examples of common use cases, recipes for the correct minimal configuration, and the expected behavioral result.</p>
<h3 id="use-case-0x0"><a class="header" href="#use-case-0x0">Use Case 0x0</a></h3>
<ul>
<li>User needs to watch the entire file system, but blocking malicious access attempts isn't a concern</li>
</ul>
<pre><code class="language-bash"> ScanOnAccess yes ## versions <= 0.101.x
OnAccessMountPath /
OnAccessExcludeRootUID yes
OnAccessExcludeUname clamav ## versions >= 0.102
</code></pre>
<p>This configuration will put the On-Access Scanner into <code>notify-only</code> mode. It will also ensure only non-root, non-clam, user processes will trigger scans against the filesystem.</p>
<h3 id="use-case-0x1"><a class="header" href="#use-case-0x1">Use Case 0x1</a></h3>
<ul>
<li>System Administrator needs to watch the home directory of multiple Users, but not all users. Blocking access attempts is un-needed.</li>
</ul>
<pre><code class="language-bash"> ScanOnAccess yes ## versions <= 0.101.x
OnAccessIncludePath /home
OnAccessExcludePath /home/user2
OnAccessExcludePath /home/user4
OnAccessExcludeUname clamav ## versions >= 0.102
</code></pre>
<p>With this configuration, the On-Access Scanner will watch the entirety of the <code>/home</code> directory recursively in <code>notify-only</code> mode. However, it will recursively exclude the <code>/home/user2</code> and <code>/home/user4</code> directories.</p>
<h3 id="use-case-0x2"><a class="header" href="#use-case-0x2">Use Case 0x2</a></h3>
<ul>
<li>The user needs to protect a single directory non-recursively and ensure all access attempts on malicious files are blocked.</li>
</ul>
<pre><code class="language-bash"> ScanOnAccess yes ## versions <= 0.101.x
OnAccessIncludePath /home/user/Downloads
OnAccessExcludeUname clamav ## versions >= 0.102
OnAccessPrevention yes
OnAccessDisableDDD yes
</code></pre>
<p>The configuration above will result in non-recursive real-time protection of the <code>/home/user/Downloads</code> directory by ClamAV's On-Access Scanner. Any access attempts that ClamAV detects on malicious files within the top level of the directory hierarchy will be blocked by fanotify at the kernel level.</p>
<h2 id="command-line-options-for-versions--0102"><a class="header" href="#command-line-options-for-versions--0102">Command Line Options for Versions >= 0.102</a></h2>
<p>Beyond <code>clamd.conf</code> configuration, you can change the behavior of the On-Access scanner by passing in a number of command line options. A list of all options can be retrieved with <code>--help</code>, but below is a list and explanation of some of options you might find most useful.</p>
<ul>
<li><code>--log=FILE</code> (<code>-l FILE</code>) - passing this option is important if you want a record of scan results, otherwise <code>clamonacc</code> will operate silently.</li>
<li><code>--verbose</code> (<code>-v</code>) - primarily for debugging as this will increase the amount of noise in your log by quite a lot, but useful for troubleshooting potential connection problems</li>
<li><code>--foreground</code> (<code>-F</code>) - forces <code>clamonacc</code> to not for the background, which is useful for debugging potential issues with during startup or runtime</li>
<li><code>--include-list=FILE</code> (<code>-e FILE</code>) - allows users to pass a list of directories for clamonacc to watch, each directory must be a full path and separated by a newline</li>
<li><code>--exclude-list=FILE</code> (<code>-e FILE</code>) - same as include-list option, but for excluding at startup</li>
<li><code>--remove</code> - after an infected verdict, an attempt will be made to remove the infected file</li>
<li><code>--move=DIRECTORY</code> - just like the remove option, but infected file will be moved to the specified quarantine location instead</li>
<li><code>--copy=DIRECTORY</code> - just like the move, except infected file is also left in place</li>
</ul>
<div style="break-before: page; page-break-before: always;"></div><h1 id="running-clamav-services"><a class="header" href="#running-clamav-services">Running ClamAV Services</a></h1>
<p>Table Of Contents</p>
<ul>
<li><a href="manual/Usage/Services.html#windows">Windows Services</a></li>
</ul>
<!--- - [Unix Services](#unix) --->
<h2 id="windows-services"><a class="header" href="#windows-services">Windows Services</a></h2>
<blockquote>
<p><em>Note</em>: This feature requires ClamAV version 0.104 or newer.</p>
</blockquote>
<p>On Windows, <code>clamd</code> and <code>freshclam</code> have options that enable them to run in the background. </p>
<p>To install the services, first use the command:</p>
<pre><code class="language-bash">clamd --install-service
</code></pre>
<p>Then use <code>net start clamd</code> and <code>net stop clamd</code> to start/stop the service.</p>
<p>To uninstall the service, use:</p>
<pre><code class="language-bash">clamd --uninstall-service
</code></pre>
<p>Services can also be managed via the Services application on Windows.</p>
<div style="break-before: page; page-break-before: always;"></div><h1 id="how-to-report-a-bug"><a class="header" href="#how-to-report-a-bug">How to Report A Bug</a></h1>
<blockquote>
<h2 id="warning-against-accidental-vulnerability-disclosure"><a class="header" href="#warning-against-accidental-vulnerability-disclosure">Warning Against Accidental Vulnerability Disclosure</a></h2>
<p>You may not realize it, but your bug could be a security issue. Please <a href="https://github.com/Cisco-Talos/clamav/security">review our Security Policy</a> to determine if your bug is a security issue <em><strong>before</strong></em> you create a public ticket on GitHub issues.</p>
<p>GitHub Issues are <em>public</em> reports and security issues <strong>must</strong> be reported in private.</p>
</blockquote>
<h2 id="steps-before-you-report"><a class="header" href="#steps-before-you-report">Steps Before You Report</a></h2>
<p>If you find a bug in ClamAV, please do the following before you submit a bug report:</p>
<ol>
<li>
<p>Verify if the bug exists in the most recent stable release or ideally check if the bug exists in the latest unreleased code in Git before reporting the issue.</p>
</li>
<li>
<p>Review <a href="https://github.com/Cisco-Talos/clamav/issues?q=is%3Aopen+is%3Aissue">the open issues</a> to make sure someone else hasn't already reported the same issue.</p>
<blockquote>
<p><em>Tip</em>: Before switching to GitHub Issues, ClamAV used Bugzilla. You can also review <a href="https://bugzilla.clamav.net/buglist.cgi?bug_status=UNCONFIRMED&bug_status=NEW&bug_status=ASSIGNED&bug_status=NEEDINFO&bug_status=REOPENED&classification=ClamAV&limit=0&list_id=162358&order=changeddate%20DESC%2Cbug_status%2Cpriority%2Cassigned_to%2Cbug_id&product=ClamAV&query_format=advanced&resolution=---">older open tickets from the Bugzilla archive</a>.</p>
</blockquote>
</li>
<li>
<p>Collect the required information, described below, to include with your report.</p>
</li>
<li>
<p>Create a <a href="https://github.com/Cisco-Talos/clamav/issues/new">new ticket on GitHub</a>.</p>
</li>
</ol>
<p>Please do not submit bugs for third party software.</p>
<h2 id="required-information"><a class="header" href="#required-information">Required Information</a></h2>
<p>Please be sure to include all of the following information so that we can effectively address your bug:</p>
<ul>
<li>
<p><strong>ClamAV version, settings, and system details:</strong></p>
<p>On the command line, run:</p>
<pre><code class="language-bash">clamconf -n
</code></pre>
<p>ClamConf will print out configuration information and some system information. The <code>-n</code> option prints out only non-default options. This information will help the team identify possible triggers for your bug.</p>
</li>
<li>
<p><strong>3rd party signatures:</strong></p>
<p>Please tell us if you are using any unofficial signature databases, that is anything other than <code>main.cvd/cld</code>, <code>daily.cvd/cld</code>, and <code>bytecode.cvd/cld</code></p>
</li>
<li>
<p><strong>How to reproduce the problem:</strong></p>
<p>Include specific steps needed to reproduce the issue.</p>
<p>If the issue is reproducible only when scanning a specific file, attach it to the ticket.</p>
<p><em>Large Files</em>: The maximum size for file attachments on GitHub Issues is 25MB and the maximum size for images is 10MB. If the file is too big to mail it, you can upload it to a password protected website and send us the URL and the credentials to access it.</p>
<p>If your file must be kept confidential you can reach out on the <a href="https://discord.gg/6vNAqWnVgw">ClamAV Discord chat server</a> to exchange email addresses and to share the zipped file or to share the zip password.</p>
<blockquote>
<p><strong>CAUTION</strong>: Don’t forget to encrypt it or you may cause damage to the mail servers between you and us!</p>
<p>On the command line, run:</p>
<pre><code class="language-bash">zip -P virus -e file.zip file.ext
</code></pre>
</blockquote>
</li>
</ul>
<div style="break-before: page; page-break-before: always;"></div><h1 id="creating-signatures-for-clamav"><a class="header" href="#creating-signatures-for-clamav">Creating signatures for ClamAV</a></h1>
<p>Table Of Contents</p>
<ul>
<li><a href="manual/Signatures.html#creating-signatures-for-clamav">Creating signatures for ClamAV</a>
<ul>
<li><a href="manual/Signatures.html#introduction">Introduction</a></li>
<li><a href="manual/Signatures.html#database-formats">Database formats</a>
<ul>
<li><a href="manual/Signatures.html#settings-databases">Settings databases</a></li>
<li><a href="manual/Signatures.html#signature-databases">Signature databases</a>
<ul>
<li><a href="manual/Signatures.html#body-based-signatures">Body-based Signatures</a></li>
<li><a href="manual/Signatures.html#hash-based-signatures">Hash-based Signatures</a></li>
<li><a href="manual/Signatures.html#alternative-signature-support">Alternative signature support</a></li>
</ul>
</li>
<li><a href="manual/Signatures.html#other-database-files">Other database files</a></li>
<li><a href="manual/Signatures.html#signature-names">Signature names</a></li>
</ul>
</li>
<li><a href="manual/Signatures.html#signature-writing-tips-and-tricks">Signature Writing Tips and Tricks</a>
<ul>
<li><a href="manual/Signatures.html#testing-rules-with-clamscan">Testing rules with <code>clamscan</code></a></li>
<li><a href="manual/Signatures.html#debug-information-from-libclamav">Debug information from libclamav</a></li>
<li><a href="manual/Signatures.html#writing-signatures-for-special-files">Writing signatures for special files</a>
<ul>
<li><a href="manual/Signatures.html#html">HTML</a></li>
<li><a href="manual/Signatures.html#text-files">Text files</a></li>
<li><a href="manual/Signatures.html#compressed-portable-executable-files">Compressed Portable Executable files</a></li>
</ul>
</li>
<li><a href="manual/Signatures.html#using-sigtool">Using <code>sigtool</code></a></li>
<li><a href="manual/Signatures.html#inspecting-signatures-inside-a-cvd-file">Inspecting signatures inside a CVD file</a></li>
<li><a href="manual/Signatures.html#external-tools">External tools</a></li>
</ul>
</li>
</ul>
</li>
</ul>
<h2 id="introduction"><a class="header" href="#introduction">Introduction</a></h2>
<p>In order to detect malware and other file-based threats, ClamAV relies on signatures to differentiate clean and malicious/unwanted files. ClamAV signatures are primarily text-based and conform to one of the ClamAV-specific signature formats associated with a given method of detection. These formats are explained in the <a href="manual/Signatures.html#signature-formats">Signature formats</a> section below. In addition, ClamAV 0.99 and above support signatures written in the YARA format. More information on this can be found in the <a href="manual/Signatures.html#using-yara-rules-in-clamav">Using YARA rules in ClamAV</a> section.</p>
<p>The ClamAV project distributes a collection of signatures in the form of CVD (ClamAV Virus Database) files. The CVD file format provides a digitally-signed container that encapsulates the signatures and ensures that they can't be modified by a malicious third-party. This signature set is actively maintained by <a href="https://www.talosintelligence.com/">Cisco Talos</a> and can be downloaded using the <code>freshclam</code> application that ships with ClamAV. For more details on this, see the <a href="manual/Signatures.html#inspecting-signatures-inside-a-CVD-file">CVD file</a> section.</p>
<h2 id="database-formats"><a class="header" href="#database-formats">Database formats</a></h2>
<p>ClamAV CVD and CLD database archives may be unpacked to the current directory using <code>sigtool -u <database name></code>. For more details on inspecting CVD and CLD files, see <a href="manual/Signatures.html#inspecting-signatures-inside-a-cvd-file">Inspecting signatures inside a CVD file</a>. Once unpacked, you'll observe a large collection of database files with various extensions described below.</p>
<p>The CVD and CLD database archives may be supplemented with custom database files in the formats described to gain additional detection functionality. This is done simply by adding files of the following formats to the database directory, typically <code>/usr/local/share/clamav</code> or <code>"C:\Program Files\ClamAV\database"</code>. Alternatively, <code>clamd</code> and <code>clamscan</code> can be instructed to load the database from an alternative database file or database directory manually using the <code>clamd</code> <code>DatabaseDirectory</code> config option or the <code>clamscan -d</code> command line option.</p>
<h3 id="settings-databases"><a class="header" href="#settings-databases">Settings databases</a></h3>
<p>ClamAV provides a handful of configuration related databases along side the signature definitions.</p>
<p><code>*.cfg</code>: <a href="manual/Signatures/DynamicConfig.html">Dynamic config settings</a></p>
<p><code>*.cat</code> <code>*.crb</code>: <a href="manual/Signatures/AuthenticodeRules.html">Trusted and revoked PE certs</a></p>
<p><code>*.ftm</code>: <a href="manual/Signatures/FileTypeMagic.html">File Type Magic (FTM)</a></p>
<h3 id="signature-databases"><a class="header" href="#signature-databases">Signature databases</a></h3>
<blockquote>
<p><em>Note</em>: Signature databases with an extension ending in <code>u</code> are only loaded when Potentially Unwanted Application (PUA) signatures are enabled (default: off).</p>
</blockquote>
<h4 id="body-based-signatures"><a class="header" href="#body-based-signatures">Body-based Signatures</a></h4>
<p>Body-based signature content is a definition that matches not based on a hash but based on the specific sequences of bytes exhibited by the target file.</p>
<p>ClamAV body-based signature content has a <a href="manual/Signatures/BodySignatureFormat.html">special format</a> to allow regex-like matching of data that is not entirely known. This format is used extensively in both Extended Signatures and Logical Signatures.</p>
<p><code>*.ndb</code> <code>*.ndu</code>: <a href="manual/Signatures/ExtendedSignatures.html">Extended signatures</a></p>
<p><code>*.ldb</code> <code>*.ldu</code>; <code>*.idb</code>: <a href="manual/Signatures/LogicalSignatures.html">Logical Signatures</a></p>
<p><code>*.cdb</code>: <a href="manual/Signatures/ContainerMetadata.html">Container Metadata Signatures</a></p>
<p><code>*.cbc</code>: <a href="manual/Signatures/BytecodeSignatures.html">Bytecode Signatures</a></p>
<p><code>*.pdb</code> <code>*.gdb</code> <code>*.wdb</code>: <a href="manual/Signatures/PhishSigs.html">Phishing URL Signatures</a>)</p>
<h4 id="hash-based-signatures"><a class="header" href="#hash-based-signatures">Hash-based Signatures</a></h4>
<p><code>*.hdb</code> <code>*.hsb</code> <code>*.hdu</code> <code>*.hsu</code>: File hash signatures</p>
<p><code>*.mdb</code> <code>*.msb</code> <code>*.mdu</code> <code>*.msu</code>: PE section hash signatures</p>
<p><a href="manual/Signatures/HashSignatures.html">Hash-based Signature format</a></p>
<h4 id="alternative-signature-support"><a class="header" href="#alternative-signature-support">Alternative signature support</a></h4>
<p><code>*.yar</code> <code>*.yara</code>: <a href="manual/Signatures/YaraRules.html">YARA rules</a></p>
<h3 id="other-database-files"><a class="header" href="#other-database-files">Other database files</a></h3>
<p><code>*.fp</code> <code>*.sfp</code> <code>*.ign</code> <code>*.ign2</code>: <a href="manual/Signatures/AllowLists.html">allowed files, ignored signatures</a></p>
<p><code>*.pwdb</code>: <a href="manual/Signatures/EncryptedArchives.html">Encrypted archive passwords</a></p>
<p><code>*.info</code>: <a href="manual/Signatures/DatabaseInfo.html">Database information</a>`</p>
<h3 id="signature-names"><a class="header" href="#signature-names">Signature names</a></h3>
<p>ClamAV signatures <em>must</em> only use alphanumeric characters, dash (<code>-</code>), dot (<code>.</code>), underscores (<code>_</code>) to delimit words. <em>Never</em> use a space, apostrophe, colon, semi-colon, or quote mark.</p>
<p>ClamAV signature names found in the official signature databases generally follow this format:</p>
<pre><code>{platform}.{category}.{name}-{signature id}-{revision}
</code></pre>
<p>Older signatures and <a href="manual/../../faq/faq-pua.html">Potentially Unwanted Applications (PUA) signatures</a> may deviate from these guidelines.</p>
<p>Naming conventions in 3rd party databases vary. You can find Cisco-Talos <a href="manual/Signatures/SignatureNames.html">guidelines for naming signatures for the official database here</a>.</p>
<h2 id="signature-writing-tips-and-tricks"><a class="header" href="#signature-writing-tips-and-tricks">Signature Writing Tips and Tricks</a></h2>
<h3 id="testing-rules-with-clamscan"><a class="header" href="#testing-rules-with-clamscan">Testing rules with <code>clamscan</code></a></h3>
<p>To test a new signature, first create a text file with the extension corresponding to the signature type (Ex: <code>.ldb</code> for logical signatures). Then, add the signature as it's own line within the file. This file can be passed to <code>clamscan</code> via the <code>-d</code> option, which tells ClamAV to load signatures from the file specified. If the signature is not formatted correctly, ClamAV will display an error - run <code>clamscan</code> with <code>--debug --verbose</code> to see additional information about the error message. Some common causes of errors include:</p>
<ul>
<li>The signature file has the incorrect extension type for the signatures contained within</li>
<li>The file has one or more blank lines</li>
<li>For logical signatures, a semicolon exists at the end of the file</li>
</ul>
<p>If the rule is formatted correctly, <code>clamscan</code> will load the signature(s) in and scan any files specified via the command line invocation (or all files in the current directory if none are specified). A successful detection will look like the following:</p>
<pre><code class="language-bash">clamscan -d test.ldb text.exe
test.exe: Win.Malware.Agent.UNOFFICIAL FOUND
----------- SCAN SUMMARY -----------
Known viruses: 1
Engine version: 0.100.0
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 17.45 MB
Data read: 17.45 MB (ratio 1.00:1)
Time: 0.400 sec (0 m 0 s)
</code></pre>
<p>If the rule did not match as intended:</p>
<ul>
<li>The file may have exceeded one or more of the default scanning limits built-in to ClamAV. Try running <code>clamscan</code> with the following options to see if raising the limits addresses the issue: <code>--max-filesize=2000M --max-scansize=2000M --max-files=2000000 --max-recursion=2000000 --max-embeddedpe=2000M --max-htmlnormalize=2000000 --max-htmlnotags=2000000 --max-scriptnormalize=2000000 --max-ziptypercg=2000000 --max-partitions=2000000 --max-iconspe=2000000 --max-rechwp3=2000000 --pcre-match-limit=2000000 --pcre-recmatch-limit=2000000 --pcre-max-filesize=2000M</code>.</li>
<li>If matching on HTML or text files, ClamAV might be performing normalization that causes the content of the scanned file to change. See the <a href="manual/Signatures.html#html">HTML</a> and <a href="manual/Signatures.html#text-file">Text file</a> sections for more details.</li>
<li>libclamav may have been unable to unpack or otherwise process the file. See <a href="manual/Signatures.html#debug-information-from-libclamav">Debug information from libclamav</a> for more details.</li>
</ul>
<p>NOTE: If you run <code>clamscan</code> with a <code>-d</code> flag, ClamAV will not load in the signatures downloaded via <code>freshclam</code>. This means that:</p>
<ul>
<li>some of ClamAV's unpacking support might be disabled, since some unpackers are implemented as bytecode signatures</li>
<li>PE certificate trust verification based on Authenticode signatures won't work, since this functionality relies on <code>.crb</code> rules</li>
</ul>
<p>If any of this functionality is needed, load in the CVD files manually with additional <code>-d</code> flags.</p>
<h3 id="debug-information-from-libclamav"><a class="header" href="#debug-information-from-libclamav">Debug information from libclamav</a></h3>
<p>In order to create efficient signatures for ClamAV it’s important to understand how the engine handles input files. The best way to see how it works is having a look at the debug information from libclamav. You can do it by calling <code>clamscan</code> with the <code>--debug</code> and <code>--leave-temps</code> flags. The first switch makes <code>clamscan</code> display all the interesting information from libclamav and the second one avoids deleting temporary files so they can be analyzed further.</p>
<p>The now important part of the info is:</p>
<pre><code class="language-bash"> $ clamscan --debug attachment.exe
[...]
LibClamAV debug: Recognized MS-EXE/DLL file
LibClamAV debug: Matched signature for file type PE
LibClamAV debug: File type: Executable
</code></pre>
<p>The engine recognized a windows executable.</p>
<pre><code class="language-bash"> LibClamAV debug: Machine type: 80386
LibClamAV debug: NumberOfSections: 3
LibClamAV debug: TimeDateStamp: Fri Jan 10 04:57:55 2003
LibClamAV debug: SizeOfOptionalHeader: e0
LibClamAV debug: File format: PE
LibClamAV debug: MajorLinkerVersion: 6
LibClamAV debug: MinorLinkerVersion: 0
LibClamAV debug: SizeOfCode: 0x9000
LibClamAV debug: SizeOfInitializedData: 0x1000
LibClamAV debug: SizeOfUninitializedData: 0x1e000
LibClamAV debug: AddressOfEntryPoint: 0x27070
LibClamAV debug: BaseOfCode: 0x1f000
LibClamAV debug: SectionAlignment: 0x1000
LibClamAV debug: FileAlignment: 0x200
LibClamAV debug: MajorSubsystemVersion: 4
LibClamAV debug: MinorSubsystemVersion: 0
LibClamAV debug: SizeOfImage: 0x29000
LibClamAV debug: SizeOfHeaders: 0x400
LibClamAV debug: NumberOfRvaAndSizes: 16
LibClamAV debug: Subsystem: Win32 GUI
LibClamAV debug: ------------------------------------
LibClamAV debug: Section 0
LibClamAV debug: Section name: UPX0
LibClamAV debug: Section data (from headers - in memory)
LibClamAV debug: VirtualSize: 0x1e000 0x1e000
LibClamAV debug: VirtualAddress: 0x1000 0x1000
LibClamAV debug: SizeOfRawData: 0x0 0x0
LibClamAV debug: PointerToRawData: 0x400 0x400
LibClamAV debug: Section's memory is executable
LibClamAV debug: Section's memory is writeable
LibClamAV debug: ------------------------------------
LibClamAV debug: Section 1
LibClamAV debug: Section name: UPX1
LibClamAV debug: Section data (from headers - in memory)
LibClamAV debug: VirtualSize: 0x9000 0x9000
LibClamAV debug: VirtualAddress: 0x1f000 0x1f000
LibClamAV debug: SizeOfRawData: 0x8200 0x8200
LibClamAV debug: PointerToRawData: 0x400 0x400
LibClamAV debug: Section's memory is executable
LibClamAV debug: Section's memory is writeable
LibClamAV debug: ------------------------------------
LibClamAV debug: Section 2
LibClamAV debug: Section name: UPX2
LibClamAV debug: Section data (from headers - in memory)
LibClamAV debug: VirtualSize: 0x1000 0x1000
LibClamAV debug: VirtualAddress: 0x28000 0x28000
LibClamAV debug: SizeOfRawData: 0x200 0x1ff
LibClamAV debug: PointerToRawData: 0x8600 0x8600
LibClamAV debug: Section's memory is writeable
LibClamAV debug: ------------------------------------
LibClamAV debug: EntryPoint offset: 0x8470 (33904)
</code></pre>
<p>The section structure displayed above suggests the executable is packed
with UPX.</p>
<pre><code class="language-bash"> LibClamAV debug: ------------------------------------
LibClamAV debug: EntryPoint offset: 0x8470 (33904)
LibClamAV debug: UPX/FSG/MEW: empty section found - assuming
compression
LibClamAV debug: UPX: bad magic - scanning for imports
LibClamAV debug: UPX: PE structure rebuilt from compressed file
LibClamAV debug: UPX: Successfully decompressed with NRV2B
LibClamAV debug: UPX/FSG: Decompressed data saved in
/tmp/clamav-90d2d25c9dca42bae6fa9a764a4bcede
LibClamAV debug: ***** Scanning decompressed file *****
LibClamAV debug: Recognized MS-EXE/DLL file
LibClamAV debug: Matched signature for file type PE
</code></pre>
<p>Indeed, libclamav recognizes the UPX data and saves the decompressed
(and rebuilt) executable into
<code>/tmp/clamav-90d2d25c9dca42bae6fa9a764a4bcede</code>. Then it continues by
scanning this new file:</p>
<pre><code class="language-bash"> LibClamAV debug: File type: Executable
LibClamAV debug: Machine type: 80386
LibClamAV debug: NumberOfSections: 3
LibClamAV debug: TimeDateStamp: Thu Jan 27 11:43:15 2011
LibClamAV debug: SizeOfOptionalHeader: e0
LibClamAV debug: File format: PE
LibClamAV debug: MajorLinkerVersion: 6
LibClamAV debug: MinorLinkerVersion: 0
LibClamAV debug: SizeOfCode: 0xc000
LibClamAV debug: SizeOfInitializedData: 0x19000
LibClamAV debug: SizeOfUninitializedData: 0x0
LibClamAV debug: AddressOfEntryPoint: 0x7b9f
LibClamAV debug: BaseOfCode: 0x1000
LibClamAV debug: SectionAlignment: 0x1000
LibClamAV debug: FileAlignment: 0x1000
LibClamAV debug: MajorSubsystemVersion: 4
LibClamAV debug: MinorSubsystemVersion: 0
LibClamAV debug: SizeOfImage: 0x26000
LibClamAV debug: SizeOfHeaders: 0x1000
LibClamAV debug: NumberOfRvaAndSizes: 16
LibClamAV debug: Subsystem: Win32 GUI
LibClamAV debug: ------------------------------------
LibClamAV debug: Section 0
LibClamAV debug: Section name: .text
LibClamAV debug: Section data (from headers - in memory)
LibClamAV debug: VirtualSize: 0xc000 0xc000
LibClamAV debug: VirtualAddress: 0x1000 0x1000
LibClamAV debug: SizeOfRawData: 0xc000 0xc000
LibClamAV debug: PointerToRawData: 0x1000 0x1000
LibClamAV debug: Section contains executable code
LibClamAV debug: Section's memory is executable
LibClamAV debug: ------------------------------------
LibClamAV debug: Section 1
LibClamAV debug: Section name: .rdata
LibClamAV debug: Section data (from headers - in memory)
LibClamAV debug: VirtualSize: 0x2000 0x2000
LibClamAV debug: VirtualAddress: 0xd000 0xd000
LibClamAV debug: SizeOfRawData: 0x2000 0x2000
LibClamAV debug: PointerToRawData: 0xd000 0xd000
LibClamAV debug: ------------------------------------
LibClamAV debug: Section 2
LibClamAV debug: Section name: .data
LibClamAV debug: Section data (from headers - in memory)
LibClamAV debug: VirtualSize: 0x17000 0x17000
LibClamAV debug: VirtualAddress: 0xf000 0xf000
LibClamAV debug: SizeOfRawData: 0x17000 0x17000
LibClamAV debug: PointerToRawData: 0xf000 0xf000
LibClamAV debug: Section's memory is writeable
LibClamAV debug: ------------------------------------
LibClamAV debug: EntryPoint offset: 0x7b9f (31647)
LibClamAV debug: Bytecode executing hook id 257 (0 hooks)
attachment.exe: OK
[...]
</code></pre>
<p>No additional files get created by libclamav. By writing a signature for the decompressed file you have more chances that the engine will detect the target data when it gets compressed with another packer.</p>
<p>This method should be applied to all files for which you want to create signatures. By analyzing the debug information you can quickly see how the engine recognizes and preprocesses the data and what additional files get created. Signatures created for bottom-level temporary files are usually more generic and should help detecting the same malware in different forms.</p>
<h3 id="writing-signatures-for-special-files"><a class="header" href="#writing-signatures-for-special-files">Writing signatures for special files</a></h3>
<h4 id="html"><a class="header" href="#html">HTML</a></h4>
<p>ClamAV contains HTML normalization code which makes it easier to write signatures for HTML data that might differ based on white space, capitalization, and other insignificant differences. Running <code>sigtool --html-normalise</code> on a HTML file can be used to see what a file's contents will look like after normalization. This command should generate the following files:</p>
<ul>
<li>
<p>nocomment.html - the file is normalized, lower-case, with all comments and superfluous white space removed</p>
</li>
<li>
<p>notags.html - as above but with all HTML tags removed</p>
</li>
<li>
<p>javascript - any script contents are normalized and the results appended to this file</p>
</li>
</ul>
<p>The code automatically decodes JScript.encode parts and char ref’s (e.g. <code>&#102;</code>). To create a successful signature for the input file type, the rule must match on the contents of one of the created files. Signatures matching on normalized HTML should have a target type of 3. For reference, see <a href="manual/appendix/FileTypes.html">Target Types</a>.</p>
<h4 id="text-files"><a class="header" href="#text-files">Text files</a></h4>
<p>Similarly to HTML all ASCII text files get normalized (converted to lower-case, all superfluous white space and control characters removed, etc.) before scanning. Running <code>sigtool --ascii-normalise</code> on a text file will result in a normalized version being written to the file named <code>normalised\_text</code>. Rules matching on normalized ASCII text should have a target type of 7. For reference, see <a href="manual/appendix/FileTypes.html">Target Types</a>.</p>
<h4 id="compressed-portable-executable-files"><a class="header" href="#compressed-portable-executable-files">Compressed Portable Executable files</a></h4>
<p>If the file is compressed with UPX, FSG, Petite or another PE packer supported by libclamav, ClamAV will attempt to automatically unpack the executable and evaluate signatures against the unpacked executable. To inspect the executable that results from ClamAV's unpacking process, run <code>clamscan</code> with <code>--debug --leave-temps</code>. Example output for a FSG compressed file:</p>
<pre><code class="language-bash"> LibClamAV debug: UPX/FSG/MEW: empty section found - assuming compression
LibClamAV debug: FSG: found old EP @119e0
LibClamAV debug: FSG: Unpacked and rebuilt executable saved in
/tmp/clamav-f592b20f9329ac1c91f0e12137bcce6c
</code></pre>
<p>In the example above, <code>/tmp/clamav-f592b20f9329ac1c91f0e12137bcce6c</code> is the unpacked executable, and a signature can be written based off of this file.</p>
<h3 id="using-sigtool"><a class="header" href="#using-sigtool">Using <code>sigtool</code></a></h3>
<p><code>sigtool</code> pulls in libclamav and provides shortcuts to doing tasks that <code>clamscan</code> does behind the scenes. These can be really useful when writing a signature or trying to get information about a signature that might be causing FPs or performance problems.</p>
<p>The following <code>sigtool</code> flags can be especially useful for signature writing:</p>
<ul>
<li>
<p><code>--md5</code> / <code>--sha1</code> / <code>--sha256</code>: Generate the MD5/SHA1/SHA256 hash and calculate the file size, outputting both as a properly-formatted <code>.hdb</code>/<code>.hsb</code> signature</p>
</li>
<li>
<p><code>--mdb</code>: Generate section hashes of the specified file. This is useful when generating <code>.mdb</code> signatures.</p>
</li>
<li>
<p><code>--decode</code>: Given a ClamAV signature from STDIN, show a more user-friendly representation of it. An example usage of this flag is <code>cat test.ldb | sigtool --decode</code>.</p>
</li>
<li>
<p><code>--hex-dump</code>: Given a sequence of bytes from STDIN, print the hex equivalent. An example usage of this flag is <code>echo -n "Match on this" | sigtool --hex-dump</code>.</p>
</li>
<li>
<p><code>--html-normalise</code>: Normalize the specified HTML file in the way that <code>clamscan</code> will before looking for rule matches. Writing signatures off of these files makes it easier to write rules for target type HTML (you'll know what white space, capitalization, etc. to expect). See the <a href="manual/Signatures.html#html">HTML</a> section for more details.</p>
</li>
<li>
<p><code>--ascii-normalise</code>: Normalize the specified ASCII text file in the way that <code>clamscan</code> will before looking for rule matches. Writing signatures off of this normalized file data makes it easier to write rules for target type Txt (you'll know what white space, capitalization, etc. to expect). See the <a href="manual/Signatures.html#text-files">Text files</a> sectino for more details.</p>
</li>
<li>
<p><code>--print-certs</code>: Print the Authenticode signatures of any PE files specified.
This is useful when writing signature-based <code>.crb</code> rule files.</p>
</li>
<li>
<p><code>--vba</code>: Extract VBA/Word6 macro code</p>
</li>
<li>
<p><code>--test-sigs</code>: Given a signature and a sample, determine whether the signature matches and, if so, display the offset into the file where the match occurred. This can be useful for investigating false positive matches in clean files.</p>
</li>
</ul>
<h3 id="inspecting-signatures-inside-a-cvd-file"><a class="header" href="#inspecting-signatures-inside-a-cvd-file">Inspecting signatures inside a CVD file</a></h3>
<p>CVD (ClamAV Virus Database) is a digitally signed container that includes signature databases in various text formats. The header of the container is a 512 bytes long string with colon separated fields:</p>
<pre><code class="language-bash"> ClamAV-VDB:build time:version:number of signatures:functionality level required:MD5 checksum:digital signature:builder name:build time (sec)
</code></pre>
<p><code>sigtool --info</code> displays detailed information about a given CVD file:</p>
<pre><code class="language-bash"> zolw@localhost:/usr/local/share/clamav$ sigtool -i main.cvd
File: main.cvd
Build time: 09 Dec 2007 15:50 +0000
Version: 45
Signatures: 169676
Functionality level: 21
Builder: sven
MD5: b35429d8d5d60368eea9630062f7c75a
Digital signature: dxsusO/HWP3/GAA7VuZpxYwVsE9b+tCk+tPN6OyjVF/U8
JVh4vYmW8mZ62ZHYMlM903TMZFg5hZIxcjQB3SX0TapdF1SFNzoWjsyH53eXvMDY
eaPVNe2ccXLfEegoda4xU2TezbGfbSEGoU1qolyQYLX674sNA2Ni6l6/CEKYYh
Verification OK.
</code></pre>
<p>The ClamAV project distributes a number of CVD files, including <code>main.cvd</code> and <code>daily.cvd</code>.</p>
<p>To view the signature associated with a given detection name, the CVD files can be unpacked and the underlying text files searched for a rule definition using a tool like <code>grep</code>. To do this, use <code>sigtool</code>'s <code>--unpack</code> flag as follows:</p>
<pre><code class="language-bash"> $ mkdir /tmp/clamav-sigs
$ cd /tmp/clamav-sigs/
$ sigtool --unpack /var/lib/clamav/main.cvd
$ ls
COPYING main.fp main.hsb main.mdb main.ndb
main.crb main.hdb main.info main.msb main.sfp
</code></pre>
<h3 id="external-tools"><a class="header" href="#external-tools">External tools</a></h3>
<p>Below are tools that can be helpful when writing ClamAV signatures:</p>
<ul>
<li><a href="https://github.com/Cisco-Talos/CASC">CASC</a> - CASC is a plugin for IDA Pro that allows the user to highlight sections of code and create a signature based on the underlying instructions (with options to ignore bytes associated with registers, addresses, and offsets). It also contains SigAlyzer, a tool to take an existing signature and locate the regions within the binary that match the subsignatures.</li>
</ul>
<div style="break-before: page; page-break-before: always;"></div><h1 id="database-info"><a class="header" href="#database-info">Database Info</a></h1>
<p>The <code>.info</code> file format specifies information about the other database files unpacked from a CVD or CLD database archive. This file exists for the purposes of validating the correctness of the official ClamAV database container files and cannot be loaded a la carte.</p>
<p>The format is simply:</p>
<pre><code>name:size:sha256
</code></pre>
<p><code>name</code>: The database file name.</p>
<p><code>size</code>: The size in bytes of the database.</p>
<p><code>sha256</code>: A SHA256 hash of the database.</p>
<div style="break-before: page; page-break-before: always;"></div><h1 id="dynamic-configuration-dconf"><a class="header" href="#dynamic-configuration-dconf">Dynamic Configuration (DCONF)</a></h1>
<p>ClamAV supports a limited set of configuration options that may be enabled or disabled via settings in the <code>*.cfg</code> database. At this time, these settings are distributed in <code>daily.cfg</code>.</p>
<p>The goal of DCONF is to enable the ClamAV team to rapidly disable new or experimental features for specific ClamAV versions if a significant defect is discovered after release.</p>
<p>This database is small, and the settings are largely vestigial. The team has not had a need to disable many features in a long time, and so the ClamAV versions in the settings at this time should no longer be in use.</p>
<p>The strings and values referenced in <code>daily.cfg</code> are best cross-referenced with the macros and structures defined here:</p>
<ul>
<li>https://github.com/Cisco-Talos/clamav/blob/main/libclamav/dconf.h#L49</li>
<li>https://github.com/Cisco-Talos/clamav/blob/main/libclamav/dconf.c#L54</li>
</ul>
<p>The format for a DCONF signature is:</p>
<pre><code>Category:Flags:StartFlevel:EndFlevel
</code></pre>
<p><code>Category</code> may be one of:</p>
<ul>
<li>PE</li>
<li>ELF</li>
<li>MACHO</li>
<li>ARCHIVE</li>
<li>DOCUMENT</li>
<li>MAIL</li>
<li>OTHER</li>
<li>PHISHING</li>
<li>BYTECODE</li>
<li>STATS</li>
<li>PCRE</li>
</ul>
<p><code>Flags</code>:</p>
<p>Every feature that may be configured via DCONF is listed in <code>struct dconf_module modules</code> in <code>libclamav/dconf.c</code>. Any given feature may be default-on or default-off. Default-on features have the 4th field set to a <code>1</code> and default off are set to <code>0</code>. The <code>Flags</code> field for a given <code>Category</code> overrides the defaults for all of the options listed under that category.</p>
<p>A settings of <code>0x0</code>, for example, means that all options the category be disabled.</p>
<p>The macros listed in <code>libclamav/dconf.h</code> will help you identify which bits to set to get the desired results.</p>
<p><code>StartFlevel</code>:</p>
<p>This is the <a href="manual/Signatures/../../appendix/FunctionalityLevels.html">FLEVEL</a> of the minimum ClamAV engine for which you want the settings to be in effect.</p>
<p><code>EndFlevel</code>:</p>
<p>This is the <a href="manual/Signatures/../../appendix/FunctionalityLevels.html">FLEVEL</a> of the maximum ClamAV engine for which you want the settings to be in effect. You may wish to select <code>255</code> to override the defaults of future releases.</p>
<h2 id="example"><a class="header" href="#example">Example</a></h2>
<p>Consider the <code>OTHER_CONF_PDFNAMEOBJ</code> option in the <code>category</code> <code>OTHER</code>.</p>
<pre><code class="language-c">#define OTHER_CONF_UUENC 0x1 // Default: 1
#define OTHER_CONF_SCRENC 0x2 // Default: 1
#define OTHER_CONF_RIFF 0x4 // Default: 1
#define OTHER_CONF_JPEG 0x8 // Default: 1
#define OTHER_CONF_CRYPTFF 0x10 // Default: 1
#define OTHER_CONF_DLP 0x20 // Default: 1
#define OTHER_CONF_MYDOOMLOG 0x40 // Default: 1
#define OTHER_CONF_PREFILTERING 0x80 // Default: 1
#define OTHER_CONF_PDFNAMEOBJ 0x100 // Default: 1
#define OTHER_CONF_PRTNINTXN 0x200 // Default: 1
#define OTHER_CONF_LZW 0x400 // Default: 1
</code></pre>
<p>All of the <code>OTHER</code> options, including <code>OTHER_CONF_PDFNAMEOBJ</code> are default-on. To disable the option for ClamAV v0.100.X but leave the other options in their default settings, we would need to set the flags to:</p>
<pre><code>0110 1111 1111
^pdfnameobj off
</code></pre>
<p>Or in hex: <code>0x6FF</code></p>
<p>The example setting to place in <code>daily.cfg</code> then woudl be:</p>
<pre><code>OTHER:0x6FF:90:99
</code></pre>
<div style="break-before: page; page-break-before: always;"></div><h1 id="trusted-and-revoked-certificates"><a class="header" href="#trusted-and-revoked-certificates">Trusted and Revoked Certificates</a></h1>
<p>Clamav 0.98 checks signed PE files for certificates and verifies each certificate in the chain against a database of trusted and revoked certificates. The signature format is</p>
<pre><code>Name;Trusted;Subject;Serial;Pubkey;Exponent;CodeSign;TimeSign;CertSign;
NotBefore;Comment[;minFL[;maxFL]]
</code></pre>
<p>where the corresponding fields are:</p>
<ul>
<li>
<p><code>Name:</code> name of the entry</p>
</li>
<li>
<p><code>Trusted:</code> bit field, specifying whether the cert is trusted. 1 for trusted. 0 for revoked</p>
</li>
<li>
<p><code>Subject:</code> sha1 of the Subject field in hex</p>
</li>
<li>
<p><code>Serial:</code> the serial number as <code>clamscan --debug --verbose</code> reports</p>
</li>
<li>
<p><code>Pubkey:</code> the public key in hex</p>
</li>
<li>
<p><code>Exponent:</code> the exponent in hex. Currently ignored and hardcoded to 010001 (in hex)</p>
</li>
<li>
<p><code>CodeSign:</code> bit field, specifying whether this cert can sign code. 1 for true, 0 for false</p>
</li>
<li>
<p><code>TimeSign:</code> bit field. 1 for true, 0 for false</p>
</li>
<li>
<p><code>CertSign:</code> bit field, specifying whether this cert can sign other certs. 1 for true, 0 for false</p>
</li>
<li>
<p><code>NotBefore:</code> integer, cert should not be added before this variable. Defaults to 0 if left empty</p>
</li>
<li>
<p><code>Comment:</code> comments for this entry</p>
</li>
</ul>
<p>The signatures for certs are stored inside <code>.crb</code> files.</p>
<div style="break-before: page; page-break-before: always;"></div><h1 id="file-type-magic"><a class="header" href="#file-type-magic">File Type Magic</a></h1>
<p>ClamAV's primary mechanism for determining file types is to match the file with a File Type Magic signature. These file type signatures are compiled into ClamAV, and may also be overridden dynamically using the definition founds found in a <code>*.ftm</code> file.</p>
<p>The ClamAV standard signature database includes these definitions in <code>daily.ftm</code>.</p>
<p>The signature format is not too disimilar from NDB body-based signatures.</p>
<p>The format is:</p>
<pre><code>magictype:offset:magicbytes:name:rtype:type[:min_flevel[:max_flevel]]
</code></pre>
<p>Where:</p>
<p><code>magictype</code>: Supported magic types include:</p>
<ul>
<li><code>0</code> - direct memory comparison of <code>magicbytes</code> for file types</li>
<li><code>1</code> - The <code>magicbytes</code> use the body-based content matching <a href="manual/Signatures/BodySignatureFormat.html">format</a>.</li>
<li><code>4</code> - direct memory comparison of <code>magicbytes</code> for partition types (HFS+, HFSX)</li>
</ul>
<p><code>offset</code>: The offset from start of the file to match against. May be <code>*</code> if <code>magictype</code> is 1.</p>
<p><code>name</code>: A descriptive name for the file type.</p>
<p><code>rtype</code>: Previously detected file type. Usually CL_TYPE_ANY as a wild-card.</p>
<p><code>type</code>: The CL_TYPE corresponding with the file type signature. See the <a href="manual/Signatures/../../appendix/FileTypes.html">CL_TYPE reference</a> for details.</p>
<p><code>min_flevel</code>: (optional) The minimum ClamAV engine that the file type signature works with. See the <a href="manual/Signatures/../../appendix/FunctionalityLevels.html">FLEVEL reference</a> for details. To be used in the event that file type support has been recently added.</p>
<p><code>max_flevel</code>: (optional, requires <code>min_flevel</code> field, though the <code>min_flevel</code> number itself can be left empty) The maximum ClamAV engine that the file type signature works with. To be used in the event that file type support has been recently removed or replaced.</p>
<div style="break-before: page; page-break-before: always;"></div><h1 id="allow-list-databases"><a class="header" href="#allow-list-databases">Allow List Databases</a></h1>
<h2 id="file-allow-lists"><a class="header" href="#file-allow-lists">File Allow Lists</a></h2>
<p>To allow a specific file use the MD5 signature format and place it inside a database file with the extension of <code>.fp</code> (for "false positive"). To allow a specific file with the SHA1 or SHA256 file hash signature format, place the signature inside a database file with the extension of <code>.sfp</code> (for "SHA false positive").</p>
<p>To generate FP or SFP signatures, try something like this...</p>
<p>MD5:</p>
<pre><code class="language-bash">sigtool --md5 /path/to/false/positive/file >> /path/to/databases/false-positives.fp
</code></pre>
<p>SHA256:</p>
<pre><code class="language-bash">sigtool --sha256 /path/to/false/positive/file >> /path/to/databases/false-positives.sfp
</code></pre>
<p>Here's an example adding the EICAR test file to an allow list by generating a sha256 false positive signature:</p>
<pre><code class="language-bash">❯ clamscan ~/Downloads/eicar.com
/mnt/c/Users/micah/Downloads/eicar.com: Win.Test.EICAR_HDB-1 FOUND
...
❯ sigtool --sha256 ~/Downloads/eicar.com >> /var/lib/clamav/false-positives.sfp
❯ clamscan ~/Downloads/eicar.com
/mnt/c/Users/micah/Downloads/eicar.com: OK
...
</code></pre>
<h2 id="signature-ignore-lists"><a class="header" href="#signature-ignore-lists">Signature Ignore Lists</a></h2>
<p>To ignore a specific signature from the database you just add the signature name into a local file with the <code>.ign2</code> extension and store it inside the database directory.</p>
<p>E.g:</p>
<pre><code>Eicar-Test-Signature
</code></pre>
<p>Additionally, you can follow the signature name with the MD5 of the entire database entry for this signature. In such a case, the signature will no longer be ignored when its entry in the database gets modified (eg. the signature gets updated to avoid false alerts). E.g:</p>
<pre><code>Eicar-Test-Signature:bc356bae4c42f19a3de16e333ba3569c
</code></pre>
<p>Historically, signature ignores were added to <code>.ign</code> files. This format is still functional, though it has been replaced by the <code>.ign2</code> database.</p>
<h2 id="phishing-heuristic-allow-lists"><a class="header" href="#phishing-heuristic-allow-lists">Phishing Heuristic Allow Lists</a></h2>
<p>ClamAV may alert on suspicious links with alerts along the lines of "<code>Heuristics.Phishing.Email.SpoofedDomain</code>". If you encounter a false positive for this kind of detection, you can create an allow list signature.</p>
<p>Allow list signatures for suspicious HTML links are added to the <code>.wdb</code> phishing signature database. Read the <a href="manual/Signatures/PhishSigs.html#wdb-format">Phishing Signature documentation</a> to learn more. </p>
<div style="break-before: page; page-break-before: always;"></div><h1 id="file-hash-signatures"><a class="header" href="#file-hash-signatures">File hash signatures</a></h1>
<p>The easiest way to create signatures for ClamAV is to use filehash checksums, however this method can be only used against static malware.</p>
<h2 id="md5-hash-based-signatures"><a class="header" href="#md5-hash-based-signatures">MD5 hash-based signatures</a></h2>
<p>To create a MD5 signature for <code>test.exe</code> use the <code>--md5</code> option of
sigtool:</p>
<pre><code class="language-bash">zolw@localhost:/tmp/test$ sigtool --md5 test.exe > test.hdb
zolw@localhost:/tmp/test$ cat test.hdb
48c4533230e1ae1c118c741c0db19dfb:17387:test.exe
</code></pre>
<p>That’s it! The signature is ready for use:</p>
<pre><code class="language-bash">zolw@localhost:/tmp/test$ clamscan -d test.hdb test.exe
test.exe: test.exe FOUND
----------- SCAN SUMMARY -----------
Known viruses: 1
Scanned directories: 0
Engine version: 0.92.1
Scanned files: 1
Infected files: 1
Data scanned: 0.02 MB
Time: 0.024 sec (0 m 0 s)
</code></pre>
<p>You can change the name (by default sigtool uses the name of the file) and place it inside a <code>*.hdb</code> file. A single database file can include any number of signatures. To get them automatically loaded each time <code>clamscan</code>/<code>clamd</code> starts just copy the database file(s) into the local virus database directory (eg. <code>/usr/local/share/clamav</code>).</p>
<p><em>The hash-based signatures shall not be used for text files, HTML and any other data that gets internally preprocessed before pattern matching. If you really want to use a hash signature in such a case, run <code>clamscan</code> with <code>--debug</code> and <code>--leave-temps</code> flags as described above and create a signature for a preprocessed file left in <code>/tmp</code>. Please keep in mind that a hash signature will stop matching as soon as a single byte changes in the target file.</em></p>
<h2 id="sha1-and-sha256-hash-based-signatures"><a class="header" href="#sha1-and-sha256-hash-based-signatures">SHA1 and SHA256 hash-based signatures</a></h2>
<p>ClamAV 0.98 has also added support for SHA1 and SHA256 file checksums. The format is the same as for MD5 file checksum. It can differentiate between them based on the length of the hash string in the signature. For best backwards compatibility, these should be placed inside a <code>*.hsb</code> file. The format is:</p>
<pre><code>HashString:FileSize:MalwareName
</code></pre>
<h2 id="special-hash-based-signatures-for-pe-files-windows-exe-dll-and-sys-files"><a class="header" href="#special-hash-based-signatures-for-pe-files-windows-exe-dll-and-sys-files">Special hash-based signatures for PE files (Windows EXE, DLL, and SYS files)</a></h2>
<h3 id="pe-section-based-hash-signatures"><a class="header" href="#pe-section-based-hash-signatures">PE section based hash signatures</a></h3>
<p>You can create a hash signature for a specific section in a PE file. Such signatures shall be stored inside <code>.mdb</code> (MD5) and <code>.msb</code> files in the following format:</p>
<pre><code>PESectionSize:PESectionHash:MalwareName
</code></pre>
<p>Note that the order of <code>PESectionSize</code> and <code>PESectionHash</code> are essentially reversed from the <code>.hdb</code> signature format.</p>
<p>You can generate your own PE section hash signatures using <code>sigtool</code>:</p>
<pre><code>sigtool --mdb /path/to/32bit/PE/file
</code></pre>
<pre><code>❯ ./sigtool/sigtool --mdb ~/Downloads/ChromeSetup.exe
LibClamAV debug: cli_peheader: SizeOfHeader is not aligned to the SectionAlignment
LibClamAV debug: Section{0}: 83456:83620eda4d054fe35c19faaa89d515f3
LibClamAV debug: Section{1}: 28160:ebb39bf5679d566074c9666fd9548d22
LibClamAV debug: Section{2}: 2560:3cbd45b86866e61bd3cbd759aa40888d
LibClamAV debug: Section{3}: 1199616:6555d93d90a4642c9b3feb4bdb075ec1
LibClamAV debug: Section{4}: 4608:80335bb2fda8c0e537fcf4d0af14bc89
LibClamAV debug: hashtab: Freeing hashset, elements: 0, capacity: 0
LibClamAV debug: Cleaning up phishcheck
LibClamAV debug: Phishcheck cleaned up
</code></pre>
<p>ClamAV also has support for SHA1 and SHA256 section based signatures. The format is the same as for MD5 PE section based signatures. It can differentiate between them based on the length of the hash string in the signature. For best backwards compatibility, these should be placed inside a <code>*.msb</code> file.</p>
<blockquote>
<p><em>Known issues</em>: </p>
<p>Support for 64-bit PE files is missing at this time. You can create an section-hash signatures using sigtool. But as of 0.105, the parser stops processing 64bit PE files (PE32+ files) a little before it would try to match those hashes, so they will never alert.</p>
</blockquote>
<h3 id="pe-import-table-hash-signatures-func-level-90"><a class="header" href="#pe-import-table-hash-signatures-func-level-90">PE import table hash signatures (func. level 90)</a></h3>
<p>You can create a hash signature for the import table in a PE file. Such signatures shall be stored inside <code>.imp</code> files in the following format:</p>
<pre><code>PEImportTableHash:PEImportTableSize:MalwareName
</code></pre>
<p>Unlike with PE section hash signatures, the file format for PE import table hash signatures is essentially the same as HDB signatures.</p>
<p>Some example sigs:</p>
<pre><code>f93b5d76132f6e6068946ec238813ce1:154:calc.exe
1ac946b228ebba41514c52672b33d623:140:calc64.exe
</code></pre>
<p>You can generate your own PE import table hash signatures using <code>sigtool</code>:</p>
<pre><code>sigtool --imp /path/to/32bit/PE/file
</code></pre>
<p>The details will be in debug log output, like:</p>
<pre><code>❯ ./sigtool/sigtool --imp ./unit_tests/input/clamav_hdb_scanfiles/clam.exe
LibClamAV debug: cli_peheader: SizeOfHeader is not aligned to the SectionAlignment
LibClamAV debug: Imphash: 98c88d882f01a3f6ac1e5f7dfd761624:39
LibClamAV debug: hashtab: Freeing hashset, elements: 0, capacity: 0
LibClamAV debug: Cleaning up phishcheck
LibClamAV debug: Phishcheck cleaned up
</code></pre>
<p>The hash is an MD5 hash. </p>
<p>Unlike some signature features, you <em>may not</em> rely on the <code>clamscan</code> debug-log to provide imp-hashes. <code>clamscan</code> will only every log out the imp-hash info if you have one or more imp-hash sig loaded. If not, you won't see it.</p>
<p>Given the <code>Imphash:</code> line from the <code>sigtool</code> debug log, all that is left is to add a signature name. Like this:</p>
<pre><code>98c88d882f01a3f6ac1e5f7dfd761624:39:clam.exe
</code></pre>
<blockquote>
<p><em>Known issues</em>: </p>
<p>Support for 64-bit PE files is missing at this time. You can create an imp-hash signatures using sigtool. But as of 0.105, the parser stops processing 64bit PE files (PE32+ files) a little before it would try to match those hashes, so they will never alert.</p>
<p>Support for <code>*</code>-wildcard import hash table sizes is broken in every release up through 0.105. The size field can technically be a wildcard using the <code>*</code>. But, because of a known issue with the all-match feature, the signature will only alert in all-match mode, which is not the default scanning mode.</p>
</blockquote>
<h2 id="hash-signatures-with-unknown-size"><a class="header" href="#hash-signatures-with-unknown-size">Hash signatures with unknown size</a></h2>
<p>ClamAV 0.98 has also added support for hash signatures where the size is not known but the hash is. It is much more performance-efficient to use signatures with specific sizes, so be cautious when using this feature. For these cases, the ’*’ character can be used in the size field. To ensure proper backwards compatibility with older versions of ClamAV, these signatures must have a minimum functional level of 73 or higher. Signatures that use the wildcard size without this level set will be rejected as malformed.</p>
<p>Sample .hsb signature matching any size:</p>
<pre><code>HashString:*:MalwareName:73
</code></pre>
<p>Sample .msb signature matching any size:</p>
<pre><code>*:PESectionHash:MalwareName:73
</code></pre>
<div style="break-before: page; page-break-before: always;"></div><h1 id="body-based-signature-content-format"><a class="header" href="#body-based-signature-content-format">Body-based Signature Content Format</a></h1>
<p>ClamAV stores all body-based (content-based) signatures in a hexadecimal format, with exception to ClamAV's YARA rule support. In this section by a hex-signature we mean a fragment of malware’s body converted into a hexadecimal string which can be additionally extended using various wildcards.</p>
<h2 id="hexadecimal-format"><a class="header" href="#hexadecimal-format">Hexadecimal format</a></h2>
<p>You can use <code>sigtool --hex-dump</code> to convert any data into a hex-string:</p>
<pre><code class="language-bash">zolw@localhost:/tmp/test$ sigtool --hex-dump
How do I look in hex?
486f7720646f2049206c6f6f6b20696e206865783f0a
</code></pre>
<h2 id="wildcards"><a class="header" href="#wildcards">Wildcards</a></h2>
<p>ClamAV supports the following wildcards for hex-signatures:</p>
<ul>
<li>
<p><code>??</code></p>
<p>Match any byte.</p>
</li>
<li>
<p><code>a?</code></p>
<p>Match a high nibble (the four high bits).</p>
</li>
<li>
<p><code>?a</code></p>
<p>Match a low nibble (the four low bits).</p>
</li>
<li>
<p><code>*</code></p>
<p>Match any number of bytes.</p>
</li>
<li>
<p><code>{n}</code></p>
<p>Match <code>n</code> bytes.</p>
</li>
<li>
<p><code>{-n}</code></p>
<p>Match <code>n</code> or less bytes.</p>
</li>
<li>
<p><code>{n-}</code></p>
<p>Match <code>n</code> or more bytes.</p>
</li>
<li>
<p><code>{n-m}</code></p>
<p>Match between <code>n</code> and <code>m</code> bytes (where <code>m > n</code>).</p>
</li>
<li>
<p><code>HEXSIG[x-y]aa</code> or <code>aa[x-y]HEXSIG</code></p>
<p>Match <code>aa</code> anchored to a hex-signature, see <a href="https://bugzilla.clamav.net/show_bug.cgi?id=776">Bugzilla ticket 776</a> for discussion and
examples.</p>
</li>
</ul>
<p>The range signatures <code>*</code> and <code>{}</code> virtually separate a hex-signature into two parts, eg. <code>aabbcc*bbaacc</code> is treated as two sub-signatures <code>aabbcc</code> and <code>bbaacc</code> with any number of bytes between them. It’s a requirement that each sub-signature includes a block of two static characters somewhere in its body. Note that there is one exception to this restriction; that is when the range wildcard is of the form <code>{n}</code> with <code>n<128</code>. In this case, ClamAV uses an optimization and translates <code>{n}</code> to the string consisting of <code>n ??</code> character wildcards. Character wildcards do not divide hex signatures into two parts and so the two static character requirement does not apply.</p>
<h2 id="character-classes"><a class="header" href="#character-classes">Character classes</a></h2>
<p>ClamAV supports the following character classes for hex-signatures:</p>
<ul>
<li>
<p><code>(B)</code></p>
<p>Match word boundary (including file boundaries).</p>
</li>
<li>
<p><code>(L)</code></p>
<p>Match CR, CRLF or file boundaries.</p>
</li>
<li>
<p><code>(W)</code></p>
<p>Match a non-alphanumeric character.</p>
</li>
</ul>
<h2 id="alternate-strings"><a class="header" href="#alternate-strings">Alternate strings</a></h2>
<ul>
<li>
<p>Single-byte alternates (clamav-0.96) <code>(aa|bb|cc|...)</code> or <code>!(aa|bb|cc|...)</code> Match a member from a set of bytes (eg: <code>aa</code>, <code>bb</code>, <code>cc</code>, ...).</p>
<ul>
<li>Negation operation can be applied to match any non-member, assumed to be one-byte in length.</li>
<li>Signature modifiers and wildcards cannot be applied.</li>
</ul>
</li>
<li>
<p>Multi-byte fixed length alternates <code>(aaaa|bbbb|cccc|...)</code> or <code>!(aaaa|bbbb|cccc|...)</code> Match a member from a set of multi-byte alternates (eg: aaaa, bbbb, cccc, ...) of n-length.</p>
<ul>
<li>All set members must be the same length.</li>
<li>Negation operation can be applied to match any non-member, assumed to be n-bytes in length (clamav-0.98.2).</li>
<li>Signature modifiers and wildcards cannot be applied.</li>
</ul>
</li>
<li>
<p>Generic alternates (clamav-0.99) <code>(alt1|alt2|alt3|...)</code> Match a member from a set of alternates (eg: alt1, alt2, alt3, ...) that can be of variable lengths.</p>
<ul>
<li>Negation operation cannot be applied.</li>
<li>Signature modifiers and nibble wildcards (eg: <code>??, a?, ?a</code>) can be applied.</li>
<li>Ranged wildcards (eg: <code>{n-m}</code>) are limited to a fixed range of less than 128 bytes (eg: <code>{1} -> {127}</code>).</li>
</ul>
</li>
</ul>
<blockquote>
<p><em>Note</em>: Using signature modifiers and wildcards classifies the alternate type to be a generic alternate. Thus single-byte alternates and multi-byte fixed length alternates can use signature modifiers and wildcards but will be classified as generic alternate. This means that negation cannot be applied in this situation and there is a slight performance impact.</p>
</blockquote>
<div style="break-before: page; page-break-before: always;"></div><h1 id="logical-signatures"><a class="header" href="#logical-signatures">Logical signatures</a></h1>
<p>Logical signatures allow combining of multiple signatures in extended format using logical operators. They can provide both more detailed and flexible pattern matching. The logical sigs are stored inside <code>*.ldb</code> files in the following format:</p>
<pre><code>SignatureName;TargetDescriptionBlock;LogicalExpression;Subsig0;
Subsig1;Subsig2;...
</code></pre>
<p>where:</p>
<ul>
<li>
<p><code>TargetDescriptionBlock</code> provides information about the engine and target file with comma separated <code>Arg:Val</code> pairs. For args where <code>Val</code> is a range, the minimum and maximum values should be expressed as <code>min-max</code>.</p>
</li>
<li>
<p><code>LogicalExpression</code> specifies the logical expression describing the relationship between <code>Subsig0...SubsigN</code>. <strong>Basis clause:</strong> 0,1,...,N decimal indexes are SUB-EXPRESSIONS representing <code>Subsig0, Subsig1,...,SubsigN</code> respectively. <strong>Inductive clause:</strong> if <code>A</code> and <code>B</code> are SUB-EXPRESSIONS and <code>X, Y</code> are decimal numbers then <code>(A&B)</code>, <code>(A|B)</code>, <code>A=X</code>, <code>A=X,Y</code>, <code>A>X</code>, <code>A>X,Y</code>, <code>A<X</code> and <code>A<X,Y</code> are SUB-EXPRESSIONS</p>
</li>
<li>
<p><code>SubsigN</code> is n-th subsignature in extended format possibly preceded with an offset. There can be specified up to 64 subsigs.</p>
</li>
</ul>
<p>Keywords used in <code>TargetDescriptionBlock</code>:</p>
<ul>
<li>
<p><code>Engine:X-Y</code>: Required engine functionality level (range; 0.96).</p>
<blockquote>
<p><em>Note</em>: If the <code>Engine</code> keyword is used, it <em>must be the first keyword</em> in the <code>TargetDescriptionBlock</code> for backwards compatibility.
See the <a href="manual/Signatures/../../appendix/FunctionalityLevels.html">FLEVEL reference</a> for details.</p>
</blockquote>
</li>
<li>
<p><code>Target:X</code>: A number specifying the type of the target file: <a href="manual/Signatures/../../appendix/FileTypes.html#Target-Types">Target Types</a>.</p>
</li>
<li>
<p><code>FileSize:X-Y</code>: Required file size (range in bytes; 0.96)</p>
</li>
<li>
<p><code>EntryPoint</code>: Entry point offset (range in bytes; 0.96)</p>
</li>
<li>
<p><code>NumberOfSections</code>: Required number of sections in executable (range; 0.96)</p>
</li>
<li>
<p><code>Container:CL_TYPE_*</code>: File type of the container which stores the scanned file.</p>
<p>Specifying <code>CL_TYPE_ANY</code> matches on root objects only (i.e. the target file is explicitely <em>not</em> in a container). Chances slim that you would want to use <code>CL_TYPE_ANY</code> in a signature, because placing the malicious file in an archive will then prevent it from alerting.</p>
<p>Every ClamAV file type has the potential to be a container for additional files, although some are more likely than others. When a file is parsed and data in the file is identified to be scanned as a unique type, that parent file becomes a container the moment the embedded content is scanned. For a list of possible CL_TYPEs, refer to the <a href="manual/Signatures/../../appendix/FileTypes.html">File Types Reference</a>.</p>
</li>
<li>
<p><code>Intermediates:CL_TYPE_*>CL_TYPE_*</code>: Specify one or more layers of file types containing the scanned file. <em>This is an alternative to using <code>Container</code>.</em></p>
<p>You may specify up to 16 layers of file types separated by ’<code>></code>’ in top-down order. Note that the ’<code>></code>’ separator is not needed if you only specify a single container. The last type should be the immediate container containing the malicious file. Unlike with the <code>Container</code> option, <code>CL_TYPE_ANY</code> can be used as a wildcard file type. (expr; 0.100.0)</p>
<p>For a list of possible CL_TYPEs, refer to the <a href="manual/Signatures/../../appendix/FileTypes.html">File Types Reference</a>.</p>
</li>
<li>
<p><code>IconGroup1</code>: Icon group name 1 from .idb signature Required engine functionality (range; 0.96)</p>
</li>
<li>
<p><code>IconGroup2</code>: Icon group name 2 from .idb signature Required engine functionality (range; 0.96)</p>
</li>
</ul>
<p>Modifiers for subexpressions:</p>
<ul>
<li>
<p><code>A=X</code>: If the SUB-EXPRESSION A refers to a single signature then this signature must get matched exactly X times; if it refers to a (logical) block of signatures then this block must generate exactly X matches (with any of its sigs).</p>
</li>
<li>
<p><code>A=0</code> specifies negation (signature or block of signatures cannot be matched)</p>
</li>
<li>
<p><code>A=X,Y</code>: If the SUB-EXPRESSION A refers to a single signature then this signature must be matched exactly X times; if it refers to a (logical) block of signatures then this block must generate X matches and at least Y different signatures must get matched.</p>
</li>
<li>
<p><code>A>X</code>: If the SUB-EXPRESSION A refers to a single signature then this signature must get matched more than X times; if it refers to a (logical) block of signatures then this block must generate more than X matches (with any of its sigs).</p>
</li>
<li>
<p><code>A>X,Y</code>: If the SUB-EXPRESSION A refers to a single signature then this signature must get matched more than X times; if it refers to a (logical) block of signatures then this block must generate more than X matches <em>and</em> at least Y different signatures must be matched.</p>
</li>
<li>
<p><code>A<X</code>: Just like <code>A>Z</code> above with the change of "more" to "less".</p>
<p>If the SUB-EXPRESSION A refers to a single signature then this signature must get matched less than X times; if it refers to a (logical) block of signatures then this block must generate less than X matches (with any of its sigs).</p>
</li>
<li>
<p><code>A<X,Y</code>: Similar to <code>A>X,Y</code>. If the SUB-EXPRESSION A refers to a single signature then this signature must get matched less than X times; if it refers to a (logical) block of signatures then this block must generate less than X matches <em>and</em> at least Y different signatures must be matched.</p>
</li>
</ul>
<p>Examples:</p>
<pre><code>Sig1;Target:0;(0&1&2&3)&(4|1);6b6f74656b;616c61;7a6f6c77;7374656
6616e;deadbeef
Sig2;Target:0;((0|1|2)>5,2)&(3|1);6b6f74656b;616c61;7a6f6c77;737
46566616e
Sig3;Target:0;((0|1|2|3)=2)&(4|1);6b6f74656b;616c61;7a6f6c77;737
46566616e;deadbeef
Sig4;Engine:51-255,Target:1;((0|1)&(2|3))&4;EP+123:33c06834f04100
f2aef7d14951684cf04100e8110a00;S2+78:22??232c2d252229{-15}6e6573
(63|64)61706528;S3+50:68efa311c3b9963cb1ee8e586d32aeb9043e;f9c58
dcf43987e4f519d629b103375;SL+550:6300680065005c0046006900
</code></pre>
<h2 id="subsignature-modifiers"><a class="header" href="#subsignature-modifiers">Subsignature Modifiers</a></h2>
<p>ClamAV (clamav-0.99) supports a number of additional subsignature
modifiers for logical signatures. This is done by specifying <code>::</code>
followed by a number of characters representing the desired options.
Signatures using subsignature modifiers require <code>Engine:81-255</code> for
backwards-compatibility.</p>
<ul>
<li>
<p>Case-Insensitive [<code>i</code>]</p>
<p>Specifying the <code>i</code> modifier causes ClamAV to match all alphabetic hex bytes as case-insensitive. All patterns in ClamAV are case-sensitive by default.</p>
</li>
<li>
<p>Wide [<code>w</code>]</p>
<p>Specifying the <code>w</code> causes ClamAV to match all hex bytes encoded with two bytes per character. Note this simply interweaves each character with NULL characters and does not truly support UTF-16 characters. Wildcards for ’wide’ subsignatures are not treated as wide (i.e. there can be an odd number of intermittent characters). This can be combined with <code>a</code> to search for patterns in both wide and ascii.</p>
</li>
<li>
<p>Fullword [<code>f</code>]</p>
<p>Match subsignature as a fullword (delimited by non-alphanumeric characters).</p>
</li>
<li>
<p>Ascii [<code>a</code>]</p>
<p>Match subsignature as ascii characters. This can be combined with <code>w</code> to search for patterns in both ascii and wide.</p>
</li>
</ul>
<p>Examples:</p>
<ul>
<li>Match 'AAAA'(nocase) and 'BBBBBB'(nocase)</li>
</ul>
<pre><code>clamav-nocase-A;Engine:81-255,Target:0;0&1;41414141::i;424242424242::i
</code></pre>
<ul>
<li>Match 'AAA' and 'hello'(fullword)</li>
</ul>
<pre><code>clamav-fullword-A;Engine:81-255,Target:0;0&1;414141;68656c6c6f::f
</code></pre>
<ul>
<li>Match 'AAA' and 'hello'(fullword nocase)</li>
</ul>
<pre><code>clamav-fullword-B;Engine:81-255,Target:0;0&1;414141;68656c6c6f::fi
</code></pre>
<ul>
<li>Match 'AAA' and 'hello'(wide ascii)</li>
</ul>
<pre><code>clamav-wide-B2;Engine:81-255,Target:0;0&1;414141;68656c6c6f::wa
</code></pre>
<ul>
<li>Match 'AAA' and 'hello'(nocase wide fullword ascii)</li>
</ul>
<pre><code>clamav-wide-C0;Engine:81-255,Target:0;0&1;414141;68656c6c6f::iwfa
</code></pre>
<h2 id="special-subsignature-types"><a class="header" href="#special-subsignature-types">Special Subsignature Types</a></h2>
<h3 id="macro-subsignatures"><a class="header" href="#macro-subsignatures">Macro subsignatures</a></h3>
<p>Introduced in ClamAV 0.96</p>
<p>Format: <code>${min-max}MACROID$</code></p>
<p>Macro subsignatures are used to combine a number of existing extended
signatures (<code>.ndb</code>) into a on-the-fly generated alternate string logical
signature (<code>.ldb</code>). Signatures using macro subsignatures require
<code>Engine:51-255</code> for backwards-compatibility.</p>
<p>Example:</p>
<pre><code>test.ldb:
TestMacro;Engine:51-255,Target:0;0&1;616161;${6-7}12$
test.ndb:
D1:0:$12:626262
D2:0:$12:636363
D3:0:$30:626264
</code></pre>
<p>The example logical signature <code>TestMacro</code> is functionally equivalent
to:</p>
<pre><code>TestMacro;Engine:51-255,Target:0;0;616161{3-4}(626262|636363)
</code></pre>
<ul>
<li>
<p><code>MACROID</code> points to a group of signatures; there can be at most 32 macro groups.</p>
<ul>
<li>In the example, <code>MACROID</code> is <code>12</code> and both <code>D1</code> and <code>D2</code> are members of macro group <code>12</code>. <code>D3</code> is a member of separate macro group <code>30</code>.</li>
</ul>
</li>
<li>
<p><code>{min-max}</code> specifies the offset range at which one of the group signatures should match; the offset range is relative to the starting offset of the preceding subsignature. This means a macro subsignature cannot be the first subsignature.</p>
<ul>
<li>In the example, <code>{min-max}</code> is <code>{6-7}</code> and it is relative to the start of a <code>616161</code> match.</li>
</ul>
</li>
<li>
<p>For more information and examples please see <a href="https://bugzilla.clamav.net/show_bug.cgi?id=164">https://bugzilla.clamav.net/show_bug.cgi?id=164</a>.</p>
</li>
</ul>
<h3 id="byte-compare-subsignatures"><a class="header" href="#byte-compare-subsignatures">Byte Compare Subsignatures</a></h3>
<p>Introduced in ClamAV 0.101</p>
<p>Format: <code>subsigid_trigger(offset#byte_options#comparisons)</code></p>
<p>Byte compare subsignatures can be used to evaluate a numeric value at a given offset from the start of another (matched) subsignature within the same logical signature. These are executed after all other subsignatures within the logical subsignature are fired, with the exception of PCRE subsignatures. They can evaluate offsets only from a single referenced subsignature, and that subsignature must give a valid match for the evaluation to occur.</p>
<ul>
<li>
<p><code>subsigid_trigger</code> is a required field and may refer to any single non-PCRE, non-Byte Compare subsignature within the lsig. The byte compare subsig will evaluate if <code>subsigid_trigger</code> matches. Triggering on multiple subsigs or logic based triggering is not currently supported.</p>
</li>
<li>
<p><code>offset</code> is a required field that consists of an <code>offset_modifier</code> and a numeric <code>offset</code> (hex or decimal offsets are okay).</p>
<ul>
<li>
<p><code>offset_modifier</code> can be either <code>>></code> or <code><<</code> where the former denotes a positive offset and the latter denotes a negative offset. The offset is calculated from the start of <code>subsigid_trigger</code>, which allows for byte extraction before the specified match, after the match, and within the match itself.</p>
</li>
<li>
<p><code>offset</code> must be a positive hex or decimal value. This will be the number of bytes from the start of the referenced <code>subsigid_trigger</code> match within the file buffer to begin the comparison.</p>
</li>
</ul>
</li>
<li>
<p><code>byte_options</code> are used to specify the numeric type and endianess of the extracted byte sequence in that order as well as the number of bytes to be read. By default ClamAV will attempt to matchup up to the number of byte specified, unless the <code>e</code> (exact) option is specified or the numeric type is <code>b</code> (binary). This field follows the form <code>[h|d|a|i][l|b][e]num_bytes</code></p>
<ul>
<li>
<p><code>h|d|a|i</code> where <code>h</code> specifies the byte sequence will be in hex, <code>d</code> decimal, <code>a</code> automatic detection of hex or decimal at runtime, and <code>i</code> signifies raw binary data.</p>
</li>
<li>
<p><code>l|b</code> where <code>l</code> specifies the byte sequence will be in little endian order and <code>b</code> big endian. If decimal <code>d</code> is specified, big-endian is implied and using <code>l</code> will result in a malformed database error.</p>
</li>
<li>
<p><code>e</code> specifies that ClamAV will only evaluate the comparison if it can extract the exact number of bytes specified. This option is implicitly declared when using the <code>i</code> flag.</p>
</li>
<li>
<p><code>num_bytes</code> specifies the number of bytes to extract. This can be a hex or decimal value. If <code>i</code> is specified only 1, 2, 4, and 8 are valid options.</p>
</li>
</ul>
</li>
<li>
<p><code>comparisons</code> are a required field which denotes how to evaluate the extracted byte sequence. Each Byte Compare signature can have one or two <code>comparison_sets</code> separated by a comma. Each <code>comparison_set</code> consists of a <code>Comparison_symbol</code> and a <code>Comparison_value</code> and takes the form <code>Comparison_symbolComparison_value</code>. Thus, <code>comparisons</code> takes the form <code>comparison_set[,comparison_set]</code></p>
<ul>
<li>
<p><code>Comparison_symbol</code> denotes the type of comparison to be done. The supported comparison symbols are <code><</code>, <code>></code>, <code>=</code>.</p>
</li>
<li>
<p><code>Comparison_value</code> is a required field which must be a numeric hex or decimal value. If all other conditions are met, the byte compare subsig will evalutate the extracted byte sequence against this number based on the provided <code>comparison_symbol</code>.</p>
</li>
</ul>
</li>
</ul>
<h3 id="pcre-subsignatures"><a class="header" href="#pcre-subsignatures">PCRE subsignatures</a></h3>
<p>Introduced in ClamAV 0.99</p>
<p>Format: <code>Trigger/PCRE/[Flags]</code></p>
<p>PCRE subsignatures are used within a logical signature (<code>.ldb</code>) to specify regex matches that execute once triggered by a conditional based on preceding subsignatures. Signatures using PCRE subsignatures require <code>Engine:81-255</code> for backwards-compatibility.</p>
<ul>
<li>
<p><code>Trigger</code> is a required field that is a valid <code>LogicalExpression</code> and may refer to any subsignatures that precede this subsignature. Triggers cannot be self-referential and cannot refer to subsequent subsignatures.</p>
</li>
<li>
<p><code>PCRE</code> is the expression representing the regex to execute. ClamAV identifies the regex string by searching from the beginning of the subsignature for the start-<code>/</code> and searching from the end for the end-<code>/</code>. You may <code>\</code>-escape any use of <code>/</code> within the regex string, but it is not required. For backward compatibility, <code>;</code> within the expression must be expressed as <code>\x3B</code>. The regex string cannot be empty and <code>(?UTF\*)</code> control sequences are not allowed. If debug messages are enabled (i.e. <code>clamscan --debug</code>), then named capture groups are displayed in a post-execution report.</p>
</li>
<li>
<p><code>Flags</code> are a series of characters which affect the compilation and execution of <code>PCRE</code> within the PCRE compiler and the ClamAV engine. This field is optional.</p>
<ul>
<li>
<p><code>g [CLAMAV_GLOBAL]</code> specifies to search for ALL matches of PCRE (default is to search for first match). NOTE: INCREASES the time needed to run the PCRE.</p>
</li>
<li>
<p><code>r [CLAMAV_ROLLING]</code> specifies to use the given offset as the starting location to search for a match as opposed to the only location; applies to subsigs without maxshifts. By default, in order to facilatate normal ClamAV offset behavior, PCREs are auto-anchored (only attempt match on first offset); using the rolling option disables the auto-anchoring.</p>
</li>
<li>
<p><code>e [CLAMAV_ENCOMPASS]</code> specifies to CONFINE matching between the specified offset and maxshift; applies only when maxshift is specified.</p>
<blockquote>
<p><em>Note</em>: DECREASES time needed to run the PCRE.</p>
</blockquote>
</li>
<li>
<p><code>i [PCRE_CASELESS]</code></p>
</li>
<li>
<p><code>s [PCRE_DOTALL]</code></p>
</li>
<li>
<p><code>m [PCRE_MULTILINE]</code></p>
</li>
<li>
<p><code>x [PCRE_EXTENDED]</code></p>
</li>
<li>
<p><code>A [PCRE_ANCHORED]</code></p>
</li>
<li>
<p><code>E [PCRE_DOLLAR_ENODNLY]</code></p>
</li>
<li>
<p><code>U [PCRE_UNGREEDY]</code></p>
</li>
</ul>
</li>
</ul>
<p>Examples:</p>
<pre><code>Find.All.ClamAV;Engine:81-255,Target:0;1;6265676c6164697427736e6f7462797465636f6465;0/clamav/g
Find.ClamAV.OnlyAt.299;Engine:81-255,Target:0;2;7374756c747a67657473;7063726572656765786c6f6c;299:0&1/clamav/
Find.ClamAV.StartAt.300;Engine:81-255,Target:0;3;616c61696e;62756731393238;636c6f736564;300:0&1&2/clamav/r
Find.All.Encompassed.ClamAV;Engine:81-255,Target:0;3;7768796172656e2774;796f757573696e67;79617261;200,300:0&1&2/clamav/ge
Named.CapGroup.Pcre;Engine:81-255,Target:0;3;636f75727479617264;616c62756d;74657272696572;50:0&1&2/variable=(?&lt;nilshell&gt;.{16})end/gr
Firefox.TreeRange.UseAfterFree;Engine:81-255,Target:0,Engine:81-255;0&1&2;2e766965772e73656c656374696f6e;2e696e76616c696461746553656c656374696f6e;0&1/\x2Eview\x2Eselection.*?\x2Etree\s*\x3D\s*null.*?\x2Einvalidate/smi
Firefox.IDB.UseAfterFree;Engine:81-255,Target:0;0&1;4944424b657952616e6765;0/^\x2e(only|lowerBound|upperBound|bound)\x28.*?\x29.*?\x2e(lower|upper|lowerOpen|upperOpen)/smi
Firefox.boundElements;Engine:81-255,Target:0;0&1&2;6576656e742e6
26f756e64456c656d656e7473;77696e646f772e636c6f7365;0&1/on(load|click)\s*=\s*\x22?window\.close\s*\x28/si
</code></pre>
<h3 id="image-fuzzy-hash-subsignatures"><a class="header" href="#image-fuzzy-hash-subsignatures">Image Fuzzy Hash subsignatures</a></h3>
<p>Introduced in ClamAV 0.105</p>
<p>Format: <code>fuzzy_img#<hash>#<dist></code></p>
<p>For example if you wanted to match on this image...</p>
<p><img src="manual/Signatures/../../images/cisco.png" alt="logo.png" /></p>
<p>...you would make a signature like this:</p>
<pre><code>logo.png;Engine:150-255,Target:0;0;fuzzy_img#af2ad01ed42993c7#0
</code></pre>
<p>Image fuzzy hash signatures in 0.105 do not support matching with a hamming distance greater than zero. Support for matching with a hamming distance may be added in a future release. The signatures above explicitly set the hamming distance to <code>0</code>. But you could also omit it, like this:</p>
<pre><code>logo.png;Engine:150-255,Target:0;0;fuzzy_img#af2ad01ed42993c7
</code></pre>
<p>You can combine the image fuzzy hash subsignature with other logical signature features, like adding additional subsignatures:</p>
<pre><code>logo.png-2;Engine:150-255,Target:0;0&1;49484452;fuzzy_img#af2ad01ed42993c7
</code></pre>
<p>or container types:</p>
<pre><code>logo.png;Engine:150-255,Target:0,Container:CL_TYPE_HTML;0;fuzzy_img#af2ad01ed42993c7
logo.png;Engine:150-255,Target:0,Container:CL_TYPE_MAIL;0;fuzzy_img#af2ad01ed42993c7
</code></pre>
<p>ClamAV's image fuzzy hash is very close to, but not 100% identical to, the fuzzy hash generated by the Python <code>imagehash</code> package's <code>phash()</code> function. Note that these are only clean-room approximations of the pHash™️ algorithm. ClamAV's image fuzzy hashes are not expected to match the fuzzy hashes generated using other tools. Some images may match, while others do not.</p>
<p>You must use ClamAV to generate the fuzzy hash for the most reliable results. A <code>sigtool</code> option does not yet exist to generate a ClamAV image fuzzy hash. So, to generate the image fuzzy hash you can run this command:</p>
<pre><code class="language-bash">clamscan --gen-json --debug /path/to/file
</code></pre>
<p>The hash will appear in the JSON above the "SCAN SUMMARY" under the object named "ImageFuzzyHash".</p>
<h2 id="signatures-for-version-information-vi-metadata-in-pe-files"><a class="header" href="#signatures-for-version-information-vi-metadata-in-pe-files">Signatures for Version Information (VI) metadata in PE files</a></h2>
<p>Starting with ClamAV 0.96 it is possible to easily match certain information built into PE files (executables and dynamic link libraries). Whenever you lookup the properties of a PE executable file in windows, you are presented with a bunch of details about the file itself.</p>
<p>These info are stored in a special area of the file resources which goes under the name of <code>VS_VERSION_INFORMATION</code> (or versioninfo for short). It is divided into 2 parts. The first part (which is rather uninteresting) is really a bunch of numbers and flags indicating the product and file version. It was originally intended for use with installers which, after parsing it, should be able to determine whether a certain executable or library are to be upgraded/overwritten or are already up to date. Suffice to say, this approach never really worked and is generally never used.</p>
<p>The second block is much more interesting: it is a simple list of key/value strings, intended for user information and completely ignored by the OS. For example, if you look at ping.exe you can see the company being <em>"Microsoft Corporation"</em>, the description <em>"TCP/IP Ping command"</em>, the internal name <em>"ping.exe"</em> and so on... Depending on the OS version, some keys may be given peculiar visibility in the file properties dialog, however they are internally all the same.</p>
<p>To match a versioninfo key/value pair, the special file offset anchor <code>VI</code> was introduced. This is similar to the other anchors (like <code>EP</code> and <code>SL</code>) except that, instead of matching the hex pattern against a single offset, it checks it against each and every key/value pair in the file. The <code>VI</code> token doesn’t need nor accept a <code>+/-</code> offset like e.g. <code>EP+1</code>. As for the hex signature itself, it’s just the utf16 dump of the key and value. Only the <code>??</code> and <code>(aa|bb)</code> wildcards are allowed in the signature. Usually, you don’t need to bother figuring it out: each key/value pair together with the corresponding VI-based signature is printed by <code>clamscan</code> when the <code>--debug</code> option is given.</p>
<p>For example <code>clamscan --debug freecell.exe</code> produces:</p>
<pre><code>[...]
Recognized MS-EXE/DLL file
in cli_peheader
versioninfo_cb: type: 10, name: 1, lang: 410, rva: 9608
cli_peheader: parsing version info @ rva 9608 (1/1)
VersionInfo (d2de): 'CompanyName'='Microsoft Corporation' -
VI:43006f006d00700061006e0079004e0061006d006500000000004d006900
630072006f0073006f0066007400200043006f00720070006f0072006100740
069006f006e000000
VersionInfo (d32a): 'FileDescription'='Entertainment Pack
FreeCell Game' - VI:460069006c006500440065007300630072006900700
0740069006f006e000000000045006e007400650072007400610069006e006d
0065006e00740020005000610063006b0020004600720065006500430065006
c006c002000470061006d0065000000
VersionInfo (d396): 'FileVersion'='5.1.2600.0 (xpclient.010817
-1148)' - VI:460069006c006500560065007200730069006f006e00000000
0035002e0031002e0032003600300030002e003000200028007800700063006
c00690065006e0074002e003000310030003800310037002d00310031003400
380029000000
VersionInfo (d3fa): 'InternalName'='freecell' - VI:49006e007400
650072006e0061006c004e0061006d006500000066007200650065006300650
06c006c000000
VersionInfo (d4ba): 'OriginalFilename'='freecell' - VI:4f007200
6900670069006e0061006c00460069006c0065006e0061006d0065000000660
0720065006500630065006c006c000000
VersionInfo (d4f6): 'ProductName'='Sistema operativo Microsoft
Windows' - VI:500072006f0064007500630074004e0061006d00650000000
000530069007300740065006d00610020006f00700065007200610074006900
76006f0020004d006900630072006f0073006f0066007400ae0020005700690
06e0064006f0077007300ae000000
VersionInfo (d562): 'ProductVersion'='5.1.2600.0' - VI:50007200
6f006400750063007400560065007200730069006f006e00000035002e00310
02e0032003600300030002e0030000000
[...]
</code></pre>
<p>Although VI-based signatures are intended for use in logical signatures you can test them using ordinary <code>.ndb</code> files. For example:</p>
<pre><code>my_test_vi_sig:1:VI:paste_your_hex_sig_here
</code></pre>
<p>Final note. If you want to decode a VI-based signature into a human readable form you can use:</p>
<pre><code class="language-bash">echo hex_string | xxd -r -p | strings -el
</code></pre>
<p>For example:</p>
<pre><code class="language-bash">echo 460069006c0065004400650073006300720069007000740069006f006e000000000045006e007400650072007400610069006e006d0065006e00740020005000610063006b0020004600720065006500430065006c006c00200047006100
6d0065000000 | xxd -r -p | strings -el
FileDescription
Entertainment Pack FreeCell Game
</code></pre>
<h2 id="icon-signatures-for-pe-files"><a class="header" href="#icon-signatures-for-pe-files">Icon Signatures for PE files</a></h2>
<p>While Icon Signatures are stored in a <code>.idb</code> file, they are a feature of Logical Signatures.</p>
<p>ClamAV 0.96 includes an approximate/fuzzy icon matcher to help detecting malicious executables disguising themselves as innocent looking image files, office documents and the like.</p>
<p>Icon matching is only triggered by Logical Signatures (<code>.ldb</code>) using the special attribute tokens <code>IconGroup1</code> or <code>IconGroup2</code>. These identify two (optional) groups of icons defined in a <code>.idb</code> database file. The format of the <code>.idb</code> file is:</p>
<pre><code>ICONNAME:GROUP1:GROUP2:ICON_HASH
</code></pre>
<p>where:</p>
<ul>
<li>
<p><code>ICON_NAME</code> is a unique string identifier for a specific icon,</p>
</li>
<li>
<p><code>GROUP1</code> is a string identifier for the first group of icons (<code>IconGroup1</code>)</p>
</li>
<li>
<p><code>GROUP2</code> is a string identifier for the second group of icons (<code>IconGroup2</code>),</p>
</li>
<li>
<p><code>ICON_HASH</code> is a fuzzy hash of the icon image</p>
</li>
</ul>
<p>The <code>ICON_HASH</code> field can be obtained from the debug output of libclamav. For example:</p>
<pre><code>LibClamAV debug: ICO SIGNATURE:
ICON_NAME:GROUP1:GROUP2:18e2e0304ce60a0cc3a09053a30000414100057e000afe0000e 80006e510078b0a08910d11ad04105e0811510f084e01040c080a1d0b0021000a39002a41
</code></pre>
<div style="break-before: page; page-break-before: always;"></div><h1 id="extended-signature-format"><a class="header" href="#extended-signature-format">Extended signature format</a></h1>
<p>The extended signature format is ClamAV's most basic type of body-based signature since the deprecation of the original <code>.db</code> database format.</p>
<p>Extended sigantures allow for specification of additional information beyond just hexidecimal content such as a file "target type", virus offset, or engine functionality level (FLEVEL), making the detection more reliable.</p>
<p>The format is:</p>
<pre><code>MalwareName:TargetType:Offset:HexSignature[:min_flevel:[max_flevel]]
</code></pre>
<p><code>MalwareName</code>: The virus name. Should conform to the standards defined <a href="manual/Signatures/../Signatures.html#signature-names">here</a>.</p>
<p><code>TargetType</code>: A number specifying the type of the target file: <a href="manual/Signatures/../../appendix/FileTypes.html#Target-Types">Target Types</a></p>
<p><code>Offset</code>: An asterisk or a decimal number <code>n</code> possibly combined with a special modifier:</p>
<ul>
<li><code>*</code> = any</li>
<li><code>n</code> = absolute offset</li>
<li><code>EOF-n</code> = end of file minus <code>n</code> bytes</li>
</ul>
<p>Signatures for PE, ELF and Mach-O files additionally support:</p>
<ul>
<li><code>EP+n</code> = entry point plus n bytes (<code>EP+0</code> for <code>EP</code>)</li>
<li><code>EP-n</code> = entry point minus n bytes</li>
<li><code>Sx+n</code> = start of section <code>x</code>’s (counted from 0) data plus <code>n</code> bytes</li>
<li><code>SEx</code> = entire section <code>x</code> (offset must lie within section boundaries)</li>
<li><code>SL+n</code> = start of last section plus <code>n</code> bytes</li>
</ul>
<p>All the above offsets except <code>*</code> can be turned into <strong>floating offsets</strong> and represented as <code>Offset,MaxShift</code> where <code>MaxShift</code> is an unsigned integer. A floating offset will match every offset between <code>Offset</code> and <code>Offset+MaxShift</code>, eg. <code>10,5</code> will match all offsets from 10 to 15 and <code>EP+n,y</code> will match all offsets from <code>EP+n</code> to <code>EP+n+y</code>. Versions of ClamAV older than 0.91 will silently ignore the <code>MaxShift</code> extension and only use <code>Offset</code>. Optional <code>MinFL</code> and <code>MaxFL</code> parameters can restrict the signature to specific engine releases. All signatures in the extended format must be placed inside <code>*.ndb</code> files.</p>
<p><code>HexSignature</code>: The body-based content matching <a href="manual/Signatures/BodySignatureFormat.html">format</a>.</p>
<p><code>min_flevel</code>: (optional) The minimum ClamAV engine that the file type signature works with. See the <a href="manual/Signatures/../../appendix/FunctionalityLevels.html">FLEVEL reference</a> for details. To be used in the event that file type support has been recently added.</p>
<p><code>max_flevel</code>: (optional, requires <code>min_flevel</code>) The maximum ClamAV engine that the file type signature works with. To be used in the event that file type support has been recently removed.</p>
<div style="break-before: page; page-break-before: always;"></div><h1 id="using-yara-rules-in-clamav"><a class="header" href="#using-yara-rules-in-clamav">Using YARA rules in ClamAV</a></h1>
<p>ClamAV can process YARA rules. ClamAV virus database file names ending with <code>.yar</code> or <code>.yara</code> are parsed as YARA rule files. The link to the YARA rule grammar documentation may be found at <a href="https://virustotal.github.io/yara/">https://virustotal.github.io/yara/</a>. There are currently a few limitations on using YARA rules within ClamAV:</p>
<ul>
<li>
<p>YARA modules are not yet supported by ClamAV. This includes the “import” keyword and any YARA module-specific keywords.</p>
</li>
<li>
<p>Global rules (<code>global</code> keyword) are not supported by ClamAV.</p>
</li>
<li>
<p>External variables(<code>contains</code> and <code>matches</code> keywords) are not supported.</p>
</li>
<li>
<p>YARA rules pre-compiled with the <code>yarac</code> command are not supported.</p>
</li>
<li>
<p>As in the ClamAV logical and extended signature formats, YARA strings and segments of strings separated by wild cards must represent at least two octets of data.</p>
</li>
<li>
<p>There is a maximum of 64 strings per YARA rule.</p>
</li>
<li>
<p>YARA rules in ClamAV must contain at least one literal, hexadecimal, or regular expression string.</p>
</li>
</ul>
<p>In addition, there are a few more ClamAV processing modes that may affect the outcome of YARA rules.</p>
<ul>
<li>
<p><em>File decomposition and decompression</em> - Since ClamAV uses file decomposition and decompression to find viruses within de-archived and uncompressed inner files, YARA rules executed by ClamAV will match against these files as well.</p>
</li>
<li>
<p><em>Normalization</em> - By default, ClamAV normalizes HTML, JavaScript, and ASCII text files. YARA rules in ClamAV will match against the normalized result. The effects of normalization of these file types may be captured using <code>clamscan --leave-temps --tempdir=mytempdir</code>. YARA rules may then be written using the normalized file(s) found in <code>mytempdir</code>. Alternatively, starting with ClamAV 0.100.0, <code>clamscan --normalize=no</code> will prevent normalization and only scan the raw file. To obtain similar behavior prior to 0.99.2, use <code>clamscan --scan-html=no</code>. The corresponding parameters for clamd.conf are <code>Normalize</code> and <code>ScanHTML</code>.</p>
</li>
<li>
<p><em>YARA conditions driven by string matches</em> - All YARA conditions are driven by string matches in ClamAV. This saves from executing every YARA rule on every file. Any YARA condition may be augmented with a string match clause which is always true, such as:</p>
</li>
</ul>
<pre><code class="language-perl">rule CheckFileSize
{
strings:
$abc = "abc"
condition:
($abc or not $abc) and filesize < 200KB
}
</code></pre>
<p>This will ensure that the YARA condition always performs the desired action (checking the file size in this example),</p>
<div style="break-before: page; page-break-before: always;"></div><h1 id="phishing-signatures"><a class="header" href="#phishing-signatures">Phishing Signatures</a></h1>
<p>ClamAV can detect HTML links that look suspicious when the display text is a URL that is a different domain than than in the actual URL. Unfortunately, it is pretty common for a company to contract out web services and to use HTML link display text to make it look like it is a link to the company website. Because this practice is commonplace, ClamAV only does phishing checks for specific websites that are popularly targeted by phishing campaigns. Signatures to identify domains that should be monitored for phishing attempts are listed in ClamAV <code>PDB</code> database files, such as <code>daily.pdb</code>, a file found in the <code>daily.cvd</code> archive. </p>
<p>Unfortunately, many websites listed in the <code>PDB</code> phishing database also send emails with links that display a different domain than is in the actual link. To mitigate false positive detections in non-malicious links, ClamAV has allow list signatures in ClamAV <code>WDB</code> database files, such as <code>daily.wdb</code>, another file found in the <code>daily.cvd</code> archive. </p>
<p>To help you identify what triggered a heuristic phishing alert, <code>clamscan</code> or <code>clamd</code> will print a message indicating the "Display URL" and "Real URL" involved in a heuristic phishing alert. </p>
<p>For example, suppose that <code>amazon.com</code> were listed in ClamAV's loaded PDB database, you might observe this message before the alert when scanning an email with a link that claims to be for <code>https://www.amazon.com/</code> but is in fact linking to <code>https://someshadywebsite.example.com/</code>:</p>
<pre><code>LibClamAV info: Suspicious link found!
LibClamAV info: Real URL: https://someshadywebsite.example.com
LibClamAV info: Display URL: https://www.amazon.com
/path/to/suspicious/email.eml: Heuristics.Phishing.Email.SpoofedDomain FOUND
</code></pre>
<p>Table of Contents</p>
<ul>
<li><a href="manual/Signatures/PhishSigs.html#phishing-signatures">Phishing Signatures</a>
<ul>
<li><a href="manual/Signatures/PhishSigs.html#database-file-format">Database file format</a>
<ul>
<li><a href="manual/Signatures/PhishSigs.html#pdb-format">PDB format</a></li>
<li><a href="manual/Signatures/PhishSigs.html#gdb-format">GDB format</a></li>
<li><a href="manual/Signatures/PhishSigs.html#wdb-format">WDB format</a></li>
<li><a href="manual/Signatures/PhishSigs.html#hints">Hints</a></li>
<li><a href="manual/Signatures/PhishSigs.html#examples-of-pdb-signatures">Examples of PDB signatures</a></li>
<li><a href="manual/Signatures/PhishSigs.html#examples-of-wdb-signatures">Examples of WDB signatures</a></li>
<li><a href="manual/Signatures/PhishSigs.html#example-for-how-the-url-extractor-works">Example for how the URL extractor works</a></li>
<li><a href="manual/Signatures/PhishSigs.html#how-matching-works">How matching works</a>
<ul>
<li><a href="manual/Signatures/PhishSigs.html#realurl-displayedurl-concatenation">RealURL, DisplayedURL concatenation</a></li>
<li><a href="manual/Signatures/PhishSigs.html#what-happens-when-a-match-is-found">What happens when a match is found</a></li>
<li><a href="manual/Signatures/PhishSigs.html#extraction-of-realurl-displayedurl-from-html-tags">Extraction of <code>RealURL</code>, <code>DisplayedURL</code> from HTML tags</a></li>
<li><a href="manual/Signatures/PhishSigs.html#example">Example</a></li>
</ul>
</li>
<li><a href="manual/Signatures/PhishSigs.html#simple-patterns">Simple patterns</a></li>
<li><a href="manual/Signatures/PhishSigs.html#regular-expressions">Regular expressions</a></li>
<li><a href="manual/Signatures/PhishSigs.html#flags">Flags</a></li>
</ul>
</li>
<li><a href="manual/Signatures/PhishSigs.html#introduction-to-regular-expressions">Introduction to regular expressions</a>
<ul>
<li><a href="manual/Signatures/PhishSigs.html#special-characters">Special characters</a></li>
<li><a href="manual/Signatures/PhishSigs.html#character-classes">Character classes</a></li>
<li><a href="manual/Signatures/PhishSigs.html#escaping">Escaping</a></li>
<li><a href="manual/Signatures/PhishSigs.html#alternation">Alternation</a></li>
<li><a href="manual/Signatures/PhishSigs.html#optional-matching-and-repetition">Optional matching, and repetition</a></li>
<li><a href="manual/Signatures/PhishSigs.html#groups">Groups</a></li>
</ul>
</li>
<li><a href="manual/Signatures/PhishSigs.html#how-to-create-database-files">How to create database files</a>
<ul>
<li><a href="manual/Signatures/PhishSigs.html#how-to-create-and-maintain-the-allow-list-dailywdb">How to create and maintain the allow list (daily.wdb)</a></li>
<li><a href="manual/Signatures/PhishSigs.html#how-to-create-and-maintain-the-domain-list-dailypdb">How to create and maintain the domain list (daily.pdb)</a></li>
<li><a href="manual/Signatures/PhishSigs.html#dealing-with-false-positives-and-undetected-phishing-mails">Dealing with false positives, and undetected phishing mails</a>
<ul>
<li><a href="manual/Signatures/PhishSigs.html#false-positives">False positives</a></li>
<li><a href="manual/Signatures/PhishSigs.html#undetected-phish-mails">Undetected phish mails</a></li>
</ul>
</li>
</ul>
</li>
</ul>
</li>
</ul>
<h2 id="database-file-format"><a class="header" href="#database-file-format">Database file format</a></h2>
<h3 id="pdb-format"><a class="header" href="#pdb-format">PDB format</a></h3>
<p>This file contains urls/hosts that should be monitored for phishing attempts.
It contains lines in the following format:</p>
<pre><code>R:DisplayedURL[:FuncLevelSpec]
H:DisplayedHostname[:FuncLevelSpec]
</code></pre>
<ul>
<li>
<p><code>R</code></p>
<p>Regular expression, for the concatenated URL. The last 3 characters of the regular expression cannot regex special characters and much be an exact match.</p>
</li>
<li>
<p><code>H</code></p>
<p>Matches the <code>DisplayedHostname</code> as a simple pattern (literally, no regular expression).</p>
<ul>
<li>
<p>The pattern can match either the full hostname.</p>
</li>
<li>
<p>Or a subdomain of the specified hostname.</p>
</li>
<li>
<p>To avoid false matches in case of subdomain matches, the engine checks that there is a dot(<code>.</code>) or a space(<code> </code>) before the matched portion.</p>
</li>
</ul>
</li>
<li>
<p><code>RealURL</code></p>
<p>Is the URL the user is sent to, example: <code>href</code> attribute of an html anchor (<code><a></code> tag).</p>
</li>
<li>
<p><code>DisplayedURL</code></p>
<p>Is the URL description displayed to the user, where its <em>claimed</em> they are sent, example: contents of an html anchor (<code><a></code> tag).</p>
</li>
<li>
<p><code>DisplayedHostname</code></p>
<p>Is the hostname portion of the <code>DisplayedURL</code>.</p>
</li>
<li>
<p><code>FuncLevelSpec</code></p>
<p>An (optional) functionality level, 2 formats are possible:</p>
<ul>
<li>
<p><code>minlevel</code> all engines having functionality level <code>>= minlevel</code> will load this line.</p>
</li>
<li>
<p><code>minlevel-maxlevel</code> engines with functionality level <code>>= minlevel</code>, and <code>< maxlevel</code> will load this line.</p>
</li>
</ul>
</li>
</ul>
<h3 id="gdb-format"><a class="header" href="#gdb-format">GDB format</a></h3>
<p>This file contains URL hashes in the following format:</p>
<pre><code>S:P:HostPrefix[:FuncLevelSpec]
S:F:Sha256hash[:FuncLevelSpec]
S1:P:HostPrefix[:FuncLevelSpec]
S1:F:Sha256hash[:FuncLevelSpec]
S2:P:HostPrefix[:FuncLevelSpec]
S2:F:Sha256hash[:FuncLevelSpec]
S:W:Sha256hash[:FuncLevelSpec]
</code></pre>
<ul>
<li>
<p><code>S:</code></p>
<p>These are hashes for Google Safe Browsing - malware sites, and should not be used for other purposes.</p>
</li>
<li>
<p><code>S2:</code></p>
<p>These are hashes for Google Safe Browsing - phishing sites, and should not be used for other purposes.</p>
</li>
<li>
<p><code>S1:</code></p>
<p>Hashes for blocking phishing sites. Virus name: <code>Phishing.URL.Blocked</code>.</p>
</li>
<li>
<p><code>S:W:</code></p>
<p>Locally allowed hashes.</p>
</li>
<li>
<p><code>HostPrefix</code></p>
<p>4-byte prefix of the sha256 hash of the last 2 or 3 components of the hostname. If prefix doesn’t match, no further lookups are performed.</p>
</li>
<li>
<p><code>Sha256hash</code></p>
<p>sha256 hash of the canonicalized URL, or a sha256 hash of its prefix/suffix according to the Google Safe Browsing “Performing Lookups” rules. There should be a corresponding <code>:P:HostkeyPrefix</code> entry for the hash to be taken into consideration.</p>
</li>
</ul>
<p>To see which hash/URL matched, look at the <code>clamscan --debug</code> output, and look for the following strings: <code>Looking up hash</code>, <code>prefix matched</code>, and <code>Hash matched</code>. To ignore .gdb entries, create a local.gdb file, and adding a line <code>S:W:<HASH></code>.</p>
<h3 id="wdb-format"><a class="header" href="#wdb-format">WDB format</a></h3>
<p>This file contains url pairs for links that may look suspicious but are safe and should be allowed. It contains lines in the following format:</p>
<pre><code>X:RealURL:DisplayedURL[:FuncLevelSpec]
M:RealHostname:DisplayedHostname[:FuncLevelSpec]
</code></pre>
<ul>
<li>
<p><code>X</code></p>
<p>Regular expression, for the <em>entire URL</em>, not just the hostname.</p>
<ul>
<li>
<p>The regular expression is by default anchored to start-of-line and end-of-line, as if you have used <code>^RegularExpression$</code></p>
</li>
<li>
<p>A trailing <code>/</code> is automatically added both to the regex, and the input string to avoid false matches.</p>
</li>
<li>
<p>The regular expression matches the <em>concatenation</em> of the <code>RealURL</code>, a colon(<code>:</code>), and the <code>DisplayedURL</code> as a single string. It doesn’t separately match <code>RealURL</code> and <code>DisplayedURL</code>!</p>
</li>
<li>
<p>The last 3 characters of the regular expression cannot regex special characters and much be an exact match.</p>
</li>
</ul>
</li>
<li>
<p><code>M</code></p>
<p>Matches hostname, or subdomain of it, see notes for H above.</p>
</li>
</ul>
<h3 id="hints"><a class="header" href="#hints">Hints</a></h3>
<ul>
<li>
<p>Empty lines are ignored</p>
</li>
<li>
<p>The colons are mandatory</p>
</li>
<li>
<p>Don’t leave extra spaces on the end of a line!</p>
</li>
<li>
<p>If any of the lines don’t conform to this format, ClamAV will abort with a Malformed Database Error</p>
</li>
<li>
<p>See section <a href="manual/Signatures/PhishSigs.html#Extraction-of-RealURL,-DisplayedURL-from-HTML-tags">Extraction-of-RealURL</a> for more details on <code>RealURL</code>/<code>DisplayedURL</code></p>
</li>
</ul>
<h3 id="examples-of-pdb-signatures"><a class="header" href="#examples-of-pdb-signatures">Examples of PDB signatures</a></h3>
<p>To check for phishing mails that target <code>amazon.com</code>, or subdomains of <code>amazon.com</code>:</p>
<pre><code>H:amazon.com
</code></pre>
<p>To do the same, but for <code>amazon.co.uk</code>:</p>
<pre><code>H:amazon.co.uk
</code></pre>
<p>Alternatively, you could use a regex PDB signature to check both:</p>
<pre><code>R:.+\.amazon\.(com|co\.uk)([/?].*)?
</code></pre>
<p>You can limit the signatures to certain <a href="manual/Signatures/../../appendix/FunctionalityLevels.html">engine versions</a>. For example...</p>
<ol>
<li>
<p>Restrict so that engine versions 20 through 30 can load it, but not 31+:</p>
<pre><code>H:amazon.co.uk:20-30
</code></pre>
</li>
<li>
<p>Restrict so that engine versions <code>>= 20</code> can load it:</p>
<pre><code>H:amazon.co.uk:20-
</code></pre>
</li>
<li>
<p>Restrict so that engine versions <code><= 20</code> can load it:</p>
<pre><code>H:amazon.co.uk:0-20
</code></pre>
</li>
</ol>
<p>In a real situation, you’d probably use the second form. A situation like that would be if you are using a feature of the signatures not available in earlier versions, or if earlier versions have bugs with your signature. Its neither case here, the above examples are for illustrative purposes only.</p>
<h3 id="examples-of-wdb-signatures"><a class="header" href="#examples-of-wdb-signatures">Examples of WDB signatures</a></h3>
<p>To allow Amazon’s country specific domains and <code>amazon.com</code>, to mix domain names in <code>DisplayedURL</code>, and <code>RealURL</code>:</p>
<pre><code>X:.+\.amazon\.(at|ca|co\.uk|co\.jp|de|fr)([/?].*)?:.+\.amazon\.com([/?].*)?:17-
</code></pre>
<p>Explanation of this signature:</p>
<ul>
<li>
<p><code>X:</code></p>
<p>this is a regular expression</p>
</li>
<li>
<p><code>:17-</code></p>
<p>load signature only for engines with <a href="manual/Signatures/../../appendix/FunctionalityLevels.html">functionality level</a> >= 17</p>
</li>
</ul>
<p>The regular expression is the following (<code>X:</code>, <code>:17-</code> stripped, and a <code>/</code> appended)</p>
<pre><code>.+\.amazon\.(at|ca|co\.uk|co\.jp|de|fr)([/?].*)?:.+\.amazon\.com([/?].*)?/
</code></pre>
<p>Explanation of this regular expression (note that it is a single regular expression, and not 2 regular expressions splitted at the <code>:</code>).</p>
<ul>
<li>
<p><code>.+</code></p>
<p>any subdomain of</p>
</li>
<li>
<p><code>\.amazon\.</code></p>
<p>domain we are allowing (<code>RealURL</code> part)</p>
</li>
<li>
<p><code>(at|ca|co\.uk|co\.jp|de|fr)</code></p>
<p>country-domains: at, ca, co.uk, co.jp, de, fr</p>
</li>
<li>
<p><code>([/?].*)?</code></p>
<p>recomended way to end the real-url, this protects against embedded URLs (<code>evilurl.example.com/amazon.co.uk/</code>)</p>
</li>
<li>
<p><code>:</code></p>
<p><code>RealURL</code> and <code>DisplayedURL</code> are concatenated via a <code>:</code>, so match a literal <code>:</code> here</p>
</li>
<li>
<p><code>.+</code></p>
<p>any subdomain of</p>
</li>
<li>
<p><code>\.amazon\.com</code></p>
<p>allowed <code>DisplayedURL</code></p>
</li>
<li>
<p><code>([/?].*)?</code></p>
<p>recommended way to end displayed url part, to protect against embedded URLs</p>
</li>
<li>
<p><code>/</code></p>
<p>automatically added to further protect against embedded URLs</p>
</li>
</ul>
<p>When you add an entry, make sure you check that both domains are owned by the same entity. This signature allows links claiming to point to amazon.com (<code>DisplayedURL</code>), when in fact they really go to a country-specific domain of amazon (<code>RealURL</code>).</p>
<h3 id="example-for-how-the-url-extractor-works"><a class="header" href="#example-for-how-the-url-extractor-works">Example for how the URL extractor works</a></h3>
<p>Consider the following HTML file:</p>
<pre><code class="language-html"><html>
<a href="http://1.realurl.example.com/">
1.displayedurl.example.com
</a>
<a href="http://2.realurl.example.com">
2 d<b>i<p>splayedurl.e</b>xa<i>mple.com
</a>
<a href="http://3.realurl.example.com">
3.nested.example.com
<a href="http://4.realurl.example.com">
4.displayedurl.example.com
</a>
</a>
<form action="http://5.realurl.example.com">
sometext
<img src="http://5.displayedurl.example.com/img0.gif"/>
<a href="http://5.form.nested.displayedurl.example.com">
5.form.nested.link-displayedurl.example.com
</a>
</form>
<a href="http://6.realurl.example.com">
6.displ
<img src="6.displayedurl.example.com/img1.gif"/>
ayedurl.example.com
</a>
<a href="http://7.realurl.example.com">
<iframe src="http://7.displayedurl.example.com">
</a>
</code></pre>
<p>The phishing engine extract the following
<code>RealURL</code>/<code>DisplayedURL</code> pairs from it:</p>
<pre><code>http://1.realurl.example.com/
1.displayedurl.example.com
http://2.realurl.example.com
2displayedurl.example.com
http://3.realurl.example.com
3.nested.example.com
http://4.realurl.example.com
4.displayedurl.example.com
http://5.realurl.example.com
http://5.displayedurl.example.com/img0.gif
http://5.realurl.example.com
http://5.form.nested.displayedurl.example.com
http://5.form.nested.displayedurl.example.com
5.form.nested.link-displayedurl.example.com
http://6.realurl.example.com
6.displayedurl.example.com
http://6.realurl.example.com
6.displayedurl.example.com/img1.gif
</code></pre>
<h3 id="how-matching-works"><a class="header" href="#how-matching-works">How matching works</a></h3>
<h4 id="realurl-displayedurl-concatenation"><a class="header" href="#realurl-displayedurl-concatenation">RealURL, DisplayedURL concatenation</a></h4>
<p>The phishing detection module processes pairs of RealURL/DisplayedURL. Matching against <code>daily.wdb</code> is done as follows: the RealURL is concatenated with a <code>:</code>, and with the DisplayedURL, then that <em>line</em> is matched against the lines in <code>daily.wdb</code>/<code>daily.pdb</code></p>
<p>So if you have this line in <code>daily.wdb</code>:</p>
<pre><code>M:www.google.ro:www.google.com
</code></pre>
<p>This href: <code><a href='http://www.google.ro'>www.google.com</a></code> then it will be allowed, but: <code><a href='http://images.google.com'>www.google.com</a></code> will not.</p>
<h4 id="what-happens-when-a-match-is-found"><a class="header" href="#what-happens-when-a-match-is-found">What happens when a match is found</a></h4>
<p>In the case of the allow list, a match means that the RealURL/DisplayedURL combination is considered clean, and no further checks are performed on it.</p>
<p>In the case of the domain list, a match means that the RealURL/DisplayedURL is going to be checked for phishing attempts.</p>
<p>Furthermore you can restrict what checks are to be performed by specifying the 3-digit hexnumber.</p>
<h4 id="extraction-of-realurl-displayedurl-from-html-tags"><a class="header" href="#extraction-of-realurl-displayedurl-from-html-tags">Extraction of <code>RealURL</code>, <code>DisplayedURL</code> from HTML tags</a></h4>
<p>The html parser extracts pairs of <code>RealURL</code>/<code>DisplayedURL</code> based on the following rules.</p>
<p>After URLs have been extracted, they are normalized, and cut after the hostname. <code>http://test.example.com/path/somecgi?queryparameters</code> becomes <code>http://test.example.com/</code></p>
<ul>
<li>
<p><code>a</code></p>
<p>(anchor) the <code>href</code> is the <code>RealURL</code>, its <code>contents</code> is the <code>DisplayedURL</code></p>
<ul>
<li>
<p><code>contents</code></p>
<p>is the tag-stripped contents of the <code><a></code> tags, so for example <code><b></code> tags are stripped (but not their contents)</p>
</li>
</ul>
<p>nesting another <code><a></code> tag withing an <code><a></code> tag (besides being invalid html) is treated as a <code></a><a</code>...</p>
</li>
<li>
<p><code>form</code></p>
<p>the <code>action</code> attribute is the <code>RealURL</code>, and a nested <code><a></code> tag is the <code>DisplayedURL.</code></p>
</li>
<li>
<p><code>img/area</code></p>
<p>if nested within an <code><a></code> tag, the RealURL is the <code>href</code> of the a tag, and the <code>src</code>/<code>dynsrc</code>/<code>area</code> is the <code>DisplayedURL</code> of the <code>img</code></p>
<p>if nested withing a <code>form</code> tag, then the action attribute of the <code>form</code> tag is the <code>RealURL</code>.</p>
</li>
<li>
<p><code>iframe</code></p>
<p>if nested withing an <code><a></code> tag the <code>src</code> attribute is the <code>DisplayedURL</code>, and the <code>href</code> of its parent <code>a</code> tag is the <code>RealURL.</code></p>
<p>if nested withing a <code>form</code> tag, then the action attribute of the <code>form</code> tag is the <code>RealURL</code>.</p>
</li>
</ul>
<h4 id="example-1"><a class="header" href="#example-1">Example</a></h4>
<p>Consider this html file:</p>
<pre><code class="language-html"><a href=”evilurl”>www.paypal.com</a>
<a href=”evilurl2” title=”www.ebay.com”>click here to sign in</a>
<form action=”evilurl_form”>
Please sign in to <a href=”cgi.ebay.com”>Ebay</a>using this form
<input type=’text’ name=’username’>Username</input>
....
</form>
<a href=”evilurl”><img src=”images.paypal.com/secure.jpg”></a>
</code></pre>
<p>The resulting <code>RealURL</code>/<code>DisplayedURL</code> pairs will be (note that one tag can generate multiple pairs):</p>
<ul>
<li>
<p><code>evilurl</code> / <code>www.paypal.com</code></p>
</li>
<li>
<p><code>evilurl2</code> / <code>click here to sign in</code></p>
</li>
<li>
<p><code>evilurl2</code> / <code>www.ebay.com</code></p>
</li>
<li>
<p><code>evilurl_form</code> / <code>cgi.ebay.com</code></p>
</li>
<li>
<p><code>cgi.ebay.com</code> / <code>Ebay</code></p>
</li>
<li>
<p><code>evilurl</code> / <code>image.paypal.com/secure.jpg</code></p>
</li>
</ul>
<h3 id="simple-patterns"><a class="header" href="#simple-patterns">Simple patterns</a></h3>
<p>Simple patterns are matched literally, i.e. if you say:</p>
<pre><code>www.google.com
</code></pre>
<p>it is going to match <em>www.google.com</em>, and only that. The <em>. (dot)</em> character has no special meaning (see the section on regexes <a href="manual/Signatures/PhishSigs.html#sec:Regular-expressions">[sec:Regular-expressions]</a> for how the <em>.(dot)</em> character behaves there)</p>
<h3 id="regular-expressions"><a class="header" href="#regular-expressions">Regular expressions</a></h3>
<p>POSIX regular expressions are supported, and you can consider that internally it is wrapped by <em>^</em>, and <em>$.</em> In other words, this means that the regular expression has to match the entire concatenated (see section <a href="manual/Signatures/PhishSigs.html#RealURL,-DisplayedURL-concatenation">RealURL,-DisplayedURL-concatenation</a> for details on concatenation) url.</p>
<p>It is recomended that you read section <a href="manual/Signatures/PhishSigs.html#Introduction-to-regular">Introduction-to-regular</a> to learn how to write regular expressions, and then come back and read this for hints.</p>
<p>Be advised that clamav contains an internal, very basic regex matcher to reduce the load on the regex matching core. Thus it is recomended that you avoid using regex syntax not supported by it at the very beginning of regexes (at least the first few characters).</p>
<p>Currently the clamav regex matcher supports:</p>
<ul>
<li>
<p><code>.</code> (dot) character</p>
</li>
<li>
<p><code>\</code> (escaping special characters)</p>
</li>
<li>
<p><code>|</code> (pipe) alternatives</p>
</li>
<li>
<p><code>[]</code> (character classes)</p>
</li>
<li>
<p><code>()</code> (parenthesis for grouping, but no group extraction is performed)</p>
</li>
<li>
<p>other non-special characters</p>
</li>
</ul>
<p>Thus the following are not supported:</p>
<ul>
<li>
<p><code>+</code> repetition</p>
</li>
<li>
<p><code>*</code> repetition</p>
</li>
<li>
<p><code>{}</code> repetition</p>
</li>
<li>
<p>backreferences</p>
</li>
<li>
<p>lookaround</p>
</li>
<li>
<p>other “advanced” features not listed in the supported list ;)</p>
</li>
</ul>
<p>This however shouldn’t discourage you from using the “not directly supported features “, because if the internal engine encounters unsupported syntax, it passes it on to the POSIX regex core (beginning from the first unsupported token, everything before that is still processed by the internal matcher). An example might make this more clear:</p>
<pre><code class="language-re">*www\(\backslash\).google\(\backslash\).(com|ro|it) (\[a-zA-Z\])+\(\backslash\).google\(\backslash\).(com|ro|it)*
</code></pre>
<p>Everything till <code>(\[a-zA-Z\])+</code> is processed internally, that parenthesis (and everything beyond) is processed by the posix core.</p>
<p>Examples of url pairs that match:</p>
<ul>
<li>
<p><code>www.google.ro</code> <code>images.google.ro</code></p>
</li>
<li>
<p><code>www.google.com</code> <code>images.google.ro</code></p>
</li>
</ul>
<p>Example of url pairs that don’t match:</p>
<ul>
<li>
<p><code>www.google.ro</code> <code>images1.google.ro</code></p>
</li>
<li>
<p><code>images.google.com</code> <code>image.google.com</code></p>
</li>
</ul>
<h3 id="flags"><a class="header" href="#flags">Flags</a></h3>
<p>Flags are a binary OR of the following numbers:</p>
<table><thead><tr><th>Flag</th><th>Value</th></tr></thead><tbody>
<tr><td>HOST_SUFFICIENT</td><td>1</td></tr>
<tr><td>DOMAIN_SUFFICIENT</td><td>2</td></tr>
<tr><td>DO_REVERSE_LOOKUP</td><td>4</td></tr>
<tr><td>CHECK_REDIR</td><td>8</td></tr>
<tr><td>CHECK_SSL</td><td>16</td></tr>
<tr><td>CHECK_CLOAKING</td><td>32</td></tr>
<tr><td>CLEANUP_URL</td><td>64</td></tr>
<tr><td>CHECK_DOMAIN_REVERSE</td><td>128</td></tr>
<tr><td>CHECK_IMG_URL</td><td>256</td></tr>
<tr><td>DOMAINLIST_REQUIRED</td><td>512</td></tr>
</tbody></table>
<p>The names of the constants are self-explanatory.</p>
<p>These constants are defined in <code>libclamav/phishcheck.h</code>, you can check there for the latest flags.</p>
<p>There is a default set of flags that are enabled, these are currently:</p>
<pre><code class="language-c">( CLEANUP_URL | CHECK_SSL | CHECK_CLOAKING | CHECK_IMG_URL )
</code></pre>
<p>ssl checking is performed only for a tags currently.</p>
<p>You must decide for each line in the domain list if you want to filter any flags (that is you don’t want certain checks to be done), and then calculate the binary OR of those constants, and then convert it into a 3-digit hexnumber. For example you devide that domain_sufficient shouldn’t be used for ebay.com, and you don’t want to check images either, so you come up with this flag number: <code>2|256 => 258(decimal) => 102(hexadecimal)</code></p>
<p>So you add this line to <code>daily.wdb</code>:</p>
<pre><code>R102 www.ebay.com .+
</code></pre>
<h2 id="introduction-to-regular-expressions"><a class="header" href="#introduction-to-regular-expressions">Introduction to regular expressions</a></h2>
<p>Recomended reading:</p>
<ul>
<li>
<p>regex quick start: <a href="http://www.regular-expressions.info/quickstart.html">http://www.regular-expressions.info/quickstart.html</a></p>
</li>
<li>
<p>regex tutorial: <a href="http://www.regular-expressions.info/tutorial.html">http://www.regular-expressions.info/tutorial.html</a></p>
</li>
<li>
<p>regex(7) man-page: <a href="https://linux.die.net/man/7/regex">https://linux.die.net/man/7/regex</a></p>
</li>
</ul>
<h3 id="special-characters"><a class="header" href="#special-characters">Special characters</a></h3>
<ul>
<li>
<p><code>[</code></p>
<p>the opening square bracket - it marks the beginning of a character class, see section<a href="manual/Signatures/PhishSigs.html#Character-classes">Character-classes</a></p>
</li>
<li>
<p><code>\</code></p>
<p>the backslash - escapes special characters, see section <a href="manual/Signatures/PhishSigs.html#Escaping">Escaping</a></p>
</li>
<li>
<p><code>^</code></p>
<p>the caret - matches the beginning of a line (not needed in clamav regexes, this is implied)</p>
</li>
<li>
<p><code>$</code></p>
<p>the dollar sign - matches the end of a line (not needed in clamav regexes, this is implied)</p>
</li>
<li>
<p><code>.</code></p>
<p>the period or dot - matches <em>any</em> character</p>
</li>
<li>
<p><code>|</code></p>
<p>the vertical bar or pipe symbol - matches either of the token on its left and right side, see <a href="manual/Signatures/PhishSigs.html#Alternation">Alternation</a></p>
</li>
<li>
<p><code>?</code></p>
<p>the question mark - matches optionally the left-side token, see <a href="manual/Signatures/PhishSigs.html#optional-matching-and-repetition">Optional-matching, and Repetition</a></p>
</li>
<li>
<p><code>*</code></p>
<p>the asterisk or star - matches 0 or more occurences of the left-side token, see <a href="manual/Signatures/PhishSigs.html#optional-matching-and-repetition">Optional-matching, and Repetition</a></p>
</li>
<li>
<p><code>+</code></p>
<p>the plus sign - matches 1 or more occurences of the left-side token, see <a href="manual/Signatures/PhishSigs.html#optional-matching-and-repetition">Optional-matching, and Repetition</a></p>
</li>
<li>
<p><code>(</code></p>
<p>the opening round bracket - marks beginning of a group, see section <a href="manual/Signatures/PhishSigs.html#Groups">Groups</a></p>
</li>
<li>
<p><code>)</code></p>
<p>the closing round bracket - marks end of a group, see section<a href="manual/Signatures/PhishSigs.html#Groups">Groups</a></p>
</li>
</ul>
<h3 id="character-classes-1"><a class="header" href="#character-classes-1">Character classes</a></h3>
<h3 id="escaping"><a class="header" href="#escaping">Escaping</a></h3>
<p>Escaping has two purposes:</p>
<ul>
<li>
<p>It allows you to actually match the special characters themselves, for example to match the literal <code>+</code>, you would write <code>\+</code></p>
</li>
<li>
<p>It also allows you to match non-printable characters, such as the tab (<code>\t</code>) and newline (<code>\n</code>)</p>
</li>
</ul>
<p>However since non-printable characters are not valid inside an url, you won’t have a reason to use them.</p>
<h3 id="alternation"><a class="header" href="#alternation">Alternation</a></h3>
<h3 id="optional-matching-and-repetition"><a class="header" href="#optional-matching-and-repetition">Optional matching, and repetition</a></h3>
<h3 id="groups"><a class="header" href="#groups">Groups</a></h3>
<p>Groups are usually used together with repetition, or alternation. For example: <code>(com|it)+</code> means: match 1 or more repetitions of <code>com</code> or <code>it</code>, that is it matches: <code>com</code>, <code>it</code>, <code>comcom</code>, <code>comcomcom</code>, <code>comit</code>, <code>itit</code>, <code>ititcom</code>,... you get the idea.</p>
<p>Groups can also be used to extract substring, but this is not supported by the ClamAV, and not needed either in this case.</p>
<h2 id="how-to-create-database-files"><a class="header" href="#how-to-create-database-files">How to create database files</a></h2>
<h3 id="how-to-create-and-maintain-the-allow-list-dailywdb"><a class="header" href="#how-to-create-and-maintain-the-allow-list-dailywdb">How to create and maintain the allow list (daily.wdb)</a></h3>
<p>If the phishing code claims that a certain mail is phishing, but it's not, you have 2 choices:</p>
<ul>
<li>
<p>Examine your rules <code>daily.pdb</code>, and fix them if necessary (see: <a href="manual/Signatures/PhishSigs.html#how-to-create-database-files">How to create database files</a>)</p>
</li>
<li>
<p>Add it to the allow list (discussed here)</p>
</li>
</ul>
<p>Lets assume you are having problems because of links like this in a mail:</p>
<pre><code class="language-html"><a href=''http://69.0.241.57/bCentral/L.asp?L=XXXXXXXX''>`
http://www.bcentral.it/`
</a>`
</code></pre>
<p>After investigating those sites further, you decide they are no threat, and create a line like this in daily.wdb:</p>
<pre><code>R http://www\(\backslash\).bcentral\(\backslash\).it/.+
http://69\(\backslash\).0\(\backslash\).241\(\backslash\).57/bCentral/L\(\backslash\).asp?L=.+
</code></pre>
<blockquote>
<p><em>Note</em>: urls like the above can be used to track unique mail recipients, and thus know if somebody actually reads mails (so they can send more spam). However since this site required no authentication information, it is safe from a phishing point of view.</p>
</blockquote>
<h3 id="how-to-create-and-maintain-the-domain-list-dailypdb"><a class="header" href="#how-to-create-and-maintain-the-domain-list-dailypdb">How to create and maintain the domain list (daily.pdb)</a></h3>
<p>When not using <code>--phish-scan-alldomains</code> (production environments for example), you need to decide which urls you are going to check.</p>
<p>Although at a first glance it might seem a good idea to check everything, it would produce false positives. Particularly newsletters, ads, etc. are likely to use URLs that look like phishing attempts.</p>
<p>Lets assume that you’ve recently seen many phishing attempts claiming they come from Paypal. Thus you need to add paypal to daily.pdb:</p>
<pre><code>R .+ .+\(\backslash\).paypal\(\backslash\).com
</code></pre>
<p>The above line will block (detect as phishing) mails that contain urls that claim to lead to paypal, but they don’t in fact.</p>
<p>Be careful not to create regexes that match a too broad range of urls though.</p>
<h3 id="dealing-with-false-positives-and-undetected-phishing-mails"><a class="header" href="#dealing-with-false-positives-and-undetected-phishing-mails">Dealing with false positives, and undetected phishing mails</a></h3>
<h4 id="false-positives"><a class="header" href="#false-positives">False positives</a></h4>
<p>Whenever you see a false positive (mail that is detected as phishing, but its not), ou might need to modify <code>daily.pdb</code> (if one of yours rules in there are too broad), or you need to add the url to <code>daily.wdb</code>. If you think the algorithm is incorrect, please file a bug report.</p>
<h4 id="undetected-phish-mails"><a class="header" href="#undetected-phish-mails">Undetected phish mails</a></h4>
<p>If the mail is detected, if yes, then you need to add an appropriate line to <code>daily.pdb</code> (see <a href="manual/Signatures/PhishSigs.html#how-to-create-database-files">How to create database files</a>).</p>
<p>If the mail is not detected, then try using:</p>
<pre><code class="language-bash">$clamscan/clamscan --debug undetected.eml | less
</code></pre>
<p>Then see what urls are being checked, see if any of them is in an allow list, see if all urls are detected, etc.</p>
<div style="break-before: page; page-break-before: always;"></div><h1 id="bytecode-signatures"><a class="header" href="#bytecode-signatures">Bytecode Signatures</a></h1>
<p>Bytecode Signatures are the means by which more complex matching can be performed by writing C code to parse sample content at various stages in file extraction.</p>
<p>It is less complicated than it sounds. Essentially the signature author writes a function in C is compiled down to an intermediate language called "bytecode". This bytecode is encoded in ASCII <code>.cbc</code> file and distributed in <code>bytecode.[cvd|cld]</code>. When the database is loaded, ClamAV can interpret this bytecode to execute the function.</p>
<p>Bytecode functions are provided with a set of APIs that may be used to access the sample data, and to access what metadata ClamAV already has concerning the sample.</p>
<p>The function may at any time call an API to flag the sample as malicious, and may provide the signature/virus name at that time. This means a single bytecode signature (function) is written to handle a given file type and may trigger different alerts with different signature names as additional malicious characteristics for the file type are identified. That isn't to say that only one bytecode signature may be assigned to a given filetype, but that a single author may find it to be more efficient to use a bytecode signature to identify more than one type of malware.</p>
<p>The specifics on how to write and compile bytecode signatures are outside of the scope of this documentation. Extensive documentation on ClamAV Bytecode Signatures are provided with the <a href="https://github.com/Cisco-Talos/clamav-bytecode-compiler">ClamAV Bytecode Compiler</a>.</p>
<div style="break-before: page; page-break-before: always;"></div><h1 id="signatures-based-on-container-metadata"><a class="header" href="#signatures-based-on-container-metadata">Signatures based on container metadata</a></h1>
<p>ClamAV 0.96 allows creating generic signatures matching files stored inside different container types which meet specific conditions. The signature format is:</p>
<pre><code class="language-bash"> VirusName:ContainerType:ContainerSize:FileNameREGEX:
FileSizeInContainer:FileSizeReal:IsEncrypted:FilePos:
Res1:Res2[:MinFL[:MaxFL]]
</code></pre>
<p>where the corresponding fields are:</p>
<ul>
<li>
<p><code>VirusName:</code> Virus name to be displayed when signature matches.</p>
</li>
<li>
<p><code>ContainerType:</code> The file type containing the target file. For example:</p>
<ul>
<li><code>CL_TYPE_ZIP</code>,</li>
<li><code>CL_TYPE_RAR</code>,</li>
<li><code>CL_TYPE_ARJ</code>,</li>
<li><code>CL_TYPE_MSCAB</code>,</li>
<li><code>CL_TYPE_7Z</code>,</li>
<li><code>CL_TYPE_MAIL</code>,</li>
<li><code>CL_TYPE_POSIX_TAR</code>,</li>
<li><code>CL_TYPE_OLD_TAR</code>,</li>
<li><code>CL_TYPE_CPIO_OLD</code>,</li>
<li><code>CL_TYPE_CPIO_ODC</code>,</li>
<li><code>CL_TYPE_CPIO_NEWC</code>,</li>
<li><code>CL_TYPE_CPIO_CRC</code></li>
<li>etc.</li>
</ul>
<p>Use <code>*</code> as a wild card to indicate that container type may be any file type.
For a full list of ClamAV file types, see the <a href="manual/Signatures/../../appendix/FileTypes.html">ClamAV File Types Reference</a>.</p>
</li>
<li>
<p><code>ContainerSize:</code> size of the container file itself (eg. size of the zip archive) specified in bytes as absolute value or range <code>x-y</code>.</p>
</li>
<li>
<p><code>FileNameREGEX:</code> regular expression describing name of the target file</p>
</li>
<li>
<p><code>FileSizeInContainer:</code> usually compressed size; for MAIL, TAR and CPIO == <code>FileSizeReal</code>; specified in bytes as absolute value or range.</p>
</li>
<li>
<p><code>FileSizeReal:</code> usually uncompressed size; for MAIL, TAR and CPIO == <code>FileSizeInContainer</code>; absolute value or range.</p>
</li>
<li>
<p><code>IsEncrypted:</code> 1 if the target file is encrypted, 0 if it’s not and <code>*</code> to ignore</p>
</li>
<li>
<p><code>FilePos:</code> file position in container (counting from 1); absolute value or range.</p>
</li>
<li>
<p><code>Res1:</code> when <code>ContainerType</code> is <code>CL_TYPE_ZIP</code> or <code>CL_TYPE_RAR</code> this field is treated as a CRC sum of the target file specified in hexadecimal format; for other container types it’s ignored.</p>
</li>
<li>
<p><code>Res2:</code> not used as of ClamAV 0.96.</p>
</li>
</ul>
<p>The signatures for container files are stored inside <code>.cdb</code> files.</p>
<div style="break-before: page; page-break-before: always;"></div><h1 id="passwords-for-archive-files-experimental"><a class="header" href="#passwords-for-archive-files-experimental">Passwords for archive files [experimental]</a></h1>
<p>ClamAV allows for users to specify password attempts for certain password-compatible archives. Passwords will be attempted in order of appearance in the password signature file which use the extension of <code>.pwdb</code>. If no passwords apply or none are provided, ClamAV will default to the original behavior of parsing the file.</p>
<p>Currently, as of ClamAV 0.99 [flevel 81], only <code>.zip</code> archives using the traditional PKWARE encryption are supported. The signature format is:</p>
<pre><code>SignatureName;TargetDescriptionBlock;PWStorageType;Password
</code></pre>
<p>where:</p>
<ul>
<li>
<p><code>SignatureName</code>: name to be displayed during debug when a password is successful</p>
</li>
<li>
<p><code>TargetDescriptionBlock</code>: provides information about the engine and target file with comma separated Arg:Val pairs</p>
<ul>
<li><code>Engine:X-Y</code>: Required engine functionality level. See the <a href="manual/Signatures/appendix/FunctionalityLevels.html">FLEVEL reference</a> for details.</li>
<li><code>Container:CL_TYPE_*</code>: File type of applicable containers</li>
</ul>
</li>
<li>
<p><code>PWStorageType</code>: determines how the password field is parsed</p>
<ul>
<li>0 = cleartext</li>
<li>1 = hex</li>
</ul>
</li>
<li>
<p><code>Password</code>: value used in password attempt</p>
</li>
</ul>
<p>The signatures for password attempts are stored inside <code>.pwdb</code> files.</p>
<div style="break-before: page; page-break-before: always;"></div><h1 id="official-signature-naming-guidelines"><a class="header" href="#official-signature-naming-guidelines">Official Signature Naming Guidelines</a></h1>
<p>New official signatures published by Cisco-Talos in the <code>daily</code>, <code>main</code>, and <code>bytecode</code> signature databases follow this format:</p>
<pre><code>{platform}.{category}.{name}-{signature id}-{revision}
</code></pre>
<h2 id="signature-naming-rules"><a class="header" href="#signature-naming-rules">Signature Naming Rules</a></h2>
<p>Guidelines for creating new official signatures are as follows.</p>
<h3 id="platform"><a class="header" href="#platform"><code>platform</code></a></h3>
<p>Start names with targeted <em>platform</em> (or file format).</p>
<p>Options for this field in official signatures include: <em>Andr, Archive, Asp, Cert, Clamav, Clean, Css, Doc, Dos, Eicar, Email, Embedded, Emf, Gif, Heuristics, Html, Hunting, Hwp, Img, Ios, Java, Js, Legacy, Lnk, Midi</em></p>
<h3 id="category"><a class="header" href="#category"><code>category</code></a></h3>
<p>Follow with the <em>category</em>.</p>
<p>Options for this field in official signatures include: <em>Adware, Backdoor, Coinminer, Countermeasure, Downloader, Dropper, Exploit, File, Filetype, Infostealer, Ircbot, Joke, Keylogger, Loader, Macro, Malware, Packed, Packer, Phishing, Proxy, Ransomware, Revoked, Rootkit, Spyware, Test</em></p>
<h3 id="name"><a class="header" href="#name"><code>name</code></a></h3>
<p>Finish with a representative <em>name</em> of your choosing. This is often a malware family name. It is common to choose "Agent" if you can’t come up with a meaningful name.</p>
<p>Some examples: <em>Zbot, CVE_2012_0003, Sality, FakeAV, Koobface</em></p>
<p>Rules for the name field:</p>
<ol>
<li>"Must"
<ul>
<li>Only use alphanumeric characters, dot (.), underscores (_) in signature names</li>
</ul>
</li>
<li>"Must not"
<ul>
<li>Use space, apostrophe or quote marks.</li>
<li>Use company names, brand names, or names of living people, except where the virus is probably written by the person. Common first names are permissible, but be careful – avoid if possible. In particular, avoid names associated with the anti-virus world. If a virus claims to be written by a particular person or company do not believe it without further proof.</li>
<li>Use an existing Family_Name, unless the viruses belong to the same family</li>
<li>Invent a new name if there is an existing, acceptable name.</li>
<li>Use obscene or offensive names.</li>
</ul>
</li>
<li>"Should"
<ul>
<li>When possible reuse the most common family name used by other vendors</li>
<li>Avoid geographic names which are based on the discovery site – the same virus might appear simultaneously in several different places</li>
</ul>
</li>
</ol>
<h3 id="signature-id-and-revision"><a class="header" href="#signature-id-and-revision"><code>signature id</code> and <code>revision</code></a></h3>
<p>The <code>signature id</code> in combination with the <code>revision</code> form a unique value that can be used to identify any official signature without requiring the descriptive name.</p>
<p>The <code>revision</code> will increment each time a new signature replaces an older version. Revisions higher than 0 indicate that the older versions of the signature were dropped because they caused false positive alerts or because a newer signature was crafted with a higher detection rate.</p>
<h2 id="examples-official-signatures"><a class="header" href="#examples-official-signatures">Examples Official Signatures</a></h2>
<ul>
<li>Win.Trojan.Zusy-9935890-0</li>
<li>Win.Malware.Zusy-9935891-0</li>
<li>Win.Dropper.DarkKomet-9935892-0</li>
<li>Html.Malware.Agent-9915974-0</li>
<li>Java.Malware.CVE_2021_44228-9915817-0</li>
<li>Xls.Downloader.Qbot12211-9916030-0</li>
</ul>
<div style="break-before: page; page-break-before: always;"></div><h1 id="clamav-development"><a class="header" href="#clamav-development">ClamAV Development</a></h1>
<p>This chapter aims to provide information useful when developing, debugging, or profiling ClamAV.</p>
<h2 id="pull-request-basics"><a class="header" href="#pull-request-basics">Pull Request Basics</a></h2>
<p>If you're new to open source software development on GitHub, take a moment to read <a href="manual/Development/github-pr-basics.html">this quick introduction</a> on GitHub Pull Requests.</p>
<h2 id="clamav-git-work-flow"><a class="header" href="#clamav-git-work-flow">ClamAV Git Work Flow</a></h2>
<p>ClamAV's Git work flow isn't too complicated, but it is unique. See <a href="manual/Development/clamav-git-work-flow.html">this section</a> to get a better understanding of how we use Git.</p>
<h2 id="working-with-your-fork"><a class="header" href="#working-with-your-fork">Working with Your Fork</a></h2>
<p>New core developers and community contributors can <a href="manual/Development/personal-forks.html">follow these steps</a> to prepare an environment to work on ClamAV development.</p>
<h2 id="reviewing-pull-requests"><a class="header" href="#reviewing-pull-requests">Reviewing Pull Requests</a></h2>
<p>If you need to review a pull request, it's best to not only eyeball the changes and review the test logs, but to also build and test the PR manually on your own computer. <a href="manual/Development/testing-pull-requests.html">This section</a> will help you check out someone else's PR so you can test it.</p>
<h2 id="building-for-development"><a class="header" href="#building-for-development">Building for Development</a></h2>
<p>Basic instructions for building ClamAV can be in the <a href="manual/Installing.html">Installing</a> chapter and a comprehensive reference for compiling ClamAV with CMake is available in the <a href="https://github.com/Cisco-Talos/clamav/blob/dev/0.104/INSTALL.md">INSTALL.md</a> file accompanying the source code, but if you want a few extra tips on building ClamAV for development purposes, <a href="manual/Development/development-builds.html">check this out</a>.</p>
<h2 id="building-the-installer-packages"><a class="header" href="#building-the-installer-packages">Building the Installer Packages</a></h2>
<p>If you'd like to learn how we build the installer packages and even replicate this on your own, you can <a href="manual/Development/build-installer-packages.html">read about it here</a>.</p>
<h2 id="dev-tips--tricks"><a class="header" href="#dev-tips--tricks">Dev Tips & Tricks</a></h2>
<p><a href="manual/Development/tips-and-tricks.html">This section</a> contains a varied assortment of techniques you can use when coding on ClamAV to up your development game.</p>
<h2 id="libclamav"><a class="header" href="#libclamav">libclamav</a></h2>
<p>Are you interested in using libclamav to scan for malware in your own C/C++ application? <a href="manual/Development/libclamav.html">This section</a> introduces the most important functions of the libclamav API. For a more comprehensive reference, inline documention can be found in <a href="https://github.com/Cisco-Talos/clamav/blob/dev/0.104/libclamav/clamav.h">the <code>clamav.h</code> header</a> distributed with libclamav.</p>
<h2 id="contribute"><a class="header" href="#contribute">Contribute</a></h2>
<p>If you're interested in contributing to ClamAV, we've assembled a page of bugs that need fixing as well as other project ideas that we feel might be great new-contributor projects.</p>
<p>If you're looking for project ideas, check out the <a href="manual/Development/Contribute.html">project ideas list</a> to find out how you might be able to help out the project!</p>
<div style="break-before: page; page-break-before: always;"></div><h1 id="github-pull-request-basics"><a class="header" href="#github-pull-request-basics">GitHub Pull Request Basics</a></h1>
<p>Like most projects on GitHub, we use a pull request (PR) work flow for contributions to the <code>clamav</code> Git repository. This is true both for contributions from the community as well as for those from the core development team here at Cisco.</p>
<p>Historically, our team PRs have been reviewed and merged on an internal upstream Git repository, though we are now migrating to do all work on GitHub directly, with a private backup fork of the project used exclusively for review of security-related fixes and in preparation of each security patch version release.</p>
<p>The general pattern for working with Pull Requests on GitHub is this:</p>
<ol>
<li>
<p>You create a fork of the project repository on GitHub.</p>
</li>
<li>
<p>You clone (download) a copy of your fork on your computer.</p>
</li>
<li>
<p>In your local fork, you create a new branch for the feature or bug fix.</p>
</li>
<li>
<p>For each change, you create a Git commit. Your commits may include incomplete work as you're going, so you can save your work each day, in the end you should <a href="https://git-scm.com/book/en/v2/Git-Tools-Rewriting-History">edit or squash those commits down</a> so that each of your commits represent a single completed task and that the build is never broken for any given commit.</p>
</li>
<li>
<p>You push your commits to your remote fork on GitHub as needed, both to back up your work and to prepare for submitting a pull request for team review. If you've pushed commits and then edited or squashed those commits, you may have a conflict and may need to "force push" in order to update your remote fork.</p>
</li>
<li>
<p>When ready, submit a pull request, either by using the link provided by Git when you do a push, or by using the GitHub website. <em>Use the pull request description to include instructions for how to test your changes!</em></p>
</li>
<li>
<p>There are also some automated tests that get run when you submit a pull request, but you may need to re-run them if something goes wrong with the test infrastructure. Review the test results and work with the other developers to fix any issues with your pull request so it can be approved and merged.</p>
</li>
</ol>
<p>If you're new to all of this, have a look at <a href="https://guides.github.com/introduction/flow/">GitHub's flow guide</a> for their general recommendations on a basic PR work flow. Then continue in the next section to learn about ClamAV's work flow.</p>
<div style="break-before: page; page-break-before: always;"></div><h1 id="clamav-git-work-flow-1"><a class="header" href="#clamav-git-work-flow-1">ClamAV Git Work Flow</a></h1>
<p>ClamAV's Git work flow isn't very complicated, but it is more structured than most. It looks like this. Note that in the diagrams below, merged branches are regular merges and will add all of the commits from the source branch to the destination branch. The diagram doesn't show all the merged commits, for simplicity:</p>
<p><img src="manual/Development/../../images/new-git-workflow.png" alt="Git Work Flow" /></p>
<p><code>main</code>:</p>
<p>the development branch. testing is done in pull-requests (PR's), so this branch should be stable, though we make no guarantees.</p>
<p><code>rel/0.104</code>, <code>rel/1.0</code>:</p>
<p>Feature release branches. These always contain the latest stable patch versions for each feature release. When development on a feature release (E.g. <code>dev/0.104</code>) or a patch release (E.g. <code>dev/0.104.1</code>) is complete, they are merged here and tagged.</p>
<p><code>dev/0.104.1</code>:</p>
<p>A development branch used to test hotfixes prior to a patch release</p>
<p><code>sec/dev/0.104.1</code>:</p>
<p>A private development branch used to test security-related hotfixes prior to a patch release. This branch will be rebased like any feature branch as needed up until the release at which point it is merged into the <code>dev/0.104.1</code> branch and the <code>dev/0.104.1</code> branch is merged into the <code>rel/0.104</code> branch and tagged as "<code>clamav-0.104.1</code>".</p>
<p><code>feature/blah</code>:</p>
<p>A long-running branch for adding a major feature. It may be rebased several times with the default branch before > it is ready to merge.</p>
<p><code>CLAM-####-description</code>, <code>issue-####-description</code>, <code>bb####-description</code>:</p>
<p>A branch for working a JIRA task, GitHub issue, or Bugzilla Bug. These are typically only found in a personal > fork and appear as pull requests from the fork to the upstream <code>clamav</code> repository.</p>
<div style="break-before: page; page-break-before: always;"></div><h1 id="working-with-a-your-own-fork-of-the-clamav-repository"><a class="header" href="#working-with-a-your-own-fork-of-the-clamav-repository">Working with a Your Own Fork of the ClamAV repository</a></h1>
<p>A "fork" on GitHub is a personal playground. Though the word "fork" in the concept of open source traditionally referred to creating (and maintaining) a new variant of a project, forks on GitHub/GitLab/BitBucket/etc these days typically refer to a personal copy of the project where a user can test modifications to fix a bug or add a feature before contributing it back to the project in the form of a "pull request".</p>
<h3 id="create-and-maintain-a-personal-fork"><a class="header" href="#create-and-maintain-a-personal-fork">Create and Maintain a Personal Fork</a></h3>
<p>You may only have one for any project, but it is very easy to create:</p>
<p><img src="manual/Development/../../images/create-a-fork.png" alt="Create a Fork" /></p>
<p>You can rename it as needed so you won't confused a clone of your fork with that of the upstream <code>clamav</code> repository. Go to the "Settings" page and change the name to add your name in a suffix:</p>
<p><img src="manual/Development/../../images/change-fork-name.png" alt="Change Fork Name" /></p>
<p>You're free to add or delete branches in your fork as you see fit, but I would advise against adding your own commits to the existing branches. The existing branches, particularly the default branch<code>*</code> are a reference from which you can create your own branches for your work. Adding your own commits to the existing branches will break your ability to synchronize with the upstream <code>Cisco-Talos/clamav</code> repository, and without more advanced Git experience you won't be able to correct it.</p>
<blockquote>
<p><em>Tip</em>: If you've managed to screw up the commit history in your fork to the point where you don't know how to fix it, you can always delete your fork and create a new one.</p>
</blockquote>
<p>Your fork is a snapshot of the upstream <code>clamav</code> repository at the moment at which you created it. Left unmaintained, your fork's default branch will get left behind. Unlike BitBucket, GitHub will not sync branches for you automatically. If your branch is behind, it is simple to sync the branch on your fork using GitHub's GUI by pressing the "Fetch Upstream" button:</p>
<p><img src="manual/Development/../../images/fork-is-behind.png" alt="Sync and Merge" /></p>
<p>You can sync other branches too. Simply switch branches to the desired branch and press "Fetch Upstream" again.</p>
<blockquote>
<p><em>Disclaimer</em>: The ClamAV project has a history of changing default branches for development on each feature version. We've found that this causes more trouble than it is worth, and we intend to stop doing that after 0.104. Right now, the default branch is <code>dev/0.104</code>. After 0.104 is complete, it will be changed to <code>main</code> and we'll stop changing it. For more details, see the work flow changes in the section below.</p>
<p><em>Tip</em>: After we change the default branch for <code>Cisco-Talos/clamav</code> to <code>main</code>, you'll need to change your default branch too (it won't switch in your fork just because we changed the default in the upstream repo).</p>
</blockquote>
<h3 id="working-with-a-clone-of-your-fork-on-the-command-line"><a class="header" href="#working-with-a-clone-of-your-fork-on-the-command-line">Working with a Clone of your Fork on the Command Line</a></h3>
<p>If you don't already have an SSH key for your GitHub account, I recommend creating one. Navigate to your Account Settings and under SSH and GPG keys, click the "New SSH key" button. If you're unfamiliar with how to generate an SSH key, there's a nearby link "generating SSH keys" with additional instructions.</p>
<p>Next, clone your ClamAV <em>fork</em>. Use the "Code" button on the default page for your fork to copy the "SSH" URL. If you don't want to use an SSH key for GitHub authentication, use the HTTPS URL instead:</p>
<p><img src="manual/Development/../../images/clone-your-fork.png" alt="Clone your Fork" /></p>
<p>Now open up a terminal and type:</p>
<pre><code class="language-bash">git clone <paste that Git URL>
cd clamav-YourNameHere
</code></pre>
<p>Create a branch off of the default branch where you will work. If working on a GitHub Issue, Bugzilla Bug, or JIRA task<code>*</code>, the following branch name prefixes will help you and others identify the branch:</p>
<ul>
<li>For GitHub Issues: <code>issue-####-short-description</code></li>
<li>For Bugzilla Bugs: <code>bb-####-short-description</code></li>
<li>For JIRA task: <code>CLAM-####-short-description</code></li>
</ul>
<blockquote>
<p><em>Note</em>: <code>*</code>The ClamAV JIRA task tracker is not accessible outside of the Cisco network.</p>
</blockquote>
<p>Create your working branch:</p>
<pre><code>git checkout -b issue-####-short-description
</code></pre>
<p>You're now ready to make edits to the source. Be sure your changes match our code format style. The easiest way is to install <code>clang-format</code> and enable "Format On Save" in your text editor.</p>
<p>When you have made your changes, run:</p>
<pre><code class="language-bash">git add -u
git commit
</code></pre>
<p>Leave a meaningful git commit message that has a high-level descriptive title, and a more technical message body describing why the change was needed what your commit does to resolve it.</p>
<p>Run this to upload your commit to your fork on GitHub:</p>
<pre><code class="language-bash">git push -u origin <the_name_of_your_branch>
</code></pre>
<p>The <code>-u origin</code> argument will enable tracking between your local branch and your remote branch. In the future you will only need to do <code>git push</code> and it will know where to push it.</p>
<h3 id="rebase-your-development-branch-with-the-upstream-main-branch-and-resolving-merge-conflicts"><a class="header" href="#rebase-your-development-branch-with-the-upstream-main-branch-and-resolving-merge-conflicts">Rebase your development branch with the upstream <code>main</code> branch and resolving merge conflicts</a></h3>
<p>If you don't already have it:</p>
<pre><code>git remote add upstream git@github.com:Cisco-Talos/clamav.git
</code></pre>
<p>Then run:</p>
<pre><code>git fetch upstream
git rebase upstream/main
</code></pre>
<p>If you have any merge conflicts, you'll now have the opportunity to fix them. After every conflict is resolved and you've saved the files in question, run <code>git add <the resolved files></code> and then run <code>git rebase --continue</code>.</p>
<div style="break-before: page; page-break-before: always;"></div><h1 id="reviewing--testing-pull-requests"><a class="header" href="#reviewing--testing-pull-requests">Reviewing & Testing Pull Requests</a></h1>
<p>The tools available on GitHub are fantastic for reviewing code changes, but less so for checking out those code changes on your local machine to build and test them.</p>
<p>With a simple tweak to your <code>.git/config</code> file in a clone of the <code>Cisco-Talos/clamav</code> repository, you can simply check out another developer's pull request as a branch to build and test it.</p>
<p>First, if you don't already have a clone of the upstream repository, do this:</p>
<pre><code class="language-bash">git clone https://github.com/Cisco-Talos/clamav.git
</code></pre>
<p>Then, in your favorite text editor, open <code>.git/config</code> and add the following line at the end of the <code>[remote "origin"]</code> section. Don't delete or replace anything, just add the following line:</p>
<pre><code>fetch = +refs/pull/*/head:refs/remotes/origin/PR-*
</code></pre>
<blockquote>
<p><em>Tip</em>: The above works for GitHub Cloud and GitHub Enterprise servers. If you happen to work with GitLab or BitBucket, you can do this instead for the same effect:</p>
<p>For BitBucket repos:</p>
<pre><code>fetch = +refs/pull-requests/*/from:refs/remotes/origin/PR-*
</code></pre>
<p>For GitLab repos:</p>
<pre><code>fetch = +refs/merge-requests/*/head:refs/remotes/origin/PR-*
</code></pre>
</blockquote>
<p>Now you may run the following to test the pull request. Substitute <code>#</code> with the pull request number found on the website:</p>
<pre><code class="language-bash">git fetch
git checkout PR-#
</code></pre>
<p>At this point, you should find yourself in a branch containing the PR contributor's changes.</p>
<div style="break-before: page; page-break-before: always;"></div><h1 id="building-for-development-1"><a class="header" href="#building-for-development-1">Building for Development</a></h1>
<p>The following are instructions for building ClamAV using CMake or Autotools with recommendations specific to ClamAV software development.</p>
<ul>
<li><a href="manual/Development/development-builds.html#building-for-development">Building for Development</a>
<ul>
<li><a href="manual/Development/development-builds.html#build-dependencies">Build dependencies</a>
<ul>
<li><a href="manual/Development/development-builds.html#for-linuxunix">For Linux/UNIX</a></li>
<li><a href="manual/Development/development-builds.html#for-windows">For Windows</a></li>
</ul>
</li>
<li><a href="manual/Development/development-builds.html#download-the-source">Download the Source</a></li>
<li><a href="manual/Development/development-builds.html#building-clamav-with-cmake-v0104-and-newer">Building ClamAV with CMake (v0.104 and newer)</a>
<ul>
<li><a href="manual/Development/development-builds.html#linuxunix">Linux/Unix</a></li>
<li><a href="manual/Development/development-builds.html#windows">Windows</a>
<ul>
<li><a href="manual/Development/development-builds.html#vcpkg">vcpkg</a></li>
<li><a href="manual/Development/development-builds.html#mussels">Mussels</a></li>
</ul>
</li>
<li><a href="manual/Development/development-builds.html#testing-with-ctest">Testing with CTest</a>
<ul>
<li><a href="manual/Development/development-builds.html#unit-tests">Unit Tests</a></li>
<li><a href="manual/Development/development-builds.html#integration-tests">Integration Tests</a></li>
<li><a href="manual/Development/development-builds.html#feature-tests">Feature Tests</a></li>
</ul>
</li>
</ul>
</li>
<li><a href="manual/Development/development-builds.html#building-clamav-with-autotools-v0103-and-older">Building ClamAV with Autotools (v0.103 and older)</a>
<ul>
<li><a href="manual/Development/development-builds.html#running-autogensh">Running autogen.sh</a>
<ul>
<li><a href="manual/Development/development-builds.html#redhat--centos--fedora">Redhat / Centos / Fedora</a></li>
<li><a href="manual/Development/development-builds.html#debian--ubuntu">Debian / Ubuntu</a></li>
</ul>
</li>
<li><a href="manual/Development/development-builds.html#running-configure">Running configure</a></li>
<li><a href="manual/Development/development-builds.html#running-make">Running make</a></li>
<li><a href="manual/Development/development-builds.html#testing-with-make-check">Testing with <code>make check</code></a></li>
</ul>
</li>
</ul>
</li>
</ul>
<h2 id="build-dependencies"><a class="header" href="#build-dependencies">Build dependencies</a></h2>
<p>Instructions to install the build dependencies for each major operating system and distribution can be found in our install from source instructions. See:</p>
<ul>
<li><a href="manual/Development/Installing-from-source/Installing-from-source-Unix.html">Unix/Linux/Mac Instructions</a></li>
<li><a href="manual/Development/Installing-from-source/Installing-from-source-Windows.html">Windows Instructions</a></li>
</ul>
<p>For development, you may also need to install the following...</p>
<h3 id="for-linuxunix"><a class="header" href="#for-linuxunix">For Linux/UNIX</a></h3>
<ul>
<li>
<p><code>git</code></p>
</li>
<li>
<p><code>autoconf</code>, <code>automake</code>, <code>libtool</code>, <code>m4</code> (For 0.103 and older, only):</p>
<p>These four packages make up "Autotools" and are required to run the <code>./autogen.sh</code> script that generates the <code>./configure</code> tool for configuring an Autotools build. You will need these packakges if building from a git clone, but the 0.103 release tarballs have this stuff pre-generated for normal users.</p>
</li>
<li>
<p><code>valgrind</code>:</p>
<p>Valgrind is used to enhance our unit tests and feature tests. It will be automatically when running <code>ctest</code> for CMake builds, or when running <code>make check VG=1</code> for Autotools builds.</p>
</li>
<li>
<p><code>pytest</code> (For 0.104 and newer):</p>
<p>Pytest is used in our test suite for CMake builds to get better test output when analyzing test failures. Having pytest</p>
</li>
<li>
<p><code>bison</code> and <code>flex</code>:</p>
<p>Bison and Flex re-generating the Yara rule parser, used by our "maintainer mode" in the CMake build system (v0.104+), and used by default in the Autotools build system (v0.103-).</p>
</li>
<li>
<p><code>gperf</code>:</p>
<p>GPerf is another tool used by our "maintainer mode". It is used to generate code for our javascript normalizer. <code>*</code>Enabling GPerf in the "maintainer mode" for the CMake build system (v0.104+) is still a to-do.</p>
</li>
<li>
<p><code>ninja</code> or <code>ninja-build</code> (For 0.104 and newer):</p>
<p>Ninja is a build system that CMake can use in place of Makefiles (UNIX) or Visual Studio (Windows). It's faster than both, particularly as compared with Visual Studio. If you're compiling ClamAV frequently, you may find it very helpful. The only real downside is that it's highly multithreaded so errors and warnings tend to get mixed up and it can be hard to inspect when you're having build failures.</p>
</li>
</ul>
<h3 id="for-windows"><a class="header" href="#for-windows">For Windows</a></h3>
<ul>
<li>
<p><a href="https://git-scm.com/download/win">Git for Windows</a>.</p>
</li>
<li>
<p><a href="https://www.microsoft.com/en-us/p/windows-terminal/9n0dx20hk701">Windows Terminal</a>:</p>
<p>Windows Terminal is Microsoft's new open source terminal program. It's quite nice, and miles better than using a traditional CMD prompt or Powershell.</p>
</li>
<li>
<p><a href="https://visualstudio.microsoft.com/Downloads/?q=Visual%20Studio">Visual Studio</a>:</p>
<p>2019 Community Edition is fine. It may also possible to build using Clang + Ninja. Investigate at your peril.</p>
</li>
<li>
<p><a href="https://code.visualstudio.com/">Visual Studio Code</a>:</p>
<p>I recommend a modern text editor like VSCode instead of working with Visual Studio directly. Visual Studio is powerful, but can be slow and unwieldy. Those coming from a Unix/Linux background may find that the Vim plugin is particularly nice.</p>
</li>
<li>
<p><a href="https://chocolatey.org/install">Chocolatey</a>:</p>
<p>Chocolatey is an application package manager for Windows that makes it easy to install stuff on Windows. After you install Chocolatey, you can use it to install CMake, WiX, Flex, Bison, Perl, and Nasm very simply, like this:</p>
<pre><code class="language-ps1">choco install cmake
</code></pre>
</li>
<li>
<p>Wix Toolset:</p>
<p>If you want to build the installer, you'll also need WiX Toolset. If not, you can skip it. You can install it with Chocolatey:</p>
<pre><code class="language-ps1">choco install wixtoolset
</code></pre>
</li>
<li>
<p><code>bison</code> and <code>flex</code>:</p>
<p>As mentioned in the Linux/Unix section, Bison and Flex may be needed if working with the yara parser module. You can install it with Chocolatey:</p>
<pre><code class="language-ps1">choco install winflexbison
</code></pre>
</li>
<li>
<p>ActivePerl and Netwide Assembler (NASM):</p>
<p>Perl and NASM are required to compile openssl from source if using Mussels to build your dependencies. If using vcpkg, you can skip them. You can install these tools using Chocolatey:</p>
<pre><code class="language-ps1">choco install activeperl nasm
</code></pre>
</li>
</ul>
<p>We support two options for sourcing and building ClamAV library dependencies:</p>
<ol>
<li><a href="https://github.com/microsoft/vcpkg">vcpkg</a></li>
<li><a href="https://github.com/Cisco-Talos/Mussels">Mussels</a></li>
</ol>
<p>For basic builds, vcpkg should do just fine<code>*</code>, and is easier to get started.</p>
<p>If you want to customize how the dependencies are built, use Mussels. The ClamAV project uses Mussels to build the installers available on our website. The recipes to build the ClamAV dependencies, the definitions for finding and using the required development tools are hosted in <a href="https://github.com/Cisco-Talos/clamav-mussels-cookbook">the ClamAV Mussels Cookbook</a>.</p>
<blockquote>
<p><code>*</code> There is a known issue with the unit tests when building with vcpkg in Debug mode. When you run the libclamav unit tests (check_clamav), the program will crash and a popup will claim there was heap corruption. If you use Task Manager to kill the <code>check_clamav.exe</code> process, the rest of the tests pass just fine. This issue does not occur when using Mussels to supply the library dependencies. Commenting out the following lines in <code>readdb.c</code> resolves the heap corruption crash when running <code>check_clamav</code>, but of course introduces a memory leak:</p>
<pre><code class="language-c"> if (engine->stats_data)
free(engine->stats_data);
</code></pre>
<p>If anyone has time to figure out the real cause of the vcpkg Debug-build crash
in check_clamav, it would be greatly appreciated.</p>
</blockquote>
<h2 id="download-the-source"><a class="header" href="#download-the-source">Download the Source</a></h2>
<p>If you don't already have the source, use Git to clone it:</p>
<pre><code class="language-bash">git clone https://github.com/Cisco-Talos/clamav.git
cd clamav
</code></pre>
<p>If you intend to make changes and submit a pull request, fork the <code>Cisco-Talos/clamav</code> repo first and then clone your fork of the repository instead:</p>
<pre><code class="language-bash">git clone https://github.com/<yourusername>/clamav.git clamav-fork
cd clamav-fork
</code></pre>
<h2 id="building-clamav-with-cmake-v0104-and-newer-1"><a class="header" href="#building-clamav-with-cmake-v0104-and-newer-1">Building ClamAV with CMake (v0.104 and newer)</a></h2>
<p>ClamAV versions 0.103+ provide CMake build tooling. In 0.103, this is for experimental and development purposes only. Autotools should be used for production builds. In 0.104+, CMake is the only build system. Autotools and Visual Studio build systems have been removed.</p>
<p>To get started, first review the <a href="manual/Development/../Installing/Installing-from-source-Windows.html">official build isntructions</a>. Then return hrefer for some tips on building for development. For a complete reference of ClamAV build configuration options, see <a href="https://github.com/Cisco-Talos/clamav/blob/main/INSTALL.md">the <code>INSTALL.md</code> file located in the <code>clamav</code> repository</a>.</p>
<p>The following instructions assume you have installed CMake, Ninja, and either GCC, Clang, or Visual Studio 2015 or newer.</p>
<h3 id="linuxunix"><a class="header" href="#linuxunix">Linux/Unix</a></h3>
<p>Linux/Unix builds are often much simpler because the system's package manager can provide all of the dependencies for your. But if you want, you <em>can</em> build them yourself, using a tool like Mussels. The instructions listed in the Windows section are nearly identical. With Mussels on Linux, Unix, and macOS you can even use the <code>host-static</code> target to build all of the dependencies as static libraries to make ClamAV more portable and easier to package. Feel free to reach out on Discord if you want to learn more.</p>
<p>Configure (generate the build system):</p>
<pre><code class="language-bash">cmake .. -G Ninja \
-D CMAKE_BUILD_TYPE="Debug" \
-D OPTIMIZE=OFF \
-D CMAKE_INSTALL_PREFIX=install \
-D ENABLE_MILTER=ON \
-D ENABLE_EXAMPLES=ON \
-D ENABLE_STATIC_LIB=ON \
-D ENABLE_SYSTEMD=OFF
</code></pre>
<p>Build:</p>
<pre><code class="language-ps1">ninja
</code></pre>
<p>Install (to the <code>CMAKE_INSTALL_PREFIX</code> directory):</p>
<pre><code class="language-ps1">ninja install
</code></pre>
<h3 id="windows-2"><a class="header" href="#windows-2">Windows</a></h3>
<h4 id="vcpkg"><a class="header" href="#vcpkg">vcpkg</a></h4>
<p><a href="https://github.com/microsoft/vcpkg">vcpkg</a> can be used to build the ClamAV library dependencies automatically. See the <code>vcpkg</code> README for installation instructions.</p>
<p>Once installed, set the variable <code>$VCPKG_PATH</code> to the location where you installed <code>vcpkg</code>:</p>
<pre><code class="language-ps1">$VCPKG_PATH="..." # Path to your vcpkg installation
</code></pre>
<p>By default, CMake and <code>vcpkg</code> build for 32-bit. If you want to build for 64-bit, set the <code>VCPKG_DEFAULT_TRIPLET</code> environment variable:</p>
<pre><code class="language-ps1">$env:VCPKG_DEFAULT_TRIPLET="x64-windows"
</code></pre>
<p>Now run the following to build ClamAV's library dependencies:</p>
<pre><code class="language-ps1">& "$VCPKG_PATH\vcpkg" install 'curl[openssl]' 'json-c' 'libxml2' 'pcre2' 'pthreads' 'zlib' 'pdcurses' 'bzip2' 'check'
</code></pre>
<p>Finally, you can use the following to build ClamAV using Ninja for super fast builds. Replace "2019" and "Community" with different versions or editions as needed to match your Visual Studio installation.</p>
<p>Configure (generate the build system):</p>
<pre><code class="language-ps1">pushd "C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\Common7\Tools"
cmd /c "VsDevCmd.bat -arch=amd64 & set" |
foreach {
if ($_ -match "=") {
$v = $_.split("="); set-item -force -path "ENV:\$($v[0])" -value "$($v[1])"
}
}
popd
Write-Host "`nVisual Studio 2019 Command Prompt variables set." -ForegroundColor Yellow
cmake .. -G Ninja `
-D CMAKE_BUILD_TYPE="Debug" `
-D CMAKE_TOOLCHAIN_FILE="$VCPKG_PATH\scripts\buildsystems\vcpkg.cmake" `
-D CMAKE_INSTALL_PREFIX="install"
</code></pre>
<p>Build:</p>
<pre><code class="language-ps1">ninja
</code></pre>
<p>Install (to the <code>CMAKE_INSTALL_PREFIX</code> directory):</p>
<pre><code class="language-ps1">ninja install
</code></pre>
<blockquote>
<p><em>Tip</em>: I like to place the "Configure" script in a <code>configure-vcpkg.ps1</code> script file in my home directory. This way I can simply run <code>~\configure-vcpkg.ps1</code> followed by <code>ninja</code> to do a build.</p>
</blockquote>
<h4 id="mussels"><a class="header" href="#mussels">Mussels</a></h4>
<p>Here are some tips for using Mussels to build the clamav dependencies and then for building ClamAV with those dependencies.</p>
<p>Install Mussels</p>
<pre><code class="language-ps1">python3 -m pip install --user mussels
</code></pre>
<p>After the install, pip may suggest you add a "Scripts" directory to your PATH environment variable. <em>I strongly suggest that you do this</em>, so you can run <code>msl</code> for mussels commands instead of having to type <code>python3 -m mussels</code> for every command.</p>
<p>Now to use Mussels, run:</p>
<pre><code class="language-ps1"># This requires Git, and will clone the the "clamav" and "scrapbook" cookbooks.
msl up
# This is to enable running the scripts in the clamav cookbook to build the clamav dependencies.
msl cookbook trust -y clamav
# This is just to get you in a small directory so Mussels don't spend forever searching your harddrive for build recipes.
mkdir tmp && cd tmp
# First try a dry-run. If you're missing any tools, it will tell you.
# If you have everything, it will give you a list of the order it plans to build everything.
msl build clamav_deps --dry-run
# Then do the build.
msl build clamav_deps
# You could also have it build clamav for you too, but that's not so useful for development work.
msl build clamav
</code></pre>
<p>Mussels isn't great for doing repeated builds, because it tends to retry every build in the dependency chain, and that will take some time. Mussels also builds from a downloaded source tarball, and not from a local Git repository. If you're interested in working on improvement Mussels for development purposes and smoothing over some of these sharp edges, <a href="https://github.com/Cisco-Talos/Mussels#contribute">we'd love the help</a>.</p>
<p>So assuming you've now build the clamav dependencies, you should be ready to build ClamAV. Replace "2019" and "Community" with different versions or editions as needed to match your Visual Studio installation</p>
<p>Configure (generate the build system):</p>
<pre><code class="language-ps1">pushd "C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\Common7\Tools"
cmd /c "VsDevCmd.bat -arch=amd64 & set" |
foreach {
if ($_ -match "=") {
$v = $_.split("="); set-item -force -path "ENV:\$($v[0])" -value "$($v[1])"
}
}
popd
Write-Host "`nVisual Studio 2019 Command Prompt variables set." -ForegroundColor Yellow
cmake .. -G Ninja -D CMAKE_BUILD_TYPE="Debug" `
-D ENABLE_EXAMPLES=OFF `
-D JSONC_INCLUDE_DIR="$home\.mussels\install\x64\include\json-c" `
-D JSONC_LIBRARY="$home\.mussels\install\x64\lib\json-c.lib" `
-D ENABLE_JSON_SHARED=OFF `
-D BZIP2_INCLUDE_DIR="$home\.mussels\install\x64\include" `
-D BZIP2_LIBRARY_RELEASE="$home\.mussels\install\x64\lib\libbz2.lib" `
-D CURL_INCLUDE_DIR="$home\.mussels\install\x64\include" `
-D CURL_LIBRARY="$home\.mussels\install\x64\lib\libcurl_imp.lib" `
-D OPENSSL_ROOT_DIR="$home\.mussels\install\x64" `
-D OPENSSL_INCLUDE_DIR="$home\.mussels\install\x64\include" `
-D OPENSSL_CRYPTO_LIBRARY="$home\.mussels\install\x64\lib\libcrypto.lib" `
-D ZLIB_LIBRARY="$home\.mussels\install\x64\lib\libssl.lib" `
-D LIBXML2_INCLUDE_DIR="$home\.mussels\install\x64\include\libxml2" `
-D LIBXML2_LIBRARY="$home\.mussels\install\x64\lib\libxml2.lib" `
-D PCRE2_INCLUDE_DIR="$home\.mussels\install\x64\include" `
-D PCRE2_LIBRARY="$home\.mussels\install\x64\lib\pcre2-8.lib" `
-D CURSES_INCLUDE_DIR="$home\.mussels\install\x64\include" `
-D CURSES_LIBRARY="$home\.mussels\install\x64\lib\pdcurses.lib" `
-D PThreadW32_INCLUDE_DIR="$home\.mussels\install\x64\include" `
-D PThreadW32_LIBRARY="$home\.mussels\install\x64\lib\pthreadVC2.lib" `
-D ZLIB_INCLUDE_DIR="$home\.mussels\install\x64\include" `
-D ZLIB_LIBRARY="$home\.mussels\install\x64\lib\zlibstatic.lib" `
-D LIBCHECK_INCLUDE_DIR="$home\.mussels\install\x64\include" `
-D LIBCHECK_LIBRARY="$home\.mussels\install\x64\lib\checkDynamic.lib" `
-D CMAKE_INSTALL_PREFIX="install"
</code></pre>
<p>Build:</p>
<pre><code class="language-ps1">ninja
</code></pre>
<p>Install (to the <code>CMAKE_INSTALL_PREFIX</code> directory):</p>
<pre><code class="language-ps1">ninja install
</code></pre>
<blockquote>
<p><em>Tip</em>: I like to place the "Configure" script in a <code>configure-mussels.ps1</code> script file in my home directory. This way I can simply run <code>~\configure-mussels.ps1</code> followed by <code>ninja</code> to do a build.</p>
</blockquote>
<h3 id="testing-with-ctest"><a class="header" href="#testing-with-ctest">Testing with CTest</a></h3>
<p>ClamAV version 0.104+ will include unit tests, integration tests, & feature tests performed via CMake's <code>ctest</code> toolset. All tests are executed within through <code>ctest</code> but within a Python test framework build around Python's <code>unittest</code> module. See <code>clamav/unit_tests/testcase.py</code>. Python 3.5+ is required.</p>
<blockquote>
<p><em>Note</em>: Valgrind tests are performed on Linux if Valgrind is installed.</p>
</blockquote>
<h4 id="unit-tests"><a class="header" href="#unit-tests">Unit Tests</a></h4>
<p>The libclamav unit tests use the <a href="https://github.com/libcheck/check">libcheck</a> framework. There are presently no unit tests for libfreshclam. See <code>clamav/unit_tests/check_clamav.c</code> for the libclamav unit tests.</p>
<h4 id="integration-tests"><a class="header" href="#integration-tests">Integration Tests</a></h4>
<p>ClamAV is presently light on integration tests for libclamav, though you may think of the application feature as integration tests, because the apps integrate libclamav. Tests for additional features not easily exercised via the existing applications could be added by creating new example applications in <code>clamav/examples</code> and exercising those programs in new CTest tests. See <code>clamav/unit_tests/CMakeLists.txt</code> and <code>clamav/examples/CMakeLists.txt</code> for details.</p>
<h4 id="feature-tests"><a class="header" href="#feature-tests">Feature Tests</a></h4>
<p>ClamAV primarily has feature tests for ClamD and ClamScan, though basic version tests do exist for FreshClam and SigTool as well. See <code>clamav/unit_tests/CMakeLists.txt</code> and <code>clamav/unit_tests/clamscan_test.py</code> for an example.</p>
<h2 id="building-clamav-with-autotools-v0103-and-older-1"><a class="header" href="#building-clamav-with-autotools-v0103-and-older-1">Building ClamAV with Autotools (v0.103 and older)</a></h2>
<h3 id="running-autogensh"><a class="header" href="#running-autogensh">Running autogen.sh</a></h3>
<p>ClamAV versions 0.103+ will require you to run <code>autogen.sh</code> before running <code>configure</code> when building from a git clone. The files generated by Autotools, such as <code>configure</code>, are no longer stored in the Git repo. When you run <code>autogen.sh</code> it will generate those files for you.</p>
<pre><code class="language-bash">./autogen.sh
</code></pre>
<p>To run <code>autogen.sh</code>, you will need some extra tools:</p>
<ul>
<li>autoconf</li>
<li>automake</li>
<li>libtool</li>
<li>m4</li>
<li>pkg-config</li>
</ul>
<p>The packages to install are...</p>
<h4 id="redhat--centos--fedora-2"><a class="header" href="#redhat--centos--fedora-2">Redhat / Centos / Fedora</a></h4>
<pre><code class="language-sh">dnf/yum install -y \
autoconf autoreconf automake libtool libtool-ltdl-devel m4 pkg-config
</code></pre>
<h4 id="debian--ubuntu"><a class="header" href="#debian--ubuntu">Debian / Ubuntu</a></h4>
<pre><code class="language-sh">apt-get install -y \
autoconf autoconf-archive automake libtool libltdl-dev m4 pkg-config
</code></pre>
<h3 id="running-configure"><a class="header" href="#running-configure">Running configure</a></h3>
<p>To ensure that build artifacts don't clutter the source code directory, create a subdirectory named <code>build</code>.</p>
<pre><code class="language-bash">mkdir build
cd build
</code></pre>
<p>For a basic build, just run <code>../configure</code>. If you've installed the dependencies with your platforms respective package manager, it should detect the dependencies automatically. macOS users will need to use this option to properly detect openssl <code>--with-openssl=/usr/local/opt/openssl@1.1</code>.</p>
<p>Run <code>../configure --help</code> to see a full list of options. The following suggestions will help you get started:</p>
<ul>
<li>
<p>Modify the <code>CFLAGS</code>, <code>CXXFLAGS</code>, <code>OBJCFLAGS</code> variables as follows (assuming you're build with <code>gcc</code>):</p>
<ul>
<li>
<p>Include <code>gdb</code> debugging information (<code>-ggdb</code>). This will make it easier to debug with <code>gdb</code>.</p>
</li>
<li>
<p>Disable optimizations (<code>-O0</code>). This will ensure the line numbers you see in <code>gdb</code> match up with what is actually being executed.</p>
</li>
</ul>
<p>Example:</p>
<pre><code class="language-bash">CFLAGS="-ggdb -O0" CXXFLAGS="-ggdb -O0" OBJCFLAGS="-ggdb -O0" ../configure
</code></pre>
<p>NOTE: Setting <code>OBJCFLAGS</code> is needed because currently, clamsubmit gets built with the Objective-C compiler. See <a href="https://stackoverflow.com/questions/61167084/automake-conditional-compilation-from-c-or-objective-c-sources">this Stack Overflow post</a> for a discussion of why this occurs.</p>
</li>
<li>
<p>Run configure with the following options:</p>
<ul>
<li>
<p><code>--prefix=`pwd`/../installed</code>: This will cause <code>make install</code> to install into the specified directory (a directory named <code>installed</code> in the root of the ClamAV source code directory).</p>
</li>
<li>
<p><code>--enable-debug</code>: This will define <em>CL_DEBUG</em>, which mostly just enables additional print statements that are useful for debugging.</p>
</li>
<li>
<p><code>--enable-check</code>: Enables the unit tests, which can be run with <code>make check</code>.</p>
</li>
<li>
<p><code>--enable-coverage</code>: If using gcc, sets <code>-fprofile-arcs -ftest-coverage</code> so that code coverage metrics will get generated when the program is run. Note that the code inserted to store program flow data may show up in any generated flame graphs or profiling output, so if you don't care about code coverage, omit this.</p>
</li>
<li>
<p><code>--enable-libjson</code>: Enables <code>libjson</code>, which enables the <code>--gen-json</code> option. The json output contains additional metadata that might be helpful when debugging.</p>
</li>
<li>
<p><code>--with-systemdsystemunitdir=no</code>: Don't try to register <code>clamd</code> as a <code>systemd</code> service (on systems that use <code>systemd</code>). You likely don't want this development build of <code>clamd</code> to register as a service, and this eliminates the need to run <code>make install</code> with <code>sudo</code>.</p>
</li>
<li>
<p>You might want to include the following flags also so that the optional functionality is enabled: <code>--enable-experimental --enable-clamdtop --enable-milter --enable-xml --enable-pcre</code>. Note that this may require you to install additional development libraries.</p>
</li>
<li>
<p><code>--enable-llvm --with-system-llvm=no</code>: When LLVM is enabled, LLVM provides the capability to just-in-time compile ClamAV bytecode signatures. Without LLVM, ClamAV uses a built-in bytecode interpreter to execute bytecode signatures. With LLVM, options, "system LLVM" and "internal LLVM". The bytecode interpreter is somewhat slower than using LLVM, though the results are the same. At present only LLVM versions up to LLVM 3.6.2 are supported by ClamAV, and LLVM 3.6.2 is old enough that newer distributions no longer provide it. Therefore, we recommend using the <code>--enable-llvm --with-system-llvm=no</code> configure option to use the "internal LLVM". It is worth noting that the internal LLVM can take a while to build, and that the JIT compilation process for loading bytecode signatures also takes a while when starting <code>clamd</code> or <code>clamdscan</code>. For compile speed and <code>clamscan</code> load speed, you may wish to instead ouse <code>--disable-llvm</code>.</p>
</li>
</ul>
</li>
</ul>
<p>Altogether, the following configure command can be used:</p>
<pre><code class="language-bash">CFLAGS="-ggdb -O0" CXXFLAGS="-ggdb -O0" OBJCFLAGS="-ggdb -O0" ../configure --prefix=`pwd`/../installed --enable-debug --enable-check --enable-coverage --enable-libjson --with-systemdsystemunitdir=no --enable-experimental --enable-clamdtop --enable-xml --enable-pcre --enable-llvm --with-system-llvm=no
</code></pre>
<p>NOTE: It is possible to build libclamav as a static library and have it statically linked into clamscan/clamd (to do this, run <code>../configure</code> with <code>--enable-static --disable-shared</code>). This is useful for using tools like <code>gprof</code> that do not support profiling code in shared objects. However, there are two drawbacks to doing this:</p>
<ul>
<li>
<p><code>clamscan</code>/<code>clamd</code> will not be able to extract files from RAR archives. Based on the software license of the unrar library that ClamAV uses, the library can only be dynamically loaded. ClamAV will attempt to dlopen the unrar library shared object and will continue on without RAR extraction support if the library can't be found (or if it doesn't get built, which is what happens if you indicate that shared libraries should not be built).</p>
</li>
<li>
<p>If you make changes to libclamav, you'll need to <code>make clean</code>, <code>make</code>, and <code>make install</code> again to have <code>clamscan</code>/<code>clamd</code> rebuilt using the new <code>libclamav.a</code>. The makefiles don't seem to know to rebuild <code>clamscan</code>/<code>clamd</code> when <code>libclamav.a</code> changes (TODO, fix this).</p>
</li>
</ul>
<h3 id="running-make"><a class="header" href="#running-make">Running make</a></h3>
<p>Run the following to finishing building. <code>-j2</code> in the code below is used to indicate that the build process should use 2 cores. Increase this if your machine is more powerful.</p>
<pre><code class="language-bash">make -j2
make install
</code></pre>
<p>The ClamAV executables will get installed in <code>../installed/bin/</code>, so to invoke clamscan do:</p>
<pre><code class="language-bash">cd ..
./installed/bin/clamscan
</code></pre>
<h3 id="testing-with-make-check"><a class="header" href="#testing-with-make-check">Testing with <code>make check</code></a></h3>
<p>You can run <code>make check</code> to run the unit tests and feature tests.</p>
<p>Unlike with the CTest tool used for CMake builds, you must use <code>make check VG=1</code> if you wish to run extra tests using Valgrind (must be installed).</p>
<div style="break-before: page; page-break-before: always;"></div><h1 id="building-the-installer-packages-1"><a class="header" href="#building-the-installer-packages-1">Building the Installer Packages</a></h1>
<p>ClamAV's installer packages are compiled in a Jenkins CI environment in the Cisco-Talos development network. For each supported OS / packaging system / architecture, we have a computer (or VM) that maintains a copy of ClamAV's external library dependencies. These libraries are recompiled using <a href="https://github.com/Cisco-Talos/Mussels">Mussels</a> any time there is a change to the recipes in <a href="https://github.com/Cisco-Talos/clamav-mussels-cookbook/">our "clamav" Mussels cookbook</a>.</p>
<p>Instructions follow for how you can build the installer packages in much the same way that we do.</p>
<h2 id="linux"><a class="header" href="#linux">Linux</a></h2>
<blockquote>
<p><em>Tip</em>: Using an older version of Linux is best. ClamAV's only dependency will be on <code>glibc</code>, which is forwards compatible. That is to say that if you build the installer on an older version of Linux, it should install and run on a new version of Linux. The opposite is not true.</p>
</blockquote>
<p>First, install Mussels:</p>
<pre><code class="language-bash">python3 -m pip install --user mussels
</code></pre>
<p>Mussels also requires Git, so if you don't have that installed, install it now.</p>
<p>Now to use Mussels, run:</p>
<pre><code class="language-bash"># This requires Git, and will clone the the "clamav" and "scrapbook" cookbooks.
msl up
# This is to enable running the scripts in the clamav cookbook to build the clamav dependencies.
msl cookbook trust -y clamav
# This is just to get you in a small directory so Mussels don't spend forever searching your harddrive for build recipes.
mkdir tmp && cd tmp
# First try a dry-run. If you're missing any tools, it will tell you.
# If you have everything, it will give you a list of the order it plans to build everything.
msl build -t host-static clamav_deps --dry-run
# Then do the build.
msl build -t host-static clamav_deps
</code></pre>
<blockquote>
<p><em>Tip</em>: On some systems you may encounter this error:</p>
<pre><code>RuntimeError: Click will abort further execution because Python was configured to use ASCII as encoding for the environment. Consult https://click.palletsprojects.com/unicode-support/ for mitigation steps.
This system lists some UTF-8 supporting locales that you can pick from. The following suitable locales were discovered: en_AG.utf8, en_AU.utf8, en_BW.utf8, en_CA.utf8, en_DK.utf8, en_GB.utf8, en_HK.utf8, en_IE.utf8, en_IN.utf8, en_NG.utf8, en_NZ.utf8, en_PH.utf8, en_SG.utf8, en_US.utf8, en_ZA.utf8, en_ZM.utf8, en_ZW.utf8
</code></pre>
<p>To resolve this, pick a local and set it, like this:</p>
<pre><code>export LC_ALL=en_US.utf8
</code></pre>
<p>After you've set <code>LC_ALL</code> to your desired locale, re-run the above <code>msl</code> commands. You should see it run Git to update the cookbooks without error.</p>
</blockquote>
<p>So assuming you've now build the clamav dependencies, you should be ready to build ClamAV.</p>
<p>In a Git clone of the clamav source (or the extracted source tarball from a release), create a <code>build</code> subdirectory and open a terminal in that <code>build</code> directory.</p>
<p>Run the following...</p>
<p>Configure (generate the build system):</p>
<pre><code class="language-bash">cmake .. \
-D CMAKE_FIND_PACKAGE_PREFER_CONFIG=TRUE \
-D CMAKE_PREFIX_PATH="$HOME/.mussels/install/host-static" \
-D CMAKE_INSTALL_PREFIX="/usr/local" \
-D CPACK_PACKAGING_INSTALL_PREFIX="/usr/local" \
-D CPACK_DEBIAN_PACKAGE_RELEASE=1 \
-D CPACK_RPM_PACKAGE_RELEASE=1 \
-D CMAKE_MODULE_PATH="$HOME/.mussels/install/host-static/lib/cmake" \
-D CMAKE_BUILD_TYPE=RelWithDebInfo \
-D ENABLE_EXAMPLES=OFF \
-D ENABLE_MILTER=OFF \
-D JSONC_INCLUDE_DIR="$HOME/.mussels/install/host-static/include/json-c" \
-D JSONC_LIBRARY="$HOME/.mussels/install/host-static/lib/libjson-c.a" \
-D ENABLE_JSON_SHARED=OFF \
-D BZIP2_INCLUDE_DIR="$HOME/.mussels/install/host-static/include" \
-D BZIP2_LIBRARY_RELEASE="$HOME/.mussels/install/host-static/lib/libbz2_static.a" \
-D OPENSSL_ROOT_DIR="$HOME/.mussels/install/host-static" \
-D OPENSSL_INCLUDE_DIR="$HOME/.mussels/install/host-static/include" \
-D OPENSSL_CRYPTO_LIBRARY="$HOME/.mussels/install/host-static/lib/libcrypto.a" \
-D OPENSSL_SSL_LIBRARY="$HOME/.mussels/install/host-static/lib/libssl.a" \
-D LIBXML2_INCLUDE_DIR="$HOME/.mussels/install/host-static/include/libxml2" \
-D LIBXML2_LIBRARY="$HOME/.mussels/install/host-static/lib/libxml2.a" \
-D PCRE2_INCLUDE_DIR="$HOME/.mussels/install/host-static/include" \
-D PCRE2_LIBRARY="$HOME/.mussels/install/host-static/lib/libpcre2-8.a" \
-D NCURSES_INCLUDE_DIR="$HOME/.mussels/install/host-static/include/ncurses" \
-D CURSES_LIBRARY="$HOME/.mussels/install/host-static/lib/libncurses.a" \
-D ZLIB_INCLUDE_DIR="$HOME/.mussels/install/host-static/include" \
-D ZLIB_LIBRARY="$HOME/.mussels/install/host-static/lib/libz.a" \
-D LIBCHECK_INCLUDE_DIR="$HOME/.mussels/install/host-static/include" \
-D LIBCHECK_LIBRARY="$HOME/.mussels/install/host-static/lib/libcheck.a"
</code></pre>
<blockquote>
<p><em>Tip</em>: Note the use of <code>CPACK_DEBIAN_PACKAGE_RELEASE</code> and <code>CPACK_RPM_PACKAGE_RELEASE</code>. Feel free to only use the one you need for whichever platform you're targeting. You should increase the release version number if re-releasing a new package of the same ClamAV version.</p>
</blockquote>
<p>Build:</p>
<pre><code class="language-bash">make -j12
</code></pre>
<p>It's a good idea to run the public test suite at this point:</p>
<pre><code class="language-bash">ctest -V
</code></pre>
<p>To make the RPM package for RPM-based distributions, you'll need the rpmbuild tool, which you can install with <code>yum install rpm-build</code>. Then run:</p>
<pre><code class="language-bash">cpack -G RPM
</code></pre>
<p>To make the DEB package for Debian-based distributions, run:</p>
<pre><code class="language-bash">cpack -G DEB
</code></pre>
<h2 id="macos-5"><a class="header" href="#macos-5">macOS</a></h2>
<blockquote>
<p><em>Note</em>: The macOS instructions depend on Xcode, which is required to build the arm64 + x86_64 "universal" binaries. You may need to install it from the macOS app store. Be sure to run it once to accept the EULA before you proceed.</p>
</blockquote>
<p>First, install Mussels:</p>
<pre><code class="language-bash">python3 -m pip install --user mussels
</code></pre>
<p>Mussels also requires Git, so if you don't have that installed, install it now.</p>
<p>Now to use Mussels, run:</p>
<pre><code class="language-bash"># This requires Git, and will clone the the "clamav" and "scrapbook" cookbooks.
msl up
# This is to enable running the scripts in the clamav cookbook to build the clamav dependencies.
msl cookbook trust -y clamav
# This is just to get you in a small directory so Mussels don't spend forever searching your harddrive for build recipes.
mkdir tmp && cd tmp
# First try a dry-run. If you're missing any tools, it will tell you.
# If you have everything, it will give you a list of the order it plans to build everything.
msl build -t host-static clamav_deps --dry-run
# Then do the build.
msl build -t host-static clamav_deps
</code></pre>
<p>So assuming you've now build the clamav dependencies, you should be ready to build ClamAV.</p>
<p>In a Git clone of the clamav source (or the extracted source tarball from a release), create a <code>build</code> subdirectory and open a terminal in that <code>build</code> directory.</p>
<p>Run the following...</p>
<p>Configure (generate the build system):</p>
<pre><code class="language-bash">cmake .. \
-G Xcode \
-D CLAMAV_SIGN_FILE=ON \
-D CMAKE_OSX_ARCHITECTURES="arm64;x86_64" \
-D CMAKE_FIND_PACKAGE_PREFER_CONFIG=TRUE \
-D CMAKE_PREFIX_PATH="$HOME/.mussels/install/host-static" \
-D CMAKE_INSTALL_PREFIX="/usr/local/clamav" \
-D CPACK_PACKAGING_INSTALL_PREFIX="/usr/local" \
-D CMAKE_MODULE_PATH="$HOME/.mussels/install/host-static/lib/cmake" \
-D ENABLE_EXAMPLES=OFF \
-D JSONC_INCLUDE_DIR="$HOME/.mussels/install/host-static/include/json-c" \
-D JSONC_LIBRARY="$HOME/.mussels/install/host-static/lib/libjson-c.a" \
-D ENABLE_JSON_SHARED=OFF \
-D BZIP2_INCLUDE_DIR="$HOME/.mussels/install/host-static/include" \
-D BZIP2_LIBRARY_RELEASE="$HOME/.mussels/install/host-static/lib/libbz2_static.a" \
-D OPENSSL_ROOT_DIR="$HOME/.mussels/install/host-static" \
-D OPENSSL_INCLUDE_DIR="$HOME/.mussels/install/host-static/include" \
-D OPENSSL_CRYPTO_LIBRARY="$HOME/.mussels/install/host-static/lib/libcrypto.a" \
-D OPENSSL_SSL_LIBRARY="$HOME/.mussels/install/host-static/lib/libssl.a" \
-D LIBXML2_INCLUDE_DIR="$HOME/.mussels/install/host-static/include/libxml2" \
-D LIBXML2_LIBRARY="$HOME/.mussels/install/host-static/lib/libxml2.a" \
-D PCRE2_INCLUDE_DIR="$HOME/.mussels/install/host-static/include" \
-D PCRE2_LIBRARY="$HOME/.mussels/install/host-static/lib/libpcre2-8.a" \
-D CURSES_INCLUDE_DIR="$HOME/.mussels/install/host-static/include" \
-D CURSES_LIBRARY="$HOME/.mussels/install/host-static/lib/libncurses.a" \
-D ZLIB_INCLUDE_DIR="$HOME/.mussels/install/host-static/include" \
-D ZLIB_LIBRARY="$HOME/.mussels/install/host-static/lib/libz.a" \
-D LIBCHECK_INCLUDE_DIR="$HOME/.mussels/install/host-static/include" \
-D LIBCHECK_LIBRARY="$HOME/.mussels/install/host-static/lib/libcheck.a"
</code></pre>
<p>Build:</p>
<pre><code class="language-bash">cmake --build . --config RelWithDebInfo
</code></pre>
<p>It's a good idea to run the public test suite at this point:</p>
<pre><code class="language-bash">ctest -C RelWithDebInfo -V
</code></pre>
<p>Now, to make the installer, just run:</p>
<pre><code class="language-bash">cpack -C RelWithDebInfo
</code></pre>
<p>This will generate the PKG installer package.</p>
<h2 id="windows-3"><a class="header" href="#windows-3">Windows</a></h2>
<p>For tips on installing development tools for Windows, see the <a href="manual/Development/development-builds.html#for-windows">development build instructions</a>.</p>
<p>First, install Mussels:</p>
<pre><code class="language-bash">python3 -m pip install --user mussels
</code></pre>
<p>Mussels also requires Git, so if you don't have that installed, install it now.</p>
<blockquote>
<p><em>Tip</em>: You may receive a warning that installed scripts are not in your <code>PATH</code> environment variable. I strongly recommend adding the <code>Scripts</code> directory described to your <code>PATH</code>. After which, you may run Mussels using <code>msl</code> on the command line instead of typing <code>python3 -m mussels</code>, which is exceedingly tedious ;-).</p>
</blockquote>
<p>Now to use Mussels, run:</p>
<pre><code class="language-ps1"># This requires Git, and will clone the the "clamav" and "scrapbook" cookbooks.
msl up
# This is to enable running the scripts in the clamav cookbook to build the clamav dependencies.
msl cookbook trust -y clamav
# This is just to get you in a small directory so Mussels don't spend forever searching your harddrive for build recipes.
mkdir tmp && cd tmp
# First try a dry-run. If you're missing any tools, it will tell you.
# If you have everything, it will give you a list of the order it plans to build everything.
msl build clamav_deps --dry-run
# Then do the build.
msl build clamav_deps
# By default, this build will be for x64*
# If you want to build for x86, run:
msl build -t x86 clamav_deps
</code></pre>
<blockquote>
<p><code>*</code>For Windows, our recipes only provide two build targets: <code>x64</code> and <code>x86</code>. We don't as of yet have an <code>x64-static</code> variant for the recipes. You'll probably want <code>x64</code>, which is the default.</p>
</blockquote>
<p>So assuming you've now build the clamav dependencies, you should be ready to build ClamAV.</p>
<p>In a Git clone of the clamav source (or the extracted source tarball from a release), create a <code>build</code> subdirectory and open a Powershell terminal in that <code>build</code> directory.</p>
<p>Run the following, replacing "2019" and "Community" with different versions or editions as needed to match your Visual Studio installation...</p>
<p>Configure (generate the build system):</p>
<pre><code class="language-ps1">pushd "C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\Common7\Tools"
cmd /c "VsDevCmd.bat -arch=amd64 & set" |
foreach {
if ($_ -match "=") {
$v = $_.split("="); set-item -force -path "ENV:\$($v[0])" -value "$($v[1])"
}
}
popd
Write-Host "`nVisual Studio Command Prompt variables set." -ForegroundColor Yellow
cmake .. -G Ninja -D CMAKE_BUILD_TYPE="RelWithDebInfo" `
-D ENABLE_EXAMPLES=OFF `
-D ENABLE_JSON_SHARED=OFF `
-D JSONC_INCLUDE_DIR="$home\.mussels\install\x64\include\json-c" `
-D JSONC_LIBRARY="$home\.mussels\install\x64\lib\json-c.lib" `
-D BZIP2_INCLUDE_DIR="$home\.mussels\install\x64\include" `
-D BZIP2_LIBRARY_RELEASE="$home\.mussels\install\x64\lib\libbz2.lib" `
-D CURL_INCLUDE_DIR="$home\.mussels\install\x64\include" `
-D CURL_LIBRARY="$home\.mussels\install\x64\lib\libcurl_imp.lib" `
-D OPENSSL_ROOT_DIR="$home\.mussels\install\x64" `
-D OPENSSL_INCLUDE_DIR="$home\.mussels\install\x64\include" `
-D OPENSSL_CRYPTO_LIBRARY="$home\.mussels\install\x64\lib\libcrypto.lib" `
-D ZLIB_LIBRARY="$home\.mussels\install\x64\lib\libssl.lib" `
-D LIBXML2_INCLUDE_DIR="$home\.mussels\install\x64\include\libxml2" `
-D LIBXML2_LIBRARY="$home\.mussels\install\x64\lib\libxml2.lib" `
-D PCRE2_INCLUDE_DIR="$home\.mussels\install\x64\include" `
-D PCRE2_LIBRARY="$home\.mussels\install\x64\lib\pcre2-8.lib" `
-D CURSES_INCLUDE_DIR="$home\.mussels\install\x64\include" `
-D CURSES_LIBRARY="$home\.mussels\install\x64\lib\pdcurses.lib" `
-D PThreadW32_INCLUDE_DIR="$home\.mussels\install\x64\include" `
-D PThreadW32_LIBRARY="$home\.mussels\install\x64\lib\pthreadVC2.lib" `
-D ZLIB_INCLUDE_DIR="$home\.mussels\install\x64\include" `
-D ZLIB_LIBRARY="$home\.mussels\install\x64\lib\zlibstatic.lib" `
-D LIBCHECK_INCLUDE_DIR="$home\.mussels\install\x64\include" `
-D LIBCHECK_LIBRARY="$home\.mussels\install\x64\lib\checkDynamic.lib"
</code></pre>
<p>Build:</p>
<pre><code class="language-ps1">ninja
</code></pre>
<p>It's a good idea to run the public test suite at this point:</p>
<pre><code class="language-bash">ctest -C RelWithDebInfo -V
</code></pre>
<p>Now, to make the installer, just run:</p>
<pre><code class="language-ps1">cpack -C RelWithDebInfo
</code></pre>
<p>This will generate both the ZIP and the MSI installer packages.</p>
<div style="break-before: page; page-break-before: always;"></div><h1 id="development-tips--tricks"><a class="header" href="#development-tips--tricks">Development Tips & Tricks</a></h1>
<p>The following are a collection of tips that may help you be a more productive ClamAV developer.</p>
<ul>
<li><a href="manual/Development/tips-and-tricks.html#development-tips--tricks">Development Tips & Tricks</a>
<ul>
<li><a href="manual/Development/tips-and-tricks.html#downloading-the-official-ruleset">Downloading the Official Ruleset</a></li>
<li><a href="manual/Development/tips-and-tricks.html#general-debugging">General Debugging</a>
<ul>
<li><a href="manual/Development/tips-and-tricks.html#useful-clamscan-flags">Useful clamscan Flags</a></li>
<li><a href="manual/Development/tips-and-tricks.html#using-gdb">Using gdb</a></li>
</ul>
</li>
<li><a href="manual/Development/tips-and-tricks.html#hunting-for-memory-leaks">Hunting for Memory Leaks</a></li>
</ul>
</li>
</ul>
<h2 id="downloading-the-official-ruleset"><a class="header" href="#downloading-the-official-ruleset">Downloading the Official Ruleset</a></h2>
<p>If you plan to use custom rules for testing, you can invoke <code>clamscan</code> via <code>./installed/bin/clamscan</code>, specifying your custom rule files via <code>-d</code> parameters.</p>
<p>If you want to download the official ruleset to use with <code>clamscan</code>, do the following:</p>
<ol>
<li>Run <code>mkdir -p installed/share/clamav</code></li>
<li>Comment out line 8 of etc/freshclam.conf.sample</li>
<li>Run <code>./installed/bin/freshclam --config-file etc/freshclam.conf.sample</code></li>
</ol>
<h2 id="general-debugging"><a class="header" href="#general-debugging">General Debugging</a></h2>
<p>NOTE: Some of the debugging/profiling tools mentioned in the sections below are specific to Linux</p>
<h3 id="useful-clamscan-flags"><a class="header" href="#useful-clamscan-flags">Useful clamscan Flags</a></h3>
<p>The following are useful flags to include when debugging clamscan:</p>
<ul>
<li>
<p><code>--debug --verbose</code>: Print lots of helpful debug information</p>
</li>
<li>
<p><code>--gen-json</code>: Print some additional debug information in a JSON format</p>
</li>
<li>
<p><code>--statistics=pcre --statistics=bytecode</code>: Print execution statistics on any PCRE and bytecode rules that were evaluated</p>
</li>
<li>
<p><code>--dev-performance</code>: Print per-file statistics regarding how long scanning took and the times spent in various scanning stages</p>
</li>
<li>
<p><code>--alert-broken</code>: This will attempt to detect broken executable files. If an executable is determined to be broken, some functionality might not get invoked for the sample, and this could be an indication of an issue parsing the PE header or file. This causes those binary to generate an alert instead of just continuing on. This flag replaces the <code>--detect-broken</code> flag from releases prior to 0.101.</p>
</li>
<li>
<p><code>--max-filesize=2000M --max-scansize=2000M --max-files=2000000 --max-recursion=2000000 --max-embeddedpe=2000M --max-htmlnormalize=2000000 --max-htmlnotags=2000000 --max-scriptnormalize=2000000 --max-ziptypercg=2000000 --max-partitions=2000000 --max-iconspe=2000000 --max-rechwp3=2000000 --pcre-match-limit=2000000 --pcre-recmatch-limit=2000000 --pcre-max-filesize=2000M --max-scantime=2000000</code>:</p>
<p>Effectively disables all file limits and maximums for scanning. This is useful if you'd like to ensure that all files in a set get scanned, and would prefer clam to just run slowly or crash rather than skip a file because it encounters one of these thresholds</p>
</li>
</ul>
<p>The following are useful flags to include when debugging rules that you're
writing:</p>
<ul>
<li>
<p><code>-d</code>: Allows you to specify a custom ClamAV rule file from the command line</p>
</li>
<li>
<p><code>--bytecode-unsigned</code>: If you are testing custom bytecode rules, you'll need this flag so that <code>clamscan</code> actually runs the bytecode signature</p>
</li>
<li>
<p><code>--all-match</code>: Allows multiple signatures to match on a file being scanned</p>
</li>
<li>
<p><code>--leave-temps --tmpdir=/tmp</code>: By default, ClamAV will attempt to extract embedded files that it finds, normalize certain text files before looking for matches, and unpack packed executables that it has unpacking support for. These flags tell ClamAV to write these intermediate files out to the directory specified. Usually when a file is written, it will mention the file name in the --debug output, so you can have some idea at what stage in the scanning process a tmp file was created.</p>
</li>
<li>
<p><code>--dump-certs</code>: For signed PE files that match a rule, display information about the certificates stored within the binary.</p>
<blockquote>
<p><em>Note</em>: sigtool has this functionality as well and doesn't require a rule match to view the cert data</p>
</blockquote>
</li>
</ul>
<h3 id="using-gdb"><a class="header" href="#using-gdb">Using gdb</a></h3>
<p>Given that you might want to pass a lot of arguments to <code>gdb</code>, consider taking advantage of the <code>--args</code> parameter. For example:</p>
<pre><code class="language-bash">gdb --args ./installed/bin/clamscan -d /tmp/test.ldb -d /tmp/block_list.crb -d --dumpcerts --debug --verbose --max-filesize=2000M --max-scansize=2000M --max-files=2000000 --max-recursion=2000000 --max-embeddedpe=2000M --max-iconspe=2000000 f8f101166fec5785b4e240e4b9e748fb6c14fdc3cd7815d74205fc59ce121515
</code></pre>
<p>When using ClamAV without libclamav statically linked, if you set breakpoints on libclamav functions by name, you'll need to make sure to indicate that the breakpoints should be resolved after libraries have been loaded.</p>
<p>For other documentation about how to use <code>gdb</code>, check out the following resources:</p>
<ul>
<li><a href="http://www.cabrillo.edu/%7Eshodges/cs19/progs/guide_to_gdb_1.1.pdf">A Guide to gdb</a></li>
<li><a href="http://users.ece.utexas.edu/%7Eadnan/gdb-refcard.pdf">gdb Quick Reference</a></li>
</ul>
<h2 id="hunting-for-memory-leaks"><a class="header" href="#hunting-for-memory-leaks">Hunting for Memory Leaks</a></h2>
<p>You can easily hunt for memory leaks with valgrind. Check out this guide to get started: <a href="http://valgrind.org/docs/manual/quick-start.html">Valgrind Quick Start</a></p>
<p>If checking for leaks, be sure to run <code>clamscan</code> with samples that will hit as many of the unique code paths in the code you are testing. An example invocation is as follows:</p>
<pre><code class="language-bash">valgrind --leak-check=full ./installed/bin/clamscan -d /tmp/test.ldb --leave-temps --tempdir /tmp/test --debug --verbose /tmp/upx-samples/ > /tmp/upx-results-2.txt 2>&1
</code></pre>
<p>Alternatively, on Linux, you can use glibc's built-in leak checking functionality:</p>
<pre><code class="language-bash">MALLOC_CHECK_=7 ./installed/bin/clamscan
</code></pre>
<p>See the <a href="http://manpages.ubuntu.com/manpages/trusty/man3/mallopt.3.html">mallopt man page</a> for more details</p>
<div style="break-before: page; page-break-before: always;"></div><h1 id="performance-profiling"><a class="header" href="#performance-profiling">Performance Profiling</a></h1>
<h2 id="flame-graph-profiling"><a class="header" href="#flame-graph-profiling">Flame Graph Profiling</a></h2>
<p><a href="https://github.com/brendangregg/FlameGraph">FlameGraph</a> is a great tool for generating interactive flamegraphs based collected profiling data. The github page has thorough documentation on how to use the tool, but an overview is presented below:</p>
<p>First, install <code>perf</code>, which on Linux can be done via:</p>
<pre><code class="language-bash">sudo apt-get install linux-tools-common linux-tools-generic linux-tools-`uname -r`
</code></pre>
<blockquote>
<p><em>Tip</em>: If you're on Windows using WSL2 with Ubuntu 20.04, you may find that the above fails with this error message:</p>
<pre><code>E: Unable to locate package linux-tools-4.19.104-microsoft-standard
E: Couldn't find any package by glob 'linux-tools-4.19.104-microsoft-standard'
E: Couldn't find any package by regex 'linux-tools-4.19.104-microsoft-standard'
</code></pre>
<p>You may have luck building and installing <code>perf</code> yourself using Microsoft's WSL2 Linux Kernel sources. At the time of writing, this <em>doesn't</em> work with the <code>master</code> branch because the <code>perf</code> build appears to be broken with newer versions of glibc. Instead, we can use the <code>linux-msft-wsl-5.10.16.3</code> tag:</p>
<pre><code class="language-bash">sudo apt install flex bison
git clone https://github.com/microsoft/WSL2-Linux-Kernel --depth 1 --branch linux-msft-wsl-5.10.16.3
cd WSL2-Linux-Kernel/tools/perf
make -j8
sudo cp perf /usr/local/bin
</code></pre>
<p>Technique courtesy of: https://gist.github.com/abel0b/b1881e41b9e1c4b16d84e5e083c38a13</p>
</blockquote>
<p>Modify the system settings to allow <code>perf</code> record to be run by a standard user:</p>
<pre><code class="language-bash">sudo su # Run the following as root
cat /proc/sys/kernel/perf_event_paranoid
echo "1" > /proc/sys/kernel/perf_event_paranoid
exit
</code></pre>
<p>Invoke <code>clamscan</code> via <code>perf record</code> as follows, and run <code>perf script</code> to collect the profiling data. Note that in this example, ClamAV was compiled in a <code>build</code> subdirectory and installed to <code>build/install</code>:</p>
<pre><code class="language-bash">perf record -F 100 -g -- ./install/bin/clamscan -d ./unit_tests/clamav.hdb --allmatch ./test/
perf script > /tmp/out.perf
</code></pre>
<p>The <code>-F</code> parameter indicates how many samples should be collected during program execution. If your scan will take a long time to run, a lower value should be sufficient. Otherwise, consider choosing a higher value (on Ubuntu 18.04, 7250 is the max frequency, but it can be increased via <code>/proc/sys/kernel/perf_event_max_sample_rate</code>.</p>
<p>Clone out <a href="https://github.com/brendangregg/FlameGraph">the FlameGraph project</a> and run the following commands inside the FlameGraph directory to generate the flame graph:</p>
<pre><code class="language-bash">git clone https://github.com/brendangregg/FlameGraph.git
cd FlameGraph
perl stackcollapse-perf.pl /tmp/out.perf > /tmp/out.folded
perl flamegraph.pl /tmp/out.folded > /tmp/test.svg
</code></pre>
<p>The SVG that is generated is interactive, but some viewers don't support this.
Be sure to open it in a web browser like Chrome to be able to take full advantage of it.</p>
<p>Here's an example flamegraph generated by scanning ClamAV test files:</p>
<p align="center">
<a href="https://raw.githubusercontent.com/micahsnyder/clamav-documentation/main/src/images/flamegraph.svg">
<img align="center" src="https://raw.githubusercontent.com/micahsnyder/clamav-documentation/main/src/images/flamegraph.svg" alt='Example Flamegraph'>
</a>
</p>
<h2 id="call-graph-profiling---callgrind"><a class="header" href="#call-graph-profiling---callgrind">Call Graph Profiling - Callgrind</a></h2>
<p>Callgrind is a profiling tool included with <code>valgrind</code>. This can be done by prepending <code>valgrind --tool=callgrind </code> to the <code>clamscan</code> command.</p>
<p><a href="https://kcachegrind.github.io/html/Home.html">kcachegrind</a> is a follow-on tool that will graphically present the profiling data and allow you to explore it visually, although if you don't already use KDE you'll have to install lots of extra packages to use it.</p>
<h2 id="system-call-tracing--fault-injection"><a class="header" href="#system-call-tracing--fault-injection">System Call Tracing / Fault Injection</a></h2>
<p>strace can be used to track the system calls that are performed and provide the number of calls / time spent in each system call. This can be done by prepending <code>strace -c </code> to a <code>clamscan</code> command. Results will look something like this:</p>
<pre><code class="language-bash"> % time seconds usecs/call calls errors syscall
------ ----------- ----------- --------- --------- ----------------
95.04 0.831430 13 62518 read
3.22 0.028172 14 2053 munmap
0.69 0.006005 3 2102 mmap
0.28 0.002420 7 344 pread64
0.16 0.001415 5 305 1 openat
0.13 0.001108 3 405 write
0.11 0.000932 23 40 mprotect
0.07 0.000632 2 310 close
0.07 0.000583 9 67 30 access
0.05 0.000395 1 444 lseek
0.04 0.000344 2 162 fstat
0.04 0.000338 1 253 brk
0.03 0.000262 1 422 fcntl
0.02 0.000218 16 14 futex
0.01 0.000119 1 212 getpid
0.01 0.000086 14 6 getdents
0.00 0.000043 7 6 dup
0.00 0.000040 1 31 unlink
0.00 0.000038 19 2 rt_sigaction
0.00 0.000037 19 2 rt_sigprocmask
0.00 0.000029 1 37 stat
0.00 0.000022 11 2 prlimit64
0.00 0.000021 21 1 sysinfo
0.00 0.000020 1 33 clock_gettime
0.00 0.000019 19 1 arch_prctl
0.00 0.000018 18 1 set_tid_address
0.00 0.000018 18 1 set_robust_list
0.00 0.000013 0 60 lstat
0.00 0.000011 0 65 madvise
0.00 0.000002 0 68 geteuid
0.00 0.000000 0 1 execve
0.00 0.000000 0 1 uname
0.00 0.000000 0 1 getcwd
------ ----------- ----------- --------- --------- ----------------
100.00 0.874790 69970 31 total
</code></pre>
<p><code>strace</code> can also be used for cool things like system call fault injection. For instance, let's say you are curious whether the <code>read</code> bytecode API call is implemented in such a way that the underlying <code>read</code> system call could handle <code>EINTR</code> being returned (which can happen periodically). To test this, write the following bytecode rule:</p>
<pre><code class="language-c"> VIRUSNAME_PREFIX("BC.Heuristic.Test.Read.Passed")
VIRUSNAMES("")
TARGET(0)
SIGNATURES_DECL_BEGIN
DECLARE_SIGNATURE(zeroes)
SIGNATURES_DECL_END
SIGNATURES_DEF_BEGIN
DEFINE_SIGNATURE(zeroes, "0:0000")
SIGNATURES_DEF_END
bool logical_trigger()
{
return matches(Signatures.zeroes);
}
#define READ_S(value, size) if (read(value, size) != size) return 0;
int entrypoint(void)
{
char buffer[65536];
int i;
for (i = 0; i < 256; i++)
{
debug(i);
debug("\n");
READ_S(buffer, sizeof(buffer));
}
foundVirus("");
return 0;
}
</code></pre>
<p>Compiled the rule, and make a test file to match against it. Then run it under <code>strace</code> to determine what underlying read system call is being used for the bytecode <code>read</code> function:</p>
<pre><code class="language-bash">clambc-compiler read_test.bc
dd if=/dev/zero of=/tmp/zeroes bs=65535 count=256
strace clamscan -d read_test.cbc --bytecode-unsigned /tmp/zeroes
</code></pre>
<p>It uses <code>pread64</code> under the hood, so the following command could be used for fault injection:</p>
<pre><code class="language-bash">strace -e fault=pread64:error=EINTR:when=20+10 clamscan -d read_test.cbc --bytecode-unsigned /tmp/zeroes
</code></pre>
<p>This command tells <code>strace</code> to skip the first 20 <code>pread64</code> calls (these appear to be used by the loader, which didn't seem to handle <code>EINTR</code> correctly) but to inject <code>EINTR</code> for every 10th call afterward. We can see the injection in action and that the system call is retried successfully:</p>
<pre><code class="language-c"> pread64(3, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 65536, 15007744) = 65536
pread64(3, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 65536, 15073280) = 65536
pread64(3, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 65536, 15138816) = 65536
pread64(3, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 65536, 15204352) = 65536
pread64(3, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 65536, 15269888) = 65536
pread64(3, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 65536, 15335424) = 65536
pread64(3, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 65536, 15400960) = 65536
pread64(3, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 65536, 15466496) = 65536
pread64(3, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 65536, 15532032) = 65536
pread64(3, 0x7f6a7ff43000, 65536, 15597568) = -1 EINTR (Interrupted system call) (INJECTED)
pread64(3, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 65536, 15597568) = 65536
</code></pre>
<p>More documentation on using <code>strace</code> to perform system call fault injection, see <a href="https://archive.fosdem.org/2017/schedule/event/failing_strace/attachments/slides/1630/export/events/attachments/failing_strace/slides/1630/strace_fosdem2017_ta_slides.pdf">this presentation</a> from FOSDEM 2017.</p>
<div style="break-before: page; page-break-before: always;"></div><h1 id="computing-code-coverage"><a class="header" href="#computing-code-coverage">Computing Code Coverage</a></h1>
<h2 id="code-coverage-when-using-cmake-v0104-and-newer"><a class="header" href="#code-coverage-when-using-cmake-v0104-and-newer">Code coverage when using CMake (v0.104 and newer)</a></h2>
<blockquote>
<p><em>TO-DO</em>: Help us figure out how to compute code coverage and document the process here.</p>
</blockquote>
<h2 id="code-coverage-when-using-autotools-v0103-and-older"><a class="header" href="#code-coverage-when-using-autotools-v0103-and-older">Code coverage when using Autotools (v0.103 and older)</a></h2>
<p>gcov/lcov can be used to produce a code coverage report indicating which lines of code were executed on a single run or by multiple runs of <code>clamscan</code>. NOTE: for these metrics to be collected, ClamAV needs to have been configured with the <code>--enable-coverage</code> option.</p>
<p>First, run the following to zero out all of the performance metrics:</p>
<pre><code class="language-bash">lcov -z --directory . --output-file coverage.lcov.data
</code></pre>
<p>Next, run ClamAV through whatever test cases you have. Then, run lcov again to collect the coverage data as follows:</p>
<pre><code class="language-bash">lcov -c --directory . --output-file coverage.lcov.data
</code></pre>
<p>Finally, run the genhtml tool that ships with lcov to produce the code coverage report:</p>
<pre><code class="language-bash">genhtml coverage.lcov.data --output-directory report
</code></pre>
<p>The report directory will have an <code>index.html</code> page which can be loaded into any web browser.</p>
<p>For more information, visit the <a href="http://ltp.sourceforge.net/coverage/lcov.php">lcov webpage</a></p>
<div style="break-before: page; page-break-before: always;"></div><h1 id="building-and-testing-clamav-with-fuzzing-sanitizers"><a class="header" href="#building-and-testing-clamav-with-fuzzing-sanitizers">Building and Testing ClamAV with Fuzzing Sanitizers</a></h1>
<h2 id="build--reproduce-fuzz-reports-using-oss-fuzz-tools"><a class="header" href="#build--reproduce-fuzz-reports-using-oss-fuzz-tools">Build & Reproduce Fuzz Reports using OSS-Fuzz Tools</a></h2>
<p>Check out <a href="https://github.com/google/oss-fuzz.git">the google/oss-fuzz repository</a> and the <code>clamav</code> repo side by side. .</p>
<p>Then inside the <code>oss-fuzz</code> directory, run:</p>
<pre><code class="language-bash">python3 infra/helper.py build_image clamav
python3 infra/helper.py build_fuzzers --sanitizer address clamav ../clamav
python3 infra/helper.py reproduce clamav clamav_scanmap_fuzzer /path/to/poc_file
</code></pre>
<blockquote>
<p><em>Tip</em>: You can substitute <code>address</code> argument in the second command that selects the Address Sanitizer (ASan) with <code>memory</code> or <code>undefined</code> to use the Memory Sanitizer (MSan) or the Undefined Behavior Sanitizer (UBSan).</p>
</blockquote>
<p>See <a href="https://google.github.io/oss-fuzz/advanced-topics/reproducing/">https://google.github.io/oss-fuzz/advanced-topics/reproducing/</a> for more details.</p>
<h2 id="build--test-fuzz-targets-sanitizers-in-cmake-v0104-and-newer"><a class="header" href="#build--test-fuzz-targets-sanitizers-in-cmake-v0104-and-newer">Build & Test Fuzz Targets Sanitizers in CMake (v0.104 and newer)</a></h2>
<p>Inside your <code>clamav</code> git clone, run:</p>
<pre><code class="language-bash">mkdir build-fuzz && cd build-fuzz
export CC=`which clang` && \
export CXX=`which clang++` && \
export SANITIZER=address && \
cmake .. -G Ninja \
-D OPTIMIZE=OFF \
-D CMAKE_BUILD_TYPE="Debug" \
-D ENABLE_FUZZ=ON \
&& \
ninja
</code></pre>
<p>This will build the fuzz target executables in the <code>build-fuzz/fuzz/</code> directory. You can run them just like a regular program, passing the file as input.</p>
<p>E.g.:</p>
<pre><code class="language-bash">./fuzz/clamav_scanfile_fuzzer /path/to/poc_file
</code></pre>
<h2 id="clamav-with-address-sanitizer-asan-in-autotools-v0103-and-older"><a class="header" href="#clamav-with-address-sanitizer-asan-in-autotools-v0103-and-older">ClamAV with Address Sanitizer (ASAN) in Autotools (v0.103 and older)</a></h2>
<p>Building ClamAV with ASAN support can be extremely useful in detecting memory corruption and memory leaks. To build with ASAN, use a <code>..\configure</code> line like the following:</p>
<pre><code class="language-bash">CFLAGS="-ggdb -O0 -fsanitize=address -fno-omit-frame-pointer" LDFLAGS="-fsanitize=address" CXXFLAGS="-ggdb -O0 -fsanitize=address -fno-omit-frame-pointer" OBJCFLAGS="-ggdb -O0 -fsanitize=address -fno-omit-frame-pointer" ../configure --prefix=`pwd`/../installed --enable-debug --enable-libjson --with-systemdsystemunitdir=no --enable-experimental --enable-clamdtop --enable-libjson --enable-xml --enable-pcre --disable-llvm
</code></pre>
<div style="break-before: page; page-break-before: always;"></div><h1 id="libclamav-1"><a class="header" href="#libclamav-1">Libclamav</a></h1>
<p>Libclamav provides an easy and effective way to add a virus protection into your software. The library is thread-safe and transparently recognizes and scans within archives, mail files, MS Office document files, executables and other special formats.</p>
<h2 id="license-1"><a class="header" href="#license-1">License</a></h2>
<p>Libclamav is licensed under the GNU GPL v2 license. This means you are <strong>not allowed</strong> to link commercial, closed-source software against it. All software using libclamav must be GPL compliant.</p>
<h2 id="supported-formats-and-features"><a class="header" href="#supported-formats-and-features">Supported formats and features</a></h2>
<h3 id="executables"><a class="header" href="#executables">Executables</a></h3>
<p>The library has a built-in support for 32- and 64-bit Portable Executable, ELF and Mach-O files. Additionally, it can handle PE files compressed or obfuscated with the following tools:</p>
<ul>
<li>Aspack (2.12)</li>
<li>UPX
<ul>
<li>PE (Windows) built-in</li>
<li>ELF, Mach-O enabled via bytecode signatures</li>
</ul>
</li>
<li>FSG (1.3, 1.31, 1.33, 2.0)</li>
<li>Petite (2.x)</li>
<li>PeSpin (1.1)</li>
<li>NsPack</li>
<li>wwpack32 (1.20)</li>
<li>MEW</li>
<li>Upack</li>
<li>Y0da Cryptor (1.3)</li>
</ul>
<h3 id="mail-files"><a class="header" href="#mail-files">Mail files</a></h3>
<p>Libclamav can handle almost every mail file format including TNEF (winmail.dat) attachments.</p>
<h3 id="archives-and-compressed-files"><a class="header" href="#archives-and-compressed-files">Archives and compressed files</a></h3>
<p>The following archive and compression formats are supported by internal handlers:</p>
<ul>
<li>Zip (+ SFX)</li>
<li>RAR (+ SFX)</li>
<li>7Zip</li>
<li>Tar</li>
<li>CPIO</li>
<li>Gzip</li>
<li>Bzip2</li>
<li>DMG</li>
<li>IMG</li>
<li>ISO 9660</li>
<li>PKG</li>
<li>HFS+ partition</li>
<li>HFSX partition</li>
<li>APM disk image</li>
<li>GPT disk image</li>
<li>MBR disk image</li>
<li>XAR</li>
<li>XZ</li>
<li>MS OLE2</li>
<li>MS Cabinet Files (+ SFX)</li>
<li>MS CHM (Compiled HTML)</li>
<li>MS SZDD compression format</li>
<li>BinHex</li>
<li>SIS (SymbianOS packages)</li>
<li>AutoIt</li>
<li>NSIS</li>
<li>InstallShield</li>
</ul>
<h3 id="documents"><a class="header" href="#documents">Documents</a></h3>
<p>The most popular file formats are supported:</p>
<ul>
<li>MS Office and MacOffice files</li>
<li>RTF</li>
<li>PDF</li>
<li>HTML</li>
</ul>
<p>In the case of Office, RTF and PDF files, libclamav will only extract the embedded objects and will not decode the text data itself. The text decoding and normalization is only performed for HTML files.</p>
<h3 id="data-loss-prevention"><a class="header" href="#data-loss-prevention">Data Loss Prevention</a></h3>
<p>Libclamav includes a DLP module which can detect the following credit card issuers: AMEX, VISA, MasterCard, Discover, Diner’s Club, and JCB and U.S. social security numbers inside text files.</p>
<p>Future versions of Libclamav may include additional features to detect other credit cards and other forms of PII (Personally Identifiable Information) which may be transmitted without the benefit of being encrypted.</p>
<h3 id="others-1"><a class="header" href="#others-1">Others</a></h3>
<p>Libclamav can handle various obfuscators, encoders, files vulnerable to security risks such as:</p>
<ul>
<li>JPEG (exploit detection)</li>
<li>RIFF (exploit detection)</li>
<li>uuencode</li>
<li>ScrEnc obfuscation</li>
<li>CryptFF</li>
</ul>
<h2 id="api"><a class="header" href="#api">API</a></h2>
<h3 id="header-file"><a class="header" href="#header-file">Header file</a></h3>
<p>Every program using libclamav must include the header file <code>clamav.h</code>:</p>
<pre><code class="language-c"> #include "clamav.h"
</code></pre>
<h3 id="initialization"><a class="header" href="#initialization">Initialization</a></h3>
<p>Before using libclamav, you should call <code>cl_init()</code> to initialize it. <code>CL_INIT_DEFAULT</code> is a macro that can be passed to <code>cl_init()</code> representing the default initialization settings. When it’s done, you’re ready to create a new scan engine by calling <code>cl_engine_new()</code>. To free resources allocated by the engine use <code>cl_engine_free()</code>. Function prototypes:</p>
<pre><code class="language-c"> int cl_init(unsigned int options);
struct cl_engine *cl_engine_new(void);
int cl_engine_free(struct cl_engine *engine);
</code></pre>
<p><code>cl_init()</code> and <code>cl_engine_free()</code> return <code>CL_SUCCESS</code> on success or another code on error. <code>cl_engine_new()</code> return a pointer or NULL if there’s not enough memory to allocate a new engine structure.</p>
<h3 id="database-loading"><a class="header" href="#database-loading">Database loading</a></h3>
<p>The following set of functions provides an interface for loading the virus database:</p>
<pre><code class="language-c"> const char *cl_retdbdir(void);
int cl_load(const char *path, struct cl_engine *engine,
unsigned int *signo, unsigned int options);
</code></pre>
<p><code>cl_retdbdir()</code> returns the default (hardcoded) path to the directory with ClamAV databases. <code>cl_load()</code> loads a single database file or all databases from a given directory (when <code>path</code> points to a directory). The second argument is used for passing in the pointer to the engine that should be previously allocated with <code>cl_engine_new()</code>. A number of loaded signatures will be <strong>added</strong> to <code>signo</code>. The last argument can pass the following flags:</p>
<ul>
<li><strong>CL_DB_STDOPT</strong>
This is an alias for a recommended set of scan options.</li>
<li><strong>CL_DB_PHISHING</strong>
Load phishing signatures.</li>
<li><strong>CL_DB_PHISHING_URLS</strong>
Initialize the phishing detection module and load .wdb and .pdb
files.</li>
<li><strong>CL_DB_PUA</strong>
Load signatures for Potentially Unwanted Applications.</li>
<li><strong>CL_DB_OFFICIAL_ONLY</strong>
Only load official signatures from digitally signed databases.</li>
<li><strong>CL_DB_BYTECODE</strong>
Load bytecode.</li>
</ul>
<p><code>cl_load()</code> returns <code>CL_SUCCESS</code> on success and another code on failure.</p>
<pre><code class="language-c"> ...
struct cl_engine *engine;
unsigned int sigs = 0;
int ret;
if((ret = cl_init(CL_INIT_DEFAULT)) != CL_SUCCESS) {
printf("cl_init() error: %s\n", cl_strerror(ret));
return 1;
}
if(!(engine = cl_engine_new())) {
printf("Can't create new engine\n");
return 1;
}
ret = cl_load(cl_retdbdir(), engine, &sigs, CL_DB_STDOPT);
</code></pre>
<h3 id="database-verification"><a class="header" href="#database-verification">Database verification</a></h3>
<p>The <code>cl_load()</code> API will verify that the database is signed and is correct, although it will also return <code>CL_SUCCESS</code> for non-database files that of course cannot be loaded.</p>
<p>You can, however, use the <code>cl_cvdverify()</code> API to verify a database directly:</p>
<pre><code class="language-c">/**
* @brief Verify a CVD file by loading and unloading it.
*
* @param file Filepath of CVD file.
* @return cl_error_t CL_SUCCESS if success, else a CL_E* error code.
*/
extern cl_error_t cl_cvdverify(const char *file);
</code></pre>
<p>As the comment block explains, this will load-test the database. Be advised that for some larger databases, this may use a fair bit system RAM.</p>
<h3 id="error-handling"><a class="header" href="#error-handling">Error handling</a></h3>
<p>Use <code>cl_strerror()</code> to convert error codes into human readable messages. The function returns a statically allocated string:</p>
<pre><code class="language-c"> if(ret != CL_SUCCESS) {
printf("cl_load() error: %s\n", cl_strerror(ret));
cl_engine_free(engine);
return 1;
}
</code></pre>
<h3 id="engine-structure"><a class="header" href="#engine-structure">Engine structure</a></h3>
<p>When all required databases are loaded you should prepare the detection engine by calling <code>cl_engine_compile()</code>. In case of failure you should still free the memory allocated to the engine with <code>cl_engine_free()</code>:</p>
<pre><code class="language-c"> int cl_engine_compile(struct cl_engine *engine);
</code></pre>
<p>In our example:</p>
<pre><code class="language-c"> if((ret = cl_engine_compile(engine)) != CL_SUCCESS) {
printf("cl_engine_compile() error: %s\n", cl_strerror(ret));
cl_engine_free(engine);
return 1;
}
</code></pre>
<h3 id="limits"><a class="header" href="#limits">Limits</a></h3>
<p>When you create a new engine with <code>cl_engine_new()</code>, it will have all internal settings set to default values as recommended by the ClamAV authors. It’s possible to check and modify the values (numerical and strings) using the following set of functions:</p>
<pre><code class="language-c"> int cl_engine_set_num(struct cl_engine *engine,
enum cl_engine_field field, long long num);
long long cl_engine_get_num(const struct cl_engine *engine,
enum cl_engine_field field, int *err);
int cl_engine_set_str(struct cl_engine *engine,
enum cl_engine_field field, const char *str);
const char *cl_engine_get_str(const struct cl_engine *engine,
enum cl_engine_field field, int *err);
</code></pre>
<p>Please don’t modify the default values unless you know what you’re doing. Refer to the ClamAV sources (clamscan, clamd) for examples.</p>
<h3 id="database-checks"><a class="header" href="#database-checks">Database checks</a></h3>
<p>It’s very important to keep the internal instance of the database up to date. You can watch database changes with the <code>cl_stat..()</code> family of functions.</p>
<pre><code class="language-c"> int cl_statinidir(const char *dirname, struct cl_stat *dbstat);
int cl_statchkdir(const struct cl_stat *dbstat);
int cl_statfree(struct cl_stat *dbstat);
</code></pre>
<p>Initialization:</p>
<pre><code class="language-c"> ...
struct cl_stat dbstat;
memset(&dbstat, 0, sizeof(struct cl_stat));
cl_statinidir(dbdir, &dbstat);
</code></pre>
<p>To check for a change you just need to call <code>cl_statchkdir</code> and check its return value (0 - no change, 1 - some change occurred). Remember to reset the <code>cl_stat</code> structure after reloading the database.</p>
<pre><code class="language-c"> if(cl_statchkdir(&dbstat) == 1) {
reload_database...;
cl_statfree(&dbstat);
cl_statinidir(cl_retdbdir(), &dbstat);
}
</code></pre>
<p>Libclamav includes and additional call to check the number of signatures that can be loaded from a given directory:</p>
<pre><code class="language-c"> int cl_countsigs(const char *path, unsigned int countoptions,
unsigned int *sigs);
</code></pre>
<p>The first argument points to the database directory, the second one specifies what signatures should be counted: <code>CL_COUNTSIGS_OFFICIAL</code> (official signatures), <code>CL_COUNTSIGS_UNOFFICIAL</code> (third party signatures), <code>CL_COUNTSIGS_ALL</code> (all signatures). The last argument points to the counter to which the number of detected signatures will be added (therefore the counter should be initially set to 0). The call returns <code>CL_SUCCESS</code> or an error code.</p>
<h3 id="data-scan-functions"><a class="header" href="#data-scan-functions">Data scan functions</a></h3>
<p>It’s possible to scan a file or descriptor using:</p>
<pre><code class="language-c"> int cl_scanfile(
const char *filename,
const char **virname,
unsigned long int *scanned,
const struct cl_engine *engine,
struct cl_scan_options *options);
int cl_scandesc(
int desc,
const char *filename,
const char **virname,
unsigned long int *scanned,
const struct cl_engine *engine,
struct cl_scan_options *options);
</code></pre>
<p>Both functions will store a virus name under the pointer <code>virname</code>, the virus name is part of the engine structure and must not be released directly. If the third argument (<code>scanned</code>) is not NULL, the functions will increase its value with the size of scanned data (in <code>CL_COUNT_PRECISION</code> units). The last argument (<code>options</code>) requires a pointer to a data structure that specifies the scan options. The data structure should be <code>memset()</code> Each variable in the structure is a bit-flag field. The structure definition is:</p>
<pre><code class="language-c"> struct cl_scan_options {
uint32_t general;
uint32_t parse;
uint32_t alert;
uint32_t heuristic_alert;
uint32_t mail;
uint32_t dev;
};
</code></pre>
<p>Supported flags for each of the fields are as follows:</p>
<p><code>general</code> - General scanning options.</p>
<ul>
<li><strong>CL_SCAN_GENERAL_ALLMATCHES</strong>
Scan in all-match mode</li>
<li><strong>CL_SCAN_GENERAL_COLLECT_METADATA</strong>
Collect metadata (--gen-json)</li>
<li><strong>CL_SCAN_GENERAL_HEURISTICS</strong>
Option to enable heuristic alerts. Required for any of the heuristic alerting options to work.</li>
</ul>
<p><code>parse</code> - Options to enable/disable specific parsing capabilities. Generally you will want to enable all parsers. The easiest way to do this is to set the parse flags to ~0.</p>
<ul>
<li><strong>CL_SCAN_PARSE_ARCHIVE</strong>
This flag enables transparent scanning of various archive formats.</li>
<li><strong>CL_SCAN_PARSE_ELF</strong>
Enable support for ELF files.</li>
<li><strong>CL_SCAN_PARSE_PDF</strong>
Enables scanning within PDF files.</li>
<li><strong>CL_SCAN_PARSE_SWF</strong>
Enables scanning within SWF files, notably compressed SWF.</li>
<li><strong>CL_SCAN_PARSE_HWP</strong>
Enables scanning of Hangul Word Processor (HWP) files.</li>
<li><strong>CL_SCAN_PARSE_XMLDOCS</strong>
Enables scanning of XML-formatted documents (e.g. Word, Excel, PowerPoint, HWP).</li>
<li><strong>CL_SCAN_PARSE_MAIL</strong>
Enable support for mail files.</li>
<li><strong>CL_SCAN_PARSE_OLE2</strong>
Enables support for OLE2 containers (used by MS Office and .msi files).</li>
<li><strong>CL_SCAN_PARSE_HTML</strong>
This flag enables HTML normalization (including ScrEnc decryption).</li>
<li><strong>CL_SCAN_PARSE_PE</strong>
This flag enables deep scanning of Portable Executable files and allows libclamav to unpack executables compressed with run-time unpackers.</li>
</ul>
<p><code>heuristic</code> - Options to enable specific heuristic alerts</p>
<ul>
<li><strong>CL_SCAN_GENERAL_HEURISTIC_PRECEDENCE</strong>
Allow heuristic match to take precedence. When enabled, if a heuristic scan (such as phishingScan) detects a possible virus/phish it will stop scan immediately. Recommended, saves CPU scan-time. When <em>disabled</em>, virus/phish detected by heuristic scans will be reported only at the end of a scan. If an archive contains both a heuristically detected virus/phishing, and a real malware, the real malware will be reported.</li>
<li><strong>CL_SCAN_HEURISTIC_ENCRYPTED_ARCHIVE</strong>
With this flag the library will mark encrypted archives as viruses (encrypted .zip, .7zip, .rar).</li>
<li><strong>CL_SCAN_HEURISTIC_ENCRYPTED_DOC</strong>
With this flag the library will mark encrypted documents as viruses (encrypted .pdf).</li>
<li><strong>CL_SCAN_HEURISTIC_BROKEN</strong>
libclamav will try to detect broken executables and mark them as Broken.Executable.</li>
<li><strong>CL_SCAN_HEURISTIC_EXCEEDS_MAX</strong>
Alert when the scan of any file exceeds maximums such as max-filesize, max-scansize, max-recursion level.</li>
<li><strong>CL_SCAN_HEURISTIC_PHISHING_SSL_MISMATCH</strong>
Heuristic for phishing module: alert on SSL mismatches in URLs.</li>
<li><strong>CL_SCAN_HEURISTIC_PHISHING_CLOAK</strong>
Heuristic for phishing module: alert on cloaked URLs.</li>
<li><strong>CL_SCAN_HEURISTIC_MACROS</strong>
OLE2 containers, which contain VBA macros will be marked infected (Heuristics.OLE2.ContainsMacros).</li>
<li><strong>CL_SCAN_HEURISTIC_PARTITION_INTXN</strong>
alert if partition table size doesn't make sense</li>
<li><strong>CL_SCAN_HEURISTIC_STRUCTURED</strong>
Enable the data loss prevention (DLP) module which scans for credit card and SSN numbers. i.e. alert when detecting personal information</li>
<li><strong>CL_SCAN_HEURISTIC_STRUCTURED_SSN_NORMAL</strong>
Search for [and alert when detecting] SSNs formatted as xx-yy-zzzz.</li>
<li><strong>CL_SCAN_HEURISTIC_STRUCTURED_SSN_STRIPPED</strong>
Search for [and alert when detecting] SSNs formatted as xxyyzzzz.</li>
</ul>
<p><code>mail</code> - Options to enable specific mail parsing features</p>
<ul>
<li><strong>CL_SCAN_MAIL_PARTIAL_MESSAGE</strong>
Scan RFC1341 messages split over many emails. You will need to periodically clean up <code>$TemporaryDirectory/clamav-partial</code> directory.</li>
</ul>
<p><code>dev</code> - Options designed for use by ClamAV developers</p>
<ul>
<li><strong>CL_SCAN_DEV_COLLECT_SHA</strong>
Enables hash output in sha-collect builds - for internal use only</li>
<li><strong>CL_SCAN_DEV_COLLECT_PERFORMANCE_INFO</strong>
Collect performance timings</li>
</ul>
<p>All functions return <code>CL_CLEAN</code> when the file seems clean, <code>CL_VIRUS</code> when a virus is detected and another value on failure.</p>
<pre><code class="language-c"> ...
const char *virname;
if((ret = cl_scanfile("/tmp/test.exe", &virname, NULL, engine,
&options)) == CL_VIRUS) {
printf("Virus detected: %s\n", virname);
} else {
printf("No virus detected.\n");
if(ret != CL_CLEAN)
printf("Error: %s\n", cl_strerror(ret));
}
</code></pre>
<h3 id="memory"><a class="header" href="#memory">Memory</a></h3>
<p>Because the engine structure occupies a few megabytes of system memory, you should release it with <code>cl_engine_free()</code> if you no longer need to scan files.</p>
<h3 id="forking-daemons"><a class="header" href="#forking-daemons">Forking daemons</a></h3>
<p>If you’re using libclamav with a forking daemon you should call <code>srand()</code> inside a forked child before making any calls to the libclamav functions. This will avoid possible collisions with temporary filenames created by other processes of the daemon. This procedure is not required for multi-threaded daemons.</p>
<h3 id="clamav-config"><a class="header" href="#clamav-config">clamav-config</a></h3>
<p>Use <code>clamav-config</code> to check compilation information for libclamav.</p>
<pre><code class="language-bash"> $ clamav-config --libs
-L/usr/local/lib -lz -lbz2 -lgmp -lpthread
$ clamav-config --cflags
-I/usr/local/include -g -O2
</code></pre>
<h3 id="example-2"><a class="header" href="#example-2">Example</a></h3>
<p>You will find an example scanner application in the clamav source under <code>./examples</code>.</p>
<p>In ClamaV 0.104+, you can build the example programs alongside ClamAV by configuring with <code>-D ENABLE_EXAMPLES=ON</code>.</p>
<p>Or, if you have ClamAV already installed, execute the following to compile it:</p>
<pre><code class="language-bash">gcc -Wall ex1.c -o ex1 -lclamav
</code></pre>
<h2 id="cvd-format"><a class="header" href="#cvd-format">CVD format</a></h2>
<p>CVD (ClamAV Virus Database) is a digitally signed tarball containing one or more databases. The header is a 512-bytes long string with colon separated fields:</p>
<pre><code> ClamAV-VDB:build time:version:number of signatures:functionality
level required:MD5 checksum:digital signature:builder name:build time (sec)
</code></pre>
<p><code>sigtool --info</code> displays detailed information on CVD files:</p>
<pre><code class="language-bash"> $ sigtool -i daily.cvd
File: daily.cvd
Build time: 10 Mar 2008 10:45 +0000
Version: 6191
Signatures: 59084
Functionality level: 26
Builder: ccordes
MD5: 6e6e29dae36b4b7315932c921e568330
Digital signature: zz9irc9irupR3z7yX6J+OR6XdFPUat4HIM9ERn3kAcOWpcMFxq
Fs4toG5WJsHda0Jj92IUusZ7wAgYjpai1Nr+jFfXHsJxv0dBkS5/XWMntj0T1ctNgqmiF
+RLU6V0VeTl4Oej3Aya0cVpd9K4XXevEO2eTTvzWNCAq0ZzWNdjc
Verification OK.
</code></pre>
<div style="break-before: page; page-break-before: always;"></div><h1 id="project-ideas"><a class="header" href="#project-ideas">Project Ideas</a></h1>
<p>For ClamAV library & application projects, submit pull-requests to: <a href="https://github.com/Cisco-Talos/clamav">https://github.com/Cisco-Talos/clamav</a></p>
<p>For ClamAV documentation projects, submit pull-requests to: <a href="https://github.com/Cisco-Talos/clamav-faq/pulls">https://github.com/Cisco-Talos/clamav-faq/pulls</a></p>
<blockquote>
<p><em>Tip</em>: If you find that any of the bugs or projects have already been completed, you can help out simply by updating the list in a pull-request to update <a href="https://github.com/Cisco-Talos/clamav-documentation/blob/master/src/manual/Development/Contribute.md">this document</a>.</p>
</blockquote>
<ul>
<li><a href="manual/Development/Contribute.html#project-ideas">Project Ideas</a>
<ul>
<li><a href="manual/Development/Contribute.html#bugs">Bugs</a></li>
<li><a href="manual/Development/Contribute.html#larger-projects">Larger Projects</a>
<ul>
<li><a href="manual/Development/Contribute.html#cmake--d-maintainer_modeon">CMake: <code>-D MAINTAINER_MODE=ON</code></a></li>
<li><a href="manual/Development/Contribute.html#cmake--d-code_coverageon">CMake: <code>-D CODE_COVERAGE=ON</code></a></li>
<li><a href="manual/Development/Contribute.html#develop-new-detection-capabilities-for-peelfmacho-executables">Develop New Detection Capabilities for PE/ELF/MachO Executables</a></li>
<li><a href="manual/Development/Contribute.html#develop-memory-scanning-capabilities-for-unix">Develop Memory Scanning Capabilities for Unix</a></li>
<li><a href="manual/Development/Contribute.html#webassembly-runtime">WebAssembly Runtime</a></li>
<li><a href="manual/Development/Contribute.html#add-unpacking-support-for-new-packers">Add Unpacking Support for New Packers</a></li>
<li><a href="manual/Development/Contribute.html#add-support-for-matching-on-net-internals">Add Support for Matching on .NET Internals</a></li>
<li><a href="manual/Development/Contribute.html#extract-macros-from-oxml-docs">Extract Macros from OXML docs</a></li>
<li><a href="manual/Development/Contribute.html#dynamically-add-new-file-types-simply-by-adding-file-type-magic-ftm-signatures">Dynamically add new file types simply by adding file type magic (.ftm) signatures</a></li>
<li><a href="manual/Development/Contribute.html#register-scanners-for-each-file-type-write-bytecode-signature-scanners">Register scanners for each file type, Write bytecode "signature" scanners.</a></li>
<li><a href="manual/Development/Contribute.html#limit-logical-signature-alerts-based-on-file-type">Limit logical signature alerts based on file type</a></li>
<li><a href="manual/Development/Contribute.html#libclamav-callback-function-to-request-additional-file">libclamav Callback Function to Request Additional File</a></li>
</ul>
</li>
</ul>
</li>
</ul>
<h2 id="bugs"><a class="header" href="#bugs">Bugs</a></h2>
<p>There's only so much our core dev team can schedule into each release. Many bugs probably won't be fixed without your help! Feel free to troll our <a href="https://bugzilla.clamav.net/buglist.cgi?bug_status=UNCONFIRMED&bug_status=NEW&bug_status=ASSIGNED&bug_status=NEEDINFO&bug_status=REOPENED&classification=ClamAV&limit=0&list_id=162199&order=changeddate%20DESC%2Cbug_status%2Cpriority%2Cassigned_to%2Cbug_id&product=ClamAV&query_format=advanced&resolution=---">open Bugzilla tickets</a> and our <a href="https://github.com/Cisco-Talos/clamav-devel/issues">open GitHub Issues</a> if you're looking for project ideas!</p>
<h2 id="larger-projects"><a class="header" href="#larger-projects">Larger Projects</a></h2>
<p>The following are a list of project ideas for someone looking to work on a larger project.
Any projects labeled "Risky" or "Exploratory" are thought to be more likely to fail, or to have significant drawbacks that will result in the new feature being ultimately rejected.</p>
<p>Please don't take it personally if the ClamAV team decide not to merge your implementation due to perceived complexity, stability, or other such concerns.</p>
<p>Contributors are expected to implement ample documentation for any new code or feature. Directions on how to test the contribution as well as unit and/or system tests will significantly help with PR review and will improve the likelihood that your contribution will be accepted.</p>
<p>Unstable or incomplete work is not likely to be accepted. The core development team has a long backlog of tasks and a curated roadmap for the next 6-12 months and will not have time to complete an unfinished project for you.</p>
<p>Contributors submitting a sizeable new feature will be asked to sign a Contributors License Agreement (CLA) before the contribution can be accepted.</p>
<h3 id="cmake--d-maintainer_modeon"><a class="header" href="#cmake--d-maintainer_modeon">CMake: <code>-D MAINTAINER_MODE=ON</code></a></h3>
<p>The purpose of "maintainer" build-mode is to update source generated by tools like Flex, Bison, and GPerf which are not readily accessible on every platform.</p>
<p>In this case, the project is to add <a href="https://www.gnu.org/software/gperf/manual/gperf.html">GNU <code>gperf</code></a> support to the our CMake build system's Maintainer-Mode (<code>-D MAINTAINER_MODE=ON</code>). To complete this task, you'll need to detect GPerf when using Maintainer-Mode, and it should be required. When the build runs, it should regenerate and overwrite the <code>libclamav/jsparse/generated</code> files in the source directory using <code>gperf</code> with <code>jsparse-keywords.gperf</code>.</p>
<p>The contributor should add the new option to <code>CMakeOptions.cmake</code> and document the feature in <code>INSTALL.cmake.md</code> as well as in the <code>clamav-faq</code> repo's <code>development.md</code> developer documentation, after the feature has merged.</p>
<p><strong>Category</strong>: Low-hanging fruit, Development</p>
<p><strong>What you will learn from this project</strong>:</p>
<ul>
<li>CMake C/C++ build system skills</li>
</ul>
<p><strong>Required skills</strong>:</p>
<ul>
<li>Linux/Unix familiarity. Familiarity with compiling C/C++ projects.</li>
</ul>
<p><strong>Project Size</strong>: Small</p>
<h3 id="cmake--d-code_coverageon"><a class="header" href="#cmake--d-code_coverageon">CMake: <code>-D CODE_COVERAGE=ON</code></a></h3>
<p>Add a <code>-D CODE_COVERAGE=ON</code> option to the CMake build system which will build ClamAV with code coverage features enabled.</p>
<p>An ideal solution would support code coverage in when using GCC, Clang, and MSVC.</p>
<p>See <code>development.md</code> in the <code>clamav-faq</code> repo for additional insight on how <code>gcov</code>, <code>lcov</code>, and <code>genhtml</code> can be used today with the Autotools build system.</p>
<p>The contributor should add the new option to <code>CMakeOptions.cmake</code> and document the feature in <code>INSTALL.cmake.md</code> as well as in the <code>clamav-faq</code> repo's <code>development.md</code> developer documentation, after the feature has merged.</p>
<p><strong>Category</strong>: Low-hanging fruit, Development</p>
<p><strong>What you will learn from this project</strong>:</p>
<ul>
<li>CMake C/C++ build system skills</li>
<li>Familiarity with C/C++ code coverage</li>
</ul>
<p><strong>Required skills</strong>:</p>
<ul>
<li>Linux/Unix familiarity. Familiarity with compiling C/C++ projects.</li>
</ul>
<p><strong>Project Size</strong>: Small</p>
<h3 id="develop-new-detection-capabilities-for-peelfmacho-executables"><a class="header" href="#develop-new-detection-capabilities-for-peelfmacho-executables">Develop New Detection Capabilities for PE/ELF/MachO Executables</a></h3>
<p>ClamAV parses the PE/ELF/MachO headers on executables that it scans, but doesn't make all of the data that it extracts available for use by NDB/LDB signatures. Some features that would be great to have include:</p>
<ul>
<li>The ability to distinguish between regular executables and DLLs/SOs/DYLIBs (add new keywords?)</li>
<li>Subsignature modifiers that can limit subsigs to only being evaluated against sections with memory permission flags (Read/Write/Execute). This would allow signatures to be evaluated more efficiently and also would decrease the chance of signature false positives.</li>
<li>Parsing digital signatures in signed MachO exes and evaluating against the certificate trust / block <code>.crb</code> rules</li>
<li>Other features that might be helpful?</li>
</ul>
<p>As PE, ELF, and MachO parsing features already exist in C, C is the mostly likely language of choice. However any major new self contained code would ideally be written in Rust.</p>
<p><strong>Category</strong>: Core Development</p>
<p><strong>What you will learn from this project</strong>:</p>
<ul>
<li>The PE, ELF, and MachO file formats</li>
<li>How ClamAV parses executable headers, performs signature matching, and the capabilities are provided</li>
<li>How to write ClamAV signatures to match on executable files</li>
</ul>
<p><strong>Required skills</strong>:</p>
<ul>
<li>Strong C development experience</li>
<li>Rust development experince (as needed)</li>
</ul>
<p><strong>Project Size</strong>: Large</p>
<h3 id="develop-memory-scanning-capabilities-for-unix"><a class="header" href="#develop-memory-scanning-capabilities-for-unix">Develop Memory Scanning Capabilities for Unix</a></h3>
<p>Today, ClamAV works by scanning files on disk for malware. It'd be great if ClamAV could also be used to scan process memory on a system its running on in order to detect malware that isn't present on disk.</p>
<p>The ClamAV team is already looking into integrating such a feature from clamav-win32, a project by Gianluigi Tiesi who has graciously agreed to allow us to include this <a href="https://github.com/clamwin/clamav-win32/blob/0.102/src/helpers/scanmem.c">memory scanning feature</a> and others in the upstream clamav project.</p>
<p>This project would be to develop a similar capability for use on Linux and/or macOS and/or BSD Unix scanning clients.</p>
<p>As this is a relatively large new feature, an ideal solution would be written in Rust.</p>
<p><strong>Category</strong>: Fun/Peripheral</p>
<p><strong>What you will learn from this project</strong>:</p>
<ul>
<li>The techniques and OS APIs related to inspecting the memory of running processes</li>
<li>The security mechanisms in place to limit arbitrary access to process memory</li>
</ul>
<p><strong>Required skills</strong>:</p>
<ul>
<li>Strong Rust development experience.</li>
<li>Linux/Unix operating systems experience.</li>
</ul>
<p><strong>Project Size</strong>: Large</p>
<h3 id="webassembly-runtime"><a class="header" href="#webassembly-runtime">WebAssembly Runtime</a></h3>
<p>Background: ClamAV has for a long time had runtime support for running portable plugins we call "bytecode signatures". ClamAV has a <a href="https://github.com/Cisco-Talos/clamav-bytecode-compiler">custom bytecode compiler</a> to compile these plugins from a C-like language and uses LLVM or a homegrown "bytecode interpreter" to run the plugins. This solution is strikingly similar to a newer portable plugin technology: WebAssembly!</p>
<p>The goal of project would be to create a proof-of-concept WebAssembly (wasm) runtime in ClamAV so that "wasm signatures" could be written in Rust and executed in a wasm sandbox. As with our current bytecode signature technology, the wasm signatures would run at specific hooks in the ClamAV scanning process. They would need access to the file map (buffer) being scanned, and would be given <a href="https://github.com/Cisco-Talos/clamav/blob/dev/0.103/libclamav/bytecode_api.h">a limited API</a> to call into ClamAV functions.</p>
<p>For a proof-of-concept, executing a local wasm plugin that has access to the file being scanned (without copying the data) would be fine. A production solution would need to convert the wasm plugin to an ascii-text encoding so it can be distributed much the same way the current bytecode signature <code>.cbc</code> plugins are distributed. As with the bytecode signatures, <code>clamscan</code> and <code>clamd</code> <em>must not</em> load the plugins unless they've been digitally signed or the <code>--bytecode-unsigned</code>/<code>BytecodeUnsigned</code> options are set, which would disable this safety precaution.</p>
<blockquote>
<p><em>Important Notes</em>: The ClamAV bytecode compiler project is currently undergoing a major re-write. Once complete, the new bytecode compiler will effectively be a Python script that invokes <code>clang</code> with a collection of custom compiler passes that effectively compile C code into ClamAV-bytecode plugins. This project would have you extend that project to instead use <code>rustc</code> to compile Rust ClamAV-WASM plugins.</p>
</blockquote>
<p><strong>Category</strong>: Core Development, Fun</p>
<p><strong>What you will learn from this project</strong>:</p>
<ul>
<li>Compilers</li>
<li>LLVM, WebAssembly JIT</li>
<li>Executable plugin sandboxing</li>
<li>Rust</li>
</ul>
<p><strong>Required skills</strong>:</p>
<ul>
<li>C/C++ development experience.</li>
<li>Rust development experience.</li>
</ul>
<p><strong>Project Size</strong>: Large</p>
<h3 id="add-unpacking-support-for-new-packers"><a class="header" href="#add-unpacking-support-for-new-packers">Add Unpacking Support for New Packers</a></h3>
<p>ClamAV includes support for unpacking executables generated by several software packers so that malware can't use them to easily evade detection. The list of packers currently supported can be found in the <a href="manual/Development/../../Introduction.html">Introduction of the ClamAV Manual</a>. There are many packers out there, though, so there is always a need to write unpacking code for ones that are frequently used by malware authors. Some that are currently needed include:</p>
<ul>
<li>UPX for ELF</li>
<li>MPRESS (although we do have some bytecode signatures for MPRESS - those might be sufficient)</li>
<li>If anyone is interested in this, we can analyze thousands of samples and identify more candidates for this list</li>
</ul>
<p>Improvements to existing executable (PE/ELF/MachO) parsing code would likely be in C, but any new standalone modules would ideally be written in Rust.</p>
<p><strong>Category</strong>: Fun/Peripheral</p>
<p><strong>What you will learn from this project</strong>:</p>
<ul>
<li>How packers function, the steps involved in run-time loading and fixing memory maps, and a general approach to unpacking</li>
<li>You'll gain experience reverse-engineering real-world malware</li>
</ul>
<p><strong>Required skills</strong>:</p>
<ul>
<li>C development experience.</li>
<li>Rust development experience.</li>
</ul>
<p><strong>Project Size</strong>: Large</p>
<h3 id="add-support-for-matching-on-net-internals"><a class="header" href="#add-support-for-matching-on-net-internals">Add Support for Matching on .NET Internals</a></h3>
<p>YARA extracts certain properties of .NET executables and makes them available for signatures to use for detection: https://yara.readthedocs.io/en/v3.6.0/modules/dotnet.html</p>
<p>Can ClamAV do something similar? For instance, extract the GUIDs and allow matching on those the way we do entries in the PE VersionInfo section?</p>
<blockquote>
<p><em>Tip</em>: An ideal solution for this and any new file parsing feature should be written in Rust and called by our existing C code.</p>
</blockquote>
<p><strong>Category</strong>: Fun/Peripheral</p>
<p><strong>What you will learn from this project</strong>:</p>
<ul>
<li>How .NET executables are structured, and how they work internally</li>
<li>How to write .NET applications (for testing)</li>
<li>You'll also test your code against real-world malware, and perform reverse-engineering of samples as needed (if they break your code).</li>
</ul>
<p><strong>Required skills</strong>:</p>
<ul>
<li>C development experience.</li>
<li>Rust development experience.</li>
<li>Any prior experience in the areas listed above is a plus.</li>
</ul>
<p><strong>Project Size</strong>: Large</p>
<h3 id="extract-macros-from-oxml-docs"><a class="header" href="#extract-macros-from-oxml-docs">Extract Macros from OXML docs</a></h3>
<p>ClamAV and SigTool currently support parsing OLE Office files to decompress and extract macros for scanning. The newer version OOXML Office files do not have this support, resulting in detection possible for macros in these documents. The ability to both extract and scan macros would enable better coverage. This might mean creating a new target type to prevent creating two signatures one for OLE macros and another for OOXML macros.</p>
<blockquote>
<p><em>Tip</em>: An ideal solution for this and any new file parsing feature should be written in Rust and called by our existing C code.</p>
</blockquote>
<p><strong>Category</strong>:</p>
<p><strong>What you will learn from this project</strong>:</p>
<ul>
<li>ClamAV and SigTool internals</li>
<li>Office document macro compression (RLE compression)</li>
<li>Macro storage in OOXML files</li>
</ul>
<p><strong>Required skills</strong>:</p>
<ul>
<li>C development experience.</li>
<li>Rust development experience.</li>
<li>Any prior experience in the areas listed above is a plus.</li>
</ul>
<p><strong>Project Size</strong>: Medium</p>
<h3 id="dynamically-add-new-file-types-simply-by-adding-file-type-magic-ftm-signatures"><a class="header" href="#dynamically-add-new-file-types-simply-by-adding-file-type-magic-ftm-signatures">Dynamically add new file types simply by adding file type magic (.ftm) signatures</a></h3>
<p>Known file types are currently baked into each ClamAV versions along with file type magic signatures. See <code>filetypes_int.h</code>, <code>filetypes.h</code>, and <code>filetypes.c</code>. The hardcoded signature definitions for these hardcoded types are generally overridden by <code>daily.ftm</code>, a component of <code>daily.cvd</code> used to tweak file type identification definitions after release.</p>
<p>This project would be to re-architect how file types are stored in libclamav so new file types can be dynamically added when <code>daily.ftm</code> (or some other <code>.ftm</code> file) is loaded. Supplemental <code>.ftm</code> files should supplement the existing file type definitions, allowing an <code>extra.ftm</code> file to be tested alongside <code>daily.cvd</code>.</p>
<p>This new capability when combined with the ability to register bytecode signatures as new file type scanners will dramatically increase the ability to extend ClamAV functionality between major version updates. Even when combined with logical signatures that target specific file types (using the proposed new <code>Type:</code> keyword instead of <code>Target:</code>, see below project idea), will allow creative analysts to write more compact and efficient logical signatures.</p>
<p><strong>Category</strong>: Fun, Core Development</p>
<p><strong>What you will learn from this project</strong>:</p>
<ul>
<li>Software architecture experience.</li>
</ul>
<p><strong>Required skills</strong>:</p>
<ul>
<li>C development experience.</li>
</ul>
<p><strong>Project Size</strong>: Medium</p>
<h3 id="register-scanners-for-each-file-type-write-bytecode-signature-scanners"><a class="header" href="#register-scanners-for-each-file-type-write-bytecode-signature-scanners">Register scanners for each file type, Write bytecode "signature" scanners.</a></h3>
<p>Bytecode signatures are the portable executable plugin format for ClamAV. If ClamAV file types each had one or more<code>*</code> linked list of file type handlers ("scanners"), then a bytecode API could be added to register a bytecode signature as a new scanner for a file type.</p>
<p>This project should be completed after the project to dynamically add new file types with new file type magic signatures (above). This new scanning architecture would be really powerful way to add features to the product without requiring a major version update. When combined with the project to run WebAssembly signatures written in Rust (project idea above) -- this plugin-based scanner feature would have the potential to become the fastest <em>and</em> <strong>safest</strong> way to add new capabilities to ClamAV.</p>
<p><em><strong>Example use case</strong></em>:</p>
<p>One example use case of this feature would be to alert on the malicious use of crypto miner wallet IDs.</p>
<p>Cryptomining malware has become increasingly prevalent with the rise in cryptocurrency prices, and we have thousands of wallet identifiers known to be associated with malicious cryptomining campaigns. We don't have a robust way of using these IDs for detection, though, because we only want to raise an alert if the ID appears to be used in a malicious way (Ex: hardcoded into a mining application or as part of a coin miner configuration file) and not in legitimate ways (Ex: blog posts about campaigns or wallet block lists used by the mining pools).</p>
<p>The two use-cases that we want to alert on are miner config files and executables with the embedded wallet identifier. We could have two <code>.ftm</code> rules (one for each case) that indicate a <code>CL_TYPE_MINER</code> or something like that, and then scanning execution for <code>CL_TYPE_MINER</code> can go to the bytecode sig to perform any other checks that may be necessary.</p>
<p><em><strong><code>*</code>Additional Considerations</strong></em>: ClamAV has several locations in the scanning process for invoking file type scanners:</p>
<ol>
<li>After initial file type identification, and before the "raw scan". In <code>cli_magic_scan()</code>.</li>
<li>Once for each embedded file types found when using <code>scanraw()</code> to also match on embedded type recognition signatures<code>*</code>. In <code>scanraw()</code>.
<ul>
<li><code>*</code>Embedded type recognition signature matching is a feature used to identify self-extracting archives and some harder to identify file formats, like XML-based office document formats, DMG files, master boot records (MBR), etc. It isn't used for some archive and disk image formats that we'll unpack later anyways because they cause excessive type false positives and duplicate file scanning. A common example without this safety measure was duplicate file extraction and scanning of zip file entries found in a tarball.</li>
</ul>
</li>
<li>After scanning all of the found embedded types (above). At the end of <code>scanraw()</code>. These could probably be moved to (4) if it is deemed safe to remove the 1st "safety measure" call to <code>scanraw()</code> in <code>cli_magic_scan()</code> (i.e we'd only call <code>scanraw()</code> once, ever).</li>
<li>Again, after the call to <code>scanraw()</code> at the bottom of <code>cli_magic_scan()</code>, for types that have bytecode hooks that won't execute unless a logical signature matches, requiring <code>scanraw()</code> to perform matching first.</li>
</ol>
<p>Considering that there are 3 or 4 placement options for scanners, it may be required to have 3 (or 4) different lists to add to when registering a new scanner to indicate when to run the scanner in the scanning process. An enum argument for the function would indicate which list to add it to. If inserting the new scanner for a given type from the <em>front</em> of the list, and only invoking the next scanner if the first one returns <code>CL_EPARSE</code> or <code>CL_EFORMAT</code>, then a scanner registration could be used to override an existing/built-in one <em>or</em> supplement it, whichever is desired.</p>
<p>This project would would require coming up with a common file-type-scanner API for all scanners (including bytecode scanners), and would enable moving all file-type-scanners out of <code>scanners.c</code> and into a new file for each in a <code>scanners</code> subdirectory. A separate <code>parsers</code> subdirectory should be added at this time and each file type parser would be moved there. The distinction between a "scanner" and a "parser" is this. A scanner uses a parser to extract bits to be scanned. A parser may simply be something like an archive extraction library. In some cases, particularly in internally developed code, the distinction may be less clear and so the entire thing may be better placed under the <code>scanners</code> directory as the entry-point will doubtless need to use the common file-type-scanner API.</p>
<p>This project will also require creating lots of regression tests for file type identification to ensure that the new architecture doesn't accidentally misclassify or fail to scan certain files.</p>
<p>The majority of the work won't actually change ClamAV's behavior, which may seem frustrating, but the end goal is super cool. Code cleanup and organization along the way will also make a meaningful difference. This project could be split into pieces:</p>
<ol>
<li>Establish a common file type scanner function API and reorganize the scanners and parsers as described above.</li>
<li>Convert the API into a callback function pointer definition and create a registration API. Add a set of scanner callback lists to each file type. The built-in scanners should be initialized either at compile time or at least when libclamav is initialized, depending on the chosen design.</li>
</ol>
<p><strong>Category</strong>: Very Fun, Core Development</p>
<p><strong>What you will learn from this project</strong>:</p>
<ul>
<li>Software architecture experience</li>
<li>How to write ClamAV signatures (bytecode and LDB sigs)</li>
<li>You'll test your code against real-world malware, and can do reverse engineering if you'd like to expand the initial coinminer classification logic.</li>
</ul>
<p><strong>Required skills</strong>:</p>
<ul>
<li>Strong C development experience.</li>
<li>Any prior experience in the areas listed below is a plus.</li>
</ul>
<p><strong>Project Size</strong>: Very Large</p>
<h3 id="limit-logical-signature-alerts-based-on-file-type"><a class="header" href="#limit-logical-signature-alerts-based-on-file-type">Limit logical signature alerts based on file type</a></h3>
<p>ClamAV signatures have a "Target Type" which is an integer type which can be used in signatures to limit signature matches to specific file types. ClamAV also categorizes signature patterns into two different Aho-Corasick pattern-matching trie's by Target Type. Target Type <code>1</code> (Windows executables (EXE/DLL/SYS/etc.) go in one trie, and <em>everything else</em> goes in the other trie. Unfortunately, not every file type has an associated target type. In addition, while it's conceivable to be able to add new text-based file types dynamically (see the above project idea about file type magic signatures), it is less feasible to dynamically add new numerical target types.</p>
<p>For some advanced reading, see:</p>
<ul>
<li><appendix/FileTypes.md></li>
<li><manual/Signatures/LogicalSignatures.md></li>
</ul>
<p>This project is to add a new "<code>Type:</code>" keyword to the <code>TargetDescriptionBlock</code> for <a href="manual/Development/../Signatures/LogicalSignatures.html">Logical Signature (<code>.ldb</code>)</a> to limit logical signature alerts to specific file types, much like you currently can do with Target Types ("<code>Target:</code>"), Container File Types ("<code>Container:</code>"), and Container Intermediate Types ("<code>Intermediates:</code>"). While this isn't expected to improve scan times, it should reduce overall signature size as analysts will no longer need to duplicate the file-type-magic signature in order to limit alerting on a signature match by file type.</p>
<p>To illustrate, this is the file type magic signature for a Microsoft Shortcut File, aka <code>CL_TYPE_LNK</code>:</p>
<pre><code>0:0:4C0000000114020000000000C000000000000046:Microsoft Windows Shortcut File:CL_TYPE_ANY:CL_TYPE_LNK:100
</code></pre>
<p>Though we can classify a file as <code>CL_TYPE_LNK</code> and even unpack the file with custom scanner using that type, there is presently no way to write a signature for <code>CL_TYPE_LNK</code> files without duplicating the <code>0:4C0000000114020000000000C000000000000046</code> bit.</p>
<p>At present a signature to alert on a "malicious" shortcut containing <code>0xdeadbeef</code> might look like this:</p>
<pre><code>SignatureName;Target:0;(0&1);0:4C0000000114020000000000C000000000000046;deadbeef
</code></pre>
<p>After this change, the signature could instead read:</p>
<pre><code>SignatureName;Target:0,Type:CL_TYPE_LNK;(0);deadbeef
</code></pre>
<p><strong>Category</strong>: Low-hanging Fruit, Core Development</p>
<p><strong>What you will learn from this project</strong>:</p>
<ul>
<li>Knowledge of ClamAV's signature databases, and logical signature evaluation.</li>
</ul>
<p><strong>Required skills</strong>:</p>
<ul>
<li>C development experience.</li>
</ul>
<p><strong>Project Size</strong>: Small</p>
<h3 id="libclamav-callback-function-to-request-additional-file"><a class="header" href="#libclamav-callback-function-to-request-additional-file">libclamav Callback Function to Request Additional File</a></h3>
<p>Add a callback function to give libclamav file parsers the ability to request additional file data from the scanning application -- I.e. <code>clamscan</code> and <code>clamd</code> (and by extension <code>clamdscan</code> & <code>clamonacc</code>).</p>
<p>This feature would enable support for split-archive scans, if all components of the split archive are present and available to the scanning application. To make this work for <code>clamdscan</code>+<code>clamd</code>, or <code>clamonacc</code>+<code>clamd</code>, the request would also have to be relayed by <code>clamd</code> over the socket API to the scanning client, and the client would have to respond with additional data, filepath, or file descriptor for <code>clamd</code> to provide via the callback to file parser.</p>
<blockquote>
<p><strong>Disclaimer</strong>: It's entirely likely that this idea is bogus and wouldn't work over the <code>clamd</code>+<code>clamdscan</code> socket API. This task would require a fair amount exploratory coding.</p>
</blockquote>
<p>When a file is scanned, the scanner (eg <code>cli_scanrar</code>) may call a callback function provided by clamscan or clamd to request scan access to other files by name, with the expectation that it would receive an <code>fmap</code> in response. Specifically, when the first file in a split archive is scanned, the parser could request <code>fmap</code>s for subsequent files to provide to the archive extraction library. Direct scanning of files other than the first file in a split archive will skip, because they are split and are not the first file.</p>
<p><strong>Category</strong>: Risky/Exploratory, Core Development</p>
<p><strong>What you will learn from this project</strong>:</p>
<ul>
<li>ClamAV and SigTool internals</li>
<li>Socket programming</li>
</ul>
<p><strong>Required skills</strong>:</p>
<ul>
<li>C and C++ development experience.</li>
</ul>
<p><strong>Project Size</strong>: Large</p>
<div style="break-before: page; page-break-before: always;"></div><h1 id="clam-antivirus-frequently-asked-questions"><a class="header" href="#clam-antivirus-frequently-asked-questions">Clam AntiVirus <em>Frequently Asked Questions</em></a></h1>
<p>If you're unable to find an answer to your question in the FAQ, you can seek help in <a href="https://www.clamav.net/contact.html#ml">our clamav-users mailing list</a>, on our <a href="https://discord.gg/6vNAqWnVgw">Discord server</a>, or by submitting an <a href="https://github.com/Cisco-Talos/clamav/issues">issue on GitHub</a>. The mailing list archives and existing Github issues (open or closed) may also have an answer to your question.</p>
<p>Please consider contributing answered questions back to this FAQ, and improving the quality of these answers, by submitting pull requests to <a href="https://github.com/Cisco-Talos/clamav-documentation">our documentation source repository</a>.</p>
<p>Table Of Contents</p>
<ol>
<li><a href="faq/faq-whichversion.html">Selecting the Right Version of ClamAV for You</a></li>
<li><a href="faq/faq-freshclam.html">FreshClam (Signature Updater)</a></li>
<li><a href="faq/faq-cvd.html">Signature Database (CVD)</a></li>
<li><a href="faq/faq-misc.html">Misc</a></li>
<li><a href="faq/faq-ml.html">Mailing Lists</a></li>
<li><a href="faq/faq-safebrowsing.html">Safe Browsing</a></li>
<li><a href="faq/faq-troubleshoot.html">Troubleshooting</a></li>
<li><a href="faq/faq-scan-alerts.html">Interpreting Scan Alerts</a></li>
<li><a href="faq/faq-upgrade.html">Upgrading</a></li>
<li><a href="faq/faq-win32.html">Win32</a></li>
<li><a href="faq/faq-eol.html">ClamAV EOL Policy</a></li>
<li><a href="faq/faq-pua.html">PUA (Potentially Unwanted Application)</a></li>
<li><a href="faq/faq-ignore.html">Ignore</a></li>
<li><a href="faq/faq-uninstall.html">Uninstall</a></li>
</ol>
<p>ClamAV FAQ © 2021 Cisco Systems, Inc.</p>
<p>This document is distributed under the terms of the GNU General Public License v2.</p>
<p>Clam AntiVirus is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.</p>
<p>ClamAV and Clam AntiVirus are trademarks of Cisco Systems, Inc.</p>
<div style="break-before: page; page-break-before: always;"></div><h1 id="which-version-of-clamav-should-i-use"><a class="header" href="#which-version-of-clamav-should-i-use">Which Version of ClamAV should I use?</a></h1>
<p>Official ClamAV releases are available for download from <a href="http://www.clamav.net/downloads">ClamAV.net</a>.</p>
<h2 id="stable-release"><a class="header" href="#stable-release">Stable release</a></h2>
<p>For critical systems, please install using the latest stable release.</p>
<h2 id="beta-and-release-candidates-programs"><a class="header" href="#beta-and-release-candidates-programs">Beta and Release candidates Programs</a></h2>
<p>If your system is not critical, we occasionally release beta and release candidate (RC) versions of the next feature release. Your participation in our beta and release candidate programs is always appreciated.</p>
<div style="break-before: page; page-break-before: always;"></div><h1 id="freshclam-faq"><a class="header" href="#freshclam-faq">FreshClam FAQ</a></h1>
<p>The following FAQ should help you understand why <code>freshclam</code> may have failed to fetch the latest updates.</p>
<p>If you're unable to find an answer to your question in the FAQ, you can seek help in <a href="https://www.clamav.net/contact.html#ml">our clamav-users mailing list</a>, on our <a href="https://discord.gg/6vNAqWnVgw">Discord server</a>, or by submitting an <a href="https://github.com/Cisco-Talos/clamav/issues">issue on GitHub</a>. The mailing list archives and existing Github issues (open or closed) may also have an answer to your question.</p>
<p>Please consider contributing answered questions back to this FAQ, and improving the quality of these answers, by submitting pull requests to <a href="https://github.com/Cisco-Talos/clamav-documentation">our documentation source repository</a>.</p>
<h2 id="failed-to-get-information-about-user-clamav"><a class="header" href="#failed-to-get-information-about-user-clamav">Failed to get information about user "clamav"</a></h2>
<p>If you've installed ClamAV and are running Freshclam as root or with <code>sudo</code> but don't have a <code>clamav</code> user account for Freshclam to run as, you may encounter this error:</p>
<pre><code>ERROR: Failed to get information about user "clamav".
Create the "clamav" user account for freshclam to use, or set the DatabaseOwner config option in freshclam.conf to a different user.
For more information, see https://docs.clamav.net/manual/Installing/Installing-from-source-Unix.html
ERROR: Initialization error!
</code></pre>
<p>You can resolve this issue by following these steps to <a href="https://docs.clamav.net/manual/Installing/Add-clamav-user.html">create a <code>clamav</code> service account</a>.</p>
<h2 id="cant-create-freshclamdat-in-usrlocalshareclamav"><a class="header" href="#cant-create-freshclamdat-in-usrlocalshareclamav">Can't create freshclam.dat in /usr/local/share/clamav</a></h2>
<p>If the database directory exists but is not owned by the user account that Freshclam is being run as, you may encounter this error:</p>
<pre><code>ERROR: Can't create freshclam.dat in /usr/local/share/clamav
Hint: The database directory must be writable for UID 1000 or GID 1000
ERROR: Failed to save freshclam.dat!
WARNING: Failed to create a new freshclam.dat!
ERROR: initialize: libfreshclam init failed.
ERROR: Initialization error!
</code></pre>
<p>To resolve this issue, change ownership of the directory to the appropriate user account.</p>
<p>For example if you're running Freshclam under your user account "bob", something like this may resolve the issue:</p>
<pre><code class="language-bash">sudo chown -R bob /usr/local/share/clamav
</code></pre>
<p>If running Freshclam as root (or with <code>sudo</code>), then Freshclam will try to automatically switch to run as the <code>clamav</code> user, or whichever user is specified as the <code>DatabaseOwner</code> in <code>freshclam.conf</code>. Run this to resolve the issue:</p>
<pre><code class="language-bash">sudo chown -R clamav /usr/local/share/clamav
</code></pre>
<h2 id="problem-with-the-ssl-ca-cert"><a class="header" href="#problem-with-the-ssl-ca-cert">Problem with the SSL CA cert</a></h2>
<p>On Linux/Unix systems, Freshclam uses openssl to validate certificates for TLS connections. It relies on finding the openssl CA bundle in the default path. You may encounter the following error if you're missing the <code>ca-certificates</code> package, or on some distributions where the path to the CA bundle has been customized:</p>
<pre><code>WARNING: Download failed (77) WARNING: Message: Problem with the SSL CA cert (path? access rights?
WARNING: Can't download daily.cvd from https://database.clamav.net/daily.cvd
</code></pre>
<p>First you may try installing the <code>ca-certificates</code> package. If that is already installed, or the issue persists, then you may need to set the <code>CURL_CA_BUNDLE</code> environment variable to direct Freshclam to the path of the CA bundle on your system.</p>
<p>For example, on openSUSE you may need to set <code>CURL_CA_BUNDLE=/var/lib/ca-certificates/ca-bundle.pem</code>. You can test this by running:</p>
<pre><code class="language-bash">CURL_CA_BUNDLE=/var/lib/ca-certificates/ca-bundle.pem freshclam
</code></pre>
<p>If this resolves the issue, you may wish to export the <code>CURL_CA_BUNDLE</code> variable in your <code>.bashrc</code> file or the equivalent for your shell.</p>
<blockquote>
<p><em>Tip</em>: The <code>CURL_CA_BUNDLE</code> variable is also used by ClamSubmit.</p>
</blockquote>
<h2 id="invalid-dns-reply-falling-back-to-http-mode-or-error-cant-query-currentcvdclamavnet"><a class="header" href="#invalid-dns-reply-falling-back-to-http-mode-or-error-cant-query-currentcvdclamavnet">Invalid DNS reply. Falling back to HTTP mode or ERROR: Can't query current.cvd.clamav.net</a></h2>
<p>There is a problem with your DNS server. Please check the entries in <code>/etc/resolv.conf</code> and verify that you can resolve the <code>TXT</code> record manually:</p>
<p><code>$ host -t txt current.cvd.clamav.net</code></p>
<p>If you can't, it means your network is broken. You'll be still able to download the updates, but you'll waste a lot of bandwidth checking for updates. Please note that some not RFC compliant DNS servers (namely the one shipped with the <em>Alcatel</em> (now <em>Thomson</em>) <em>SpeedTouch 510 modem</em>) can't resolve <code>TXT</code> record. If that's the case, please recompile ClamAV with the flag <code>--enable-dns-fix</code>.</p>
<h2 id="error-connection-with--failed"><a class="header" href="#error-connection-with--failed">ERROR: Connection with ??? failed</a></h2>
<p>Either your dns servers are not working or you are blocking <code>port 53/tcp</code>. You should manually check that you can resolve hostnames with:</p>
<p><code>$ host database.clamav.net</code></p>
<p>If it doesn't work, check your dns settings in <code>/etc/resolv.conf</code>. If it works, check that you can receive dns answers longer than 512 bytes, e.g. check that your firewall is not blocking packets which originate from <code>port 53/tcp</code>. An easy way to find it out is:</p>
<p><code>$ dig @ns1.clamav.net db.us.big.clamav.net</code></p>
<h2 id="warning-incremental-update-failed-trying-to-download-dailycvd"><a class="header" href="#warning-incremental-update-failed-trying-to-download-dailycvd">WARNING: Incremental update failed, trying to download daily.cvd</a></h2>
<p>For some reason, incremental update failed. FreshClam can recover from this situation by downloading the whole daily.cvd.</p>
<h2 id="database-update-process-failed-downloaded-database-had-lower-version-than-advertised"><a class="header" href="#database-update-process-failed-downloaded-database-had-lower-version-than-advertised">Database update process failed: Downloaded database had lower version than advertised</a></h2>
<p>For some reason, the content delivery network is not serving the latest updates yet. If you experience this problem, please report the issue on <a href="https://github.com/Cisco-Talos/clamav-devel/issues">GitHub Issues</a>.</p>
<h2 id="update-failed-your-network-may-be-down-or-the-clamav-database-content-delivery-network-is-experiencing-an-outage"><a class="header" href="#update-failed-your-network-may-be-down-or-the-clamav-database-content-delivery-network-is-experiencing-an-outage">Update failed. Your network may be down or the ClamAV database content delivery network is experiencing an outage</a></h2>
<p>It's not your lucky day. Your network may be down or the ClamAV database content delivery network is experiencing an outage. Please wait a few minutes and try again. Remember to pass the <code>-v</code> option to freshclam.</p>
<h2 id="update-failed-updating-too-frequently-with-an-outdated-version"><a class="header" href="#update-failed-updating-too-frequently-with-an-outdated-version">Update failed. Updating too frequently with an outdated version</a></h2>
<p>Starting from ClamAV 0.9x, whenever your ClamAV engine becomes outdated and the difference between the functionality level required by the CVD and the functionality level supported by your ClamAV engine is more than 3, freshclam will refuse to check for updates more often than 6 times per day.</p>
<p>The reason for this is that bandwidth can be expensive. It is not helpful to generate extra traffic on our content delivery network if you cannot take advantage of all the signatures anyway. If you really care about catching as much malware as possible and you want to check for updates more often than 6 times per day, then you should also not run such an old version of ClamAV.</p>
<h2 id="your-clamav-installation-is-outdated"><a class="header" href="#your-clamav-installation-is-outdated">Your ClamAV installation is OUTDATED</a></h2>
<p>This message does NOT indicate that you are unable to download the latest CVD update! You'll get this message whenever a new version of ClamAV is released. In order to detect all the latest viruses, it's not enough to keep your database up to date. You also need to run the latest version of the scanner.</p>
<h2 id="warning-current-functionality-level--1-required--2"><a class="header" href="#warning-current-functionality-level--1-required--2">WARNING: Current functionality level = 1, required = 2</a></h2>
<p>The functionality level of the database determines which scanner engine version is required to use all of its signatures. If you don't upgrade immediately you will still be able to download the latest CVD updates but the engine won't be able to use ALL of them.</p>
<h2 id="ignoring-mirror-ip-has-connected-too-many-times-with-an-outdated-version"><a class="header" href="#ignoring-mirror-ip-has-connected-too-many-times-with-an-outdated-version">Ignoring mirror <IP> (has connected too many times with an outdated version)</a></h2>
<p>If you are experiencing this problem, please do the following: Stop the <code>freshclam</code> daemon if it's running, delete both <code>mirrors.dat</code> and <code>daily.cvd</code>, then restart the <code>freshclam</code> daemon. FreshClam will then download a new <code>daily.cvd</code> and will be up-to-date.</p>
<h2 id="http-error-codes"><a class="header" href="#http-error-codes">HTTP Error Codes</a></h2>
<p>If you are receiving a 403, 503, or 1020 error codes when downloading from Cloudflare, then you are either explicitly blocked, using an <a href="faq/faq-eol.html">EOL'ed version of ClamAV</a> or you are downloading incorrectly.</p>
<p>If FreshClam is failing and you're not sure why, you may run <code>freshclam -v</code> for "Verbose Mode" to see the HTTP request & response details (ClamAV 0.102+).</p>
<p>After checking that you are using a current version of ClamAV, please discontinue whatever method of download you are using and immediately move to using either FreshClam or <a href="https://github.com/Cisco-Talos/cvdupdate">cvdupdate</a>. These are the two supported methods for downloading AV updates from ClamAV. All other methods may be rate limited, or blocked at our discretion. Use of Wget, Curl, or other command line tools that are scripted are explicitly denied.</p>
<p>If you are receiving a 429, that means you are rate limited. You're downloading too fast or too much. Please use Freshclam or <a href="https://github.com/micahsnyder/cvdupdate">cvdupdate</a>. If you are using a shared hosting provider, like Amazon AWS, Google Cloud Computing, Oracle, Azure, etc, you will most likely be rate limited, however cvdupdate should handle this gracefully. If you continue to receive these, we recommend you try from a different external IP address.</p>
<p>If you are receiving a 403 specifically on the safebrowsing.cvd file, please read <a href="https://blog.clamav.net/2021/04/are-you-still-attempting-to-download.html">this blog post</a> immediately!</p>
<p>Are you running a version of FreshClam/ClamAV lower than <code>0.103.2</code>? If so, you should immediately upgrade to at least 0.103.2.</p>
<p>If you have checked all of the above and you are still seeing errors, please open a ticket using the below link.</p>
<h2 id="for-all-other-database-update-related-failures"><a class="header" href="#for-all-other-database-update-related-failures">For all other database update related failures</a></h2>
<p>Please report freshclam update failures or issues on <a href="https://github.com/Cisco-Talos/clamav-devel/issues">GitHub Issues</a>.</p>
<div style="break-before: page; page-break-before: always;"></div><h1 id="clamav-virus-database-faq"><a class="header" href="#clamav-virus-database-faq">ClamAV Virus Database FAQ</a></h1>
<p>The following FAQ should help you understand how ClamAV CVD signature databases work and any issues you may experience working with them.</p>
<p>If you're unable to find an answer to your question in the FAQ, you can seek help in <a href="https://www.clamav.net/contact.html#ml">our clamav-users mailing list</a>, on our <a href="https://discord.gg/6vNAqWnVgw">Discord server</a>, or by submitting an <a href="https://github.com/Cisco-Talos/clamav/issues">issue on GitHub</a>. The mailing list archives and existing Github issues (open or closed) may also have an answer to your question.</p>
<p>Please consider contributing answered questions back to this FAQ, and improving the quality of these answers, by submitting pull requests to <a href="https://github.com/Cisco-Talos/clamav-documentation">our documentation source repository</a>.</p>
<h2 id="how-do-i-keep-my-virus-database-up-to-date"><a class="header" href="#how-do-i-keep-my-virus-database-up-to-date">How do I keep my virus database up to date?</a></h2>
<p>ClamAV comes with <em>FreshClam</em>, a tool which periodically checks for new database releases and keeps your database up to date. It is encouraged that you update to at least version 0.103.2, which respects our bandwidth limitations.</p>
<h2 id="how-often-is-the-virus-database-updated"><a class="header" href="#how-often-is-the-virus-database-updated">How often is the virus database updated?</a></h2>
<p>The virus database is usually updated once or twice per day. Sign up for our <a href="https://lists.clamav.net/mailman/listinfo/clamav-virusdb">VirusDB mailing list</a> to see our response times to new threats. The virusdb team tries to keep up with the latest threats in the wild. You can contribute to make the virusdb updating process more efficient by submitting samples of viruses via our "<a href="https://www.clamav.net/contact">Contact</a>" page on ClamAV.net.</p>
<h2 id="the-last-cvd-update-crashed-my-clamav-installation-why"><a class="header" href="#the-last-cvd-update-crashed-my-clamav-installation-why">The last CVD update crashed my ClamAV installation. Why?</a></h2>
<p>Before publishing a CVD update, we verify that it can be correctly loaded by the last two stable release series of ClamAV.</p>
<h2 id="the-last-cvd-update-detects-a-lot-of-false-positives-on-my-system-why"><a class="header" href="#the-last-cvd-update-detects-a-lot-of-false-positives-on-my-system-why">The last CVD update detects a lot of false positives on my system. Why?</a></h2>
<p>Before publishing a CVD update, we test it for false positives using the latest stable release of ClamAV. If you want to avoid problems with false positives, you must run the latest stable version of ClamAV. Please stay tuned to our <a href="faq/faq-eol.html">EOL policy</a> for what versions are actively supported.</p>
<h2 id="i-tried-to-submit-a-sample-through-the-web-interface-but-it-said-the-sample-is-already-recognized-by-clamav-my-clamscan-tells-me-its-not-i-have-already-updated-my-database-and-clamav-engine-whats-wrong-with-my-setup"><a class="header" href="#i-tried-to-submit-a-sample-through-the-web-interface-but-it-said-the-sample-is-already-recognized-by-clamav-my-clamscan-tells-me-its-not-i-have-already-updated-my-database-and-clamav-engine-whats-wrong-with-my-setup">I tried to submit a sample through the web interface, but it said the sample is already recognized by ClamAV. My ClamScan tells me it's not. I have already updated my database and ClamAV engine, what's wrong with my setup?</a></h2>
<p>Please run ClamScan with the <code>--alert-broken</code> option. Also check that FreshClam and ClamScan are using the same path for storing/reading the database.</p>
<h2 id="i-found-an-infected-file-in-my-hdusbmailbox-but-clamav-doesnt-recognize-it-yet-can-you-help-me"><a class="header" href="#i-found-an-infected-file-in-my-hdusbmailbox-but-clamav-doesnt-recognize-it-yet-can-you-help-me">I found an infected file in my HD/USB/mailbox, but ClamAV doesn't recognize it yet. Can you help me?</a></h2>
<p>Our virus database is kept up to date with the help of the community. Whenever you find a new virus which is not detected by ClamAV you should <a href="https://www.clamav.net/reports/malware">complete this form</a>. The virusdb team will review your submission and update the database if necessary. Before submitting a new sample: - check that the value of <code>DatabaseDirectory</code>, in both <code>clamd.conf</code> and <code>freshclam.conf</code>, is the same - and update your database by running FreshClam to ensure you've scanned it with the latest virus database.</p>
<h2 id="im-running-clamav-on-a-lot-of-clients-on-my-local-network-can-i-serve-the-cvd-files-from-a-local-server-so-that-each-client-doesnt-have-to-download-them-from-your-servers"><a class="header" href="#im-running-clamav-on-a-lot-of-clients-on-my-local-network-can-i-serve-the-cvd-files-from-a-local-server-so-that-each-client-doesnt-have-to-download-them-from-your-servers">I'm running ClamAV on a lot of clients on my local network. Can I serve the cvd files from a local server so that each client doesn't have to download them from your servers?</a></h2>
<p>Sure, you can find more details on our <a href="faq/../appendix/CvdPrivateMirror.html">Private Local Mirror page</a>.</p>
<ol>
<li>
<p>If you want to take advantage of incremental updates, install a proxy server and then configure your FreshClam clients to use it (watch for the HTTPProxyServer parameter in <code>freshclam.conf</code>).</p>
</li>
<li>
<p>The second possible solution is to:</p>
</li>
</ol>
<ul>
<li>
<p>Configure a local webserver on one of your machines (say <code>machine1.mylan</code>)</p>
</li>
<li>
<p>Let FreshClam download the <code>*.cvd</code> files from <a href="http://database.clamav.net">http://database.clamav.net</a> to the webserver's <em>DocumentRoot</em>.</p>
</li>
<li>
<p>Finally, change <code>freshclam.conf</code> on your clients so that it includes:</p>
<pre><code class="language-ini">DatabaseMirror machine1.mylan
ScriptedUpdates off
</code></pre>
<p>First the database will be downloaded to the local webserver and then the other clients on the network will update their copy of the database from it.</p>
<p><em>Important</em>: For this to work, you have to add <code>ScriptedUpdates off</code> on all of your machines!</p>
</li>
</ul>
<h2 id="i-cant-wait-for-you-to-update-the-database-i-need-to-use-the-new-signature-now"><a class="header" href="#i-cant-wait-for-you-to-update-the-database-i-need-to-use-the-new-signature-now">I can't wait for you to update the database! I need to use the new signature NOW!</a></h2>
<p>No problem, save your own signatures in a text file with the appropriate extension (see <a href="faq/../manual/Signatures.html">our signature writing documentation</a> for more information). Put the signature files in the same directory where the <code>.cvd</code> files are located. This is typically <code>/usr/local/share/clamav</code> or <code>/var/lib/clamav</code>. ClamAV will load it after the official <code>.cvd</code> files. You do not need to sign your custom database files.</p>
<h2 id="can-i-download-the-virus-database-manually"><a class="header" href="#can-i-download-the-virus-database-manually">Can I download the virus database manually?</a></h2>
<p>This practice is discouraged, please use either FreshClam or CVDUpdate to update your definitions. Please check out our <a href="faq/faq-freshclam.html">FreshClam FAQ</a> and our <a href="faq/../appendix/CvdPrivateMirror.html">Private Mirror Documentation</a> for further information and links to CVDUpdate.</p>
<h2 id="i-am-getting-error-codes-such-as-403-429-etc-when-freshclam-or-other-update-system-attempts-to-download-updates"><a class="header" href="#i-am-getting-error-codes-such-as-403-429-etc-when-freshclam-or-other-update-system-attempts-to-download-updates">I am getting error codes such as 403, 429, etc when FreshClam (or other update system) attempts to download updates</a></h2>
<p>Are you attempting to download <code>safebrowsing.cvd</code> and getting a 403? If so, <a href="https://blog.clamav.net/2021/04/are-you-still-attempting-to-download.html">take a look at this blog post</a>, otherwise check out our <a href="faq/faq-freshclam.html">Freshclam FAQ</a> under the section on "Error Codes".</p>
<hr />
<p>For other questions regarding issues with FreshClam, see our <a href="faq/faq-troubleshoot.html">FreshClam Troubleshooting FAQ</a>.</p>
<div style="break-before: page; page-break-before: always;"></div><h1 id="miscellaneous-faq"><a class="header" href="#miscellaneous-faq">Miscellaneous FAQ</a></h1>
<p>If you're unable to find an answer to your question in our FAQ, you can seek help in <a href="https://www.clamav.net/contact.html#ml">our clamav-users mailing list</a>, on our <a href="https://discord.gg/6vNAqWnVgw">Discord server</a>, or by submitting an <a href="https://github.com/Cisco-Talos/clamav/issues">issue on GitHub</a>. The mailing list archives and existing Github issues (open or closed) may also have an answer to your question.</p>
<p>Please consider contributing answered questions back to this FAQ, and improving the quality of these answers, by submitting pull requests to <a href="https://github.com/Cisco-Talos/clamav-documentation">our documentation source repository</a>.</p>
<h2 id="i-see-you-have-bugzilla-and-github-issues-which-one-should-i-use"><a class="header" href="#i-see-you-have-bugzilla-and-github-issues-which-one-should-i-use">I see you have Bugzilla AND GitHub Issues. Which one should I use?</a></h2>
<p>Please use <a href="https://github.com/Cisco-Talos/clamav/issues">GitHub Issues</a>. We're slowly phasing out Bugzilla. But please read the Security Policy and do not disclose anything in a ticket that should be kept private or that may represent a vulnerability.</p>
<h2 id="i-reported-a-bug-on-bugzilla-but-no-one-can-see-it-what-do-i-do"><a class="header" href="#i-reported-a-bug-on-bugzilla-but-no-one-can-see-it-what-do-i-do">I reported a bug on Bugzilla, but no one can see it. What do I do?</a></h2>
<p>Bugs reported to ClamAV's <a href="https://bugzilla.clamav.net/">Bugzilla ticket tracker</a> are private by default. Our policy is to make tickets public if they are not security-related. If you believe your bug report isn't security-related, please ping the ticket requesting that the ticket be made public. Chances are high that we simply forgot to remove the tag when the report came in.</p>
<h2 id="where-can-i-find-the-bug-ticket-for-a-security-bug-fix"><a class="header" href="#where-can-i-find-the-bug-ticket-for-a-security-bug-fix">Where can I find the bug ticket for a security bug fix?</a></h2>
<p>Our policy is to make security-related bugs public either:
A. fourteen (14) days after a security patch version has been published with a fix for the bug, or
B. after the non-disclosure agreement with a vulnerability reporter has expired and the bug details are otherwise already public.</p>
<p>This policy serves to reduce the risk that a malicious party would find enough details in the ticket to craft their own exploit for the bug before users have had an opportunity to upgrade to a patched version.</p>
<h2 id="where-can-i-find-a-test-file-to-prove-that-a-security-bug-doesnt-affect-me-or-has-been-fixed-in-my-version"><a class="header" href="#where-can-i-find-a-test-file-to-prove-that-a-security-bug-doesnt-affect-me-or-has-been-fixed-in-my-version">Where can I find a test file to prove that a security bug doesn't affect me or has been fixed in my version?</a></h2>
<p>We do not share test files for security bugs. Sharing these files puts users at risk for at least two reasons:</p>
<ol>
<li>Sharing a test file outside of our organization increases the risk of it falling into the wrong hands and being used to craft an exploit.</li>
<li>Test files generated by a fuzzer are designed to demonstrate a bug in a specific test environment and do the bare minimum necessary to trigger the bug. Scanning a test file outside of that environment is unlikely to demonstrate the issue EVEN THOUGH THE ISSUE STILL EXISTS. A clever adversary may very well be able to craft a bigger and better exploit for that issue that does affect your unpatched system. Testing with the original fuzzer-generated file is most likely to give you a false sense of security.</li>
</ol>
<h2 id="can-phishing-be-considered-one-kind-of-spam-clamav-should-not-detect-it-as-some-kind-of-malware"><a class="header" href="#can-phishing-be-considered-one-kind-of-spam-clamav-should-not-detect-it-as-some-kind-of-malware">Can phishing be considered one kind of spam? ClamAV should not detect it as some kind of malware.</a></h2>
<p>Starting from release 0.90, ClamAV allows you to choose whether to detect phish as some kind of malware or not. This should put an end to the endless threads on our mailing lists. So long, and thanks for all the phish.</p>
<h2 id="why-is-my-legitimate-html-newsletteremail-detected-by-clamav-as-phishingheuristicsemailspoofeddomain"><a class="header" href="#why-is-my-legitimate-html-newsletteremail-detected-by-clamav-as-phishingheuristicsemailspoofeddomain">Why is my legitimate HTML newsletter/email detected by ClamAV as Phishing.Heuristics.Email.SpoofedDomain?</a></h2>
<p>If it contains links in the form of <code>href="http://yourdomain.example.tld"> otherdomain.tld</code>, where <code>otherdomain.tld</code> (ProtectedDomain) doesn't belong to you and is listed in ClamAV database (like amazon.com, ebay.com, ...) then ClamAV detects it as a phishing attempt.</p>
<h2 id="my-legitimate-emails-from-yourdomaintld-are-detected-as-phishingheuristicsemailspoofeddomain"><a class="header" href="#my-legitimate-emails-from-yourdomaintld-are-detected-as-phishingheuristicsemailspoofeddomain">My legitimate emails from yourdomain.tld are detected as Phishing.Heuristics.Email.SpoofedDomain</a></h2>
<p>Please <a href="https://www.clamav.net/reports/malware">submit a sample</a>, marking it as a false positive, phishing. If it's really a false positive, we will add an allow list entry for it.</p>
<h2 id="can-i-convert-the-new-database-format-to-the-old-one"><a class="header" href="#can-i-convert-the-new-database-format-to-the-old-one">Can I convert the new database format to the old one?</a></h2>
<p>Yes, install a recent version of sigtool and run:</p>
<p><code>sigtool --unpack-current daily.cvd; sigtool --unpack-current main.cvd</code></p>
<h2 id="how-do-i-read-inside-the-cvd-files"><a class="header" href="#how-do-i-read-inside-the-cvd-files">How do I read inside the CVD files?</a></h2>
<p>See previous FAQ.</p>
<h2 id="im-using-clamav-in-a-production-environment-and-a-brand-new-virus-is-not-being-recognized-by-clamav-how-long-do-i-have-to-wait-before-clamav-can-start-filtering-the-virus"><a class="header" href="#im-using-clamav-in-a-production-environment-and-a-brand-new-virus-is-not-being-recognized-by-clamav-how-long-do-i-have-to-wait-before-clamav-can-start-filtering-the-virus">I'm using ClamAV in a production environment and a brand new virus is not being recognized by ClamAV. How long do I have to wait before ClamAV can start filtering the virus?</a></h2>
<p>No time at all! Find a signature for that virus and modify your virus database accordingly (see our <a href="faq/../manual/Signatures.html">signature writing documentation</a> for details).
Remember to <a href="https://www.clamav.net/reports/malware">submit</a> the sample to the virusdb team.</p>
<h2 id="why-is-clamav-calling-the-xxx-virus-with-another-name"><a class="header" href="#why-is-clamav-calling-the-xxx-virus-with-another-name">Why is ClamAV calling the XXX virus with another name?</a></h2>
<p>This usually happens when we add a signature <em>before</em> other AV vendors. No well-known name is available at that moment so we have to invent one. Renaming the virus after a few days would just confuse people more, so we usually keep on using our name for that virus. The only exception is when a new name is established soon after the signature addition.</p>
<h2 id="i-get-many-false-positives-of-oversizedzip"><a class="header" href="#i-get-many-false-positives-of-oversizedzip">I get many false positives of Oversized.zip</a></h2>
<p>Whenever a file exceeds ArchiveMaxCompressionRatio (see <code>clamd.conf</code> man page), it's considered a logic bomb and marked as <code>Oversized.zip</code>. Try increasing your ArchiveMaxCompressionRatio setting.</p>
<h2 id="what-is-pua-i-get-a-lot-of-false-positives-named-pua"><a class="header" href="#what-is-pua-i-get-a-lot-of-false-positives-named-pua">What is PUA? I get a lot of false positives named PUA.</a></h2>
<p>With the release of ClamAV 0.91.2 we introduce the option to scan for Potentially Unwanted Applications.</p>
<p>The PUA database contains detection for applications that are not malicious by itself but can be used in a malicious or unwanted context. As an example: A tool to retrieve passwords from a system can be useful as long as the person who uses it, is authorized to do so. However, the same tool can be used to steal passwords from a system. To make use of the PUA database you can use the <strong><code>--detect-pua</code> switch</strong> for clamscan or enable it in the config file for ClamD (add: <code>DetectPUA yes</code>).</p>
<p>At this point we DO NOT recommend using it in production environments, because the detection may be too aggressive and lead to false positives. In one of the next releases we will provide additional features for fine-tuning allowing better adjustments to different setups. NOTE: A detection as PUA does NOT tell if an application is good or bad. All it says is, that a file MAY BE unwanted or MAYBE could compromise your system security and it MAY BE a good idea to check it twice.</p>
<h2 id="can-clamav-disinfect-files"><a class="header" href="#can-clamav-disinfect-files">Can ClamAV disinfect files?</a></h2>
<p>No, it can't. We will add support for disinfecting OLE2 files in one of the next stable releases. There are no plans for disinfecting other types of files. There are many reasons for it: cleaning viruses from files is virtually pointless these days. It is very seldom that there is anything useful left after cleaning, and even if there is, would you trust it?</p>
<h2 id="when-using-clamscan-is-there-a-way-to-know-which-message-within-an-mbox-is-infected"><a class="header" href="#when-using-clamscan-is-there-a-way-to-know-which-message-within-an-mbox-is-infected">When using clamscan, is there a way to know which message within an mbox is infected?</a></h2>
<p>There are two solutions: Run <code>clamscan --debug</code>, look for <em>Deal with email number xxx</em> Alternatively you can convert the mbox to Maildir format, run clamscan on it and then convert it back to mbox format. There are many tools available which can convert to and from Maildir format: formail, mbox2maildir and maildir2mbox</p>
<h2 id="what-platforms-does-it-support"><a class="header" href="#what-platforms-does-it-support">What platforms does it support?</a></h2>
<p>Clam AntiVirus works with Linux®, Solaris, FreeBSD, OpenBSD, NetBSD, Mac OS X, Cygwin B20 on multiple architectures such as Intel, Alpha, Sparc, Cobalt MIPS boxes, PowerPC, RISC 6000.</p>
<h2 id="where-can-i-find-more-information-about-clamav"><a class="header" href="#where-can-i-find-more-information-about-clamav">Where can I find more information about ClamAV?</a></h2>
<p>Please read the complete documentation in pdf/ps format. You will find it inside the package or in the <a href="https://www.clamav.net/manual/installing.md">documentation</a> section of this website. You can also try searching the <a href="https://www.clamav.net/contact#ml">mailing list archives</a>. If you can't find the answer, you can ask for support on the clamav-users mailing-list, but <em>please</em> before doing it, search the archives! Also, make sure that you don't send HTML messages and that you don't top post: these violate the netiquette and lessen your chances of being answered.</p>
<div style="break-before: page; page-break-before: always;"></div><h1 id="mailing-lists-faq"><a class="header" href="#mailing-lists-faq">Mailing Lists FAQ</a></h1>
<p>If you're unable to find an answer to your question in our FAQ, you can seek help in <a href="https://www.clamav.net/contact.html#ml">our clamav-users mailing list</a>, on our <a href="https://discord.gg/6vNAqWnVgw">Discord server</a>, or by submitting an <a href="https://github.com/Cisco-Talos/clamav/issues">issue on GitHub</a>. The mailing list archives and existing Github issues (open or closed) may also have an answer to your question.</p>
<p>Please consider contributing answered questions back to this FAQ, and improving the quality of these answers, by submitting pull requests to <a href="https://github.com/Cisco-Talos/clamav-documentation">our documentation source repository</a>.</p>
<h2 id="where-can-i-ask-questions-about-using-clamav"><a class="header" href="#where-can-i-ask-questions-about-using-clamav">Where can I ask questions about using ClamAV?</a></h2>
<p>Subscribe to our <a href="https://lists.clamav.net/mailman/listinfo/clamav-users">clamav-users</a> mailing-list.</p>
<h2 id="i-want-to-take-part-to-the-development-of-clamav-where-can-i-get-more-info"><a class="header" href="#i-want-to-take-part-to-the-development-of-clamav-where-can-i-get-more-info">I want to take part to the development of ClamAV. Where can I get more info?</a></h2>
<p>Subscribe to the <a href="https://lists.clamav.net/mailman/listinfo/clamav-devel">clamav-devel</a> mailing-list.</p>
<h2 id="the-mailing-lists-generate-too-many-messages-per-day-i-cant-handle-them-what-shall-i-do"><a class="header" href="#the-mailing-lists-generate-too-many-messages-per-day-i-cant-handle-them-what-shall-i-do">The mailing-lists generate too many messages per day. I can't handle them. What shall I do?</a></h2>
<p>There are two possible solutions:</p>
<ul>
<li>Go to the <a href="https://lists.clamav.net/mailman/listinfo/">mailing-list</a> mailman interface, click on <strong>Unsubscribe or edit options</strong>, and turn <em>digest mode</em> on.</li>
<li>Access the mailing-lists using a "news reader".</li>
</ul>
<h2 id="i-sent-a-message-to-one-of-clamavs-mailing-lists-but-the-mail-was-rejectedheld-for-approval-why"><a class="header" href="#i-sent-a-message-to-one-of-clamavs-mailing-lists-but-the-mail-was-rejectedheld-for-approval-why">I sent a message to one of ClamAV's mailing-lists, but the mail was rejected/held for approval. Why?</a></h2>
<p>Only subscribers are allowed to post to the mailing-list. This is done to avoid spammers.</p>
<h2 id="i-read-the-mailing-list-from-the-gmane-news-gateway-can-i-post-to-the-mailing-list"><a class="header" href="#i-read-the-mailing-list-from-the-gmane-news-gateway-can-i-post-to-the-mailing-list">I read the mailing-list from the Gmane news gateway. Can I post to the mailing-list?</a></h2>
<p>See previous FAQ.</p>
<h2 id="ive-been-unsubscribed-from-one-of-the-mailing-lists-what-happened"><a class="header" href="#ive-been-unsubscribed-from-one-of-the-mailing-lists-what-happened">I've been unsubscribed from one of the mailing-lists. What happened?</a></h2>
<p>There are two possible reasons: If your account generates too many bounces you'll be automatically unsubscribed. Please subscribe again with a more reliable account. If we receive even one <em>out of office notification</em> from your vacation program, your address will be unsubscribed and banned from our mailing-lists forever. Sorry for that, there are just too many stupid people out there.</p>
<h2 id="how-do-i-disable-mail-delivery-from-the-mailing-list-im-subscribed-to"><a class="header" href="#how-do-i-disable-mail-delivery-from-the-mailing-list-im-subscribed-to">How do I disable mail delivery from the mailing-list I'm subscribed to?</a></h2>
<p>Suppose you are subscribed to <a href="https://lists.clamav.net/mailman/listinfo/clamav-users">clamav-users</a>. Go to <a href="https://lists.clamav.net/mailman/listinfo/clamav-users">clamav-users</a> and enter your mail address at the bottom of the page. Click on <strong>Unsubscribe or edit options</strong>. At the next page enter your password and press <em>Log in</em>. Under <em>Your clamav-users Subscription Options</em> choose <em>Disabled</em> opposite <em>Mail delivery</em> and press <em>Submit My Changes</em> at the bottom of the page.</p>
<div style="break-before: page; page-break-before: always;"></div><h1 id="safebrowsing"><a class="header" href="#safebrowsing">Safebrowsing</a></h1>
<h2 id="about"><a class="header" href="#about">About</a></h2>
<p><a href="https://safebrowsing.google.com/">Google Safe Browsing</a> may be used to get advanced protection against emails with links to suspicious websites.</p>
<h2 id="current-status"><a class="header" href="#current-status">Current Status</a></h2>
<p>The Safe Browsing feature has now been spun off into a <a href="https://github.com/Cisco-Talos/clamav-safebrowsing">related project</a>.</p>
<p>ClamAV previously provided a "safebrowsing" signature database derived from Google's Safe Browsing API using our own account and API key. Due to changes to the terms of service, we can no longer provide the signature content for you. Users that desire Safe Browsing coverage for non-commercial purposes can still generate their own safebrowsing signature database using the clamav-safebrowsing tools with a Google Safe Browsing API key.</p>
<p>Briefly, clamav-safebrowsing tools are needed to:</p>
<ol>
<li>
<p>Download the data from Google to a local MySQL database using Google's API [*];</p>
</li>
<li>
<p>Produce a local copy of the safebrowsing database file in a form suitable for use by the ClamAV tools;</p>
</li>
</ol>
<p>You will have to decide how to distribute this database file to the systems which need it; and to notify any clamd daemons of the change so that they load the new signatures.</p>
<p>[*] For efficiency, the API permits downloading differences, in much the same way that ClamAV itself uses <code>.cdiff</code> files. The clamav-safebrowsing tool uses a MySQL database to store the Safe Browsing data so it can apply these differences the next time you use it.</p>
<p>For more information, please visit <a href="https://github.com/Cisco-Talos/clamav-safebrowsing">the ClamAV Safebrowsing project on Github</a>.</p>
<h2 id="history"><a class="header" href="#history">History</a></h2>
<p>ClamAV 0.95 introduced an optional "safebrowsing" signature database to provide advanced protection against emails with links to suspicious websites. This was generated using Google's Safe Browsing API.</p>
<p>The "safebrowsing" signature database which was distributed in the same way as the other ClamAV database files via the ClamAV mirror network. Downloading the database was disabled by default, and the feature was to be enabled only with extreme caution. In order to enable this feature it was necessary to add the option <code>SafeBrowsing Yes</code> to <code>freshclam.conf</code>.</p>
<p>As of Nov. 11, 2019, we stopped updating the "safebrowsing" signature database because Google announced changes to their Safe Browsing API terms of service. Google now requires commercial users to use the Google Web Risk API, a for-profit feature, instead of the Safe Browsing API. Though ClamAV itself is free and open-source, we cannot continue to provide Google Safe Browsing data to the general public.</p>
<div style="break-before: page; page-break-before: always;"></div><h1 id="troubleshooting-faq"><a class="header" href="#troubleshooting-faq">Troubleshooting FAQ</a></h1>
<p>The following questions and answers may help you troubleshoot issues you may encounter when using ClamAV.</p>
<p>If you're unable to find an answer to your question in our FAQ, you can seek help in <a href="https://www.clamav.net/contact.html#ml">our clamav-users mailing list</a>, on our <a href="https://discord.gg/6vNAqWnVgw">Discord server</a>, or by submitting an <a href="https://github.com/Cisco-Talos/clamav/issues">issue on GitHub</a>. The mailing list archives and existing Github issues (open or closed) may also have an answer to your question.</p>
<p>Please consider contributing answered questions back to this FAQ, and improving the quality of these answers, by submitting pull requests to <a href="https://github.com/Cisco-Talos/clamav-documentation">our documentation source repository</a>.</p>
<h2 id="after-clamav-is-installed-then-what-how-do-i-update--refresh-the-virus-database"><a class="header" href="#after-clamav-is-installed-then-what-how-do-i-update--refresh-the-virus-database">After ClamAV is installed, then what? How do I update / refresh the virus database?</a></h2>
<p>You will need to edit the <code>freshclam.conf.example</code> file located in <code>/usr/local/etc</code>. Once that is done, you will need to run a <code>sudo freshclam</code> to download the signatures. You will need to run the command to update signatures often so that ClamAV has the most up to date signatures.</p>
<h2 id="how-many-times-per-hour-shall-i-run-freshclam"><a class="header" href="#how-many-times-per-hour-shall-i-run-freshclam">How many times per hour shall I run FreshClam?</a></h2>
<p>You can check for database update as often as 4 times per hour provided that you have the following options in <code>freshclam.conf</code>:</p>
<pre><code class="language-ini">DNSDatabaseInfo current.cvd.clamav.net
DatabaseMirror database.clamav.net
</code></pre>
<h2 id="i-get-this-error-when-running-freshclam-invalid-dns-reply-falling-back-to-http-mode-or-error-cant-query-currentcvdclamavnet--what-does-it-mean"><a class="header" href="#i-get-this-error-when-running-freshclam-invalid-dns-reply-falling-back-to-http-mode-or-error-cant-query-currentcvdclamavnet--what-does-it-mean">I get this error when running FreshClam: <em>Invalid DNS reply. Falling back to HTTP mode</em> or <em>ERROR: Can't query current.cvd.clamav.net</em> . What does it mean?</a></h2>
<p>There is a problem with your DNS server. Please check the entries in /etc/resolv.conf and verify that you can resolve the TXT record manually:</p>
<pre><code class="language-bash">host -t txt current.cvd.clamav.net
</code></pre>
<p>If you can't, it means your network is broken. You'll be still able to download the updates, but you'll waste a lot of bandwidth checking for updates.</p>
<h2 id="what-does-warning-dns-record-is-older-than-3-hours-mean"><a class="header" href="#what-does-warning-dns-record-is-older-than-3-hours-mean">What does <em>WARNING: DNS record is older than 3 hours</em> mean?</a></h2>
<p>FreshClam attempts to detect potential problems with DNS caches and switches to use HTTPS if something looks suspicious. If this message appears seldomly, you can safely ignore it. If you get the error every time you run FreshClam, check your system clock. If it is set correctly, check your dns settings. If those didn't help, try putting this at the top of your cronjob:</p>
<pre><code class="language-bash">host -t txt current.cvd.clamav.net; perl -e 'printf "%d\n", time;'
</code></pre>
<p>The 4th field of the first line should be less than 3 ∗ 3600 behind the output of the second line. If not, you have a caching DNS server somewhere misbehaving.</p>
<h2 id="i-get-this-error-when-running-freshclam-error-connection-with--failed--what-shall-i-do"><a class="header" href="#i-get-this-error-when-running-freshclam-error-connection-with--failed--what-shall-i-do">I get this error when running FreshClam: <em>ERROR: Connection with ??? failed</em> . What shall I do?</a></h2>
<p>Either your dns servers are not working or you are blocking port 53/tcp. You should manually check that you can resolve host names with:</p>
<pre><code class="language-bash">host database.clamav.net
</code></pre>
<p>If it doesn't work, check your dns settings in <code>/etc/resolv.conf</code>. If it works, check that you can receive dns answers longer than 512 bytes, e.g. check that your firewall is not blocking packets which originate from <code>port 53/tcp</code>.</p>
<p>An easy way to find it out is:</p>
<pre><code class="language-bash">dig @ns1.clamav.net db.us.big.clamav.net
</code></pre>
<h2 id="how-do-i-know-if-my-ip-address-has-been-blocked"><a class="header" href="#how-do-i-know-if-my-ip-address-has-been-blocked">How do I know if my IP address has been blocked?</a></h2>
<p>Run FreshClam in verbose-mode (<code>-v</code>) to view the HTTP requests and responses. If you're seeing an HTTP 403 response, then you may have been blocked. If think you've been blocked, feel free to contact us for help getting un-blocked. For more information about HTTP error codes, see the <a href="faq/faq-freshclam.html">FreshClam FAQ</a></p>
<h2 id="i-cant-resolve-currentcvdclamavnet-is-there-a-problem-with-yourmy-dns-servers"><a class="header" href="#i-cant-resolve-currentcvdclamavnet-is-there-a-problem-with-yourmy-dns-servers">I can't resolve <code>current.cvd.clamav.net</code>! Is there a problem with your/my DNS servers?</a></h2>
<p>current.cvd.clamav.net has got only a TXT record, not a type A record! Try this command:</p>
<pre><code class="language-bash">$ host -t txt current.cvd.clamav.net
</code></pre>
<p>Please note that some not RFC compliant DNS servers (namely the one shipped with the <em>Alcatel</em> (now <em>Thomson</em>) <strong>SpeedTouch 510 modem</strong>) can't resolve <code>TXT</code> record. If that's the case, please recompile ClamAV with the flag <code>--enable-dns-fix</code> if using <code>./configure</code> or <code>-D ENABLE_FRESHCLAM_DNS_FIX=ON</code> if using CMake.</p>
<hr />
<p>For other questions regarding issues with the signature databases, see our <a href="faq/faq-cvd.html">Virus Database FAQ</a>.</p>
<div style="break-before: page; page-break-before: always;"></div><h1 id="interpreting-scan-alerts-faq"><a class="header" href="#interpreting-scan-alerts-faq">Interpreting Scan Alerts FAQ</a></h1>
<p>If you're unable to find an answer to your question in our FAQ, you can seek help in <a href="https://www.clamav.net/contact.html#ml">our clamav-users mailing list</a>, on our <a href="https://discord.gg/6vNAqWnVgw">Discord server</a>, or by submitting an <a href="https://github.com/Cisco-Talos/clamav/issues">issue on GitHub</a>. The mailing list archives and existing Github issues (open or closed) may also have an answer to your question.</p>
<p>Please consider contributing answered questions back to this FAQ, and improving the quality of these answers, by submitting pull requests to <a href="https://github.com/Cisco-Talos/clamav-documentation">our documentation source repository</a>.</p>
<h2 id="clamav-alerted-on-a-file-during-a-scan-what-do-i-do"><a class="header" href="#clamav-alerted-on-a-file-during-a-scan-what-do-i-do">ClamAV alerted on a file during a scan. What do I do?</a></h2>
<p>ClamAV may have found a malicious or suspicious file. However, you're probably asking yourself if the alert is a False Positive (FP). It may well be, so don't just delete the file out-of-hand.</p>
<h2 id="clamav-alerted-on-a-file-in-the-clamav-source-code-am-i-infected"><a class="header" href="#clamav-alerted-on-a-file-in-the-clamav-source-code-am-i-infected">ClamAV alerted on a file in the clamav source code. Am I infected?</a></h2>
<p>If you scan the build directory for ClamAV, you may see an alert on a ClamAV test file, like this:</p>
<pre><code>clamav-0.104.1/build/unit_tests/input/clamav_hdb_scanfiles/clam.chm: Clamav.Test.File-6 FOUND
</code></pre>
<p>You can savely ignore this alert. The files found under the clamav unit_tests/input in the build directory are supposed to alert, to demonstrate correct file parser functionality.</p>
<h3 id="online-research"><a class="header" href="#online-research">Online Research</a></h3>
<p>First, consider the file itself and whether or not the alert makes sense. If you're concerned, start by searching the name of the signature on Google. If FP's are being reported, you may see others complaining about the same thing, or you may be able to get an understanding of what the signature is trying to find.</p>
<h3 id="technical-investigation"><a class="header" href="#technical-investigation">Technical Investigation</a></h3>
<p>Second, if you're technically inclined, you may want to try to read the signature details to understand how it works and what, specifically, it's alerting on. Take heed, this investigation might leave you more confused than when you started. ClamAV doesn't post write-ups on how each signature in-part because a good number of our signatures these days are generated automatically and not by a human mind.</p>
<ol>
<li>
<p>Start by opening a command prompt in a new empty directory, for example:</p>
<pre><code class="language-bash">user@laptop:~$ mkdir /tmp/sigdump
user@laptop:~$ cd /tmp/sigdump
</code></pre>
</li>
<li>
<p>Use the <code>sigtool</code> program to unpack the ClamAV databases into their separate components. SigTool should be installed alongside clamscan, probably in <code>/usr/local/bin/sigtool</code>. The ClamAV databases are traditionally installed in <code>/usr/local/share/clamav</code> although if you installed from a package manager, your paths may vary:</p>
<pre><code class="language-bash">user@laptop:/tmp/sigdump$ sigtool -u /usr/local/share/clamav/main.cvd
user@laptop:/tmp/sigdump$ sigtool -u /usr/local/share/clamav/daily.cvd # May be: daily.cld
user@laptop:/tmp/sigdump$ sigtool -u /usr/local/share/clamav/bytecode.cvd # May be: bytecode.cld
</code></pre>
</li>
<li>
<p>Use <code>ls</code> to verify that you've successfully unpacked the databases:</p>
<pre><code class="language-bash">user@laptop:/tmp/sigdump$ ls
3986187.cbc 3986230.cbc 3986303.cbc 4553522.cbc 6335443.cbc 6399052.cbc daily.cfg daily.msb
3986188.cbc 3986231.cbc 3986305.cbc 4970075.cbc 6335540.cbc 6404655.cbc daily.crb daily.msu
3986206.cbc 3986232.cbc 3986306.cbc 5044126.cbc 6335560.cbc 6428210.cbc daily.fp daily.ndb
3986212.cbc 3986233.cbc 3986310.cbc 5588995.cbc 6335564.cbc 6428556.cbc daily.ftm daily.ndu
3986214.cbc 3986234.cbc 3986321.cbc 5819336.cbc 6335669.cbc 6441308.cbc daily.hdb daily.pdb
3986215.cbc 3986235.cbc 3986322.cbc 5999914.cbc 6336023.cbc 6442366.cbc daily.hdu daily.sfp
3986216.cbc 3986236.cbc 3986327.cbc 5999936.cbc 6336035.cbc 6447941.cbc daily.hsb daily.wdb
3986217.cbc 3986242.cbc 3986328.cbc 6300337.cbc 6336074.cbc 6453673.cbc daily.hsu main.crb
3986218.cbc 3986244.cbc 3986334.cbc 6311970.cbc 6336259.cbc 6471051.cbc daily.idb main.fp
3986219.cbc 3986249.cbc 3986337.cbc 6316126.cbc 6336260.cbc 6497366.cbc daily.ign main.hdb
3986220.cbc 3986259.cbc 4306126.cbc 6324281.cbc 6336630.cbc 6539706.cbc daily.ign2 main.hsb
3986221.cbc 3986282.cbc 4306157.cbc 6327695.cbc 6336737.cbc 6566834.cbc daily.info main.info
3986222.cbc 3986283.cbc 4307467.cbc 6329916.cbc 6336739.cbc 6614848.cbc daily.ldb main.mdb
3986223.cbc 3986289.cbc 4416867.cbc 6329917.cbc 6364361.cbc COPYING daily.ldu main.msb
3986224.cbc 3986292.cbc 4510302.cbc 6335400.cbc 6380163.cbc bytecode.info daily.mdb main.ndb
3986229.cbc 3986301.cbc 4526683.cbc 6335427.cbc 6395243.cbc daily.cdb daily.mdu main.sfp
</code></pre>
</li>
<li>
<p>Use <code>grep</code> to search for the signature in question. For example:</p>
<pre><code class="language-bash">user@laptop:/tmp/sigdump$ grep -r Win.Downloader.DDECmdExec-6683887-5
Win.Downloader.DDECmdExec-6683887-5;Engine:81-255,Target:0;4;0:1f8b;0:255044462d;0:4d5a{-100}50450000;7c27{-255}2721;(0=0&1=0&2=0)&3/(?<!\x20)[=+\-@]\s*?(\w+\s*?\x28)?.{0,50}(certutil|cmd|cmstp|cscript|dnscmd|msiexec|netsh|regsvr32|rpcping|rundll32|schtasks|telnet|tscon|tsdiscon|wmic|wscript).{0,50}\|\s*?\x27[^\x27]{5,255}\x27\s*?\x21/i
</code></pre>
</li>
<li>
<p>Reading ClamAV signatures is hard. You can familiarize yourself with the ClamAV signature format by reading the documentation on <a href="https://github.com/Cisco-Talos/clamav/blob/dev/0.101/docs/UserManual/Signatures.md#introduction">writing ClamAV Signatures</a>.</p>
<p>To get a jump start, you can make <code>sigtool</code> print out a more human readable represenation of what the signature is looking for. Pipe the output from grep directly into sigtool by using the <code>--decode-sigs</code> option:</p>
<pre><code class="language-bash">user@laptop:/tmp/sigdump$ grep Win.Downloader.DDECmdExec-6683887-5 -r . | ../../bin/sigtool --decode-sigs
</code></pre>
<p>The output will look something like this:</p>
<pre><code class="language-bash"> VIRUS NAME: ./daily.ldb:Win.Downloader.DDECmdExec-6683887-5
TDB: Engine:81-255,Target:0
LOGICAL EXPRESSION: 4
* SUBSIG ID 0
+-> OFFSET: 0
+-> SIGMOD: NONE
+-> DECODED SUBSIGNATURE:
�
* SUBSIG ID 1
+-> OFFSET: 0
+-> SIGMOD: NONE
+-> DECODED SUBSIGNATURE:
%PDF-
* SUBSIG ID 2
+-> OFFSET: 0
+-> SIGMOD: NONE
+-> DECODED SUBSIGNATURE:
MZ{WILDCARD_ANY_STRING(LENGTH<=100)}PE
* SUBSIG ID 3
+-> OFFSET: ANY
+-> SIGMOD: NONE
+-> DECODED SUBSIGNATURE:
|'{WILDCARD_ANY_STRING(LENGTH<=255)}'!
* SUBSIG ID 4
+-> OFFSET: ANY
+-> SIGMOD: NONE
+-> DECODED SUBSIGNATURE:
+-> TRIGGER: (0=0&1=0&2=0)&3
+-> REGEX: (?<!\x20)[=+\-@]\s*?(\w+\s*?\x28)?.{0,50}(certutil|cmd|cmstp|cscript|dnscmd|msiexec|netsh|regsvr32|rpcping|rundll32|schtasks|telnet|tscon|`tsdiscon|wmic|wscript).{0,50}\|\s*?\x27[^\x27]{5,255}\x27\s*?\x21
+-> CFLAGS: i
</code></pre>
</li>
<li>
<p>Interpret the results. ClamAV signatures can be as simple as a hash-based signature of a known-malicious file, but they can also be a complex logical test. You may not learn enough to make an educated decision. The above example is a pretty complicated one, so I will try to walk you through it.</p>
<p>You can see that there are 5 subsignatures (numbered 0 - 4). The <code>LOGICICAL EXPRESSION</code> indicates which subsignature(s) matter and why. This could be something like <code>0 AND 1</code> to indicate that 2 subsignatures must both trigger in order for the overall signature to alert. In this case, only subsignature <code>4</code> is required by the <code>LOGICAL EXPRESSION</code>.</p>
<p>If you look at <code>SUBSIG ID 4</code>, you'll see that has a has a <code>TRIGGER</code> which acts in much the same way as the above <code>LOGICAL EXPRESSION</code>. If the subsignatures in the logical expression are satisfied, then the regular expression <code>REGEX</code> will be tested. If the regular expression matches, then the SUBSIG ID 4 will trigger and the overall signature will alert.</p>
</li>
</ol>
<h3 id="reporting"><a class="header" href="#reporting">Reporting</a></h3>
<p>If you believe that the signature alerted on a benign file, please report the False Positive so our analysts can refine or remove the faulty signature. You can report false positives <a href="https://www.clamav.net/reports/fp">on our website</a> or you can submit the report using the <code>clamsubmit</code> command-line program.</p>
<p>If you're concerned that the file may be malicious, and aren't comfortable quarantining and/or deleting the file, feel free to ask in the user mailing lists for advice. Please subscribe to <a href="https://lists.clamav.net/mailman/listinfo/">clamav-users</a> and then post a message to all the list members by sending an email to clamav-users -at- lists -dot- clamav -dot- net.</p>
<div style="break-before: page; page-break-before: always;"></div><h1 id="upgrading-clamav"><a class="header" href="#upgrading-clamav">Upgrading ClamAV</a></h1>
<h2 id="clamav-from-packages"><a class="header" href="#clamav-from-packages">ClamAV from Packages</a></h2>
<p>If you installed from a package, we suggest you find the approved package from your distro provider and install that. The ClamAV team does not maintain individual packages for every distribution build.
If there are no new packages, you have three options:</p>
<ul>
<li>Wait</li>
<li>Build ClamAV Package</li>
<li>Install ClamAV From Source</li>
</ul>
<h2 id="install-clamav-from-source"><a class="header" href="#install-clamav-from-source">Install ClamAV From Source</a></h2>
<p>If you installed from sources, first <a href="faq/faq-uninstall.html">uninstall the old version</a>.</p>
<p>Then, <a href="faq/../manual/Installing/Installing-from-source-Unix.html">compile and install the new one</a>.</p>
<p>Depending on your installation method, you might want to backup configuration (located in <code>/usr/local/etc</code> by default) and signature database (located in <code>/usr/local/share/clamav</code> by default). Don't forget to restore backups before starting up updated ClamAV.</p>
<p>Backup your database signature (located in <code>/usr/local/share/clamav</code> by default) before upgrading to newer ClamAV version. Restore the backed up database signature before running the updated version. This is to avoid getting the <code>/usr/local/share/clamav not locked</code> error message when doing <code>freshclam</code>.</p>
<h2 id="webmin-and-yum"><a class="header" href="#webmin-and-yum">Webmin and Yum</a></h2>
<p>To obtain a new version:</p>
<pre><code class="language-bash">yum list clamav
yum update clamav
</code></pre>
<p>If everything updated properly, run <code>freshclam</code> to update your signature database.</p>
<h3 id="what-does-warning-current-functionality-level--1-required--2-mean"><a class="header" href="#what-does-warning-current-functionality-level--1-required--2-mean">What does "<em>WARNING: Current functionality level = 1, required = 2</em>" mean?</a></h3>
<p>The <em>functionality level</em> of the database determines which scanner engine version is required to use all of its signatures. If you don't upgrade immediately you will be missing the latest viruses.</p>
<h3 id="what-does-your-clamav-installation-is-outdated-mean"><a class="header" href="#what-does-your-clamav-installation-is-outdated-mean">What does "<em>Your ClamAV installation is OUTDATED</em>" mean?</a></h3>
<p>You'll get this message whenever a new version of ClamAV is released. In order to detect all the latest viruses, it's not enough to keep your database up to date. You also need to run the latest version of the scanner. You can download the <a href="https://github.com/Cisco-Talos/clamav">sources</a> of the latest release from our website. If you are afraid to break something while upgrading, use the <a href="http://www.clamav.net/download.html#otherversions">pre-compiled packages</a> for your operating system/distribution. Remember: running the latest stable release also improves stability.</p>
<h3 id="i-upgraded-to-the-latest-stable-version-but-i-still-get-the-message-your-clamav-installation-is-outdated-why"><a class="header" href="#i-upgraded-to-the-latest-stable-version-but-i-still-get-the-message-your-clamav-installation-is-outdated-why">I upgraded to the latest stable version but I still get the message "<em>Your ClamAV installation is OUTDATED</em>", why?</a></h3>
<p>Make sure there is really only one version of ClamAV installed on your system:</p>
<pre><code class="language-bash">whereis freshclam
whereis clamscan
</code></pre>
<p>Also make sure that you haven't got old libraries (<code>libclamav.so*</code>) lying around your filesystem. You can verify it using:</p>
<pre><code class="language-bash">ldd $(which freshclam)
</code></pre>
<h3 id="what-does-malformed-hexstring-this-clamav-version-has-reached-end-of-life-mean"><a class="header" href="#what-does-malformed-hexstring-this-clamav-version-has-reached-end-of-life-mean">What does "<em>Malformed hexstring: This ClamAV version has reached End of Life</em>" mean?</a></h3>
<p>Please refer to our <a href="faq/faq-eol.html">End-of-Life (EOL) policy</a>.</p>
<h3 id="how-do-i-verify-the-integrity-of-clamav-sources"><a class="header" href="#how-do-i-verify-the-integrity-of-clamav-sources">How do I verify the integrity of ClamAV sources?</a></h3>
<p>Using <a href="http://www.gnupg.org/">GnuPG</a> you can easily verify the authenticity of your stable release downloads by using the following method: Download the <a href="http://www.clamav.net/downloads#collapsePGP">Talos PGP public key</a> from the VRT labs site. Import the key into your local public keyring:</p>
<pre><code class="language-bash">gpg --import vrt.gpg
</code></pre>
<p>Download the stable release AND the corresponding <code>.sig</code> file to the same directory. Verify that the stable release download is signed with the <a href="http://www.clamav.net/downloads#collapsePGP">Talos PGP public key</a>:</p>
<pre><code class="language-bash">gpg --verify clamav-X.XX.tar.gz.sig
</code></pre>
<p>Please note that the resulting output should look like the following:</p>
<pre><code class="language-bash"> gpg: Signature made Wed Jan 24 19:31:26 2018 EST
gpg: using RSA key F13F9E16BCA5BFAD
gpg: Good signature from "Talos (Talos, Cisco Systems Inc.) [email address]" [unknown]
</code></pre>
<p>For other PGP implementation, please refer to their manual.</p>
<h3 id="where-can-i-get-the-latest-release-beta-or-release-candidate-of-clamav"><a class="header" href="#where-can-i-get-the-latest-release-beta-or-release-candidate-of-clamav">Where can I get the latest release, beta, or release candidate of ClamAV?</a></h3>
<p>Visit the <a href="http://www.clamav.net/downloads">source download page</a>.</p>
<h3 id="is-my-compilerhardwareoperating-system-supported-by-clamav"><a class="header" href="#is-my-compilerhardwareoperating-system-supported-by-clamav">Is my compiler/hardware/operating system supported by ClamAV?</a></h3>
<p>ClamAV supports a wide variety of compilers, hardware and operating systems. Our core compiler is GCC with Linux on 32 and 64 bit Intel platforms, LLVM/Clang on macOS, and MSVC on Windows.</p>
<div style="break-before: page; page-break-before: always;"></div><h1 id="clamav-rust-faq"><a class="header" href="#clamav-rust-faq">ClamAV-Rust FAQ</a></h1>
<h2 id="why-is-rust-required-to-compile-clamav-in-version-0105"><a class="header" href="#why-is-rust-required-to-compile-clamav-in-version-0105">Why is Rust required to compile ClamAV in version 0.105?</a></h2>
<p>For those unfamiliar with <a href="https://www.rust-lang.org/">the Rust programming language</a>, Rust is a systems programming language that guarantees memory-safety and thread-safety without relying on garbage collection. Rust does not guarantee against memory leaks, but its modern type sytem and novel ownership model all but eliminate accidental memory leaks. You can write "unsafe" Rust code that disables some of Rust's safety checks and offers the same flexibility that C has when complex optimizations are needed or when interfacing with C code.</p>
<p>Runtime performance for software written in Rust is also comparable to that of C and C++. Rust has a vibrant and growing ecosystem of libraries and tools. Rust's build system and package manager is called Cargo. Cargo makes it easy to leverage third party libraries.</p>
<p>Linus Torvalds once described programming in the C language to be "like juggling chainsaws." We agree. To mitigate the pitfalls of the C and C++ programming langauges, the ClamAV team decided to switch to write new components and rewrite select existing components in the Rust programming language.</p>
<p>Starting with ClamAV v0.105, the Rust toolchain is required to compile ClamAV.</p>
<p>We believe that by switching from C to Rust, it will enable us to focus more during development on actual feature correctness because of the reduced risk of accidental memory safety issues or critical vulnerabilities.</p>
<p>We're also leveraging Rust's vibrant ecosystem to provide valuable tools for processing different file types, such as those used for our new image fuzzy hash matching feature.</p>
<h2 id="if-rust-is-required-should-i-run-cargo-instead-of-cmake-to-build-clamav"><a class="header" href="#if-rust-is-required-should-i-run-cargo-instead-of-cmake-to-build-clamav">If Rust is required, should I run Cargo instead of CMake to build ClamAV?</a></h2>
<p>No. ClamAV is still mostly written in C. Our CMake build system will automatically detect the Rust toolchain and use it behind the scenes to compile the Rust componets into the overall project.</p>
<h2 id="ive-heard-that-rust-requires-an-internet-connection-to-work-will-i-need-the-internet-to-compile-clamav"><a class="header" href="#ive-heard-that-rust-requires-an-internet-connection-to-work-will-i-need-the-internet-to-compile-clamav">I've heard that Rust requires an internet connection to work. Will I need the internet to compile ClamAV?</a></h2>
<p>Yes and no.</p>
<p>If you're using the release tarball from <a href="https://www.clamav.net/downloads">clamav.net/downloads</a> then the third-party libraries from the Rust ecosystem will be vendored into the tarball and an internet connection <strong>will not</strong> be required for the build.</p>
<p>If you're using some other means to obtain the ClamAV source code, such as Git or the release artifacts provided automatically by GitHub, then an internet connection <strong>will</strong> be required in order to build ClamAV.</p>
<div style="break-before: page; page-break-before: always;"></div><h1 id="clamav-on-microsoft-windows-faq"><a class="header" href="#clamav-on-microsoft-windows-faq">ClamAV on Microsoft Windows FAQ</a></h1>
<p>ClamAV offers a versions of ClamAV for Microsoft Windows compatible with both 32bit and 64bit versions of Windows 7 and newer.</p>
<p>We provide both two install packages for Windows:</p>
<ul>
<li>
<p>Portable Install Package</p>
<ul>
<li>Zip file containing all you need to run ClamAV without running an installer.</li>
</ul>
</li>
<li>
<p>Install Program</p>
<ul>
<li>Traditional executable installer that will install ClamAV in the "Program Files" directory.</li>
</ul>
</li>
</ul>
<p>In addition to the above ClamAV versions that run on Windows, Cisco offers two more endpoint security products powered in-part by ClamAV. These are:</p>
<ul>
<li>
<p>Immunet</p>
<ul>
<li>Immunet is a malware and antivirus protection system that utilizes cloud computing to provide enhanced community-based security.</li>
<li>Immunet is free for non-commercial use.</li>
<li>Commercial users should consider Cisco AMP.</li>
</ul>
</li>
<li>
<p>Cisco Advanced Malware Protection (AMP) for Endpoints</p>
<ul>
<li>AMP for Endpoints prevents threats at point of entry, then continuously tracks every file it lets onto your endpoints. AMP can uncover even the most advanced threats, including fileless malware and ransomware.</li>
<li>AMP for Endpoints is subscription-based, managed through a web-based management console, and may be deployed on a variety of platforms to include Windows, macOS, and Linux operating systems.</li>
<li>For details, please visit the [AMP for Endpoints] website.</li>
</ul>
</li>
</ul>
<h2 id="what-is-the-difference-between-clamav-immunet-and-clamwin"><a class="header" href="#what-is-the-difference-between-clamav-immunet-and-clamwin">What is the difference between ClamAV, Immunet, and ClamWin?</a></h2>
<p><strong>ClamAV</strong> is available for Windows with the same scanning and detection capabilities available when using ClamAV on macOS and Linux, with exception to the On-Access Scanning feature (Linux).</p>
<p><strong>Immunet</strong> is a real-time fully featured desktop AV solution. It contains cloud based detection technologies and the enterprise grade ClamAV detection engine. The product is produced and maintained by Cisco which owns both ClamAV and Immunet.</p>
<p><strong>ClamWin</strong> is a free application that provides a graphical front-end for ClamAV, similar to ClamTk. ClamWin is maintained by ClamWin Pty Ltd., and has no association with <em>ClamAV</em>, <em>Cisco</em>, or the <em>Immunet</em> product. Additionally, <em>ClamWin</em> does not contain an on-access real-time scanner, and can only be used to manually scan files.</p>
<h2 id="is-immunet-free-for-commercial-use"><a class="header" href="#is-immunet-free-for-commercial-use">Is Immunet free for commercial use?</a></h2>
<p>Immunet is not free for commercial use. <a href="https://www.cisco.com/c/en/us/products/security/amp-for-endpoints/index.html">Cisco Secure Endpoint</a> (formerly AMP for Endpoints) is our product that replaced the commercial version. If you are interested in deploying this in a commercial environment, we highly suggest checking that out.</p>
<h2 id="will-immunet-send-any-sensitive-data-from-my-computer-to-the-cloud"><a class="header" href="#will-immunet-send-any-sensitive-data-from-my-computer-to-the-cloud">Will Immunet send any sensitive data from my computer to the cloud?</a></h2>
<p>Immunet sends information about the files its scanning back to the cloud. This information is in the form of SHA hashes and file heuristics. Currently, this information is only collected for Windows PE files, or in other terms what most people refer to as executable files. No information is collected for other types of files, like Word, Excel, or PDF. Additionally, in some situations the entire PE file will be uploaded to the Cloud to determine if it is malicious.
For a complete overview please see the <a href="https://www.cisco.com/c/en/us/about/legal/privacy.html">privacy policy</a>.</p>
<h2 id="are-you-going-to-make-use-of-the-cloud-in-clamav"><a class="header" href="#are-you-going-to-make-use-of-the-cloud-in-clamav">Are you going to make use of the Cloud in ClamAV?</a></h2>
<p>No. Users that want a lighter memory footprint and additional advanced detection features of an endpoint security suite should look to Immunet or Cisco Secure Endpoint.</p>
<h2 id="can-i-use-immunet-with-my-current-av-solution"><a class="header" href="#can-i-use-immunet-with-my-current-av-solution">Can I use Immunet with my current AV solution?</a></h2>
<p>Yes. In fact it is encouraged.</p>
<h2 id="where-should-i-report-false-positives-or-undetected-malware"><a class="header" href="#where-should-i-report-false-positives-or-undetected-malware">Where should I report false positives or undetected malware?</a></h2>
<p>Please report <strong>Undetected Malware</strong> <a href="https://www.clamav.net/reports/malware">here</a>.</p>
<p>Please report <strong>False Positives</strong> <a href="https://www.clamav.net/reports/fp">here</a>.</p>
<h2 id="are-there-64-bit-versions-of-clamav-for-windows-as-well-as-32-bit"><a class="header" href="#are-there-64-bit-versions-of-clamav-for-windows-as-well-as-32-bit">Are there 64 bit versions of ClamAV for Windows as well as 32 bit?</a></h2>
<p>Yes. You can find both versions at <a href="https://www.clamav.net/downloads#otherversions">ClamAV/downloads</a>.</p>
<div style="break-before: page; page-break-before: always;"></div><h1 id="potentially-unwanted-applications-pua"><a class="header" href="#potentially-unwanted-applications-pua">Potentially Unwanted Applications (PUA)</a></h1>
<p>ClamAV supports the detection of Potentially Unwanted Applications (PUA).</p>
<h2 id="pua-config-options"><a class="header" href="#pua-config-options">PUA Config Options</a></h2>
<p>You can customize PUA detection for ClamD with these <code>clamd.conf</code> options:</p>
<pre><code class="language-bash"> DetectPUA yes # Detect Possibly Unwanted Applications
ExcludePUA CAT # Skip PUA sigs of category CAT
IncludePUA CAT # Load PUA sigs of category CAT
</code></pre>
<p>You can customize PUA detection for ClamScan with these command-line options:</p>
<pre><code class="language-bash"> --detect-pua # Detect Possibly Unwanted Applications
--exclude-pua=CAT # Skip PUA sigs of category CAT
--include-pua=CAT # Load PUA sigs of category CAT
</code></pre>
<p>The category name is a string match with the 2nd token in a <code>PUA.*</code> signature name.</p>
<pre><code class="language-bash"> PUA.category.subcategory.description-version
</code></pre>
<p>Some examples:</p>
<ul>
<li>
<p><code>PUA.Win.Packer.BorlandDelphi-5</code> : The category name is <code>Win</code>.</p>
</li>
<li>
<p><code>PUA.Cert.Revoked.PEAuthenticode-5750538-0</code> : The category name is <code>Cert</code>.</p>
</li>
</ul>
<p>There is presently <em>no</em> support for including or excluding by subcategory.</p>
<h2 id="current-pua-categories"><a class="header" href="#current-pua-categories">Current PUA Categories</a></h2>
<p>PUA categories are the product of signature naming conventions. These vary over time as new signatures are added.</p>
<blockquote>
<p><strong>Disclaimer</strong>: PUA signatures are not as carefully curated as malware signatures because they are not as commonly used. You should expect more false positives when using PUA signatures. Further, inclusion or exclusion of specific categories may not be very intuitive or predictable. Specifically, excluding the <code>Win</code> category will not exclude all Windows application PUA signatures. There are undoubtedly more Windows PUA signatures in the <code>Packed</code>, <code>Tool</code>, <code>Spy</code>, <code>NetTool</code>, etc categories that target Windows applications. Similarly, excluding the <code>Packed</code> category will not guarantee that you exclude signatures like <code>PUA.Win.Packer.Whatever-0123</code>. In short, the inclusion and exclusion of PUA signatures will likely be frustrating. Improvements to PUA include/exclude options to support subcategories as well as SigTool features to enumerate current PUA categories and subcategories would be a good candidate for a community contribution project.</p>
</blockquote>
<blockquote>
<p><strong>Disclaimer 2</strong>: The <code>Virus</code>/<code>Ransomeware</code>/<code>Trojan</code>/etc malware categories or subcategories for PUA signatures were mistakenly selected by automated tools. Those tools have since been fixed and no new signatures should appear with these names. The existing malware-name categories for these PUA signatures are expected to be removed/renamed as time permits.</p>
</blockquote>
<p>The following is a snapshot of the PUA signature name categories and subcategories from daily.cvd & main.cvd (Jan 29, 2020):</p>
<pre><code>PUA.Andr.Adware
PUA.Andr.Downloader
PUA.Andr.Dropper
PUA.Andr.Tool
PUA.Andr.Trojan
PUA.Andr.Virus
PUA.Cert.Revoked
PUA.Doc.Dropper
PUA.Doc.Packed
PUA.Doc.Tool
PUA.Doc.Trojan
PUA.Email.Phishing
PUA.Email.Trojan
PUA.Embedded.File
PUA.Html.Exploit
PUA.Html.Tool
PUA.Html.Trojan
PUA.Java.Exploit
PUA.Java.Packer
PUA.Js.Exploit
PUA.Osx.File
PUA.Osx.Trojan
PUA.Packed.Tool
PUA.Pdf.Exploit
PUA.Pdf.Trojan
PUA.Php.Trojan
PUA.Rtf.Exploit
PUA.Spy.Tool
PUA.Swf.Spyware
PUA.Tool.Countermeasure
PUA.Tool.Tool
PUA.Unix.Adware
PUA.Unix.Coinminer
PUA.Unix.Downloader
PUA.Unix.File
PUA.Unix.Malware
PUA.Unix.Tool
PUA.Unix.Trojan
PUA.Unix.Virus
PUA.Win.Adware
PUA.Win.Coinminer
PUA.Win.Downloader
PUA.Win.Dropper
PUA.Win.Exploit
PUA.Win.File
PUA.Win.Ircbot
PUA.Win.Joke
PUA.Win.Keylogger
PUA.Win.Malware
PUA.Win.Packed
PUA.Win.Packer
PUA.Win.Proxy
PUA.Win.Ransomware
PUA.Win.Spyware
PUA.Win.Tool
PUA.Win.Trojan
PUA.Win.Virus
</code></pre>
<h2 id="pua-category-descriptions"><a class="header" href="#pua-category-descriptions">PUA Category Descriptions</a></h2>
<p>The following category descriptions should give you some idea of how the PUA signature naming conventions are used. Please note this list is not exhaustive. As noted above, PUA signatures are not as carefully curated and there will be exceptions:</p>
<ul>
<li>
<p>Andr</p>
<p>Potentially unwanted applications for Android mobile devices.</p>
</li>
<li>
<p>Java</p>
<p>Potentially unwanted applications written for the Java runtime.</p>
</li>
<li>
<p>NetTool</p>
<p>Applications that can be used to sniff, filter, manipulate or scan network traffic or networks. While a network scanner - for example - can be a extremely helpful tool for admins, you may not want to see an average user playing around with it. Same goes for tools like <code>netcat</code> and the like.</p>
</li>
<li>
<p>P2P</p>
<p>Peer to Peer clients can be used to generate a lot of unwanted traffic and sometimes it happens that copyrights are violated by downloading copyright protected content (Music, Movies) - therefore we consider them possibly unwanted as well.</p>
</li>
<li>
<p>Packed</p>
<p>This is a detection for files that use some kind of runtime packer. A runtime packer can be used to reduce the size of executable files without the need for an external unpacker. While this can't be considered malicious in general, runtime packers are widely used with malicious files since they can prevent a already known malware from detection by an anti-virus product.</p>
</li>
<li>
<p>PwTool</p>
<p>Password tools are all applications that can be used to recover or decrypt passwords for various applications - like mail clients or system passwords. Such tools can be quite helpful if a password is lost, however, it can also be used to spy out passwords.</p>
</li>
<li>
<p>IRC</p>
<p>IRC Clients can be a productivity killer and depending on the client - a powerful platform for malicious scripts (take mIRC for example).</p>
</li>
<li>
<p>Osx</p>
<p>Potentially unwanted applications for macOS systems.</p>
</li>
<li>
<p>RAT</p>
<p>Remote Access Trojans are used to remotely access systems, but can be used also by system admins, for example VNC or RAdmin.</p>
</li>
<li>
<p>Server</p>
<p>Server based badware like DistributedNet.</p>
</li>
<li>
<p>Script</p>
<p>Known "problem" scripts written in JavaScript, ActiveX or similar.</p>
</li>
<li>
<p>Spy</p>
<p>Keyloggers, spying tools.</p>
</li>
<li>
<p>Tool</p>
<p>General system tools, like process killers/finders.</p>
</li>
<li>
<p>Unix</p>
<p>Potentially unwanted applications for Unix systems.</p>
</li>
<li>
<p>Win</p>
<p>Potentially unwanted applications for Windows systems.</p>
</li>
</ul>
<div style="break-before: page; page-break-before: always;"></div><h1 id="how-do-i-ignore-a-clamav-signature"><a class="header" href="#how-do-i-ignore-a-clamav-signature">How do I ignore a ClamAV signature?</a></h1>
<h2 id="creating-an-ignore-file"><a class="header" href="#creating-an-ignore-file">Creating an ignore file</a></h2>
<p>Change Directory into the location where your ClamAV databases are stored. Create a file called <code>ignore_list.ign2</code>, for example, like this:</p>
<p><code>touch ignore_list.ign2</code></p>
<h2 id="ignore-individual-signatures"><a class="header" href="#ignore-individual-signatures">Ignore individual signatures</a></h2>
<p>Place the signatures you'd like to ignore, each on it's own line, within the file <code>ignore_list.ign2</code>.</p>
<p>For example:</p>
<p><code>Signature.Ignore-1</code></p>
<p><code>Signature.Ignore-2</code></p>
<div style="break-before: page; page-break-before: always;"></div><h1 id="uninstalling-clamav"><a class="header" href="#uninstalling-clamav">Uninstalling ClamAV</a></h1>
<h2 id="if-you-installed-from-source"><a class="header" href="#if-you-installed-from-source">If you installed from source</a></h2>
<h3 id="if-you-installed-using-autotools-01030-and-older"><a class="header" href="#if-you-installed-using-autotools-01030-and-older">If you installed using Autotools (0.103.0 and older)</a></h3>
<p>If you installed from source, the easiest way to uninstall will require that same source and build configuration in order to uninstall.</p>
<p>Then run:</p>
<pre><code class="language-bash">sudo make uninstall
</code></pre>
<blockquote>
<p><em>Tip</em>: If you don't have the old source / build directory from when you installed, you can get the source again and re-configure, as if for a build, so that you can use the build system to uninstall. Just be sure you use the same <code>./configure</code> options as when you first installed. For example:</p>
<pre><code class="language-bash">./configure
sudo make uninstall
</code></pre>
</blockquote>
<h3 id="if-you-installed-using-cmake-01040-and-newer"><a class="header" href="#if-you-installed-using-cmake-01040-and-newer">If you installed using CMake (0.104.0 and newer)</a></h3>
<p>CMake doesn't provide a simple command to uninstall. However, CMake does build an <code>install_manifest.txt</code> file when you do the install. You can use the manifest to remove the installed files.</p>
<p>You will find the manifest in the directory where you compiled ClamAV. If you followed the recommendations in our <a href="faq/../manual/Installing/Installing-from-source-Unix.html">Installing from Source</a> section, then you will find it at <code><clamav source directory>/build/install_manifest.txt</code>.</p>
<p>Feel free to inspect the file so you're comfortable knowing what you're about to delete.</p>
<p>Open a terminal and <code>cd</code> to that <code><clamav source directory>/build</code> directory. Then run:</p>
<pre><code class="language-bash">xargs rm < install_manifest.txt
</code></pre>
<p>This will leave behind the directories, and will leave behind any files added after install including the signature databases and any config files. You will have to delete these extra files yourself.</p>
<blockquote>
<p><em>Tip</em>: If you don't have the old source / build directory from when you installed, you can get the source again. Unlike with Autotools, you'll have to do more than just re-configure. You'll have to compile and re-install overtop of your existing install in order to get a new copy of the <code>install_manifest.txt</code> file. But once you do that, you should be able to use the command above to uninstall. For example:</p>
<pre><code class="language-bash">cmake . &&
make && sudo make install
sudo xargs rm < install_manifest.txt
</code></pre>
</blockquote>
<h2 id="if-you-installed-from-packages"><a class="header" href="#if-you-installed-from-packages">If you installed from packages</a></h2>
<ul>
<li>
<p>Debian/Ubuntu:</p>
<p><code>apt remove clamav</code></p>
</li>
<li>
<p>Redhat/Fedora:</p>
<p><code>dnf remove clamav*</code></p>
<p>or, on older systems:</p>
<p><code>yum remove clamav*</code></p>
</li>
<li>
<p>Mandriva:</p>
<p><code>urpme clamav</code></p>
</li>
<li>
<p>Gentoo:</p>
<p><code>emerge -C clamav</code></p>
</li>
<li>
<p>FreeBSD:</p>
<p><code>pkg delete clamav</code></p>
</li>
<li>
<p>OpenBSD:</p>
<p><code>pkg_delete clamav</code></p>
</li>
<li>
<p>NetBSD:</p>
<p><code>pkgin remove clamav</code></p>
</li>
<li>
<p>Slackware:</p>
<p><code>/etc/rc.d/rc.clamav stop; removepkg clamav</code></p>
</li>
</ul>
<h2 id="caveats"><a class="header" href="#caveats">Caveats</a></h2>
<p>Make sure that you haven’t got old libraries (<em>libclamav.so</em>) lying around your filesystem. You can verify it using:</p>
<pre><code class="language-bash">ldd `which freshclam`
</code></pre>
<p>Also make sure there is really only one version of ClamAV installed on your system:</p>
<pre><code class="language-bash">whereis freshclam
whereis clamscan
</code></pre>
<div style="break-before: page; page-break-before: always;"></div><h1 id="end-of-life-eol-policy"><a class="header" href="#end-of-life-eol-policy">End of Life (EOL) Policy</a></h1>
<p>This document describes the End of Life (EOL) policy for Long Term Support (LTS) feature releases and for regular (non-LTS) feature releases.</p>
<p>Skip to our <a href="faq/faq-eol.html#version-support-matrix">Version Support Matrix</a> to quickly check if your version is still supported.</p>
<blockquote>
<p><em>Disclaimer</em>: If this policy has to change due to a compatibility problem that prohibits the use of new detection technology, or impacts the stability of ClamAV infrastructure, we will announce the end of life for those versions four months before they become unsupported.</p>
</blockquote>
<h2 id="long-term-support-lts-feature-releases"><a class="header" href="#long-term-support-lts-feature-releases">Long Term Support (LTS) Feature Releases</a></h2>
<p>ClamAV <em><strong>0.103</strong></em> is the first Long Term Support (LTS) feature release.</p>
<p>LTS feature releases will be supported for <em>at least</em> <strong>three (3)</strong> years from the initial publication date of that LTS feature version. In other words, support for the LTS release "X.Y" starts when version "X.Y.0" is published and ends three years after.</p>
<p>Each LTS feature release will be supported with critical patch versions <em>and</em> access to download signatures for the duration of the three year support period.</p>
<p>A new LTS feature release will be identified <em>approximately</em> every <strong>two (2)</strong> years.</p>
<p><em>Users must stay up-to-date with the latest patch versions for continued support. As of November 3, that means version 0.103.4.</em></p>
<h2 id="regular-non-lts-feature-releases"><a class="header" href="#regular-non-lts-feature-releases">Regular (non-LTS) Feature Releases</a></h2>
<p>Non-LTS feature releases will be supported with critical patch versions for <em>at least</em> <strong>four (4) months</strong> from the initial publication date of the <em><strong>next</strong></em> feature release or until the <em>next</em>-<em><strong>next</strong></em> feature release is published.</p>
<p>Non-LTS feature releases will be allowed access to download signatures until at least four (4) months after the <em>next</em>-<em><strong>next</strong></em> feature release is published.</p>
<h2 id="definitions"><a class="header" href="#definitions">Definitions</a></h2>
<ul>
<li>
<p><em>"feature release"</em> -- A version starting with MAJOR.MINOR.0 to include all PATCH versions.</p>
<p>For example: 0.103.0 and 0.103.1 are both "patch versions" within the same "feature release".</p>
</li>
<li>
<p><em>"patch version"</em> -- A specific MAJOR.MINOR.PATCH version.</p>
<p>For example: 0.103.1 is a "patch version" in the 0.103 "feature release".</p>
</li>
<li>
<p><em>"end of life" (EOL)</em> -- The date after which the ClamAV Team will no longer support a feature version in any way.</p>
<p>After this point, all patch versions of that release may be blocked from downloading official signature content.</p>
</li>
<li>
<p><em>"long term support (LTS) release"</em> -- A feature release that will get critical patch versions for an extended period.</p>
<p>The latest patch version will continue to get access to download signature databases for the duration of the support period. See <a href="faq/faq-eol.html#long-term-support-lts-feature-releases">above</a> for policy details.</p>
</li>
<li>
<p><em>"regular (non-LTS) release"</em> -- A feature release that will only be supported until a little after the next feature release.</p>
<p>The latest patch version will continue to get access to download signature databases a little longer than that, but users are encouraged to upgrade and may be vulnerable if a security patch is only published for the next feature release and they fail to upgrade. See <a href="faq/faq-eol.html#regular-non-lts-feature-releases">above</a> for policy details.</p>
</li>
<li>
<p><em>"support"</em> -- The ClamAV project defines "support" in several ways:</p>
<ol>
<li>
<p><em>Critical patch support</em>:</p>
<p>The ClamAV Team provides critical patch versions for supported feature releases(<a href="faq/faq-eol.html#additional-detail-about-critical-patch-support">**</a>).</p>
<p>The Application Binary Interface (ABI) shall not change between patch versions within a given feature release. That is, the SONAMEs for the ClamAV libraries will remain the same and changes in a patch version will not break compatibility with older library versions.</p>
<p>Users are responsible for updating to the latest patch version for continued support.</p>
</li>
<li>
<p><em>Signature Database (CVD) Access</em>:</p>
<p>Supported releases are allowed free access to download the latest signature databases.</p>
<p>Users must keep up-to-date with the latest patch version to maintain access to the official signature database content.</p>
<p>We reserve the right to block older/problematic patch versions 4 months after the release of a newer patch version.</p>
</li>
<li>
<p><em>New-Signature Load/Functional Testing</em>:</p>
<p>The ClamAV Team will load-test new sigantures for functional correctness on <strong>all versions</strong> that are allowed access to download the official signature databases.</p>
</li>
<li>
<p><em>New-Signature False Positive Testing</em>:</p>
<p>The ClamAV Team will perform false positive testing for new signature content, but only using the latest patch version of the latest feature release. False positive testing requires scanning large data sets. It is more time consuming than functional testing.</p>
</li>
</ol>
<p>Cisco does not offer paid technical support or paid extended long term support for ClamAV.</p>
</li>
</ul>
<h2 id="version-support-matrix"><a class="header" href="#version-support-matrix">Version Support Matrix</a></h2>
<blockquote>
<p><em>Note</em>: This markdown table is generated from a spreadsheet using <a href="https://thisdavej.com/copy-table-in-excel-and-paste-as-a-markdown-table/">this tool</a>.</p>
</blockquote>
<table><thead><tr><th>Feature release</th><th>First Published</th><th>Latest patch version</th><th>Expected End of Life (EOL)</th><th>Signature load testing until</th><th>Signature FP testing until</th><th>DB downloads allowed until</th><th>Patch versions continue until</th></tr></thead><tbody>
<tr><td>0.104</td><td>Sep-3 2021</td><td>0.104.1</td><td>0.106 + 4 months</td><td>0.106 + 4 months</td><td></td><td>0.106 + 4 months</td><td>0.105 + 4 months, or 0.106</td></tr>
<tr><td><strong>0.103 LTS</strong></td><td><strong>Sep-14 2020</strong></td><td><strong>0.103.4</strong></td><td><strong>Sep-14 2023</strong></td><td><strong>Sep-14 2023</strong></td><td>0.104 published</td><td><strong>Sep-14 2023</strong></td><td><strong>Sep-14 2023</strong></td></tr>
<tr><td>0.102</td><td>Oct-2 2019</td><td>0.102.4</td><td>Jan-3 2022 (0.104 + 4 mo.)</td><td>Jan-3 2022</td><td></td><td>Jan-3 2022</td><td></td></tr>
<tr><td>0.101</td><td>Dec-3 2018</td><td>0.101.5</td><td>Jan-3 2022</td><td>Jan-3 2022</td><td></td><td>Jan-3 2022</td><td></td></tr>
<tr><td>0.100</td><td>Apr-9 2018</td><td>0.100.3</td><td>Oct-29 2021</td><td>Oct-29 2021</td><td></td><td>Oct-29 2021</td><td></td></tr>
<tr><td>0.99</td><td>Dec-1 2015</td><td>0.99.4</td><td>Mar-1 2021</td><td></td><td></td><td></td><td></td></tr>
</tbody></table>
<p>Currently, every version from ClamAV 0.100 and down, including all patch versions, are unsupported, and <strong>are actively blocked from downloading new updates</strong>.</p>
<h2 id="additional-detail-about-critical-patch-support"><a class="header" href="#additional-detail-about-critical-patch-support">Additional Detail About Critical Patch Support</a></h2>
<p>Like all bugs, security patches are first prepared for our upcoming feature release. Only security patches and other critical fixes or critical improvements are backported to previous feature releases.</p>
<p>The ClamAV Team is small and can't afford to publish patch versions for every release. To keep up momentum crafting new features and other improvements, our policy is to backport no further than 1 or 2 of the latest feature releases plus the Long Term Support (LTS) feature releases.</p>
<h3 id="critical-patches-after-a-breaking-change"><a class="header" href="#critical-patches-after-a-breaking-change">Critical Patches After a Breaking Change</a></h3>
<p>On rare occasion we have made breaking changes to the way that users or other software interact with ClamAV or libclamav. The 0.101.0 release was one such example where we made a breaking change to the libclamav programming API. When this happens, we will provide extra time for users to upgrade to a newer feature release before we discontinue support for the older feature release.</p>
<p>The amount of extra time before we discontinue support will vary depending on the severity of the breaking change and the level of difficulty to upgrade.</p>
<h3 id="examples"><a class="header" href="#examples">Examples</a></h3>
<h4 id="security-patches-less-than-four-4-months-after-a-feature-release"><a class="header" href="#security-patches-less-than-four-4-months-after-a-feature-release">Security Patches Less than four (4) Months After a Feature Release</a></h4>
<p>If the non-disclosure / release date for a security patch falls within four (4) months since the previous feature release was published, we will craft a security patch version for the future feature release, the current feature release, the previous feature release, and any LTS feature releases.</p>
<blockquote>
<p><em>Example</em>: Let's say ClamAV 0.105.0 was just released and development begins on 0.106. But shortly after the release or as we're preparing for the release, it is discovered that 0.105.0 contains one or more security issues.</p>
<p>We understand with such a recent release, not everyone has had time to verify that they can indeed upgrade without some other supporting changes to their system or product.</p>
<p>In this situation, we would prepare a security patch version for:</p>
<ul>
<li>the 0.105 feature release (eg. 0.105.1),</li>
<li>for the 0.104 feature release (eg. 0.104.3),</li>
<li>and for the 0.103 LTS feature release.</li>
</ul>
<p>Once the critical patch versions have been published, the same or equivalent fixes will be merged into the <code>main</code> branch for inclusion into the next feature release (0.106.0).</p>
</blockquote>
<h4 id="security-patches-more-than-four-4-months-after-a-feature-release-has-been-available"><a class="header" href="#security-patches-more-than-four-4-months-after-a-feature-release-has-been-available">Security Patches More than four (4) Months After a Feature Release Has Been Available</a></h4>
<p>If the non-disclosure / release date for a security patch falls after four (4) months since the previous feature release was published, we will only craft a security patch version for the future feature release, the current feature release, and any LTS feature releases.</p>
<blockquote>
<p><em>Example</em>: If 0.105.0 was released in January and a security issue was found in March, but the non-disclosure agreement allowed for the bug to be patched after the standard 90 days, then a security patch release will likely be prepared for release in early June.</p>
<p>This would exceed our 4-month policy, so we would publish the fix:</p>
<ul>
<li>in 0.105 (eg. 0.105.1),</li>
<li>and in 0.103 LTS, ...</li>
</ul>
<p>... but would not publish a patch version for the 0.104 feature release.</p>
</blockquote>
<div style="break-before: page; page-break-before: always;"></div><h1 id="community-resources"><a class="header" href="#community-resources">Community Resources</a></h1>
<p>Have a resource you'd like to share? You can add it here with a simple pull-request. Just drop it in <a href="https://github.com/Cisco-Talos/clamav-documentation/tree/main/src/community_resources">the community resources section of our docs</a> and place a link to it below.</p>
<blockquote>
<p><em>Tip</em>: Use a relative link for additional markdown-based documentation, or use an absolute link like the one above for a link to a specific file.</p>
</blockquote>
<h2 id="build-guides"><a class="header" href="#build-guides">Build Guides</a></h2>
<ul>
<li></li>
</ul>
<h2 id="configuration-guides"><a class="header" href="#configuration-guides">Configuration Guides</a></h2>
<ul>
<li></li>
</ul>
<h2 id="scripts"><a class="header" href="#scripts">Scripts</a></h2>
<ul>
<li></li>
</ul>
<h2 id="other"><a class="header" href="#other">Other</a></h2>
<ul>
<li></li>
</ul>
<div style="break-before: page; page-break-before: always;"></div><h1 id="appendix"><a class="header" href="#appendix">Appendix</a></h1>
<ul>
<li><a href="appendix/CvdPrivateMirror.html">Hosting a Private Database Mirror</a></li>
<li><a href="appendix/Authenticode.html">All about Microsoft Authenticode Signature Verification</a></li>
<li><a href="appendix/FileTypes.html">ClamAV File Types and Target Types</a></li>
<li><a href="appendix/FunctionalityLevels.html">ClamAV Functionality Levels</a></li>
</ul>
<div style="break-before: page; page-break-before: always;"></div><h1 id="terminology"><a class="header" href="#terminology">Terminology</a></h1>
<h2 id="general-terminology"><a class="header" href="#general-terminology">General Terminology</a></h2>
<table><thead><tr><th>Term</th><th>Description</th></tr></thead><tbody>
<tr><td><em>adware</em></td><td>Adware is software that injects extra advertisements into other applications like your browser, or extra advertisements bundled by a third party into software that is ordinarily free of advertisements. Adware is often considered to be a type of Potentially Unwanted Application (PUA) when the the advertisements aren't used to fund development of the application but are injected by a third party.</td></tr>
<tr><td><em>bytecode</em></td><td>Bytecode is a partially compiled executable that is platform agnostic but must be further compiled or otherwise interpreted in order to be executed. For ClamAV, "bytecode signature" refer to ClamAV plugin with a <code>.cbc</code> file extension. Some bytecode signatures detect specific types of malware, as the name suggests. Other bytecode signatures extend file parser support within ClamAV, enabling faster deployment of new ClamAV features.</td></tr>
<tr><td><em>CLD</em></td><td>A CLD is the uncompressed ClamAV signature database archive. CLD files are created by FreshClam when a CVD or CLD database archive is updated with a CDIFF patch file.</td></tr>
<tr><td><em>CVD</em></td><td>A CVD is an compressed ClamAV signature database archive that is signed and distributed by Cisco-Talos. "CVD" refers to the <code>.cvd</code> file extension, although when updated using a CDIFF database patch file, the extension is changed to <code>.cld</code>.</td></tr>
<tr><td><em>CDIFF</em></td><td>A CDIFF is a patch file for a CVD or CLD database archive. CDIFFs allow for frequent updates to the ClamAV database set without requiring a large download each time.</td></tr>
<tr><td><em>endpoint</em></td><td>An endpoint is a computer that a human interacts with, such as a laptop, desktop, or mobile device.</td></tr>
<tr><td><em>endpoint security suite</em></td><td>An endpoint security suite is software that bundles a variety of services to protect a computer system. In addition to scheduled malware scanning, this may include features like a firewall, on-access scanning, network traffic monitoring, process behavioral monitoring, and other real time protection features.</td></tr>
<tr><td><em>false negative</em></td><td>A false negative is when a scan fails to alert on a file. You can <a href="https://www.clamav.net/reports/malware">report false negatives on clamav.net</a>.</td></tr>
<tr><td><em>false positive</em></td><td>A false positive is when a scan incorrectly alerts on a file. You can <a href="https://www.clamav.net/reports/fp">report false positive detections on clamav.net</a>.</td></tr>
<tr><td><em>malware</em></td><td>Malware is a general term for software intended to cause harm, disrupt, or gain unauthorized access to a computer system. Trojans, worms, miners, rootkits, viruses, keyloggers, and ransomware are all examples of different types of malware.</td></tr>
<tr><td><em>on-access</em></td><td>On-access in the context of malware detection refers to a technology to scan files when they are created, opened, moved, or otherwise accessed. On-access scanning is one form of "real time protection". The scan may block access to the file and prevent access if an alert occurs, or it may simply scan as the file is being accessed to alert or take some action when the scan is complete.</td></tr>
<tr><td><em>PUA</em></td><td>A Potentially Unwanted Application (PUA) or Potentially Unwanted Program (PUP) is a program that probably isn't malware, but little benefit to the user and is considered to be undesirable by most people. This may include software like crypto currency mining software, adware, and other software that may be legitimate but may also be used to take advantage of unsuspecting users. See our <a href="appendix/../faq/faq-pua.html">FAQ page about PUA signatures</a> for more information.</td></tr>
</tbody></table>
<h2 id="clamav-components"><a class="header" href="#clamav-components">ClamAV Components</a></h2>
<table><thead><tr><th>Component</th><th>Description</th></tr></thead><tbody>
<tr><td><code>clamav-config</code></td><td>This is a script for checking how ClamAV was compiled. <code>clamav-config</code> is not present on Windows installations.</td></tr>
<tr><td><code>clamav-milter</code></td><td>ClamAV-Milter is a daemon that performs email filter scanning through <code>clamd</code>.</td></tr>
<tr><td><code>clambc-compiler</code></td><td>The ClamAV Bytecode Compiler (ClamBC-Compiler or ClamBCC) is a compiler for building bytecode executable signature plugins. The Bytecode Compiler installed separately. See the <a href="https://github.com/Cisco-Talos/clamav-bytecode-compiler">ClamAV Bytecode Compiler project on Github</a> for more details.</td></tr>
<tr><td><code>clambc</code></td><td>ClamBC is another signature manipulation tool specifically for bytecode signatures.</td></tr>
<tr><td><code>clamconf</code></td><td>ClamConf is a tool to check or generate ClamAV configuration files and collect additional information that may be needed to help remotely debug issues.</td></tr>
<tr><td><code>clamd</code></td><td>ClamD is a multi threaded daemon that listens for scan requests on a network socket or unix socket. Client applications for <code>clamd</code> include <code>clamdtop</code>, <code>clamdscan</code>, <code>clamav-milter</code>, and <code>clamonacc</code>. The socket interface is documented and there are also a variety of third-party clients for <code>clamd</code>. See the <a href="appendix/../manual/Installing/Community-projects.html">Community Projects page</a> for more details.</td></tr>
<tr><td><code>clamdscan</code></td><td>ClamDScan is a command line program to scan files and directories through <code>clamd</code>.</td></tr>
<tr><td><code>clamdtop</code></td><td>ClamDTop is a command line GUI to monitor ClamD.</td></tr>
<tr><td><code>clamonacc</code></td><td>ClamOnAcc is a daemon that receives on-access events from the kernel for real-time protection scanning through ClamD. ClamOnAcc is only available for Linux at this time.</td></tr>
<tr><td><code>clamscan</code></td><td>ClamScan is a command line program to scan files and directories that does not require the clamd daemon.</td></tr>
<tr><td><code>freshclam</code></td><td>FreshClam is the signature database (cvd) update tool.</td></tr>
<tr><td><code>libclamav</code></td><td>The ClamAV library enables you to build the ClamAV engine into your programs. The C programming API can be found in <code>clamav.h</code>.</td></tr>
<tr><td><code>libfreshclam</code></td><td>The FreshClam library enables you to build the signature update update features into your programs. The C programming API can be found in <code>libfreshclam.h</code>.</td></tr>
<tr><td><code>sigtool</code></td><td>SigTool is a signature database (cvd) manipulation tool for malware analysts and signature writers.</td></tr>
</tbody></table>
<div style="break-before: page; page-break-before: always;"></div><h1 id="private-local-mirrors"><a class="header" href="#private-local-mirrors">Private Local Mirrors</a></h1>
<p>There are some situations in which it may be desirable to set up a private mirror for distributing ClamAV databases.</p>
<p>If you run ClamAV on many clients on your network, each new installation will download a copy of the database files. This is a waste of bandwidth and resources for your network and for our mirrors network.</p>
<p>Sometimes the servers which perform the scan are not directly connected to Internet and can only download updates from a server in the same network segment.</p>
<p>For people who face these problems, we recommend using one of the following solutions:</p>
<ul>
<li><a href="appendix/CvdPrivateMirror.html#use-cvdupdate-to-serve-whole-databases-and-database-patch-files-from-a-private-mirror">Use <code>cvdupdate</code> to serve whole databases and database patch files from a private mirror</a></li>
<li><a href="appendix/CvdPrivateMirror.html#use-freshclam-to-serve-only-whole-database-files-from-a-private-mirror">Use <code>freshclam</code> to serve only whole database files from a private mirror</a></li>
<li><a href="appendix/CvdPrivateMirror.html#use-an-http-proxy">Use an HTTP proxy</a></li>
</ul>
<h2 id="use-cvdupdate-to-serve-whole-databases-and-database-patch-files-from-a-private-mirror"><a class="header" href="#use-cvdupdate-to-serve-whole-databases-and-database-patch-files-from-a-private-mirror">Use <code>cvdupdate</code> to serve whole databases and database patch files from a private mirror</a></h2>
<p>You may use a tool named <code>cvdupdate</code> on a private mirror to maintain the latest CVD databases <em>and</em> CDIFF patch files.</p>
<p>This solution will allow you to host a mirror that functions in the same way as the official database CDN, serving CVD and CDIFF files. This means that your downstream <code>freshclam</code> clients will be able to update using the CDIFF patch files, which should save some bandwidth between your private mirror and your clients.</p>
<p>These instructions use a tool named <a href="https://github.com/Cisco-Talos/cvdupdate">cvdupdate</a>. <code>cvdupdate</code> requires:</p>
<ul>
<li>Python 3.6 or newer.</li>
<li>An internet connection with DNS enabled.</li>
<li>It should work fine on Linux/Unix and on Windows.</li>
</ul>
<p><strong>IMPORTANT</strong>: Please do NOT use <code>cvdupdate</code> if you don't need to host a private database mirror. <code>freshclam</code> is far more efficient, even for a small cluster of installs, because it will update with CDIFF patches after the initial database downloads. <code>cvdupdate</code>, on the otherhand, will download both the new daily CDIFF <em>and</em> the daily CVD every day.</p>
<p>You can easily install <code>cvdupdate</code> using Python 3's Pip package manager:</p>
<pre><code class="language-bash">pip3 install cvdupdate
</code></pre>
<p>(optional) Once installed, you may wish to configure where the databases are stored:</p>
<pre><code class="language-bash">cvd config set --dbdir <your www path>
</code></pre>
<p>Now run this as often as you need, or at least once a day to download/update the databases:</p>
<pre><code class="language-bash">cvd update
</code></pre>
<p>You may wish to <a href="https://github.com/Cisco-Talos/cvdupdate#cron-example">set up a <code>cron</code> job</a> to check for updates.</p>
<p>If you didn't set a custom database path, the databases will be stored in <code>~/.cvdupdate/database</code></p>
<blockquote>
<p><em>Tip</em>: You can use <code>--help</code> with any <code>cvd</code> command to learn more. For ore detailed instructions, or to report issues, please visit: https://github.com/Cisco-Talos/cvdupdate](https://github.com/Cisco-Talos/cvdupdate)</p>
</blockquote>
<p>Once you have the database files, host them with your favorite webserver, or use the <code>cvd serve</code> test-webserver (not intended for production).</p>
<p>Next, you'll need to configure the <code>freshclam</code> clients so they'll update from your private mirror.</p>
<p>For <code>freshclam.conf</code> on your downstream <code>freshclam</code> clients, set:</p>
<pre><code class="language-ini"># Replace `mirror.mylan` and `8000` with your domain and port number.
DatabaseMirror http://mirror.mylan:8000
</code></pre>
<p>You may wish to set up a proxy to enable HTTPS. If you do, you can specify <code>https</code> instead of <code>http</code>:</p>
<pre><code class="language-ini">DatabaseMirror https://mirror.mylan
</code></pre>
<p>You could also host the files in a subdirectory. E.g.:</p>
<pre><code class="language-ini">DatabaseMirror http://mirror.mylan:8000/clamav
</code></pre>
<p>When you run <code>freshclam</code> on your client machines, they will still use a DNS query to clamav.net to find out if there should be an update before attempting to update from your private server. If your <code>freshclam</code> clients attempt to update before your private mirror updates, that's okay. The <code>freshclam</code> clients will tolerate being 1 version behind what was advertised on clamav.net.</p>
<blockquote>
<p><em>Tip</em>: If the <code>freshclam</code> clients will not have access to the internet to perform that DNS lookup, you may wish to set <code>DNSDatabaseInfo no</code> in your <code>freshclam.conf</code> file. <code>freshclam</code> may complain that the DNS lookup to "no" failed, which is fine. It will fall-back to checking the database version using an HTTP Range-request to your server.</p>
</blockquote>
<blockquote>
<p><em>CAUTION</em>: If your <code>freshclam</code> clients cannot use DNS to check if there is an update, be certain that your private mirror's webserver supports HTTP Range-requests, or else it may serve the ENTIRE database CVD file when a <code>freshclam</code> client means to check if a newer version exists, and not just a small portion containing the database version.</p>
<p>The Python <code>simple.http</code> server does <em>NOT</em> support HTTP Range requests.</p>
</blockquote>
<h2 id="use-freshclam-to-serve-only-whole-database-files-from-a-private-mirror"><a class="header" href="#use-freshclam-to-serve-only-whole-database-files-from-a-private-mirror">Use <code>freshclam</code> to serve only whole database files from a private mirror</a></h2>
<p>You may use <code>freshclam</code> on a private mirror to maintain the latest CVD or CLD databases.</p>
<p>The <code>freshclam</code> program running on your private mirror will update using the CDIFF patch files. When you update a CVD database with ClamAV's CDIFF patching process, it produces a CLD "local" database. With this solution for hosting a private mirror, you will serve those CVD or CLD databases to downstream <code>freshclam</code> clients. Unlike when using <code>cvdupdate</code>, this option will not allow you to serve CDIFF patch files.</p>
<blockquote>
<p><em>Tip</em>: This method may be best if your public IP address is shared with other clients. At present we rate-limit CVD downloads by IP address. So if your public IP address is used by others, <code>cvdupdate</code> may be rate-limited when it attempts to download <code>daily.cvd</code>. But <code>freshclam</code> should never be rate limited for attempting to download the lateset CDIFF patch file.</p>
</blockquote>
<p>This solution is simple to implement. But because you will not be serving CDIFF patch files, it is only effective if your clients are all on the same local network or if bandwidth between your private mirror and your clients is not an issue for you.</p>
<p>To get started, configure a local webserver on one of your machines (say <code>mirror.mylan</code>). Set up <code>freshclam</code> on that server so it downloads the database files from http://database.clamav.net and stores them in your webserver’s <em>DocumentRoot</em> directory.</p>
<p>For <code>freshclam.conf</code> on your private mirror, set:</p>
<pre><code class="language-ini"># The private mirror will update from database.clamav.net.
DatabaseMirror database.clamav.net
# Customize the DatabaseDirectory so that FreshClam will update the DocumentRoot.
DatabaseDirectory /your/server/www
# Enable CLD compression to save bandwidth between your mirror and your clients.
CompressLocalDatabase yes
</code></pre>
<p>Set up <code>freshclam</code> to run as a service or in a cron job so that your private mirror always serves the latest databases.</p>
<p>Next, you'll need to configure the <code>freshclam</code> clients so they'll update from your private mirror.</p>
<p>For <code>freshclam.conf</code> on your downstream <code>freshclam</code> clients, set:</p>
<pre><code class="language-ini"># PrivateMirror is used instead of DatabaseMirror so that FreshClam will:
# 1. Accept CVD or CLD files, not just CVD files.
# 2. Use an HTTP Range-request to check if there is an update, rather than DNS.
PrivateMirror http://mirror.mylan:8000
# ScriptedUpdates is needed because you won't be serving CDIFF files.
ScriptedUpdates no
</code></pre>
<p>When you run <code>freshclam</code> on your client machines, they should check for updates from your private server over HTTP by downloading just the database header<code>*</code>. If there is a new version, the client will download the whole CVD or CLD file from your private server to update.</p>
<blockquote>
<p><code>*</code><em>Important</em>: Make sure your HTTP server will accept and handle HTTP Range requests. If yours does not, then each time a client checks for an update it will download the whole database!</p>
<p>The Python <code>simple.http</code> server does <em>NOT</em> support HTTP Range requests.</p>
</blockquote>
<h2 id="use-an-http-proxy"><a class="header" href="#use-an-http-proxy">Use an HTTP proxy</a></h2>
<p>This solution is really easy to implement and is bandwidth efficient.</p>
<p>Install a proxy server that supports caching files (e.g. squid) and then tell your <code>freshclam</code> clients to use it. This can be done by setting the <em>HTTPProxyServer</em> parameter in <em>freshclam.conf</em> (see <code>man 5 freshclam.conf</code> for the details).</p>
<div style="break-before: page; page-break-before: always;"></div><h1 id="microsoft-authenticode-signature-verification"><a class="header" href="#microsoft-authenticode-signature-verification">Microsoft Authenticode Signature Verification</a></h1>
<h2 id="about-microsoft-authenticode"><a class="header" href="#about-microsoft-authenticode">About Microsoft Authenticode</a></h2>
<p>Authenticode is Microsoft's system for using digital signatures to ensure that programs to be run/installed on Windows systems come from a verified source and has not been modified by anyone else. At a high level, it works by having software developers:</p>
<ol>
<li>Obtain a code-signing certificate from a certificate authority trusted by the Windows OS.</li>
<li>Compute digital signatures for executables and related software installation files using that certificate.</li>
<li>Include the signatures as part of the software execution/installation process so that Windows can use them in the verification process.</li>
</ol>
<p>In addition, Authenticode signatures can be countersigned by a time-stamping service that allows signature verification to succeed even if the code-signing certificate expires or gets revoked.</p>
<p>For more information, check-out the following resources:</p>
<ul>
<li>
<p><a href="https://blogs.msdn.microsoft.com/ieinternals/2011/03/22/everything-you-need-to-know-about-authenticode-code-signing/">Everything you need to know about Authenticode code-signing</a></p>
</li>
<li>
<p><a href="https://docs.microsoft.com/en-us/windows-hardware/drivers/install/authenticode">Authenticode Digital Signatures</a></p>
</li>
<li>
<p><a href="https://docs.microsoft.com/en-us/windows/desktop/seccrypto/time-stamping-authenticode-signatures">Time Stamping Authenticode Signatures</a></p>
</li>
<li>
<p><a href="https://blogs.msdn.microsoft.com/ieinternals/2014/09/04/caveats-for-authenticode-code-signing/">Caveats for Authenticode Code Signing</a></p>
</li>
</ul>
<h2 id="authenticode-and-clamav"><a class="header" href="#authenticode-and-clamav">Authenticode and ClamAV</a></h2>
<p>ClamAV supports parsing the Authenticode section and performing signature verification on a given executable to determine whether it should be trusted (based on rules loaded in from ClamAV <code>.crb</code> files). An overview of this process, including information on the <code>.crb</code> file format and on how to add new trusted certificate entries, is explained in the <a href="https://blog.clamav.net/2013/02/authenticode-certificate-chain.html">Authenticode Certificate Chain Verification</a> ClamAV blog post.</p>
<p>There are a few things not covered in the blog post that are worth mentioning:</p>
<ul>
<li>
<p>As of ClamAV 0.102, leaf certificates (the ones actually issued to the entity signing the binary) may be used for certificate verification in addition to certificates that issued the leaf certificate (and certificates higher up in the chain) can be used.</p>
</li>
<li>
<p>As of ClamAV 0.102, <code>.crb</code> rules may also be used to block malicious executables where in previous versions these block list entries just override <code>.crb</code> rules that would otherwise trust a given sample.</p>
</li>
<li>
<p>SigTool offers the <code>--print-certs</code> flag, which can be used to show information about embedded Authenticode signatures without having to first match on a signature (which is currently a requirement for clamscan)</p>
</li>
<li>
<p>External Authenticode signatures contained in <code>.cat</code> files can be loaded in to ClamAV by passing a <code>-d</code> flag and indicating the path to the .cat file from which to load signatures. Note, however, that at least one certificate in the <code>.cat</code> file's certificate chain must be trusted (in other words, it must have a backing <code>.crb</code> trusted certificate rule.)</p>
</li>
</ul>
<h1 id="helpful-info-for-working-with-authenticode-signatures"><a class="header" href="#helpful-info-for-working-with-authenticode-signatures">Helpful Info for Working with Authenticode Signatures</a></h1>
<p>Below is some useful information collected when improving ClamAV support for Authenticode signatures.</p>
<h2 id="format-specifications"><a class="header" href="#format-specifications">Format Specifications</a></h2>
<p>The Windows Authenticode 2008 specification document can be found at the link below. Note, however, that it is not 100% accurate. For instance, the documented steps for computing the Authenticode hash are not correct in the case where you have sections that overlap with the PE header or with one another.</p>
<ul>
<li><a href="http://download.microsoft.com/download/9/c/5/9c5b2167-8017-4bae-9fde-d599bac8184a/Authenticode_PE.docx">Windows Authenticode PE Signature Format</a></li>
</ul>
<h2 id="verifying-the-signature"><a class="header" href="#verifying-the-signature">Verifying the Signature</a></h2>
<p>On Linux, osslsigncode can be used to verify a signature:</p>
<pre><code class="language-bash"> $ osslsigncode verify /path/to/signed/file
Current PE checksum : 00092934
Calculated PE checksum: 00092934
Message digest algorithm : SHA256
Current message digest : 56924EB391B1B04572B1841ED5D5C10927CE7D6E9553A69F994B9BA855A73933
Calculated message digest : 56924EB391B1B04572B1841ED5D5C10927CE7D6E9553A69F994B9BA855A73933
Signature verification: ok
Number of signers: 1
Signer #0:
Subject: /C=US/ST=California/L=Mountain View/O=Google Inc/CN=Google Inc
Issuer : /C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 SHA256 Code Signing CA
Number of certificates: 2
Cert #0:
Subject: /C=US/ST=California/L=Mountain View/O=Google Inc/CN=Google Inc
Issuer : /C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 SHA256 Code Signing CA
Cert #1:
Subject: /C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 SHA256 Code Signing CA
Issuer : /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
Succeeded
</code></pre>
<p>On Windows,</p>
<p><a href="https://blog.didierstevens.com/programs/authenticode-tools/">AnalyzePESig</a> is a great tool for displaying signature information. In addition,
<a href="https://docs.microsoft.com/en-us/dotnet/framework/tools/signtool-exe#examples">signtool</a> can be used.</p>
<p>NOTE that the machine on which these commands is run should have Internet connectivity so that revocation lists can be consulted. Otherwise, Windows may default to assuming that none of the certificates are revoked.</p>
<p>There is also the <a href="http://code.google.com/p/verify-sigs">verify-sigs</a> python script that performs verification, but this script is no longer maintained.</p>
<h2 id="extracting-the-signature"><a class="header" href="#extracting-the-signature">Extracting the Signature</a></h2>
<p>On Linux, the osslsigncode command can be used to extract the contents of the PE security section:</p>
<p><code>osslsigncode extract-signature -in /path/to/exe -out /path/to/extracted</code></p>
<blockquote>
<p><em>Note</em>: This will also extract the 8-byte <a href="https://docs.microsoft.com/en-us/windows/desktop/api/wintrust/ns-wintrust-_win_certificate">WIN_CERTIFICATE</a> structure data.
To skip this data, use:</p>
<pre><code class="language-bash">dd if=/path/to/extracted of=/path/to/extracted.p7b bs=1 skip=8`
</code></pre>
</blockquote>
<h2 id="inspecting-the-signature"><a class="header" href="#inspecting-the-signature">Inspecting the Signature</a></h2>
<p>On Linux, <code>openssl</code> has some useful functions for printing the certificate information and parsing the PKCS7 ASN1:</p>
<pre><code class="language-bash"> $ openssl pkcs7 -inform der -print_certs -in extracted.p7b -noout -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
2a:9c:21:ac:aa:a6:3a:3c:58:a7:b9:32:2b:ee:94:8d
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 SHA256 Code Signing CA
Validity
Not Before: Dec 16 00:00:00 2015 GMT
Not After : Dec 16 23:59:59 2018 GMT
Subject: C=US, ST=California, L=Mountain View, O=Google Inc, CN=Google Inc
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:c4:0d:82:c4:41:29:28:e5:fd:0c:3f:a5:c7:0e:
66:bd:a5:c4:8b:b3:8a:ac:84:03:9f:84:2e:38:df:
06:b1:4e:fd:33:60:58:38:36:dd:22:cf:df:f1:50:
1f:47:f1:55:05:c1:81:01:e7:28:3e:ff:5f:89:12:
09:ea:df:aa:17:49:2c:71:ab:48:d1:9d:2e:f4:51:
e0:03:e0:f7:16:6c:7b:0c:22:75:6d:7e:1f:49:c4:
43:28:88:41:dc:6c:ed:13:2a:03:99:eb:62:14:f9:
35:26:6e:12:2c:03:e2:f7:81:b9:1a:05:67:06:7c:
a6:1a:5b:ed:20:15:e5:2d:83:de:8e:36:fa:1e:08:
41:1c:1a:48:9f:b6:f1:c3:2f:02:13:4b:a7:ca:ba:
ef:1c:58:6f:8e:d3:0f:14:a4:0b:2b:5d:ba:f4:5a:
a3:0d:64:34:a5:8a:d7:8f:4d:22:66:4d:a4:ae:e1:
f9:cd:c6:58:e6:c6:11:77:32:df:ba:df:39:48:8a:
d1:27:d7:33:77:a8:c9:e4:5e:ed:fa:12:cf:f3:fd:
fa:ee:ab:80:86:13:34:eb:5a:7e:6f:6c:1b:ee:d8:
4b:b2:cc:77:98:87:ac:ca:f5:bb:64:6f:49:1e:5b:
91:63:50:1f:63:2d:83:27:73:07:9f:2b:16:f4:7b:
71:29
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
X509v3 Key Usage: critical
Digital Signature
X509v3 Extended Key Usage:
Code Signing
X509v3 Certificate Policies:
Policy: 2.16.840.1.113733.1.7.23.3
CPS: https://d.symcb.com/cps
User Notice:
Explicit Text: https://d.symcb.com/rpa
X509v3 Authority Key Identifier:
keyid:96:3B:53:F0:79:33:97:AF:7D:83:EF:2E:2B:CC:CA:B7:86:1E:72:66
X509v3 CRL Distribution Points:
Full Name:
URI:http://sv.symcb.com/sv.crl
Authority Information Access:
OCSP - URI:http://sv.symcd.com
CA Issuers - URI:http://sv.symcb.com/sv.crt
Netscape Cert Type:
Object Signing
1.3.6.1.4.1.311.2.1.27:
0.......
Signature Algorithm: sha256WithRSAEncryption
23:e7:93:93:af:db:a8:4d:af:af:54:e8:d8:26:95:80:cd:23:
91:70:ed:0b:5b:b1:e9:d8:dd:1e:40:37:78:97:18:ed:9f:e5:
84:67:85:06:50:b5:f1:ab:e6:83:5a:17:7b:51:be:7f:18:c6:
47:5e:2b:aa:f4:a0:1f:35:3e:05:9f:43:40:f7:9f:d1:f4:e1:
a7:02:f3:8e:c9:71:fe:18:37:48:42:d7:e4:36:73:10:92:d4:
d8:d9:1c:c4:26:58:18:67:b6:24:22:69:63:02:f7:49:51:6b:
75:f6:b4:7d:56:ff:2c:f4:88:f7:67:6f:08:86:f3:8b:0b:30:
02:7f:6d:92:d9:4e:bd:99:f7:7b:74:86:0c:cb:b9:ad:2c:bf:
44:79:a8:00:82:9c:62:f4:aa:11:df:d2:bf:f0:e1:92:28:11:
90:bb:5e:33:88:86:96:4d:dd:0b:af:c3:67:a1:95:2d:44:32:
c6:fa:f7:b8:80:c1:4e:38:be:1f:b6:84:f7:f1:21:31:67:49:
a8:9f:8a:75:07:df:3b:3a:c3:ea:72:cd:40:7f:a7:da:7c:c9:
2e:7c:a9:0c:f1:5d:5c:82:42:62:b9:49:94:8f:70:e6:a5:c0:
5f:17:fb:40:36:c1:3a:89:63:03:1c:3f:66:a0:3d:8f:a1:4c:
4e:5c:ac:bf
...
</code></pre>
<pre><code class="language-bash"> $ openssl asn1parse -inform der -i -in extracted.p7b
0:d=0 hl=4 l=6984 cons: SEQUENCE
4:d=1 hl=2 l= 9 prim: OBJECT :pkcs7-signedData
15:d=1 hl=4 l=6969 cons: cont [ 0 ]
19:d=2 hl=4 l=6965 cons: SEQUENCE
23:d=3 hl=2 l= 1 prim: INTEGER :01
26:d=3 hl=2 l= 15 cons: SET
28:d=4 hl=2 l= 13 cons: SEQUENCE
30:d=5 hl=2 l= 9 prim: OBJECT :sha256
41:d=5 hl=2 l= 0 prim: NULL
43:d=3 hl=2 l= 92 cons: SEQUENCE
45:d=4 hl=2 l= 10 prim: OBJECT :1.3.6.1.4.1.311.2.1.4
57:d=4 hl=2 l= 78 cons: cont [ 0 ]
59:d=5 hl=2 l= 76 cons: SEQUENCE
61:d=6 hl=2 l= 23 cons: SEQUENCE
63:d=7 hl=2 l= 10 prim: OBJECT :1.3.6.1.4.1.311.2.1.15
75:d=7 hl=2 l= 9 cons: SEQUENCE
77:d=8 hl=2 l= 1 prim: BIT STRING
80:d=8 hl=2 l= 4 cons: cont [ 0 ]
82:d=9 hl=2 l= 2 cons: cont [ 2 ]
84:d=10 hl=2 l= 0 prim: cont [ 0 ]
86:d=6 hl=2 l= 49 cons: SEQUENCE
88:d=7 hl=2 l= 13 cons: SEQUENCE
90:d=8 hl=2 l= 9 prim: OBJECT :sha256
101:d=8 hl=2 l= 0 prim: NULL
103:d=7 hl=2 l= 32 prim: OCTET STRING [HEX DUMP]:56924EB391B1B04572B1841ED5D5C10927CE7D6E9553A69F994B9BA855A73933
...
</code></pre>
<p>On Windows, the <code>certutil</code> executable has a great ASN parser:</p>
<pre><code class="language-bash"> C:\>certutil -asn extracted.p7b
0000: 30 82 1b 48 ; SEQUENCE (1b48 Bytes)
0004: | 06 09 ; OBJECT_ID (9 Bytes)
0006: | | 2a 86 48 86 f7 0d 01 07 02
| | ; 1.2.840.113549.1.7.2 PKCS 7 Signed
000f: | a0 82 1b 39 ; OPTIONAL[0] (1b39 Bytes)
0013: | 30 82 1b 35 ; SEQUENCE (1b35 Bytes)
0017: | 02 01 ; INTEGER (1 Bytes)
0019: | | 01
001a: | 31 0f ; SET (f Bytes)
001c: | | 30 0d ; SEQUENCE (d Bytes)
001e: | | 06 09 ; OBJECT_ID (9 Bytes)
0020: | | | 60 86 48 01 65 03 04 02 01
| | | ; 2.16.840.1.101.3.4.2.1 sha256 (sha256NoSign)
0029: | | 05 00 ; NULL (0 Bytes)
002b: | 30 5c ; SEQUENCE (5c Bytes)
002d: | | 06 0a ; OBJECT_ID (a Bytes)
002f: | | | 2b 06 01 04 01 82 37 02 01 04
| | | ; 1.3.6.1.4.1.311.2.1.4 SPC_INDIRECT_DATA_OBJID
0039: | | a0 4e ; OPTIONAL[0] (4e Bytes)
003b: | | 30 4c ; SEQUENCE (4c Bytes)
003d: | | 30 17 ; SEQUENCE (17 Bytes)
003f: | | | 06 0a ; OBJECT_ID (a Bytes)
0041: | | | | 2b 06 01 04 01 82 37 02 01 0f
| | | | ; 1.3.6.1.4.1.311.2.1.15 SPC_PE_IMAGE_DATA_OBJID
004b: | | | 30 09 ; SEQUENCE (9 Bytes)
...
</code></pre>
<p>There is also a website that offers ASN1 parser and allows you to interactively
hide/view parts of the structure:</p>
<ul>
<li><a href="https://lapo.it/asn1js/">ASN1 JavaScript Parser</a></li>
</ul>
<h2 id="creating-signed-executables"><a class="header" href="#creating-signed-executables">Creating Signed Executables</a></h2>
<p>For Linux, Didier Stevens has a great post about how to create signed binaries using self-signed certificates:</p>
<ul>
<li><a href="https://blog.didierstevens.com/2018/09/24/quickpost-signing-windows-executables-on-kali/">Signing Windows Executables on Kali</a></li>
</ul>
<p>On Windows, a program called <code>signtool</code> ships with the Windows SDK and can be used. See the following for tutorials/examples:</p>
<ul>
<li>
<p><a href="https://www.digicert.com/code-signing/signcode-signtool-command-line.htm">Authenticode Code Signing with Microsoft SignTool</a></p>
</li>
<li>
<p><a href="https://docs.microsoft.com/en-us/dotnet/framework/tools/signtool-exe#examples">Signtool Examples</a></p>
</li>
</ul>
<h2 id="samples-with-interesting-authenticode-signatures"><a class="header" href="#samples-with-interesting-authenticode-signatures">Samples with Interesting Authenticode Signatures</a></h2>
<p>Below are some PE files with interesting Authenticode signatures. These are probably only interesting to other researchers who are looking at Authenticode in-depth. All samples are available via VirusTotal.</p>
<ul>
<li>
<p>SHA256-based code-signing signature without a countersignature</p>
<ul>
<li><code>8886d96e9ed475e4686ffba3d242e97836de8a56b75cc915e21bb324cc89de03</code></li>
</ul>
</li>
<li>
<p>SHA256-based code-signing sig and SHA1-based timestamping countersig</p>
<ul>
<li><code>20367d0e3a5ad12154095d424b8d9818c33e7d6087525e6a3304ef6c22a53665</code></li>
</ul>
</li>
<li>
<p>SHA384-based cert used in the code-signing chain</p>
<ul>
<li><code>2249611fef630d666f667ac9dc7b665d3b9382956e41f10704e40bd900decbb8</code></li>
</ul>
</li>
<li>
<p>Uses SHA512 to compute the Authenticode hash</p>
<ul>
<li><code>eeb5469a214d5aac1dcd7e8415f93eca14edc38f47d1e360d3d97d432695207a</code></li>
</ul>
</li>
<li>
<p>Signed by an MS root cert that doesn't have a KU or EKU specified</p>
<ul>
<li><code>69b61b2c00323cea3686315617d0f452e205dae10c47e02cbe1ea96fea38f582</code></li>
</ul>
</li>
<li>
<p>Has a v1 x509 cert and uses MD2-based hashing</p>
<ul>
<li><code>1cb16f94cebdcad7dd05c8537375a6ff6379fcdb08528fc83889f26efaa84e2a</code></li>
</ul>
</li>
<li>
<p>Countersignature with version 0 instead of version 1</p>
<ul>
<li><code>145fbbf59b1071493686bf41f4eb364627d8be3c9dc8fb927bbe853e593864ec</code></li>
</ul>
</li>
<li>
<p>Countersignature with contentType == timestampToken instead of pkcs7-data</p>
<ul>
<li><code>8a364e0881fd7201cd6f0a0ff747451c9b93182d5699afb28ad8466f7f726660</code></li>
</ul>
</li>
<li>
<p>Countersignature with AlgoIdentifier sha1WithRSAEncryption instead of SHA1</p>
<ul>
<li><code>2aa6b18d509090c60c3e4ecdd8aeb16e5f149807e3404c86892112710eab576d</code></li>
</ul>
</li>
<li>
<p>Countersignature uses v1 x509 certs</p>
<ul>
<li><code>934860a4ac2446240e4c7053ddc27ff4c2463d4ad433cc28c9fcc2ea4690fb86</code></li>
</ul>
</li>
<li>
<p>Certificate chain has old certificates without a version</p>
<ul>
<li><code>374a31b20fbafdcd31d52ae11a0dcad58baba556c8942a3cdfae0bb96ae117a1</code></li>
</ul>
</li>
<li>
<p>Has extra data after the PKCS7, a violation of <a href="https://docs.microsoft.com/en-us/security-updates/securitybulletins/2013/ms13-098">MS13-098</a></p>
<ul>
<li><code>0ee196bb23f0eafe4f61d30bf6c676fd7365cb12ae66a6bde278851e91901ac1</code></li>
</ul>
</li>
<li>
<p>Authenticode signature covers data not in a section</p>
<ul>
<li><code>0123c163ac981e639565caff72ee3af2df7174613ee12003ac89124be461c6e6</code></li>
</ul>
</li>
<li>
<p>Authenticode signature with a section that overlaps the PE header (UPX-packed)</p>
<ul>
<li><code>0059fb3f225c5784789622eeccb97197d591972851b63d59f5bd107ddfdb7a21</code></li>
</ul>
</li>
<li>
<p>Authenticode signature with overlapping sections</p>
<ul>
<li><code>014b66cf2cef39620e9a985d237971b8cf272043e9ac372d5dcef44db754a1d2</code></li>
</ul>
</li>
<li>
<p>Uses certs with no NULL after AlgorithmIdentifier OID</p>
<ul>
<li><code>66b797b3b4f99488f53c2b676610dfe9868984c779536891a8d8f73ee214bc4b</code></li>
</ul>
</li>
<li>
<p>Uses an ASN1 indefinite length object</p>
<ul>
<li><code>8ca912e397a9e1b0cc54c216144ff550da9d43610392208193c0781b1aa5d695</code></li>
</ul>
</li>
<li>
<p>Unexpected contentType for embedded mode signature (copied from a .cat?)</p>
<ul>
<li><code>6ed9b5f6d32f94b3d06456b176c8536be123e1047763cc0a31c6e8fd6a0242b1</code></li>
</ul>
</li>
<li>
<p>Security directory appears to overlap with the PE header</p>
<ul>
<li><code>ff482f69f2183b5fd3c1b45d9006156524b8f8a5f518e33d6e92ea079787e64d</code></li>
</ul>
</li>
<li>
<p>x509 cert with a public key using exponent 3</p>
<ul>
<li><code>012760e582e541c6dd34a2cbd5d053f402eebcb8b60ed4a88fecb5589bd17bb9</code></li>
</ul>
</li>
<li>
<p>x509 UTCDate is missing the seconds field</p>
<ul>
<li><code>05de45fd6a406dc147a4c8040a54eee947cd6eba02f28c0279ffd1a229e17130</code></li>
</ul>
</li>
<li>
<p>x509 cert with a negative serial number</p>
<ul>
<li><code>6218d50eb5c898acd3482daaea8f615b4f1f87ef0d06220cc1d7f700bc35888b</code></li>
</ul>
</li>
</ul>
<h2 id="additional-references"><a class="header" href="#additional-references">Additional References</a></h2>
<ul>
<li>
<p><a href="https://www.cryptologie.net/article/262/what-are-x509-certificates-rfc-asn1-der/">What are x509 certificates?</a> (Provides an overview of the ASN1 structure of x509 certificates)</p>
</li>
<li>
<p><a href="http://users.umiacs.umd.edu/%7Etdumitra/signedmalware/index.html">Signed Malware</a> (Research papers on signed malware with interactive tables of malicious code signing certs)</p>
</li>
</ul>
<div style="break-before: page; page-break-before: always;"></div><h1 id="clamav-file-types"><a class="header" href="#clamav-file-types">ClamAV File Types</a></h1>
<p>ClamAV has two file typing systems for filtering signature matches: Target Types and File Types.</p>
<h2 id="target-types"><a class="header" href="#target-types">Target Types</a></h2>
<p>A Target Type is an integer that indicates which kind of file the signature will match against. Target Type notation was first created for the purposes writing efficient signatures. A signature with a target type of <code>0</code> will be run against every file type, and thus is not ideal. However, the Target Type notation is limited and it may be unavoidable.</p>
<p>Although the newer CL_TYPE string name notation has replaced the Target Type for some signature formats, many signature formats require a target type number.</p>
<p>This is the current list of available Target Types:</p>
<table><thead><tr><th>Target Type</th><th>Description</th></tr></thead><tbody>
<tr><td>0</td><td>any file</td></tr>
<tr><td>1</td><td>Portable Executable, both 32- and 64-bit</td></tr>
<tr><td>2</td><td>OLE2 containers, including specific macros. Primarily used by MS Office and MSI installation files</td></tr>
<tr><td>3</td><td>HTML (normalized)</td></tr>
<tr><td>4</td><td>Mail file</td></tr>
<tr><td>5</td><td>Graphics</td></tr>
<tr><td>6</td><td>ELF</td></tr>
<tr><td>7</td><td>ASCII text file (normalized)</td></tr>
<tr><td>8</td><td>Unused</td></tr>
<tr><td>9</td><td>Mach-O files</td></tr>
<tr><td>10</td><td>PDF files</td></tr>
<tr><td>11</td><td>Flash files</td></tr>
<tr><td>12</td><td>Java class files</td></tr>
</tbody></table>
<blockquote>
<p><em>Important</em>: HTML, ASCII, Javascript are all normalized:</p>
<ul>
<li>ASCII - All lowercase.</li>
<li>HTML - Whitespace transformed to spaces, tags/tag attributes normalized, all lowercase.</li>
<li>Javascript - All strings are normalized (hex encoding is decoded), numbers are parsed and normalized, local variables/function names are normalized to <code>n001</code> format, argument to <code>eval()</code> is parsed as JS again, unescape() is handled, some simple JS packers are handled, output is whitespace normalized.</li>
</ul>
</blockquote>
<h2 id="file-types"><a class="header" href="#file-types">File Types</a></h2>
<p>ClamAV maintains it's own file typing format and assigns these types using either:</p>
<ul>
<li>
<p>Evaluation of a unique sequence of bytes at the start of a file (<a href="appendix/../manual/Signatures/FileTypeMagic.html">File Type Magic</a>).</p>
</li>
<li>
<p>File type indicators when parsing container files.</p>
<ul>
<li>For example:
<code>CL_TYPE_SCRIPT</code> may be assigned to data contained in a PDF when the PDF indicates that a stream of bytes is "Javascript"</li>
</ul>
</li>
<li>
<p>File type determination based on the names or characteristics contained within the file.</p>
<ul>
<li>For example:
<code>CL_TYPE_OOXML_WORD</code> may be assigned to a Zip file containing files with specific names.</li>
</ul>
</li>
</ul>
<p>ClamAV File Types are prefixed with <code>CL_TYPE_</code>. The following is an exhaustive list of all current file types.</p>
<table><thead><tr><th>CL_TYPE</th><th>Description</th></tr></thead><tbody>
<tr><td><code>CL_TYPE_7Z</code></td><td>7-Zip Archive</td></tr>
<tr><td><code>CL_TYPE_7ZSFX</code></td><td>Self-Extracting 7-Zip Archive</td></tr>
<tr><td><code>CL_TYPE_APM</code></td><td>Disk Image - Apple Partition Map</td></tr>
<tr><td><code>CL_TYPE_ARJ</code></td><td>ARJ Archive</td></tr>
<tr><td><code>CL_TYPE_ARJSFX</code></td><td>Self-Extracting ARJ Archive</td></tr>
<tr><td><code>CL_TYPE_AUTOIT</code></td><td>AutoIt Automation Executable</td></tr>
<tr><td><code>CL_TYPE_BINARY_DATA</code></td><td>binary data</td></tr>
<tr><td><code>CL_TYPE_BINHEX</code></td><td>BinHex Macintosh 7-bit ASCII email attachment encoding</td></tr>
<tr><td><code>CL_TYPE_BZ</code></td><td>BZip Compressed File</td></tr>
<tr><td><code>CL_TYPE_CABSFX</code></td><td>Self-Extracting Microsoft CAB Archive</td></tr>
<tr><td><code>CL_TYPE_CPIO_CRC</code></td><td>CPIO Archive (CRC)</td></tr>
<tr><td><code>CL_TYPE_CPIO_NEWC</code></td><td>CPIO Archive (NEWC)</td></tr>
<tr><td><code>CL_TYPE_CPIO_ODC</code></td><td>CPIO Archive (ODC)</td></tr>
<tr><td><code>CL_TYPE_CPIO_OLD</code></td><td>CPIO Archive (OLD, Little Endian or Big Endian)</td></tr>
<tr><td><code>CL_TYPE_CRYPTFF</code></td><td>Files encrypted by CryptFF malware</td></tr>
<tr><td><code>CL_TYPE_DMG</code></td><td>Apple DMG Archive</td></tr>
<tr><td><code>CL_TYPE_EGG</code></td><td>ESTSoft EGG Archive, new in 0.102</td></tr>
<tr><td><code>CL_TYPE_ELF</code></td><td>ELF Executable (Linux/Unix program or library)</td></tr>
<tr><td><code>CL_TYPE_GIF</code></td><td>GIF Graphics File, new in 0.103</td></tr>
<tr><td><code>CL_TYPE_GPT</code></td><td>Disk Image - GUID Partition Table</td></tr>
<tr><td><code>CL_TYPE_GRAPHICS</code></td><td>Other graphics files; BMP, JPEG2000</td></tr>
<tr><td><code>CL_TYPE_GZ</code></td><td>GZip Compressed File</td></tr>
<tr><td><code>CL_TYPE_HTML_UTF16</code></td><td>Wide-Character / UTF16 encoded HTML</td></tr>
<tr><td><code>CL_TYPE_HTML</code></td><td>HTML data</td></tr>
<tr><td><code>CL_TYPE_HWP3</code></td><td>Hangul Word Processor (3.X)</td></tr>
<tr><td><code>CL_TYPE_HWPOLE2</code></td><td>Hangul Word Processor embedded OLE2</td></tr>
<tr><td><code>CL_TYPE_INTERNAL</code></td><td>Internal properties</td></tr>
<tr><td><code>CL_TYPE_ISHIELD_MSI</code></td><td>Windows Install Shield MSI installer</td></tr>
<tr><td><code>CL_TYPE_ISO9660</code></td><td>ISO 9660 file system for optical disc media</td></tr>
<tr><td><code>CL_TYPE_JAVA</code></td><td>Java Class File</td></tr>
<tr><td><code>CL_TYPE_JPEG</code></td><td>JPEG Graphics File, new in 0.103.1</td></tr>
<tr><td><code>CL_TYPE_LNK</code></td><td>Microsoft Windows Shortcut File</td></tr>
<tr><td><code>CL_TYPE_MACHO_UNIBIN</code></td><td>Universal Binary/Java Bytecode</td></tr>
<tr><td><code>CL_TYPE_MACHO</code></td><td>Apple/NeXTSTEP Mach-O Executable file format</td></tr>
<tr><td><code>CL_TYPE_MAIL</code></td><td>Email file</td></tr>
<tr><td><code>CL_TYPE_MBR</code></td><td>Disk Image - Master Boot Record</td></tr>
<tr><td><code>CL_TYPE_MHTML</code></td><td>MHTML Saved Web Page</td></tr>
<tr><td><code>CL_TYPE_MSCAB</code></td><td>Microsoft CAB Archive</td></tr>
<tr><td><code>CL_TYPE_MSCHM</code></td><td>Microsoft CHM help archive</td></tr>
<tr><td><code>CL_TYPE_MSEXE</code></td><td>Microsoft EXE / DLL Executable file</td></tr>
<tr><td><code>CL_TYPE_MSOLE2</code></td><td>Microsoft OLE2 Container file</td></tr>
<tr><td><code>CL_TYPE_MSSZDD</code></td><td>Microsoft Compressed EXE</td></tr>
<tr><td><code>CL_TYPE_NULSFT</code></td><td>NullSoft Scripted Installer program</td></tr>
<tr><td><code>CL_TYPE_OLD_TAR</code></td><td>TAR archive (old)</td></tr>
<tr><td><code>CL_TYPE_OOXML_HWP</code></td><td>Hangul Office Open Word Processor (5.X)</td></tr>
<tr><td><code>CL_TYPE_OOXML_PPT</code></td><td>Microsoft Office Open XML PowerPoint</td></tr>
<tr><td><code>CL_TYPE_OOXML_WORD</code></td><td>Microsoft Office Open Word 2007+</td></tr>
<tr><td><code>CL_TYPE_OOXML_XL</code></td><td>Microsoft Office Open Excel 2007+</td></tr>
<tr><td><code>CL_TYPE_PART_HFSPLUS</code></td><td>Apple HFS+ partition</td></tr>
<tr><td><code>CL_TYPE_PDF</code></td><td>Adobe PDF document</td></tr>
<tr><td><code>CL_TYPE_PNG</code></td><td>PNG Graphics File, new in 0.103</td></tr>
<tr><td><code>CL_TYPE_POSIX_TAR</code></td><td>TAR archive</td></tr>
<tr><td><code>CL_TYPE_PS</code></td><td>Postscript</td></tr>
<tr><td><code>CL_TYPE_RAR</code></td><td>RAR Archive</td></tr>
<tr><td><code>CL_TYPE_RARSFX</code></td><td>Self-Extracting RAR Archive</td></tr>
<tr><td><code>CL_TYPE_RIFF</code></td><td>Resource Interchange File Format container formatted file</td></tr>
<tr><td><code>CL_TYPE_RTF</code></td><td>Rich Text Format document</td></tr>
<tr><td><code>CL_TYPE_SCRENC</code></td><td>Files encrypted by ScrEnc malware</td></tr>
<tr><td><code>CL_TYPE_SCRIPT</code></td><td>Generic type for scripts (Javascript, Python, etc)</td></tr>
<tr><td><code>CL_TYPE_SIS</code></td><td>Symbian OS Software Installation Script Archive</td></tr>
<tr><td><code>CL_TYPE_SWF</code></td><td>Adobe Flash File (LZMA, Zlib, or uncompressed)</td></tr>
<tr><td><code>CL_TYPE_TEXT_ASCII</code></td><td>ASCII text</td></tr>
<tr><td><code>CL_TYPE_TEXT_UTF16BE</code></td><td>UTF-16BE text</td></tr>
<tr><td><code>CL_TYPE_TEXT_UTF16LE</code></td><td>UTF-16LE text</td></tr>
<tr><td><code>CL_TYPE_TEXT_UTF8</code></td><td>UTF-8 text</td></tr>
<tr><td><code>CL_TYPE_TIFF</code></td><td>TIFF Graphics File (Little or Big Endian), new in 0.103.1</td></tr>
<tr><td><code>CL_TYPE_TNEF</code></td><td>Microsoft Outlook & Exchange email attachment format</td></tr>
<tr><td><code>CL_TYPE_UUENCODED</code></td><td>UUEncoded (Unix-to-Unix) binary file (Unix email attachment)</td></tr>
<tr><td><code>CL_TYPE_XAR</code></td><td>XAR Archive</td></tr>
<tr><td><code>CL_TYPE_XDP</code></td><td>Adobe XDP - Embedded PDF</td></tr>
<tr><td><code>CL_TYPE_XML_HWP</code></td><td>Hangul Word Processor XML (HWPML) Document</td></tr>
<tr><td><code>CL_TYPE_XML_WORD</code></td><td>Microsoft Word 2003 XML Document</td></tr>
<tr><td><code>CL_TYPE_XML_XL</code></td><td>Microsoft Excel 2003 XML Document</td></tr>
<tr><td><code>CL_TYPE_XZ</code></td><td>XZ Archive</td></tr>
<tr><td><code>CL_TYPE_ZIP</code></td><td>Zip Archive</td></tr>
<tr><td><code>CL_TYPE_ZIPSFX</code></td><td>Self-Extracting Zip Archive</td></tr>
</tbody></table>
<div style="break-before: page; page-break-before: always;"></div><h1 id="versions--functionality-levels-flevels"><a class="header" href="#versions--functionality-levels-flevels">Versions & Functionality Levels (FLEVELs)</a></h1>
<p>The Functionality Level (or FLEVEL) is an integer that signatures may use to define which versions of ClamAV the signature features support. It is up to the signature writers to select the correct FLEVEL or range of FLEVELs when writing a signature so that it does not cause failures in older versions of ClamAV.</p>
<p>Setting appropriate FLEVELs in signatures is particularly crucial when using features added in the last 3-4 major release versions.</p>
<h2 id="clamav-version-to-flevel-chart"><a class="header" href="#clamav-version-to-flevel-chart">ClamAV Version to FLEVEL chart</a></h2>
<blockquote>
<p><em>Note</em>: This markdown table is generated from a spreadsheet using <a href="https://thisdavej.com/copy-table-in-excel-and-paste-as-a-markdown-table/">this tool</a>.</p>
</blockquote>
<table><thead><tr><th>Release Date</th><th>Release</th><th>FLEVEL</th><th>FunctionalityLevel (bytecode enum)</th><th>clamav lib</th><th>.so</th><th>freshclam lib</th><th>.so</th><th>API/ABI changes, major features, other notes</th></tr></thead><tbody>
<tr><td>n/a</td><td>1.0.0</td><td>160</td><td>FUNC_LEVEL_1_0</td><td>n/a</td><td>n/a</td><td>n/a</td><td>n/a</td><td></td></tr>
<tr><td>n/a</td><td>0.105.0</td><td>150</td><td>FUNC_LEVEL_0105</td><td>n/a</td><td>n/a</td><td>n/a</td><td>n/a</td><td></td></tr>
<tr><td>Nov-2021</td><td>0.104.1</td><td>141</td><td>FUNC_LEVEL_0104_1</td><td>10:00:01</td><td>9.1.0</td><td>2:02:00</td><td>2.0.2</td><td>Critical bug fixes</td></tr>
<tr><td>Sep-2021</td><td>0.104.0</td><td>140</td><td>FUNC_LEVEL_0104</td><td>10:00:01</td><td>9.1.0</td><td>2:02:00</td><td>2.0.2</td><td>CMake stabilized (autotools removed); Added db load/compile/free callbacks to clamav.h API.</td></tr>
<tr><td>Nov-2021</td><td>0.103.4</td><td>125</td><td>FUNC_LEVEL_0103_4</td><td>9:05:00</td><td>9.0.5</td><td>2:01:00</td><td>2.0.1</td><td>Critical bug fixes</td></tr>
<tr><td>Jun-2021</td><td>0.103.3</td><td>124</td><td>FUNC_LEVEL_0103_3</td><td>9:05:00</td><td>9.0.5</td><td>2:01:00</td><td>2.0.1</td><td>Critical bug fixes</td></tr>
<tr><td>Apr-2021</td><td>0.103.2</td><td>123</td><td>FUNC_LEVEL_0103_2</td><td>9:05:00</td><td>9.0.5</td><td>2:01:00</td><td>2.0.1</td><td>Security fixes</td></tr>
<tr><td>Feb-2021</td><td>0.103.1</td><td>122</td><td>FUNC_LEVEL_0103_1</td><td>9:05:00</td><td>9.0.5</td><td>2:01:00</td><td>2.0.1</td><td>Fix PNG parser; Loosen GIF format validation (trailer byte); Fix scan issue on Windows RAM disks; Fix clamonacc FD-passing; Enable JPEG & TIFF validation; Add CL_TYPE_JPEG, CL_TYPE_TIFF; Adds ALERT_BROKEN_IMAGES scan heuristics option</td></tr>
<tr><td>Sep-2020</td><td>0.103.0</td><td>120</td><td>FUNC_LEVEL_0103</td><td>9:05:00</td><td>9.0.5</td><td>2:01:00</td><td>2.0.1</td><td>Add CL_TYPE_PNG, CL_TYPE_GIF; Add XLM macro detection; Add bzip2 & LZMA decompression functions to bytecode API</td></tr>
<tr><td>Jul-2020</td><td>0.102.4</td><td>115</td><td>FUNC_LEVEL_0102_4</td><td>9:04:00</td><td>9.0.4</td><td>2:00:00</td><td>2.0.0</td><td>Security fixes</td></tr>
<tr><td>May-2020</td><td>0.102.3</td><td>114</td><td>FUNC_LEVEL_0102_3</td><td>9:04:00</td><td>9.0.4</td><td>2:00:00</td><td>2.0.0</td><td>Security fixes</td></tr>
<tr><td>Feb-2020</td><td>0.102.2</td><td>113</td><td>FUNC_LEVEL_0102_2</td><td>9:04:00</td><td>9.0.4</td><td>2:00:00</td><td>2.0.0</td><td>Security fixes</td></tr>
<tr><td>Nov-2019</td><td>0.102.1</td><td>112</td><td>FUNC_LEVEL_0102_1</td><td>9:04:00</td><td>9.0.4</td><td>2:00:00</td><td>2.0.0</td><td>Security fixes; Significant load time improvement for LDBs with common pattern prefixes</td></tr>
<tr><td>Oct-2019</td><td>0.102.0</td><td>110</td><td>FUNC_LEVEL_0102</td><td>9:04:00</td><td>9.0.4</td><td>2:00:00</td><td>2.0.0</td><td>BytecodeKind: BC_ELF_UNPACKER, BC_MACHO_UNPACKER; Add CL_TYPE_EGG/CL_TYPE_EGG_SFX; Added scan time limit</td></tr>
<tr><td>Nov-2019</td><td>0.101.5</td><td>106</td><td>FUNC_LEVEL_0101_5</td><td>9:04:00</td><td>9.0.4</td><td></td><td></td><td>Security fixes; Significant load time improvement for LDBs with common pattern prefixes</td></tr>
<tr><td>Aug-2019</td><td>0.101.4</td><td>105</td><td>FUNC_LEVEL_0101_4</td><td>9:04:00</td><td>9.0.4</td><td></td><td></td><td>Security fixes; Added scan time limit, bzip vuln fix</td></tr>
<tr><td>Aug-2019</td><td>0.101.3</td><td>102</td><td>FUNC_LEVEL_0101_3</td><td>9:03:00</td><td>9.0.3</td><td></td><td></td><td>Security fixes; Flevel not incremented (whoops)</td></tr>
<tr><td>Mar-2019</td><td>0.101.2</td><td>102</td><td>FUNC_LEVEL_0101_2</td><td>9:02:00</td><td>9.0.2</td><td></td><td></td><td>Security fixes; Flevel not incremented (whoops)</td></tr>
<tr><td>Jan-2019</td><td>0.101.1</td><td>102</td><td>FUNC_LEVEL_0101_1</td><td>9:01:00</td><td>9.0.1</td><td></td><td></td><td>Fix to clamav.h header; Adds clamav-types.h</td></tr>
<tr><td>Dec-2018</td><td>0.101.0</td><td>100</td><td>FUNC_LEVEL_0101</td><td>9:00:00</td><td>9.0.0</td><td></td><td></td><td>Non-backwards compatible API/ABI change: Added filename to scanfile & scandesc, and scan options became a struct; RAR5 Support; Byte-Compare Subsigs; Add CL_TYPE_LNK</td></tr>
<tr><td>Mar-2019</td><td>0.100.3</td><td>94</td><td>FUNC_LEVEL_0100_3</td><td>8:02:01</td><td>7.1.2</td><td></td><td></td><td>Security fixes</td></tr>
<tr><td>Sep-2018</td><td>0.100.2</td><td>93</td><td>FUNC_LEVEL_0100_2</td><td>8:01:01</td><td>7.1.1</td><td></td><td></td><td>Security fixes; Some lenience changes to FreshClam</td></tr>
<tr><td>Jun-2018</td><td>0.100.1</td><td>92</td><td>FUNC_LEVEL_0100_1</td><td>8:01:01</td><td>7.1.1</td><td></td><td></td><td>Security fixes; Add support for HTTPS in ClamSubmit</td></tr>
<tr><td>Mar-2018</td><td>0.100.0</td><td>90</td><td>FUNC_LEVEL_0100</td><td>8:01:01</td><td>7.1.1</td><td></td><td></td><td>Feature release 2 years in dev't; Many improvements; Notably Container/Intermediates changes; Changes to wildcard signatures</td></tr>
<tr><td>Mar-2018</td><td>0.99.4</td><td>85</td><td>FUNC_LEVEL_099_4</td><td>8:01:01</td><td>7.1.1</td><td></td><td></td><td>Security fixes; Other important bug fixes</td></tr>
<tr><td>Jan-2018</td><td>0.99.3</td><td>84</td><td>FUNC_LEVEL_099_3</td><td>8:01:01</td><td>7.1.1</td><td></td><td></td><td>Security fixes; Minor bug fixes</td></tr>
<tr><td>May-2016</td><td>0.99.2</td><td>82</td><td>FUNC_LEVEL_099_2</td><td>8:01:01</td><td>7.1.1</td><td></td><td></td><td>Various bug fixes</td></tr>
<tr><td>Mar-2016</td><td>0.99.1</td><td>82</td><td>FUNC_LEVEL_099_1</td><td>8:01:01</td><td>7.1.1</td><td></td><td></td><td>Security fixes; HWP support</td></tr>
<tr><td>Dec-2015</td><td>0.99.0</td><td>81</td><td>FUNC_LEVEL_099</td><td>8:01:01</td><td>7.1.1</td><td></td><td></td><td>Add Yara and PCRE support; Add 'other' targets type (14) for non-listed target types; Improved on-access scanning.</td></tr>
<tr><td>Apr-2015</td><td>0.98.7</td><td>80</td><td>FUNC_LEVEL_098_7</td><td>7:26:01</td><td>6.1.26</td><td></td><td></td><td>Security fixes; MSXML & PDF fixes</td></tr>
<tr><td>Jan-2016</td><td>0.98.6</td><td>79</td><td>FUNC_LEVEL_098_6</td><td>7:25:01</td><td>6.1.25</td><td></td><td></td><td>Security fixes; Other bug fixes</td></tr>
<tr><td>Nov-2014</td><td>0.98.5</td><td>79</td><td>FUNC_LEVEL_098_5</td><td>7:22:01</td><td>6.1.22</td><td></td><td></td><td>Added internal target type (13); File properties JSON output.</td></tr>
<tr><td>Jun-2014</td><td>0.98.4</td><td>77</td><td>FUNC_LEVEL_098_4</td><td>7:23:01</td><td>6.1.23</td><td></td><td></td><td></td></tr>
<tr><td>May-2014</td><td>0.98.3</td><td>77</td><td>FUNC_LEVEL_098_3</td><td>7:22:01</td><td>6.1.22</td><td></td><td></td><td></td></tr>
<tr><td>May-2014</td><td>0.98.2</td><td>77</td><td>FUNC_LEVEL_098_2</td><td>7:22:01</td><td>6.1.22</td><td></td><td></td><td>Add engine_options bit field (and DisableCache option); Add stats callbacks and callback context</td></tr>
<tr><td>Jan-2014</td><td>0.98.1</td><td>76</td><td>FUNC_LEVEL_098_1</td><td>7:20:01</td><td>6.1.20</td><td></td><td></td><td>Added XZ support and ForceToDisk scan option; Added Libxml2 dependency + XAR, DMG, HFS+/HFSX support; Added FTM type 4 (for in-buffer partition magic, analogous to type 0 for files)</td></tr>
<tr><td>Sep-2013</td><td>0.98.0</td><td>74</td><td>FUNC_LEVEL_098</td><td>7:18:01</td><td>6.1.18</td><td></td><td></td><td>Add Target-Types 10 - 13 (PDF, FLASH, JAVA, and INTERNAL); Introduced all-scan options; SWF and Java targets (11 & 12); Introduced with "SE" offset modifier; Introduced with ISO9660 scanning support; Add wild card bracket notation{} for body-based signatures; Disable SWF parser</td></tr>
<tr><td>Apr-2013</td><td>0.97.8</td><td>69</td><td>FUNC_LEVEL_097_8</td><td>7:17:01</td><td>6.1.17</td><td></td><td></td><td>Security fixes</td></tr>
<tr><td>Mar-2013</td><td>0.97.7</td><td>68</td><td>FUNC_LEVEL_097_7</td><td>7:16:01</td><td>6.1.16</td><td></td><td></td><td>Security fixes</td></tr>
<tr><td>Sep-2012</td><td>0.97.6</td><td>67</td><td>FUNC_LEVEL_097_6</td><td>7:15:01</td><td>6.1.15</td><td></td><td></td><td>Fixed error-handling issues</td></tr>
<tr><td>Jun-2012</td><td>0.97.5</td><td>65</td><td>FUNC_LEVEL_097_5</td><td>7:14:01</td><td>6.1.14</td><td></td><td></td><td>First Sourcefire ClamAV release</td></tr>
<tr><td>Mar-2012</td><td>0.97.4</td><td>64</td><td>FUNC_LEVEL_097_4</td><td>7:13:01</td><td>6.1.13</td><td></td><td></td><td>Support comment lines in ALL DB files</td></tr>
<tr><td>Oct-2011</td><td>0.97.3</td><td>63</td><td>FUNC_LEVEL_097_3</td><td>7:12:01</td><td>6.1.12</td><td></td><td></td><td></td></tr>
<tr><td>Jul-2011</td><td>0.97.2</td><td>62</td><td>FUNC_LEVEL_097_2</td><td>7:11:01</td><td>6.1.11</td><td></td><td></td><td></td></tr>
<tr><td>Jun-2011</td><td>0.97.1</td><td>61</td><td>FUNC_LEVEL_097_1</td><td>7:10:01</td><td>6.1.10</td><td></td><td></td><td></td></tr>
<tr><td>Feb-2011</td><td>0.97.0</td><td>60</td><td>FUNC_LEVEL_097</td><td>7:09:01</td><td>6.1.9</td><td></td><td></td><td></td></tr>
<tr><td>Nov-2010</td><td>0.96.5</td><td>58</td><td>FUNC_LEVEL_096_5</td><td>7:07:01</td><td>6.1.7</td><td></td><td></td><td></td></tr>
<tr><td>Oct-2010</td><td>0.96.4</td><td>56</td><td>FUNC_LEVEL_096_4</td><td>7:06:01</td><td>6.1.6</td><td></td><td></td><td>Minimal FLEVEL allowed for all current bytecode signatures (quadratic load-time before this point)</td></tr>
<tr><td>Sep-2010</td><td>0.96.3</td><td>55</td><td>FUNC_LEVEL_096_3</td><td>7:05:01</td><td>6.1.5</td><td></td><td></td><td></td></tr>
<tr><td>Aug-2010</td><td>0.96.2</td><td>54</td><td>FUNC_LEVEL_096_2</td><td>7:04:01</td><td>6.1.4</td><td></td><td></td><td></td></tr>
<tr><td>May-2010</td><td>0.96.1</td><td>53</td><td>FUNC_LEVEL_096_1</td><td>7:03:01</td><td>6.1.3</td><td></td><td></td><td></td></tr>
<tr><td>Mar-2010</td><td>0.96</td><td>51</td><td>FUNC_LEVEL_096</td><td>7:02:01</td><td>6.1.2</td><td></td><td></td><td>Add bytecode & CDB signatures, Ignores should use IGN2 (or take name field only from IGN)</td></tr>
<tr><td>Oct-2009</td><td>0.95.3</td><td>44</td><td></td><td>6:05:00</td><td>6.0.5</td><td></td><td></td><td></td></tr>
<tr><td>Jun-2009</td><td>0.95.2</td><td>43</td><td></td><td>6:04:00</td><td>6.0.4</td><td></td><td></td><td></td></tr>
<tr><td>Apr-2009</td><td>0.95.1</td><td>42</td><td></td><td>6:03:00</td><td>6.0.3</td><td></td><td></td><td></td></tr>
<tr><td>Mar-2009</td><td>0.95</td><td>41</td><td></td><td>6:02:00</td><td>6.0.2</td><td></td><td></td><td>Ignores should use IGN format (including line number)</td></tr>
</tbody></table>
<hr />
<p>For more information on ClamAV file type support, see the <a href="appendix/FileTypes.html">File Types Reference</a>.</p>
</main>
<nav class="nav-wrapper" aria-label="Page navigation">
<!-- Mobile navigation buttons -->
<div style="clear: both"></div>
</nav>
</div>
</div>
<nav class="nav-wide-wrapper" aria-label="Page navigation">
</nav>
</div>
<script type="text/javascript">
window.playground_line_numbers = true;
</script>
<script type="text/javascript">
window.playground_copyable = true;
</script>
<script src="ace.js" type="text/javascript" charset="utf-8"></script>
<script src="editor.js" type="text/javascript" charset="utf-8"></script>
<script src="mode-rust.js" type="text/javascript" charset="utf-8"></script>
<script src="theme-dawn.js" type="text/javascript" charset="utf-8"></script>
<script src="theme-tomorrow_night.js" type="text/javascript" charset="utf-8"></script>
<script src="elasticlunr.min.js" type="text/javascript" charset="utf-8"></script>
<script src="mark.min.js" type="text/javascript" charset="utf-8"></script>
<script src="searcher.js" type="text/javascript" charset="utf-8"></script>
<script src="clipboard.min.js" type="text/javascript" charset="utf-8"></script>
<script src="highlight.js" type="text/javascript" charset="utf-8"></script>
<script src="book.js" type="text/javascript" charset="utf-8"></script>
<!-- Custom JS scripts -->
<script type="text/javascript">
window.addEventListener('load', function() {
MathJax.Hub.Register.StartupHook('End', function() {
window.setTimeout(window.print, 100);
});
});
</script>
</body>
</html>
OHA YOOOO