Skip to content

Latest commit

 

History

History

ClamAV

Folders and files

NameName
Last commit message
Last commit date

parent directory

..
signatures
signatures
 
 
COPYING
COPYING
 
 
ClamAV_All_signatures_list.csv
ClamAV_All_signatures_list.csv
 
 
ClamAV_category_signature_list.csv
ClamAV_category_signature_list.csv
 
 
README.md
README.md
 
 
daily.cdb
daily.cdb
 
 
daily.cfg
daily.cfg
 
 
daily.crb
daily.crb
 
 
daily.fp
daily.fp
 
 
daily.ftm
daily.ftm
 
 
daily.hdb
daily.hdb
 
 
daily.hdu
daily.hdu
 
 
daily.hsu
daily.hsu
 
 
daily.idb
daily.idb
 
 
daily.ign
daily.ign
 
 
daily.ign2
daily.ign2
 
 
daily.info
daily.info
 
 
daily.ldu
daily.ldu
 
 
daily.mdb
daily.mdb
 
 
daily.mdu
daily.mdu
 
 
daily.msb
daily.msb
 
 
daily.msu
daily.msu
 
 
daily.ndb
daily.ndb
 
 
daily.ndu
daily.ndu
 
 
daily.pdb
daily.pdb
 
 
daily.sfp
daily.sfp
 
 
daily.wdb
daily.wdb
 
 
extract_signatures_categories.py
extract_signatures_categories.py
 
 
main.cdb
main.cdb
 
 
main.crb
main.crb
 
 
main.fp
main.fp
 
 
main.info
main.info
 
 
main.msb
main.msb
 
 
main.sfp
main.sfp
 
 

README.md

You can download the ClamAV signature databases directly from their update servers:

These .cvd files are compressed, and you can extract them using the sigtool utility, which is part of ClamAV.

Signatures Extraction on windows:

\clamav> .\clamav-1.4.0.win.x64\sigtool.exe --unpack .\main.cvd
\clamav> .\clamav-1.4.0.win.x64\sigtool.exe --unpack .\daily.cvd

image

This will extract the .ndb, .hdb, .ldb, etc., files containing the actual signatures.

  • *.ndb (e.g., daily.ndb, main.ndb)

    • These files contain standard signature definitions for ClamAV. They often include signatures for known malware in a simple text format.
    • Structure: Each line in the .ndb file contains a signature name, target file type, offset, and the signature's hexadecimal pattern.

  • *.hdb (e.g., daily.hdb, main.hdb)

    • These files contain MD5-based hash signatures. They are typically used for file-based malware detection via hash matching.
    • Structure: Each line has the hash, file size, and signature name.

  • *.ldb (e.g., daily.ldb, main.ldb)

    • These files contain logical signature definitions. These are more complex than simple hash or pattern-based signatures and can detect specific sequences of data.
    • Structure: Each line defines a logical signature that may involve conditions or sequences of bytes.

  • *.mdb (e.g., daily.mdb, main.mdb)

    • These files contain malware detection signatures that are byte sequences used by ClamAV for scanning. They are typically related to specific malware strains.
    • Structure: Byte sequences with conditions on file properties.

  • *.fp (e.g., daily.fp, main.fp)

    • These are false-positive exclusion lists. These files help ClamAV avoid flagging legitimate files as malicious.
    • Structure: Similar to other signature files but excludes specific hash signatures known to be false positives.

  • *.info (e.g., daily.info, main.info)

    • These files contain metadata about the signature databases themselves, including version information and database size. These are useful for tracking the updates and versions of the signature databases.

Github is limiting the size of files in this repo, so i am only adding the small files and the signatures names for references