17

I see that ClamAV has virus definition files which are mostly hash codes in md5, sha1, and sha256 formats, which either look at the whole file or what are called PE sections of an executable file. Of course, there are variations outside that which look for other things. However, the hashes make up the bulk of the megabytes on the virus definitions.

So how does ClamAV get these? Are there free sources on the web that we can pull these from in order to build our own antivirus software? (I'm a C++ developer, you see.)

EDIT: Clarifying more -- Surely ClamAV doesn't have a lab where they find malware and catalog these hash virus signatures, do they? Surely they use some national or international organization or company that is already doing this?

Gilles 'SO- stop being evil'
Volomike
    Sure, they do have some lab, Sourcefire (the makers of ClamAV and snort) were bought by Cisco and its Talos Group in 2013. – Daniel Ruf Dec 11 '15 at 06:48
  • Good unofficial signatures to clamav antivirus detect malware: [https://www.securiteinfo.com/](https://www.securiteinfo.com/) [https://malware.expert/signatures/](https://malware.expert/signatures/) –  Aug 29 '16 at 16:15
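Added example, not code from the question or from ClamAV itself: the whole-file hash signatures the question describes, written in the colon-separated `.hdb` (MD5) and `.hsb` (SHA1/SHA256) line format `hash:filesize:name`, plus a minimal matcher that checks a file's digest and size against such a database. The sample "files" are constructed byte strings, not real malware; the PE-section variant is not shown.

```python
import hashlib
from typing import Dict, Iterable, Optional, Tuple

# Constructed stand-ins for files on disk (not real malware).
SAMPLE_FILES = {
    "dropper.exe": b"MZ\x90\x00constructed sample payload A",
    "readme.txt": b"harmless constructed text file",
}

ALGOS = ("md5", "sha1", "sha256")


def make_hdb_signature(data: bytes, name: str) -> str:
    """Build a ClamAV .hdb line: MD5:filesize:malware-name (whole-file hash)."""
    return f"{hashlib.md5(data).hexdigest()}:{len(data)}:{name}"


def make_hsb_signature(data: bytes, name: str, algo: str = "sha256") -> str:
    """Build a ClamAV .hsb line: SHA1-or-SHA256:filesize:malware-name."""
    if algo not in ("sha1", "sha256"):
        raise ValueError("hsb lines carry sha1 or sha256 digests")
    return f"{hashlib.new(algo, data).hexdigest()}:{len(data)}:{name}"


def load_hash_db(lines: Iterable[str]) -> Dict[Tuple[str, str], str]:
    """Parse .hdb/.hsb lines into {(hash, size): name}.

    Blank and '#' lines are skipped; fields after the name are ignored here.
    A size of '*' is kept as the wildcard meaning 'any size'.
    """
    db: Dict[Tuple[str, str], str] = {}
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 3:
            raise ValueError(f"malformed signature line: {line!r}")
        db[(fields[0].lower(), fields[1])] = fields[2]
    return db


def scan(data: bytes, db: Dict[Tuple[str, str], str]) -> Optional[str]:
    """Return the signature name whose hash+size matches data, else None."""
    size = str(len(data))
    # Hash the file once per algorithm, then look up exact-size and '*' keys.
    for digest in (hashlib.new(a, data).hexdigest() for a in ALGOS):
        for key in ((digest, size), (digest, "*")):
            if key in db:
                return db[key]
    return None
```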

3 Answers

16

ClamAV belongs to Cisco and its Talos Group. Cisco acquired Sourcefire, the makers of Snort and ClamAV in late 2013.

http://www.cisco.com/web/about/ac49/ac0/ac1/ac259/sourcefire.html

http://www.talosintel.com/about/
http://www.cisco.com/c/en/us/products/security/talos.html


Sourcefire also belongs to Cisco: http://blog.clamav.net/2013/10/cisco-community-and-open-source.html

The signatures are on the server of ClamAV

http://www.clamwin.com/content/view/58/27/

Where can I manually download virus definition files from?

You can get the virus definitions without clamwin via http:// 

http://database.clamav.net/main.cvd
http://database.clamav.net/daily.cvd

Then copy the downloaded main.cvd and daily.cvd to your database location which is specified in the ClamWin Preferences, File Locations tab.

The default database location is: "C:\Documents and Settings\All Users\.clamwin\db"

Many big contributors are antivirus vendors and security companies: http://www.clamav.net/about#credits

Contributors

ClamAV Team

Joel Esler
Douglas Goddard
Nigel Houghton
Tom Judge
Kevin Lin
Steve Morgan
Matt Olney
Dave Raynor
Samir Sapra
Ryan Steinmetz
Dave Suffling
Matt Watchinkski
Alain Zidouemba

ClamAV QA

Erin Germ
Dragos Malene
Vijay Mistry
Matt Donnan

Talos Group

Andrea Allievi
Jonathan Arneson
Ben Baker
Nathan Benson
Andrew Blunk
Kevin Brooks
Jaime Filson
Paul Frank
Erick Galinkin
Douglas Goddard
Richard Harman, Jr.
Nicholas Herbert
Shaun Hurley
Richard Johnson
Alex Kambis
Brittany Lawler
Justin Lindsey
Chris Marczewski
Christopher Marshall
Nick Mavis
Christopher McBee
David McDaniel
Alex McDonnell
Kevin Miklavcic
Patrick Mullen
Marcin Noga
Katie Nolan
Carlos Pacho
Ryan Pentney
Nick Randolph
Marcos Rodriguez
Geoff Serrao
Brandon Stultz
Nick Suan
Emmanuel Tacheau
Melissa Taylor
Angel Villegas
Andy Walker
Alicia Willett
Yves Younan

Contributors

Aeriana, Andreas Cadhalpun, Mike Cathey, Michael Cichosz, Diego d'Ambra, Arnaud Jacques, Tomasz Papszun, Bill Parker, Robert Scroggins, Sven Strickroth, Trog, Steve Basford, Dennis de Messemacker, Jason Englander, Thomas Lamy, Thomas Masden, Boguslaw Brandys, Anthony Havé, Andreas Faust, Sebastian Andrzej Siewior

ClamAV Emeritus

Luca Gibelli, Török Edvin, Tomasz Kojm, Alberto Wu, Nigel Horne

Each update contains information about the sender, some mention Virus Total, VRT Sandbox and others.

Generally antivirus vendors, security researchers and contributors collaborate and share samples.

http://lists.clamav.net/pipermail/clamav-virusdb/
http://lists.clamav.net/pipermail/clamav-virusdb/2015-December/002519.html

Anyone can contribute and there is also a mailing list for community contributed signatures.

http://blog.clamav.net/2014/02/introducing-clamav-community-signatures.html
http://lists.clamav.net/cgi-bin/mailman/listinfo/community-sigs

Daniel Ruf
    I think it was not the question where you can download the signatures but from what sources these signatures are generated. – Steffen Ullrich Dec 11 '15 at 06:35
  • Yes, I've seen those. I think you misunderstood, so I'll edit my question to help you. What I mean is how do the makers of ClamAV make those virus hashes in the first place? What international or national group do they use that has already catalogued these hashes so that they can include them in Clam's own virus def files? However, good information you provided for others, here. I had seen those, as well as a PDF that explains those files, and the files inside. – Volomike Dec 11 '15 at 06:36
  • 2
    Well, there is a big community with many contributors (antivirus vendors, researchers and so on). The contributors are listed here: http://www.clamav.net/about#credits – Daniel Ruf Dec 11 '15 at 06:41
  • 1
    Also Cisco and its Talos Group own Snort and ClamAV, they work with many professional security researchers and vendors and share the information. – Daniel Ruf Dec 11 '15 at 06:46
  • 1
    Basically, they create the signatures themselves in a format that the ClamAV engine needs. There are many ways how different AV vendors share samples they collect with each other. Also services like Virustotal and different sandbox services share the samples they get with AV vendors. There is not one national or international group that shares hash codes, there are many such groups/agreements how vendors share samples. Also they share SAMPLES, which means the actual executables. For obvious reasons it's not easy to get those samples as some random unknown guy. – Josef Dec 11 '15 at 09:44
  • Exactly. I added some information in my answer about this. – Daniel Ruf Dec 11 '15 at 10:11
1

Users submit samples of infected files to Clam AV that are processed by Cisco/Sourcefire personnel working on the Clam AV project. Virus Total and other AV industry sources also share infected files with the Clam AV project. Finally, the Cisco/Sourcefire people share with Clam AV what they have learned on their end.

S.L. Barth
-2

Well for the signatures in my organization, they are generated using samples received on our normal email servers and also from submitted samples. Signatures and hash signatures are then generated.

schroeder