Documentation

You can view the documentation below, or browse our GitHub Repository, where you can contribute to user manual and FAQ.

General | Installing ClamAV | How to Report A Bug | Miscellaneous FAQ | ClamAV Virus Database FAQ | End of Life Policy (EOL) | Potentially Unwanted Applications (PUA) | Mailing Lists FAQ | Troubleshooting FAQ | Safebrowsing | Upgrading ClamAV | ClamAV on Microsoft Windows FAQ | Which Version of ClamAV should I use? | Uninstalling ClamAV | ClamAV Overview | Interpreting Scan Alerts FAQ | Freshclam FAQ | How do I ignore a ClamAV signature?

Manual | Clam AntiVirus User Manual

Manual | UserManual | Installing ClamAV on Unix / Linux / macOS from Source | Installing ClamAV on Windows | Introduction | LibClamAV | On-Access Scanning | Creating signatures for ClamAV | Usage | ClamAV Development

Manual | UserManual | Installation-Unix | Installation on Debian and Ubuntu Linux Distributions | Installation on macOS (Mac OS X) | Installation on Redhat and CentOS Linux Distributions

Manual | UserManual | Signatures | Trusted and Revoked Certificates | Body-based Signature Content Format | Bytecode Signatures | Signatures based on container metadata | Database Info | Dynamic Configuration (DCONF) | Passwords for archive files \[experimental\] | Extended signature format | File Type Magic | ClamAV File Types | Functionality Levels (FLEVELs) | File hash signatures | Logical signatures | PhishSigs | Using YARA rules in ClamAV | Allow list databases

Manual | UserManual | Usage | Configuration | Scanning | Signature Testing and Management

Additional | Microsoft Authenticode Signature Verification | Private Local Mirrors

Trusted and Revoked Certificates

Clamav 0.98 checks signed PE files for certificates and verifies each certificate in the chain against a database of trusted and revoked certificates. The signature format is

    Name;Trusted;Subject;Serial;Pubkey;Exponent;CodeSign;TimeSign;CertSign;
    NotBefore;Comment[;minFL[;maxFL]]

where the corresponding fields are:

  • Name: name of the entry

  • Trusted: bit field, specifying whether the cert is trusted. 1 for trusted. 0 for revoked

  • Subject: sha1 of the Subject field in hex

  • Serial: the serial number as clamscan --debug --verbose reports

  • Pubkey: the public key in hex

  • Exponent: the exponent in hex. Currently ignored and hardcoded to 010001 (in hex)

  • CodeSign: bit field, specifying whether this cert can sign code. 1 for true, 0 for false

  • TimeSign: bit field. 1 for true, 0 for false

  • CertSign: bit field, specifying whether this cert can sign other certs. 1 for true, 0 for false

  • NotBefore: integer, cert should not be added before this variable. Defaults to 0 if left empty

  • Comment: comments for this entry

The signatures for certs are stored inside .crb files.

© 2004 - 2021 Cisco and/or its affiliates. All rights reserved. | Privacy Policy | Sitemap All content on this website, unless otherwise noted, is licensed under the Creative Commons Attribution - NoDerivs License.