ClamAV 0.98 checks signed PE files for certificates and verifies each certificate in the chain against a database of trusted and revoked certificates. The signature format is:
Name;Trusted;Subject;Serial;Pubkey;Exponent;CodeSign;TimeSign;CertSign;NotBefore;Comment[;minFL[;maxFL]]
where the corresponding fields are:
Name: name of the entry
Trusted: bit field, specifying whether the cert is trusted. 1 for trusted, 0 for revoked
Subject: SHA1 of the Subject field in hex
Serial: the serial number as clamscan --debug --verbose reports
Pubkey: the public key in hex
Exponent: the exponent in hex. Currently ignored and hardcoded to 010001 (in hex)
CodeSign: bit field, specifying whether this cert can sign code. 1 for true, 0 for false
TimeSign: bit field. 1 for true, 0 for false
CertSign: bit field, specifying whether this cert can sign other certs. 1 for true, 0 for false
NotBefore: integer, cert should not be added before this variable. Defaults to 0 if left empty
Comment: comments for this entry
The signatures for certs are stored inside .crb files.
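The following parser for one .crb entry is an added example, not ClamAV's own code. It checks the field count and bit fields and applies the NotBefore default described above. The names `CrbEntry` and `parse_crb_line` are hypothetical, the sample entry is constructed, and it assumes no field contains a `;`.

```python
import re
from dataclasses import dataclass
from typing import Optional

@dataclass
class CrbEntry:
    name: str
    trusted: bool        # True = trusted, False = revoked
    subject: str         # SHA1 of the Subject field, hex
    serial: str          # kept exactly as written in the entry
    pubkey: str
    exponent: str        # kept as written; the page says it is currently ignored
    code_sign: bool
    time_sign: bool
    cert_sign: bool
    not_before: int
    comment: str
    min_fl: Optional[int] = None
    max_fl: Optional[int] = None

def _bit(label: str, value: str) -> bool:
    if value not in ("0", "1"):
        raise ValueError(f"{label} must be 0 or 1, got {value!r}")
    return value == "1"

def parse_crb_line(line: str) -> CrbEntry:
    """Parse one .crb entry (assumption: no field contains a ';')."""
    p = line.strip().split(";")
    if not 11 <= len(p) <= 13:
        raise ValueError(f"expected 11 to 13 fields, got {len(p)}")
    if not re.fullmatch(r"[0-9a-fA-F]{40}", p[2]):
        raise ValueError("Subject must be a SHA1 digest (40 hex characters)")
    if not re.fullmatch(r"[0-9a-fA-F]+", p[4]):
        raise ValueError("Pubkey must be hex")
    return CrbEntry(
        name=p[0], trusted=_bit("Trusted", p[1]), subject=p[2].lower(),
        serial=p[3], pubkey=p[4].lower(), exponent=p[5],
        code_sign=_bit("CodeSign", p[6]), time_sign=_bit("TimeSign", p[7]),
        cert_sign=_bit("CertSign", p[8]),
        not_before=int(p[9]) if p[9] else 0,   # empty NotBefore defaults to 0
        comment=p[10],
        min_fl=int(p[11]) if len(p) > 11 and p[11] else None,
        max_fl=int(p[12]) if len(p) > 12 and p[12] else None,
    )

# Constructed sample entry (not a real certificate): NotBefore empty, minFL set.
SAMPLE = ";".join(["Example-Root", "1", "ab" * 20, "cd" * 20, "c0ffee" * 8,
                   "010001", "1", "0", "1", "", "constructed sample", "80"])

if __name__ == "__main__":
    print(parse_crb_line(SAMPLE))
```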