The extended signature format is ClamAV's most basic type of body-based signature since the deprecation of the original `.db` database format.
Extended signatures allow for specification of additional information beyond just hexadecimal content, such as a file "target type", virus offset, or engine functionality level (FLEVEL), making the detection more reliable.
The format is:
MalwareName:TargetType:Offset:HexSignature[:min_flevel:[max_flevel]]
MalwareName
: The virus name. Should conform to the standards defined here.
TargetType
: A number specifying the type of the target file: Target Types
Offset
: An asterisk or a decimal number `n` possibly combined with a special modifier:

    - `*` = any
    - `n` = absolute offset
    - `EOF-n` = end of file minus `n` bytes

    Signatures for PE, ELF and Mach-O files additionally support:

    - `EP+n` = entry point plus `n` bytes (`EP+0` for `EP`)
    - `EP-n` = entry point minus `n` bytes
    - `Sx+n` = start of section `x`'s (counted from 0) data plus `n` bytes
    - `SEx` = entire section `x` (offset must lie within section boundaries)
    - `SL+n` = start of last section plus `n` bytes

    All the above offsets except `*` can be turned into floating offsets and represented as `Offset,MaxShift` where `MaxShift` is an unsigned integer. A floating offset will match every offset between `Offset` and `Offset+MaxShift`, e.g. `10,5` will match all offsets from 10 to 15 and `EP+n,y` will match all offsets from `EP+n` to `EP+n+y`. Versions of ClamAV older than 0.91 will silently ignore the `MaxShift` extension and only use `Offset`. Optional `MinFL` and `MaxFL` parameters can restrict the signature to specific engine releases. All signatures in the extended format must be placed inside `*.ndb` files.
HexSignature
: The body-based content matching format.
min_flevel
: (optional) The minimum ClamAV engine that the file type signature works with. See the FLEVEL reference for details. To be used in the event that file type support has been recently added.
max_flevel
: (optional, requires `min_flevel`) The maximum ClamAV engine that the file type signature works with. To be used in the event that file type support has been recently removed.
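
The field layout and offset grammar above can be checked before a `.ndb` file is deployed. The validator below is an added example, not ClamAV's own parser; `parse_ndb_line`, `NdbSig` and the sample signature lines are constructed for illustration, and the HexSignature body is passed through without validation.

```python
import re
from typing import NamedTuple, Optional

# Offset grammar as listed on this page: *, n, EOF-n, EP+n, EP-n, Sx+n, SEx, SL+n,
# each (except *) optionally followed by ",MaxShift" to make it a floating offset.
_OFFSET = re.compile(
    r"^(?:(?P<any>\*)"
    r"|(?P<base>\d+|EOF-\d+|EP[+-]\d+|S\d+\+\d+|SE\d+|SL\+\d+)"
    r"(?:,(?P<shift>\d+))?)$"
)
_EXEC_ONLY = re.compile(r"^(?:EP|S)")  # EP, Sx, SEx, SL: PE/ELF/Mach-O offsets


class NdbSig(NamedTuple):
    name: str
    target_type: int
    offset: str
    max_shift: Optional[int]    # None when the offset is not floating
    exec_only: bool             # True if the offset needs an executable target
    hex_sig: str                # body-based content, not validated here
    min_flevel: Optional[int]
    max_flevel: Optional[int]


def parse_ndb_line(line: str) -> NdbSig:
    """Split one extended-format line and validate everything but the hex body."""
    fields = line.strip().split(":")
    if not 4 <= len(fields) <= 6:
        raise ValueError("expected 4 to 6 colon-separated fields")
    name, ttype, offset, hex_sig = fields[:4]
    if not name or not ttype.isdigit() or not hex_sig:
        raise ValueError("empty name/signature or non-numeric TargetType")
    m = _OFFSET.match(offset)
    if m is None:
        raise ValueError(f"bad offset {offset!r}")
    # Pad so a missing or empty trailing FLEVEL field becomes None.
    flevels = [int(f) if f else None for f in fields[4:]] + [None, None]
    if flevels[1] is not None and flevels[0] is None:
        raise ValueError("max_flevel requires min_flevel")
    base = m.group("any") or m.group("base")
    shift = int(m.group("shift")) if m.group("shift") else None
    return NdbSig(name, int(ttype), base, shift,
                  bool(_EXEC_ONLY.match(base)), hex_sig, flevels[0], flevels[1])


if __name__ == "__main__":
    # Constructed sample lines, not real signatures.
    for sample in ("Constructed.Sample-1:1:EP+0,16:deadbeef:51:255",
                   "Constructed.Sample-2:0:*:cafebabe"):
        print(parse_ndb_line(sample))
```

A line that passes here can still be rejected by ClamAV if the HexSignature field is malformed, so this check complements, rather than replaces, loading the database with the engine.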