The tool freshclam is used to download and update ClamAV's official virus signature databases. While easy to use in its base configuration, freshclam does require a working freshclam.conf configuration file to run (the location of which can be passed in via the command line if the default search location does not fit your needs).
Once you have a valid configuration file, you can invoke freshclam with the following command:
$ freshclam
By default, freshclam will then attempt to connect to ClamAV's virus signature database distribution network. If no databases exist in the directory specified, freshclam will do a fresh download of the requested databases. Otherwise, freshclam will attempt to update the existing databases incrementally by applying the downloaded cdiff files. If a database is found to be corrupted, it is not updated and is instead replaced with a fresh download.
Of course, all of this behaviour, and more, can be changed to suit your needs by modifying freshclam.conf and/or using various command line options.
You can find more information about freshclam with the commands:
$ man freshclam
and
$ freshclam --help
ClamAV provides sigtool as a command-line testing tool for assisting users in their efforts creating and working with virus signatures. While sigtool has many uses, including crafting signatures, of particular note is sigtool's ability to help users and analysts determine whether a file detected by libclamav's virus signatures is a false positive.
This can be accomplished by using the command:
$ sigtool --unpack=FILE
Where FILE points to your virus signature database. Then, once sigtool has finished unpacking the database into the directory from which you ran the command, you can search for the offending signature name (provided either by clamscan scan reports or clamd logs). As an example:
$ grep "Win.Test.EICAR" ./*
Or, do all that in one step with:
$ sigtool --find="Win.Test.EICAR"
This should give you the offending signature(s) in question, which can then be included as part of your false positive report.
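The lookup described above, as an added example that is not part of the ClamAV project: given a directory that sigtool --unpack has already written, it finds every signature with the given name and splits each hit into fields (following ClamAV's documented .hdb, .ndb and .ldb line layouts) so the false positive report can quote the signature body rather than just its name. The sample database lines and the build_sample_dir helper are constructed stand-ins for real unpacked databases.

```python
# Added example, not ClamAV code: locate a named signature in files produced by
# `sigtool --unpack` and parse each hit by database type.
import os
import tempfile

# Field layouts per extension (hdb: hash:size:name, ndb: name:type:offset:hex,
# ldb: name;target-description;logical-expression;subsig0;subsig1;...).
LAYOUTS = {
    ".hdb": (":", ["hash", "size", "name"]),
    ".ndb": (":", ["name", "target_type", "offset", "hex"]),
    ".ldb": (";", ["name", "target_desc", "logic"]),  # rest are subsignatures
}

def parse_line(ext, line):
    sep, names = LAYOUTS[ext]
    parts = line.rstrip("\n").split(sep)
    rec = dict(zip(names, parts))
    if ext == ".ldb":
        rec["subsigs"] = parts[len(names):]
    return rec

def find_signature(unpack_dir, sig_name):
    """Return [(filename, record)] for every signature whose name matches exactly."""
    hits = []
    for fname in sorted(os.listdir(unpack_dir)):
        ext = os.path.splitext(fname)[1]
        if ext not in LAYOUTS:
            continue  # other unpacked files (.info, .cfg, .ftm, ...) are skipped here
        path = os.path.join(unpack_dir, fname)
        with open(path, encoding="utf-8", errors="replace") as fh:
            for line in fh:
                if not line.strip() or line.startswith("#"):
                    continue
                rec = parse_line(ext, line)
                if rec.get("name") == sig_name:
                    hits.append((fname, rec))
    return hits

# Constructed sample content standing in for a `sigtool --unpack` directory;
# hashes and hex bodies below are illustrative, not real ClamAV signatures.
SAMPLE_DB = {
    "main.hdb": "0123456789abcdef0123456789abcdef:68:Win.Test.EICAR_HDB-1\n",
    "main.ndb": "Win.Test.EICAR_NDB-1:0:*:58354f2150254041505b345c505a5835\n",
    "daily.ldb": "Win.Test.EICAR_LDB-1;Engine:51-255,Target:0;0;58354f2150254041\n",
}

def build_sample_dir():
    d = tempfile.mkdtemp()
    for name, body in SAMPLE_DB.items():
        with open(os.path.join(d, name), "w") as fh:
            fh.write(body)
    return d
```

For a real report, point find_signature at the directory you ran sigtool --unpack in and use the exact name from the clamscan or clamd output.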
For more in-depth information on how sigtool can be used to help create virus signatures and work with malicious (and non-malicious) files, please refer to the many online tutorials on the topic.
Otherwise, information on the available sigtool functions can be easily referenced with:
$ sigtool --help
and
$ man sigtool
clambc is Clam AntiVirus' bytecode signature testing tool. It can be used to test newly crafted bytecode signatures or to help verify that existing bytecode is executing against a sample as expected.
For more detailed help, please use:
$ man clambc
or
$ clambc --help