You can view the documentation below, or browse our GitHub Repository, where you can contribute to user manual and FAQ.

Trusted and Revoked Certificates

Clamav 0.98 checks signed PE files for certificates and verifies each certificate in the chain against a database of trusted and revoked certificates. The signature format is


where the corresponding fields are:

  • Name: name of the entry

  • Trusted: bit field, specifying whether the cert is trusted. 1 for trusted. 0 for revoked

  • Subject: sha1 of the Subject field in hex

  • Serial: the serial number as clamscan --debug --verbose reports

  • Pubkey: the public key in hex

  • Exponent: the exponent in hex. Currently ignored and hardcoded to 010001 (in hex)

  • CodeSign: bit field, specifying whether this cert can sign code. 1 for true, 0 for false

  • TimeSign: bit field. 1 for true, 0 for false

  • CertSign: bit field, specifying whether this cert can sign other certs. 1 for true, 0 for false

  • NotBefore: integer, cert should not be added before this variable. Defaults to 0 if left empty

  • Comment: comments for this entry

The signatures for certs are stored inside .crb files.