ClamWin Free Antivirus Forum Index
ClamWin Free Antivirus
Support and Discussion Forums
Reply to topic
What is the format of each files inside the CVD
garl4


Joined: 13 Apr 2017
Posts: 3
Reply with quote
Inside of each CVD (ClamAV Virus Database : http://database.clamav.net/daily.cvd) files they are a bunch of files inside what are the format for each of them ?

I've extracted these files with ;

dd if=daily.cvd of=daily.tar.gz bs=512 skip=1
tar xzvf clam.tar.gz


I've found the format for some but not for all of them for example ;

PE section based hash signatures

You can create a hash signature for a specific section in a PE file. Such signatures shall be stored inside .mdb files in the following format: PESectionSize:PESectionHash:MalwareName

*.info, *.cfg, *.ign, *.ign2, *.ftm, *.hdb, *.hdu, *.hsb, *.hsu, *.mdb, *.mdu, *.msb, *.msu, *.ndb, *.ndu, *.ldb, *.ldu, *.idb, *.fp, *.sfp, *.pdb, *.wdb, *.crb, *.cdb

do you have the "format" for all others extension ? any documentations ?

I'm just asking because I'm curious,
View user's profileSend private message
GuitarBob


Joined: 09 Jul 2006
Posts: 4213
Location: USA
Reply with quote
Check the available information about Clam AV signatures. There have been lots of articles/blogs related to this topic. ClamWin is not responsible for the Clam AV signatures--it just uses the Clam AV scan engine and signatures as they come from Clam. We really have no information about the signatures/formats.

Regards,
View user's profileSend private message
garl4


Joined: 13 Apr 2017
Posts: 3
Reply with quote
.hdb :
MD5 hash-based signatures
HashString:FileSize:MalwareName

.hsb :
SHA1 and SHA256 hash-based signatures
HashString:FileSize:MalwareName

.mdb :
PE section based hash signatures
PESectionSize:PESectionHash:MalwareName

.db :
Hexadecimal based signatures (and now deprecated)
MalwareName=HexSignature

.ndb :
Extended signature format
MalwareName:TargetType:Offset:HexSignature[:MinFL:[MaxFL]]

.ldb :
Logical signatures
SignatureName;TargetDescriptionBlock;LogicalExpression;Subsig0;Subsig1;Subsig2;...

.crb :
Trusted and Revoked Certificates
Name;Trusted;Subject;Serial;Pubkey;Exponent;CodeSign;TimeSign;CertSign;NotBefore;Comment[;minFL[;maxFL]]

.cdb :
Signatures based on container metadata
VirusName:ContainerType:ContainerSize:FileNameREGEX:FileSizeInContainer:FileSizeReal:IsEncrypted:FilePos:Res1:Res2[:MinFL[:MaxFL]]

.zmd or .rmd :
Signatures based on ZIP/RAR metadata (obsolete)
virname:encrypted:filename:normal size:csize:crc32:cmethod:fileno:max depth

.sfp :
Whitelist databases

.pwdb :
Passwords for archive files [experimental]
SignatureName;TargetDescriptionBlock;PWStorageType;Password
View user's profileSend private message
GuitarBob


Joined: 09 Jul 2006
Posts: 4213
Location: USA
Reply with quote
Thanks for the info/research. ClamWin has no control over the virus signatures--we have to take what Clam AV provides. We badly need some real heuristics for unknown malware detection, but that would mean a change in the code ported over from Clam AV, which the developers do not want to do.

Also thanks for using ClamWin!

Regards,
View user's profileSend private message
What is the format of each files inside the CVD
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
All times are GMT  
Page 1 of 1  

  
  
 Reply to topic