I'm currently trying to develop an Anti-Virus Software using ANCI C and win32 API that uses the signature database file of ClamWin AV, my questions are-

1) How do I "Scan" an exe file? what should I check in the file?
2) How do I use the Virus Signature Database? In the cvd file, how are the signatures structured? I'm only scaning for exe files.

Pretty basic questions I know...but any reply will be greatly appreciated.

I think you should take a look at this example, https://github.com/vrtadmin/clamav-devel/blob/master/examples/ex1.c
It should answer most of your questions. If you are only interested in executables, you can check for MZ header (what Malwarebytes does). If you want to see the structure of ClamAV's database, I recommend you download and read this document, https://github.com/vrtadmin/clamav-devel/blob/master/docs/signatures.pdf
To unpack ClamAV's database, use "sigtool --unpack databasename.cvd". That will let you easily view their signatures. Unfortunately, I don't think there is a way to tell ClamAV to ignore certain signature types (eg. HTML/PDF/JAR/etc.)
Based on your questions, I think you should take some time to review ClamAV/ClamWin before starting on such a project.

Developing an antivirus is not easy, and developing a good antivirus is even harder. Many AV companies now use good, proven scan engines developed by other AV companies. The scan engines of Bit Defender, Kaspersky, and Avast are used by lots of other AVs.

My suggestion is to develop add-ons/snap-ins or utilities that can be used to increase user protection but will not be as difficult as developing a new AV. Example: enabling the web browser to use one of the blacklists of web sites harboring malware to keep the user from visiting "bad" sites (Malware Patrol's blacklists for example). Another nice utility would be one that "audited" the user's computer to ensure that Windows patches are up-to-date and set to automatic, and the Windows Action Center is properly configured for maximum protection.

As xqrzd said, take your time. The viruses will still be here when you are ready. Good luck.

Regards,

Thanks a ton for your quick reply guys. Well, I'm trying to develop the antivirus for my university term project and have less than a month to finish it. So my hands are pretty tied up. I'm just trying to develop a scan engine that takes a file (exe or not) and generates a signature and matches it with the database of Clamwin.

However, I checked the example (ex1.c), but it generates couple of errors:


--------------------Configuration: ex1 - Win32 Debug--------------------
Linking...
ex1.obj : error LNK2001: unresolved external symbol _cl_scandesc
ex1.obj : error LNK2001: unresolved external symbol _cl_engine_compile
ex1.obj : error LNK2001: unresolved external symbol _cl_engine_free
ex1.obj : error LNK2001: unresolved external symbol _cl_load
ex1.obj : error LNK2001: unresolved external symbol _cl_retdbdir
ex1.obj : error LNK2001: unresolved external symbol _cl_engine_new
ex1.obj : error LNK2001: unresolved external symbol _cl_strerror
ex1.obj : error LNK2001: unresolved external symbol _cl_init
Debug/ex1.exe : fatal error LNK1120: 8 unresolved externals
Error executing link.exe.

ex1.exe - 9 error(s), 0 warning(s)
//---------------------------------------------------------------------------------------------------

I'm using Visual C++6 btw. Also, Is there a sigtool.exe? because I could not compile the sigtool.c, tons of error:

--------------------Configuration: sigtool - Win32 Debug--------------------
Compiling...
sigtool.c
c:\program files (x86)\microsoft visual studio\vc98\include\dirent.h(874) : warning C4013: '_set_errno' undefined; assuming extern returning int
d:\compressed\clamav-0.97.7.tar\clamav-0.97.7\libclamav\uniq.h(30) : error C2061: syntax error : identifier 'uint32_t'
d:\compressed\clamav-0.97.7.tar\clamav-0.97.7\libclamav\uniq.h(33) : error C2059: syntax error : '}'
d:\compressed\clamav-0.97.7.tar\clamav-0.97.7\libclamav\uniq.h(37) : error C2061: syntax error : identifier 'uint32_t'
d:\compressed\clamav-0.97.7.tar\clamav-0.97.7\libclamav\uniq.h(3 : error C2061: syntax error : identifier 'idx'
d:\compressed\clamav-0.97.7.tar\clamav-0.97.7\libclamav\uniq.h(3 : error C2059: syntax error : ';'
d:\compressed\clamav-0.97.7.tar\clamav-0.97.7\libclamav\uniq.h(3 : error C2059: syntax error : '['
d:\compressed\clamav-0.97.7.tar\clamav-0.97.7\libclamav\uniq.h(39) : error C2059: syntax error : '}'
d:\compressed\clamav-0.97.7.tar\clamav-0.97.7\libclamav\uniq.h(43) : error C2061: syntax error : identifier 'uniq_add'
d:\compressed\clamav-0.97.7.tar\clamav-0.97.7\libclamav\uniq.h(43) : error C2059: syntax error : ';'
d:\compressed\clamav-0.97.7.tar\clamav-0.97.7\libclamav\uniq.h(43) : error C2059: syntax error : 'type'
d:\compressed\clamav-0.97.7.tar\clamav-0.97.7\libclamav\uniq.h(44) : error C2061: syntax error : identifier 'uniq_get'
d:\compressed\clamav-0.97.7.tar\clamav-0.97.7\libclamav\uniq.h(44) : error C2059: syntax error : ';'
d:\compressed\clamav-0.97.7.tar\clamav-0.97.7\libclamav\uniq.h(44) : error C2059: syntax error : 'type'
d:\compressed\clamav-0.97.7.tar\clamav-0.97.7\libclamav\clamav.h(178) : error C2632: 'long' followed by 'long' is illegal
d:\compressed\clamav-0.97.7.tar\clamav-0.97.7\libclamav\clamav.h(180) : error C2632: 'long' followed by 'long' is illegal
d:\compressed\clamav-0.97.7.tar\clamav-0.97.7\libclamav\clamav.h(270) : error C2632: 'long' followed by 'long' is illegal
d:\compressed\clamav-0.97.7.tar\clamav-0.97.7\libclamav\fmap.h(47) : error C2061: syntax error : identifier 'uint32_t'
d:\compressed\clamav-0.97.7.tar\clamav-0.97.7\libclamav\fmap.h(4 : error C2059: syntax error : '}'
d:\compressed\clamav-0.97.7.tar\clamav-0.97.7\libclamav\fmap.h(50) : error C2143: syntax error : missing '{' before '*'
d:\compressed\clamav-0.97.7.tar\clamav-0.97.7\libclamav\fmap.h(51) : error C2143: syntax error : missing '{' before '*'
d:\compressed\clamav-0.97.7.tar\clamav-0.97.7\libclamav\fmap.h(52) : error C2143: syntax error : missing ')' before '*'
d:\compressed\clamav-0.97.7.tar\clamav-0.97.7\libclamav\fmap.h(52) : error C2143: syntax error : missing '{' before '*'
d:\compressed\clamav-0.97.7.tar\clamav-0.97.7\libclamav\fmap.h(52) : error C2059: syntax error : ')'
d:\compressed\clamav-0.97.7.tar\clamav-0.97.7\libclamav\fmap.h(53) : error C2143: syntax error : missing ')' before '*'
d:\compressed\clamav-0.97.7.tar\clamav-0.97.7\libclamav\fmap.h(53) : error C2143: syntax error : missing '{' before '*'
d:\compressed\clamav-0.97.7.tar\clamav-0.97.7\libclamav\fmap.h(53) : warning C4142: benign redefinition of type
d:\compressed\clamav-0.97.7.tar\clamav-0.97.7\libclamav\fmap.h(53) : error C2370: 'size_t' : redefinition; different storage class
c:\program files (x86)\microsoft visual studio\vc98\include\stdio.h(70) : see declaration of 'size_t'
d:\compressed\clamav-0.97.7.tar\clamav-0.97.7\libclamav\fmap.h(53) : error C2146: syntax error : missing ';' before identifier 'at'
d:\compressed\clamav-0.97.7.tar\clamav-0.97.7\libclamav\fmap.h(53) : error C2059: syntax error : 'type'
d:\compressed\clamav-0.97.7.tar\clamav-0.97.7\libclamav\fmap.h(53) : error C2059: syntax error : ')'
d:\compressed\clamav-0.97.7.tar\clamav-0.97.7\libclamav\fmap.h(54) : error C2143: syntax error : missing ')' before '*'
d:\compressed\clamav-0.97.7.tar\clamav-0.97.7\libclamav\fmap.h(54) : error C2143: syntax error : missing '{' before '*'
d:\compressed\clamav-0.97.7.tar\clamav-0.97.7\libclamav\fmap.h(54) : warning C4142: benign redefinition of type
d:\compressed\clamav-0.97.7.tar\clamav-0.97.7\libclamav\fmap.h(54) : error C2370: 'size_t' : redefinition; different storage class
c:\program files (x86)\microsoft visual studio\vc98\include\stdio.h(70) : see declaration of 'size_t'
d:\compressed\clamav-0.97.7.tar\clamav-0.97.7\libclamav\fmap.h(54) : error C2146: syntax error : missing ';' before identifier 'at'
d:\compressed\clamav-0.97.7.tar\clamav-0.97.7\libclamav\fmap.h(54) : error C2059: syntax error : 'type'
d:\compressed\clamav-0.97.7.tar\clamav-0.97.7\libclamav\fmap.h(54) : error C2059: syntax error : ')'
d:\compressed\clamav-0.97.7.tar\clamav-0.97.7\libclamav\fmap.h(55) : error C2143: syntax error : missing ')' before '*'
d:\compressed\clamav-0.97.7.tar\clamav-0.97.7\libclamav\fmap.h(55) : error C2143: syntax error : missing '{' before '*'
d:\compressed\clamav-0.97.7.tar\clamav-0.97.7\libclamav\fmap.h(55) : error C2059: syntax error : 'type'
d:\compressed\clamav-0.97.7.tar\clamav-0.97.7\libclamav\fmap.h(55) : error C2059: syntax error : ')'
d:\compressed\clamav-0.97.7.tar\clamav-0.97.7\libclamav\fmap.h(56) : error C2143: syntax error : missing ')' before '*'
d:\compressed\clamav-0.97.7.tar\clamav-0.97.7\libclamav\fmap.h(56) : error C2143: syntax error : missing '{' before '*'
d:\compressed\clamav-0.97.7.tar\clamav-0.97.7\libclamav\fmap.h(56) : error C2059: syntax error : 'type'
d:\compressed\clamav-0.97.7.tar\clamav-0.97.7\libclamav\fmap.h(56) : error C2059: syntax error : ')'
d:\compressed\clamav-0.97.7.tar\clamav-0.97.7\libclamav\fmap.h(57) : error C2143: syntax error : missing ')' before '*'
d:\compressed\clamav-0.97.7.tar\clamav-0.97.7\libclamav\fmap.h(57) : error C2143: syntax error : missing '{' before '*'
d:\compressed\clamav-0.97.7.tar\clamav-0.97.7\libclamav\fmap.h(57) : warning C4142: benign redefinition of type
d:\compressed\clamav-0.97.7.tar\clamav-0.97.7\libclamav\fmap.h(57) : error C2370: 'size_t' : redefinition; different storage class
c:\program files (x86)\microsoft visual studio\vc98\include\stdio.h(70) : see declaration of 'size_t'
d:\compressed\clamav-0.97.7.tar\clamav-0.97.7\libclamav\fmap.h(57) : error C2146: syntax error : missing ';' before identifier 'at'
d:\compressed\clamav-0.97.7.tar\clamav-0.97.7\libclamav\fmap.h(57) : error C2059: syntax error : 'type'
d:\compressed\clamav-0.97.7.tar\clamav-0.97.7\libclamav\fmap.h(57) : error C2059: syntax error : ')'
d:\compressed\clamav-0.97.7.tar\clamav-0.97.7\libclamav\fmap.h(5 : error C2143: syntax error : missing ')' before '*'
d:\compressed\clamav-0.97.7.tar\clamav-0.97.7\libclamav\fmap.h(5 : error C2143: syntax error : missing '{' before '*'
d:\compressed\clamav-0.97.7.tar\clamav-0.97.7\libclamav\fmap.h(5 : error C2059: syntax error : 'type'
d:\compressed\clamav-0.97.7.tar\clamav-0.97.7\libclamav\fmap.h(5 : error C2059: syntax error : ')'
d:\compressed\clamav-0.97.7.tar\clamav-0.97.7\libclamav\fmap.h(59) : error C2143: syntax error : missing ')' before '*'
d:\compressed\clamav-0.97.7.tar\clamav-0.97.7\libclamav\fmap.h(59) : error C2143: syntax error : missing '{' before '*'
d:\compressed\clamav-0.97.7.tar\clamav-0.97.7\libclamav\fmap.h(59) : error C2059: syntax error : 'type'
d:\compressed\clamav-0.97.7.tar\clamav-0.97.7\libclamav\fmap.h(59) : error C2059: syntax error : ')'
d:\compressed\clamav-0.97.7.tar\clamav-0.97.7\libclamav\fmap.h(60) : error C2143: syntax error : missing ')' before '*'
d:\compressed\clamav-0.97.7.tar\clamav-0.97.7\libclamav\fmap.h(60) : error C2143: syntax error : missing '{' before '*'
d:\compressed\clamav-0.97.7.tar\clamav-0.97.7\libclamav\fmap.h(60) : error C2059: syntax error : 'type'
d:\compressed\clamav-0.97.7.tar\clamav-0.97.7\libclamav\fmap.h(60) : error C2059: syntax error : ')'
d:\compressed\clamav-0.97.7.tar\clamav-0.97.7\libclamav\fmap.h(61) : error C2143: syntax error : missing ')' before '*'
d:\compressed\clamav-0.97.7.tar\clamav-0.97.7\libclamav\fmap.h(61) : error C2143: syntax error : missing '{' before '*'
d:\compressed\clamav-0.97.7.tar\clamav-0.97.7\libclamav\fmap.h(61) : warning C4142: benign redefinition of type
d:\compressed\clamav-0.97.7.tar\clamav-0.97.7\libclamav\fmap.h(61) : error C2370: 'size_t' : redefinition; different storage class
c:\program files (x86)\microsoft visual studio\vc98\include\stdio.h(70) : see declaration of 'size_t'
d:\compressed\clamav-0.97.7.tar\clamav-0.97.7\libclamav\fmap.h(61) : error C2146: syntax error : missing ';' before identifier 'at'
d:\compressed\clamav-0.97.7.tar\clamav-0.97.7\libclamav\fmap.h(61) : error C2059: syntax error : 'type'
d:\compressed\clamav-0.97.7.tar\clamav-0.97.7\libclamav\fmap.h(61) : error C2059: syntax error : ')'
d:\compressed\clamav-0.97.7.tar\clamav-0.97.7\libclamav\fmap.h(62) : error C2143: syntax error : missing ')' before '*'
d:\compressed\clamav-0.97.7.tar\clamav-0.97.7\libclamav\fmap.h(62) : error C2143: syntax error : missing '{' before '*'
d:\compressed\clamav-0.97.7.tar\clamav-0.97.7\libclamav\fmap.h(62) : error C2059: syntax error : 'type'
d:\compressed\clamav-0.97.7.tar\clamav-0.97.7\libclamav\fmap.h(62) : error C2059: syntax error : ')'
d:\compressed\clamav-0.97.7.tar\clamav-0.97.7\libclamav\filetypes.h(92) : error C2061: syntax error : identifier 'uint32_t'
d:\compressed\clamav-0.97.7.tar\clamav-0.97.7\libclamav\filetypes.h(96) : error C2061: syntax error : identifier 'length'
d:\compressed\clamav-0.97.7.tar\clamav-0.97.7\libclamav\filetypes.h(96) : error C2059: syntax error : ';'
d:\compressed\clamav-0.97.7.tar\clamav-0.97.7\libclamav\filetypes.h(97) : error C2059: syntax error : '}'
d:\compressed\clamav-0.97.7.tar\clamav-0.97.7\libclamav\filetypes.h(109) : error C2143: syntax error : missing ')' before '*'
d:\compressed\clamav-0.97.7.tar\clamav-0.97.7\libclamav\filetypes.h(109) : error C2143: syntax error : missing '{' before '*'
d:\compressed\clamav-0.97.7.tar\clamav-0.97.7\libclamav\filetypes.h(109) : error C2059: syntax error : 'type'
d:\compressed\clamav-0.97.7.tar\clamav-0.97.7\libclamav\filetypes.h(109) : error C2059: syntax error : ')'
d:\compressed\clamav-0.97.7.tar\clamav-0.97.7\libclamav\sha256.h(40) : error C2061: syntax error : identifier 'uint64_t'
d:\compressed\clamav-0.97.7.tar\clamav-0.97.7\libclamav\sha256.h(41) : error C2061: syntax error : identifier 'hash'
d:\compressed\clamav-0.97.7.tar\clamav-0.97.7\libclamav\sha256.h(41) : error C2059: syntax error : ';'
d:\compressed\clamav-0.97.7.tar\clamav-0.97.7\libclamav\sha256.h(41) : error C2059: syntax error : '['
d:\compressed\clamav-0.97.7.tar\clamav-0.97.7\libclamav\sha256.h(42) : error C2061: syntax error : identifier 'bufferLength'
d:\compressed\clamav-0.97.7.tar\clamav-0.97.7\libclamav\sha256.h(42) : error C2059: syntax error : ';'
d:\compressed\clamav-0.97.7.tar\clamav-0.97.7\libclamav\sha256.h(44) : error C2061: syntax error : identifier 'uint32_t'
d:\compressed\clamav-0.97.7.tar\clamav-0.97.7\libclamav\sha256.h(46) : error C2059: syntax error : '}'
d:\compressed\clamav-0.97.7.tar\clamav-0.97.7\libclamav\sha256.h(50) : error C2059: syntax error : '}'
d:\compressed\clamav-0.97.7.tar\clamav-0.97.7\libclamav\sha256.h(59) : error C2146: syntax error : missing ')' before identifier 'len'
d:\compressed\clamav-0.97.7.tar\clamav-0.97.7\libclamav\sha256.h(59) : error C2081: 'uint32_t' : name in formal parameter list illegal
d:\compressed\clamav-0.97.7.tar\clamav-0.97.7\libclamav\sha256.h(59) : error C2061: syntax error : identifier 'len'
d:\compressed\clamav-0.97.7.tar\clamav-0.97.7\libclamav\sha256.h(59) : error C2059: syntax error : ';'
d:\compressed\clamav-0.97.7.tar\clamav-0.97.7\libclamav\sha256.h(59) : error C2059: syntax error : ')'
d:\compressed\clamav-0.97.7.tar\clamav-0.97.7\libclamav\cvd.h(37) : error C2079: 'sha256ctx' uses undefined struct '_SHA256Context'
d:\compressed\clamav-0.97.7.tar\clamav-0.97.7\libclamav\dconf.h(34) : error C2061: syntax error : identifier 'uint32_t'
d:\compressed\clamav-0.97.7.tar\clamav-0.97.7\libclamav\dconf.h(35) : error C2061: syntax error : identifier 'elf'
d:\compressed\clamav-0.97.7.tar\clamav-0.97.7\libclamav\dconf.h(35) : error C2059: syntax error : ';'
d:\compressed\clamav-0.97.7.tar\clamav-0.97.7\libclamav\dconf.h(36) : error C2061: syntax error : identifier 'macho'
d:\compressed\clamav-0.97.7.tar\clamav-0.97.7\libclamav\dconf.h(36) : error C2059: syntax error : ';'
d:\compressed\clamav-0.97.7.tar\clamav-0.97.7\libclamav\dconf.h(37) : error C2061: syntax error : identifier 'archive'
d:\compressed\clamav-0.97.7.tar\clamav-0.97.7\libclamav\dconf.h(37) : error C2059: syntax error : ';'
d:\compressed\clamav-0.97.7.tar\clamav-0.97.7\libclamav\dconf.h(37) : fatal error C1003: error count exceeds 100; stopping compilation
Error executing cl.exe.

sigtool.exe - 102 error(s), 5 warning(s)

I'm afraid we can't give much help. The Clam AV scan engine has been around a long time now, and I suggest that you do some searching on the web. It has been used in several AVs.

Regards,

Hi,
ClamAV's Win32 project is not configured for MS VC++ 6. Use Visual Studio 2010. Read instructions here: https://github.com/vrtadmin/clamav-devel/tree/master/win32
cl_scanfile() is all you need, pass in a file and it will tell you if it matches any signatures. You don't need to match signatures yourself, that is the entire purpose of ClamAV.

Note that Visual Studio 2005 (8.0) and 2008 (9.0) should work too.
By the way, ClamWin 0.97.8 is out... and yes there is a sigtool.exe!

Thanks for the great reply's, took a while to get VS 10 SP1 running properly :P

Well, now it compiles right. But in order to use cl_scanfile(), which files should I include in my projects? how will it communicate with the update files (main.cvd)?

Look at the example I gave, it goes through loading the database and scanning a file. Include clamav.h, and link against libclamav.lib.

yes, i went through the example. Looks like it's not fully compatible with windows as it includes the unistd.h header file. Replacing it with some makeshift declarations, i tried to run the ex1.c independently (without installing clamwin av), but it still generates same errors:


--------------------Configuration: ex1 - Win32 Debug-------------------- Linking... ex1.obj : error LNK2001: unresolved external symbol _cl_scandesc ex1.obj : error LNK2001: unresolved external symbol _cl_engine_compile ex1.obj : error LNK2001: unresolved external symbol _cl_engine_free ex1.obj : error LNK2001: unresolved external symbol _cl_load ex1.obj : error LNK2001: unresolved external symbol _cl_retdbdir ex1.obj : error LNK2001: unresolved external symbol _cl_engine_new ex1.obj : error LNK2001: unresolved external symbol _cl_strerror ex1.obj : error LNK2001: unresolved external symbol _cl_init Debug/ex1.exe : fatal error LNK1120: 8 unresolved externals Error executing link.exe. ex1.exe - 9 error(s), 0 warning(s)

It looks like you didn't link to libclamav.lib. Add libclamav.lib to your project's dependencies.

Finally the Project at least run Thanks For Being With Me

However, I'm getting this output:

LibClamAV Error: cl_load(): Can't get status of D:\AV\AV\AV\Release\database
cl_load: Can't get file status

I have put 'main.cvd' in 'D:\AV\AV\AV\Release\database\' directory, but nothing happens...what is it expecting there?

I don't know why that would happen, it looks ok to me...
Try placing main.cvd in your root directory D:\
And then pass that to cl_load("D:\", ...) Maybe it will help.

It also *might* be because a temporary folder path wasn't specified, and ClamAV needs a place to unpack the database. That is just a guess, I don't know if ClamAV actually needs this, but you could try:

cl_engine_set_str(EngineInstance, CL_ENGINE_TMPDIR, "path to folder with write permission");

I replaced with
and it loads the signatures...but then i get the following error:



The image contains the error message-box...
https://postimg.org/image/f9ef7nc2j/

I have used the directory 'C:\\notepad.exe' (it's there) instead of argv[2], is it causing the problem ?

Try compiling ClamAV in release mode. I remember debug mode having issues. Also, are you also using Visual Studio 2010 to compile your new project? If you're using another version of VS, it could link against a different MSVCRT version and cause issues.