Building Virus Signature Database -ClamAV Without Sigtool
rajneeshmaster


Joined: 23 Feb 2015
Posts: 0
Location: India
Hello, I am developing an anti-virus for educational purposes. For my anti-virus I would like to use the database used by ClamAV.

"But the thing is I want to be able to create new virus signatures without using ClamAV's sigtool. So it would be really helpful if someone could point me in the right direction regarding how sigtool generates signatures; I am talking about static signatures only. I have the ClamAV source code, in which I have sigtool.c. Is that all I need to understand how sigtool generates signatures, or is it just some part of it and I need to look into other parts of ClamAV also?" - solved as my first query

My second query: now that I have created virus signatures for my anti-virus, how do I use them in my AV? I mean, what is the significance of the .cvd and .hdb file extensions for ClamAV? I could simply save my database signatures, which match the ClamAV pattern, into a simple Excel file or any other standard text format. Could somebody enlighten me on this issue?


Last edited by rajneeshmaster on Sat Mar 14, 2015 11:39 am; edited 2 times in total
ROCKNROLLKID


Joined: 23 Sep 2013
Posts: 0
Location: **UNKNOWN**
Hello. Here are some articles on how to create signatures for ClamAV: https://blog.adamsweet.org/?p=250 and https://blog.clamav.net/2014/02/introducing-clamav-community-signatures.html Alternatively, you can create simple MD5 signatures, which are fast and easy; since ClamAV doesn't have any type of dynamic signature detection, MD5 might be the best way to go. I am not sure what other tools you can use besides sigtool.

Glad you are interested in making signatures. ClamAV/ClamWin needs more people to make signatures.


Last edited by ROCKNROLLKID on Fri Mar 13, 2015 2:47 pm; edited 1 time in total
GuitarBob


Joined: 09 Jul 2006
Posts: 9
Location: USA
There are some posts I have made on the ClamWin forums in the past about making your own signatures. If you can't find them, or if the information isn't too clear, send email to rscrogg at gmail dot com, and I'll provide info. I was an open source sigmaker for Clam AV for about 5 years on behalf of ClamWin.

Please let the ClamWin developers know about your project when you have something workable that they might be able to use. There is little/no development of ClamWin except for the Windows port whenever there is a new Clam AV version.

Regards,
rajneeshmaster


Joined: 23 Feb 2015
Posts: 0
Location: India
ROCKNROLLKID wrote:
Hello. Here are some articles on how to create signatures for ClamAV: https://blog.adamsweet.org/?p=250 and https://blog.clamav.net/2014/02/introducing-clamav-community-signatures.html Alternatively, you can create simple MD5 signatures, which are fast and easy; since ClamAV doesn't have any type of dynamic signature detection, MD5 might be the best way to go. I am not sure what other tools you can use besides sigtool.

Glad you are interested in making signatures. ClamAV/ClamWin needs more people to make signatures.


Thank you for the reply. I have found that sigtool takes the MD5 of a given file and then converts it into a 32-digit hexadecimal value.
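To make the hash-signature format concrete, here is an added example (my own code for this thread, not ClamAV's or ClamWin's): it builds the same `md5:size:name` line that `sigtool --md5 <file>` prints, parses a small .hdb-style database, and does the whole-file MD5 match that ClamAV performs for .hdb entries. On the second query in the original post: .hdb is one of the plain-text signature file types ClamAV loads straight from its database directory, while .cvd is ClamAV's signed, compressed bundle of such plain-text files, so a hand-written .hdb is enough to start testing. The sample bytes, the signature names and the function names below are constructed for illustration; the EICAR hash and size are the real values for the 68-byte EICAR test file, but the test file itself is not included. This parser only accepts a numeric size field.

```python
"""Build and use ClamAV-style MD5 hash signatures (.hdb) without sigtool.

Added example for this thread; not ClamAV or ClamWin project code.
Function names, the sample bytes and the signature names are made up here.
"""
import hashlib
from typing import Dict, Optional

# Constructed sample content standing in for a malware file (it is not malware).
SAMPLE_BYTES = b"hello world"

# A small constructed database in .hdb syntax.  The second entry carries the
# real MD5 and size of the 68-byte EICAR test file; both names are chosen here.
EXAMPLE_HDB = """\
# comment lines are skipped by this parser (a convenience of this example)
5eb63bbbe01eeed093cb22bb8f5acdc3:11:Test.Sample-1
44d88612fea8a8f36de82e1278abb02f:68:Eicar-Test-Signature
"""

HEX_DIGITS = set("0123456789abcdef")


def hdb_line(data: bytes, name: str) -> str:
    """Return one .hdb entry for the given file content.

    ClamAV hash signatures are plain-text lines of the form
        <md5>:<size>:<name>
    with the MD5 as 32 lowercase hex digits and the size in bytes.  This is
    the line `sigtool --md5 <file>` prints (with the file name in the last
    field), so the two can be cross-checked.
    """
    if ":" in name or any(c.isspace() for c in name):
        raise ValueError("signature name must not contain ':' or whitespace")
    digest = hashlib.md5(data).hexdigest()  # 32 lowercase hex characters
    return f"{digest}:{len(data)}:{name}"


def parse_hdb(text: str) -> Dict[int, Dict[str, str]]:
    """Parse .hdb text into {size: {md5: name}}.

    Keying on size first lets the scanner skip hashing a file whose size
    matches no signature.  Malformed lines raise instead of being ignored,
    so a typo in a database cannot silently disable a signature.
    """
    db: Dict[int, Dict[str, str]] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) != 3:
            raise ValueError(f"line {lineno}: expected md5:size:name, got {raw!r}")
        digest, size, name = parts
        digest = digest.lower()
        if len(digest) != 32 or not set(digest) <= HEX_DIGITS:
            raise ValueError(f"line {lineno}: bad MD5 {digest!r}")
        if not size.isdigit():
            raise ValueError(f"line {lineno}: bad size {size!r}")
        db.setdefault(int(size), {})[digest] = name
    return db


def scan_bytes(data: bytes, db: Dict[int, Dict[str, str]]) -> Optional[str]:
    """Return the matching signature name, or None if the content is clean."""
    by_hash = db.get(len(data))
    if by_hash is None:
        return None  # no signature of this size, so no need to hash at all
    return by_hash.get(hashlib.md5(data).hexdigest())


def scan_file(path: str, db: Dict[int, Dict[str, str]]) -> Optional[str]:
    """Whole-file MD5 match, which is how ClamAV applies .hdb entries."""
    with open(path, "rb") as f:
        return scan_bytes(f.read(), db)


if __name__ == "__main__":
    print(hdb_line(SAMPLE_BYTES, "Test.Sample-1"))
    db = parse_hdb(EXAMPLE_HDB)
    print(scan_bytes(SAMPLE_BYTES, db))    # Test.Sample-1
    print(scan_bytes(b"HELLO WORLD", db))  # None: same size, different hash
```

Write the generated lines to a file such as `mysigs.hdb` and you can test them against the real engine with `clamscan -d mysigs.hdb <file>`, and compare each line with the output of `sigtool --md5 <file>`. Because the match is on the whole-file MD5, any change to a single byte of the sample produces a different hash and a miss; that is the trade-off behind the "fast and easy" description of hash signatures elsewhere in this thread.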
rajneeshmaster


Joined: 23 Feb 2015
Posts: 0
Location: India
GuitarBob wrote:
There are some posts I have made on the ClamWin forums in the past about making your own signatures. If you can't find them, or if the information isn't too clear, send email to rscrogg at gmail dot com, and I'll provide info. I was an open source sigmaker for Clam AV for about 5 years on behalf of ClamWin.

Please let the ClamWin developers know about your project when you have something workable that they might be able to use. There is little/no development of ClamWin except for the Windows port whenever there is a new Clam AV version.

Regards,


I will be glad to help ClamWin grow; I am also developing my project on the Windows platform.
GuitarBob


Joined: 09 Jul 2006
Posts: 9
Location: USA
What ClamWin needs is a new version without any Python dependency, a new GUI, a mini-filter in the kernel, a web browsing filter (or an auto-updated hosts file), and some basic heuristics to supplement the Clam AV signatures. Clam Sentinel was a good start on the heuristics, but it looks like that project has been abandoned. Let the ClamWin developers know about what you come up with.

Regards,
ROCKNROLLKID


Joined: 23 Sep 2013
Posts: 0
Location: **UNKNOWN**
I am guessing the hexadecimal values must be for the bytecode signatures. I would recommend staying away from bytecode signatures, unless it is absolutely necessary, because they take a really long time to make. You can prepare 100 MD5 signatures in the time it takes to create 1 bytecode signature. Just stick with simple MD5 signatures until ClamAV can come up with some dynamic/heuristic ways to block malware.
ROCKNROLLKID


Joined: 23 Sep 2013
Posts: 0
Location: **UNKNOWN**
rajneeshmaster: If you go here: https://www.clamav.net/doc/install.html and at the top you should see "writing signatures", click it, and it will install a PDF file for you. There you can read all about ClamAV signatures. As I said before, since ClamAV doesn't have any heuristic/dynamic way to detect malware, MD5 is the fastest and simplest way to go, and it would be a waste of time to prepare more complex signatures because of that. The PDF also tells you what names to use, how to whitelist false positives, and other useful stuff.

If you want to submit any signatures to ClamAV, you must submit them to their email at community-sigs@lists.clamav.net. Remember that ClamWin also runs off the ClamAV engine and database, so any support you provide to ClamAV will also benefit ClamWin and any other software that runs the ClamAV engine. What GuitarBob suggested are things ClamWin really needs.

Good luck and hopefully you can be a big help for ClamAV/ClamWin.