What is the format of each files inside the CVD
garl4


Inside each CVD (ClamAV Virus Database: https://database.clamav.net/daily.cvd) file there are a bunch of files. What is the format of each of them?

I've extracted these files with:

dd if=daily.cvd of=daily.tar.gz bs=512 skip=1
tar xzvf daily.tar.gz


I've found the format for some, but not for all of them. For example:

PE section based hash signatures

You can create a hash signature for a specific section in a PE file. Such signatures shall be stored inside .mdb files in the following format: PESectionSize:PESectionHash:MalwareName

*.info, *.cfg, *.ign, *.ign2, *.ftm, *.hdb, *.hdu, *.hsb, *.hsu, *.mdb, *.mdu, *.msb, *.msu, *.ndb, *.ndu, *.ldb, *.ldu, *.idb, *.fp, *.sfp, *.pdb, *.wdb, *.crb, *.cdb

Do you have the "format" for all the other extensions? Any documentation?

I'm just asking because I'm curious.
GuitarBob


Check the available information about Clam AV signatures. There have been lots of articles/blogs related to this topic. ClamWin is not responsible for the Clam AV signatures--it just uses the Clam AV scan engine and signatures as they come from Clam. We really have no information about the signatures/formats.

Regards,
garl4


.hdb :
MD5 hash-based signatures
HashString:FileSize:MalwareName

.hsb :
SHA1 and SHA256 hash-based signatures
HashString:FileSize:MalwareName

.mdb :
PE section based hash signatures
PESectionSize:PESectionHash:MalwareName

.db :
Hexadecimal based signatures (and now deprecated)
MalwareName=HexSignature

.ndb :
Extended signature format
MalwareName:TargetType:Offset:HexSignature[:MinFL:[MaxFL]]

.ldb :
Logical signatures
SignatureName;TargetDescriptionBlock;LogicalExpression;Subsig0;Subsig1;Subsig2;...

.crb :
Trusted and Revoked Certificates
Name;Trusted;Subject;Serial;Pubkey;Exponent;CodeSign;TimeSign;CertSign;NotBefore;Comment[;minFL[;maxFL]]

.cdb :
Signatures based on container metadata
VirusName:ContainerType:ContainerSize:FileNameREGEX:FileSizeInContainer:FileSizeReal:IsEncrypted:FilePos:Res1:Res2[:MinFL[:MaxFL]]

.zmd or .rmd :
Signatures based on ZIP/RAR metadata (obsolete)
virname:encrypted:filename:normal size:csize:crc32:cmethod:fileno:max depth

.sfp :
Whitelist databases

.pwdb :
Passwords for archive files [experimental]
SignatureName;TargetDescriptionBlock;PWStorageType;Password
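The field layouts listed in the post above, turned into a small parser and hash check (an added example, not part of the original thread and not ClamAV or ClamWin code). It covers only the .hdb, .hsb, .mdb, .db, .ndb and .ldb layouts exactly as written in the post; the function names and every sample line are constructed for illustration.

```python
import hashlib

# extension -> (delimiter, required fields, optional trailing fields), as listed in the post
FORMATS = {
    ".hdb": (":", ["HashString", "FileSize", "MalwareName"], []),
    ".hsb": (":", ["HashString", "FileSize", "MalwareName"], []),
    ".mdb": (":", ["PESectionSize", "PESectionHash", "MalwareName"], []),
    ".db": ("=", ["MalwareName", "HexSignature"], []),
    ".ndb": (":", ["MalwareName", "TargetType", "Offset", "HexSignature"], ["MinFL", "MaxFL"]),
    ".ldb": (";", ["SignatureName", "TargetDescriptionBlock", "LogicalExpression"], []),
}
# .hdb carries MD5, .hsb carries SHA1 or SHA256; the hex length tells them apart.
ALGO_BY_HEXLEN = {32: "md5", 40: "sha1", 64: "sha256"}

def parse_line(ext, line):
    """Split one signature line into named fields for the given extension."""
    delim, required, optional = FORMATS[ext]
    parts = line.strip().split(delim)
    if ext == ".ldb":
        # Fixed leading fields, then a variable number of subsignatures (at least one).
        if len(parts) <= len(required):
            raise ValueError(f"{ext}: no subsignatures in {line!r}")
        return {**dict(zip(required, parts)), "Subsigs": parts[len(required):]}
    if not len(required) <= len(parts) <= len(required) + len(optional):
        raise ValueError(f"{ext}: unexpected field count in {line!r}")
    return dict(zip(required + optional, parts))

def hash_match(ext, line, data):
    """Return the MalwareName if data matches a .hdb/.hsb line, else None."""
    rec = parse_line(ext, line)
    algo = ALGO_BY_HEXLEN.get(len(rec["HashString"]))
    if algo is None:
        raise ValueError(f"unrecognised hash length in {line!r}")
    if int(rec["FileSize"]) != len(data):
        return None  # size mismatch, no need to hash
    digest = hashlib.new(algo, data).hexdigest()
    return rec["MalwareName"] if digest == rec["HashString"].lower() else None

# Constructed sample data and signature lines (not taken from any real database).
SAMPLE = b"constructed sample payload"
HDB_LINE = f"{hashlib.md5(SAMPLE).hexdigest()}:{len(SAMPLE)}:Constructed.Test.Hdb"
HSB_LINE = f"{hashlib.sha256(SAMPLE).hexdigest()}:{len(SAMPLE)}:Constructed.Test.Hsb"
NDB_LINE = "Constructed.Test.Ndb:0:*:deadbeef:51"
LDB_LINE = "Constructed.Test.Ldb;Target:0;0&1;41414141;42424242"

if __name__ == "__main__":
    print(hash_match(".hdb", HDB_LINE, SAMPLE), hash_match(".hsb", HSB_LINE, SAMPLE))
    print(parse_line(".ndb", NDB_LINE), parse_line(".ldb", LDB_LINE), sep="\n")
```

Lines that carry more or fewer fields than the post lists raise ValueError rather than being parsed loosely.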
GuitarBob


Thanks for the info/research. ClamWin has no control over the virus signatures--we have to take what Clam AV provides. We badly need some real heuristics for unknown malware detection, but that would mean a change in the code ported over from Clam AV, which the developers do not want to do.

Also thanks for using ClamWin!

Regards,