How to configure ClamAV and use it in Windows
Configuration
Download clamav-1.0.1.win.x64.msi from ClamAVNet and double-click it to install.
The default installation path is "C:\Program Files\ClamAV"; you can change the path as you need.
Run
cd "C:\Program Files\ClamAV"
copy .\conf_examples\freshclam.conf.sample .\freshclam.conf
copy .\conf_examples\clamd.conf.sample .\clamd.conf
If it shows an "Access denied" warning, re-open your CMD with Administrator rights.
Open "freshclam.conf" and "clamd.conf" and delete or comment out the line that says "Example". Adjust the rest of the configuration as you need.
Run
freshclam
to update the ClamAV signature database. All files are downloaded to the "database" folder; if that folder does not exist, it is created. This signature set is actively maintained by Cisco Talos.
Run
clamconf
to print all current configurations.
Scanning
Run
clamd
this starts a clamd.exe instance that serves "clamdscan" requests.
To install it as a Windows service
clamd --install-service
To uninstall
clamd --uninstall-service
Run
clamdscan --help
to check the usage.
Run
clamdscan [options] [file/directory/-]
to scan a file or directory.
Run
clamscan --memory
to scan process memory. Note that this takes a great deal of RAM.
"clamdscan --memory" requires a running "clamd.exe" instance; check the log if it does not work.
One-time scanning
clamscan [options] [file/directory/-]
It does not require a running clamd.exe instance, but it loads the virus database on every run, so it is better to unpack a cvd and specify the database file.
clamscan --database="C:\a\daily.wdb" "C:\Users\Downloads\v.html"
To unpack a ClamAV signature database file
cd /a/writable/path
"C:\Program Files\ClamAV\sigtool.exe" --unpack="C:\Program Files\ClamAV\database\main.cvd"
Result
Name Mode Length LastWriteTime
---- ---- ------ -------------
COPYING -a--- 17992 4/26/2023 9:29:54 PM
main.cdb -a--- 44 4/26/2023 9:29:57 PM
main.crb -a--- 44 4/26/2023 9:29:57 PM
main.fp -a--- 27584 4/26/2023 9:29:57 PM
main.hdb -a--- 5220903 4/26/2023 9:29:54 PM
main.hsb -a--- 167946684 4/26/2023 9:29:55 PM
main.info -a--- 1221 4/26/2023 9:29:54 PM
main.ldb -a--- 11650768 4/26/2023 9:29:57 PM
main.mdb -a--- 255457140 4/26/2023 9:29:56 PM
main.msb -a--- 92 4/26/2023 9:29:56 PM
main.ndb -a--- 23720141 4/26/2023 9:29:56 PM
main.sfp -a--- 87 4/26/2023 9:29:57 PM
Build Custom Signature db
Signatures - ClamAV Documentation
It is a little complicated; to be determined.
Build custom rule with YARA
YARA Rules - ClamAV Documentation
Writing YARA rules — yara 4.3.1 documentation
A rule that matches files containing the string "cmd.exe"; save it to a file named "custom.yara".
rule WebShell
{
    strings:
        $c_text = "cmd.exe"
    condition:
        $c_text
}
Run
clamscan --database="custom.yara" "C:\Users\WebApplication1\Shell.aspx.cs"
Result
Loading: 0s, ETA: 0s [========================>] 1/1 sigs
Compiling: 0s, ETA: 0s [========================>] 40/40 tasks
C:\Users\WebApplication1\Shell.aspx.cs: YARA.WebShell.UNOFFICIAL FOUND
----------- SCAN SUMMARY -----------
Known viruses: 1
Engine version: 1.0.1
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 0.00 MB
Data read: 0.00 MB (ratio 0.00:1)
Time: 0.061 sec (0 m 0 s)
Start Date: 2023:04:27 00:11:06
End Date: 2023:04:27 00:11:06
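When clamscan or clamdscan is run from a script or scheduled task, the output shown above has to be turned into something a script can act on. The following Python is an added example, not part of this page or of ClamAV: it parses the per-file verdict lines and the SCAN SUMMARY block and checks that the two agree, using a constructed sample modelled on the output above (the second "OK" file is invented).

```python
from dataclasses import dataclass, field

# Constructed sample, modelled on the clamscan output shown on this page.
SAMPLE_OUTPUT = r"""Loading: 0s, ETA: 0s [========================>] 1/1 sigs
Compiling: 0s, ETA: 0s [========================>] 40/40 tasks
C:\Users\WebApplication1\Shell.aspx.cs: YARA.WebShell.UNOFFICIAL FOUND
C:\Users\WebApplication1\Default.aspx.cs: OK
----------- SCAN SUMMARY -----------
Known viruses: 1
Engine version: 1.0.1
Scanned directories: 0
Scanned files: 2
Infected files: 1
Data scanned: 0.00 MB
Data read: 0.00 MB (ratio 0.00:1)
Time: 0.061 sec (0 m 0 s)
Start Date: 2023:04:27 00:11:06
End Date: 2023:04:27 00:11:06
"""


@dataclass
class ScanReport:
    infected: dict = field(default_factory=dict)  # path -> signature name
    clean: list = field(default_factory=list)     # paths reported as OK
    summary: dict = field(default_factory=dict)   # SCAN SUMMARY key -> value


def parse_clamscan_output(text: str) -> ScanReport:
    report = ScanReport()
    in_summary = False
    for line in text.splitlines():
        line = line.rstrip()
        if line.startswith("-----") and "SCAN SUMMARY" in line:
            in_summary = True
            continue
        if in_summary:
            # Summary values may themselves contain ':' ("Start Date: 2023:04:27 ..."),
            # so split on the first ": " only.
            if ": " in line:
                key, value = line.split(": ", 1)
                report.summary[key] = value
            continue
        if ": " not in line:
            continue
        # Windows paths start with "C:\", so split on the LAST ": " to keep the path
        # intact. Progress lines ("Loading: ...") fall through because their tail
        # is neither "OK" nor "... FOUND".
        path, verdict = line.rsplit(": ", 1)
        if verdict == "OK":
            report.clean.append(path)
        elif verdict.endswith(" FOUND"):
            report.infected[path] = verdict[: -len(" FOUND")]
    return report


def consistent(report: ScanReport) -> bool:
    """True when the FOUND lines match the summary's 'Infected files' count, a cheap
    guard against truncated or interleaved output when the scanner is scripted."""
    return int(report.summary.get("Infected files", -1)) == len(report.infected)
```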