Over the past couple of weeks, I was in the process of developing a simple virus scanner. It works great, but my question is: does anybody know where I can get a database (a single file) that contains 8000 or more virus signatures WITH their names, and possibly a risk meter (high, low, unknown)?
1 Answer
5
Try the ClamAV database. This also includes some more complex signatures, but some are just byte sequences.
The CVD file format is a compressed tar file with a header block attached; see here for header information, or this PDF for the real details.
As I understand it, you should be able to decompress it with

```
dd if=file.cvd bs=512 skip=1 | tar zxvf -
```

This will unpack to a collection of various files; for files that have simple hex signatures, these will be found in a file with the extension `.db`. Not all of these signatures are pure hex -- many of them contain wildcards such as `??` for "allow any byte here", `*` for "allow any number of intervening bytes here", `(-4096)` for "allow up to 4k of intervening bytes here", and so forth.

Jeffrey Hantin
- So how do I uncompress the cvd file or at least view its contents? BTW are the signatures in hex or md5, because md5 won't work for my situation. – Seif Shawkat Feb 11 '11 at 20:50
- @Seif: Updated. Different files within the CVD archive contain different signature types. – Jeffrey Hantin Feb 11 '11 at 22:10
- @Jeffrey Well then, how do I open the .cvd archive? Winrar says it's corrupted or something. – Seif Shawkat Feb 11 '11 at 23:42
- @Seif If you strip the first 512 bytes off it's a standard `.tar.gz` archive. – Jeffrey Hantin Feb 11 '11 at 23:53
- @Jeffrey: Thanks, I was able to open it after removing the first 512 bytes! – Seif Shawkat Feb 12 '11 at 16:29
- The problem with the clamav signatures is that most of them are md5 signatures... Anyway, (I know this is too much) if you can, please show me another source with hex signatures... – Seif Shawkat Feb 12 '11 at 22:53
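
An added example (not part of the answer above and not ClamAV's own code): this Python reads the `.db` signatures out of a CVD image in memory after skipping the 512-byte header, then matches them against a buffer using the three wildcards the answer names. It assumes `.db` lines have the form `Name=HexSignature`, accepts the bounded gap either as written in the answer, `(-4096)`, or in braces, `{-4096}`, and skips signatures that use any other syntax; all function names and sample values are constructed for illustration.

```python
import io, re, tarfile

HEADER_LEN = 512  # header block that precedes the tar.gz payload
TOKEN = re.compile(r"[0-9a-fA-F]{2}|\?\?|\*|[({]-(\d+)[)}]")

def read_db_signatures(cvd_bytes):
    """Return {name: hex_signature} from *.db members, read in memory only."""
    sigs = {}
    with tarfile.open(fileobj=io.BytesIO(cvd_bytes[HEADER_LEN:]), mode="r:gz") as tar:
        for member in tar:
            if member.isfile() and member.name.endswith(".db"):
                text = tar.extractfile(member).read().decode("ascii", "replace")
                for line in text.splitlines():
                    name, sep, hexsig = line.strip().partition("=")
                    if sep and hexsig:
                        sigs[name] = hexsig
    return sigs

def compile_signature(hexsig):
    """Return a bytes regex for the signature, or None if its syntax is not handled."""
    parts, pos = [], 0
    while pos < len(hexsig):
        m = TOKEN.match(hexsig, pos)
        if m is None:
            return None
        if m.group(0) == "??":
            parts.append(b".")                           # any one byte
        elif m.group(0) == "*":
            parts.append(b".*?")                         # any number of bytes
        elif m.group(1) is not None:
            parts.append(b".{0,%d}?" % int(m.group(1)))  # up to N bytes
        else:
            parts.append(re.escape(bytes.fromhex(m.group(0))))
        pos = m.end()
    return re.compile(b"".join(parts), re.DOTALL)

def scan(data, sigs):
    """Return the sorted names of the signatures found anywhere in data."""
    compiled = {name: compile_signature(s) for name, s in sigs.items()}
    return sorted(n for n, rx in compiled.items() if rx is not None and rx.search(data))

def make_constructed_cvd(db_text):
    """Constructed test image: 512 filler bytes followed by a tar.gz with one .db."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        info = tarfile.TarInfo("constructed.db")
        info.size = len(db_text)
        tar.addfile(info, io.BytesIO(db_text))
    return b"X" * HEADER_LEN + buf.getvalue()
```

Reading members with `extractfile` instead of unpacking to disk means file names inside a downloaded archive are never used as paths.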