Writing ClamAV Signatures for the Official ClamAV Virus Database (CVD)
(TODO This should probably live in the ClamAV manual)
Table of Contents:
- Introduction to ClamAV
- Overview of the ClamAV Open Source Environment
- How to Write ClamAV Signatures
- How to Contribute Signatures to the Official CVD
Introduction to ClamAV
This section will provide an introduction to ClamAV, including how it’s used, the types of detection that it supports, and hopefully provide a compelling case for why your contributions to ClamAV can have a big impact in protecting users around the world from malware.
About ClamAV
- discuss AV types, brief history, basic open source info, platforms supported, ruleset definition
Capabilities
- file type detection, unpacking/extraction, bytecode rules, authenticode whitelisting, yara
Signature Format Overview
- at a high level, show what rules look like (hdb, ldb, etc.)
Typical Deployments
- mail server, NAS, etc.
Usage Metrics
- how many people actively run freshclam, download code, etc. Also, include geographic breakdown if possible. Mention that ClamAV is run against in VirusTotal. Briefly mention usage in Cisco products too. Convey that contributing will have a big impact
Overview of the ClamAV Open Source Environment
Open Source
- license, where the code lives, who manages ClamAV, etc
Virus Database
- CVD - official sigs, third-party sigs (SaneSecurity)
Resources
- IRC, mailing lists
How to Write ClamAV Signatures
For a detailed introduction to writing ClamAV signatures, including an overview of the signature formats and capabilities built in to ClamAV, check out the Creating signatures for ClamAV page in the ClamAV manual.
Writing Effective Signatures
- TODO
How to Test Signatures
- TODO
Supporting Tools for Signature Writing
- Sigtool, CASC, BASS, Scripts, etc.
How to Contribute Signatures to the Official CVD
Checking for Prior Coverage
- Do this before writing a new signature
Checking for Common Signature Mistakes
- TODO
Steps for Submitting Signatures
- what to submit, how, etc.
Overview of the Signature Review Process
After Rule Acceptance
- TODO Is there anywhere that their name gets published?