Which antivirus do your signatures work with?
Our signatures work with ClamAV 0.103 minimum if you have a paid subscription, and ClamXav. However, if you have version 0.102 or lower, you should update your antivirus immediately, as it has not been supported since January 2022.
Do you publish reports of your signature updates?
Yes, a report is published daily and is available on our website.
What is the detection rate of your signatures?
For 0-day malware, the detection rate of our signatures is over 90%. It can reach up to 99%! The official ClamAV signatures have a detection rate below 10%. You can check these statistics for yourself on our daily updated web page of malware found on hacked websites.
Do your signatures duplicate ClamAV's official signatures?
No, our signatures target malware not yet detected by ClamAV. Our signatures are therefore complementary to ClamAV's and significantly increase its malware detection rate.
What are the benefits of getting a paid subscription?
The free subscription ("Basic") allows you to validate the installation of our product on your server but does not provide anti-malware security.
On the other hand, a paid subscription ("Professional", "Gold", or "Reseller") provides access to antivirus signatures against "zero-hour" malware, meaning malware captured within the hour. Additionally, a paid subscription grants access to generic signatures that detect variants of new malware, offering optimal malware protection.
Does the subscription allow protection for multiple computers?
Yes, as long as you respect the maximum number of IP addresses allowed to download the signatures, based on the chosen subscription.
What is the best crontab configuration for freshclam?
You can download our signatures once per hour. We recommend the following configuration:
n * * * * freshclam --quiet
n is a random number you choose between 3 and 57.
Can I send you malware by email?
Yes, send your malware to malware@surfezsanspub.fr in a ZIP file protected by the password: infected
If your ZIP contains malware, signatures will be published within 60 minutes.
Do your signatures generate false positives?
No. The rate of false positives is extremely low. However, we recommend testing in a pre-production environment before using our signatures in production. If you find false positives, you can contact us through the "Contact Us" tab.
Can I use other unofficial signatures like SaneSecurity, MalwarePatrol, or YARA rules?
Yes, we recommend using other unofficial signatures for ClamAV antivirus to maximize your protection, depending on your needs.
Can I mirror your signatures on a server within my network?
Yes, you can. However, public mirroring of our signatures is strictly prohibited and will result in legal action!
There are several signature files. What are the differences between them?
Here is the breakdown of the signature files:
- securiteinfo.hdb: Mainly executable malware (exe, com, dll, ...) less than a year old. Typical use: any use.
- securiteinfohtml.hdb and javascript.ndb: HTML or JavaScript malware. Typical use: Proxy and mail server.
- securiteinfoascii.hdb: Text file malware (Perl or shell scripts, bat, exploits, ...). Typical use: any use.
- spam_marketing.ndb: Spammers blacklist. Typical use: mail server.
- securiteinfoandroid.hdb: Android malware. Typical use: Protection of Android smartphones and tablets.
- securiteinfo.ign2: Anti-false positives. Must be used regardless of the final use.
- securiteinfoold.hdb: Old malware over a year old. Optional. Use if you are not resource-constrained (RAM/CPU), want maximum malware detection, or are a virus collector doing antivirus software comparisons.
- securiteinfopdf.hdb: PDF malware and spam. Typical use: any use.
- securiteinfo0hour.hdb: Malware detected on the internet within the last 60 minutes. These are the most active malware at the time you read this. Must be used regardless of the final use. Not included in the Basic subscription.
- securiteinfo.mdb: Generic malware signatures. Must be used regardless of the final use. Not included in the Basic subscription.
- securiteinfo.yara: Generic malware signatures. Must be used regardless of the final use. Not included in the Basic subscription.
- securiteinfo.pdb and securiteinfo.wdb: Anti-phishing signatures. Typical use: mail server. Not included in the Basic subscription.
Do you contribute to ClamAV?
Yes, we regularly submit false positives and signatures to ClamAV. Unfortunately, for unknown reasons, ClamAV does not consistently integrate our contributions. See our contributions for more information.
Are the download URLs for signatures different between the free and paid versions?
No, the URLs are the same whether your account is free or paid, except for the addition of five new signature databases available with a paid subscription: securiteinfo0hour.hdb, securiteinfo.mdb, securiteinfo.yara, securiteinfo.pdb, and securiteinfo.wdb.
See the "Setup" tab on your personal account.
What is the best configuration for clamd.conf?
To achieve the maximum detection rate, we recommend modifying the following lines in your clamd.conf:
WARNING: These changes assume you have at least 16GB of RAM
- DetectPUA yes
- ExcludePUA PUA.Win.Packer
- ExcludePUA PUA.Win.Trojan.Packed
- ExcludePUA PUA.Win.Trojan.Molebox
- ExcludePUA PUA.Win.Packer.Upx
- ExcludePUA PUA.Doc.Packed
- MaxScanTime 120000
- MaxScanSize 2048M
- MaxFileSize 2048M
- MaxRecursion 30
- MaxFiles 15000
- MaxEmbeddedPE 2048M
- MaxHTMLNormalize 2048M
- MaxHTMLNoTags 2048M
- MaxScriptNormalize 2048M
- MaxZipTypeRcg 50M
- PCREMaxFileSize 2048M
How to whitelist a signature so it is no longer detected?
Read this article (in English):
Whitelisting signatures for ClamAV antivirus
What is the best method to download the signatures?
The only method we allow is to use freshclam, as indicated in the 'Installation' section.
Any other method, including third-party scripts, is not supported or maintained by SecuriteInfo.com.
I have an issue with ClamAV that is not resolved in the FAQ
Visit our page dedicated to resolving ClamAV issues:
https://www.securiteinfo.com/clamav-antivirus/problemes-et-erreurs-les-plus-courantes-clamav.shtml
How to configure the MaxThreads setting in clamd.conf?
The MaxThreads setting tells ClamAV the maximum number of threads it can allocate during a scan.
We recommend using the following value:
MaxThreads = (number of logical cores of your CPU) + 1
Examples:
If your CPU has 8 cores and supports hyperthreading, you have 8 * 2 = 16 logical cores. Therefore, MaxThreads = 17.
If your CPU has 4 cores without hyperthreading, you have 4 logical cores, so MaxThreads = 5.
How to determine how many logical cores your computer has on Linux? Run the following command:
cat /proc/cpuinfo |grep "^processor"|wc -l
Add +1, and you have the number to set for MaxThreads.
If you need better performance, increasing the number of cores in your CPU is more beneficial than upgrading any other aspect of your PC.
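The clamd.conf values recommended above and the MaxThreads rule can be checked against an existing configuration. The following is an added example, not SecuriteInfo's code: the helper name audit_clamd_conf is hypothetical, and it compares values as exact text, so an equivalent value written differently is reported as a mismatch.

```shell
#!/bin/sh
# Added example: compare a clamd.conf with the values recommended in this FAQ.
# audit_clamd_conf is a hypothetical helper name, not part of ClamAV.

# Recommended settings, copied from the FAQ list above.
RECOMMENDED='DetectPUA yes
ExcludePUA PUA.Win.Packer
ExcludePUA PUA.Win.Trojan.Packed
ExcludePUA PUA.Win.Trojan.Molebox
ExcludePUA PUA.Win.Packer.Upx
ExcludePUA PUA.Doc.Packed
MaxScanTime 120000
MaxScanSize 2048M
MaxFileSize 2048M
MaxRecursion 30
MaxFiles 15000
MaxEmbeddedPE 2048M
MaxHTMLNormalize 2048M
MaxHTMLNoTags 2048M
MaxScriptNormalize 2048M
MaxZipTypeRcg 50M
PCREMaxFileSize 2048M'

# Usage: audit_clamd_conf FILE [LOGICAL_CORES]
# Prints one line per deviation; returns 0 only when nothing deviates.
audit_clamd_conf() {
    conf=$1
    # Same count as the /proc/cpuinfo command in the FAQ, unless given explicitly.
    cores=${2:-$(grep -c '^processor' /proc/cpuinfo)}
    printf '%s\nMaxThreads %s\n' "$RECOMMENDED" "$((cores + 1))" |
    awk -v conf="$conf" '
        BEGIN {
            # Load the live configuration, skipping comment and blank lines.
            while ((getline line < conf) > 0) {
                sub(/^[ \t]*#.*/, "", line)
                if (split(line, f, " ") >= 2) {
                    seen[f[1] " " f[2]] = 1   # exact key/value pairs present
                    last[f[1]] = f[2]          # value found for each key
                }
            }
        }
        (($1 " " $2) in seen) { next }         # already set as recommended
        # ExcludePUA repeats, so an absent entry is missing, not mismatched.
        $1 == "ExcludePUA" || !($1 in last) { print "MISSING  " $0; bad++; next }
        { print "MISMATCH " $0 " (found " last[$1] ")"; bad++ }
        END { exit (bad > 0) }'
}
```

Run it as audit_clamd_conf /path/to/clamd.conf; the second argument overrides the detected number of logical cores.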
How to perform an antivirus scan as quickly as possible?
To perform a scan using all CPU cores, you need to install the parallel command:
apt-get install parallel
The parallel command runs a command once for each input line, executing as many jobs simultaneously as your processor has logical cores. It is comparable to xargs, but runs the jobs in parallel. Parallel is thus a very powerful tool to accelerate all command-line tasks.
To perform an antivirus scan with ClamAV as quickly as possible, here’s what you need to do:
Antivirus scan including subdirectories:
find . -type f |parallel clamdscan -i --stream --no-summary {}
Antivirus scan of the current directory without subdirectories:
find . -maxdepth 1 -type f |parallel clamdscan -i --stream --no-summary {}
These commands will use all the logical cores of your CPU.
If you want to limit the number of logical cores used, use the "-j" parameter of parallel. For example:
Antivirus scan including subdirectories, using only 2 logical cores of your CPU:
find . -type f |parallel -j2 clamdscan -i --stream --no-summary {}
Who creates the signatures for SecuriteInfo.com?
The signatures are created by Arnaud Jacques, the manager of SecuriteInfo.com. He was an official signature creator for ClamAV for 8 years. You can find more information on this page.
Note: ClamAV is a registered trademark of Cisco