https://blog.clamav.net/2021/03/clamav-cvds-cdiffs-and-magic-behind.html
ClamAV, CVDs, CDIFFs and the magic behind the curtain
The amount of malicious files that ClamAV can detect has increased immensely over the past few years, but with this increase in efficacy comes some challenges with scale.
Some of these challenges have required drastic measures to ensure the effective operation of the ClamAV infrastructure, including blocking certain methods of downloading the official ClamAV signature sets. To give the community more insight into these matters, we’d like to discuss some of these challenges in-depth and provide insight into future changes and optimizations coming to the product.
ClamAV signatures come in a variety of formats, one for each of the distinct detection methods that the ClamAV file scanning engine supports. ClamAV also uses the ClamAV Virus Database (CVD) file format, which serves as a container for the compressed and digitally-signed official signature sets that power ClamAV — daily.cvd, main.cvd, and bytecode.cvd. Each signature set serves a different purpose:
* bytecode.cvd contains all compiled bytecode signatures evaluated by the bytecode interpreter engine
* daily.cvd contains signatures for the latest threats (updated daily)
* main.cvd contains signatures previously in daily.cvd that have shown to have a low false-positive risk.
< — More — >
Please read the rest of the post at the above link..
--
Joel Esler
Manager, Communities Division
Cisco Talos Intelligence Group
http://www.talosintelligence.com | https://www.snort.org
ClamAV, CVDs, CDIFFs and the magic behind the curtain
The amount of malicious files that ClamAV can detect has increased immensely over the past few years, but with this increase in efficacy comes some challenges with scale.
Some of these challenges have required drastic measures to ensure the effective operation of the ClamAV infrastructure, including blocking certain methods of downloading the official ClamAV signature sets. To give the community more insight into these matters, we’d like to discuss some of these challenges in-depth and provide insight into future changes and optimizations coming to the product.
ClamAV signatures come in a variety of formats, one for each of the distinct detection methods that the ClamAV file scanning engine supports. ClamAV also uses the ClamAV Virus Database (CVD) file format, which serves as a container for the compressed and digitally-signed official signature sets that power ClamAV — daily.cvd, main.cvd, and bytecode.cvd. Each signature set serves a different purpose:
* bytecode.cvd contains all compiled bytecode signatures evaluated by the bytecode interpreter engine
* daily.cvd contains signatures for the latest threats (updated daily)
* main.cvd contains signatures previously in daily.cvd that have shown to have a low false-positive risk.
< — More — >
Please read the rest of the post at the above link..
--
Joel Esler
Manager, Communities Division
Cisco Talos Intelligence Group
http://www.talosintelligence.com | https://www.snort.org