Hello,
This idiot ChatGPT has forgotten the best additional signatures for ClamAV:
https://www.securiteinfo.com/clamav-antivirus/improve-detection-rate-of-zero-day-malwares-for-clamav.shtml
On 11/03/2026 at 12:17, Turritopsis Dohrnii Teo En Ming wrote:
On Wednesday, 11 March 2026 at 5:58 PM, Arnaud Jacques via clamav-users
<[email protected]> wrote:
Hello,
Is there a Bootable ClamAV Virus Scanner USB Thumbdrive/CD/DVD for scanning my
Windows 10/11 home desktop computer and laptops for rootkits, malware and
spyware?
You can use Kali
https://www.kali.org/get-kali/#kali-live
If you do not know how to use ClamAV inside Kali, you can find video
tutorials on youtube.
If you already know how to configure/use ClamAV, then do not forget to
use 3rd parties additional signatures to increase detection rate.
--
Cordialement / Best regards,
Arnaud Jacques
Manager of SecuriteInfo.com
Telephone: +33-(0)3.60.47.09.81
E-mail: [email protected]
Website: https://www.securiteinfo.com
Facebook: https://www.facebook.com/pages/SecuriteInfocom/132872523492286
Twitter: @SecuriteInfoCom
Writing signatures for ClamAV antivirus since 2006
Dear Arnaud Jacques,
Thanks for the great information!
I have asked ChatGPT.
The guide below was generated by ChatGPT.
Below is a clean, complete workflow to scan a Windows disk from Linux using the
fast ClamAV daemon (clamd), including APT / nation-state malware hunting with
additional signatures and YARA rules.
This assumes you already booted into Kali Linux (or another Linux environment)
and want to scan a Windows partition offline.
The antivirus engine used is ClamAV.
1. Install Required Tools
Open a terminal.
Update packages:
sudo apt update
Install malware-scanning tools:
sudo apt install clamav clamav-daemon yara git wget curl
Verify installation:
clamscan --version
2. Stop Automatic Signature Service (Temporary)
The updater sometimes locks the database.
sudo systemctl stop clamav-freshclam
3. Download Official ClamAV Signatures
Update virus database:
sudo freshclam
You should see downloads such as:
main.cvd
daily.cvd
bytecode.cvd
These are stored in:
/var/lib/clamav/
4. Install Large Third-Party Signature Feeds
These greatly increase detection of APT malware, backdoors, RATs, and espionage
tools.
A well-known project aggregates many feeds automatically.
Install:
cd /opt
sudo git clone https://github.com/extremeshok/clamav-unofficial-sigs
cd clamav-unofficial-sigs
sudo bash install.sh
This installs feeds from threat-intelligence projects such as:
SaneSecurity
URLHaus
MalwareBazaar
These add tens of thousands of additional signatures.
Update them:
sudo /usr/local/sbin/unofficial-sigs.sh
5. Configure the ClamAV Daemon
Edit daemon configuration:
sudo nano /etc/clamav/clamd.conf
Important performance settings:
MaxThreads 12
MaxScanSize 2000M
MaxFileSize 1000M
MaxRecursion 20
MaxFiles 50000
ScanArchive yes
DetectPUA yes
LogTime yes
LogVerbose yes
Enable local socket (fastest communication):
LocalSocket /run/clamav/clamd.sock
LocalSocketMode 666
Save the file.
6. Start the ClamAV Daemon
Start the service:
sudo systemctl start clamav-daemon
Check status:
sudo systemctl status clamav-daemon
7. Install APT Malware Detection Rules (YARA)
APT malware is often detected by behavioral patterns rather than antivirus
signatures.
Install rules:
sudo mkdir /opt/yara-rules
cd /opt/yara-rules
Download common rule sets:
APT malware rules:
sudo git clone https://github.com/Yara-Rules/rules
Advanced malware rules by Florian Roth:
sudo git clone https://github.com/Neo23x0/signature-base
These contain thousands of rules used by threat hunters.
8. Identify the Windows Partition
List disks:
lsblk
Example output:
sda
├─sda1 EFI
├─sda2 Windows
9. Mount the Windows Partition
Create mount directory:
sudo mkdir /mnt/windows
Mount partition:
sudo mount /dev/sda2 /mnt/windows
Now the Windows filesystem is accessible at:
/mnt/windows
10. Run Fast Malware Scan Using ClamAV Daemon
Skip to step 17.
11. Save Scan Results to a Log File
Skip to step 17.
12. Run APT Malware Threat Hunt Using YARA
This can detect:
espionage malware
command-and-control implants
advanced backdoors
ransomware frameworks
Skip to step 17.
13. Scan Critical Windows Malware Locations
Many malware files hide here:
/mnt/windows/Windows/System32
/mnt/windows/Windows/System32/drivers
/mnt/windows/ProgramData
/mnt/windows/Users
/mnt/windows/Temp
Example targeted scan:
sudo clamdscan -r /mnt/windows/Windows/System32
14. Search for Suspicious Executables
Look for unusual binaries:
find /mnt/windows -name "*.exe"
find /mnt/windows -name "*.dll"
find /mnt/windows -name "*.sys"
Large suspicious files:
find /mnt/windows -type f -size +50M
15. Detect Hidden Persistence Locations
Common malware persistence directories:
/mnt/windows/ProgramData
/mnt/windows/Users/*/AppData/Roaming
/mnt/windows/Users/*/AppData/Local/Temp
Scan example:
sudo clamdscan -r /mnt/windows/ProgramData
16. Optional: Scan Windows Registry Hives
Registry files contain persistence entries.
Location:
/mnt/windows/Windows/System32/config
Example analysis:
strings /mnt/windows/Windows/System32/config/SOFTWARE | less
Look for suspicious autoruns.
17. Full Automated Scan Command
The daemon scanner (clamdscan) is much faster than clamscan.
You can combine everything:
Recommended deep scan:
sudo clamdscan -r \
--fdpass \
--multiscan \
--log=/root/full_windows_scan.log \
/mnt/windows
Explanation:
Option        Meaning
-r            recursive scan
--fdpass      bypass Linux file permissions
--multiscan   parallel scanning threads
Then run YARA:
sudo yara -r /opt/yara-rules/rules/index.yar /mnt/windows >> /root/full_windows_scan.log
This can detect:
espionage malware
command-and-control implants
advanced backdoors
ransomware frameworks
==============================================================
Important Reality Check
Even with many signatures:
ClamAV
YARA
can detect known APT malware, but brand-new nation-state tools are often custom
and may evade antivirus.
Professional investigations also use:
memory forensics
network traffic analysis
behavioral monitoring
================================================================
✅ If you want, I can also show you a very powerful technique used by malware
analysts:
How to detect stealth rootkits and espionage implants by comparing Windows
system files against Microsoft's official hashes.
This method can expose very advanced malware that antivirus completely misses.
Regards,
Mr. Turritopsis Dohrnii Teo En Ming
Extremely Democratic People's Republic of Singapore
11 Mar 2026 Wednesday 7.17 pm Singapore Time
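An added example, not from the thread and not ClamAV's or YARA's own tooling: a small POSIX shell script that wires steps 9 and 17 of the quoted guide together (read-only mount, clamdscan with --fdpass and --multiscan, yara pointed at a rules index rather than a directory) and condenses the combined log into one hit list. The device /dev/sda2, the mount point /mnt/windows and the rules path /opt/yara-rules/rules/index.yar are assumptions; the log lines at the bottom are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): offline scan of a mounted Windows
# partition with clamdscan + yara, then one summary of hits from the log.
# Assumed: /dev/sda2 holds Windows, /mnt/windows is free, and
# /opt/yara-rules/rules/index.yar exists (the Yara-Rules index file).
set -u
MOUNT=/mnt/windows
LOG=/root/full_windows_scan.log
RULES=/opt/yara-rules/rules/index.yar

# Mount read-only so the scan cannot alter evidence or execute anything
# from the suspect disk.
mount_windows() {
    mkdir -p "$MOUNT"
    mount -o ro,noexec,nodev "$1" "$MOUNT"
}

# --fdpass hands clamd an already-open descriptor, so the clamav user needs
# no read permission on the mount; --multiscan uses clamd's worker threads.
# yara takes a rules file (an index that includes others), not a directory.
run_scan() {
    clamdscan -r --fdpass --multiscan --log="$LOG" "$MOUNT"
    yara -r -w "$RULES" "$MOUNT" >> "$LOG"
}

# Reduce the mixed log to "engine<TAB>detection<TAB>path", one hit per line.
# clamdscan hit:  /mnt/windows/x.exe: Win.Trojan.Foo FOUND
# yara hit:       Rule_Name /mnt/windows/x.exe
summarize_log() {
    awk '
        / FOUND$/ { sub(/ FOUND$/, ""); i = index($0, ": ")
                    print "clamav\t" substr($0, i + 2) "\t" substr($0, 1, i - 1); next }
        /^[A-Za-z_][A-Za-z0-9_]* \// { r = $1; sub(/^[^ ]+ /, ""); print "yara\t" r "\t" $0 }
    ' "$1" | sort -u
}

# Constructed sample log so the summary step runs without clamd or yara.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
/mnt/windows/Users/bob/AppData/Local/Temp/inst.exe: Win.Trojan.Agent-123 FOUND
/mnt/windows/Windows/System32/kernel32.dll: OK
/mnt/windows/ProgramData/svc.dll: Win.Malware.Generic-456 FOUND
----------- SCAN SUMMARY -----------
Infected files: 2
APT_Suspicious_Loader /mnt/windows/ProgramData/svc.dll
EOF
summarize_log "$SAMPLE"
rm -f "$SAMPLE"
```

On the live system, run as root: `mount_windows /dev/sda2 && run_scan && summarize_log "$LOG"`.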