Dear Arnaud Jacques,

How do I use the additional signatures at www.securiteinfo.com?

Are the steps to install complicated?

Thank you.

Regards,

Mr. Turritopsis Dohrnii Teo En Ming
Extremely Democratic People's Republic of Singapore
12 Mar 2026 Thursday 3.12 pm Singapore Time

On Wednesday, March 11th, 2026 at 12:00 PM, Arnaud Jacques 
<[email protected]> wrote:

> Hello,
> 
> This idiot ChatGPT has forgotten the best additional signatures for ClamAV:
> https://www.securiteinfo.com/clamav-antivirus/improve-detection-rate-of-zero-day-malwares-for-clamav.shtml
> 
> 
> 
> On 11/03/2026 at 12:17, Turritopsis Dohrnii Teo En Ming wrote:
> > On Wednesday, 11 March 2026 at 5:58 PM, Arnaud Jacques via clamav-users 
> > <[email protected]> wrote:
> >
> >> Hello,
> >>
> >>
> >>> Is there a Bootable ClamAV Virus Scanner USB Thumbdrive/CD/DVD for 
> >>> scanning my Windows 10/11 home desktop computer and laptops for rootkits, 
> >>> malware and spyware?
> >>
> >> You can use Kali
> >> https://www.kali.org/get-kali/#kali-live
> >>
> >> If you do not know how to use ClamAV inside Kali, you can find video
> >> tutorials on YouTube.
> >>
> >> If you already know how to configure/use ClamAV, then do not forget to
> >> use third-party additional signatures to increase the detection rate.
> >>
> >> --
> >> Cordialement / Best regards,
> >>
> >> Arnaud Jacques
> >> Manager of SecuriteInfo.com
> >>
> >> Telephone: +33-(0)3.60.47.09.81
> >> E-mail: [email protected]
> >> Website: https://www.securiteinfo.com
> >> Facebook: https://www.facebook.com/pages/SecuriteInfocom/132872523492286
> >> Twitter: @SecuriteInfoCom
> >> Writing signatures for ClamAV antivirus since 2006
> >>
> >
> > Dear Arnaud Jacques,
> >
> > Thanks for the great information!
> >
> > I have asked ChatGPT.
> >
> > The guide below is generated by ChatGPT.
> >
> > Below is a clean, complete workflow to scan a Windows disk from Linux using 
> > the fast ClamAV daemon (clamd), including APT / nation-state malware 
> > hunting with additional signatures and YARA rules.
> >
> > This assumes you already booted into Kali Linux (or another Linux 
> > environment) and want to scan a Windows partition offline.
> >
> > The antivirus engine used is ClamAV.
> >
> > 1. Install Required Tools
> >
> > Open a terminal.
> >
> > Update packages:
> >
> > sudo apt update
> >
> > Install malware-scanning tools:
> >
> > sudo apt install clamav clamav-daemon yara git wget curl
> >
> > Verify installation:
> >
> > clamscan --version
> >
> > 2. Stop Automatic Signature Service (Temporary)
> >
> > The updater sometimes locks the database.
> >
> > sudo systemctl stop clamav-freshclam
> >
> > 3. Download Official ClamAV Signatures
> >
> > Update virus database:
> >
> > sudo freshclam
> >
> > You should see downloads such as:
> >
> > main.cvd
> > daily.cvd
> > bytecode.cvd
> >
> > These are stored in:
> >
> > /var/lib/clamav/
> >
> > 4. Install Large Third-Party Signature Feeds
> >
> > These greatly increase detection of APT malware, backdoors, RATs, and 
> > espionage tools.
> >
> > A well-known project aggregates many feeds automatically.
> >
> > Install:
> >
> > cd /opt
> > sudo git clone https://github.com/extremeshok/clamav-unofficial-sigs
> > cd clamav-unofficial-sigs
> > sudo bash install.sh
> >
> > This installs feeds from threat-intelligence projects such as:
> >
> > SaneSecurity
> >
> > URLHaus
> >
> > MalwareBazaar
> >
> > These add tens of thousands of additional signatures.
> >
> > Update them:
> >
> > sudo /usr/local/sbin/unofficial-sigs.sh
> >
> > 5. Configure the ClamAV Daemon
> >
> > Edit daemon configuration:
> >
> > sudo nano /etc/clamav/clamd.conf
> >
> > Important performance settings:
> >
> > MaxThreads 12
> > MaxScanSize 2000M
> > MaxFileSize 1000M
> > MaxRecursion 20
> > MaxFiles 50000
> >
> > ScanArchive yes
> > DetectPUA yes
> >
> > LogTime yes
> > LogVerbose yes
> >
> > Enable local socket (fastest communication):
> >
> > LocalSocket /run/clamav/clamd.sock
> > LocalSocketMode 666
> >
> > Save the file.
> >
> > 6. Start the ClamAV Daemon
> >
> > Start the service:
> >
> > sudo systemctl start clamav-daemon
> >
> > Check status:
> >
> > sudo systemctl status clamav-daemon
> >
> > 7. Install APT Malware Detection Rules (YARA)
> >
> > APT malware is often detected by behavioral patterns rather than antivirus 
> > signatures.
> >
> > Install rules:
> >
> > sudo mkdir /opt/yara-rules
> > cd /opt/yara-rules
> >
> > Download common rule sets:
> >
> > APT malware rules:
> >
> > git clone https://github.com/Yara-Rules/rules
> >
> > Advanced malware rules by Florian Roth:
> >
> > git clone https://github.com/Neo23x0/signature-base
> >
> > These contain thousands of rules used by threat hunters.
> >
> > 8. Identify the Windows Partition
> >
> > List disks:
> >
> > lsblk
> >
> > Example output:
> >
> > sda
> >   ├─sda1 EFI
> >   └─sda2 Windows
> >
> > 9. Mount the Windows Partition
> >
> > Create mount directory:
> >
> > sudo mkdir /mnt/windows
> >
> > Mount partition:
> >
> > sudo mount /dev/sda2 /mnt/windows
> >
> > Now the Windows filesystem is accessible at:
> >
> > /mnt/windows
> >
> >
> > 10. Run Fast Malware Scan Using ClamAV Daemon
> >
> > Skip to step 17.
> >
> > 11. Save Scan Results to a Log File
> >
> > Skip to step 17.
> >
> > 12. Run APT Malware Threat Hunt Using YARA
> >
> > This can detect:
> >
> > espionage malware
> >
> > command-and-control implants
> >
> > advanced backdoors
> >
> > ransomware frameworks
> >
> > Skip to step 17.
> >
> > 13. Scan Critical Windows Malware Locations
> >
> > Many malware files hide here:
> >
> > /mnt/windows/Windows/System32
> > /mnt/windows/Windows/System32/drivers
> > /mnt/windows/ProgramData
> > /mnt/windows/Users
> > /mnt/windows/Temp
> >
> > Example targeted scan:
> >
> > sudo clamdscan -r /mnt/windows/Windows/System32
> >
> > 14. Search for Suspicious Executables
> >
> > Look for unusual binaries:
> >
> > find /mnt/windows -name "*.exe"
> > find /mnt/windows -name "*.dll"
> > find /mnt/windows -name "*.sys"
> >
> > Large suspicious files:
> >
> > find /mnt/windows -type f -size +50M
> >
> > 15. Detect Hidden Persistence Locations
> >
> > Common malware persistence directories:
> >
> > /mnt/windows/ProgramData
> > /mnt/windows/Users/*/AppData/Roaming
> > /mnt/windows/Users/*/AppData/Local/Temp
> >
> > Scan example:
> >
> > sudo clamdscan -r /mnt/windows/ProgramData
> >
> > 16. Optional: Scan Windows Registry Hives
> >
> > Registry files contain persistence entries.
> >
> > Location:
> >
> > /mnt/windows/Windows/System32/config
> >
> > Example analysis:
> >
> > strings SOFTWARE | less
> >
> > Look for suspicious autoruns.
> >
> > 17. Full Automated Scan Command
> >
> > The daemon scanner (clamdscan) is much faster than clamscan.
> >
> > You can combine everything:
> >
> > Recommended deep scan:
> >
> > sudo clamdscan -r \
> > --fdpass \
> > --multiscan \
> > --log=/root/full_windows_scan.log \
> > /mnt/windows
> >
> > Explanation:
> >
> > Option        Meaning
> > -r            recursive scan
> > --fdpass      bypass Linux file permissions
> > --multiscan   parallel scanning threads
> >
> > Then run YARA:
> >
> > sudo yara -r /opt/yara-rules /mnt/windows >> /root/full_windows_scan.log
> >
> > This can detect:
> >
> > espionage malware
> >
> > command-and-control implants
> >
> > advanced backdoors
> >
> > ransomware frameworks
> >
> > ==============================================================
> >
> > Important Reality Check
> >
> > Even with many signatures:
> >
> > ClamAV
> >
> > YARA
> >
> > can detect known APT malware, but brand-new nation-state tools are often 
> > custom and may evade antivirus.
> >
> > Professional investigations also use:
> >
> > memory forensics
> >
> > network traffic analysis
> >
> > behavioral monitoring
> >
> > ================================================================
> >
> > ✅ If you want, I can also show you a very powerful technique used by 
> > malware analysts:
> >
> > How to detect stealth rootkits and espionage implants by comparing Windows 
> > system files against Microsoft's official hashes.
> >
> > This method can expose very advanced malware that antivirus completely 
> > misses.
> >
> > Regards,
> >
> > Mr. Turritopsis Dohrnii Teo En Ming
> > Extremely Democratic People's Republic of Singapore
> > 11 Mar 2026 Wednesday 7.17 pm Singapore Time
> >
> 
> --
> Cordialement / Best regards,
> 
> Arnaud Jacques
> Manager of SecuriteInfo.com
> 
> Telephone: +33-(0)3.60.47.09.81
> E-mail: [email protected]
> Website: https://www.securiteinfo.com
> Facebook: https://www.facebook.com/pages/SecuriteInfocom/132872523492286
> Twitter: @SecuriteInfoCom
> Writing signatures for ClamAV antivirus since 2006
> 
> 
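The quoted guide appends `yara -r` output to the same log file that `clamdscan --log` writes, so the resulting file mixes two formats. The parser below is an added example, not part of this thread or of ClamAV/YARA; it reads such a combined log and lists the files flagged by both engines first, plus the files clamd could not read. The sample log lines, paths, signature names and rule names are constructed.

```python
import re
from collections import defaultdict

# Real output shapes: clamdscan prints "<path>: <signature> FOUND",
# "<path>: OK" or "<path>: <reason> ERROR" per file, then a summary block;
# yara -r prints "<rule> <path>" per match, appended to the same log by the guide.
CLAMD_HIT = re.compile(r"^(?P<path>.+?): (?P<sig>\S+) FOUND$")
CLAMD_ERR = re.compile(r"^(?P<path>.+?): (?P<why>.+) ERROR$")
YARA_HIT = re.compile(r"^(?P<rule>\S+) (?P<path>/.+)$")

def parse_combined_log(text):
    """Parse a log holding clamdscan output followed by appended yara output.

    Returns ClamAV hits, YARA hits, files clamd could not read, and the
    files flagged by both engines (the first ones to triage).
    """
    clam, errors, yara = {}, [], defaultdict(list)
    for line in text.splitlines():
        line = line.rstrip()
        if (m := CLAMD_HIT.match(line)):
            clam[m["path"]] = m["sig"]
        elif (m := CLAMD_ERR.match(line)):
            errors.append(m["path"])           # locked or unreadable files
        elif (m := YARA_HIT.match(line)):
            yara[m["path"]].append(m["rule"])  # one file may match several rules
        # "<path>: OK" lines and the SCAN SUMMARY block match none of the patterns
    return {
        "clamav": clam,
        "yara": dict(yara),
        "errors": errors,
        "both": sorted(set(clam) & set(yara)),
    }

# Constructed sample log (paths, signature and rule names are made up).
SAMPLE_LOG = """\
/mnt/windows/Users/Bob/AppData/Local/Temp/update.exe: Win.Trojan.Agent-123456 FOUND
/mnt/windows/Windows/System32/notepad.exe: OK
/mnt/windows/pagefile.sys: Can't open file or directory ERROR
/mnt/windows/ProgramData/svc/helper.dll: Win.Malware.Generic-7890 FOUND
----------- SCAN SUMMARY -----------
Infected files: 2
Total errors: 1
APT_Sample_Rule /mnt/windows/ProgramData/svc/helper.dll
Generic_Packer /mnt/windows/ProgramData/svc/helper.dll
Generic_Packer /mnt/windows/Users/Bob/Downloads/tool.exe
"""

if __name__ == "__main__":
    report = parse_combined_log(SAMPLE_LOG)
    for path in report["both"]:
        print(f"{path}: {report['clamav'][path]} + YARA {report['yara'][path]}")
```

Files in the `errors` list were never inspected, so a clean summary count alone does not mean they are clean.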
_______________________________________________

Manage your clamav-users mailing list subscription / unsubscribe:
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/Cisco-Talos/clamav-documentation

https://docs.clamav.net/#mailing-lists-and-chat