Tuesday, November 27, 2012

Back in February, Joel Esler, our Open Source Community Manager, explained how you could contribute rules to Snort. We just wanted to let you know that the VRT is seeking and accepting your contributions on the ClamAV side as well.

One of the best features of ClamAV is the openness of the signature database. Very few anti-malware products let you see exactly how a signature is constructed and let you use your own custom signatures. We strive to provide the best protection we can to our users through the official signature releases we publish several times a day. However, the nature of our field means that at some point (if you haven't already) you will come across malware for which there are no official signatures.

That's where your contribution is sought and would be highly appreciated. If you come across malware that isn't detected by the official ClamAV signatures and you have your own signature to detect it, please send it to us! It will go through our regular QA cycle and we will give you personal feedback. Your signature will be tweaked if necessary and tested against our clean-file set to prevent false positives once released. We will also credit you for the signature you contributed unless you choose to remain anonymous.

You have a few ways of contributing signatures:

- Go to http://www.clamav.net/lang/en/sendvirus/submit-malware/ and, in the description field, provide your signature along with supporting evidence. Attach your sample and submit.

- Submit your password-protected zip (a typical password is 'infected') along with your research and signature via email to vrt[at]sourcefire.com

We prefer "body-based" signatures over "checksum-based" signatures. A checksum signature only ever matches the one file it was taken from, while a hex (body) signature is built from a fragment of the malware sample's body, converted into a hexadecimal string that can be extended with various wildcards, so it can also catch variants. More on how to write ClamAV signatures here and here.
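To show what "extended using various wildcards" means in practice, here is an added example (not ClamAV's own code, which implements this in its matcher and in sigtool): a small Python translator that takes a body-based hex signature in the .ndb line format `Name:TargetType:Offset:HexSignature`, turns the common wildcards into a bytes regex, and runs it over a constructed sample. The signature and sample bytes are made up for the example; only the `*` and absolute-offset forms of the offset field are handled, and the target type is ignored.

```python
import re

# Wildcards handled (the commonly used subset of ClamAV body-signature syntax):
#   ??    any one byte        *     any run of bytes      {n}   exactly n bytes
#   {n-m} n..m bytes          {-m}  up to m bytes         {n-}  at least n bytes
#   (aa|bb) one of the listed hex byte strings
TOKEN = re.compile(r"\?\?|\*|\{(\d*)(-)?(\d*)\}|\(([0-9a-fA-F|]+)\)|([0-9a-fA-F]{2})")


def signature_to_regex(hexsig: str):
    """Compile a ClamAV hex body signature into a DOTALL bytes regex."""
    parts, pos = [], 0
    for m in TOKEN.finditer(hexsig):
        if m.start() != pos:                      # unparsed characters between tokens
            raise ValueError(f"bad signature syntax at {pos}: {hexsig[pos:]!r}")
        pos, tok = m.end(), m.group(0)
        if tok == "??":
            parts.append(b".")
        elif tok == "*":
            parts.append(b".*?")
        elif tok.startswith("{"):
            lo, dash, hi = m.group(1), m.group(2), m.group(3)
            if not dash:                          # {n}: fixed-length gap
                parts.append(b".{%d}" % int(lo))
            else:                                 # {n-m}, {-m}, {n-}: bounded gap
                parts.append(b".{%s,%s}" % ((lo or "0").encode(), hi.encode()))
        elif tok.startswith("("):                 # (aa|bb): alternation of byte strings
            alts = (re.escape(bytes.fromhex(a)) for a in m.group(4).split("|"))
            parts.append(b"(?:" + b"|".join(alts) + b")")
        else:                                     # plain hex byte, matched literally
            parts.append(re.escape(bytes.fromhex(tok)))
    if pos != len(hexsig):
        raise ValueError(f"trailing garbage in signature: {hexsig[pos:]!r}")
    return re.compile(b"".join(parts), re.DOTALL)


def ndb_matches(ndb_line: str, data: bytes) -> bool:
    """Apply one .ndb signature line to a file's bytes (offset '*' or absolute only)."""
    _name, _target, offset, hexsig = ndb_line.split(":", 3)
    pattern = signature_to_regex(hexsig)
    if offset == "*":
        return pattern.search(data) is not None
    return pattern.match(data, int(offset)) is not None


# Constructed signature and samples; these bytes are invented for the example.
SIG = "Example.Body-1:0:*:4d5a9000{2-8}50450000(ff|00)??deadbeef"
SAMPLE_HIT = bytes.fromhex("4d5a900003000000ffff50450000ff41deadbeef")
SAMPLE_MISS = bytes.fromhex("4d5a900003000000ffff504500004241deadbeef")  # 42 is not in (ff|00)

if __name__ == "__main__":
    print(ndb_matches(SIG, SAMPLE_HIT), ndb_matches(SIG, SAMPLE_MISS))  # True False
```

The `{2-8}` gap and the `(ff|00)` alternation are what let one signature cover several variants of the same fragment, which a checksum signature cannot do.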

Of course we are always accepting false positive submissions here.