ClamAV was first introduced in 2002; since then, the
signature set has grown without bound, delivering as many detections as
possible to the community. Due to continually increasing database sizes and
user adoption, we are faced with significantly increasing costs of distributing
the signature set to the community.
To address the issue, Cisco Talos has been working to
evaluate the efficacy and relevance of older signatures. Signatures which no
longer provide value to the community, based on today’s security landscape,
will be retired.
We are making this announcement as an advisory that our
first pass of this retirement effort will cause a significant drop in database
size for both the daily.cvd and main.cvd.
Our goal is to ensure that detection content is targeted to
currently active threats and campaigns. We will judge this based on signature
matches seen in our data feeds and those of our partners over an extended period of
time. We will continue to evaluate detection prevalence for retired signatures
and will restore any signatures to the active signature set as needed to
protect the community. Going forward, we will continue to curate the signature
set to match the security landscape. This may result in further reductions in
the total number of signatures included in the signature set alongside the
normal growth that comes from newly added coverage.
These are the impacts on signature database sizes you can expect from the first
pass:

| File Name | September 2025 | December 2025 after retirement of signatures |
|---|---|---|
| main.cvd | 163 MB | ~80 MB |
| daily.cvd | 62 MB | ~22 MB |

In addition to the reduction in size of the signature set,
we will also begin to remove container images from Docker Hub. We are doing
this to remove container images which may contain vulnerabilities either in
ClamAV or in the base image, and to reduce the burden on Docker Hub itself,
which presently hosts over 300 GiB of ClamAV container images.
When complete, we will only provide container images on
Docker Hub for the supported versions of ClamAV. At this time, these will
include:

| Release | Tags |
|---|---|
| 1.5 | 1.5, 1.5.1, latest, stable |
| 1.4 LTS | 1.4, 1.4.3 |
| 1.0 LTS | 1.0, 1.0.9 |

We recommend that ClamAV container image users select a
feature release tag rather than a specific minor release tag in order
to stay up to date with security and bug fixes.

ClamAV Signature Retirement Open Source FAQ:

What if bad actors begin to reuse old malware and old exploits?
Our team is committed to reintroducing any signature based on the activity of
bad actors in a timely fashion.

Can open-source users access the signatures that have been retired from
main.cvd?
We intend to make the retired signatures available at a later date for
researchers and corner cases.

Is this an ongoing process?
Cisco Talos will continue to curate the signature set and may retire signatures
as they lose relevance to today’s security landscape.

How will open-source users benefit from these changes?
Smaller file downloads come with inherent advantages, but unbounded growth is not
sustainable, and we have already outgrown the resources available for scanning on some
server configurations. We anticipate a noticeable RAM usage reduction for the
ClamAV engine, possibly by as much as 25%.

When will users see a change in file sizes?
Signature retirement and the file size reduction will begin on December 16th,
2025.
Users will notice that the main.cvd and daily.cvd will be roughly 50% smaller
than they were prior to that date.