ClamAV For Windows SigUI Manual

User Manual: Pdf

Open the PDF directly: View PDF PDF.
Page Count: 23

DownloadClamAV For Windows - SigUI Sigui-manual
Open PDF In BrowserView PDF
Signature configuration UI
User Manual

Contents
1 Overview
1.1 Features . . . . . . .
1.2 Using SigUI . . . . .
1.2.1 Launching the
1.2.2 How it works

. . . . . . .
. . . . . . .
application
. . . . . . .

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

3
3
4
4
4

2 Usage examples
5
2.1 Configuring a proxy . . . . . . . . . . . . . . . . . . . . . . . . 5
2.2 Choosing a mirror . . . . . . . . . . . . . . . . . . . . . . . . . 6
2.3 Deploying custom signature updates . . . . . . . . . . . . . . 6
2.3.1 Deploying your own signatures from a webserver . . . . 7
2.3.2 Deploying your own signatures from a network share . 7
2.3.3 Deploying third-party signatures . . . . . . . . . . . . . 8
2.3.4 Manually copying custom signatures to database directory 8
2.3.5 Removing signature files . . . . . . . . . . . . . . . . . 9
2.3.6 Automating signature and configuration file deployments on a network . . . . . . . . . . . . . . . . . . . . 10
2.4 Setting up a local mirror . . . . . . . . . . . . . . . . . . . . . 11
3 User interface
3.1 Updater configuration . . . . . . . . .
3.1.1 Proxy settings . . . . . . . . . .
3.1.2 Signature sources . . . . . . . .
3.1.3 Saving configuration and testing
3.2 Local signature management . . . . . .
3.3 Run freshclam to test configuration . .
3.4 Custom URLs . . . . . . . . . . . . . .
3.5 Reloading the databases . . . . . . . .
4 Copyright and License

.
.
.
.
.
.
.
.

.
.
.
.
.
.
.
.

.
.
.
.
.
.
.
.

.
.
.
.
.
.
.
.

.
.
.
.
.
.
.
.

.
.
.
.
.
.
.
.

.
.
.
.
.
.
.
.

.
.
.
.
.
.
.
.

.
.
.
.
.
.
.
.

.
.
.
.
.
.
.
.

.
.
.
.
.
.
.
.

.
.
.
.
.
.
.
.

.
.
.
.
.
.
.
.

13
13
13
13
14
14
15
15
17
19

2

Contents

Glossary

21

ClamAV for Windows - Signature configuration UI - User Manual,
© 2010 Sourcefire, Inc.
Authors: Török Edvin
This document is distributed under the terms of the GNU General Public
License v2.
Clam AntiVirus is free software; you can redistribute it and/or modify it
under the terms of the GNU General Public License as published by the
Free Software Foundation; version 2 of the License.
This program is distributed in the hope that it will be useful, but
WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
See the GNU General Public License for more details.
You should have received a copy of the GNU General Public License along
with this program; if not, write to the Free Software Foundation, Inc., 51
Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
ClamAV and Clam AntiVirus are trademarks of Sourcefire, Inc.

2

1
Overview
CHAPTER

ClamAVallows users to deploy and use their own (or third party) virus
signatures in addition to the official virus signatures. The virus signature
database updater (freshclam) can also be adapted to the user’s environment.
This is usually done by editing the configuration file freshclam.conf,
and copying the custom signatures to the database directory.
However ClamAV for Windows protects the database directory against
changes, even if those changes are attempted by a user with Administrator privileges. A new tool is needed to make these changes: Signature
configuration UI (SigUI).

1.1. Features
Using SigUI an Administrator can:
• Configure freshclam to use a proxy
• Configure which mirror freshclam should use
• Configure updates of custom signatures by freshclam
• Manually copy virus signature databases to ClamAV’s database directory
• Deploy an existing freshclam.conf
1

created using SigUI

1

to multiple machines

4

1.2. Using SigUI

1.2. Using SigUI
1.2.1. Launching the application
The application can be launched from the Start Menu: Start → All Programs
→ ClamAV for Windows → SigUI
Or you can navigate to the installation directory of ClamAV for Windows1 , and from the clamav subfolder launch sigui.exe:

In either case you must run this program with administrative privileges. On
Windows Vista and later you will get the UAC popup to grant Administrator
privileges to the application 2 . On earlier versions you will need to login as
Administrator.

1.2.2. How it works
When changing freshclam settings via the UI, it first verifies that the settings
are syntactically correct, and saves them in freshclam.conf.
When installing custom signatures, SigUI verifies that ClamAVcan successfully load the databases, and install only those that are successfully
loaded.
Once the databases are successfully installed, a reload is queued. ClamAV
for Windows will reload the databases the next time the system is idle. SigUI
will show a notification when the reload happens.

1

C:\Program Files\ClamAV for Windows by default
If you are running as a user that has Administrator privileges, this is a simple "I
Allow/Continue" style popup, otherwise it asks you for a login and password of a user with
Administrator privileges
2

4

2
Usage examples
CHAPTER

2.1. Configuring a proxy
Freshclam by default attemps to connect to the Internet directly. If you can
only access the Internet by using a proxy, then you should configure the proxy
using SigUI.
If you have already configured a system wide proxy setting, then easiest
is to just press the Retrieve system proxy settings button on the Updater
configuration tab. This will retrieve the proxy settings from Internet Explorer,
and display them in the Proxy settings section. If the settings are correct,
click Save settings.
You can also manually input the proxy settings:
• Tick the Proxy required for Internet access checkbox
• Set the proxy server and port in the Proxy server: and Proxy port:
fields
• If the proxy requires a username and password, then tick the Authentication required checkbox
– Enter the username in the Proxy username: field
– Enter the password in the Proxy password: field

1

• Check that the settings are correct
• Click Save settings
To test whether the proxy settings work, click Run freshclam to test
configuration. This will run freshclam, and display an error if it failed to
connect through the proxy. See Section 3.3 for details.
1

Note that the password will be saved as cleartext in freshclam.conf

6

2.2. Choosing a mirror

2.2. Choosing a mirror
Freshclam by default uses the db.local.win.clamav.net mirror. Although
this works well most of the time, you can get better download speeds by using
a mirror from your country:
• Open SigUI
• Open the Download Official Signatures from mirror dropdown

1

• Mirrors are of the form db.XY.clamav.net, where XY is your two-letter
country-code
• Select the mirror corresponding to your country
• Click Save settings
You can also enter the hostname of the mirror you wish to use, instead of
choosing one from the dropdown. This mirror can be a server on your own
network too. See Section 2.4.

2.3. Deploying custom signature updates
In addition to the official virus signatures, you can use your own signatures, or
signatures provided by third-parties. To deploy them you have these choices:
• Put your custom signatures on your own webserver. See Section 2.3.1
• Put your custom signatures on a network share. See Section 2.3.2
• Manually copy your custom signatures each time you change them. See
Section 2.3.4
• Write and deploy a script that copies the signatures to a local drive,
and runs SigUI in command-line mode. See Section 2.3.6
A reload of the signatures is queued once the signatures are installed. See
Section 3.5.
1

On the Updater configuration tab, in the Signature sources section

6

7

Chapter 2. Usage examples

2.3.1. Deploying your own signatures from a webserver
If you have written your own signatures and want to deploy them to multiple
ClamAV for Windows installations on your network, then the easiest is
to put the signatures on your webserver (in your LAN).
The custom signature can be in any format that ClamAV understands.
See http://www.clamav.net/doc/latest/signatures.pdf section 3 "Signature formats" for details about the format. All the signature files, except
CVD, are ASCII files. Both Unix (LF) and Windows-style (CR+LF) lineendings are accepted. CVD files are binary files though, so you should not
modify them. The format of signatures is determined based on the database
extension (in a case insensitive manner), so you must make sure to preserve
the file’s contents and extension when copying it. (You can safely rename the
file, as long as you preserve the extension).
Since these files are not digitally signed 1 , it is your responsibility to ensure
that the signature files are not altered (by malware, etc.).
Deploying a new signature file is easy:
• Copy the signature to your webserver, at a location of your choice
• Open SigUI
• Click the Add button next to the Custom signature URLs section
• Enter the full URL to your new signature file
• Click OK.
• Click Save settings
• See Section 3.4 for details
• You can repeat this operation on each machine that has ClamAV for Windows installed, or you can automate it, see Section 2.3.6

2.3.2. Deploying your own signatures from a network
share
This is similar to downloading a signature file from a webserver, see Section 2.3.1. Except you have to add an UNC path instead of an http://
URL.
1

Official CVD files are digitally signed

7

8

2.3. Deploying custom signature updates

However ClamAV for Windows requires this UNC path to be readable
by the SYSTEM account. Usually network shares, and network mapped
drives are not accessible to this user. If you have made them accessible (it is
out of scope for this document to discuss how), then you can of course use
them in SigUI.

2.3.3. Deploying third-party signatures
If you want to deploy third-party signatures that are not in CVD format 1 , you
can do so with some additional steps:
• Download the third-party signatures to your server
• Check their integrity by comparing against the third-party supplied
checksum and digital signatures. There usually are scripts to accomplish
this
• Copy the signatures to your webserver, at a location of your choice
• Make sure you preserve the extension of the files, as the signature format
is determined based on the extension
• Add the full URL path to these signatures to freshclam.conf using
SigUI. See Section 3.4
Note that if you add third-party signatures memory usage will increase
(depending on the complexity and size of the signatures), and performance
may be different.
Note that the downloaded signature files will all be placed in the same
directory. Hence you must make sure you don’t have two URLs that, when
downloaded, have the same filename. The UI will warn you if you try to do
that2 .

2.3.4. Manually copying custom signatures to database
directory
If you want ClamAV to use a custom signature, you just need to copy it to
its database directory. However, as explained earlier in this document, that
directory is protected against changes so you need to use SigUI to copy the
databases.
This can be achieved by using the Local signature management tab:
1

freshclam supports third-party signatures in CVD format, but there are no such
signatures yet
2
the two URLs with same filenames will just keep overwriting the same file

8

9

Chapter 2. Usage examples

• Click Add
• This will open the standard Open file(s) dialog
• Select the file(s) you want to add
• Click Open
• The files will show up in the New signatures list
At this point the files haven’t been installed yet. The databases currently
installed can be seen in the Installed signatures list. By default you should
see main.cvd,daily.cvd, and bytecode.cvd 1 .
You want your new signatures to show up in the Installed signatures, so
the next step is clicking on Verify and Install signatures. This will perform
the following:
• Copy all the signatures to a (protected) temporary staging directory 2 .
• Test the signatures by loading each one3 . CVD files also have their
digital signature checked.
• The signatures that pass verification are installed in the real database
directory
• ClamAV for Windows will load them the next time it updates the
database (usually once ah hour)
• If there are signatures that fail verification an error message will be
shown, with details on why the signatures failed to load.

2.3.5. Removing signature files
If you want to remove one of your signatures, you can select the file in the
Installed signatures list, and click Delete. This will erase the file from the disk!
Note that you can delete the files automatically downloaded by freshclam
too, but they will just reappear at the next update. The only file you can’t
delete is daily.cvd and daily.cld. The presence of one these files is essential to
the proper operation of the ClamAV engine.
1

Or .cld once they are updated. CVD files change into CLD files upon an update. Of
course if the updater didn’t run yet you won’t see any files there
2
clamav\staging_dir subdirectory
3
Using libclamav.dll only, they are not loaded in the realtime engine

9

10

2.3. Deploying custom signature updates

2.3.6. Automating signature and configuration file deployments on a network
The graphical mode of SigUI is useful for making local changes to freshclam.conf
and the database directory. However if you want to automate the process
(call it from a script), there is a commandline interface too:
• You must run it as Administrator user. Otherwise you get the UAC
popup, which is not what you want in a script.
• If you want to copy signatures to the database directory:
– Create a file signatureslist with the full path to the signatures
you want to install, one on a line. Don’t quote or escape the
filenames, just write them as is.
– Run:
" C :\ Program Files \ ClamAV for Windows \ clamav \ SigUI . exe
" -i < signatureslist

– Another alternative is to pipe it the output of another program 1 :
echo ’< databasepath > ’ | " C :\ Program Files \ ClamAV for
Windows \ clamav \ SigUI . exe " -i

– SigUI will test each database by loading them, and prints progress
messages to the standard output.
– SigUI will print error messages on failed database loads to the
standard error
– The exitcode will be 0 if all signatures were successfully installed,
and nonzero if some signatures failed to install
Note that using freshclam’s support for custom signature URLs is
usually a better solution, you will only need to deploy the modified
freshclam.conf.
• Deploying a modified freshclam.conf:
– Create a freshclam.conf on one machine with SigUI
– Test it, see Section 3.3
1

Interactively entering the filenames from the commandprompt won’t work

10

11

Chapter 2. Usage examples

– Write a script to automatically invoke SigUI.exe on each machine on your network (for example using a logon script, or a msi
installer)
– Have it execute this command:
" C :\ Program Files \ ClamAV for Windows \ clamav \ SigUI . exe
" -w < new \ _freshclam . conf

– Alternatively you can pipe it the freshclam.conf:
somecommand | " C :\ Program Files \ ClamAV for Windows \
clamav \ SigUI . exe " -w

– SigUI will test the config file for syntactic correctness, and install
it if it is valid

2.4. Setting up a local mirror
If you have a lot of ClamAV installations on your local network, then you
can setup freshclam as described in the answer for I’m running ClamAV
on a lot of clients on my local network at http://www.clamav.net/lang/
en/support/faq/faq-cvd/. Once you’ve setup the local mirror you can
configure it:
• Open SigUI
• Enter the hostname, or IP address of your local mirror in the Download
official signatures from mirror: field
• Click Save settings
• Click Run freshclam to test configuration. See Section 3.3
Another option is to setup a caching proxy, and set ClamAV to use that.
See Section 2.1.

11

12

2.4. Setting up a local mirror

12

3
User interface
CHAPTER

3.1. Updater configuration
When you open SigUI the Updater configuration tab is open, see Figure 3.1.
It has 2 sections:

3.1.1. Proxy settings
If Proxy required for Internet access
is not ticked, then freshclam will
connect directly to the internet.
If it is ticked, then the server
and port fields, and Authentication
required checkbox will be enabled.
If the Authentication required
checkbox is ticked the username and
password fields will be enabled too.
The Retrieve system proxy settings will attempt to retrieve the
proxy settings from Internet Explorer, and fill the above fields.
See Section 2.1 for an example.

3.1.2. Signature sources
Here you can configure what databases
will freshclam automatically download.

Figure 3.1: Updater configuration

14

3.2. Local signature management

Download Official Signatures from
mirror allows you to choose the mirror that freshclam will use to download the virus databases. You can either
enter a custom hostname, or select one from the list (preferably the one that
matches your countrycode). See Section 2.2 for an example.
Official bytecode signatures is by default enabled. If you want to disable
it, untick it. But you must be aware that you will miss some detections, or
even bugfixes.
Custom signature URLs is a list of custom URLs that freshclam will
download and install as new virus signature databases. You can use the Add
and Remove buttons to manage the list. The list accepts http:// URLs, or
UNC pathes. See Section 2.3 for detailed examples.

3.1.3. Saving configuration and testing
Pressing the Save settings will validate all the fields on this tab, and save
the settings to freshclam.conf. If there is anything wrong an error message
will be shown.
Pressing the Run freshclam to test configuration will test whether the new
freshclam.conf works as expected. If this results in error you should fix it,
otherwise your custom databases won’t be used.1

3.2. Local signature management
This tab allows you to manage the signatures installed in the database
directory, see Figure 3.2.
There upper section, New signatures shows the signatures you are about
to install, and the bottom section, Installed signatures shows the already
installed signatures. You can manage the top list using the Add and Remove
button (Add launches a standard Open file dialog).
The bottom list is managed by SigUI and freshclam. You can press
Verify and Install signatures to validate and copy the signatures from the
list above to the one below. Signatures are only copied after they have been
verified as valid, an error is shown for malformed signatures. See Section 2.3.4
for an example.
1

The official ones should still be downloaded correctly even in case of errors, unless
freshclam.conf is very broken

14

15

Chapter 3. User interface

The Delete button will delete the
actual signatures files from disk, it
should be used only if you know
what you are doing (a confirmation
message is shown prior to delete of
course).

3.3. Run freshclam to
test configuration
Pressing this button will launch
freshclam, and opens a window to
show its output, see Figure 3.3.
The output shows the progress
of the update, and any error messages from freshclam. It is recommended that once you change
freshclam.conf, by clicking Save
settings, to test it by clicking on Run Figure 3.2: Local signature management
freshclam to test configuration.
The window has a button to forcefully terminate freshclam, but this
should only be used if for some reason it hangs. Note that by default
the timeout for connecting to a remote server is 30 seconds, so you should wait at least 30 seconds before
terminating it.
Once freshclam finishes the button changes to a Close window button, that can be safely pressed to
dismiss the window.

3.4. Custom URLs
The Custom signature URLs section
on the Updater configuration page
allows you to add custom URLs.

Figure 3.3: SigUI: Freshclam output
window

15

16

3.4. Custom URLs

Freshclam will automatically
download these each time it updates
the official signatures (usually once
an hour). If your webserver supports
If-Modified-Since headers, it will only download the new database if it is
newer than the already installed one.
Digital signatures are checked only for CVD signatures1 . Freshclam automatically tests all signatures (for syntactic correctness) after downloading,
but before installing them. If a signature file is malformed it is not installed
and an error is logged.
Usage:
• Click Add to add a new URL, press OK when done
• If the URL is not in the correct format, an error message is shown.
Correct the URL and press OK again.
• The new URL shows up in the Custom signature URLs section
• Add as many URLs as needed
• You can remove an URL by clicking the Remove button. WARNING:
If the database was already downloaded it won’t remove the downloaded
signature file from the disk. See Section 2.3.5 on how to do that.
• Check that you entered the correct URLs.
• Click Save settings.
• Click Run freshclam to test configuration to make sure freshclam is
able to correctly download the signatures. Freshclam will only install
signatures that are in the syntactically correct. See Section 3.3
Note that the downloaded signature files will all be placed in the same
directory. Hence you must make sure you don’t have two URLs that, when
downloaded, have the same filename. The UI will warn you if you try to do
that. 2 .
1
2

because they are the only ones that contain such signatures
the two URLs with same filenames will just keep overwriting the same file

16

17

Chapter 3. User interface

3.5. Reloading the databases
A database reload is automatically queued in the following situations:
• You click Run freshclam to test configuration, after freshclam finishes
and you close the window
• You install new databases by clicking on Verify and Install signatures
• You remove a database by using the Delete button
The reload will happen the next time the system is idle (or immediately
if already idle).

17

18

3.5. Reloading the databases

18

4
Copyright and License
CHAPTER

The Signature configuration UI is released under the GNU General Public
License version 2.
Copyright (C) 2010 Sourcefire, Inc.
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License version 2 as
published by the Free Software Foundation.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
MA 02110-1301, USA.

20

20

Glossary
ClamAV Clam AntiVirus engine, see http://www.clamav.net. 3, 4, 7–9,
21
CVD ClamAV Virus Database. A file that contains multiple signature types,
and a digital signature. This is the format in which the official signatures
are distributed. 7, 8, 16
daily.cld A daily.cvd, after freshclam updated it. 9
daily.cvd An important database file for ClamAV. Contains often updated
virus signatures, file type definitions, engine configuration, and whitelists.
9, 21
db.local.win.clamav.net db.local.win.clamav.net is a round robin record
that tries to equally balance the traffic between the best database
mirrors.. 6
freshclam ClamAV’s signature databases updater application. 3–6, 9–11,
13–16, 21
freshclam.conf The configuration file for freshclam. 3–5, 8, 10, 14, 15
hostname DNS name of a server. 6
mirror A server holding an exact copy of the original server, for better load
balancing and bandwidth purposes.. 6, 14
SigUI ClamAV for Windows - Signature Configuration User Interface. The
application documented in this manual. 8, 10
SYSTEM account A highly privileged account. This is the account used
by system services. You cannot login as SYSTEM. 8

22

Glossary

UAC User Account Control, a security infrastructure introduced in Windows
Vista. 10
UNC path Uniform Naming Convention path. A path of the form \\ComputerName
\\SharedFolder \\Resource, or a long UNC path starting with \\?\.
7, 8, 14

22
Source Exif Data: 
File Type                       : PDF
File Type Extension             : pdf
MIME Type                       : application/pdf
PDF Version                     : 1.5
Linearized                      : No
Page Count                      : 23
Page Mode                       : UseOutlines
Page Layout                     : OneColumn
Author                          : Török Edvin 
Title                           : ClamAV for Windows - SigUI
Subject                         : User Manual
Creator                         : LaTeX with hyperref package
Producer                        : pdfTeX-1.40.10
Create Date                     : 2011:01:20 10:30:59+02:00
Modify Date                     : 2011:01:20 10:30:59+02:00
Trapped                         : False
PTEX Fullbanner                 : This is pdfTeX, Version 3.1415926-1.40.10-2.2 (TeX Live 2009/Debian) kpathsea version 5.0.0
EXIF Metadata provided by EXIF.tools

Navigation menu