Extending ClamAV Signatures with RFXN Database for PHP Malware’s

You can use 3rd party compiled malware and virus signature databases to extend ClamAV signature database collection with better detection PHP malware.

RFXN (R-FX NETWORKS) Database signatures are updated typically once per day or more frequently depending on incoming threat data from the LMD checkout feature, IPS malware extraction, and other sources.

Malware.Expert also generates PHP Signatures to help improve the ClamAV detection rate on PHP malware in shared hosting environments. Our malware signatures are generated daily from shared web hosting servers that contain malware. We also collect manual way false and positive files, which our signatures are detected or not detected.


Add the following database lines into freshclam.conf at very bottom of file:

DatabaseCustomURL http://www.rfxn.com/downloads/rfxn.ndb
DatabaseCustomURL http://www.rfxn.com/downloads/rfxn.hdb
DatabaseCustomURL http://www.rfxn.com/downloads/rfxn.yara

Typically freshclam.conf file found in /etc folder, but this may depend your OS and installation method.

Updating ClamAV Database

You can then run freshclam command or restart freshclam daemon, which depend again your OS and installation method.

ClamAV update process started at Thu Aug 20 20:39:15 2020
Downloading malware.expert.ndb [100%]
malware.expert.ndb updated (version: custom database, sigs: 1115)
Downloading malware.expert.hdb [100%]
malware.expert.hdb updated (version: custom database, sigs: 425)
Downloading malware.expert.ldb [100%]
malware.expert.ldb updated (version: custom database, sigs: 142)
Downloading malware.expert.fp [100%]
malware.expert.fp updated (version: custom database, sigs: 62)
Downloading rfxn.ndb [100%]
rfxn.ndb updated (version: custom database, sigs: 2035)
Downloading rfxn.hdb [100%]
rfxn.hdb updated (version: custom database, sigs: 12785)
Downloading rfxn.yara [100%]
rfxn.yara updated (version: custom database, sigs: 23244)

main.cld is up to date (version: 59, sigs: 4564902, f-level: 60, builder: sigmgr)
daily.cld is up to date (version: 25905, sigs: 3971036, f-level: 63, builder: raynman)
bytecode.cld is up to date (version: 331, sigs: 94, f-level: 63, builder: anvilleg)
Database updated (8537776 signatures) from database.clamav.net

As we see, now there is downloaded rfxn.ndb, rfxn.hdb and rfxn.yara signatures to ClamAV.