Malware Signatures from Malware Expert help improve the detection rate of malware in PHP files. Our malware signatures are generated from real-life PHP malware found on live web hosting servers.
Signatures
malware.expert.ndb contains generic hex-pattern signatures for PHP malware. Because some of these patterns match generic constructs (eval, base64 and similar hex sequences) they can raise false positive alarms, although the rate is still very low. We recommend scanning all .php files and checking each hit manually for malware. If a signature causes problems for you, you can whitelist it (see below).
malware.expert.yara contains YARA rules with textual or binary patterns for PHP malware (very low false positive rate). Again, scan all .php files and check any hits manually.
malware.expert.hdb contains static MD5 hash signatures for whole files. A hash match is exact, so these produce no false positives.
malware.expert.hsb contains static SHA1/SHA256 hash signatures for whole files, likewise with no false positives.
malware.expert.ldb contains logical signatures (LDB), which combine several sub-patterns in one signature to match malware in files.
malware.expert.fp is our whitelist: hashes of files that we found to trigger false positives.
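To make the false positive point concrete, here is an added example (not ClamAV's engine and not Malware Expert's real signatures) of a simplified matcher for the .ndb hex-signature format. The three signature bodies, the web shell sample and the benign sample are all constructed for this illustration; the exact pattern hits only the web shell, while the gapped generic pattern also hits a harmless test helper that happens to call eval() and later base64_decode().

```python
# Added example: a simplified matcher for ClamAV-style .ndb hex signatures,
# written to show why generic eval/base64 patterns hit benign PHP too.
# It is NOT ClamAV's engine and the signature bodies below are constructed
# stand-ins, not the real Malware Expert signatures.
import base64
import re

# Constructed .ndb lines (MalwareName:TargetType:Offset:HexSignature).
# TargetType 0 = any file type, Offset * = match anywhere in the file.
# Inside the hex body "*" matches any number of bytes and "??" one byte.
NDB_SIGNATURES = [
    # eval(base64_decode(   -- tight, byte-exact pattern
    "Malware.Expert.Generic.Eval.1:0:*:6576616c286261736536345f6465636f646528",
    # eval( ... base64_decode(   -- gapped generic pattern, prone to false positives
    "Malware.Expert.Generic.Eval.2:0:*:6576616c28*6261736536345f6465636f646528",
    # eval(gzinflate(base64_decode(
    "Malware.Expert.Generic.Eval.3:0:*:6576616c28677a696e666c617465286261736536345f6465636f646528",
]


def hex_sig_to_regex(hexsig: str) -> re.Pattern:
    """Translate the subset of ClamAV hex syntax used here into a bytes regex:
    literal hex bytes, "*" (any bytes), "??" (one byte), "{n}" / "{n-m}" gaps."""
    parts = []
    i = 0
    while i < len(hexsig):
        if hexsig[i] == "*":
            parts.append(b".*?")
            i += 1
        elif hexsig[i] == "{":
            j = hexsig.index("}", i)
            lo, dash, hi = hexsig[i + 1:j].partition("-")
            if not dash:
                parts.append(b".{%d}" % int(lo))
            else:
                parts.append(b".{%d,%s}" % (int(lo or 0), hi.encode()))
            i = j + 1
        elif hexsig[i:i + 2] == "??":
            parts.append(b".")
            i += 2
        else:
            parts.append(re.escape(bytes.fromhex(hexsig[i:i + 2])))
            i += 2
    return re.compile(b"".join(parts), re.DOTALL)


def parse_ndb(lines):
    """Return [(name, compiled_pattern)] for every well-formed .ndb line."""
    sigs = []
    for line in lines:
        fields = line.strip().split(":")
        if line.startswith("#") or len(fields) < 4:
            continue
        sigs.append((fields[0], hex_sig_to_regex(fields[3])))
    return sigs


def scan(data: bytes, sigs):
    """Names of every signature whose pattern occurs anywhere in data."""
    return [name for name, rx in sigs if rx.search(data)]


SIGS = parse_ndb(NDB_SIGNATURES)

# Constructed samples, not captured malware.
PAYLOAD = base64.b64encode(b"system($_GET['cmd']);").decode()
WEBSHELL = ("<?php eval(base64_decode('%s')); ?>" % PAYLOAD).encode()
# A legitimate test helper: eval() of a literal, then base64_decode() of a
# fixture. It trips the gapped generic pattern but not the exact one.
BENIGN = (b"<?php\n"
          b"eval('$cfg = 1;');  // fixture setup\n"
          b"$blob = base64_decode(file_get_contents('fixture.b64'));\n")

if __name__ == "__main__":
    for label, sample in (("webshell", WEBSHELL), ("benign", BENIGN)):
        print(label, "->", scan(sample, SIGS) or "clean")
```

The benign hit on Malware.Expert.Generic.Eval.2 is exactly the kind of alarm the page asks you to review by hand; the real databases are used by pointing clamscan at them with `-d` / `--database` rather than with code like this.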
Samples
If our signatures do not detect a piece of malware, you can send us a sample so that we can add it to our database.
Samples can also be directly emailed to: samples ( at ) malware.expert
Or send us a link from which we can download the sample.
Whitelist specific signature
Create a file called local.ign2 or whitelist.ign2 in your ClamAV database directory and add the names of the signatures you want to ignore, one per line.
Example:
Malware.Expert.Generic.Eval.1
Whitelist files
Use the same base name as the database that contains the detection signatures. If the signatures are in malware.expert.cld, the whitelist file is called malware.expert.fp, lives in the same directory, and holds one entry per whitelisted file in the format MD5 hash:file size:name (the name is arbitrary):
5523530941c409b349ef40fa9415247e:51204:Malware.Expert.Generic.Eval.1
Even though the detection signature still exists in malware.expert.cld, ClamAV will simply ignore any hit on a file whose hash and size match an entry in the .fp file.
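The two whitelisting steps above, as an added example that is not Malware Expert's own tooling: it builds a .fp entry (the same MD5:size:name fields that `sigtool --md5` prints) and an .ign2 entry, writes both into a ClamAV database directory, and mirrors the hash-and-size check so you can see that a one-byte change to the whitelisted file re-enables detection. The sample PHP content, the temporary directory and the pairing with Malware.Expert.Generic.Eval.1 are constructed for the illustration.

```python
# Added example (not Malware Expert's code): generate ClamAV whitelist entries.
# .fp  : MD5:size:name, one per file that caused a false positive
# .ign2: signature name, one per line
import hashlib
import os
import tempfile


def fp_line_from_bytes(data: bytes, name: str) -> str:
    """One .fp entry for the given file content; the name field is arbitrary."""
    return "%s:%d:%s" % (hashlib.md5(data).hexdigest(), len(data), name)


def fp_line(path: str, name: str) -> str:
    """Same, read from a file on disk (equivalent fields to `sigtool --md5`)."""
    with open(path, "rb") as fh:
        return fp_line_from_bytes(fh.read(), name)


def ign2_line(signature_name: str) -> str:
    """One .ign2 entry: just the signature name."""
    return signature_name.strip()


def is_hash_whitelisted(data: bytes, fp_entries) -> bool:
    """Mirror the .fp check: ignore the file only if MD5 and size both match
    (a size of '*' matches any size). Any change to the file breaks the match."""
    digest, size = hashlib.md5(data).hexdigest(), len(data)
    for entry in fp_entries:
        h, s, _name = entry.strip().split(":", 2)
        if h == digest and (s == "*" or int(s) == size):
            return True
    return False


def write_whitelist(db_dir: str, fp_entries, ign2_entries):
    """Write malware.expert.fp and local.ign2 into the ClamAV db directory."""
    with open(os.path.join(db_dir, "malware.expert.fp"), "w") as fh:
        fh.write("\n".join(fp_entries) + "\n")
    with open(os.path.join(db_dir, "local.ign2"), "w") as fh:
        fh.write("\n".join(ign2_entries) + "\n")


if __name__ == "__main__":
    # Constructed false positive: a harmless file that a generic rule flagged.
    php = b"<?php eval('$cfg = 1;'); $blob = base64_decode($fixture); ?>\n"
    with tempfile.TemporaryDirectory() as db_dir:
        sample = os.path.join(db_dir, "helper.php")
        with open(sample, "wb") as fh:
            fh.write(php)
        fp = fp_line(sample, "Malware.Expert.Generic.Eval.1")
        ign = ign2_line("Malware.Expert.Generic.Eval.1")
        write_whitelist(db_dir, [fp], [ign])
        print(".fp  :", fp)
        print(".ign2:", ign)
        print("original whitelisted:", is_hash_whitelisted(php, [fp]))
        print("modified whitelisted:", is_hash_whitelisted(php + b"\n", [fp]))
```

Prefer the .fp route when a single legitimate file is misdetected, since it leaves the signature active for every other file; an .ign2 entry silences the signature everywhere, which is only appropriate when the rule itself is unusable in your environment.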
Example positive hit
Here is an example of malware detected with ClamAV using the Malware Expert PHP signatures:
