Skip to content

ClamAV

ClamAV decode found matches

grep -h instream /var/log/clamav/clamav.log | sed -e "s@.*SecuriteInfo@SecuriteInfo@g;s@\.UNOFFICIAL.*@:@g" | grep -f - /var/lib/clamav/*.ndb |  sigtool --decode-sigs
  1. grep -h instream /var/log/clamav/clamav.log: This uses the grep utility to search for the string 'instream' in the /var/log/clamav/clamav.log file. The -h option suppresses the prefixing of file names on output when multiple files are searched.
  2. sed -e "s@.*SecuriteInfo@SecuriteInfo@g;s@\.UNOFFICIAL.*@:@g": We are using sed here for stream editing. The -e option allows to add the script directly from the command line. It consists of two parts, divided by the semicolon ;. Both parts use the substitute command s to replace certain text:
  3. s@.*SecuriteInfo@SecuriteInfo@g: Replaces everything that starts from the beginning of a line till the string 'SecuriteInfo' with the string 'SecuriteInfo'. The g indicates global replacement for every occurrence in the line, not just the first.
  4. s@\.UNOFFICIAL.*@:@g: Replaces the string '.UNOFFICIAL' together with everything that follows it till the end of the line with a single colon :.
  5. grep -f - /var/lib/clamav/*.ndb: Processes the filtered input from the previous commands and uses it as patterns file (-f -) to search through all .ndb files in the /var/lib/clamav directory. Each line of these files is checked against each pattern, and if matches are found, they are sent to the output.
  6. sigtool --decode-sigs: Lastly, sigtool is a utility that comes with the Clamav antivirus tool and is used for managing antivirus databases. The --decode-sigs switch is used here to decode the Clamav signatures from the previous step. This is done to convert the signatures from their encoded form into a more readable output that shows exactly what the signature is looking for.