Skip to content

A Windows desktop application built with C# and Windows Forms that implements ClamAV signature-based virus scanning functionality. This application can scan files and directories using ClamAV virus signatures.

License

Notifications You must be signed in to change notification settings

khanh779-9/ClamAV_Engine

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

3 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

ClamAV Engine - Virus Detection Application

A Windows desktop application built with C# and Windows Forms that implements ClamAV signature-based virus scanning functionality. This application can scan files and directories using ClamAV virus signatures.

Table of Contents

Features

  • File Scanning: Scan individual files for virus signatures
  • Directory Scanning: Recursively scan directories for infected files
  • Multiple Signature Types: Support for various ClamAV signature formats:
    • HDB (MD5 hash-based)
    • HSB (SHA-1 hash-based)
    • MDB (MD5 hash with offset)
    • NDB (Hex pattern matching)
    • LDB (Logical signatures with operators)
    • LDU (Logical signatures unsigned)
    • CDB (Container metadata signatures)
    • FP (False positive signatures)
  • Aho-Corasick Algorithm: Efficient pattern matching for virus detection
  • Database Organization: Support for Daily and Main virus signature databases
  • Real-time Logging: Monitor scanning progress and results
  • Signature Details: View detailed information about detected threats

Requirements

  • Operating System: Windows (XP/7/8/10/11)
  • .NET Framework: .NET Framework 4.5 or higher
  • RAM: Minimum 512 MB (2 GB recommended for large databases)
  • Disk Space: 500 MB minimum (for virus signatures database)

Installation

1. Clone or Download the Project

git clone https://github.com/yourusername/ClamAV_Engine.git
cd ClamAV_Engine

2. Build the Project

Option A: Using Visual Studio

  • Open ClamAV_Engine.slnx in Visual Studio 2015 or later
  • Build the solution (Ctrl + Shift + B)
  • Run the application (F5)

Option B: Using Command Line

cd ClamAV_Engine
msbuild ClamAV_Engine.csproj /p:Configuration=Release

Database Setup

Downloading ClamAV Virus Signature Database

The ClamAV signature database files are required for the application to detect viruses. Follow these steps:

Step 1: Download the Database Files

You can download the ClamAV virus signatures from the official ClamAV mirror:

Option 1: Using ClamAV Official Repository

  • Visit: https://www.clamav.net/downloads/productive-use-downloads
  • Download the latest version of the following files:
    • main.cvd - Main virus definitions
    • daily.cvd - Daily updated definitions
    • safebrowsing.cvd - SafeBrowsing database (optional)
    • bytecode.cvd - Bytecode signatures (optional)

Option 2: Automated Download (Recommended)

Step 2: Extract the Database Files

The .cvd files are actually compressed archives (similar to ZIP files). You need to extract them:

Using ClamAV Tools:

# Extract main.cvd
clamunrar main.cvd

# Extract daily.cvd
clamunrar daily.cvd

Using 7-Zip or WinRAR:

  • Right-click on main.cvd → Open with Archive Manager
  • Extract all files to a folder
  • Repeat for daily.cvd

Step 3: Organize Database Files

Create the following directory structure in your application folder:

ClamAV_Engine/
  bin/
    Debug/
      clamdb/
        daily/
          [extracted daily database files]
        main/
          [extracted main database files]
        bytecode/
          [optional bytecode files]

Detailed Steps:

  1. Create a folder named clamdb in bin/Debug/ directory:

    bin\Debug\clamdb\
    
  2. Create two subfolders inside clamdb:

    bin\Debug\clamdb\daily\
    bin\Debug\clamdb\main\
    
  3. Extract daily.cvd contents and place all .xxx files in:

    bin\Debug\clamdb\daily\
    
  4. Extract main.cvd contents and place all .xxx files in:

    bin\Debug\clamdb\main\
    
  5. (Optional) If you have bytecode files, create:

    bin\Debug\clamdb\bytecode\
    

    And place .cbc files there.

Step 4: Verify Database Installation

The application will automatically load the database when you:

  1. Click the "Load Database" button
  2. Select the clamdb folder
  3. The application will display the total number of loaded signatures

Expected format of signature files:

  • Files without extension or with numeric extensions (e.g., 001, 002)
  • Each file contains virus signatures in text format
  • The application recognizes signature types by format and content

Example ClamAV Signature Database Structure

After extraction, your folder should look like:

clamdb/
├── daily/
│   ├── 001
│   ├── 002
│   ├── 003
│   └── ...
├── main/
│   ├── 001
│   ├── 002
│   ├── 003
│   └── ...
└── bytecode/
    ├── 3986187.cbc
    ├── 3986188.cbc
    └── ...

Usage

Loading the Database

  1. Run the application (ClamAV_Engine.exe)
  2. Click the "Load Database" button
  3. Browse to your clamdb folder (contains daily/ and main/ subfolders)
  4. Click "OK" to load the signatures
  5. The status bar will show "Signatures Loaded: [count]"

Scanning a File

  1. Click the "Select File" button
  2. Choose a file to scan
  3. Click the "Scan File" button
  4. Results will appear in the log area
  5. If threats are detected, they will be listed with:
    • Threat name
    • Detection type
    • Signature information

Scanning a Directory

  1. Click the "Select Folder" button
  2. Choose a directory to scan
  3. Click the "Scan Folder" button
  4. The application will recursively scan all files in the directory
  5. Progress will be displayed in real-time
  6. A summary of results will show at the end

Viewing Signature Details

  1. In the Signatures List window (if available), double-click on any signature
  2. A details window will open showing:
    • Signature name
    • Pattern/Hash
    • Offset information
    • Signature type
    • Detection statistics

Supported Signature Formats

HDB (Hash-based Detection)

  • Format: Name:MD5:Size
  • Example: Trojan.Win32.Generic:4D01D7B2D4FF4F92A9A7D2B6E8F3C9B1:1024

HSB (Hash SHA-1 Based)

  • Format: Similar to HDB but uses SHA-1 hash

MDB (Metadata Hash-based)

  • Format: Name:MD5:Offset:Size
  • Detects specific sections of files

NDB (Normalised Hex)

  • Format: Name:HexPattern:Offset:Target:SectionType
  • Pattern matching with hex values

LDB (Logical Signatures)

  • Complex signatures using logical operators (AND, OR, NOT)
  • Can combine multiple conditions

LDU (Logical Signatures Unsigned)

  • Unsigned version of LDB signatures

CDB (Container Database)

  • Signatures for container file metadata
  • Used for encrypted/compressed archives

FP (False Positives)

  • Whitelisted signatures to prevent false detections

Project Structure

ClamAV_Engine/
├── ClamLib/                      # Core ClamAV Engine Library
│   ├── ClamAVEngine.cs          # Main scanning engine
│   ├── ClamAVDatabase.cs        # Database storage
│   ├── ClamAVSignature.cs       # Signature definition
│   ├── ClamAVResult.cs          # Scan results
│   ├── AhoCorasickEngine.cs     # Pattern matching algorithm
│   ├── AhoCorasickMatcher.cs    # Pattern matcher implementation
│   ├── ScanOptions.cs           # Scan configuration
│   ├── ScanStatus.cs            # Scan status enum
│   ├── SignatureType.cs         # Signature type definitions
│   ├── TargetType.cs            # Target type (file/folder)
│   └── Helpers/
│       ├── HashHelper.cs        # Hash calculation utilities
│       ├── PatternMatcher.cs    # Pattern matching helpers
│       ├── ExpressionEvaluator.cs # Logical expression evaluation
│       └── TargetTypeHelper.cs  # Target type utilities
├── Form1.cs                     # Main scanning interface
├── Form2.cs                     # Secondary interface/dialogs
├── Program.cs                   # Application entry point
├── App.config                   # Application configuration
├── ClamAV_Engine.csproj        # Project file
└── Properties/                  # Assembly information

Screenshots

Main window - database loaded Main window - scan result

Troubleshooting

Database Not Loading

  • Verify the folder structure matches the expected format:
    • clamdb/daily/ contains signature files
    • clamdb/main/ contains signature files
  • Check that the database files have read permissions
  • Ensure database files are not corrupted

No Signatures Detected

  • Confirm the database loading was successful (check the signatures count)
  • Verify your test file matches a known signature pattern
  • Check the application log for any error messages

Slow Scanning

  • Large databases may take time to load (first load is slower)
  • Scanning large directories takes proportional time
  • Consider using the daily database only for faster scanning

Out of Memory

  • Reduce the database size (use daily database only)
  • Scan smaller directories instead of entire drives
  • Increase available system RAM

Building from Source

Prerequisites

  • Visual Studio 2015 or later
  • .NET Framework 4.5 or higher SDK
  • Git (optional, for cloning)

Build Steps

# Clone the repository
git clone https://github.com/yourusername/ClamAV_Engine.git
cd ClamAV_Engine

# Build Release version
msbuild ClamAV_Engine.csproj /p:Configuration=Release /p:Platform="Any CPU"

# Output will be in bin/Release/

License

  • Project source code: Released under the MIT License.
  • ClamAV signature databases (main/daily/bytecode) are not included in this repository. When you download and use official ClamAV signatures, you must comply with the ClamAV GPL licensing terms and any accompanying COPYING/README files.
  • Trademarks: ClamAV is a trademark of its respective owner; this project is an independent implementation for educational/use-case purposes.

Attribution

  • ClamAV Signatures: Provided by ClamAV Foundation
  • Aho-Corasick Algorithm: String matching algorithm for pattern detection

Support and Documentation

For more information about ClamAV:

Version History

  • v1.0.0 - Initial release
    • File and folder scanning
    • ClamAV signature support
    • Multiple signature format support
    • Database loading and management

Last Updated: January 2026 Tested On: Windows 10/11, .NET Framework 4.5+

About

A Windows desktop application built with C# and Windows Forms that implements ClamAV signature-based virus scanning functionality. This application can scan files and directories using ClamAV virus signatures.

Topics

Resources

License

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published