MalShare-CAV - MalShare to ClamAV database conversion

A considerable number of potentially dangerous files are uploaded to malshare.com every day.

At the same time, many of the submitted samples are not submitted to ClamAV. This site was created to change that: on demand, malshare.com's newest signatures are downloaded and converted to ClamAV's hash-based signature format.

Naming

MalShare provides the hashes without names, so the signatures are named in the format MalShare.YYYYMMDD.number. ClamAV suffixes those names with .UNOFFICIAL.

Daily signatures have an additional "c" in the number.

Download

Full database (excluding today's signatures; over one million signatures as of 2018-01-04):

Current database (only today's signatures):

Installation

Manual

As freshclam does not support HTTPS, it cannot download the custom database securely. It is best to use an external tool such as curl or wget. Many environments already provide one of these tools.

For regular updates, put e.g. the following in your update user's crontab:

0 0 * * Sun wget -q https://sbiewald.de/api/malshare/MalShare.hdb -O /path/to/db/folder/MalShare.hdb

This will fetch the latest database every Sunday.

Increasing the update frequency is not recommended. Please also note that the freshly downloaded database is not tested to work. Test the database before using it!
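One way to test the download before it goes live, as an added example that is not part of this site or of malshare_db: the file is fetched into a scratch directory, checked line by line, load-tested with clamscan, and only then moved into place, because wget -O pointed directly at the live path truncates the existing database even when the download fails. The function names, the --update argument and the accepted line pattern (MD5 hash, size or "*", MalShare.YYYYMMDD.number name, optional functionality levels) are assumptions; adjust the pattern to the file you actually receive.

```shell
#!/bin/sh
# Added example, not project code. The URL is the one from the crontab line;
# function names and the accepted signature pattern are assumptions.
URL="https://sbiewald.de/api/malshare/MalShare.hdb"

# validate_hdb FILE: succeed only if FILE is non-empty and every line is a
# ClamAV hash signature "md5:size:name[:minFL[:maxFL]]" (size may be "*")
# whose name follows the MalShare.YYYYMMDD.number scheme.
validate_hdb() {
    [ -s "$1" ] || return 1
    # grep -v selects lines that do NOT match; finding one means failure.
    if grep -Evq '^[0-9a-fA-F]{32}:([0-9]+|\*):MalShare\.[0-9]{8}\.[0-9c]+(:[0-9]+){0,2}$' "$1"; then
        return 1
    fi
    return 0
}

# update_malshare DEST: download over HTTPS, validate, load-test, then replace DEST.
update_malshare() {
    dest=$1
    work=$(mktemp -d) || return 1
    new="$work/MalShare.hdb"   # keep the .hdb extension: ClamAV picks the parser by it
    rc=1
    if wget -q "$URL" -O "$new" && validate_hdb "$new"; then
        echo probe > "$work/probe.txt"   # constructed harmless file to scan
        # clamscan exits 0 (clean), 1 (match) or 2 (error, e.g. unloadable database)
        if clamscan --no-summary -d "$new" "$work/probe.txt" >/dev/null 2>&1; then
            # stage next to the target so the final mv is an atomic rename
            cp "$new" "$dest.new" && mv "$dest.new" "$dest" && rc=0
        fi
    fi
    rm -rf "$work"
    return "$rc"
}

# Runs only when called as: script --update /path/to/db/folder/MalShare.hdb
if [ "${1:-}" = "--update" ]; then
    update_malshare "$2"
fi
```

In the crontab entry, call this script with --update and the database path in place of the direct wget command; a non-zero exit status means the old database was left untouched.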

Freshclam

To automatically download the MalShare database with freshclam, add the following line to your freshclam.conf:

DatabaseCustomURL http://insecure.sbiewald.de/api/malshare/MalShare.hdb

ClamAV sadly does not support HTTPS. To download the database securely, see the manual setup. Also, ClamAV does not update the installed database. To trigger a new download, the old database must be removed.

Self hosting

It is possible to install the conversion server on your own servers and integrate it into your own infrastructure. For an easy installation with Python, execute the following command:

pip3 install git+https://github.com/Varbin/malshare_db

Please see the command line references.

The code can be found on GitHub: Varbin/malshare_db.

Copyright & Disclaimer

The database source is malshare.com. Respect their Terms of Use.

This site has no connection to The Silent Sigma Foundation (operator of malshare.com).

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.