sigtool
Manage ClamAV virus signatures
SYNOPSIS
sigtool [OPTIONS] [ARGUMENTS...]
PARAMETERS
--help
Displays the help message and exits.
--version
Prints version information and exits.
--md5 FILE
Calculates and prints the MD5 hash of the specified FILE.
--sha1 FILE
Calculates and prints the SHA1 hash of the specified FILE.
--sha256 FILE
Calculates and prints the SHA256 hash of the specified FILE.
--hex STRING
Converts an ASCII STRING to its hexadecimal representation.
--vhex HEXSTRING
Converts a hexadecimal HEXSTRING back to its ASCII representation.
--info VIRUSNAME
Displays information about a signature matching VIRUSNAME from loaded databases.
--test FILE
Tests all loaded signatures against the given FILE.
--unpack-cvd CVD_FILE
Unpacks a CVD (ClamAV Virus Database) file into its component signature files in the current directory.
--html-info
Dumps ClamAV database information in HTML format.
--ascii-dump
Converts and prints non-printable bytes from standard input to their ASCII representation (useful for debugging binary data).
--decode-base64
Decodes base64-encoded data from standard input.
--encode-base64
Encodes data from standard input into base64 format.
--list-sigs
Lists all loaded signature names.
--list-broken
Lists broken signatures found in the loaded databases.
--gen-mdb
Generates an MDB (MD5 Database) from files specified on the command line or standard input.
--find STRING
Searches for STRING in loaded signatures. Useful for finding patterns.
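The hashing and hex-conversion options above are the pieces a signature writer typically combines by hand. The following shell script is an added example, not code shipped with sigtool or ClamAV: it reproduces the output of --hex, --vhex, --md5 and --sha256 with coreutils alone (so it runs where sigtool is not installed) and assembles a hash-based .hdb signature line for a constructed sample file. It assumes md5sum, sha256sum, od, wc and mktemp are available, and that ClamAV's hash-signature line layout is hash:filesize:name; the signature name Example.Test.Sample-1 is a made-up placeholder.

```shell
#!/bin/sh
# Added example (not part of sigtool or ClamAV): coreutils equivalents of the
# --hex, --vhex, --md5 and --sha256 options, plus assembly of a hash-based
# .hdb line. Assumed: ClamAV hash signatures are laid out as hash:filesize:name.

# Equivalent of `sigtool --hex STRING`: ASCII string -> lowercase hex bytes.
to_hex() {
    printf '%s' "$1" | od -An -tx1 | tr -d ' \n'
}

# Equivalent of `sigtool --vhex HEXSTRING`: hex byte pairs -> raw bytes.
# Rejects odd-length or non-hex input instead of emitting garbage.
from_hex() {
    hex=$1
    case "$hex" in *[!0-9a-fA-F]*) return 1 ;; esac
    [ $(( ${#hex} % 2 )) -eq 0 ] || return 1
    while [ -n "$hex" ]; do
        pair=${hex%"${hex#??}"}      # first two characters
        hex=${hex#??}                # drop them from the remainder
        printf "\\$(printf '%03o' "$((0x$pair))")"
    done
}

# Equivalents of `sigtool --md5 FILE` / `--sha256 FILE`: print only the digest.
file_md5()    { md5sum "$1"    | cut -d' ' -f1; }
file_sha256() { sha256sum "$1" | cut -d' ' -f1; }

# Build a ClamAV hash signature line (assumed layout hash:filesize:name).
# Size is part of the signature: a changed file size alone breaks the match.
hdb_line() {
    size=$(wc -c < "$1" | tr -d ' ')
    printf '%s:%s:%s\n' "$(file_md5 "$1")" "$size" "$2"
}

# Constructed sample input: a harmless text file standing in for a specimen.
sample=$(mktemp)
printf 'hello\n' > "$sample"
to_hex hello; echo                  # 68656c6c6f
from_hex 68656c6c6f; echo           # hello
file_sha256 "$sample"
hdb_line "$sample" Example.Test.Sample-1 > example.hdb
cat example.hdb
rm -f "$sample" example.hdb
```

The resulting example.hdb is the kind of file you would place in the database directory and then exercise with --test or --list-sigs; the size field explains why a hash signature stops matching as soon as a sample is padded or truncated.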
DESCRIPTION
sigtool is a powerful command-line utility bundled with the ClamAV antivirus engine, primarily designed for developers and advanced users to manage, create, test, and debug virus signatures.
It provides a comprehensive suite of functions for interacting with various ClamAV signature formats, including MD5, SHA1, SHA256 hashes, hexadecimal signatures, logical signatures (HDB/CDB), and Compiled ClamAV Database (CVD) files. Users can calculate file hashes, query signature information from loaded databases, create custom signatures for testing, unpack and inspect CVD files, and convert data formats.
While not intended for routine end-user operations, sigtool is an indispensable tool for understanding ClamAV's detection mechanisms, developing custom detection rules, and troubleshooting signature-related issues.
CAVEATS
sigtool is primarily a developer and debugging tool for ClamAV. It requires a good understanding of ClamAV signature formats and internal workings. Incorrect usage, especially when generating or modifying signatures, can lead to false positives or ineffective detection. It also needs access to ClamAV's signature databases to perform most operations like --info or --test.
SIGNATURE TYPES
sigtool interacts with various ClamAV signature types:
MD5/SHA1/SHA256: Hash-based signatures for identifying exact file matches.
HDB (Hexadecimal Database): Simple hexadecimal string patterns.
CDB (Container Database): Signatures for detecting malware within container files (e.g., archives).
CVD (Compiled Virus Database): The main compiled signature database format used by ClamAV, which sigtool can unpack.
LDB (Logical Database): Advanced signatures combining multiple patterns and logical operators for complex detection rules.
DATABASE LOADING
For many operations (e.g., --info, --test, --list-sigs), sigtool needs to load the ClamAV signature databases. By default, it looks in standard ClamAV database locations (e.g., /var/lib/clamav or /usr/local/share/clamav). If databases are in a non-standard location, the CLAM_DBDIR environment variable can be used to specify the path.
HISTORY
sigtool has been an integral part of the ClamAV project since its early days, evolving alongside the antivirus engine itself. Its development has mirrored the increasing complexity of malware and the need for more sophisticated signature formats. Initially, it provided basic hashing and signature information. Over time, features like unpacking CVDs, testing signatures against files, and supporting various advanced signature types (e.g., logical signatures, bytecode) were added to empower security researchers and ClamAV signature writers in their fight against malicious software. It continues to be actively maintained as part of the official ClamAV distribution.