[clamav-users] Read the signature in cdiff file.

Mark Allan markjallan at gmail.com
Mon Jan 29 10:31:02 UTC 2018

I agree with Al - I can't really see why anyone would need to do this, but I've been dealing a lot with cdiff and script files lately, so I know exactly how to do what you're asking!

At the start of each cdiff file is a header which reads something like this:
It's delimited with colons and can be interpreted like this:
	Type of file : DB version number (or scripted update version number) : file size of scripted update : <gzip representation of script data>

The final colon is important.  Count the number of characters up-to and including the final colon (unlike daily/main/bytecode cvd/cld files, the header doesn't appear to be a predefined length, so you'll need to count characters).  In this case it's 24.

Now, use dd to strip the header from the file, leaving a gzip archive.  In the example above, you can do:

dd bs=24 skip=1 if=daily-24262.cdiff of=daily-24262.gzip

Unpack the gzip file and you've got a plain text script file listing all the changes.

Doing all that programmatically is left as an exercise for the reader ;-)


> On 29 Jan 2018, at 9:55 am, Al Varnell <alvarnell at mac.com> wrote:
> Just trying to figure out why anybody would ever need to. As soon as they are downloaded they are immediately integrated into the appropriate .cld file where they can be read.
> Subscribe to the clamav-virusdb e-mail list if you want to see a list of what signatures are contained in a particular .cdiff file:
> <lists.clamav.net/cgi-bin/mailman/listinfo/clamav-virusdb>.
> -Al-
> On Mon, Jan 29, 2018 at 01:26 AM, Arul Raj wrote:
>> Hi Team,
>>   Can you please share, how to read the cdiff signature file in
>> human-readable format.
>> -
>> Arulraj I
>> _______________________________________________

More information about the clamav-users mailing list