[clamav-users] clamscan dumpcerts

Micah Snyder (micasnyd) micasnyd at cisco.com
Tue Jan 15 17:16:55 EST 2019

Hi Yas Man,

Right now, clamscan/clamd only parses PE Authenticode signatures when looking for false positives, which means a signature has to match before the sigs will be printed.

One of our malware researchers is in the process of updating this code. The plan is to change it so that the Authenticode signature is always checked / verified if a binary is signed so we can alert on files that match blacklisted signing certificates.


Micah Snyder
ClamAV Development
Cisco Systems, Inc.

On Jan 14, 2019, at 1:23 PM, Yas Man <clamav at outlook.com<mailto:clamav at outlook.com>> wrote:


I am trying to dump the certificates of a signed PE, but noting is being dumped, the output is simply the scan summary. I went through the list archive but I was not able to find a relevant topic. I also tried dumping the certificate of legitimate files and the results were the same, although running sigtool --print-certs successfully prints the authenticode.

I went through the signatures manual and the authenticode blog post and I can't figure out what am I doing wrong.  I am running ClamAV version 0.100.2.

clamav-users mailing list
clamav-users at lists.clamav.net<mailto:clamav-users at lists.clamav.net>

Help us build a comprehensive ClamAV guide:


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.clamav.net/pipermail/clamav-users/attachments/20190115/7419a55e/attachment.html>

More information about the clamav-users mailing list