The goal for the new sig format would be to include all the existing signature features currently spread across the existing ClamAV-specific signature file formats.

Right now we have different file formats for:

NDB
LDB
CDB
FTM
CRB
CFG
PDB,WDB, HDB, HSB, MDB, MSB, FP, SFP, IGN2, and PWDB).

from multiple file formats that are hard to read, hard to write, and hard to extend. We would like to the new down into one format that is easier both for the signature authors and the developers.

We want to make a sigtool feature that can transcode from the old to the new, though we have no plans to remove support for the old signature formats. We might say they're deprecated to encourage folks to develop new content in the new format, but they would continue to work for the foreseeable future.

New signature features would only be added to the new signature format.

The goal is not to do away with Yara rule support. We will continue to try to maintain the existing (limited) Yara rule support, and are still open to improving it.

Micah Snyder
ClamAV Development
Talos
Cisco Systems, Inc.

From: clamav-users <clamav-users-bounces@lists.clamav.net> on behalf of Laurent S. via clamav-users <clamav-users@lists.clamav.net>
Sent: Tuesday, March 15, 2022 3:42 AM
To: ClamAV users ML <clamav-users@lists.clamav.net>
Cc: Laurent S. <110ef9e3086d8405c2929e34be5b4340@protonmail.ch>
Subject: Re: [clamav-users] human friendly signatures

On Tuesday, March 15th, 2022 at 00:36, Micah Snyder (micasnyd) <micasnyd@cisco.com> wrote:

> Starting with our own new language would let us maintain do that but make it easier for new analysts to train up on ClamAV.

I don't see at all the advantage of using a different, less used language. I don't know many people looking forward to learn a new language that is quite specific to one software and used more or less nowhere else.

One big reason I like to use ClamAV is that it's possible to add other sources of signatures. Lots of people use the sanesecurity ones. I add a lot of my own. I suppose there's a big amount of people who would love to add more (ie YARA) sources.

Is the goal for KDL to replace all of the existing ClamAV formats? I guess the transition would be a whole lot of effort from a LOT of people.

> What would be every more cool would be to be able to have an archive alert because we found weak indicators in several of the contained files.

I love the idea of weak indicators. But then, I'd like to have a more fine grained result in case of a hit. Something less binary but more something like a score. So that the amount of false positives could be more chosen. This would mean my paranoid customers could be as happy as the ones jumping to the roof at the first FP.

Best regards,
Laurent S.