ViScan is a lightweight malware scanner that detects malicious files by matching file hashes and patterns against known ClamAV signatures. It supports a wide range of ClamAV database formats and performs recursive scanning across directories.
- Recursive scanning of files and directories
- MD5-based and pattern-based signature matching
- Supports multiple ClamAV signature formats:
  - `.hdb` (MD5)
  - `.fp` (false positives list)
  - `.ndb`, `.ldb`, `.mdb` (pattern-based)
- Skips unsupported or unrecognized formats
- Verbose mode for detailed logs
- Automatic quarantine of detected files
- Automatic download and unpacking of ClamAV signature databases
- Periodic database freshness checks (every 6 weeks)
- Manual force-update option

To compile the project, run:

```bash
make
```

This will build the `viscan` executable in the root directory.

```
.
├── database/            # Contains ClamAV signature databases
│   ├── main.cvd
│   ├── daily.cvd
│   ├── main.hdb, .ndb, .ldb, .mdb, .fp, ...
│   └── daily.hdb, .ndb, .ldb, .mdb, .fp, ...
├── quarantine/          # Quarantined malware logs
├── src/                 # Source code
│   ├── main.c
│   ├── hash_utils.c/h
│   ├── hdb_parser.c/h
│   ├── quarantine.c/h
│   └── update_database.c/h
├── Makefile
└── viscan               # Compiled binary
```

| Extension | Description | Support |
|---|---|---|
| `.hdb` | MD5-based signatures | Supported |
| `.fp` | False positives list | Supported |
| `.ndb` | Pattern-based | Supported |
| `.ldb` | Pattern-based (logical) | Supported |
| `.mdb` | Extended pattern rules | Supported |
| `.cdb` | Compressed database | Ignored |
| `.sfp` | Suspicious files list | Not supported |

Only supported formats are parsed and loaded. Unsupported or unparseable formats are skipped automatically.
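
How an MD5 signature line can be parsed and checked against a false-positive list, as an added example that is not ViScan's own code. It assumes ClamAV's documented hash-signature layout (`MD5:FileSize:MalwareName`, with `*` for an unknown size and optional trailing fields) for both `.hdb` and `.fp`; the function names and the sample lines in `main` are hypothetical and constructed.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example (not ViScan code). Assumed layout: MD5:FileSize:MalwareName */
typedef struct { char md5[33]; long size; char name[64]; } hdb_sig;

/* Parse one .hdb or .fp line. Returns 1 on success, 0 if malformed (skip it). */
int hdb_parse_line(const char *line, hdb_sig *out) {
    const char *c1 = strchr(line, ':'), *c2 = c1 ? strchr(c1 + 1, ':') : NULL;
    if (!c2 || c1 - line != 32) return 0;         /* MD5 is exactly 32 hex chars */
    for (int i = 0; i < 32; i++) out->md5[i] = (char)tolower((unsigned char)line[i]);
    out->md5[32] = '\0';
    if (strspn(out->md5, "0123456789abcdef") != 32) return 0;
    char *end = NULL;
    int any = (c2 - c1 == 2 && c1[1] == '*');     /* "*" means any file size */
    out->size = any ? -1 : strtol(c1 + 1, &end, 10);
    if (!any && (end != c2 || !isdigit((unsigned char)c1[1]))) return 0;
    size_t n = strcspn(c2 + 1, ":\r\n");          /* stop at optional extra fields */
    if (n == 0 || n >= sizeof out->name) return 0;
    snprintf(out->name, n + 1, "%s", c2 + 1);     /* copies exactly n characters */
    return 1;
}

static int sig_hits(const hdb_sig *s, const char *hex, long size) {
    for (int i = 0; i < 32; i++)                  /* a short input fails at its NUL */
        if (tolower((unsigned char)hex[i]) != s->md5[i]) return 0;
    return hex[32] == '\0' && (s->size < 0 || s->size == size);
}

/* Name of the matching signature, or NULL if clean or listed in the .fp set. */
const char *hdb_match(const hdb_sig *sigs, size_t nsig, const hdb_sig *fps,
                      size_t nfp, const char *hex, long size) {
    for (size_t i = 0; i < nfp; i++)              /* false positives win first */
        if (sig_hits(&fps[i], hex, size)) return NULL;
    for (size_t i = 0; i < nsig; i++)
        if (sig_hits(&sigs[i], hex, size)) return sigs[i].name;
    return NULL;
}

int main(void) {                                  /* constructed sample lines */
    const char *h = "00112233445566778899aabbccddeeff";
    hdb_sig sig, fp;
    hdb_parse_line("00112233445566778899AABBCCDDEEFF:68:Example.Test\n", &sig);
    hdb_parse_line("00112233445566778899aabbccddeeff:*:Example.Allow:73\n", &fp);
    printf("alone: %s\n", hdb_match(&sig, 1, NULL, 0, h, 68) ? "hit" : "clean");
    printf("with .fp: %s\n", hdb_match(&sig, 1, &fp, 1, h, 68) ? "hit" : "clean");
    return 0;
}
```

Checking the `.fp` entries before the detection set means a stale or overly broad signature cannot quarantine a file that has been explicitly listed as a false positive.
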
ViScan uses the official ClamAV databases:
These databases are automatically downloaded and unpacked if missing or outdated.
ViScan checks the last modification time of:

- `database/main.cvd`
- `database/daily.cvd`

If either is older than 6 weeks, it will automatically:

- Redownload the `.cvd` files
- Unpack them into the `database/` directory
- Remove old signature files before extraction

To manually force a refresh, use:

```bash
./viscan --force-update <file_or_dir>
```

```bash
./viscan [--verbose] [--force-update] <file_or_dir1> [file_or_dir2 ...]
```

| Option | Description |
|---|---|
| `--verbose` | Enables detailed output during scanning and loading |
| `--force-update` | Forces database update, even if it is up-to-date |

```bash
./viscan --verbose ~/Downloads
./viscan --force-update ./testfile.exe
```

To test detection functionality, you can create the standard EICAR test file using:

```bash
echo -n 'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*' > eicar.com
```

Then scan it:

```bash
./viscan --verbose ./eicar.com
```

If the signature database is properly loaded, this file will be detected and quarantined.

ViScan is licensed under the GNU General Public License v2.0 (GPLv2).
See the LICENSE file in the project directory for full details.