Virus scanner ClamAV: Developers start decluttering

Decluttering at virus scanner ClamAV: Cisco is having developers discard old signatures, and old Docker images also have to go.


The virus scanner ClamAV is set to become significantly leaner again. Developers are reducing virus signatures, which noticeably reduces the size of the database. In addition, old Docker images are being removed; only images of actively supported ClamAV builds will continue to be maintained.

The developers of the open-source project, which is managed by Cisco, announced the decluttering operation on the project website. “ClamAV was first introduced in 2002. Since then, the signature set has grown without restriction to provide the community with as many detections as possible,” the developers explain, adding, “Due to the continuously growing database size and user numbers, we are facing significant cost increases for distributing the signature set to the community.”

Cisco Talos has therefore evaluated how relevant and efficient old signatures still are. As a result, the developers are retiring signatures that no longer have any value for the community. “Our first pass of this retirement action will result in a significant reduction in database size for both daily.cvd and main.cvd,” they state.

“Our goal is to ensure that detection content is focused on currently active threats and campaigns. We assess this based on signature detections that we observe over a longer period in our data feeds and those of our partners,” explains Cisco Talos. The programmers add: “We will continue to evaluate the detection frequency for retired signatures and will reintroduce old signatures into the active signature set if necessary to protect the community.”

In the future, they aim to compile a signature set that reflects the current threat landscape. This could lead to a further reduction in the number of signatures in the signature set -- in addition to the normal growth that comes from covering new threats.

The expected size reduction is indeed significant. While main.cvd from September still occupied 163 MB, it shrinks to around 80 MB in December. The daily.cvd database shrinks even further, from 62 MB to about 22 MB. The FAQ in the announcement gives December 16, 2025, as the date of the transition.


Cisco Talos also wants to reduce the load on Docker Hub, where around 300 GB of ClamAV container images are currently stored. On the one hand, images containing potential vulnerabilities are to be removed. On the other hand, only supported versions of ClamAV will remain available, which currently include LTS versions 1.0, 1.0.9, 1.4, and 1.4.3, as well as 1.5, 1.5.1, and the “latest” and “stable” branches.

ClamAV is primarily used in corporate environments. It specializes in malware detection in email attachments.

The ClamAV development branch 1.5 was only released in October. The programmers improved the processing of some common document types, such as OLE2-based Microsoft Office documents and PDFs. A week and a half later, ClamAV 1.5.1 followed, which resolved some issues with the new branch. Before that, the 1.4 branch had been the current one for over a year.

(dmk)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.