ClamAV alternatives

Looking for a better tool, or simply want to learn about alternatives? There is typically more than one option.

56

bingrep

Bingrep is a utility that can be described as 'grep for binaries'. It runs on Linux and helps with reverse engineering and malware analysis.

It searches through the structure of a binary and highlights the most important areas with colors, so headers, sections and symbols stand out at a glance.

Supported binary formats:

  • ELF 32/64, arm, x86, openrisc
  • Mach 32/64, arm, x86
  • PE

63

chkrootkit

chkrootkit is a malware scanner that locally checks a system for signs of a rootkit. It is mostly written in shell script, with a few C helpers, and runs on the host system itself. That also means it relies on the host's own binaries and kernel being trustworthy; a kernel-level rootkit can feed it altered results.

The chkrootkit tool consists of multiple parts that may detect rootkit components or rootkit behavior on a system.

Some areas that are checked include:

  • interface in promiscuous mode
  • lastlog deletions
  • wtmp deletions
  • wtmpx deletions
  • signs of LKM trojans
  • utmp deletions

Project details

chkrootkit is written in C, shell script.

Strengths and weaknesses

  • + Used language is shell script
  • + Project is mature (10+ years)
  • - Long time between releases

Typical usage

  • Malware detection
  • Malware scanning

chkrootkit project page

89

Cuckoo Sandbox (cuckoo)

Cuckoo Sandbox is a malware analysis system. By feeding it suspicious files, Cuckoo provides detailed findings on what a file did and how it behaved.

In a matter of seconds, Cuckoo Sandbox provides detailed results on what a file does within an isolated environment. This helps with malware analysis and with understanding what the file is actually trying to achieve. Further analysis can then build on the recorded behavior.

Cuckoo Sandbox was created by Claudio Guarnieri as part of the Google Summer of Code project in 2010.

Project details

Cuckoo Sandbox is written in Python.

Strengths and weaknesses

  • + More than 2000 GitHub stars
  • + The source code of this software is available
  • - Many provided pull requests are still open
  • - Many reported issues are still open

Typical usage

  • Digital forensics
  • Malware analysis

Cuckoo Sandbox project page

64

Diamorphine

Diamorphine is a loadable kernel module (LKM) rootkit for Linux, published for study. It runs on different kernels in the 2.6, 3.x, and 4.x branches.

Project details

Diamorphine is written in C.

Strengths and weaknesses

  • + The source code of this software is available

Typical usage

  • Learning

Diamorphine project page

64

EvilAbigail

EvilAbigail automates a so-called evil maid attack against Linux systems. It does so by backdooring the initial ramdisk (initrd), which is loaded before the encrypted root filesystem is unlocked and is therefore usually left unencrypted and unverified.

97

hBlock

hBlock is a security tool that protects against advertisements, trackers, and malware. It does so by altering the /etc/hosts file so that known bad or malicious hosts resolve to an unroutable address and are effectively blocked.
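To make the mechanism concrete, here is an added example, written for this page and not taken from hBlock's source, of how a hosts-file blocklist is built and consulted. The blocklist text and the sinkhole address are constructed assumptions for the example; the point it illustrates is that /etc/hosts entries are matched exactly by the resolver, so an entry for a domain does not cover its subdomains.

```python
"""Added example: building and consulting a hosts-file blocklist of the
kind hBlock generates. Illustrative code, not hBlock's own source."""
import ipaddress

# Constructed blocklist in the common "hosts" source format; real lists mix
# plain domains, "0.0.0.0 domain" and "127.0.0.1 domain" entries and comments.
BLOCKLIST_SOURCE = """\
# comment line
0.0.0.0 tracker.example
127.0.0.1 ads.example  # trailing comment
malware-cdn.example
localhost
"""

SINKHOLE = "0.0.0.0"  # unroutable, so connections fail fast instead of hitting a local listener


def parse_blocklist(text):
    """Return the set of hostnames named by a blocklist, tolerant of both
    bare-domain lists and hosts-file style lists."""
    hosts = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments
        if not line:
            continue
        fields = line.split()
        # Drop a leading IP if present ("0.0.0.0 domain" / "127.0.0.1 domain").
        try:
            ipaddress.ip_address(fields[0])
            names = fields[1:]
        except ValueError:
            names = fields
        for name in names:
            name = name.lower().rstrip(".")
            if name and name != "localhost":    # never sinkhole localhost
                hosts.add(name)
    return hosts


def render_hosts(hosts):
    """Render sorted sinkhole entries suitable for appending to /etc/hosts."""
    return "".join(f"{SINKHOLE} {h}\n" for h in sorted(hosts))


def is_blocked(hostname, hosts):
    """The resolver matches /etc/hosts entries exactly: sub.tracker.example
    is NOT covered by an entry for tracker.example, unlike a DNS sinkhole."""
    return hostname.lower().rstrip(".") in hosts


if __name__ == "__main__":
    blocked = parse_blocklist(BLOCKLIST_SOURCE)
    print(render_hosts(blocked), end="")
    print("tracker.example blocked:", is_blocked("tracker.example", blocked))
    print("sub.tracker.example blocked:", is_blocked("sub.tracker.example", blocked))
```

The last two lines of output make the caveat visible: the parent domain is blocked, the subdomain is not, which is why hosts-file blocking complements, rather than replaces, a file scanner.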

Project details

hBlock is written in shell script.

Strengths and weaknesses

  • + Used language is shell script
  • + The source code of this software is available

Typical usage

  • Malware protection
  • Privacy enhancement

hBlock project page

81

LMD

Linux Malware Detect (LMD) is a malware scanner for systems running Linux. The open source software project is released under the GPLv2 license.

LMD uses MD5 file hashes and HEX pattern matches to define its malware signatures, which are then used to detect malware.

Project details

LMD is written in shell script.

Strengths and weaknesses

  • + The source code of this software is available

Typical usage

  • Malware scanning

LMD project page

93

Loki

Loki is a security tool to find so-called indicators of compromise (IOCs). It does this by scanning files and matching them against known patterns, such as file hashes and YARA rules.

Project details

Loki is written in Python.

Strengths and weaknesses

  • + Commercial support available
  • + More than 10 contributors
  • + More than 500 GitHub stars
  • + The source code of this software is available

Typical usage

  • Digital forensics
  • Intrusion detection
  • Security monitoring

Loki project page

74

Malscan

Malscan describes itself as the robust ClamAV-based malware scanner for web servers. It can combine signatures from multiple sources when scanning.

Malscan has multiple sources for its malware signatures:

  • RFX Networks Signatures
  • Metasploit Signatures
  • Malscan Signatures
  • ClamAV Main Signatures

Detection methods include HEX or MD5 matches, string length (e.g. long base64 blobs), and MIME type mismatches (a file whose content does not match what its extension claims).
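The four detection methods named here, and the MD5/HEX signature matching that LMD and Loki also rely on, fit in one small scanner. The following is an added example written for this page, not code from Malscan, LMD or Loki; the signature set, the file names and the file contents are constructed, and the magic-byte sniffer is a stand-in for `file --mime-type`.

```python
"""Added example: a miniature web-server file scanner using MD5 hash
matches, hex byte-pattern signatures, a long-base64 heuristic and a
MIME/extension mismatch check. Illustrative, not Malscan's or LMD's code."""
import hashlib
import mimetypes
import re

# Constructed signature set; a real deployment loads these from signature files.
HEX_SIGNATURES = {
    # hex form of the bytes "eval(base64_decode", a classic web-shell idiom
    "php.eval_base64": bytes.fromhex("6576616c286261736536345f6465636f6465"),
}
BASE64_RUN = re.compile(rb"[A-Za-z0-9+/]{200,}={0,2}")  # long unbroken base64 blob

# Constructed sample files: name -> content.
SAMPLES = {
    "index.php": b"<?php echo 'hello'; ?>",
    "shell.php": b"<?php eval(base64_decode('aGVsbG8=')); ?>",
    "logo.jpg":  b"<?php system($_GET['c']); ?>",         # PHP hiding behind an image name
    "photo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 16,       # real JPEG magic bytes
    "cfg.php":   b"<?php $x='" + b"QUJD" * 60 + b"'; ?>",  # 240 chars of base64
}
# Seed the hash list with the constructed shell so the MD5 path is exercised.
KNOWN_BAD_MD5 = {hashlib.md5(SAMPLES["shell.php"]).hexdigest()}


def sniff_mime(content):
    """Tiny magic-byte sniffer standing in for `file --mime-type`."""
    if content.startswith(b"\xff\xd8\xff"):
        return "image/jpeg"
    if content.startswith(b"\x89PNG"):
        return "image/png"
    if content.lstrip().startswith(b"<?php"):
        return "text/x-php"
    return "application/octet-stream"


def scan(name, content):
    """Return the list of detection names that fire for one file, in a fixed order."""
    hits = []
    if hashlib.md5(content).hexdigest() in KNOWN_BAD_MD5:
        hits.append("md5.known_bad")
    for sig_name, pattern in HEX_SIGNATURES.items():
        if pattern in content:
            hits.append(f"hex.{sig_name}")
    if BASE64_RUN.search(content):
        hits.append("heur.long_base64")
    claimed, _ = mimetypes.guess_type(name)   # what the extension promises
    actual = sniff_mime(content)              # what the bytes actually are
    # An "image" that is really PHP is the classic disguised web shell.
    if claimed and claimed.startswith("image/") and actual == "text/x-php":
        hits.append(f"mime.mismatch:{claimed}->{actual}")
    return hits


def scan_all(samples):
    """Scan every constructed sample; returns name -> list of hits."""
    return {name: scan(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, hits in scan_all(SAMPLES).items():
        print(f"{name:10} {hits or 'clean'}")
```

Note that MD5 is fine here as a lookup key for known-bad content, but it is not collision resistant; a hash signature only ever catches byte-identical copies, which is why the hex and heuristic checks exist alongside it.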

Project details

Malscan is written in shell script.

Strengths and weaknesses

  • + Used language is shell script
  • + The source code of this software is available

Typical usage

  • Malware protection
  • Malware scanning

Malscan project page

84

PHP Malware Finder

PHP Malware Finder is a tool to find malicious PHP scripts, a threat that most web hosting providers and their customers' websites have to deal with.

Project details

PHP Malware Finder is written in shell script.

Strengths and weaknesses

  • + More than 500 GitHub stars
  • + The source code of this software is available

Typical usage

  • Malware scanning

PHP Malware Finder project page

67

Rootkit Hunter (rkhunter)

Security tool to search for traces of rootkits, backdoors, and other malicious components on systems running Linux and other flavors of Unix.

Rootkit Hunter is a small utility to find suspicious rootkit components. Other known backdoors and malicious software can also be discovered, especially software whose goal is to hide itself.

The tool hunts in several ways: it checks predefined directory locations and compares the output of system utilities. Another method is to request a specific piece of output and check whether it has been altered, tricking rootkits into revealing themselves.
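The "request output two ways and compare" technique used by Rootkit Hunter and by chkrootkit's process checks can be shown on the process table. The following is an added example written for this page, not code from either project: it compares the PIDs a directory listing of /proc reports with the PIDs that can be reached by a direct path lookup. A rootkit that filters readdir()/getdents() but not stat()/open() shows up in the difference. The constructed PID sets in the test are assumptions; the live functions only do anything useful on Linux.

```python
"""Added example: exposing hidden processes by comparing a /proc listing
with direct per-PID probes. Illustrative code, not rkhunter's or chkrootkit's."""
import os


def hidden_pids(listed, probe, pid_max):
    """Return PIDs that `probe(pid)` can reach but that are missing from
    `listed` (the set a directory listing of /proc reported).

    Both inputs are injectable so the comparison logic can be tested on
    constructed data without touching a real /proc."""
    hidden = []
    for pid in range(1, pid_max + 1):
        if pid not in listed and probe(pid):
            hidden.append(pid)
    return hidden


def live_listed_pids():
    """PIDs according to readdir() on /proc (what a getdents hook would filter)."""
    try:
        return {int(d) for d in os.listdir("/proc") if d.isdigit()}
    except OSError:   # no /proc on this platform
        return set()


def live_probe(pid):
    """Direct path lookup, which a naive rootkit often forgets to hook."""
    return os.path.exists(f"/proc/{pid}/status")


def live_pid_max():
    try:
        with open("/proc/sys/kernel/pid_max") as f:
            return int(f.read())
    except OSError:   # not Linux
        return 0


if __name__ == "__main__":
    suspects = hidden_pids(live_listed_pids(), live_probe, live_pid_max())
    # A process may legitimately exit between the listing and the probe, or
    # start after it; re-check each hit once before treating it as hidden.
    relisted = live_listed_pids()
    suspects = [p for p in suspects if p not in relisted and live_probe(p)]
    print("hidden PIDs:", suspects or "none")
```

The re-check matters in practice: short-lived processes produce false positives in any single pass, so a hit should be confirmed (and ideally its /proc/<pid>/status read) before it is reported.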

Project details

Rootkit Hunter is written in shell script.

Strengths and weaknesses

  • + Used language is shell script
  • + Project is mature (10+ years)
  • + The source code of this software is available

Typical usage

  • Malware detection
  • Malware scanning

Rootkit Hunter project page

52

Samba-VirusFilter

On-access antivirus filter for Samba that detects malware and prevents it from infesting file shares.

Project details

Strengths and weaknesses

  • + The source code of this software is available

Samba-VirusFilter project page

93

Viper

Viper is a binary analysis and management framework for security researchers. It provides a way to organize your collection of malware samples and exploits.

Viper organizes the malware samples and exploits you collect over time and calls itself the "Metasploit for malware researchers". It has a terminal interface to store, search and analyze files, and, as it is a framework, it also allows you to create your own plugins.

60

WeBaCoo

WeBaCoo is short for Web Backdoor Cookie Script-Kit. It plants a web backdoor on a target and controls it through a specified HTTP cookie, so the command channel hides inside otherwise ordinary-looking requests.

Project details

WeBaCoo is written in Perl, Ruby.

Strengths and weaknesses

  • + The source code of this software is available

Typical usage

  • Application testing
  • Penetration testing

WeBaCoo project page

84

YaraGuardian

YaraGuardian is a web-based tool to manage and edit YARA rules. It is useful for those who create custom rules to detect malware.

Project details

YaraGuardian is written in Python.

Strengths and weaknesses

  • + The source code of this software is available

Typical usage

  • Malware analysis

YaraGuardian project page

76

yarGen

The yarGen utility helps with creating YARA rules for malware detection. It extracts strings from malware samples and removes those that also occur in its 'goodware' database, so that the generated rules match the malware without also matching legitimate files.
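The goodware-versus-malware filtering is the heart of that approach, and it is small enough to show. What follows is an added example written for this page, not yarGen's own code: it pulls printable strings from a constructed "malware" sample, drops every string that also appears in two constructed benign binaries, and emits a YARA rule from what is left. The sample bytes, the minimum string length and the ranking by length are assumptions chosen for the example.

```python
"""Added example: yarGen-style rule generation by subtracting goodware
strings from malware strings. Illustrative code, not yarGen's own."""
import re

STRING_RE = re.compile(rb"[\x20-\x7e]{6,}")   # printable ASCII runs, min length 6

# Constructed corpora: one "malware" sample and two benign binaries. The
# shared strings (library names, a common API) must NOT end up in the rule.
MALWARE = (b"\x7fELF\x00\x00" b"GetProcAddress\x00" b"/usr/lib/libc.so.6\x00"
           b"cmd.exe /c whoami\x00" b"http://c2.invalid/beacon.php\x00" + b"\x00" * 20)
GOODWARE = [
    b"\x7fELF\x00\x00" b"GetProcAddress\x00" b"/usr/lib/libc.so.6\x00" b"__libc_start_main\x00",
    b"MZ\x90\x00" b"GetProcAddress\x00" b"KERNEL32.dll\x00" b"Copyright (c) example\x00",
]


def extract_strings(data):
    """Set of printable strings in a blob, like `strings -n 6`."""
    return set(STRING_RE.findall(data))


def select_strings(malware_strings, goodware_strings, limit=20):
    """Keep strings unique to the malware, longest (most specific) first.
    Anything also seen in goodware is dropped, otherwise the rule would
    fire on legitimate files that share a library or API name."""
    unique = malware_strings - goodware_strings
    return sorted(unique, key=lambda s: (-len(s), s))[:limit]


def yara_escape(s):
    return s.decode("ascii").replace("\\", "\\\\").replace('"', '\\"')


def build_rule(name, strings, min_match=2):
    """Render a YARA rule requiring `min_match` of the selected strings."""
    lines = [f"rule {name} {{", "    strings:"]
    for i, s in enumerate(strings):
        lines.append(f'        $s{i} = "{yara_escape(s)}"')
    lines.append("    condition:")
    lines.append(f"        {min(min_match, len(strings))} of them")
    lines.append("}")
    return "\n".join(lines)


def generate(malware, goodware):
    """Full pipeline: strings from malware minus strings from all goodware."""
    good = set()
    for sample in goodware:
        good |= extract_strings(sample)
    return select_strings(extract_strings(malware), good)


if __name__ == "__main__":
    print(build_rule("demo_beacon", generate(MALWARE, GOODWARE)))
```

Requiring two of the strings rather than any one is deliberate: a single URL or command line can appear in benign tooling, and a rule built from one attribute is the usual source of false positives when a generated rule is deployed unreviewed.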

The tool with the highest score in this overview is hBlock, which might make it a candidate to replace ClamAV. Note, however, that hBlock blocks known bad hosts rather than scanning files, so for ClamAV's core job of inspecting files the scanners listed above, such as LMD, Malscan and Loki, are the closer matches.