Let's say I am researching the Dyre Banking Trojan and I pull up SecureWorks report about it located at http://www.secureworks.com/cyber-threat-intelligence/threats/dyre-banking-trojan/. As I scan through the report I come to the following section listing the MD5 checksums of the files I should look for on my enterprise network.
This is where Clam-AV can assist. You can create a custom database with these MD5 hashes. The format for a custom database with MD5's is hash:file size:malware name. So I then create the file as follows:
However, I quickly notice that I do not have the file size. I started to research to see if I could add a wildcard for the file size and came across this in the ClamAV documentation.
The above information allows a wild card for the file size. So then I create my custom database with the extension of .hsb as follows.
Then to utilize the database that I created I use the following command of 'clamscan -i -r -d test.hsb'. With the -i it only shows the infected files, -r is recursive, -d is the directory or file where my databases exist. If it finds a file that matches the custom dictionary that I came up with then it will have .UNOFFICIAL next to it as shown below in the picture.