Let's say I am researching the Dyre Banking Trojan and I pull up the SecureWorks report about it, located at http://www.secureworks.com/cyber-threat-intelligence/threats/dyre-banking-trojan/. As I scan through the report, I come to the following section listing the MD5 checksums of the files I should look for on my enterprise network.
This is where ClamAV can assist. You can create a custom database with these MD5 hashes. The format for a custom database with MD5s is hash:file size:malware name. So I then create the file as follows:
However, I quickly notice that I do not have the file size. I started researching whether I could use a wildcard for the file size and came across this in the ClamAV documentation.
The above information allows a wildcard for the file size. So then I create my custom database with the .hsb extension as follows.
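One way to generate such a wildcard-size .hsb database from a pasted list of MD5s, as an added example that is not code from the original post. The hashes are constructed sample values, the signature name Dyre.Custom and the file name dyre_custom.hsb are hypothetical, and the trailing 73 is the minimum functionality level that the ClamAV signature documentation requires on wildcard-size entries.

```python
import hashlib
import re

MD5_RE = re.compile(r"[0-9a-f]{32}")
NAME_RE = re.compile(r"[A-Za-z0-9._-]+")
# ClamAV's signature documentation requires wildcard-size hash entries to
# carry a minimum functionality level of 73 as a fourth field.
MIN_FLEVEL = 73

# Constructed sample input: MD5s of made-up byte strings, not real indicators.
_A = hashlib.md5(b"constructed sample A").hexdigest()
_B = hashlib.md5(b"constructed sample B").hexdigest()
SAMPLE_HASHES = [
    _A,
    "  " + _A.upper() + "\n",   # same hash again, different case and whitespace
    "not-a-hash",               # malformed entry
    _B,
]


def build_hsb(hashes, name):
    """Return (signature_lines, rejected_inputs) for a wildcard-size .hsb file."""
    if not NAME_RE.fullmatch(name):
        raise ValueError("malware name must not contain ':' or whitespace")
    seen, lines, rejected = set(), [], []
    for raw in hashes:
        h = raw.strip().lower()
        if not h or h.startswith("#"):   # skip blank lines and comments
            continue
        if not MD5_RE.fullmatch(h):      # reject anything that is not 32 hex digits
            rejected.append(raw)
            continue
        if h not in seen:                # drop duplicates, keep first-seen order
            seen.add(h)
            lines.append(f"{h}:*:{name}:{MIN_FLEVEL}")
    return lines, rejected


def write_hsb(path, lines):
    """Write one signature per line with Unix line endings."""
    with open(path, "w", encoding="ascii", newline="\n") as fh:
        fh.write("\n".join(lines) + "\n")


if __name__ == "__main__":
    sigs, bad = build_hsb(SAMPLE_HASHES, "Dyre.Custom")  # hypothetical name
    write_hsb("dyre_custom.hsb", sigs)                   # hypothetical file name
    print(f"wrote {len(sigs)} signatures, rejected {len(bad)}: {bad}")
```

The resulting file can be passed to clamscan with its -d option. Review the rejected list before scanning, since a hash dropped as malformed is a file that will not be matched.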