Signatures database
The signatures database is the heart of bucketAV. It contains patterns or “signatures” of known malware. The scan engine uses these signatures to identify and detect malware. Without a comprehensive and up-to-date signatures database, a malware scanning tool may be ineffective in detecting and protecting against new and emerging threats.
bucketAV updates the signatures database during startup and then approximately every hour (bucketAV powered by Sophos®) or every 2 hours (bucketAV powered by ClamAV®).
We also host a mirror of the ClamAV® or Sophos® signatures database that we sync approximately every hour to guarantee priority access to the signatures database for our customers. We validate updates against a set of known clean and infected files before we sync them to our mirrors.
You can add additional databases via the AdditionalDatabaseUrls configuration parameter, e.g., to deal with false positives and false negatives, or to meet the following requirements:
More strict Microsoft Office macros matching
This feature is only available for bucketAV powered by ClamAV®!
Requires bucketAV for Amazon S3 powered by ClamAV® version >= 2.4.0.
To update to the latest version, follow the Update Guide.
To mark any Microsoft Office document with a macro as infected, set the AdditionalDatabaseUrls configuration parameter to https://bucketav-clamav-customdb-REGION.s3.REGION.amazonaws.com/macro.yara and replace REGION with your AWS Region (e.g., us-east-1; get the value from the top right in the AWS Management Console).
Less strict EICAR matching
This feature is only available for bucketAV powered by ClamAV®!
Requires bucketAV for Amazon S3 powered by ClamAV® version >= 2.4.0.
To update to the latest version, follow the Update Guide.
The EICAR Standard Anti-Virus Test File is strictly defined. Some customers and penetration testers also prefer to flag files that are only similar to an EICAR Standard Anti-Virus Test File. For example, some penetration testers embed the EICAR string into a PDF and expect the file to still be detected, even though it no longer matches the formal definition of an EICAR Standard Anti-Virus Test File. You can configure bucketAV to detect files similar to an EICAR Standard Anti-Virus Test File.
Set the AdditionalDatabaseUrls configuration parameter to https://bucketav-clamav-customdb-REGION.s3.REGION.amazonaws.com/extendedeicar.hdb and replace REGION with your AWS Region (e.g., us-east-1; get the value from the top right in the AWS Management Console).
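The difference between the formal EICAR definition and a file that merely contains the EICAR string, shown as an added example that is not bucketAV or ClamAV code. The substring check is an assumed stand-in for "similar"; the page does not describe how extendedeicar.hdb matches files, and the function names and sample files are constructed for illustration.

```python
# Added example: strict vs. relaxed EICAR matching. Not bucketAV or ClamAV code.
# The 68-byte EICAR test string (harmless by design).
EICAR = rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

# Formal definition: the file starts with the 68-byte string, may be followed
# only by space, tab, LF, CR or CTRL-Z, and is at most 128 bytes in total.
ALLOWED_TRAILING = b" \t\n\r\x1a"
MAX_LEN = 128


def is_strict_eicar(data: bytes) -> bool:
    """True only for files that meet the formal EICAR definition."""
    if len(data) > MAX_LEN or not data.startswith(EICAR):
        return False
    return all(byte in ALLOWED_TRAILING for byte in data[len(EICAR):])


def contains_eicar(data: bytes) -> bool:
    """Relaxed stand-in for 'similar to EICAR' (assumption): string appears anywhere."""
    return EICAR in data


def classify(data: bytes) -> str:
    if is_strict_eicar(data):
        return "strict"
    return "similar" if contains_eicar(data) else "none"


# Constructed sample inputs (not taken from the page).
SAMPLES = {
    "plain": EICAR,
    "trailing_crlf": EICAR + b"\r\n",
    "pdf_embedded": b"%PDF-1.4\n1 0 obj\n<< /Length 68 >>\nstream\n" + EICAR
                    + b"\nendstream\nendobj\n%%EOF\n",
    "leading_byte": b"\n" + EICAR,
    "over_128_bytes": EICAR + b" " * 61,  # 129 bytes in total
    "clean_text": b"quarterly report draft",
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(f"{name:15} {len(data):4d} bytes -> {classify(data)}")
```

Files classified as "similar" are the ones a strict-only scan reports as clean, which is the gap the less strict matching is meant to close.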