
After a five-year hiatus, Adrian Kriel, better known as eXtremeSHOK, has released v8.0.0 of the ClamAV Unofficial Signatures Updater, its first major update since March 2021. The new version adds full ClamAV 1.x compatibility, official multi-arch Docker support, and two new optional signature sources for ditekshen/detection and twinclams, while finally patching a silent URLhaus bug that was corrupting previous installs. Internal refactoring stripped 380 lines of duplicated code and migrated the continuous integration pipeline to GitHub Actions for real ClamAV smoke testing and weekly source-liveness probes. Users upgrading from v7.x can run the --upgrade flag safely, though those with aggressive cleanup settings should check the changelog before their next run since yararulesproject signatures are now disabled by default.

ClamAV Unofficial Signatures Updater Lands v8.0.0 After Five-Year Hiatus

After sitting at v7.2.5 since March 2021, Adrian Kriel, better known as eXtremeSHOK, just pushed out v8.0.0 of the ClamAV Unofficial Signatures Updater. The five-year gap between releases was long enough to break a few things, but the new version modernizes the script for ClamAV 1.x, adds official Docker support, and finally fixes a URLhaus bug that had been silently deleting your signatures since the last development branch.

For anyone running ClamAV on Linux or BSD, this script is basically the standard way to pull in community threat intel without manually wrestling with rsync and config files. Sanesecurity, SecuriteInfo, URLhaus, and Linux Malware Detect all feed into ClamAV's database directory. Every downloaded file gets integrity-tested with clamscan before it touches your live scanner. It's the kind of quiet utility that just works until you upgrade your OS.


What actually changed in eight years?

The headline move is full ClamAV 1.x compatibility. Kriel spent the time since v7.2.5 rebuilding the version parser to handle 1.4.x, 1.5.x, release candidates, and those pesky -dfsg suffixes that break older scripts. Verified against both the LTS and stable ClamAV branches, the new code also survived a full adversarial code review across eight distinct attack angles.

A couple of long-standing bugs finally got buried. URLhaus downloads were failing silently because the work directory never existed and a typo in the variable name tripped up the fetcher. On top of that, the cleanup routine was wiping URLhaus signatures right after install because they weren't in the tracking list. Both root causes are fixed. CLI flag parsing was also broken due to misplaced break statements, which meant only the first flag worked. That's patched now.
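Two of the bug classes described above, reconstructed as an added shell illustration (this is not the updater's own code; function names, flag names and file names are hypothetical): a C-style break inside case arms that exits the enclosing while loop after the first flag, and a cleanup routine that deletes any signature file missing from its tracking list.

```shell
#!/bin/sh
# Constructed illustration, not code from clamav-unofficial-sigs.

# Broken: "break" inside a case arm is a C habit. In shell it leaves the
# enclosing while loop, so only the first flag is ever processed.
parse_flags_broken() {
  seen=""
  while [ $# -gt 0 ]; do
    case "$1" in
      --upgrade) seen="${seen}upgrade "; break ;;   # exits the while, not the case
      --verbose) seen="${seen}verbose "; break ;;
      *) echo "unknown flag: $1" >&2; return 1 ;;
    esac
    shift
  done
  printf '%s\n' "${seen% }"
}

# Fixed: ";;" already ends the arm; shift and keep looping over all flags.
parse_flags_fixed() {
  seen=""
  while [ $# -gt 0 ]; do
    case "$1" in
      --upgrade) seen="${seen}upgrade " ;;
      --verbose) seen="${seen}verbose " ;;
      *) echo "unknown flag: $1" >&2; return 1 ;;
    esac
    shift
  done
  printf '%s\n' "${seen% }"
}

# Cleanup keyed on a tracking list: any .ndb whose base name is not in the
# list is removed. A source that is downloaded but never added to the list
# (URLhaus in v7.x, per the article) is wiped right after install.
# $1 = database directory, $2 = space-separated tracked source names.
cleanup_untracked() {
  dir="$1"; tracked=" $2 "
  for f in "$dir"/*.ndb; do
    [ -e "$f" ] || continue
    name=$(basename "$f" .ndb)
    case "$tracked" in
      *" $name "*) ;;          # tracked: keep
      *) rm -f "$f" ;;         # untracked: deleted
    esac
  done
  ls "$dir"                    # what survived
}
```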

The script also lost about 380 lines of copy-paste code. Per-source test-and-install logic got consolidated into shared helpers, which caught hidden bugs like every backup file collapsing onto a single _file-bak name. Not a huge number, but enough to hide real issues.

Docker, new sources, and CI overhaul

The biggest quality-of-life win is the official Docker image. Published to ghcr.io/extremeshok/clamav-unofficial-sigs, it ships in both all-in-one and sidecar modes. It supports amd64 and arm64, and includes a healthcheck that actually catches stalled or failed update loops. Weekly image rebuilds keep it in sync with upstream mirrors.

Two new signature sources land in this release, both disabled by default. ditekshen/detection and twinclams (backed by Splunk/TwinWave) round out the optional feeds. SecuriteInfo premium support got a refresh with .pdb, .wdb, and .yara extensions. Meanwhile, the Yara-Rules Project is now disabled by default after upstream abandonment and a few rules that crashed modern ClamAV.

The CI pipeline finally moved off defunct Travis-CI and Code Climate. GitHub Actions now runs ShellCheck, config parse smoke tests on real ClamAV 1.4 and 1.5 across Ubuntu 22.04 and 24.04, Docker builds, and weekly source-liveness probes. It's a proper production-grade setup now.

It's a heavy update. config_version has been bumped to 100, but because the backwards-compatible minimum is 96, existing v7.x installations will still start and can run --upgrade. If you had remove_disabled_databases="yes" enabled, yararulesproject files will get purged on your next run. Read the release notes before you hit upgrade.

Honestly, the five-year silence probably frustrated some packagers, but the refactoring, Docker support, and hardened CI prove this isn't just a patch. Kriel and the community contributors have turned a side-project maintenance script into something you can actually trust in production.

Head here for the full release notes and download.