This repository contains Virus Definitions for the ScanCore Virus Scanner.
It may seem obvious, but it is important to describe what a Virus means in the context of a Virus Scanner. For the purpose of this document, a "Virus" is considered to be a piece of computer code or software which causes unauthorized or unintended behaviour without the consent or approval of the owner or operator of the device. This definition encompasses what is commonly referred to as Viruses (including Trojans, Ransomware, or Worms), Malware (including Keyloggers, Botnets or Trackers), & Potentially Unwanted Programs (PUPs) (including Remote Access Tools, Adware, or Auto-Miners).
Virus Definitions are descriptive data artifacts that the ScanCore Virus Scanner uses to identify specific strains of infection during scanning operations. Definitions within this repository are contained within Definition Files.
Definition Files are simple tab-separated files (TSV) with the .def file extension. These files can be opened by any plain text editor to reveal their contents. The Definition Files contained within this repository all have the filename prefix ScanCore_ & the file extension .def, but that is just to make them visually appealing. ScanCore will accept Definitions Files with any filename prefix or file extension so long as the contents of the file are formatted properly. Definition Files contain individual Virus Definitions organized into lines. Each line is similar to a row in a spreadsheet, with each row representing a different strain of infection. Each row is organized into columns which are separated by the tab character. Each column represents a different piece of information about the infection in the corresponding row. The columns contained within a row are ordered as follows;
- Infection Name
- Raw Data Match
- MD5 Hash
- SHA1 Hash
- SHA256 Hash
If a piece of data is not available for a strain of infection, that column can be left blank. If there are no more columns of a row that contain any data, the remaining columns of the row can be omitted. Definition Files themselves within this repository are organized into Definition Subscriptions represented in the filename after the ScanCore_ prefix, before the .def file extension.
ScanCore client installations can subscribe to specific Definition Subscriptions. Each definition file in this repository contains a different Definition Subscription. Definition Subscriptions currently represent the major different types of infection, including;
- Viruses
- Malware
- Potentially Unwanted Programs (PUPs)
In the future the list of subscriptions may expand to include geographic locations, industries, or more specific strains of infection. Only the Definition Files that a ScanCore client has in it's Definition Subscriptions will be installed during Definition Updates.
When a ScanCore client performs Definition Updates, it connects to a Git repository to download any Definition Files that match the local list of Definition Subscriptions. Definition Updates can be performed using one of two methods, including;
- Raw - Tries to download Definitions Files using url_fopen first, then tries again if needed using cURL.
- Git - Tries to download Definitions Files using Git.
Once Definition Files have been downloaded the ScanCore client compiles all Definition Files into a single local file known as the Combined Definitions File. A Combined Definitions File contains the contents of every Definition File that appears in the list of Definition Subscriptions for that client. Everything about Definition Updates can be adjusted in the ScanCore_Config.php file present in all default ScanCore installations. Administrators can specify their own source for Definition Updates as well as specific subscriptions for precise, granular control over their environment.
<3 Open-Source