From: "Massimo S." <ecs-isp@2rosenthals.com>
Subject: Fwd: [clamav-users] ClamAV Signature Retirement Announcement
Reply-To: ml@ecomstation.it
References: <DM6PR11MB473723F6218FE188BC42F278B2D7A@DM6PR11MB4737.namprd11.prod.outlook.com>
To: eCS ISP Mailing List <ecs-isp@2rosenthals.com>
Organization: Massimo S.
Message-ID: <a5410e9c-8b5a-129f-e8b4-0bbd14fc888f@ecomstation.it>
Date: Wed, 19 Nov 2025 21:07:23 +0100
User-Agent: Mozilla/5.0 (OS/2; U; Warp 4.5; it-IT; rv:1.7.13) Gecko/20060424
 Thunderbird/1.0.8 Mnenhy/0.7.4.0
MIME-Version: 1.0
In-Reply-To: <DM6PR11MB473723F6218FE188BC42F278B2D7A@DM6PR11MB4737.namprd11.prod.outlook.com>
Content-Type: multipart/mixed;
 boundary="------------69CEA651771D983BBB6DFAD3"
Content-Language: it

This is a multi-part message in MIME format.
--------------69CEA651771D983BBB6DFAD3
Content-Type: text/plain; charset=windows-1252; format=flowed
Content-Transfer-Encoding: 8bit

FYI

massimo


-------- Messaggio Inoltrato --------
Oggetto: 	[clamav-users] ClamAV Signature Retirement Announcement
Data: 	Wed, 19 Nov 2025 17:18:32 +0000
Mittente: 	Brendan Bell (brebell) via clamav-users <clamav-users@lists.clamav.net>
Rispondi-a: 	ClamAV users ML <clamav-users@lists.clamav.net>
A: 	ClamAV users ML <clamav-users@lists.clamav.net>
CC: 	Brendan Bell (brebell) <brebell@cisco.com>



ClamAV was first introduced in 2002; since then, the signature set has grown without bound, delivering as many 
detections as possible to the community. Due to continually increasing database sizes and user adoption, we 
are faced with significantly increasing costs of distributing the signature set to the community.
To address the issue, Cisco Talos has been working to evaluate the efficacy and relevance of older signatures. 
Signatures which no longer provide value to the community, based on today’s security landscape, will be retired.
We are making this announcement as an advisory that our first pass of this retirement effort will affect a 
significant drop in database size for both the daily.cvd and main.cvd.
Our goal is to ensure that detection content is targeted to currently active threats and campaigns. We will 
judge this based on signature matches seen in our, and our partners, data feeds over an extended period of 
time. We will continue to evaluate detection prevalence for retired signatures and will restore any signatures 
to the active signature set as needed to protect the community. Going forwards, we will continue to curate the 
signature set to match the security landscape. This may result in further reductions in the total number of 
signatures included in the signature set alongside the normal growth that comes from new added coverage.

These are the impacts on signature database sizes you can expect from the first pass:
File Name
	
September 2025
	
December 2025 after retirement of signatures
main.cvd
	
163 MB
	
~80 MB
daily.cvd
	
62 MB
	
~22 MB

In addition to the reduction in size of the signature set, we will also begin to remove container images from 
Docker Hub. We are doing this to remove container images which may contain vulnerabilities either in ClamAV or 
in the base image, and to reduce the burden on Docker Hub itself, which presently hosts over 300 GiB of ClamAV 
container images.
When complete, we will only provide container images on Docker Hub for the supported versions of ClamAV. At 
this time, these will include:
Release
	
Tags
1.5
	
1.5, 1.5.1, latest, stable
1.4 LTS
	
1.4, 1.4.3
1.0 LTS
	
1.0, 1.0.9

We recommend that ClamAV container image users select a feature release tag rather than a specific minor 
release tag in order to stay up to date with security and bug fixes.

ClamAV Signature Retirement Open Source FAQ:

What if bad actors begin to reuse old malware and old exploits?
Our team is committed to reintroducing any signature based on the activity of bad actors in a timely fashion.

Can open-source users access the signatures that have been retired from main.cvd?
We intend to make the retired signatures available at a later date for researchers and corner cases

Is this an ongoing process?
Cisco Talos will continue to curate the signature set and may retire signatures as they lose relevance to 
today’s security landscape.
How will open source Users benefit from these changes?
Smaller file downloads come with inherent advantages, but unbound growth is not sustainable and we already 
have outgrown resource needs for scanning on some server configurations. We anticipate a noticeable RAM usage 
reduction for the ClamAV engine, possibly by as much as 25%.

When will users see a change in file sizes?
Signature retirement and the file size reduction will begin on December 16th , 2025.
Users will notice that the main.cvd and daily.cvd will be roughly 50% smaller than they have seen prior to 
that date.


If you have any questions please ask here or join our ClamAV discord:
https://discord.gg/K5jjC9Td

Thanks.

--------------69CEA651771D983BBB6DFAD3
Content-Type: text/plain; charset=UTF-8;
 name="Parte allegato al messaggio"
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment;
 filename="Parte allegato al messaggio"

_______________________________________________

Manage your clamav-users mailing list subscription / unsubscribe:
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/Cisco-Talos/clamav-documentation

https://docs.clamav.net/#mailing-lists-and-chat


--------------69CEA651771D983BBB6DFAD3--