Clamav Signatures from malware expert help improve the detection rate on malware from PHP files. You can add malware expert clamav signatures to freshclam.conf file:
DatabaseCustomURL http://cdn.malware.expert/malware.expert.ndb
DatabaseCustomURL http://cdn.malware.expert/malware.expert.hdb
DatabaseCustomURL http://cdn.malware.expert/malware.expert.ldb
Note:
malware.expert.ndb is Generix Hex patterns real PHP malware, which can cause false positive alarms, because there is generic eval, base64 and etc. hex pattern signatures. (Very low false positive rate).
malware.expert.hdb is statics MD5 pattern form files, there is no false postive signatures.
malware.expert.ldb is LDB signatures, which use multi words search malwares in files.
malware.expert.fp is whitelist, what we found that cause false positive malware.
