Valkyrie Verdict Daemon Service for Linux

One of the key benefits of Valkyrie Verdict is its ability to give a trusted verdict within 45 seconds on 92% of files (after automated analysis), and 4 hours on the remaining 8% (after human analysis). Our industry leading auto-analysis consists of several static and dynamic techniques, including state-of-the-art machine learning, precise detectors and dynamic behavior signatures.

Nevertheless, it is impossible to provide 100% threat visibility using automated techniques alone as many problems in malware analysis have been shown to be undecidable [1, 2]. Many of these results are based on the fact that precisely deciding whether a given program/input satisfies a certain post-condition, for an arbitrary post-condition, is undecidable. The proofs are based on two general techniques:

* Either they build a self-contradictory program assuming the existence of a decider for the given problem, similar to [3]

* They give a reduction from a well-known undecidable problem, such as the Halting Problem, similar to [4]

The 8% of unclassified files that require further testing are then analyzed by human experts who specialize in identifying complex and zero-day malware samples. Verdicts on these files are available to our users after 4-hours according to our SLA. Valkyrie customers can be confident that 100% of threats have been correctly identified after this 4 hour period. This isn’t some wild marketing claim - it is a scientific ‘100%’ built on the candid recognition that even the most advanced automatic tests available today cannot provide the correct verdict on all files. For those that remain, human analysis is absolutely essential. Users should always beware vendors that claim total protection based on automated mechanisms alone.

Customers who also use Comodo security solutions on their network are, of course, completely safe during this four-hour period. The 8% of unknown files will be isolated in a secure virtual container which cannot access other processes, system files or user data.

Now with Valkyrie Verdict Daemon Service you can scan any file / folder in your server using commands over TCP, get latest analysis results of unknown files located in your environment. Moreover, by integrating scanner to other applications or processes, it is possible to develop any kind of next-generation verdicting application easily. Valkyrie Verdict Daemon supports same command-line interface with popular open-source malware detection tool ClamAV Daemon service, so it requires short amount of time to replace it with Valkyrie Verdict.

How it Works

Verdict Daemon Service (VVDaemon) listens incoming connections under TCP socket and scans files or directories on demand. VVDaemon supports similar commands with its command-line scanner alternative and reads default configuration file before starting background service. Daemon service is being distributed as Debian package and currently tested in Ubuntu 16.04 OS. VVDaemon reads default configuration from /etc/vvdaemon/vvdaemon.conf file and you can update any of the configuration and restart the service.

Supported Commands

VVDaemon supports following commands over TCP port (default port:9999):

Command Details
PING Checks the daemon's stats (should reply with "PONG").
VERSION Print program version.
SHUTDOWN Perform a clean exit.
SCAN file / directory Scan file or directory (recursively) with archive support enabled (a full path is required).
RAWSCAN file/directory Scan file or directory (recursively) with archive and special file support disabled (a full path is required).
CONTSCAN file/directory Scan file or directory (recursively) with archive support enabled and don’t stop the scanning when a virus is found.
MULTISCAN file/directory Scan file in a standard way or scan directory (recursively) using multiple threads (to make the scanning faster on SMP machines).
ALLMATCHSCAN file/directory ALLMATCHSCAN works just like SCAN except that it sets a mode where, after finding a virus within a file, continues scanning for additional viruses.


VVDaemon reads configuration values from: /etc/vvdaemon/vvdaemon.conf:

Configuration Value Default Value Details
Example BOOL no If this option is set vvdaemon will not run.
LogFile STRING disabled Save all reports to a log file.
LogFileUnlock BOOL no By default the log file is locked for writing and only a single daemon process can write to it. This option disables the lock.
LogFileMaxSize SIZE 1048576 Maximum size of the log file. Value of 0 disables the limit. In Megabytes.
LogTime BOOL no Log time for each message.
LogClean BOOL no Log all clean files. Useful in debugging but drastically increases the log size.
LogSyslog BOOL no Use the system logger (can work together with LogFile).
LogFacility STRING LOG_LOCAL6 Type of syslog messages. Please refer to 'man syslog' for facility names.
LogVerbose BOOL no Enable verbose logging.
LogRotate BOOL no Rotate log file. Requires LogFileMaxSize option set prior to this option.
ExtendedDetectionInfo BOOL no Log additional information about the infected file, such as its size and hash, together with the virus name.
TemporaryDirectory STRING system specific (usually /tmp or /var/tmp). This option allows you to change the default temporary directory.
TCPSocket NUMBER disabled TCP port number the daemon will listen on.
TCPAddr STRING disabled By default clamd binds to INADDR_ANY. This option allows you to restrict the TCP address and provide some degree of protection from the outside world. This option can be specified multiple times in order to listen on multiple IPs. IPv6 is now supported.
MaxThreads NUMBER 10 Maximum number of threads running at the same time.
ExcludePath REGEX disabled Don't scan files and directories matching REGEX. This directive can be used multiple times.
MaxDirectoryRecursion NUMBER 15 Maximum depth directories are scanned at.
Debug BOOL no Enable debug messages.
LeaveTemporaryFiles BOOL no Do not remove temporary files (for debugging purpose).
DetectPUA BOOL yes Detect Possibly Unwanted Applications.
ScanPE BOOL yes PE stands for Portable Executable - it's an executable file format used in all 32 and 64-bit versions of Windows operating systems. This option allows ClamAV to perform a deeper analysis of executable files and it's also required for decompression of popular executable packers such as UPX. 
If you turn off this option, the original files will still be scanned, but without additional processing.
MaxScanSize SIZE 100M Sets the maximum amount of data to be scanned for each input file. Archives and other containers are recursively extracted and scanned up to this value. The size of an archive plus the sum of the sizes of all files within archive count toward the scan size. For example, a 1M uncompressed archive containing a single 1M inner file counts as 2M toward the max scan size. Warning: disabling this limit or setting it too high may result in severe damage to the system.
MaxFileSize SIZE 25M Files larger than this limit won't be scanned. Affects the input file itself as well as files contained inside it (when the input file is an archive, a document or some other kind of container). Warning: disabling this limit or setting it too high may result in severe damage to the system.
MaxRecursion NUMBER 16 Nested archives are scanned recursively, e.g. if a Zip archive contains a RAR file, all files within it will also be scanned. This options specifies how deeply the process should be continued. Warning: setting this limit too high may result in severe damage to the system.
MaxFiles NUMBER 10M Number of files to be scanned within an archive, a document, or any other kind of container. MaxEmbeddedPE SIZE This option sets the maximum size of a file to check for embedded PE. Files larger than this value will skip the additional analysis step. Negative values are not allowed.

File Verdicts

VVDaemon prints following file verdicts given by analysis results log file:

Possible Verdicts
Verdict Explanation
MALWARE File is malware
CLEAN File is Clean (Safe to execute)
PUA File is Potentially Unwanted Application
NOT-SUPPORTED File format is not supported by Valkyrie Verdict
UNKNOWN (In Analysis) File verdict is still Unknown and analysis is in progress
UNKNOWN File verdict is Unknown and no analysis is being performed
REQUEST-LIMIT-REACHED Your request limit for this API Key is reached in Valkyrie Verdict

Download Debian Package

Latest Daemon service package v1.2.0

Package SHA-256: 6c0cb6f7727b11ca905fda305b2f18aa4767881c304fb15dbe0075f7bc4cdc94

[1] Ali A. Selçuk, Fatih Orhan, Berker Batur, "Undecidable Problems in Malware Analysis", 12th International Conference for Internet Technology and Secured Transactions (ICITST), 2017.

Online version:

[2] David Evans, "On the Impossibility of Virus Detection", 2017.

Online version:

[3] Fred Cohen, “Computer viruses: theory and experiments”, Computers and Security, 6(1):22-35, 1987

[4] Fred Cohen, “Computational aspects of computer viruses”, Computers and Security, 8(4):325-344, 1989.