Revision as of 21:49, 8 March 2011
Anti Virus - Additional Signatures
Introduction
SME Server uses Clam AntiVirus (http://www.clamav.net) as its default, built-in antivirus engine.
By default the server automatically fetches virus signature updates from the official ClamAV database. Other people and organisations have developed additional signatures that can be used with ClamAV. These include:
- Sane Security (http://www.sanesecurity.com/clamav/) - maintains nine signature databases (phishing and scam)
- Security Info (http://www.securiteinfo.com/) - maintains four signature databases
- Malware Block List (http://www.malware.com.br/) - maintains a malware database
To use these additional databases with your ClamAV installation you need to download them and add them to ClamAV. Sane Security provides a script package that downloads and installs the databases, and adding them gives ClamAV thousands of new signatures to work with.

Note: these additional signatures can in rare cases contain false positives, causing good emails to be caught. This has only been noticed once in 18 months, for some hours.
Installation
Log in to a console shell as root
Create and edit a new file. Add the following
#!/bin/sh
# script to install Bill Landry's <bill at inetmsg dot com> scripts
# for maintaining Sanesecurity signatures for clamav
# Copyright (C) 2009 Eric Shubert <ejs@shubes.net>
########################################################################
# 4/30/10 Amendments to install on SME Server - commented with SME
# 9/25/09 Totally refactored by Eric Shubert <ejs@shubes.net>
# 3/22/09 Originally Written by Jake Vickers <jake@qmailtoaster.com>
#
WEB_LOC=http://www.inetmsg.com/pub
PKG_NAME=clamav-unofficial-sigs
PKG_TGZ=$PKG_NAME.tar.gz
# SME = changed variable name throughout and directory name
SANE_DIR=/opt/sanesecurity

########################################################################
# initialization processing
#
a1_initialization(){
  # Make sure we're root ($UID is not set by every /bin/sh, so ask id)
  if [ "$(id -u)" != "0" ]; then
    echo "Error: You are not logged in as root, please su -"
    exit 1
  fi
  # remove files from previous version
  # SME - changed cron job from .sh to .cron, added removal of .sh script and redundant dbs
  # NOTE: this also deletes any other .ndb/.ldb/.ftm/.hdb files you have put in /var/clamav
  rm -rf /etc/unofficial-clamav-sigs.conf \
    /etc/cron.hourly/unofficial-clamav-sigs.cron \
    /usr/unofficial-dbs \
    /usr/bin/unofficial-clamav-sigs.sh \
    /var/clamav/*.ndb \
    /var/clamav/*.ldb \
    /var/clamav/*.ftm \
    /var/clamav/*.hdb
  # create a temp directory for the tar file; fall back to /tmp/<script>.<pid> if mktemp is unavailable
  TEMP_DIR=$(mktemp -d 2>/dev/null) || TEMP_DIR=/tmp/$me.$$
  # make sure the temp directory is deleted when we're done
  trap "rm -rf $TEMP_DIR" 0 1 2 5 15
}

###################################################################
## download and unpack current package
#
a3_download_unpack(){
  rm -rf $TEMP_DIR
  mkdir -p $TEMP_DIR
  echo "$me $myver - getting latest version of $PKG_NAME ..."
  # plain HTTP download; nothing below verifies a checksum or signature of the package
  wget -O $TEMP_DIR/$PKG_TGZ $WEB_LOC/$PKG_TGZ
  if [ "$?" != "0" ]; then
    echo "$me - unable to reach $WEB_LOC/$PKG_TGZ, please try again later."
    exit 1
  fi
  tar -xz -C $TEMP_DIR -f $TEMP_DIR/$PKG_TGZ
}

###################################################################
## install the package files
#
a5_install_files(){
  # SME - Added make directories
  mkdir -p $SANE_DIR/bin
  mkdir -p $SANE_DIR/etc
  mkdir -p $SANE_DIR/man
  # install the shell script
  cp $TEMP_DIR/$PKG_NAME-*/$PKG_NAME.sh $SANE_DIR/bin/$PKG_NAME.sh
  chmod 755 $SANE_DIR/bin/$PKG_NAME.sh
  ln -sf ../..$SANE_DIR/bin/$PKG_NAME.sh /usr/sbin/$PKG_NAME.sh
  # install the configuration file
  # SME - removed substitutions for clamd reload - reload_opt and reload_dbs
  # SME - removed substitution to change default dbs download directory
  # SME - added substitution to set clamd_socket location
  # SME - removed substitution to silence information output - but see cron job below
  cat $TEMP_DIR/$PKG_NAME-*/$PKG_NAME.conf | sed \
    -e "s|/var/lib/clamav|/var/clamav|" \
    -e "/#clamd_socket=/aclamd_socket=\"/var/clamav/clamd.socket\"" \
    -e "s|enable_logging=\"no\"|enable_logging=\"yes\"|" \
    -e "s|log_file_path=\"/var/log\"|log_file_path=\"/var/log/clamav\"|" \
    -e "s|log_file_name=\"clamav-unofficial|log_file_name=\"unofficial|" \
    -e "s|configuration_complete=\"no\"|configuration_complete=\"yes\"|" \
    > $SANE_DIR/etc/$PKG_NAME.conf
  ln -sf ../..$SANE_DIR/etc/$PKG_NAME.conf /etc/$PKG_NAME.conf
  # install the man page
  gzip $TEMP_DIR/$PKG_NAME-*/$PKG_NAME.8
  cp $TEMP_DIR/$PKG_NAME-*/$PKG_NAME.8.gz $SANE_DIR/man/$PKG_NAME.8.gz
  ln -sf ../../../..$SANE_DIR/man/$PKG_NAME.8.gz /usr/share/man/man8/$PKG_NAME.8.gz
  # install the cron job (cannot symlink cron jobs)
  grep "^#" $TEMP_DIR/$PKG_NAME-*/$PKG_NAME-cron \
    > /etc/cron.d/$PKG_NAME-cron
  # SME - both stdout and stderr of the hourly run are discarded so cron sends no mail;
  #       errors are recorded in the log file enabled above (/var/log/clamav)
  printf '\n25 * * * * root /usr/sbin/%s.sh >/dev/null 2>&1\n' "$PKG_NAME" \
    >>/etc/cron.d/$PKG_NAME-cron
  # install the logrotate spec
  cat $TEMP_DIR/$PKG_NAME-*/$PKG_NAME-logrotate | sed \
    -e "s|clamav-unofficial|clamav/unofficial|" \
    > $SANE_DIR/etc/$PKG_NAME-logrotate
  ln -sf ../..$SANE_DIR/etc/$PKG_NAME-logrotate /etc/logrotate.d/$PKG_NAME-logrotate
  # install documentation files
  # SME - removed superfluous $PKG_NAME sub-directory below $SANE_DIR/doc
  mkdir -p $SANE_DIR/doc
  mv $TEMP_DIR/$PKG_NAME-*/CHANGELOG $SANE_DIR/doc/CHANGELOG
  mv $TEMP_DIR/$PKG_NAME-*/INSTALL $SANE_DIR/doc/INSTALL
  mv $TEMP_DIR/$PKG_NAME-*/LICENSE $SANE_DIR/doc/LICENSE
  mv $TEMP_DIR/$PKG_NAME-*/README $SANE_DIR/doc/README
}

###################################################################
## main script execution begins here
#
me=${0##*/}
myver=v0.3.1-1
a1_initialization
a3_download_unpack
a5_install_files
echo "$PKG_NAME installed successfully"
echo "clamav database files provided by Sanesecurity will be updated within an hour,"
echo " and continuously after that."
exit 0
Save the file as sanesecurity-install.sh
chmod 755 sanesecurity-install.sh
Now run the script. It downloads the Sane Security package (clamav-unofficial-sigs) from http://www.inetmsg.com/pub and installs it for SME Server. Two things to be aware of before you do: the package is fetched over plain HTTP and the script does not verify a checksum or signature of what it downloads, and the initialisation step deletes every *.ndb, *.ldb, *.ftm and *.hdb file in /var/clamav, so move any local signature files you keep there out of the way first (the official ClamAV main and daily databases are .cvd/.cld files and are not touched).
./sanesecurity-install.sh
Run the Sane Security script once by hand to download the databases and check that it works
/usr/sbin/clamav-unofficial-sigs.sh
To reload ClamAV immediately so that it picks up the additional databases, run
signal-event clamav-update
Operation
Having installed the Sane Security package as above, it operates as follows:
- A cron job (/etc/cron.d/clamav-unofficial-sigs-cron) runs once every hour and starts the /usr/sbin/clamav-unofficial-sigs.sh script
- The script reads its configuration settings from /etc/clamav-unofficial-sigs.conf
- The additional databases are downloaded to /usr/unofficial-dbs and then copied into the /var/clamav directory
- ClamAV reloads all its databases from /var/clamav every 30 minutes by default
All the files (apart from the cron job and the downloaded databases) live in /opt/sanesecurity and are symlinked into the standard system directories.
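The layout described above is easy to get subtly wrong (a symlink that points nowhere after a partial uninstall, a second cron entry left over from an earlier version, a configuration file that never had the SME substitutions applied), so here is a check script. It is an added example, not part of this howto or of the clamav-unofficial-sigs package; it assumes the paths the installer above uses (/opt/sanesecurity, /usr/sbin/clamav-unofficial-sigs.sh, /etc/clamav-unofficial-sigs.conf, /etc/cron.d/clamav-unofficial-sigs-cron) and the sed substitutions the installer applies to the configuration file. make_demo_tree builds a constructed mock tree so the check can be exercised without touching a live server; the only difference from the real layout is noted in its comments.

```shell
#!/bin/sh
# Added example: verify the layout sanesecurity-install.sh leaves behind.
# Not part of the howto or of the clamav-unofficial-sigs package; the paths
# below are the ones the installer uses.
#   ./check-sane-install.sh --live   check the running server
#   ./check-sane-install.sh --demo   build a mock tree, check it, break it, check again
PKG=clamav-unofficial-sigs
SANE_DIR=/opt/sanesecurity

# check_sane_install ROOT   (ROOT="" means the live filesystem)
# Prints one line per problem and returns 1 if anything is wrong, 0 otherwise.
check_sane_install() {
    root=${1:-}
    status=0
    # 1. the symlinks the installer drops into the standard paths must resolve
    for link in "/usr/sbin/$PKG.sh" "/etc/$PKG.conf" \
                "/etc/logrotate.d/$PKG-logrotate" "/usr/share/man/man8/$PKG.8.gz"; do
        if [ ! -L "$root$link" ]; then
            echo "MISSING link: $link"; status=1
        elif [ ! -e "$root$link" ]; then
            echo "DANGLING link: $link"; status=1
        fi
    done
    # 2. the script behind /usr/sbin must be executable (cron runs it from there)
    [ -x "$root/usr/sbin/$PKG.sh" ] || { echo "NOT executable: /usr/sbin/$PKG.sh"; status=1; }
    # 3. the conf must carry the SME substitutions the installer's sed applies
    conf="$root/etc/$PKG.conf"
    if [ -r "$conf" ]; then
        grep -q '^configuration_complete="yes"' "$conf" \
            || { echo "conf: configuration_complete is not \"yes\""; status=1; }
        grep -q '^clamd_socket="/var/clamav/clamd.socket"' "$conf" \
            || { echo "conf: clamd_socket not set to /var/clamav/clamd.socket"; status=1; }
        grep -q '^[^#].*/var/lib/clamav' "$conf" \
            && { echo "conf: an active setting still points at /var/lib/clamav"; status=1; }
    fi
    # 4. exactly one active (uncommented) cron entry must run the script
    cron="$root/etc/cron.d/$PKG-cron"
    n=$(grep -c "^[^#].*/usr/sbin/$PKG\.sh" "$cron" 2>/dev/null || true)
    [ "$n" = "1" ] || { echo "cron: expected 1 active entry in $cron, found ${n:-0}"; status=1; }
    return $status
}

# make_demo_tree ROOT: constructed mock of what the installer lays down.
# On a live system /etc/../.. is still /, so the installer's "../..$SANE_DIR"
# resolves from /etc; in a mock tree below / the link from /etc needs one ".."
# fewer, so each link here uses the depth of its own directory.
make_demo_tree() {
    root=$1
    mkdir -p "$root$SANE_DIR/bin" "$root$SANE_DIR/etc" "$root$SANE_DIR/man" \
             "$root/usr/sbin" "$root/etc/cron.d" "$root/etc/logrotate.d" \
             "$root/usr/share/man/man8"
    printf '#!/bin/sh\necho updating signatures\n' > "$root$SANE_DIR/bin/$PKG.sh"
    chmod 755 "$root$SANE_DIR/bin/$PKG.sh"
    printf '# demo conf\nclam_dbs="/var/clamav"\n#clamd_socket=\nclamd_socket="/var/clamav/clamd.socket"\nconfiguration_complete="yes"\n' \
        > "$root$SANE_DIR/etc/$PKG.conf"
    : > "$root$SANE_DIR/etc/$PKG-logrotate"
    : > "$root$SANE_DIR/man/$PKG.8.gz"
    ln -sf "../..$SANE_DIR/bin/$PKG.sh"         "$root/usr/sbin/$PKG.sh"
    ln -sf "..$SANE_DIR/etc/$PKG.conf"          "$root/etc/$PKG.conf"
    ln -sf "../..$SANE_DIR/etc/$PKG-logrotate"  "$root/etc/logrotate.d/$PKG-logrotate"
    ln -sf "../../../..$SANE_DIR/man/$PKG.8.gz" "$root/usr/share/man/man8/$PKG.8.gz"
    printf '# clamav-unofficial-sigs cron\n25 * * * * root /usr/sbin/%s.sh >/dev/null 2>&1\n' "$PKG" \
        > "$root/etc/cron.d/$PKG-cron"
}

demo() {
    tmp=$(mktemp -d)
    make_demo_tree "$tmp"
    if check_sane_install "$tmp"; then echo "mock install: OK"; fi
    rm "$tmp$SANE_DIR/bin/$PKG.sh"    # simulate a half-removed package
    if check_sane_install "$tmp"; then echo "unexpected"; else echo "mock install: broken, as expected"; fi
    rm -rf "$tmp"
}

case ${1:-} in
    --live) check_sane_install "" && echo "install looks OK" ;;
    --demo) demo ;;
esac
```

Run it with --live after installing, and again after the uninstall script below to make sure no dangling links are left in /usr/sbin, /etc, /etc/logrotate.d or the man path.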
The sanesecurity-install.sh script used above can be run again if the Sane Security package of scripts etc is updated. Current version is 3.7 (April 2010). This assumes that nothing significant changes with regard to how the package needs to be installed.
Documentation
Documentation including a Change Log can be found in /opt/sanesecurity/doc as well as
man clamav-unofficial-sigs
Signature Databases
The additional databases to be downloaded and installed by the clamav-unofficial-sigs.sh script are controlled by the configuration file /etc/clamav-unofficial-sigs.conf
A default set of databases is defined for download. Further databases can be added to the list, and some or all of the defaults can be excluded. The configuration file is commented in this regard and gives an indication of the risk of false positives from the non-default databases.
To amend the databases you require, edit /etc/clamav-unofficial-sigs.conf and add or remove the database names as instructed.
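Excluding a whole database is a coarse response to a single false positive. ClamAV can instead be told to ignore one signature by name: an .ign2 file in the database directory (/var/clamav here) lists one signature name per line (ClamAV 0.95 and later), and clamd applies it at the next reload. The script below is an added example, not from this howto or the Sane Security package. It assumes /var/clamav/local.ign2 as the ignore file and reads detections from clamd/clamscan result lines of the form "path: NAME FOUND"; ClamAV appends .UNOFFICIAL to hits from unsigned databases when it reports them, while the ignore file takes the name as it appears in the database, so the suffix is stripped. The log lines in it are constructed.

```shell
#!/bin/sh
# Added example: whitelist a signature that produced a false positive by listing
# its name in a ClamAV .ign2 file (one signature name per line).
# Not from the howto or the Sane Security package. Assumptions: the database
# directory is /var/clamav (as the installer uses), so the ignore file is
# /var/clamav/local.ign2; detections come from result lines "<path>: <sig> FOUND".
#   ./whitelist-sig.sh /var/log/clamav/clamd.log     (then: signal-event clamav-update)
IGN_FILE=${IGN_FILE:-/var/clamav/local.ign2}

# Print the signature name from a result line (nothing if it is not a detection),
# minus the .UNOFFICIAL suffix ClamAV adds at report time for unsigned databases.
sig_from_log() {
    name=$(printf '%s\n' "$1" | sed -n 's/^.*: \([^ ]*\) FOUND$/\1/p')
    printf '%s\n' "${name%.UNOFFICIAL}"
}

# Accept only names made of letters, digits, '.', '_' and '-', so a crafted
# filename or log line cannot inject anything else into the ignore file.
valid_sig_name() {
    case $1 in
        ''|*[!A-Za-z0-9._-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# ignore_signature NAME [FILE]: append NAME unless it is already listed.
# Returns 0 when added, 1 when already present, 2 when NAME is invalid.
ignore_signature() {
    name=$1; file=${2:-$IGN_FILE}
    valid_sig_name "$name" || return 2
    if [ -f "$file" ] && grep -qxF "$name" "$file"; then
        return 1
    fi
    printf '%s\n' "$name" >> "$file"
}

# whitelist_from_log LOGFILE [FILE]: whitelist every signature that fired in
# LOGFILE and print the number of names newly added. Only do this after you have
# confirmed the hits are false positives: it silences those signatures for all mail.
whitelist_from_log() {
    logfile=$1; file=${2:-$IGN_FILE}; added=0
    while IFS= read -r line; do
        name=$(sig_from_log "$line")
        [ -n "$name" ] || continue
        if ignore_signature "$name" "$file"; then
            added=$((added + 1))
        fi
    done < "$logfile"
    echo "$added"
}

# Constructed clamd.log-style lines for a dry run (paths and numbers are made up).
SAMPLE_LOG='Tue Mar  8 20:12:33 2011 -> /var/spool/qpsmtpd/tmp/msg1: Sanesecurity.Junk.23456.UNOFFICIAL FOUND
Tue Mar  8 20:12:40 2011 -> /var/spool/qpsmtpd/tmp/msg2: OK
Tue Mar  8 20:13:02 2011 -> /var/spool/qpsmtpd/tmp/msg3: Sanesecurity.Junk.23456.UNOFFICIAL FOUND
Tue Mar  8 20:13:10 2011 -> /var/spool/qpsmtpd/tmp/msg4: Sanesecurity.Phishing.Cur.1234.UNOFFICIAL FOUND'

if [ $# -ge 1 ]; then
    n=$(whitelist_from_log "$1" "$IGN_FILE")
    echo "$n new entries in $IGN_FILE; run 'signal-event clamav-update' to reload clamd"
fi
```

Because the file is keyed by signature name, the rest of the database keeps working, and the entry can be removed again once Sane Security has corrected the signature. After editing the file, reload ClamAV with signal-event clamav-update as described above.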
Uninstall
Log in to a console shell as root
Create and edit a new file. Add the following
#!/bin/sh
# remove the cron job, the symlinks the installer created, the package directory,
# the downloaded databases and the log files, then tell ClamAV to reload
rm -f /etc/cron.d/clamav-unofficial-sigs-cron
rm -f /usr/sbin/clamav-unofficial-sigs.sh \
      /etc/clamav-unofficial-sigs.conf \
      /etc/logrotate.d/clamav-unofficial-sigs-logrotate \
      /usr/share/man/man8/clamav-unofficial-sigs.8.gz
rm -fr /opt/sanesecurity \
       /usr/unofficial-dbs
rm -f /var/log/clamav/unofficial-sigs* \
      /var/clamav/*.ndb \
      /var/clamav/*.ldb \
      /var/clamav/*.ftm \
      /var/clamav/*.hdb
signal-event clamav-update
Save the file as sanesecurity-uninstall.sh
chmod 755 sanesecurity-uninstall.sh
Now run the script. This deletes all the Sane Security package files and symlinks, the downloaded databases and the directories. Note that, like the installer, it removes every *.ndb, *.ldb, *.ftm and *.hdb file in /var/clamav, not only the Sane Security ones.
./sanesecurity-uninstall.sh
Old Installation Notes
A previous installation of the Sane Security scripts was provided for SME by swerts-knudsen.dk, and the installation notes for it are reproduced below for completeness. These are for version 2.4 of the scripts, whereas the current version installed as above is 3.7 (April 2010).
Installation
cd /etc
wget http://sme.swerts-knudsen.dk/downloads/unofficial-clamav-sigs-2.4/unofficial-clamav-sigs.conf
cd /etc/cron.hourly
wget http://sme.swerts-knudsen.dk/downloads/unofficial-clamav-sigs-2.4/unofficial-clamav-sigs.cron
chmod +x unofficial-clamav-sigs.cron
cd /usr/bin
wget http://sme.swerts-knudsen.dk/downloads/unofficial-clamav-sigs-2.4/unofficial-clamav-sigs.sh
chmod +x unofficial-clamav-sigs.sh
When you run it manually the first time it will complain about missing GPG keys; just run it again.
./unofficial-clamav-sigs.sh
ClamAV will by default reload its databases every 1800 secs (30mins) but you can force a reload with:
signal-event email-update
References
See original forum post http://forums.contribs.org/index.php?topic=37861.0
See also http://forums.contribs.org/index.php/topic,45872.0.html
See forum announcement of this Howto for further comments at http://forums.contribs.org/index.php/topic,45915.0.html
Installation script originally produced by QmailToaster Plus - see http://qtp.qmailtoaster.com