Difference between revisions of "Clamav unofficial sigs"
Unnilennium (talk | contribs) |
Unnilennium (talk | contribs) |
||
Line 54: | Line 54: | ||
|- | |- | ||
|securiteinfo_premium | |securiteinfo_premium | ||
− | | | + | |no |
|yes,no | |yes,no | ||
| | | | ||
Line 126: | Line 126: | ||
|yes | |yes | ||
|yes,no | |yes,no | ||
+ | |Enables yararules in the various databases, automatically | ||
+ | |- | ||
+ | |enable_yararules | ||
+ | |no | ||
+ | |yes,no | ||
+ | |Enables yararules in the various databases, automatically | ||
+ | |- | ||
+ | |default_dbs_rating | ||
+ | |MEDIUM | ||
+ | |LOW, MEDIUM, HIGH, DISABLE | ||
+ | | | ||
+ | |- | ||
+ | |linuxmalwaredetect_dbs_rating | ||
+ | | | ||
+ | |<nowiki>LOW | MEDIUM | HIGH | DISABLE</nowiki> | ||
+ | |These ratings will override the global rating for the specific database | ||
+ | |- | ||
+ | |sanesecurity_dbs_rating | ||
+ | | | ||
+ | |<nowiki>LOW | MEDIUM | HIGH | DISABLE</nowiki> | ||
+ | |These ratings will override the global rating for the specific database | ||
+ | |- | ||
+ | |securiteinfo_dbs_rating | ||
+ | | | ||
+ | |<nowiki>LOW | MEDIUM | HIGH | DISABLE</nowiki> | ||
+ | |These ratings will override the global rating for the specific database | ||
+ | |- | ||
+ | |urlhaus_dbs_rating | ||
+ | | | ||
+ | |<nowiki>LOW | MEDIUM | HIGH | DISABLE</nowiki> | ||
+ | |These ratings will override the global rating for the specific database | ||
+ | |- | ||
+ | |yararulesproject_dbs_rating | ||
+ | | | ||
+ | |<nowiki>LOW | MEDIUM | HIGH | DISABLE</nowiki> | ||
+ | |These ratings will override the global rating for the specific database | ||
+ | |- | ||
+ | | | ||
+ | | | ||
+ | | | ||
| | | | ||
|} | |} | ||
Line 134: | Line 174: | ||
expand-template /etc/clamav-unofficial-sigs/os.conf | expand-template /etc/clamav-unofficial-sigs/os.conf | ||
signal-event clamav-update | signal-event clamav-update | ||
+ | === Known issue === | ||
+ | If you want to disable a single database from one provider, there are two way to do it : either this is known database that have a high risk of false positive then you can set the rating for this provider lower : | ||
+ | |||
+ | For securite info spam_marketing.ndb is set as HIGH in master.conf. If you set default_dbs_rating to MEDIUM/LOW or securiteinfo_dbs_rating to MEDIUM/LOW this db will be excluded. | ||
+ | |||
+ | Let's say that the db bothering you is provided by securite info which also provides other db that are important for you, you could edit the master.conf manually and either comment out the line with the db name or increase the level of it. However, the file could be updated by the main script and you might lost the changes. | ||
+ | |||
=== Bugs === | === Bugs === | ||
Please raise bugs under the SME-Contribs section in {{BugzillaFileBug|product=|component=|title=bugzilla}}and select the smeserver-clamav-unofficial-sigs component or use {{BugzillaFileBug|product=SME%20Contribs|component=smeserver-clamav-unofficial-sigs|title=this link}}. | Please raise bugs under the SME-Contribs section in {{BugzillaFileBug|product=|component=|title=bugzilla}}and select the smeserver-clamav-unofficial-sigs component or use {{BugzillaFileBug|product=SME%20Contribs|component=smeserver-clamav-unofficial-sigs|title=this link}}. |
Revision as of 04:39, 14 June 2022
Maintainer
Daniel B.
Firewall Services
mailto:daniel@firewall-services.com
Version
fws
About
ClamAV comes with a default database that is regularly and automatically updated. Next to the default database there are additional 'unofficial' databases that can be added to ClamAV. This contrib smeserver-clamav-unofficial-sigs adds various and well known databases to the default installation of SME Server, providing better chance of protection to viruses, malware, ransomeware and phishing attempts.
Note for Securiteinfo sigs
read this before installing : https://wiki.contribs.org/Talk:Clamav_unofficial_sigs
Installation
You can just install clamav-unofficial-sigs from EPEL and it should work.
We could add some configuration options into the contrib if required - see the bug below.
The smeserver-clamav-unofficial-sigs contrib is available from the fws and the epel repositories. These repo's should be enabled first. Please see fws and epel on how to enable these repositories. After both repositories have been enabled you can install smeserver-unofficial-sigs by the following command:
yum install smeserver-clamav-unofficial-sigs --enablerepo=fws,epel
Since there are much more signatures, ClamAV needs more memory to operate correctly. To set the required memory enter the following command:
config setprop clamd MemLimit 1610612736
followed by
signal-event clamav-update
To invoke the download of the unofficial signature databases the following script has to be run once (it's in the SME Server $PATH):
clamav-unofficial-sigs.sh
That's it, ClamAV now has a lot more signatures to work with, and will automatically update all signature databases.
Configuration
/etc/clamav-unofficial-sigs/os.conf is templated and will override the default in /etc/clamav-unofficial-sigs/master.conf.
Avoid to update manually the content of /etc/clamav-unofficial-sigs/master.conf as it could be updated by the script itself.
You can manually override what you want by editing /etc/clamav-unofficial-sigs/user.conf.
property | default | values | |
---|---|---|---|
status | enabled | enabled,disabled | |
securiteinfo_premium | no | yes,no | |
securiteinfo_authorisation_signature | YOUR-SIGNATURE-NUMBER | set your serial there to use the service | |
securiteinfo_enabled | yes | yes,no | default to disabled if key is not set |
malwareexpert_serial_key | YOUR-SERIAL-KEY | set your serial there to use the service | |
malwareexpert_enabled | yes | yes,no | default to disabled if key is not set |
malwarepatrol_receipt_code | YOUR-RECEIPT-NUMBER | set your serial there to use the service | |
malwarepatrol_enabled | yes | yes,no | default to disabled if key is not set |
malwarepatrol_list | clamav_basic | clamav_basic,clamav_ext | |
additional_enabled | yes | yes,no | |
additionnal | coma separated urls | list of url you want to download from additional db | |
interserver_enabled | yes | yes,no | |
linuxmalwaredetect_enabled | yes | yes,no | |
sanesecurity_enabled | yes | yes,no | |
urlhaus_enabled | yes | yes,no | |
yararulesproject_enabled | yes | yes,no | Enables yararules in the various databases, automatically |
enable_yararules | no | yes,no | Enables yararules in the various databases, automatically |
default_dbs_rating | MEDIUM | LOW, MEDIUM, HIGH, DISABLE | |
linuxmalwaredetect_dbs_rating | LOW | MEDIUM | HIGH | DISABLE | These ratings will override the global rating for the specific database | |
sanesecurity_dbs_rating | LOW | MEDIUM | HIGH | DISABLE | These ratings will override the global rating for the specific database | |
securiteinfo_dbs_rating | LOW | MEDIUM | HIGH | DISABLE | These ratings will override the global rating for the specific database | |
urlhaus_dbs_rating | LOW | MEDIUM | HIGH | DISABLE | These ratings will override the global rating for the specific database | |
yararulesproject_dbs_rating | LOW | MEDIUM | HIGH | DISABLE | These ratings will override the global rating for the specific database | |
just do
config setprop clamav-unofficial-sigs securiteinfo_authorisation_signature XXXXXXXXXXXXXXXXXXXXXXXX securiteinfo_premium no expand-template /etc/clamav-unofficial-sigs/os.conf signal-event clamav-update
Known issue
If you want to disable a single database from one provider, there are two way to do it : either this is known database that have a high risk of false positive then you can set the rating for this provider lower :
For securite info spam_marketing.ndb is set as HIGH in master.conf. If you set default_dbs_rating to MEDIUM/LOW or securiteinfo_dbs_rating to MEDIUM/LOW this db will be excluded.
Let's say that the db bothering you is provided by securite info which also provides other db that are important for you, you could edit the master.conf manually and either comment out the line with the db name or increase the level of it. However, the file could be updated by the main script and you might lost the changes.
Bugs
Please raise bugs under the SME-Contribs section in bugzilla and select the smeserver-clamav-unofficial-sigs component or use this link .
ID | Product | Version | Status | Summary |
---|---|---|---|---|
11995 | SME Contribs | 10.0 | CONFIRMED | NFR: panel |