Difference between revisions of "Clamav unofficial sigs"

From SME Server

Revision as of 04:39, 14 June 2022

Maintainer

Daniel B.
Firewall Services
mailto:daniel@firewall-services.com

Version

Contrib 10:
smeserver-clamav-unofficial-sigs
The latest version of smeserver-clamav-unofficial-sigs is available in the SME repository, click on the version number(s) for more information.


fws

About

ClamAV comes with a default database that is regularly and automatically updated. Next to the default database there are additional 'unofficial' databases that can be added to ClamAV. The smeserver-clamav-unofficial-sigs contrib adds various well-known databases to the default installation of SME Server, giving a better chance of protection against viruses, malware, ransomware and phishing attempts.

Note for Securiteinfo sigs

Read this before installing: https://wiki.contribs.org/Talk:Clamav_unofficial_sigs

Installation

Note:
The Koozali SME v10 version of the contrib does not do anything.


You can just install clamav-unofficial-sigs from EPEL and it should work.

We could add some configuration options into the contrib if required - see the bug below.


Warning:
Do not use the Koozali SME v10 contrib, as it does not work correctly.


The smeserver-clamav-unofficial-sigs contrib is available from the fws and epel repositories. These repositories must be enabled first; please see fws and epel on how to enable them. After both repositories have been enabled you can install smeserver-clamav-unofficial-sigs with the following command:

yum install smeserver-clamav-unofficial-sigs --enablerepo=fws,epel

Since there are many more signatures, ClamAV needs more memory to operate correctly. To set the required memory, enter the following command:

config setprop clamd MemLimit 1610612736

followed by

signal-event clamav-update

To invoke the download of the unofficial signature databases the following script has to be run once (it's in the SME Server $PATH):

clamav-unofficial-sigs.sh

That's it, ClamAV now has a lot more signatures to work with, and will automatically update all signature databases.

Configuration

/etc/clamav-unofficial-sigs/os.conf is templated and will override the default in /etc/clamav-unofficial-sigs/master.conf.

Avoid manually editing the content of /etc/clamav-unofficial-sigs/master.conf, as it can be overwritten by the script itself.

You can manually override what you want by editing /etc/clamav-unofficial-sigs/user.conf.

clamav-unofficial-sigs

property | default | values | note
status | enabled | enabled,disabled |
securiteinfo_premium | no | yes,no |
securiteinfo_authorisation_signature | YOUR-SIGNATURE-NUMBER | | set your serial there to use the service
securiteinfo_enabled | yes | yes,no | defaults to disabled if the key is not set
malwareexpert_serial_key | YOUR-SERIAL-KEY | | set your serial there to use the service
malwareexpert_enabled | yes | yes,no | defaults to disabled if the key is not set
malwarepatrol_receipt_code | YOUR-RECEIPT-NUMBER | | set your serial there to use the service
malwarepatrol_enabled | yes | yes,no | defaults to disabled if the key is not set
malwarepatrol_list | clamav_basic | clamav_basic,clamav_ext |
additional_enabled | yes | yes,no |
additionnal | | comma-separated URLs | list of URLs you want to download as additional databases
interserver_enabled | yes | yes,no |
linuxmalwaredetect_enabled | yes | yes,no |
sanesecurity_enabled | yes | yes,no |
urlhaus_enabled | yes | yes,no |
yararulesproject_enabled | yes | yes,no | Enables yararules in the various databases, automatically
enable_yararules | no | yes,no | Enables yararules in the various databases, automatically
default_dbs_rating | MEDIUM | LOW, MEDIUM, HIGH, DISABLE |
linuxmalwaredetect_dbs_rating | | LOW, MEDIUM, HIGH, DISABLE | This rating overrides the global rating for the specific provider
sanesecurity_dbs_rating | | LOW, MEDIUM, HIGH, DISABLE | This rating overrides the global rating for the specific provider
securiteinfo_dbs_rating | | LOW, MEDIUM, HIGH, DISABLE | This rating overrides the global rating for the specific provider
urlhaus_dbs_rating | | LOW, MEDIUM, HIGH, DISABLE | This rating overrides the global rating for the specific provider
yararulesproject_dbs_rating | | LOW, MEDIUM, HIGH, DISABLE | This rating overrides the global rating for the specific provider


For example, to set a Securiteinfo signature and then apply the configuration:

config setprop clamav-unofficial-sigs securiteinfo_authorisation_signature XXXXXXXXXXXXXXXXXXXXXXXX securiteinfo_premium no
expand-template /etc/clamav-unofficial-sigs/os.conf
signal-event clamav-update

Known issue

If you want to disable a single database from one provider, there are two ways to do it. If it is a database known to have a high risk of false positives, you can lower the rating for that provider:

For Securiteinfo, spam_marketing.ndb is rated HIGH in master.conf. If you set default_dbs_rating or securiteinfo_dbs_rating to MEDIUM or LOW, this database will be excluded.

Now suppose the database bothering you is provided by Securiteinfo, which also provides other databases that are important to you. You could edit master.conf manually and either comment out the line with the database name or increase its rating. However, that file can be updated by the main script, so you might lose your changes.
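The rating mechanism described in the Configuration table and in this Known issue, as an added example (not code from the contrib or from clamav-unofficial-sigs): it assumes the ordering LOW &lt; MEDIUM &lt; HIGH, that a database stays enabled when its own rating is not above the effective rating for its provider, and that DISABLE excludes the whole provider. The database list is a constructed sample in a "name|RATING" style.

```shell
#!/bin/sh
# Added example (not part of the contrib or of clamav-unofficial-sigs):
# models how default_dbs_rating and a provider's *_dbs_rating decide which
# databases are fetched. Assumed rule: LOW < MEDIUM < HIGH, a db is kept when
# its rating <= the effective rating, DISABLE drops the whole provider.

# Constructed sample list for one provider, "name|RATING" per line.
SECURITEINFO_DBS="securiteinfo.hdb|LOW
securiteinfohtml.hdb|MEDIUM
spam_marketing.ndb|HIGH"

# Map a rating word to a number so ratings can be compared.
rating_level() {
    case "$1" in
        DISABLE) echo 0 ;;
        LOW)     echo 1 ;;
        MEDIUM)  echo 2 ;;
        HIGH)    echo 3 ;;
        *) echo "unknown rating: $1" >&2; return 1 ;;
    esac
}

# effective_rating DEFAULT PROVIDER_OVERRIDE
# An empty provider override falls back to default_dbs_rating.
effective_rating() {
    if [ -n "$2" ]; then echo "$2"; else echo "$1"; fi
}

# enabled_dbs "DBLIST" EFFECTIVE_RATING -> prints the db names that stay enabled
enabled_dbs() {
    limit=$(rating_level "$2") || return 1
    printf '%s\n' "$1" | while IFS='|' read -r name rating; do
        [ -n "$name" ] || continue
        level=$(rating_level "$rating") || continue
        if [ "$level" -le "$limit" ]; then
            echo "$name"
        fi
    done
}

# Worked case from the Known issue: default MEDIUM and no provider override,
# so spam_marketing.ndb (HIGH) is excluded while the other two stay enabled.
default_dbs_rating=MEDIUM
securiteinfo_dbs_rating=""
enabled_dbs "$SECURITEINFO_DBS" \
    "$(effective_rating "$default_dbs_rating" "$securiteinfo_dbs_rating")"
```

Setting securiteinfo_dbs_rating to HIGH re-enables spam_marketing.ndb for that provider only, while DISABLE removes every Securiteinfo database regardless of the global rating.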

Bugs

Please raise bugs under the SME-Contribs section in bugzilla and select the smeserver-clamav-unofficial-sigs component, or use this link.


ID | Product | Version | Status | Summary
11995 | SME Contribs | 10.0 | CONFIRMED | NFR: panel