Difference between revisions of "Clamav unofficial sigs"

From SME Server
Jump to navigationJump to search
 
(4 intermediate revisions by 2 users not shown)
Line 3: Line 3:
 
===Version===
 
===Version===
 
{{#smeversion: smeserver-clamav-unofficial-sigs }}
 
{{#smeversion: smeserver-clamav-unofficial-sigs }}
[[Version::Contrib9| ]] [[Has SME9::true| ]]
+
[[Version::Contrib9|fws]] [[Has SME9::true| ]]
  
 
==About==
 
==About==
Line 13: Line 13:
  
 
==Installation==
 
==Installation==
 +
<tabs container><tab name="For SME 10">
 +
You can just install clamav-unofficial-sigs from smecontribs/epel and it should work OR use the full contrib:
 +
yum install smeserver-clamav-unofficial-sigs --enablerepo=smecontribs
 +
</tab>
 +
<tab name="For SME 9">
 
The '''smeserver-clamav-unofficial-sigs''' contrib is available from the [[fws|'''fws''']] and the [[epel|'''epel''']] repositories. These repo's should be enabled first. Please see [[fws|'''fws''']] and [[epel|'''epel''']] on how to enable these repositories. After both repositories have been enabled you can install smeserver-unofficial-sigs by the following command:
 
The '''smeserver-clamav-unofficial-sigs''' contrib is available from the [[fws|'''fws''']] and the [[epel|'''epel''']] repositories. These repo's should be enabled first. Please see [[fws|'''fws''']] and [[epel|'''epel''']] on how to enable these repositories. After both repositories have been enabled you can install smeserver-unofficial-sigs by the following command:
 
  yum install smeserver-clamav-unofficial-sigs --enablerepo=fws,epel
 
  yum install smeserver-clamav-unofficial-sigs --enablerepo=fws,epel
 
Since there are much more signatures, ClamAV needs more memory to operate correctly. To set the required memory enter the following command:
 
Since there are much more signatures, ClamAV needs more memory to operate correctly. To set the required memory enter the following command:
  config setprop clamd MemLimit 1500000000
+
  config setprop clamd MemLimit 1610612736
  
 
followed by
 
followed by
 
  signal-event clamav-update
 
  signal-event clamav-update
 +
</tab>
 +
</tabs>
 
To invoke the download of the unofficial signature databases the following script has to be run once (it's in the SME Server $PATH):
 
To invoke the download of the unofficial signature databases the following script has to be run once (it's in the SME Server $PATH):
 
  clamav-unofficial-sigs.sh
 
  clamav-unofficial-sigs.sh
  
 
That's it, ClamAV now has a lot more signatures to work with, and will automatically update all signature databases.
 
That's it, ClamAV now has a lot more signatures to work with, and will automatically update all signature databases.
 +
 +
=== Configuration ===
 +
/etc/clamav-unofficial-sigs/os.conf is templated and will override the default in /etc/clamav-unofficial-sigs/master.conf.
 +
 +
Avoid to update manually the content of /etc/clamav-unofficial-sigs/master.conf as it could be updated by the script itself.
 +
 +
You can manually override what you want by editing /etc/clamav-unofficial-sigs/user.conf.
 +
 +
{| class="wikitable"
 +
|+clamav-unofficial-sigs
 +
!property
 +
!default
 +
!values
 +
!
 +
|-
 +
|status
 +
|enabled
 +
|enabled,disabled
 +
|
 +
|-
 +
|securiteinfo_premium
 +
|no
 +
|yes,no
 +
|
 +
|-
 +
|securiteinfo_authorisation_signature
 +
|YOUR-SIGNATURE-NUMBER
 +
|
 +
|set your serial there to use the service
 +
|-
 +
|securiteinfo_enabled
 +
|yes
 +
|yes,no
 +
|default to disabled if key is not set
 +
|-
 +
|malwareexpert_serial_key
 +
|YOUR-SERIAL-KEY
 +
|
 +
|set your serial there to use the service
 +
|-
 +
|malwareexpert_enabled
 +
|yes
 +
|yes,no
 +
|default to disabled if key is not set
 +
|-
 +
|malwarepatrol_receipt_code
 +
|YOUR-RECEIPT-NUMBER
 +
|
 +
|set your serial there to use the service
 +
|-
 +
|malwarepatrol_enabled
 +
|yes
 +
|yes,no
 +
|default to disabled if key is not set
 +
|-
 +
|malwarepatrol_list
 +
|clamav_basic
 +
|clamav_basic,clamav_ext
 +
|
 +
|-
 +
|additional_enabled
 +
|yes
 +
|yes,no
 +
|
 +
|-
 +
|additionnal
 +
|
 +
|coma separated urls
 +
|list of url you want to download from additional db
 +
|-
 +
|interserver_enabled
 +
|yes
 +
|yes,no
 +
|
 +
|-
 +
|linuxmalwaredetect_enabled
 +
|yes
 +
|yes,no
 +
|
 +
|-
 +
|sanesecurity_enabled
 +
|yes
 +
|yes,no
 +
|
 +
|-
 +
|urlhaus_enabled
 +
|yes
 +
|yes,no
 +
|
 +
|-
 +
|yararulesproject_enabled
 +
|yes
 +
|yes,no
 +
|Enables yararules in the various databases, automatically
 +
|-
 +
|enable_yararules
 +
|no
 +
|yes,no
 +
|Enables yararules in the various databases, automatically
 +
|-
 +
|default_dbs_rating
 +
|MEDIUM
 +
|LOW, MEDIUM, HIGH, DISABLE
 +
|
 +
|-
 +
|linuxmalwaredetect_dbs_rating
 +
|
 +
|<nowiki>LOW | MEDIUM | HIGH | DISABLE</nowiki>
 +
|These ratings will override the global rating for the specific database
 +
|-
 +
|sanesecurity_dbs_rating
 +
|
 +
|<nowiki>LOW | MEDIUM | HIGH | DISABLE</nowiki>
 +
|These ratings will override the global rating for the specific database
 +
|-
 +
|securiteinfo_dbs_rating
 +
|
 +
|<nowiki>LOW | MEDIUM | HIGH | DISABLE</nowiki>
 +
|These ratings will override the global rating for the specific database
 +
|-
 +
|urlhaus_dbs_rating
 +
|
 +
|<nowiki>LOW | MEDIUM | HIGH | DISABLE</nowiki>
 +
|These ratings will override the global rating for the specific database
 +
|-
 +
|yararulesproject_dbs_rating
 +
|
 +
|<nowiki>LOW | MEDIUM | HIGH | DISABLE</nowiki>
 +
|These ratings will override the global rating for the specific database
 +
|-
 +
|
 +
|
 +
|
 +
|
 +
|}
 +
 +
 +
just do
 +
config setprop clamav-unofficial-sigs securiteinfo_authorisation_signature  XXXXXXXXXXXXXXXXXXXXXXXX securiteinfo_premium no
 +
expand-template /etc/clamav-unofficial-sigs/os.conf
 +
signal-event clamav-update
 +
=== Known issue ===
 +
If you want to disable a single database from one provider, there are two way to do it : either this is known database that have a high risk of false positive then you can set the rating for this provider lower :
 +
 +
For securite info  spam_marketing.ndb is set as HIGH in master.conf. If you set default_dbs_rating to MEDIUM/LOW or securiteinfo_dbs_rating to MEDIUM/LOW this db will be excluded.
 +
 +
Let's say that the db bothering you is provided by securite info which also provides other db that are important for you, you could edit the master.conf manually and either comment out the line with the db name or increase the level of it. However, the file could be updated by the main script and you might lost the changes.
  
 
=== Bugs ===
 
=== Bugs ===

Latest revision as of 04:41, 14 June 2022

Maintainer

Daniel B.
Firewall Services
mailto:daniel@firewall-services.com

Version

Contrib 10:
smeserver-clamav-unofficial-sigs
The latest version of smeserver-clamav-unofficial-sigs is available in the SME repository, click on the version number(s) for more information.


fws

About

ClamAV comes with a default database that is regularly and automatically updated. Next to the default database there are additional 'unofficial' databases that can be added to ClamAV. This contrib smeserver-clamav-unofficial-sigs adds various and well known databases to the default installation of SME Server, providing better chance of protection to viruses, malware, ransomeware and phishing attempts.

Note for Securiteinfo sigs

read this before installing : https://wiki.contribs.org/Talk:Clamav_unofficial_sigs

Installation

You can just install clamav-unofficial-sigs from smecontribs/epel and it should work OR use the full contrib:

yum install smeserver-clamav-unofficial-sigs --enablerepo=smecontribs

The smeserver-clamav-unofficial-sigs contrib is available from the fws and the epel repositories. These repo's should be enabled first. Please see fws and epel on how to enable these repositories. After both repositories have been enabled you can install smeserver-unofficial-sigs by the following command:

yum install smeserver-clamav-unofficial-sigs --enablerepo=fws,epel

Since there are much more signatures, ClamAV needs more memory to operate correctly. To set the required memory enter the following command:

config setprop clamd MemLimit 1610612736

followed by

signal-event clamav-update

To invoke the download of the unofficial signature databases the following script has to be run once (it's in the SME Server $PATH):

clamav-unofficial-sigs.sh

That's it, ClamAV now has a lot more signatures to work with, and will automatically update all signature databases.

Configuration

/etc/clamav-unofficial-sigs/os.conf is templated and will override the default in /etc/clamav-unofficial-sigs/master.conf.

Avoid to update manually the content of /etc/clamav-unofficial-sigs/master.conf as it could be updated by the script itself.

You can manually override what you want by editing /etc/clamav-unofficial-sigs/user.conf.

clamav-unofficial-sigs
property default values
status enabled enabled,disabled
securiteinfo_premium no yes,no
securiteinfo_authorisation_signature YOUR-SIGNATURE-NUMBER set your serial there to use the service
securiteinfo_enabled yes yes,no default to disabled if key is not set
malwareexpert_serial_key YOUR-SERIAL-KEY set your serial there to use the service
malwareexpert_enabled yes yes,no default to disabled if key is not set
malwarepatrol_receipt_code YOUR-RECEIPT-NUMBER set your serial there to use the service
malwarepatrol_enabled yes yes,no default to disabled if key is not set
malwarepatrol_list clamav_basic clamav_basic,clamav_ext
additional_enabled yes yes,no
additionnal coma separated urls list of url you want to download from additional db
interserver_enabled yes yes,no
linuxmalwaredetect_enabled yes yes,no
sanesecurity_enabled yes yes,no
urlhaus_enabled yes yes,no
yararulesproject_enabled yes yes,no Enables yararules in the various databases, automatically
enable_yararules no yes,no Enables yararules in the various databases, automatically
default_dbs_rating MEDIUM LOW, MEDIUM, HIGH, DISABLE
linuxmalwaredetect_dbs_rating LOW | MEDIUM | HIGH | DISABLE These ratings will override the global rating for the specific database
sanesecurity_dbs_rating LOW | MEDIUM | HIGH | DISABLE These ratings will override the global rating for the specific database
securiteinfo_dbs_rating LOW | MEDIUM | HIGH | DISABLE These ratings will override the global rating for the specific database
urlhaus_dbs_rating LOW | MEDIUM | HIGH | DISABLE These ratings will override the global rating for the specific database
yararulesproject_dbs_rating LOW | MEDIUM | HIGH | DISABLE These ratings will override the global rating for the specific database


just do

config setprop clamav-unofficial-sigs securiteinfo_authorisation_signature  XXXXXXXXXXXXXXXXXXXXXXXX securiteinfo_premium no 
expand-template /etc/clamav-unofficial-sigs/os.conf
signal-event clamav-update

Known issue

If you want to disable a single database from one provider, there are two way to do it : either this is known database that have a high risk of false positive then you can set the rating for this provider lower :

For securite info spam_marketing.ndb is set as HIGH in master.conf. If you set default_dbs_rating to MEDIUM/LOW or securiteinfo_dbs_rating to MEDIUM/LOW this db will be excluded.

Let's say that the db bothering you is provided by securite info which also provides other db that are important for you, you could edit the master.conf manually and either comment out the line with the db name or increase the level of it. However, the file could be updated by the main script and you might lost the changes.

Bugs

Please raise bugs under the SME-Contribs section in bugzilla and select the smeserver-clamav-unofficial-sigs component or use this link .


IDProductVersionStatusSummary
11995SME Contribs10.0CONFIRMEDNFR: panel