forked from extremeshok/clamav-unofficial-sigs
-
Notifications
You must be signed in to change notification settings - Fork 0
/
clamav-unofficial-sigs.conf
415 lines (360 loc) · 18.2 KB
/
clamav-unofficial-sigs.conf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
# This file contains user configuration settings for clamav-unofficial-sigs.sh
###################
# This is property of eXtremeSHOK.com
# You are free to use, modify and distribute, however you may not remove this notice.
# Copyright (c) Adrian Jon Kriel :: [email protected]
##################
#
# Script updates can be found at: https://github.com/extremeshok/clamav-unofficial-sigs
#
# Originially based on:
# Script provide by Bill Landry ([email protected]).
#
# License: BSD (Berkeley Software Distribution)
#
##################
#
# NOT COMPATIBLE WITH VERSION 3.XX CONFIG
#
################################################################################
# Edit the quoted variables below to meet your own particular needs
# and requirements, but do not remove the "quote" marks.
# Set the appropriate ClamD user and group accounts for your system.
# If you do not want the script to set user and group permissions on
# files and directories, comment the next two variables.
# RHEL/CentOS
clam_user="clam"
clam_group="clam"
# Debian/Ubuntu
#clam_user="clamav"
#clam_group="clamav"
# If you do not want the script to change the file mode of all signature
# database files in the ClamAV working directory to 0644 (-rw-r--r--):
#
# owner: read, write
# group: read
# world: read
#
# as defined in the "clam_dbs" path variable below, then set the following
# "setmode" variable to "no".
setmode="yes"
# Set path to ClamAV database files location. If unsure, check
# your clamd.conf file for the "DatabaseDirectory" path setting.
clam_dbs="/var/lib/clamav"
# Set path to clamd.pid file (see clamd.conf for path location).
clamd_pid="/var/run/clamav/clamd.pid"
#clamd_pid="/var/run/clamd.pid"
# To enable "ham" (non-spam) directory scanning and removal of
# signatures that trigger on ham messages, uncomment the following
# variable and set it to the appropriate ham message directory.
#ham_dir="/var/lib/clamav-unofficial-sigs/ham-test"
# If you would like to reload the clamd databases after an update,
# change the following variable to "yes".
reload_dbs="yes"
# Top level working directory, script will attempt to create them.
work_dir="/var/lib/clamav-unofficial-sigs" #Top level working directory
# Log update information to '$log_file_path/$log_file_name'.
enable_logging="yes"
log_file_path="/var/log/clamav-unofficial-sigs"
log_file_name="clamav-unofficial-sigs.log"
# =========================
# MalwarePatrol : https://www.malwarepatrol.net
# MalwarePatrol 2015 free clamav signatures
#
# 1. Sign up for a free account : https://www.malwarepatrol.net/signup-free.shtml
# 2. You will recieve an email containing your password/receipt number
# 3. Enter the receipt number into the config: replacing YOUR-RECEIPT-NUMBER with your receipt number from the email
malwarepatrol_receipt_code="YOUR-RECEIPT-NUMBER"
# Set to no to enable the commercial subscription url.
malwarepatrol_free="yes"
# =========================
# SecuriteInfo : https://www.SecuriteInfo.com
# SecuriteInfo 2015 free clamav signatures
#
#Usage of SecuriteInfo 2015 free clamav signatures : https://www.securiteinfo.com
# - 1. Sign up for a free account : https://www.securiteinfo.com/clients/customers/signup
# - 2. You will recieve an email to activate your account and then a followup email with your login name
# - 3. Login and navigate to your customer account : https://www.securiteinfo.com/clients/customers/account
# - 4. Click on the Setup tab
# - 5. You will need to get your unique identifier from one of the download links, they are individual for every user
# - 5.1. The 128 character string is after the http://www.securiteinfo.com/get/signatures/
# - 5.2. Example https://www.securiteinfo.com/get/signatures/your_unique_and_very_long_random_string_of_characters/securiteinfo.hdb
# Your 128 character authorisation signature would be : your_unique_and_very_long_random_string_of_characters
# - 6. Enter the authorisation signature into the config securiteinfo_authorisation_signature: replacing YOUR-SIGNATURE-NUMBER with your authorisation signature from the link
securiteinfo_authorisation_signature="YOUR-SIGNATURE-NUMBER"
# ========================
# Database provider update time
# ========================
# Since the database files are dynamically created, non default values can cause banning, change with caution
securiteinfo_update_hours="4" # Default is 4 hours (6 downloads daily).
linuxmalwaredetect_update_hours="6" # Default is 6 hours (4 downloads daily).
malwarepatrol_update_hours="24" # Default is 24 hours (1 downloads daily).
yararules_update_hours="24" # Default is 24 hours (1 downloads daily).
# ========================
# Enabled Databases
# ========================
# Set to no to disable an entire database.
sanesecurity_enabled="yes" # Sanesecurity
securiteinfo_enabled="yes" # SecuriteInfo
linuxmalwaredetect_enabled="yes" # Linux Malware Detect
malwarepatrol_enabled="yes" # Malware Patrol
yararules_enabled="no" # Yara-Rule Project, requires clamAV 0.99+
# ========================
# Sanesecurity Database(s)
# ========================
# Add or remove database file names between quote marks as needed. To
# disable usage of any of the Sanesecurity distributed database files
# shown, remove the database file name from the quoted section below.
# Only databases defined as "low" risk have been enabled by default
# for additional information about the database ratings, see:
# http://www.sanesecurity.com/clamav/databases.htm
# Only add signature databases here that are "distributed" by Sanesecuirty
# as defined at the URL shown above. Database distributed by others sources
# (e.g., SecuriteInfo & MalewarePatrol, can be added to other sections of
# this config file below). Finally, make sure that the database names are
# spelled correctly or you will experience issues when the script runs
# (hint: all rsync servers will fail to download signature updates).
sanesecurity_dbs=" # BEGIN SANESECURITY DATABASE
### SANESECURITY http://sanesecurity.com/usage/signatures/
## REQUIRED, Do NOT disable
sanesecurity.ftm #REQUIRED Message file types, for best performance
sigwhitelist.ign2 #REQUIRED Fast update file to whitelist any problem signatures
## LOW
junk.ndb #LOW General high hitting junk, containing spam/phishing/lottery/jobs/419s etc
jurlbl.ndb #LOW Junk Url based
phish.ndb #LOW Phishing
rogue.hdb #LOW Malware, Rogue anti-virus software and Fake codecs etc. Updated hourly to cover the latest malware threats
scam.ndb #LOW Spam/scams
spamimg.hdb #LOW Spam images
spamattach.hdb #LOW Spam Spammed attachments such as pdf/doc/rtf/zip
blurl.ndb #LOW Blacklisted full urls over the last 7 days, covering malware/spam/phishing. URLs added only when main signatures have failed to detect but are known to be "bad"
## MED
#spear.ndb #MED Spear phishing email addresses (autogenerated from data here)
#lott.ndb #MED Lottery
#spam.ldb #MED Spam detected using the new Logical Signature type
#spearl.ndb #MED Spear phishing urls (autogenerated from data here)
#jurlbla.ndb #MED Junk Url based autogenerated from various feeds
#badmacro.ndb #MED Detect dangerous macros
### FOXHOLE http://sanesecurity.com/foxhole-databases/
## LOW
malwarehash.hsb #LOW Malware hashes without known Size
## MED
#foxhole_generic.cdb #MED See Foxhole page for more details
#foxhole_filename.cdb #MED See Foxhole page for more details
## HIGH
#foxhole_all.cdb #HIGH See Foxhole page for more details
### OITC http://www.oitc.com/winnow/clamsigs/index.html
### Note: the two databases winnow_phish_complete.ndb and winnow_phish_complete_url.ndb should NOT be used together.
# LOW
winnow.attachments.hdb #LOW Spammed attachments such as pdf/doc/rtf/zip
winnow_malware.hdb #LOW Current virus, trojan and other malware not yet detected by ClamAV.
winnow_malware_links.ndb #LOW Links to malware
winnow_extended_malware.hdb #LOW contain hand generated signatures for malware
winnow_bad_cw.hdb #LOW md5 hashes of malware attachments acquired directly from a group of botnets
# MED
#winnow_phish_complete_url.ndb #Med Similar to winnow_phish_complete.ndb except that entire urls are used
#winnow.complex.patterns.ldb #MED contain hand generated signatures for malware and some egregious fraud
#winnow_extended_malware_links.ndb #MED contain hand generated signatures for malware links
#winnow_spam_complete.ndb #MED Signatures to detect fraud and other malicious spam
# HIGH
#winnow_phish_complete.ndb #HIGH Phishing and other malicious urls and compromised hosts **DO NOT USE WITH winnow_phish_complete_url**
### SCAMNAILER http://www.scamnailer.info/
# MED
#scamnailer.ndb #MED Spear phishing and other phishing emails
### BOFHLAND http://clamav.bofhland.org/
# LOW
bofhland_cracked_URL.ndb #LOW Spam URLs
bofhland_malware_URL.ndb #LOW Malware URLs
bofhland_phishing_URL.ndb #LOW Phishing URLs
bofhland_malware_attach.hdb #LOW Malware Hashes
### RockSecurity http://rooksecurity.com/
#LOW
hackingteam.hsb #LOW Hacking Team hashes
### CRDF https://threatcenter.crdf.fr/
# LOW
crdfam.clamav.hdb #LOW List of new threats detected by CRDF Anti Malware
### Porcupine
# LOW
porcupine.ndb #LOW Brazilian e-mail phishing and malware signatures
phishtank.ndb #LOW Online and valid phishing urls from phishtank.com data feed
porcupine.hsb #LOW Sha256 Hashes of VBS and JSE malware, kept for 7 days
### Sanesecurity YARA Format rules
### Note: Yara signatures require ClamAV 0.99 or newer to work
#Sanesecurity_sigtest.yara #LOW Sanesecurity test signatures
#Sanesecurity_spam.yara #LOW detect spam
" # END SANESECURITY DATABASES
# ========================
# SecuriteInfo Database(s)
# ========================
# Only active when you set your securiteinfo_authorisation_signature
# Add or remove database file names between quote marks as needed. To
# disable any SecuriteInfo database downloads, remove the appropriate
# lines below.
securiteinfo_dbs="
### Securiteinfo https://www.securiteinfo.com/services/improve-detection-rate-of-zero-day-malwares-for-clamav.shtml
## REQUIRED, Do NOT disable
securiteinfo.ign2
# LOW
securiteinfo.hdb #LOW Malwares in the Wild
javascript.ndb #LOW Malwares Javascript
securiteinfohtml.hdb #LOW Malwares HTML
securiteinfoascii.hdb #LOW Text file malwares (Perl or shell scripts, bat files, exploits, ...)
securiteinfopdf.hdb #LOW Malwares PDF
# HIGH
#spam_marketing.ndb #HIGH Spam Marketing / spammer blacklist
" #END SECURITEINFO DATABASES
# ========================
# Linux Malware Detect Database(s)
# ========================
# Add or remove database file names between quote marks as needed. To
# disable any SecuriteInfo database downloads, remove the appropriate
# lines below.
linuxmalwaredetect_dbs="
### Linux Malware Detect https://www.rfxn.com/projects/linux-malware-detect/
# LOW
rfxn.ndb #LOW HEX Malware detection signatures
rfxn.hdb #LOW MD5 malware detection signatures
" #END LINUXMALWAREDETECT DATABASES
# =========================
# MalwarePatrol Database
# =========================
# Only active when you set your malwarepatrol_receipt_code
## REQUIRED, Do NOT disable
malwarepatrol_db="malwarepatrol.db" #LOW URLs containing of Viruses, Trojans, Worms, or Malware
# ========================
# Yara Rules Project Database(s)
# ========================
# Add or remove database file names between quote marks as needed. To
# disable any Yara Rule database downloads, remove the appropriate
# lines below.
yararules_dbs="
### Yara Rules https://github.com/Yara-Rules/rules
#
# Some rules are now in sub-directories. To reference a file in a sub-directory
# use subdir/file
# LOW
antidebug_antivm.yar #LOW anti debug and anti virtualization techniques used by malware
Malicious_Documents/malicious_document.yar #LOW documents with malicious code
# MED
#packer.yar #MED well-known sofware packers
# HIGH
#crypto.yar #HIGH detect the existence of cryptographic algoritms
" #END YARARULES DATABASES
# =========================
# Additional signature databases
# =========================
# Additional signature databases can be specified here in the following
# format: PROTOCOL://URL-or-IP/PATH/TO/FILE-NAME (use a trailing "/" in
# place of the "FILE-NAME" to download all files from specified location,
# but this *ONLY* works for files downloaded via rsync). For non-rsync
# downloads, curl is used. For download protocols supported by curl, see
# "man curl". This also works well for locations that have many ClamAV
# servers that use 3rd party signature databases, as only one server need
# download the remote databases, and all others can update from the local
# mirrors copy. See format examples below. To use, remove the comments
# and examples shown and add your own sites between the quote marks.
#add_dbs="
# rsync://192.168.1.50/new-db/sigs.hdb
# rsync://rsync.example.com/all-dbs/
# ftp://ftp.example.net/pub/sigs.ndb
# http://www.example.org/sigs.ldb
#" #END ADDITIONAL DATABASES
# ==================================================
# ==================================================
# A D V A N C E D O P T I O N S
# ==================================================
# ==================================================
# Enable or disable download time randomization. This allows the script to
# be executed via cron, but the actual database file checking will pause
# for a random number of seconds between the "min" and "max" time settings
# specified below. This helps to more evenly distribute load on the host
# download sites. To disable, set the following variable to "no".
enable_random="yes"
# If download time randomization is enabled above (enable_random="yes"),
# then set the min and max radomization time intervals (in seconds).
min_sleep_time="60" # Default minimum is 60 seconds (1 minute).
max_sleep_time="600" # Default maximum is 600 seconds (10 minutes).
# Set the clamd_restart_opt if the "reload_dbs" variable above is set
# Command to do a full clamd service stop/start
# RHEL/CentOS
clamd_restart_opt="service clamd restart"
# Debian/Ubuntu
#clamd_restart_opt="service clamav-daemon restart"
# If running clamd in "LocalSocket" mode (*NOT* in TCP/IP mode), and
# either "SOcket Cat" (socat) or the "IO::Socket::UNIX" perl module
# are installed on the system, and you want to report whether clamd
# is running or not, uncomment the "clamd_socket" variable below (you
# will be warned if neither socat nor IO::Socket::UNIX are found, but
# the script will still run). You will also need to set the correct
# path to your clamd socket file (if unsure of the path, check the
# "LocalSocket" setting in your clamd.conf file for socket location).
#clamd_socket="/tmp/clamd.socket"
#clamd_socket="/var/run/clamd.socket"
# Debian/Ubuntu
#clamd_socket="/var/run/clamav/clamd.ctl"
# If you would like to attempt to restart ClamD if detected not running,
# uncomment the next 2 lines. Enter the clamd service stop and start command
# for your particular distro for the "start_clamd" "stop_clamd" variables
# (the sample start command shown below should work for most linux distros).
# NOTE: these 2 variables are dependant on the "clamd_socket" variable
# shown above - if not enabled, then the following 2 variables will be
# ignored, whether enabled or not.
#clamd_start="service clamd start"
#clamd_stop="service clamd stop"
# Set rsync connection and data transfer timeout limits in seconds.
# The defaults settings here are reasonable, only change if you are
# experiencing timeout issues.
rsync_connect_timeout="30"
rsync_max_time="90"
# Set curl connection and data transfer timeout limits in seconds.
# The defaults settings here are reasonable, only change if you are
# experiencing timeout issues.
curl_connect_timeout="30"
curl_max_time="90"
# Set working directory paths (edit to meet your own needs). If these
# directories do not exist, the script will attempt to create them.
# Sub-directory names:
sanesecurity_dir="$work_dir/dbs-ss" # Sanesecurity sub-directory
securiteinfo_dir="$work_dir/dbs-si" # SecuriteInfo sub-directory
linuxmalwaredetect_dir="$work_dir/dbs-lmd" # Linux Malware Detect sub-directory
malwarepatrol_dir="$work_dir/dbs-mbl" # MalwarePatrol sub-directory
yararules_dir="$work_dir/dbs-yara" # Yara-Rules sub-directory
config_dir="$work_dir/configs" # Script configs sub-directory
gpg_dir="$work_dir/gpg-key" # Sanesecurity GPG Key sub-directory
add_dir="$work_dir/dbs-add" # User defined databases sub-directory
# If you would like to make a backup copy of the current running database
# file before updating, leave the following variable set to "yes" and a
# backup copy of the file will be created in the production directory
# with -bak appended to the file name.
keep_db_backup="no"
# If you want to silence the information reported by curl, rsync, gpg
# or the general script comments, change the following variables to
# "yes". If all variables are set to "yes", the script will output
# nothing except error conditions.
silence_ssl="yes" # Default is "yes" ignore ssl errors and warnings
curl_silence="no" # Default is "no" to report curl statistics
rsync_silence="no" # Default is "no" to report rsync statistics
gpg_silence="no" # Default is "no" to report gpg signature status
comment_silence="no" # Default is "no" to report script comments
# If necessary to proxy database downloads, define the rsync and/or curl
# proxy settings here. For rsync, the proxy must support connections to
# port 873. Both curl and rsync proxy setting need to be defined in the
# format of "hostname:port". For curl, also note the -x and -U flags,
# which must be set as "-x hostname:port" and "-U username:password".
rsync_proxy=""
curl_proxy=""
# After you have completed the configuration of this file, set the
user_configuration_complete="yes"
# ========================
# Database provider URLs, do not edit.
sanesecurity_url="rsync.sanesecurity.net"
sanesecurity_gpg_url="http://www.sanesecurity.net/publickey.gpg"
securiteinfo_url="https://www.securiteinfo.com/get/signatures/"
linuxmalwaredetect_url="http://cdn.rfxn.com/downloads/"
malwarepatrol_free_url="https://lists.malwarepatrol.net/cgi/getfile?product=8&list=clamav_basic"
malwarepatrol_subscription_url="https://lists.malwarepatrol.net/cgi/getfile?product=15&list=clamav_basic"
yararules_url="https://raw.githubusercontent.com/Yara-Rules/rules/master/"
# ========================
# do not edit
config_version="53"
# https://eXtremeSHOK.com ##############################################################