ClamAV Signatures from SecuriteInfo 90% Detection Rate!

Jun 10, 2021
I've seen many members here looking for a second anti-virus solution for pmg.

How about getting better signatures for ClamAV instead?

There is nothing wrong with ClamAV except for the detection rate, which is a function of the signatures.

I found SecuriteInfo, who provide ClamAV signatures; they are claiming a 90% detection rate for 30 EUR!

Has anyone used them?

How can I make ClamAV on pmg use and update those signatures automatically?

Thanks
 
1. Once you register and log in to your SecuriteInfo account and open the Setup page, you will notice the DatabaseCustomURL entries.

[screenshot: SecuriteInfo Setup page listing the DatabaseCustomURL entries]

2. Copy /var/lib/pmg/templates/freshclam.conf.in to /etc/pmg/templates/freshclam.conf.in.
3. Add the DatabaseCustomURL entries to the end of /etc/pmg/templates/freshclam.conf.in.
4. Restart freshclam (pmgconfig sync --restart 1) and double-check that it is downloading the SecuriteInfo ClamAV signature files.
 
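The four steps above, scripted as an added example (this is not code from the thread, from Proxmox or from SecuriteInfo). It assumes the PMG template paths the post names and the per-account SecuriteInfo URLs from the Setup tab; the key in the sample URLs is a placeholder. It appends the DatabaseCustomURL lines idempotently, can raise ReceiveTimeout (the stock PMG template sets 30 seconds, which SecuriteInfo's FAQ says is too short for securiteinfoold.hdb on ClamAV older than 0.102.2), and validates the file the way freshclam will: every non-comment line must be "Keyword value", so a URL pasted without the DatabaseCustomURL keyword is a one-token line and gets flagged before pmgconfig renders it into /etc/clamav/freshclam.conf.

```shell
#!/bin/sh
# Added example, not from the thread: script the PMG/SecuriteInfo setup steps
# and check the result before freshclam sees it.

# Append "DatabaseCustomURL <url>" for each URL not already in the template.
# Usage: add_database_custom_urls /etc/pmg/templates/freshclam.conf.in URL...
add_database_custom_urls() {
    tmpl=$1; shift
    for url in "$@"; do
        grep -qxF "DatabaseCustomURL $url" "$tmpl" && continue
        printf 'DatabaseCustomURL %s\n' "$url" >> "$tmpl"
    done
}

# Replace (or add) a single-valued option such as ReceiveTimeout. The PMG
# template ships ReceiveTimeout 30; SecuriteInfo's FAQ says the large
# securiteinfoold.hdb needs 2400 on ClamAV older than 0.102.2.
# Usage: set_freshclam_option FILE Keyword Value
set_freshclam_option() {
    f=$1
    awk -v k="$2" -v v="$3" '
        $1 == k { if (!done) print k " " v; done = 1; next }
        { print }
        END { if (!done) print k " " v }
    ' "$f" > "$f.tmp" && mv "$f.tmp" "$f"
}

# Reject what freshclam would reject: every non-comment line must be
# "Keyword value". A bare URL pasted without the DatabaseCustomURL keyword is a
# one-token line, which is what the "Missing argument for option" error looks
# like. Works on the template too: unrendered [% ... %] directives are skipped.
# Returns 1 if any line is bad.
check_freshclam_conf() {
    awk -v f="$1" '
        /^[ \t]*$/ || /^[ \t]*#/ || /^[ \t]*\[%/ { next }
        NF < 2 { printf "%s:%d: missing argument for option %s\n", f, NR, $1 > "/dev/stderr"; bad++; next }
        $1 == "DatabaseCustomURL" && $2 !~ /^https?:\/\// {
            printf "%s:%d: DatabaseCustomURL value is not a URL: %s\n", f, NR, $2 > "/dev/stderr"; bad++
        }
        END { exit (bad > 0) }
    ' "$1"
}

# Number of custom databases configured, to compare with what freshclam logs.
count_custom_urls() {
    grep -c '^DatabaseCustomURL ' "$1" || true
}

# On the PMG host the sequence is (not executed here):
#   cp /var/lib/pmg/templates/freshclam.conf.in /etc/pmg/templates/freshclam.conf.in
#   add_database_custom_urls /etc/pmg/templates/freshclam.conf.in "$URL_HDB" "$URL_IGN2" ...
#   check_freshclam_conf /etc/pmg/templates/freshclam.conf.in
#   pmgconfig sync --restart 1      # renders /etc/clamav/freshclam.conf and restarts freshclam
#   check_freshclam_conf /etc/clamav/freshclam.conf
#   journalctl -u clamav-freshclam | grep -i securiteinfo
#   (expect lines like "securiteinfo.hdb updated (version: custom database, sigs: N)")
```

The validator is deliberately run twice: once on the template you edit and once on the rendered /etc/clamav/freshclam.conf, since a template directive that renders to nothing can shift line numbers and hide which line freshclam is complaining about.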
I have not implemented yet. I ran out of time before my Florida vacation.

Will implement, test and let everyone know in two weeks or so.

They do have a free version with 30 day signatures if you want to test it yourself. The paid version gives you zero day sigs.
 
The default ClamAV signatures are abysmal and, like many other users, I have been searching for an alternative. Thank you to @fgams for mentioning this.
I have done the changes as noted by @hata_ph and it seems that it's working. If I see any better detection I will push this up to management so we pay the price for Pro (it's a reasonable price if we get better detection).

I wish I could see on the web interface when the last update of the custom signatures was, but I guess it's not implemented in PMG.
[screenshot: PMG ClamAV database status page]

EDIT: Now it does show it if you do a manual update:
[screenshot: manual update task output listing the SecuriteInfo databases]


Code:
Jun 27 21:01:33 HostName freshclam[822]: Testing database: '/var/lib/clamav//tmp.16af15fc66/clamav-cb88c3e033f4010a034977c315711014.tmp-securiteinfoascii.hdb' ...
Jun 27 21:01:34 HostName freshclam[822]: Database test passed.
Jun 27 21:01:34 HostName freshclam[822]: securiteinfoascii.hdb updated (version: custom database, sigs: 99947)
Jun 27 21:01:56 HostName freshclam[822]: Testing database: '/var/lib/clamav//tmp.16af15fc66/clamav-189eaab26e4c109ccc740d6a56cafdd4.tmp-securiteinfoandroid.hdb' ...
Jun 27 21:01:56 HostName freshclam[822]: Database test passed.
Jun 27 21:01:56 HostName freshclam[822]: securiteinfoandroid.hdb updated (version: custom database, sigs: 84401)
Jun 27 21:00:03 HostName freshclam[822]: Testing database: '/var/lib/clamav//tmp.16af15fc66/clamav-1c9a64ee542014b3c92484b643d0c639.tmp-securiteinfo.hdb' ...
Jun 27 21:00:03 HostName freshclam[822]: Database test passed.
Jun 27 21:00:03 HostName freshclam[822]: securiteinfo.hdb updated (version: custom database, sigs: 175412)
Jun 27 21:00:05 HostName freshclam[822]: Testing database: '/var/lib/clamav//tmp.16af15fc66/clamav-8f6fa518ca87bff2f865c789255c0f1e.tmp-securiteinfo.ign2' ...
Jun 27 21:00:05 HostName freshclam[822]: Database test passed.
Jun 27 21:00:05 HostName freshclam[822]: securiteinfo.ign2 updated (version: custom database, sigs: 106)
Jun 27 21:00:49 HostName freshclam[822]: Testing database: '/var/lib/clamav//tmp.16af15fc66/clamav-7a9faeebe5b0125b3ca01aa5adab688d.tmp-javascript.ndb' ...
Jun 27 21:00:49 HostName freshclam[822]: Database test passed.
Jun 27 21:00:49 HostName freshclam[822]: javascript.ndb updated (version: custom database, sigs: 43708)
Jun 27 21:00:56 HostName freshclam[822]: Testing database: '/var/lib/clamav//tmp.16af15fc66/clamav-25357bbe738fb622c66b96d177e8268c.tmp-spam_marketing.ndb' ...
Jun 27 21:00:56 HostName freshclam[822]: Database test passed.
Jun 27 21:00:56 HostName freshclam[822]: spam_marketing.ndb updated (version: custom database, sigs: 31016)
Jun 27 21:01:09 HostName freshclam[822]: Testing database: '/var/lib/clamav//tmp.16af15fc66/clamav-312dda785700eee0d80eee7348fdb10c.tmp-securiteinfohtml.hdb' ...
Jun 27 21:01:09 HostName freshclam[822]: Database test passed.
Jun 27 21:01:09 HostName freshclam[822]: securiteinfohtml.hdb updated (version: custom database, sigs: 54529)

Some notes from https://www.securiteinfo.com/clients/customers/account (FAQ) might be useful to implement as well.
Which antivirus do your signatures work with?
Our signatures are compatible with ClamAV 0.98.4 or later (out since 2015!), ClamWin, and ClamXav. However, if you have version 0.98.x or 0.99.x of ClamAV, you should update very quickly, because as of March 1st, 2021 it is no longer supported by ClamAV.

Do your signatures duplicate the official ClamAV signatures?
No, our signatures are based on malware that is not already detected by ClamAV. Our signatures are complementary to those of ClamAV.

What are the advantages of a Professional/Gold/Reseller subscription?
The Professional/Gold/Reseller subscriptions give you access to 0-day and 0-hour malware signatures. They protect you from newly discovered malware that is active on the Internet.

Does the paid subscription allow me to protect multiple computers?
Yes, as long as you respect the maximum number of IP addresses authorized to download the signatures for the selected subscription.

Do your signatures generate false positive detections?
No. The false positive rate is extremely low. However, we recommend that you perform pre-production tests before using our signatures in a production environment.

What is your signatures' detection rate?
For 0-day malware, the detection rate is always greater than 80%. It can reach up to 95%! Official ClamAV signatures have a detection rate of around 10%. You can verify the stats yourself on our daily updated page about malware found on hacked websites.

Can I use other unofficial signatures, for example SaneSecurity or MalwarePatrol?
Yes, we recommend using other unofficial signatures to maximize your protection.

Can I mirror your signatures on my network server?
Yes, you can. But public mirroring of our signatures is prohibited!

What is the best crontab configuration for freshclam?
We recommend the following configuration:
n * * * * freshclam --quiet
n is a number you choose between 3 and 57.

There are several signature files. What are the differences?
Here are the details of the signature files:

securiteinfo.hdb : Mainly executable malware (exe, com, dll, ...) less than one year old. Typical usage : Any usage.
securiteinfohtml.hdb and javascript.ndb : HTML or JavaScript malware. Typical usage : Proxy and mail server.
securiteinfoascii.hdb : Text-file malware (Perl or shell scripts, bat files, exploits, ...). Typical usage : Any usage.
spam_marketing.ndb : Spammer blacklist. Typical usage : Mail server.
securiteinfoandroid.hdb : Android malware. Typical usage : Smartphone and tablet protection.
securiteinfo.ign2 : Anti-false-positive list. Mandatory for any usage.
securiteinfoold.hdb : Malware more than one year old. Optional. Use it if you are not limited in resources (RAM/CPU), if you want maximum malware detection, or if you are a virus collector who compares antivirus software.
securiteinfopdf.hdb : PDF malware and spam. Typical usage : Any usage.
securiteinfo0hour.hdb : Malware that appeared on the Internet in the past 60 minutes, i.e. the most active malware at this moment. Mandatory for any usage. Not included in the Basic subscription.
securiteinfo.mdb : Generic malware signatures. Mandatory for any usage. Not included in the Basic subscription.


Do you contribute to ClamAV?
Yes, we regularly submit false positives and signatures to ClamAV. Unfortunately, for some reason, ClamAV does not systematically integrate our contributions. See our contributions for more information.

Who creates the signatures of SecuriteInfo.com?
Arnaud Jacques, CEO of SecuriteInfo.com, creates the signatures. He was an official ClamAV sigmaker for 8 years. You can find more information here.

Do the URLs change with a paid subscription?
No, the URLs are the same whether your account has a free or a paid subscription, except that with a paid subscription you have 2 more signature databases to download: securiteinfo0hour.hdb and securiteinfo.mdb.

I have paid for a Professional subscription. When I try to download the 0-day signatures, I get an "up to date" message. What's wrong?
Please delete the signature files you downloaded with the free subscription (securiteinfo.hdb, securiteinfoascii.hdb, securiteinfohtml.hdb, securiteinfo.ign2, spam_marketing.ndb, javascript.ndb and securiteinfoandroid.hdb) and then download them again. You will receive the 0-day signature files.

I cannot download securiteinfoold.hdb, or I get an error: 'nonblock_recv: recv timing out (30 secs)' or 'Download failed (28) ... Message: Timeout was reached'. What's wrong?

For ClamAV older than 0.102.2, add "ReceiveTimeout 2400" to your freshclam.conf and reload the freshclam daemon.
For ClamAV 0.102.2 or newer, simply remove ReceiveTimeout from your freshclam.conf and reload the freshclam daemon.

I can't download the following files: honeynet.hdb, securiteinfoelf.hdb, securiteinfosh.hdb, securiteinfooffice.hdb, securiteinfodos.hdb, securiteinfobat.hdb. What's wrong?
These files were merged into securiteinfo.hdb. Please go to the 'Setup' tab to get your personal download URLs. Any other URL will be refused by the server.

What is the best configuration for clamd.conf?
To achieve maximum detection rates, we recommend modifying the following lines in your clamd.conf:
WARNING: These changes assume that you have at least 8GB of RAM.

Code:
DetectPUA yes
ExcludePUA PUA.Win.Packer
ExcludePUA PUA.Win.Trojan.Packed
ExcludePUA PUA.Win.Trojan.Molebox
ExcludePUA PUA.Win.Packer.Upx
ExcludePUA PUA.Doc.Packed
MaxScanSize 150M
MaxFileSize 100M
MaxRecursion 40
MaxEmbeddedPE 100M
MaxHTMLNormalize 50M
MaxScriptNormalize 50M
MaxZipTypeRcg 50M

How do I whitelist a signature?
Please see this article: Whitelisting signatures for ClamAV antivirus

Do you publish update reports about your antiviral signatures?
Yes, a report is published every day and is available on our website.

What is the best method to download the signatures?
The easiest method to download our signatures is to use freshclam, as indicated in the 'Setup' tab. The only method supported and recommended by SecuriteInfo.com is the use of freshclam. Any other method, including third-party scripts, is not supported/maintained by SecuriteInfo.com.

If you are using a third-party script like clamav-unofficial-sigs or fangfrisch, make sure you are using the latest version.
 
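The signature file types listed in the FAQ above, as an added example (not SecuriteInfo's code and not from the thread): an awk-based format check for the four ClamAV database formats SecuriteInfo ships, so a downloaded file can be sanity-checked and its entry count compared with the "sigs: N" figure freshclam logs. The line formats come from ClamAV's signature documentation; the sample entries in the test are constructed (the .hdb one is the well-known EICAR MD5), and the body-based .ndb check is deliberately loose because the hex field allows wildcards.

```shell
#!/bin/sh
# Added example, not from the thread or from SecuriteInfo: check a downloaded
# signature database against its ClamAV line format and count its entries.
# Formats (ClamAV signature documentation; comment lines start with '#'):
#   .hdb   Hash:Size:Name                        whole-file MD5/SHA1/SHA256, Size may be '*'
#   .mdb   SectionSize:Hash:Name                 PE section hash
#   .ndb   Name:Target:Offset:Hex[:MinFL[:MaxFL]] body-based pattern
#   .ign2  Name                                  whitelist, one signature name per line
# Prints "<valid> <malformed>" and returns 1 if any line is malformed,
# 2 for an unknown extension.
check_sigdb() {
    db=$1
    case "$db" in
        *.hdb)  fmt=hdb ;;
        *.mdb)  fmt=mdb ;;
        *.ndb)  fmt=ndb ;;
        *.ign2) fmt=ign2 ;;
        *) echo "unknown database type: $db" >&2; return 2 ;;
    esac
    awk -F: -v fmt="$fmt" '
        function ishex(s) { return s ~ /^[0-9a-fA-F]+$/ && (length(s) == 32 || length(s) == 40 || length(s) == 64) }
        /^#/ || NF == 0 { next }
        {
            ok = 0
            if (fmt == "hdb")  ok = (NF == 3 && ishex($1) && $2 ~ /^([0-9]+|\*)$/ && $3 != "")
            if (fmt == "mdb")  ok = (NF == 3 && $1 ~ /^([0-9]+|\*)$/ && ishex($2) && $3 != "")
            if (fmt == "ndb")  ok = (NF >= 4 && NF <= 6 && $1 != "" && $2 ~ /^[0-9]+$/ && $4 != "")
            if (fmt == "ign2") ok = (NF == 1 && $1 !~ /[ \t]/)
            if (ok) good++; else bad++
        }
        END { printf "%d %d\n", good + 0, bad + 0; exit (bad > 0) }
    ' "$db"
}

# Just the valid-entry count, for a quick comparison with the freshclam log line
# "securiteinfo.hdb updated (version: custom database, sigs: N)".
sig_count() {
    check_sigdb "$1" | cut -d' ' -f1
}

# Typical use on the PMG host (not executed here):
#   for f in /var/lib/clamav/securiteinfo*.hdb /var/lib/clamav/*.ndb /var/lib/clamav/securiteinfo.ign2; do
#       printf '%s: %s\n' "$f" "$(check_sigdb "$f")"
#   done
```

A mismatch between sig_count and freshclam's figure, or any malformed line, is a reason to delete the file and let freshclam fetch it again rather than to let clamd load it.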
I'm not sure what I'm doing wrong; these were the steps I took:

Code:
cp /var/lib/pmg/templates/freshclam.conf.in /etc/pmg/templates/freshclam.conf.in

root@mail:~# cat /etc/pmg/templates/freshclam.conf.in
DatabaseOwner clamav
LogVerbose false
LogSyslog true
LogFacility LOG_LOCAL6
LogFileMaxSize 0
Foreground false
Debug false
MaxAttempts 5
Checks [% IF pmg.clamav.safebrowsing %]48[% ELSE %]24[% END %]
DatabaseDirectory /var/lib/clamav/
PidFile /var/run/clamav/freshclam.pid
DatabaseMirror [% pmg.clamav.dbmirror %]
ConnectTimeout 30
ReceiveTimeout 30
ScriptedUpdates no
CompressLocalDatabase no
NotifyClamd /etc/clamav/clamd.conf
Bytecode true
SafeBrowsing [% IF pmg.clamav.safebrowsing %]true[% ELSE %]false[% END %]
DNSDatabaseInfo current.cvd.clamav.net
[% IF proxy.host %]
HTTPProxyServer [% proxy.host %]
HTTPProxyPort [% proxy.port %]
[% IF proxy.username %]
HTTPProxyUsername [% proxy.username %]
[% END %]
[% IF proxy.password %]
HTTPProxyPassword [% proxy.password %]
[% END %]
[% END %]

 http://www.securiteinfo.com/get/signatures/80cd44e88e02d36aa96febfddb35bba2cadbefe20ccc3cf292078ae6809ad66703b0524d390bxxxxxx/securiteinfo.hdb
 http://www.securiteinfo.com/get/signatures/80cd44e88e02d36aa96febfddb35bba2cadbefe20ccc3cf292078ae6809ad66703b0524d390bxxxxxx/securiteinfo.ign2
 http://www.securiteinfo.com/get/signatures/80cd44e88e02d36aa96febfddb35bba2cadbefe20ccc3cf292078ae6809ad66703b0524d390bxxxxxx/javascript.ndb
 http://www.securiteinfo.com/get/signatures/80cd44e88e02d36aa96febfddb35bba2cadbefe20ccc3cf292078ae6809ad66703b0524d390bxxxxxx/spam_marketing.ndb
 http://www.securiteinfo.com/get/signatures/80cd44e88e02d36aa96febfddb35bba2cadbefe20ccc3cf292078ae6809ad66703b0524d390bxxxxxx/securiteinfohtml.hdb
 http://www.securiteinfo.com/get/signatures/80cd44e88e02d36aa96febfddb35bba2cadbefe20ccc3cf292078ae6809ad66703b0524d390bxxxxxx/securiteinfoascii.hdb
 http://www.securiteinfo.com/get/signatures/80cd44e88e02d36aa96febfddb35bba2cadbefe20ccc3cf292078ae6809ad66703b0524d390bxxxxxx/securiteinfoandroid.hdb
 http://www.securiteinfo.com/get/signatures/80cd44e88e02d36aa96febfddb35bba2cadbefe20ccc3cf292078ae6809ad66703b0524d390bxxxxxx/securiteinfoold.hdb
 http://www.securiteinfo.com/get/signatures/80cd44e88e02d36aa96febfddb35bba2cadbefe20ccc3cf292078ae6809ad66703b0524d390bxxxxxx/securiteinfopdf.hdb


service clamav-freshclam restart

But when I update I only see this:

ClamAV update process started at Tue Jul 20 11:46:57 2021
WARNING: Your ClamAV installation is OUTDATED!
WARNING: Local version: 0.101.4 Recommended version: 0.103.3
DON'T PANIC! Read https://www.clamav.net/documents/upgrading-clamav
main.cvd is up to date (version: 61, sigs: 6607162, f-level: 90, builder: sigmgr)
daily.cvd is up to date (version: 26238, sigs: 1962783, f-level: 90, builder: raynman)
safebrowsing.cvd is up to date (version: 49192, sigs: 2, f-level: 63, builder: google)
bytecode.cvd is up to date (version: 333, sigs: 92, f-level: 63, builder: awillia2)
TASK OK


After I reboot I get this error:

ERROR: Missing argument for option at /etc/clamav/freshclam.conf:22
ERROR: Can't open/parse the config file /etc/clamav/freshclam.conf
TASK ERROR: command '/usr/bin/freshclam --stdout' failed: exit code 40
 
@poetry thanks for the reply,
sorry, I didn't know that was unique. I re-read @hata_ph but I'm still getting the same issue.
I also ran pmgconfig sync --restart 1.

Not sure what I missed. Thank you again.
 

Here are the commands that work for me.

1. cp /var/lib/pmg/templates/freshclam.conf.in /etc/pmg/templates/freshclam.conf.in

cp = copy source (first file /var/lib/pmg/templates/freshclam.conf.in) destination (second file /etc/pmg/templates/freshclam.conf.in)

/var/lib/pmg/templates/freshclam.conf.in (location where the original template file is)
/etc/pmg/templates/freshclam.conf.in (where you want to create a new modified template)

2. nano /etc/pmg/templates/freshclam.conf.in (add the securiteinfo entries to the bottom)

[screenshot: freshclam.conf.in with the DatabaseCustomURL lines appended at the bottom]
Exit with CTRL+X and Y to save changes.

3. pmgconfig sync --restart 1 (to apply changes)

4. Run the update from the GUI (Update now)
[screenshot: Update now button in the PMG GUI]

[screenshot: update task output listing the SecuriteInfo databases]
 
Thank you, I had to add the

DatabaseCustomURL

My bad.

BTW, how have you seen the detection rate? Any better?
 
We have paid for the license and it's quite good. Still not 100% detection, but 90% better than before. The guy running the site is responsive; if you send him new malware via your account messages he will add it quickly to his database, so we are going to be using it from now on.
 
We implemented these a few days ago and it is a lot better.

There were some false positives, so I removed the pdf, marketing and ascii signatures.
Quick question: how do you remove the false positives, or add them to the whitelist? And which were the ones that you deleted?
 
The signature files you configure end in a descriptive name.

[screenshot: SecuriteInfo Setup page listing the DatabaseCustomURL entries]


I removed the one ending in:

spam_marketing - we have blacklists for that.
securiteinfopdf - I need pdf files
securiteinfoascii - we block most attachments except for pdf

I might remove the securiteinfohtml signatures as well.
 
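Two ways to act on false positives like the ones described in the posts above, as an added example (not code from the thread): whitelisting one signature by name in a local .ign2 file, and dropping a whole database. It assumes the PMG paths used earlier in the thread and a file name of my choosing (local.ign2). The caveat worth knowing: removing a DatabaseCustomURL line from the template only stops the updates; freshclam does not delete a database it no longer fetches, and clamd loads every database it finds in /var/lib/clamav, so the file has to be deleted and clamd reloaded as well.

```shell
#!/bin/sh
# Added example, not from the thread: handle a SecuriteInfo false positive on PMG.

# Whitelist one signature by name. clamd loads any *.ign2 in DatabaseDirectory,
# so a file of our own (local.ign2, an assumed name) survives updates of the
# vendor's securiteinfo.ign2. The format is one signature name per line.
# Usage: whitelist_signature /var/lib/clamav/local.ign2 SecuriteInfo.com.Trojan.Hosts.49477.30444
whitelist_signature() {
    ign2=$1; name=$2
    case "$name" in
        ''|*[!A-Za-z0-9._-]*)   # conservative character set; a stray space or ':' breaks parsing
            echo "refusing malformed signature name: '$name'" >&2; return 2 ;;
    esac
    [ -f "$ign2" ] && grep -qxF "$name" "$ign2" && return 0   # -x: Foo.1 must not match Foo.12
    printf '%s\n' "$name" >> "$ign2"
}

# Drop one signature database for good: remove its DatabaseCustomURL line from
# the template (backup kept as .bak) and delete the downloaded file.
# Returns 1 if neither existed.
# Follow with:  pmgconfig sync --restart 1   and   clamdscan --reload
# Usage: drop_signature_set /etc/pmg/templates/freshclam.conf.in /var/lib/clamav securiteinfopdf.hdb
drop_signature_set() {
    tmpl=$1; dbdir=$2; dbname=$3
    found=1
    if grep -q "^DatabaseCustomURL .*/$dbname\$" "$tmpl"; then
        cp "$tmpl" "$tmpl.bak"
        grep -v "^DatabaseCustomURL .*/$dbname\$" "$tmpl" > "$tmpl.tmp" || true
        mv "$tmpl.tmp" "$tmpl"
        found=0
    fi
    if [ -f "$dbdir/$dbname" ]; then
        rm -f "$dbdir/$dbname"
        found=0
    fi
    return $found
}

# What clamd will actually load from the SecuriteInfo set: compare this with the
# DatabaseCustomURL lines to spot files that survived a template edit.
# Usage: installed_custom_dbs /var/lib/clamav
installed_custom_dbs() {
    for f in "$1"/securiteinfo*.hdb "$1"/securiteinfo*.mdb "$1"/securiteinfo*.ign2 \
             "$1"/javascript.ndb "$1"/spam_marketing.ndb; do
        [ -f "$f" ] && basename "$f"
    done
    return 0
}
```

After either change, clamd keeps the old signatures in memory until it reloads, so a whitelist entry or a deleted database has no effect on mail flow until `clamdscan --reload` (or the next automatic reload) has run.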
Hi guys, I was wondering if someone else has had this issue before.
Currently updated to 6.4.4, but on the web GUI I don't see the database, while when I click on update I do see it.
[screenshot: PMG AV database page]
[screenshot: update task output listing the SecuriteInfo databases]
 
If I'm not mistaken, the AV page will not show the ClamAV custom DB status.
 
Thanks for the reply. What's very odd is that a few viruses are passing through when the SecuriteInfo DB should have blocked them.

SecuriteInfo.com.Trojan.Hosts.49477.30444 using javascript.ndb

This is the virus that passed through (please take caution: https://easyupload.io/m/r0xayp)

I talked directly to the SecuriteInfo support team and they told me that ClamAV should have caught it, so I'm thinking that I missed something in the config?

Thank you
 
Please provide the log of how PMG processed the mail.
 
Thanks for the reply,

Code:
Feb  4 22:13:48 mail postfix/verify[9111]: cache btree:/var/lib/postfix/verify_cache full cleanup: retained=1 dropped=0 entries
Feb  4 22:13:48 mail postfix/smtpd[9107]: 50C3A3E08A8: client=mail.client.com[181.xx.xxx]
Feb  4 22:13:48 mail postfix/cleanup[9112]: 50C3A3E08A8: message-id=<57f73105-8d5e-fb0d-f1c3-33a318940dbe@client.com>
Feb  4 22:13:48 mail postfix/smtpd[9107]: disconnect from mail.client.com[181.xx.xxx] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=7
Feb  4 22:13:48 mail postfix/qmgr[807]: 50C3A3E08A8: from=<username@client.com>, size=492102, nrcpt=1 (queue active)
Feb  4 22:13:50 mail pmg-smtp-filter[3897]: 2022/02/04-22:13:50 CONNECT TCP Peer: "[127.0.0.1]:37482" Local: "[127.0.0.1]:10024"
Feb  4 22:13:52 mail pmg-smtp-filter[3897]: 3E111061FDEB6F1D107: new mail message-id=<57f73105-8d5e-fb0d-f1c3-33a318940dbe@client.com>#012
Feb  4 22:14:12 mail pmg-smtp-filter[3897]: 3E111061FDEB6F1D107: SA score=1/5 time=13.736 bayes=undefined autolearn=no autolearn_force=no hits=AWL(-0.497),DKIM_INVALID(0.1),DKIM_SIGNED(0.1),HTML_MESSAGE(0.001),KAM_DMARC_STATUS(0.01),RCVD_IN_SO$
Feb  4 22:14:13 mail postfix/smtpd[9160]: connect from localhost.localdomain[127.0.0.1]
Feb  4 22:14:13 mail postfix/smtpd[9160]: 1738D3E111E: client=localhost.localdomain[127.0.0.1], orig_client=mail.client.com[181.xx.xxx]
Feb  4 22:14:13 mail postfix/cleanup[9112]: 1738D3E111E: message-id=<57f73105-8d5e-fb0d-f1c3-33a318940dbe@client.com>
Feb  4 22:14:13 mail postfix/qmgr[807]: 1738D3E111E: from=<username@client.com>, size=492980, nrcpt=1 (queue active)
Feb  4 22:14:13 mail postfix/smtpd[9160]: disconnect from localhost.localdomain[127.0.0.1] ehlo=1 xforward=1 mail=1 rcpt=1 data=1 commands=5
Feb  4 22:14:13 mail pmg-smtp-filter[3897]: 3E111061FDEB6F1D107: accept mail to <sistemas@mydomain.com> (1738D3E111E) (rule: default-accept)
Feb  4 22:14:13 mail pmg-smtp-filter[3897]: 3E111061FDEB6F1D107: processing time: 22.062 seconds (13.736, 5.854, 0)
Feb  4 22:14:13 mail postfix/lmtp[9113]: 50C3A3E08A8: to=<sistemas@mydomain.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=25, delays=0.25/0.08/2.5/22, dsn=2.5.0, status=sent (250 2.5.0 OK (3E111061FDEB6F1D107))
Feb  4 22:14:13 mail postfix/qmgr[807]: 50C3A3E08A8: removed
Feb  4 22:14:13 mail postfix/smtp[9161]: Anonymous TLS connection established to 192.168.7.245[192.168.7.245]:27: TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)
Feb  4 22:14:13 mail postfix/smtp[9161]: 1738D3E111E: to=<sistemas@mydomain.com>, relay=192.168.7.245[192.168.7.245]:27, delay=0.53, delays=0.18/0.06/0.16/0.13, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 83EA4BE77DA)
Feb  4 22:14:13 mail postfix/qmgr[807]: 1738D3E111E: removed
 

About

The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get yours easily in our online shop.

Buy now!