Clamav additional signatures

F

Francesco M. Taurino

Renowned Member
Jan 29, 2016
27
7
68
47
You can improve clamav detection rate, mostly on virus and malware in the wild, with additional signatures.
Copy /var/lib/pmg/templates/freshclam.conf.in in /etc/pmg/templates and add these lines at the end:

DatabaseCustomURL http://ftp.swin.edu.au/sanesecurity/sigwhitelist.ign2
DatabaseCustomURL http://ftp.swin.edu.au/sanesecurity/sanesecurity.ftm
DatabaseCustomURL http://ftp.swin.edu.au/sanesecurity/junk.ndb
DatabaseCustomURL http://ftp.swin.edu.au/sanesecurity/jurlbl.ndb
DatabaseCustomURL http://ftp.swin.edu.au/sanesecurity/phish.ndb
DatabaseCustomURL http://ftp.swin.edu.au/sanesecurity/rogue.hdb
DatabaseCustomURL http://ftp.swin.edu.au/sanesecurity/scam.ndb
DatabaseCustomURL http://ftp.swin.edu.au/sanesecurity/spamimg.hdb
DatabaseCustomURL http://ftp.swin.edu.au/sanesecurity/spamattach.hdb
DatabaseCustomURL http://ftp.swin.edu.au/sanesecurity/blurl.ndb
DatabaseCustomURL http://ftp.swin.edu.au/sanesecurity/foxhole_generic.cdb
DatabaseCustomURL http://ftp.swin.edu.au/sanesecurity/foxhole_filename.cdb
DatabaseCustomURL http://ftp.swin.edu.au/sanesecurity/malwarehash.hsb
DatabaseCustomURL http://ftp.swin.edu.au/sanesecurity/malware.expert.hdb
DatabaseCustomURL http://ftp.swin.edu.au/sanesecurity/hackingteam.hsb
DatabaseCustomURL http://ftp.swin.edu.au/sanesecurity/winnow_malware.hdb
DatabaseCustomURL http://ftp.swin.edu.au/sanesecurity/winnow_malware_links.ndb
DatabaseCustomURL http://ftp.swin.edu.au/sanesecurity/winnow_extended_malware.hdb
DatabaseCustomURL http://ftp.swin.edu.au/sanesecurity/winnow.attachments.hdb
DatabaseCustomURL http://ftp.swin.edu.au/sanesecurity/winnow_bad_cw.hdb
DatabaseCustomURL http://ftp.swin.edu.au/sanesecurity/bofhland_cracked_URL.ndb
DatabaseCustomURL http://ftp.swin.edu.au/sanesecurity/bofhland_malware_URL.ndb
DatabaseCustomURL http://ftp.swin.edu.au/sanesecurity/bofhland_phishing_URL.ndb
DatabaseCustomURL http://ftp.swin.edu.au/sanesecurity/bofhland_malware_attach.hdb
DatabaseCustomURL http://ftp.swin.edu.au/sanesecurity/crdfam.clamav.hdb
DatabaseCustomURL http://ftp.swin.edu.au/sanesecurity/porcupine.ndb
DatabaseCustomURL http://ftp.swin.edu.au/sanesecurity/porcupine.hsb

then issue the command

pmgconfig sync --restart 1

This will dowload additional signatures, with low false positive, in the /var/lib/clamav directory.
Additional information about the signatures on this site

https://sanesecurity.com/usage/signatures/

Hope this can help improve this great product!

Francesco
 
Last edited:
  • Like
Reactions: itNGO, mdo, DerDanilo and 1 other person
Francesco M. Taurino said:
You can improve clamav detection rate, mostly on virus and malware in the wild, with additional signatures.
In /var/lib/pmg/templates/freshclam.conf.in add these lines at the end:
....
Click to expand...

Thanks for your contributions but please do NOT edit /var/lib/pmg/templates/freshclam.conf.in

Please follow the admin guide on chapter "4.3 Service Configuration Templates" for the correct way.
 
  • Like
Reactions: DerDanilo and Plaintext
adding these lines to the freshclam templates is simpler and the additional signatures will be downloaded as the other clamav updates.
I've also included -only- the low false positive signatures.
 
  • Like
Reactions: DerDanilo
Maybe, but the script also checks the acceptable download intervals and include Securiteinfo and MalwarePatrol. For sure, to have only low fp signatures is fine, did not found yet on how to adjust the script only to use them, also I miss a script update option, so maybe I will consider to change later to your recommendation. However, for doing so, where do you have the ftp URLs from (didn't find on SaneSecurity website) and why did you left out e.g. malware.expert.hdb? Asking for the URLs because maybe there are more nearby URLs e.g. from Europe or Germany. Although I like Australia, it's somehow far away.
 
I'll include also malware.exepert.hdb.

to obtain a list of mirror sites:

dig +ignore +short rsync.sanesecurity.net

you can access these repos via rsync

rsync rsync://212.24.139.164/sanesecurity

and then download required signatures.
 
Great, I get

213.152.3.110
45.55.230.41
185.12.6.218
94.142.245.58
212.24.139.164
208.79.241.67
89.145.113.192
185.66.251.102
194.77.111.24
176.9.102.216
128.232.98.11
185.103.157.37
141.42.206.35
67.225.188.197
46.21.115.195
37.59.95.34
185.87.185.65
212.183.175.206
185.95.29.15
188.226.251.154
147.102.222.211
150.214.142.197
185.85.248.30

Is there a possibility, also to get hostnames for this sites without checking each individually?
 
in a bash shell:

for i in `dig +ignore +short rsync.sanesecurity.net`; do echo -n $i" - "; dig +short -x $i; done

(ALWAYS try commands AFTER reading them and in a not super user shell)
 
  • Like
Reactions: mdo and heutger
You must log in or register to reply here.

About

The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Quick Navigation

Home Get Subscription Wiki Downloads Proxmox Customer Portal About

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get yours easily in our online shop.

Buy now!
Community platform by XenForo® © 2010-2024 XenForo Ltd.
Top Bottom
Back