Clamav additional signatures

Jan 29, 2016
27
6
23
46
You can improve clamav detection rate, mostly on virus and malware in the wild, with additional signatures.
Copy /var/lib/pmg/templates/freshclam.conf.in in /etc/pmg/templates and add these lines at the end:

DatabaseCustomURL http://ftp.swin.edu.au/sanesecurity/sigwhitelist.ign2
DatabaseCustomURL http://ftp.swin.edu.au/sanesecurity/sanesecurity.ftm
DatabaseCustomURL http://ftp.swin.edu.au/sanesecurity/junk.ndb
DatabaseCustomURL http://ftp.swin.edu.au/sanesecurity/jurlbl.ndb
DatabaseCustomURL http://ftp.swin.edu.au/sanesecurity/phish.ndb
DatabaseCustomURL http://ftp.swin.edu.au/sanesecurity/rogue.hdb
DatabaseCustomURL http://ftp.swin.edu.au/sanesecurity/scam.ndb
DatabaseCustomURL http://ftp.swin.edu.au/sanesecurity/spamimg.hdb
DatabaseCustomURL http://ftp.swin.edu.au/sanesecurity/spamattach.hdb
DatabaseCustomURL http://ftp.swin.edu.au/sanesecurity/blurl.ndb
DatabaseCustomURL http://ftp.swin.edu.au/sanesecurity/foxhole_generic.cdb
DatabaseCustomURL http://ftp.swin.edu.au/sanesecurity/foxhole_filename.cdb
DatabaseCustomURL http://ftp.swin.edu.au/sanesecurity/malwarehash.hsb
DatabaseCustomURL http://ftp.swin.edu.au/sanesecurity/malware.expert.hdb
DatabaseCustomURL http://ftp.swin.edu.au/sanesecurity/hackingteam.hsb
DatabaseCustomURL http://ftp.swin.edu.au/sanesecurity/winnow_malware.hdb
DatabaseCustomURL http://ftp.swin.edu.au/sanesecurity/winnow_malware_links.ndb
DatabaseCustomURL http://ftp.swin.edu.au/sanesecurity/winnow_extended_malware.hdb
DatabaseCustomURL http://ftp.swin.edu.au/sanesecurity/winnow.attachments.hdb
DatabaseCustomURL http://ftp.swin.edu.au/sanesecurity/winnow_bad_cw.hdb
DatabaseCustomURL http://ftp.swin.edu.au/sanesecurity/bofhland_cracked_URL.ndb
DatabaseCustomURL http://ftp.swin.edu.au/sanesecurity/bofhland_malware_URL.ndb
DatabaseCustomURL http://ftp.swin.edu.au/sanesecurity/bofhland_phishing_URL.ndb
DatabaseCustomURL http://ftp.swin.edu.au/sanesecurity/bofhland_malware_attach.hdb
DatabaseCustomURL http://ftp.swin.edu.au/sanesecurity/crdfam.clamav.hdb
DatabaseCustomURL http://ftp.swin.edu.au/sanesecurity/porcupine.ndb
DatabaseCustomURL http://ftp.swin.edu.au/sanesecurity/porcupine.hsb

then issue the command

pmgconfig sync --restart 1

This will dowload additional signatures, with low false positive, in the /var/lib/clamav directory.
Additional information about the signatures on this site

https://sanesecurity.com/usage/signatures/

Hope this can help improve this great product!

Francesco
 
Last edited:

tom

Proxmox Staff Member
Staff member
Aug 29, 2006
15,521
908
163
You can improve clamav detection rate, mostly on virus and malware in the wild, with additional signatures.
In /var/lib/pmg/templates/freshclam.conf.in add these lines at the end:
....

Thanks for your contributions but please do NOT edit /var/lib/pmg/templates/freshclam.conf.in

Please follow the admin guide on chapter "4.3 Service Configuration Templates" for the correct way.
 
Jan 29, 2016
27
6
23
46
adding these lines to the freshclam templates is simpler and the additional signatures will be downloaded as the other clamav updates.
I've also included -only- the low false positive signatures.
 
  • Like
Reactions: DerDanilo

heutger

Well-Known Member
Apr 25, 2018
845
238
48
Fulda, Hessen, Germany
www.heutger.net
Maybe, but the script also checks the acceptable download intervals and include Securiteinfo and MalwarePatrol. For sure, to have only low fp signatures is fine, did not found yet on how to adjust the script only to use them, also I miss a script update option, so maybe I will consider to change later to your recommendation. However, for doing so, where do you have the ftp URLs from (didn't find on SaneSecurity website) and why did you left out e.g. malware.expert.hdb? Asking for the URLs because maybe there are more nearby URLs e.g. from Europe or Germany. Although I like Australia, it's somehow far away.
 
Jan 29, 2016
27
6
23
46
I'll include also malware.exepert.hdb.

to obtain a list of mirror sites:

dig +ignore +short rsync.sanesecurity.net

you can access these repos via rsync

rsync rsync://212.24.139.164/sanesecurity

and then download required signatures.
 

heutger

Well-Known Member
Apr 25, 2018
845
238
48
Fulda, Hessen, Germany
www.heutger.net
Great, I get

213.152.3.110
45.55.230.41
185.12.6.218
94.142.245.58
212.24.139.164
208.79.241.67
89.145.113.192
185.66.251.102
194.77.111.24
176.9.102.216
128.232.98.11
185.103.157.37
141.42.206.35
67.225.188.197
46.21.115.195
37.59.95.34
185.87.185.65
212.183.175.206
185.95.29.15
188.226.251.154
147.102.222.211
150.214.142.197
185.85.248.30

Is there a possibility, also to get hostnames for this sites without checking each individually?
 
Jan 29, 2016
27
6
23
46
in a bash shell:

for i in `dig +ignore +short rsync.sanesecurity.net`; do echo -n $i" - "; dig +short -x $i; done

(ALWAYS try commands AFTER reading them and in a not super user shell)
 
  • Like
Reactions: mdo and heutger

About

The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get your own in 60 seconds.

Buy now!