Installing Sanesecurity virus definitions for ClamAV on Debian (for Amavis)

A lot of malware and viruses get past amavis/clamav. To add further definitions, a very useful and well-made script on GitHub, https://github.com/extremeshok/clamav-unofficial-sigs, comes to our aid: it lets us add several extra signature databases that are freely available on the internet.

Download master.zip from GitHub:

cd /opt
wget https://github.com/extremeshok/clamav-unofficial-sigs/archive/master.zip
unzip master.zip
cd clamav-unofficial-sigs-master/
cp clamav-unofficial-sigs.sh /usr/local/bin/
chmod 755 /usr/local/bin/clamav-unofficial-sigs.sh
mkdir /etc/clamav-unofficial-sigs/
cd config/
cp * /etc/clamav-unofficial-sigs/
mkdir /var/log/clamav-unofficial-sigs/
cd /etc/clamav-unofficial-sigs/
mv os.debian8.conf os.conf

Now edit the os.conf file: comment out clamd_pid="/var/run/clamd.pid" and uncomment clamd_socket="/var/run/clamav/clamd.ctl", then save and close.

Edit user.conf and uncomment the line user_configuration_complete="yes", then save and close.

OK, now you are ready to run it for the first time: /usr/local/bin/clamav-unofficial-sigs.sh
You will see it download several definition databases, and in /var/lib/clamav you will find all the additional definitions with the correct permissions:

-rw-r--r-- 1 clamav clamav     47260 mag 13 10:18 antidebug_antivm.yar
-rw-r--r-- 1 clamav clamav    288262 mag 13 09:55 blurl.ndb
-rw-r--r-- 1 clamav clamav      1740 mag 13 09:48 bofhland_cracked_URL.ndb
-rw-r--r-- 1 clamav clamav     99837 mag 13 09:48 bofhland_malware_attach.hdb
-rw-r--r-- 1 clamav clamav      4832 mag 13 09:48 bofhland_malware_URL.ndb
-rw-r--r-- 1 clamav clamav      6216 mag 13 09:48 bofhland_phishing_URL.ndb
-rw-r--r-- 1 clamav clamav    378368 apr 15 21:35 bytecode.cld
-rw-r--r-- 1 clamav clamav    417603 mag 13 09:48 crdfam.clamav.hdb
-rw-r--r-- 1 clamav clamav  10137088 mag 13 08:18 daily.cld
-rw-r--r-- 1 clamav clamav     25780 mag 12 10:53 foxhole_filename.cdb
-rw-r--r-- 1 clamav clamav     44147 mar 25 19:53 foxhole_generic.cdb
-rw-r--r-- 1 clamav clamav     48176 ago  5  2015 hackingteam.hsb
-rw-r--r-- 1 clamav clamav   6595967 mag 11 09:54 junk.ndb
-rw-r--r-- 1 clamav clamav   1687824 mag 13 09:55 jurlbl.ndb
-rw-r--r-- 1 clamav clamav 109143933 mar 29 17:19 main.cvd
-rw-r--r-- 1 clamav clamav      8376 mag 13 10:18 malicious_document.yar
-rw-r--r-- 1 clamav clamav      9460 feb 19  2015 malwarehash.hsb
-rw-r--r-- 1 clamav clamav      1040 mag 13 10:18 mirrors.dat
-rw-r--r-- 1 clamav clamav   3859098 mag 11 21:14 phish.ndb
-rw-r--r-- 1 clamav clamav   5055292 mag 13 09:46 phishtank.ndb
-rw-r--r-- 1 clamav clamav     56820 mag 13 09:46 porcupine.hsb
-rw-r--r-- 1 clamav clamav    298884 mag 13 09:46 porcupine.ndb
-rw-r--r-- 1 clamav clamav    598699 apr  6 03:48 rfxn.hdb
-rw-r--r-- 1 clamav clamav    437666 apr  6 03:48 rfxn.ndb
-rw-r--r-- 1 clamav clamav   3203193 mag 12 16:56 rogue.hdb
-rw-r--r-- 1 clamav clamav     11102 mar  9 09:56 sanesecurity.ftm
-rw-r--r-- 1 clamav clamav      1462 lug  1  2015 Sanesecurity_sigtest.yara
-rw-r--r-- 1 clamav clamav      1233 feb 22 13:21 Sanesecurity_spam.yara
-rw-r--r-- 1 clamav clamav   1881431 apr 21 09:58 scam.ndb
-rw-r--r-- 1 clamav clamav      6679 apr  6 13:55 sigwhitelist.ign2
-rw-r--r-- 1 clamav clamav       199 apr  6 16:55 spamattach.hdb
-rw-r--r-- 1 clamav clamav       671 apr 18 17:57 spamimg.hdb
-rw-r--r-- 1 clamav clamav    526635 mag 12 09:14 winnow.attachments.hdb
-rw-r--r-- 1 clamav clamav        66 mag 12 09:14 winnow_bad_cw.hdb
-rw-r--r-- 1 clamav clamav    107753 mag 12 09:14 winnow_extended_malware.hdb
-rw-r--r-- 1 clamav clamav    165256 mag 12 09:14 winnow_malware.hdb
-rw-r--r-- 1 clamav clamav    632292 mag 12 09:14 winnow_malware_links.ndb
-rw-r--r-- 1 clamav clamav      1584 mag 12 09:14 winnow_malware.yara

Now run this command to check whether clamav has picked them up:

clamscan --debug /dev/null 2>&1 | grep "loaded"

It should give output like this:

LibClamAV debug: /var/lib/clamav/sigwhitelist.ign2 loaded
LibClamAV debug: daily.info loaded
LibClamAV debug: daily.cfg loaded
LibClamAV debug: daily.idb loaded
LibClamAV debug: daily.pdb loaded
LibClamAV debug: daily.ndb loaded
LibClamAV debug: daily.ign loaded
LibClamAV debug: daily.crb loaded
LibClamAV debug: daily.cdb loaded
LibClamAV debug: daily.ldb loaded
LibClamAV debug: daily.hdb loaded
LibClamAV debug: daily.fp loaded
LibClamAV debug: daily.mdb loaded
LibClamAV debug: daily.wdb loaded
LibClamAV debug: daily.msb loaded
LibClamAV debug: daily.sfp loaded
LibClamAV debug: cli_loadftm: File type signature for HWP embedded OLE2 not loaded (required f-level: 82)
LibClamAV debug: cli_loadftm: File type signature for HWPML Document not loaded (required f-level: 82)
LibClamAV debug: cli_loadftm: File type signature for HWP3 Document not loaded (required f-level: 82)
LibClamAV debug: daily.ftm loaded
LibClamAV debug: daily.ign2 loaded
LibClamAV debug: daily.hsb loaded
LibClamAV debug: /var/lib/clamav/daily.cld loaded
LibClamAV debug: /var/lib/clamav/scam.ndb loaded
LibClamAV debug: bytecode.info loaded
LibClamAV debug: 3986218.cbc loaded
LibClamAV debug: 4306157.cbc loaded
LibClamAV debug: 3986289.cbc loaded
LibClamAV debug: 3986233.cbc loaded
LibClamAV debug: 3986223.cbc loaded
LibClamAV debug: 3986337.cbc loaded
LibClamAV debug: 3986310.cbc loaded
LibClamAV debug: 3986234.cbc loaded
LibClamAV debug: 3986212.cbc loaded
LibClamAV debug: 3986306.cbc loaded
LibClamAV debug: 3986230.cbc loaded
LibClamAV debug: 3986236.cbc loaded
LibClamAV debug: 3986185.cbc loaded
LibClamAV debug: 3986303.cbc loaded
LibClamAV debug: 3986222.cbc loaded
LibClamAV debug: 3986215.cbc loaded
LibClamAV debug: 3986187.cbc loaded
LibClamAV debug: 3986216.cbc loaded
LibClamAV debug: 3986305.cbc loaded
LibClamAV debug: 3986214.cbc loaded
LibClamAV debug: 4306126.cbc loaded
LibClamAV debug: 3986334.cbc loaded
LibClamAV debug: 3986220.cbc loaded
LibClamAV debug: 3986219.cbc loaded
LibClamAV debug: 3986259.cbc loaded
LibClamAV debug: 3986327.cbc loaded
LibClamAV debug: 3986322.cbc loaded
LibClamAV debug: 3986328.cbc loaded
LibClamAV debug: 3986206.cbc loaded
LibClamAV debug: 3986244.cbc loaded
LibClamAV debug: 3986221.cbc loaded
LibClamAV debug: 3986318.cbc loaded
LibClamAV debug: 3986283.cbc loaded
LibClamAV debug: 3986188.cbc loaded
LibClamAV debug: 3986301.cbc loaded
LibClamAV debug: 3986321.cbc loaded
LibClamAV debug: 3986232.cbc loaded
LibClamAV debug: 3986282.cbc loaded
LibClamAV debug: 3986229.cbc loaded
LibClamAV debug: 3986292.cbc loaded
LibClamAV debug: 3986242.cbc loaded
LibClamAV debug: 3986231.cbc loaded
LibClamAV debug: 3986326.cbc loaded
LibClamAV debug: 3986217.cbc loaded
LibClamAV debug: 3986235.cbc loaded
LibClamAV debug: 3986224.cbc loaded
LibClamAV debug: 3986249.cbc loaded
LibClamAV debug: /var/lib/clamav/bytecode.cld loaded
LibClamAV debug: /var/lib/clamav/bofhland_malware_URL.ndb loaded
LibClamAV debug: /var/lib/clamav/foxhole_filename.cdb loaded
LibClamAV debug: /var/lib/clamav/phishtank.ndb loaded
LibClamAV debug: /var/lib/clamav/winnow.attachments.hdb loaded
LibClamAV debug: load_oneyara: successfully loaded YARA.CryptoWall_Resume_phish
LibClamAV debug: load_oneyara: successfully loaded YARA.docx_macro
LibClamAV debug: load_oneyara: successfully loaded YARA.java_JSocket_20151217
LibClamAV debug: cli_loadyara: loaded 3 of 3 yara signatures from /var/lib/clamav/winnow_malware.yara
LibClamAV debug: /var/lib/clamav/winnow_malware.yara loaded
LibClamAV debug: /var/lib/clamav/junk.ndb loaded
LibClamAV debug: /var/lib/clamav/winnow_extended_malware.hdb loaded
LibClamAV debug: /var/lib/clamav/rogue.hdb loaded
LibClamAV debug: /var/lib/clamav/malicious_document.yar loaded
LibClamAV debug: /var/lib/clamav/rfxn.hdb loaded
LibClamAV debug: /var/lib/clamav/bofhland_cracked_URL.ndb loaded
LibClamAV debug: /var/lib/clamav/foxhole_generic.cdb loaded
LibClamAV debug: /var/lib/clamav/rfxn.ndb loaded
LibClamAV debug: /var/lib/clamav/winnow_bad_cw.hdb loaded
LibClamAV debug: /var/lib/clamav/hackingteam.hsb loaded
LibClamAV debug: /var/lib/clamav/spamattach.hdb loaded
LibClamAV debug: /var/lib/clamav/winnow_malware.hdb loaded
LibClamAV debug: /var/lib/clamav/jurlbl.ndb loaded
LibClamAV debug: load_oneyara: successfully loaded YARA.Sanesecurity_TestSig_Type4_Hdr_2
LibClamAV debug: load_oneyara: successfully loaded YARA.Sanesecurity_TestSig_Type3_Bdy_4
LibClamAV debug: load_oneyara: successfully loaded YARA.Sanesecurity_TestSig_Type4_Bdy_3
LibClamAV debug: load_oneyara: successfully loaded YARA.Sanesecurity_PhishingTestSig_1
LibClamAV debug: cli_loadyara: loaded 4 of 4 yara signatures from /var/lib/clamav/Sanesecurity_sigtest.yara
LibClamAV debug: /var/lib/clamav/Sanesecurity_sigtest.yara loaded
LibClamAV debug: /var/lib/clamav/malwarehash.hsb loaded
LibClamAV debug: main.info loaded
LibClamAV debug: main.hdb loaded
LibClamAV debug: main.hsb loaded
LibClamAV debug: main.mdb loaded
LibClamAV debug: main.msb loaded
LibClamAV debug: main.ndb loaded
LibClamAV debug: main.fp loaded
LibClamAV debug: main.sfp loaded
LibClamAV debug: main.crb loaded
LibClamAV debug: /var/lib/clamav/main.cvd loaded
LibClamAV debug: /var/lib/clamav/antidebug_antivm.yar loaded
LibClamAV debug: /var/lib/clamav/crdfam.clamav.hdb loaded
LibClamAV debug: cli_loadftm: File type signature for HWP embedded OLE2 not loaded (required f-level: 82)
LibClamAV debug: cli_loadftm: File type signature for HWPML Document not loaded (required f-level: 82)
LibClamAV debug: cli_loadftm: File type signature for HWP3 Document not loaded (required f-level: 82)
LibClamAV debug: /var/lib/clamav/sanesecurity.ftm loaded
LibClamAV debug: /var/lib/clamav/bofhland_phishing_URL.ndb loaded
LibClamAV debug: load_oneyara: successfully loaded YARA.Sanesecurity_Spam_test
LibClamAV debug: load_oneyara: successfully loaded YARA.Sanesecurity_Spam_pornspam
LibClamAV debug: cli_loadyara: loaded 2 of 2 yara signatures from /var/lib/clamav/Sanesecurity_spam.yara
LibClamAV debug: /var/lib/clamav/Sanesecurity_spam.yara loaded
LibClamAV debug: /var/lib/clamav/spamimg.hdb loaded
LibClamAV debug: /var/lib/clamav/winnow_malware_links.ndb loaded
LibClamAV debug: /var/lib/clamav/porcupine.hsb loaded
LibClamAV debug: /var/lib/clamav/blurl.ndb loaded
LibClamAV debug: /var/lib/clamav/porcupine.ndb loaded
LibClamAV debug: /var/lib/clamav/phish.ndb loaded
LibClamAV debug: /var/lib/clamav/bofhland_malware_attach.hdb loaded
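The two checks above (file ownership/permissions in /var/lib/clamav and the "loaded" lines from clamscan --debug) can be automated with the following script. It is an added example, not code from the original post or from the clamav-unofficial-sigs project, and it assumes GNU/busybox stat as found on Debian.

```shell
#!/bin/sh
# Added example, not part of the original post or of clamav-unofficial-sigs:
# post-install checks that the extra databases in /var/lib/clamav are readable
# by clamd and are actually loaded by libclamav.

# Run clamscan against /dev/null so every database gets loaded without scanning
# real files, and keep only the "... loaded" debug lines.
collect_loaded() {
    clamscan --debug /dev/null 2>&1 | grep ' loaded$'
}

# Read clamscan debug output on stdin; print every file in $1 that libclamav did
# not report as loaded. Returns 1 if at least one database is missing.
find_unloaded() {
    dbdir=$1
    loaded=$(cat)
    rc=0
    for f in "$dbdir"/*; do
        name=$(basename "$f")
        case "$name" in
            mirrors.dat|*.info) continue ;;   # bookkeeping files, not signatures
        esac
        if ! printf '%s\n' "$loaded" | grep -q "/$name loaded\$"; then
            echo "$name"
            rc=1
        fi
    done
    return $rc
}

# Print every file in $1 whose owner or mode differ from the expected values
# (clamav and 644 by default, as in the listing above). Returns 1 on any mismatch.
# Assumes GNU/busybox stat, as on Debian.
check_db_perms() {
    dbdir=$1 owner=${2:-clamav} mode=${3:-644}
    rc=0
    for f in "$dbdir"/*; do
        actual=$(stat -c '%U %a' "$f")
        if [ "$actual" != "$owner $mode" ]; then
            echo "$(basename "$f"): $actual"
            rc=1
        fi
    done
    return $rc
}

# Real run (needs clamscan and the database directory):
#   collect_loaded | find_unloaded /var/lib/clamav
#   check_db_perms /var/lib/clamav
```

Both functions print only the offending files and exit non-zero, so they can be dropped into a cron job or monitoring check after each signature update.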

If everything is OK we can finalize the installation by adding the cron job that updates the signatures automatically and the logrotate script:

/usr/local/bin/clamav-unofficial-sigs.sh --install-cron
chmod 755 /etc/cron.d/clamav-unofficial-sigs
/usr/local/bin/clamav-unofficial-sigs.sh --install-logrotate

Perfect, ClamAV now has a much better chance of catching malware in e-mail.