Clamav: adding Sanesecurity signatures


I’ve been wanting to boost anti-virus defences with Sanesecurity signatures for a good while but had concerns about clamav stability. With more recent versions and an influx of badness, I think it’s worth the risk - at least on a 2GB Symbiosis Stretch instance on light duties. I realise that some are philosophically and functionally opposed to running anti-virus on a server and there are certainly risks but so far, so good. YMMV. :wink:

With a conservative implementation, using services which are :-

  • free, including those via sign-up at securiteinfo (malwarepatrol_enabled="no")
  • categorised with a “LOW” false positive rating (the Sanesecurity/eXtremeSHOK default)
  • updated with the default schedule

… scanning exim’s reject* logs shows that detection has risen from 0-1 to around 30.


Sanesecurity.Malware.27571.UNOFFICIAL(00000000000000000000000000000000:522) FOUND
Sanesecurity.Blurl.d8bc71.UNOFFICIAL(00000000000000000000000000000000:333) FOUND
Sanesecurity.Phishing.Fake.Coin.27521.UNOFFICIAL(00000000000000000000000000000000:2696) FOUND

To install, follow the instructions for Sanesecurity’s recommended script by eXtremeSHOK. It’s not actively maintained so it’s worth applying the following fix:

(And for a custom config dir).

Optionally, tweak the .conf file database definitions:

# MC: *** Set this LOW as per the sanesig website & config layout suggests ***
#|MEDIUM     # statics MD5 pattern for files|LOW         # statics MD5 pattern for files 

… add more recent yara updates if you’re running “MEDIUM”+…

declare -a yararulesproject_dbs=(
### Yara Rules
CVE_Rules/CVE-2015-5119.yar|MEDIUM # CVE 2015 5119
# MC: *** assume these newer ones are MEDIUM ***
)

There appears to be an issue with clamav 0.100+ on stretch which results in the following root email message:

/usr/local/sbin/ line 2747: 18373 Aborted
$clamscan_bin --quiet -d "$work_dir_yararulesproject/$db_file" "$work_dir_work_configs/scan-test.txt" 2> /dev/null

& /var/log/clamav-unofficial-sigs/clamav-unofficial-sigs.log :

Dec 17 11:59:20 Testing updated yararulesproject database file: antidebug_antivm.yar
Dec 17 11:59:20 Clamscan reports yararulesproject antidebug_antivm.yar database integrity tested BAD
Dec 17 11:59:20 Removed invalid database: /var/lib/clamav-unofficial-sigs/dbs-yara/antidebug_antivm.yar

It seems relatively harmless on stretch, currently with clamav 0.100.2, and as yara rules are doing good work I’ve chosen not to disable them.

Good luck!
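As an added example, not part of the original post or of the eXtremeSHOK script: a small POSIX shell script that does the reject-log tally described above, separating official ClamAV hits from .UNOFFICIAL ones and summarising them per Sanesecurity family so a rise (or a false-positive-prone family) is easy to spot. The log lines it ships with are constructed, and the exact reject-log wording around the "... FOUND" verdict is an assumption; only the signature format shown in the post is relied on.

```shell
#!/bin/sh
# Added example, not from the original post: tally clamav verdicts in exim reject logs,
# splitting official signatures from third-party ".UNOFFICIAL" ones (Sanesecurity etc.)
# so the effect of the extra databases can be measured over time.
# Assumes the verdict appears in the log in the form the post shows,
# i.e. "<signature>(<hash>:<size>) FOUND"; the sample lines below are constructed.

SAMPLE_LOG='2018-12-17 11:59:20 1gYcOh-0001ab-Cd H=(mx.example.test) [192.0.2.10] rejected after DATA: malware detected (Sanesecurity.Malware.27571.UNOFFICIAL(00000000000000000000000000000000:522) FOUND)
2018-12-17 12:03:41 1gYcSv-0001cd-Ef H=(mx.example.test) [192.0.2.11] rejected after DATA: malware detected (Sanesecurity.Blurl.d8bc71.UNOFFICIAL(00000000000000000000000000000000:333) FOUND)
2018-12-17 12:10:05 1gYcZj-0001ef-Gh H=(mx.example.test) [192.0.2.12] rejected after DATA: malware detected (Sanesecurity.Phishing.Fake.Coin.27521.UNOFFICIAL(00000000000000000000000000000000:2696) FOUND)
2018-12-17 12:15:33 1gYcer-0001gh-Ij H=(mx.example.test) [192.0.2.13] rejected after DATA: malware detected (Sanesecurity.Phishing.Fake.Coin.27533.UNOFFICIAL(00000000000000000000000000000000:2701) FOUND)
2018-12-17 12:20:00 1gYcjz-0001ij-Kl H=(mx.example.test) [192.0.2.14] rejected after DATA: malware detected (Win.Trojan.Agent-123456-0 FOUND)
2018-12-17 12:25:00 H=(mx.example.test) [192.0.2.15] rejected RCPT <nobody@example.test>: relay not permitted'

# count_found LOG: every line carrying a clamav FOUND verdict (official or unofficial)
count_found() {
  printf '%s\n' "$1" | grep -c ' FOUND'
}

# count_unofficial LOG: FOUND verdicts that came from third-party (.UNOFFICIAL) databases
count_unofficial() {
  printf '%s\n' "$1" | grep -c '\.UNOFFICIAL(.*) FOUND'
}

# family_summary LOG: one "count family" line per Sanesecurity family (Blurl, Malware,
# Phishing, ...), sorted by family name, from the UNOFFICIAL verdicts only
family_summary() {
  printf '%s\n' "$1" \
    | sed -n 's/.*(\(Sanesecurity\.[A-Za-z]*\)\..*\.UNOFFICIAL(.*) FOUND.*/\1/p' \
    | sort | uniq -c | awk '{print $1, $2}'
}

# Usage: sh av-hits.sh [/var/log/exim4/rejectlog]; with no argument the sample is used
if [ -n "${1:-}" ]; then LOG=$(cat "$1"); else LOG=$SAMPLE_LOG; fi
echo "clamav rejections: $(count_found "$LOG") total, $(count_unofficial "$LOG") from UNOFFICIAL signatures"
family_summary "$LOG"
```

Run it against the rotated reject logs as well (for example with `cat /var/log/exim4/rejectlog*`) to compare the period before and after the extra databases went live.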


Thanks for posting this.

I’ve seen logs for a few ClamAV installs, and the default virus signatures really don’t catch much - a couple of emails a day if you’re lucky. So, my view is that ClamAV isn’t worth having without some additional signatures. My previous place of work, a UK University, did use the SaneSecurity signatures. And we thought it was well worth it - given that we had little control of the client systems that were using our mail server.


Yes, to side-track I’d have said the same about spamassassin’s bayes engine – it’s expensive and ran for years without triggering a score but it started producing shortly after SaneSig went live, when least needed :slight_smile: ! The default autolearning wasn’t working at all here but some recent manual training may have helped.

Yes, all my clients are out of control. :slight_smile: