Clamav: adding Sanesecurity signatures


I’ve been wanting to boost anti-virus defences with Sanesecurity signatures for a good while but had concerns about clamav stability. With more recent versions and an influx of badness, I think it’s worth the risk - at least on a 2GB Symbiosis Stretch instance on light duties. I realise that some are philosophically and functionally opposed to running anti-virus on a server and there are certainly risks but so far, so good. YMMV. :wink:

With a conservative implementation, using services which are :-

  • free, including those via sign-up at securiteinfo (malwarepatrol_enabled="no")
  • categorised with a “LOW” false positive rating (the Sanesecurity/eXtremeSHOK default)
  • updated with the default schedule

… scanning exim’s reject* logs shows that detection has risen from 0-1 to around 30.


Sanesecurity.Malware.27571.UNOFFICIAL(00000000000000000000000000000000:522) FOUND
Sanesecurity.Blurl.d8bc71.UNOFFICIAL(00000000000000000000000000000000:333) FOUND
Sanesecurity.Phishing.Fake.Coin.27521.UNOFFICIAL(00000000000000000000000000000000:2696) FOUND

To install, follow the instructions for Sanesecurity’s recommended script by eXtremeSHOK. It’s not actively maintained so it’s worth applying the following fix:

(And for a custom config dir).

Optionally, tweak the .conf file database definitions:

# MC: *** Set this LOW as per the sanesig website & config layout suggests ***
#|MEDIUM     # statics MD5 pattern for files|LOW         # statics MD5 pattern for files 

… add more recent yara updates if you’re running “MEDIUM”+…

declare -a yararulesproject_dbs=(
### Yara Rules
CVE_Rules/CVE-2015-5119.yar|MEDIUM # CVE 2015 5119
# MC: *** assume these newer ones are MEDIUM ***

There appears to be an issue with clamav 0.100+ on stretch which results in the following root email message:

/usr/local/sbin/ line 2747: 18373 Aborted
$clamscan_bin --quiet -d "$work_dir_yararulesproject/$db_file" "$work_dir_work_configs/scan-test.txt" 2> /dev/null

& /var/log/clamav-unofficial-sigs/clamav-unofficial-sigs.log :

Dec 17 11:59:20 Testing updated yararulesproject database file: antidebug_antivm.yar
Dec 17 11:59:20 Clamscan reports yararulesproject antidebug_antivm.yar database integrity tested BAD
Dec 17 11:59:20 Removed invalid database: /var/lib/clamav-unofficial-sigs/dbs-yara/antidebug_antivm.yar

It seems relatively harmless on stretch, currently with clamav 0.100.2, and as yara rules are doing good work I’ve chosen not to disable them.

Good luck!
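As an added example, not from the post above and not part of the eXtremeSHOK script, here is a small POSIX shell snippet covering the two things the post does by hand: the "scanning exim's reject* logs" check that showed detections rising, and the per-database clamscan integrity test whose "Aborted" result is shown above. The reject-log lines are constructed samples (the signature names are the ones in the post; hosts and addresses are documentation values), and the exact rejection wording, the log path and the filenames passed to check_db are assumptions.

```shell
#!/bin/sh
# Added example, not part of the post or of clamav-unofficial-sigs.
# 1. Tally which unofficial signature families are rejecting mail, from
#    exim's reject log (pass the path, e.g. /var/log/exim4/rejectlog; the
#    path and the rejection wording are assumptions).
# 2. Load one signature database with clamscan, the way the update script
#    does, and tell a crash (signal) apart from a database that fails to load.

# Rejections caused by third-party (".UNOFFICIAL") signatures.
count_unofficial() {
    grep -c '\.UNOFFICIAL(.*) FOUND' "$1"
}

# Rejections caused by the stock ClamAV signatures.
count_official() {
    grep ' FOUND' "$1" | grep -vc 'UNOFFICIAL'
}

# Signature families (vendor.category) behind the unofficial hits, busiest first.
tally_unofficial() {
    grep -o '[A-Za-z0-9_.-]*\.UNOFFICIAL' "$1" \
        | awk -F. '{ print $1 "." $2 }' \
        | sort | uniq -c | sort -rn
}

# Scan a harmless sample file with just one database loaded. clamscan exits
# 0 for a clean scan, 1 for a match and 2 for an error; a status above 128
# means it was killed by a signal (134 = SIGABRT, the "Aborted" in the post).
# Usage: check_db /var/lib/clamav-unofficial-sigs/dbs-yara/antidebug_antivm.yar scan-test.txt
check_db() {
    db=$1
    sample=$2
    rc=0
    clamscan --quiet -d "$db" "$sample" >/dev/null 2>&1 || rc=$?
    case $rc in
        0|1) echo "OK    $db (loaded, exit $rc)" ;;
        127) echo "SKIP  $db (clamscan not installed)" ;;
        *)   if [ "$rc" -gt 128 ]; then
                 echo "CRASH $db (signal $((rc - 128)))"
             else
                 echo "BAD   $db (clamscan exit $rc)"
             fi ;;
    esac
}

# Constructed reject-log lines for a stand-alone run (not real traffic).
SAMPLE_LOG=$(mktemp)
cat >"$SAMPLE_LOG" <<'EOF'
2018-12-17 11:59:20 H=(mx.example.net) [192.0.2.10] F=<a@example.net> rejected after DATA: This message contains a virus (Sanesecurity.Malware.27571.UNOFFICIAL(00000000000000000000000000000000:522) FOUND).
2018-12-17 12:03:41 H=(mx.example.org) [198.51.100.7] F=<b@example.org> rejected after DATA: This message contains a virus (Sanesecurity.Blurl.d8bc71.UNOFFICIAL(00000000000000000000000000000000:333) FOUND).
2018-12-17 12:10:02 H=(mail.example.com) [203.0.113.5] F=<c@example.com> rejected after DATA: This message contains a virus (Sanesecurity.Phishing.Fake.Coin.27521.UNOFFICIAL(00000000000000000000000000000000:2696) FOUND).
2018-12-17 12:15:30 H=(relay.example.com) [203.0.113.9] F=<d@example.com> rejected after DATA: This message contains a virus (Eicar-Test-Signature FOUND).
2018-12-17 12:18:44 H=(mx2.example.net) [192.0.2.11] F=<e@example.net> rejected after DATA: This message contains a virus (Sanesecurity.Malware.27571.UNOFFICIAL(00000000000000000000000000000000:522) FOUND).
2018-12-17 12:20:11 H=(mx3.example.com) [203.0.113.12] F=<f@example.com> rejected RCPT <nobody@example.invalid>: Unrouteable address
EOF

echo "unofficial: $(count_unofficial "$SAMPLE_LOG")  official: $(count_official "$SAMPLE_LOG")"
tally_unofficial "$SAMPLE_LOG"
```

Point the three counting functions at the real reject log (or `cat reject*log | ...` after rotation) to see whether the extra signatures are earning their keep; run check_db on each file under the script's database directories when a "database integrity tested BAD" line appears, because a CRASH result is a clamscan problem rather than a bad signature file and is worth reporting upstream.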


Thanks for posting this.

I’ve seen logs for a few ClamAV installs, and the default virus signatures really don’t catch much - a couple of emails a day if you’re lucky. So, my view is that ClamAV isn’t worth having without some additional signatures. My previous place of work, a UK University, did use the SaneSecurity signatures. And we thought it was well worth it - given that we had little control of the client systems that were using our mail server.


Yes, to side-track, I’d have said the same about spamassassin’s bayes engine – it’s expensive and ran for years without triggering a score but it started producing shortly after SaneSig went live, when least needed :slight_smile: ! The default autolearning wasn’t working at all here but some recent manual training may have helped.

Yes, all my clients are out of control. :slight_smile:


A late update: it looks like I was wrong about the yara rules clash – an exim paniclog pointed at a memory problem after a few days so I disabled the components and it’s been all-good since.

admin@vm1:~$ /srv/.all-sites/utils/rblinfo

   17 rbl services configured (non-spamhaus might 'tag')
   13 rbl services show log rejection messages

  service                         sites     rejections
--------------------------------------------------------
  …                                  29            620
  …                                  18             79
  …                                  12             62
  …                                  18             50
  …                                  14             25
  …                                  14             13
  …                                  11             12
  …                                  15             11
  …                                  18              7
  …                                  12              7
  …                                  14              3
  …                                   5              2
  …                                  18              1
  …                                  16              0
  …                                  10              0
  …                                   5              0
  …                                   1              0
  TOTAL                               -            892
  spamassassin                       29             24
  clamav                             29             45
  v20180729 : ~0.18s