Clamav: adding Sanesecurity signatures


#1

I’ve been wanting to boost anti-virus defences with Sanesecurity signatures for a good while but had concerns about clamav stability. With more recent versions and an influx of badness, I think it’s worth the risk - at least on a 2GB Symbiosis Stretch instance on light duties. I realise that some are philosophically and functionally opposed to running anti-virus on a server and there are certainly risks but so far, so good. YMMV. :wink:

With a conservative implementation, using services which are :-

  • free, including those via sign-up at securiteinfo (malwarepatrol_enabled="no")
  • categorised with a “LOW” false positive rating (the Sanesecurity/eXtremeSHOK default)
  • updated with the default schedule

… scanning exim’s reject* logs shows that detection has risen from 0-1 to around 30.

E.g:

Sanesecurity.Malware.27571.UNOFFICIAL(00000000000000000000000000000000:522) FOUND
Sanesecurity.Blurl.d8bc71.UNOFFICIAL(00000000000000000000000000000000:333) FOUND
Sanesecurity.Phishing.Fake.Coin.27521.UNOFFICIAL(00000000000000000000000000000000:2696) FOUND

To install, follow the instructions for Sanesecurity’s recommended script by eXtremeSHOK. It’s not actively maintained so it’s worth applying the following fix:

(And https://github.com/extremeshok/clamav-unofficial-sigs/pull/210 for a custom config dir).

Optionally, tweak the .conf file database definitions:

### MALWARE.EXPERT https://malware.expert/
# LOW
# MC: *** Set this LOW as per the sanesig website & config layout suggests ***
# malware.expert.hdb|MEDIUM     # statics MD5 pattern for files
malware.expert.hdb|LOW         # statics MD5 pattern for files 

… add more recent yara updates if you’re running “MEDIUM”+…

declare -a yararulesproject_dbs=(
### Yara Rules https://github.com/Yara-Rules/rules
[...]
CVE_Rules/CVE-2015-5119.yar|MEDIUM # CVE 2015 5119
# MC: *** assume these newer ones are MEDIUM ***
CVE_Rules/CVE-2016-5195.yar|MEDIUM
CVE_Rules/CVE-2017-11882.yar|MEDIUM
CVE_Rules/CVE-2018-4878.yar|MEDIUM

There appears to be an issue with clamav 0.100+ on stretch which results in the following root email message:

/usr/local/sbin/clamav-unofficial-sigs.sh: line 2747: 18373 Aborted
$clamscan_bin --quiet -d "$work_dir_yararulesproject/$db_file" "$work_dir_work_configs/scan-test.txt" 2> /dev/null

& /var/log/clamav-unofficial-sigs/clamav-unofficial-sigs.log :

Dec 17 11:59:20 Testing updated yararulesproject database file: antidebug_antivm.yar
Dec 17 11:59:20 Clamscan reports yararulesproject antidebug_antivm.yar database integrity tested BAD
Dec 17 11:59:20 Removed invalid database: /var/lib/clamav-unofficial-sigs/dbs-yara/antidebug_antivm.yar

It seems relatively harmless on stretch, currently with clamav 0.100.2, and as yara rules are doing good work I’ve chosen not to disable them.

Good luck!

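The evidence in the post above is the number of FOUND verdicts in exim’s reject logs. The following POSIX shell script is an added example (it is not from the original post, nor from the clamav-unofficial-sigs project) that totals those verdicts, breaks them down per day and per signature family, and separates official ClamAV signatures from the third-party .UNOFFICIAL ones, so the before/after comparison can be repeated after a config change. The embedded log lines are constructed from the three verdicts quoted above plus one made-up official-style signature; the wrapper text exim puts around the verdict and the /var/log/exim4/rejectlog path are assumptions about a Debian exim4 setup.

```shell
#!/bin/sh
# Added example, not part of the original post or of clamav-unofficial-sigs:
# summarise anti-virus rejections recorded in exim's reject logs.
#
# Assumptions: exim logs each rejection on one line whose first field is the
# date and which contains "<signature> FOUND" (the text around the signature
# depends on the local exim configuration); on Debian the files are usually
# /var/log/exim4/rejectlog and its rotated copies (rejectlog.1, ...).

# Print the signature name behind every FOUND verdict in the given files.
# The "(md5:size)" suffix carried by clamav-unofficial-sigs signatures and any
# bracket exim wraps around the name are stripped.
found_signatures() {
    grep -h -- ' FOUND' "$@" 2>/dev/null | awk '
    {
        for (i = 2; i <= NF; i++) {
            if ($i ~ /^FOUND\)?$/) {
                sig = $(i - 1)
                sub(/^\(/, "", sig)   # leading "(" from the exim message text
                sub(/\(.*$/, "", sig) # trailing "(md5:size)" from the verdict
                print sig
            }
        }
    }'
}

# Total number of FOUND verdicts across the given files.
detection_total() {
    found_signatures "$@" | awk 'END { print NR }'
}

# FOUND verdicts per day (first field of each log line), oldest day first.
detections_per_day() {
    grep -h -- ' FOUND' "$@" 2>/dev/null |
        awk '{ c[$1]++ } END { for (d in c) print d, c[d] }' | sort
}

# Verdicts per source and family: "<official|unofficial> <Vendor.Family> <n>".
# The family is the first two dot-separated components of the signature name,
# e.g. Sanesecurity.Phishing; ".UNOFFICIAL" marks a third-party signature.
count_by_family() {
    found_signatures "$@" | awk '
    {
        n = split($0, part, ".")
        src = ($0 ~ /\.UNOFFICIAL$/) ? "unofficial" : "official"
        fam = (n >= 2) ? part[1] "." part[2] : part[1]
        count[src " " fam]++
    }
    END { for (k in count) print k, count[k] }' | sort
}

# Constructed sample reject log: the three verdicts quoted in the post, one
# made-up official-style signature (Win.Trojan.Agent-12345-0 is not a real
# signature name) and one unrelated rejection that must not be counted.
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
2018-12-17 11:59:20 1gYkqZ-0001Ab-2T H=(mail.example.net) [192.0.2.10] F=<bad@example.net> rejected after DATA: This message contains a virus or other harmful content (Sanesecurity.Malware.27571.UNOFFICIAL(00000000000000000000000000000000:522) FOUND)
2018-12-17 12:03:41 1gYkuT-0001Cd-4F H=(mail.example.org) [192.0.2.11] F=<x@example.org> rejected after DATA: This message contains a virus or other harmful content (Sanesecurity.Blurl.d8bc71.UNOFFICIAL(00000000000000000000000000000000:333) FOUND)
2018-12-17 14:20:05 1gYn0P-0002Ef-6G H=(mail.example.com) [192.0.2.12] F=<y@example.com> rejected after DATA: This message contains a virus or other harmful content (Sanesecurity.Phishing.Fake.Coin.27521.UNOFFICIAL(00000000000000000000000000000000:2696) FOUND)
2018-12-18 15:02:59 1gYnfB-0002Gh-8J H=(mail.example.com) [192.0.2.13] F=<z@example.com> rejected after DATA: This message contains a virus or other harmful content (Win.Trojan.Agent-12345-0 FOUND)
2018-12-18 15:10:00 1gYnmA-0002Hk-9L H=(mail.example.net) [192.0.2.14] F=<w@example.net> rejected RCPT <nobody@example.com>: Unrouteable address
EOF

echo "total FOUND verdicts: $(detection_total "$SAMPLE_LOG")"
echo "--- per day"
detections_per_day "$SAMPLE_LOG"
echo "--- per source and family"
count_by_family "$SAMPLE_LOG"
```

Against a live system, source the script and run `detections_per_day /var/log/exim4/rejectlog*` before and after enabling a signature set. Checking that the .UNOFFICIAL families doing the work are the ones rated LOW, and that the per-day total moves in the expected direction, is a cheaper sanity check than reading the reject log by hand.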

#2

Thanks for posting this.

I’ve seen logs for a few ClamAV installs, and the default virus signatures really don’t catch much - a couple of emails a day if you’re lucky. So, my view is that ClamAV isn’t worth having without some additional signatures. My previous place of work, a UK University, did use the SaneSecurity signatures. And we thought it was well worth it - given that we had little control of the client systems that were using our mail server.


#3

Yes, to side-track I’d have said the same about spamassassin’s bayes engine – it’s expensive and ran for years without triggering a score but it started producing shortly after SaneSig went live, when least needed :slight_smile: ! The default autolearning wasn’t working at all here but some recent manual training may have helped.

Yes, all my clients are out of control. :slight_smile: