I’ve been wanting to boost anti-virus defences with Sanesecurity signatures for a good while but had concerns about clamav stability. With more recent versions and an influx of badness, I think it’s worth the risk - at least on a 2GB Symbiosis Stretch instance on light duties. I realise that some are philosophically and functionally opposed to running anti-virus on a server and there are certainly risks but so far, so good. YMMV.
With a conservative implementation, using services which are :-
- free, including those via sign-up at securiteinfo (
- categorised with a “LOW” false positive rating (the Sanesecurity/eXtremeSHOK default)
- updated with the default schedule
… scanning exim’s reject* logs shows that detection has risen from 0-1 to around 30.
Sanesecurity.Malware.27571.UNOFFICIAL(00000000000000000000000000000000:522) FOUND
Sanesecurity.Blurl.d8bc71.UNOFFICIAL(00000000000000000000000000000000:333) FOUND
Sanesecurity.Phishing.Fake.Coin.27521.UNOFFICIAL(00000000000000000000000000000000:2696) FOUND
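As an added example (not from the original post), here is a small POSIX shell script that tallies those FOUND lines by signature family so the rise in detections can be tracked over time. The reject-log path and the exact wording of exim's reject line are assumptions; the sample lines are constructed.

```shell
#!/bin/sh
# Added example, not part of the original post: tally ClamAV "FOUND" hits in
# exim's reject logs by signature family, to track how detection changes after
# enabling Sanesecurity/UNOFFICIAL signatures. The log path and the exact
# wording of exim's reject line are assumptions; adjust for your install.

# Read log text on stdin; print "count family" lines, most frequent first.
# The family is the signature name with its (md5:size) suffix, the
# .UNOFFICIAL marker and the trailing per-signature id removed, so
# Sanesecurity.Phishing.Fake.Coin.27521.UNOFFICIAL(...) is counted as
# Sanesecurity.Phishing.Fake.Coin.
found_by_family() {
    awk '{
        for (i = 2; i <= NF; i++) {
            if ($i ~ /^FOUND/) {
                sig = $(i - 1)
                sub(/^\(/, "", sig)              # exim may wrap it in parentheses
                sub(/\(.*$/, "", sig)            # drop "(md5:size)"
                sub(/\.UNOFFICIAL$/, "", sig)    # drop the unofficial marker
                sub(/\.[0-9a-f]+$/, "", sig)     # drop the numeric/hex signature id
                count[sig]++
            }
        }
    } END { for (f in count) print count[f], f }' | sort -rn
}

# Total number of FOUND hits on stdin (prints 0 when there are none).
found_total() {
    awk '/ FOUND/ { n++ } END { print n + 0 }'
}

# Constructed sample reject-log lines (not real traffic); only the signature
# part mirrors the format shown in the post.
SAMPLE_LOG='2018-12-17 11:59:20 1gYn0a-0001Xx-2Z rejected after DATA: Sanesecurity.Malware.27571.UNOFFICIAL(00000000000000000000000000000000:522) FOUND
2018-12-17 12:03:41 1gYn4b-0001Yq-7A rejected after DATA: Sanesecurity.Blurl.d8bc71.UNOFFICIAL(00000000000000000000000000000000:333) FOUND
2018-12-17 12:10:05 1gYnAz-0001Zt-1C rejected after DATA: (Sanesecurity.Phishing.Fake.Coin.27521.UNOFFICIAL(00000000000000000000000000000000:2696) FOUND)
2018-12-17 12:15:30 1gYnFx-0001a1-9D rejected after DATA: Sanesecurity.Phishing.Fake.Coin.27522.UNOFFICIAL(00000000000000000000000000000000:2701) FOUND
2018-12-17 12:20:00 1gYnK9-0001b2-3E rejected RCPT: relay not permitted'

# Run against the sample; on a live box use something like:
#   cat /var/log/exim4/rejectlog* | found_by_family
printf '%s\n' "$SAMPLE_LOG" | found_by_family
printf 'total: %s\n' "$(printf '%s\n' "$SAMPLE_LOG" | found_total)"
```

Rotated logs are usually gzipped, so pipe them through zcat before counting if you want more than the current day.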
To install, follow the instructions for Sanesecurity’s recommended script by eXtremeSHOK. It’s not actively maintained so it’s worth applying the following fix:
(And https://github.com/extremeshok/clamav-unofficial-sigs/pull/210 for a custom config dir).
Optionally, tweak the .conf file database definitions:
### MALWARE.EXPERT https://malware.expert/ # LOW
# MC: *** Set this LOW as per the sanesig website & config layout suggests ***
# malware.expert.hdb|MEDIUM # statics MD5 pattern for files
malware.expert.hdb|LOW # statics MD5 pattern for files
… and add more recent yara updates if you’re running “MEDIUM”+ …
declare -a yararulesproject_dbs=(
### Yara Rules https://github.com/Yara-Rules/rules
[...]
CVE_Rules/CVE-2015-5119.yar|MEDIUM # CVE 2015 5119
# MC: *** assume these newer ones are MEDIUM ***
CVE_Rules/CVE-2016-5195.yar|MEDIUM
CVE_Rules/CVE-2017-11882.yar|MEDIUM
CVE_Rules/CVE-2018-4878.yar|MEDIUM
There appears to be an issue with clamav 0.100+ on stretch which results in the following root email message:
/usr/local/sbin/clamav-unofficial-sigs.sh: line 2747: 18373 Aborted $clamscan_bin --quiet -d "$work_dir_yararulesproject/$db_file" "$work_dir_work_configs/scan-test.txt" 2> /dev/null
Dec 17 11:59:20 Testing updated yararulesproject database file: antidebug_antivm.yar
Dec 17 11:59:20 Clamscan reports yararulesproject antidebug_antivm.yar database integrity tested BAD
Dec 17 11:59:20 Removed invalid database: /var/lib/clamav-unofficial-sigs/dbs-yara/antidebug_antivm.yar
It seems relatively harmless on stretch, currently with clamav 0.100.2, and as yara rules are doing good work I’ve chosen not to disable them.