Clamav: adding Sanesecurity signatures


#1

I’ve been wanting to boost anti-virus defences with Sanesecurity signatures for a good while but had concerns about clamav stability. With more recent versions and an influx of badness, I think it’s worth the risk - at least on a 2GB Symbiosis Stretch instance on light duties. I realise that some are philosophically and functionally opposed to running anti-virus on a server and there are certainly risks but so far, so good. YMMV. :wink:

With a conservative implementation, using services which are:

  • free, including those via sign-up at securiteinfo (malwarepatrol_enabled="no")
  • categorised with a “LOW” false positive rating (the Sanesecurity/eXtremeSHOK default)
  • updated with the default schedule

… scanning exim’s reject* logs shows that detection has risen from 0-1 to around 30.

E.g.:

Sanesecurity.Malware.27571.UNOFFICIAL(00000000000000000000000000000000:522) FOUND
Sanesecurity.Blurl.d8bc71.UNOFFICIAL(00000000000000000000000000000000:333) FOUND
Sanesecurity.Phishing.Fake.Coin.27521.UNOFFICIAL(00000000000000000000000000000000:2696) FOUND

To install, follow the instructions for Sanesecurity’s recommended script by eXtremeSHOK. It’s not actively maintained so it’s worth applying the following fix:

(And https://github.com/extremeshok/clamav-unofficial-sigs/pull/210 for a custom config dir).

Optionally, tweak the .conf file database definitions:

### MALWARE.EXPERT https://malware.expert/
# LOW
# MC: *** Set this LOW as per the sanesig website & config layout suggests ***
# malware.expert.hdb|MEDIUM     # statics MD5 pattern for files
malware.expert.hdb|LOW         # statics MD5 pattern for files 

… add more recent yara updates if you’re running “MEDIUM”+ …

declare -a yararulesproject_dbs=(
### Yara Rules https://github.com/Yara-Rules/rules
[...]
CVE_Rules/CVE-2015-5119.yar|MEDIUM # CVE 2015 5119
# MC: *** assume these newer ones are MEDIUM ***
CVE_Rules/CVE-2016-5195.yar|MEDIUM
CVE_Rules/CVE-2017-11882.yar|MEDIUM
CVE_Rules/CVE-2018-4878.yar|MEDIUM

There appears to be an issue with clamav 0.100+ on stretch which results in the following root email message:

/usr/local/sbin/clamav-unofficial-sigs.sh: line 2747: 18373 Aborted
$clamscan_bin --quiet -d "$work_dir_yararulesproject/$db_file" "$work_dir_work_configs/scan-test.txt" 2> /dev/null

& /var/log/clamav-unofficial-sigs/clamav-unofficial-sigs.log :

Dec 17 11:59:20 Testing updated yararulesproject database file: antidebug_antivm.yar
Dec 17 11:59:20 Clamscan reports yararulesproject antidebug_antivm.yar database integrity tested BAD
Dec 17 11:59:20 Removed invalid database: /var/lib/clamav-unofficial-sigs/dbs-yara/antidebug_antivm.yar

It seems relatively harmless on stretch, currently with clamav 0.100.2, and as yara rules are doing good work I’ve chosen not to disable them.

Good luck!
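The post measures the effect of the extra signatures by scanning exim's reject logs for FOUND lines, and spots the yara integrity failures in clamav-unofficial-sigs.log. As an added example (not the poster's script, nor part of clamav-unofficial-sigs), here is a small Python parser that does both over constructed sample lines: it tallies FOUND verdicts by signature family, reports how many hits came from the unofficial (Sanesecurity-style) signatures versus ClamAV's official ones, and lists which yara databases the updater removed as invalid. The exim line layout, hostnames and addresses in the samples are assumed; only the FOUND strings and the three log lines mirror the ones quoted above.

```python
import re
from collections import Counter

# Constructed sample lines in the style of exim's reject log entries that
# carry a ClamAV verdict. Hosts, addresses and timestamps are made up;
# the first three FOUND strings are the ones quoted in the post.
SAMPLE_REJECT_LOG = """\
2018-12-17 11:58:01 H=(mail.example.net) [192.0.2.10] F=<a@example.net> rejected after DATA: Sanesecurity.Malware.27571.UNOFFICIAL(00000000000000000000000000000000:522) FOUND
2018-12-17 11:58:44 H=(relay.example.org) [198.51.100.7] F=<b@example.org> rejected after DATA: Sanesecurity.Blurl.d8bc71.UNOFFICIAL(00000000000000000000000000000000:333) FOUND
2018-12-17 12:01:10 H=(mx.example.com) [203.0.113.5] F=<c@example.com> rejected after DATA: Sanesecurity.Phishing.Fake.Coin.27521.UNOFFICIAL(00000000000000000000000000000000:2696) FOUND
2018-12-17 12:03:52 H=(mail.example.net) [192.0.2.10] F=<d@example.net> rejected after DATA: Sanesecurity.Malware.27580.UNOFFICIAL(00000000000000000000000000000000:610) FOUND
2018-12-17 12:05:00 H=(mx.example.com) [203.0.113.5] F=<e@example.com> rejected after DATA: Win.Trojan.Agent-1234567-0 FOUND
2018-12-17 12:06:31 H=(spam.example.org) [198.51.100.9] F=<f@example.org> rejected RCPT <x@example.com>: is listed at zen.spamhaus.org
"""

# Constructed sample lines in the style of clamav-unofficial-sigs.log
# (the first three match the post; the GOOD line is assumed).
SAMPLE_SIGS_LOG = """\
Dec 17 11:59:20 Testing updated yararulesproject database file: antidebug_antivm.yar
Dec 17 11:59:20 Clamscan reports yararulesproject antidebug_antivm.yar database integrity tested BAD
Dec 17 11:59:20 Removed invalid database: /var/lib/clamav-unofficial-sigs/dbs-yara/antidebug_antivm.yar
Dec 17 11:59:21 Testing updated yararulesproject database file: CVE-2017-11882.yar
Dec 17 11:59:21 Clamscan reports yararulesproject CVE-2017-11882.yar database integrity tested GOOD
"""

# A ClamAV verdict: signature name, optional "(hash:size)" detail, then FOUND.
FOUND_RE = re.compile(r"(?P<sig>[A-Za-z0-9._-]+)(?:\([^)]*\))? FOUND\b")
# clamav-unofficial-sigs integrity test result and database removal lines.
INTEGRITY_RE = re.compile(
    r"Clamscan reports (?P<proj>\S+) (?P<db>\S+) database integrity tested (?P<verdict>GOOD|BAD)")
REMOVED_RE = re.compile(r"Removed invalid database: (?P<path>\S+)")


def signature_family(sig):
    """Collapse a signature name to its first two labels, e.g.
    'Sanesecurity.Phishing.Fake.Coin.27521.UNOFFICIAL' -> 'Sanesecurity.Phishing',
    'Win.Trojan.Agent-1234567-0' -> 'Win.Trojan'."""
    return ".".join(sig.split(".")[:2])


def found_signatures(log_text):
    """Yield every signature name that produced a FOUND verdict, in log order."""
    for line in log_text.splitlines():
        m = FOUND_RE.search(line)
        if m:
            yield m.group("sig")


def count_found(log_text):
    """Counter of signature family -> number of FOUND verdicts."""
    return Counter(signature_family(sig) for sig in found_signatures(log_text))


def unofficial_hits(log_text):
    """(hits from *.UNOFFICIAL signatures, total hits) - shows how much the
    third-party databases add on top of ClamAV's official ones."""
    sigs = list(found_signatures(log_text))
    return sum(1 for s in sigs if s.endswith(".UNOFFICIAL")), len(sigs)


def integrity_results(log_text):
    """Dict of database file -> 'GOOD' or 'BAD' from the updater's self-test."""
    results = {}
    for line in log_text.splitlines():
        m = INTEGRITY_RE.search(line)
        if m:
            results[m.group("db")] = m.group("verdict")
    return results


def removed_databases(log_text):
    """Paths the updater deleted after a failed integrity test."""
    return [m.group("path") for m in map(REMOVED_RE.search, log_text.splitlines()) if m]


if __name__ == "__main__":
    for family, hits in count_found(SAMPLE_REJECT_LOG).most_common():
        print(f"{family:<24} {hits}")
    unofficial, total = unofficial_hits(SAMPLE_REJECT_LOG)
    print(f"unofficial signatures: {unofficial}/{total} hits")
    for db, verdict in integrity_results(SAMPLE_SIGS_LOG).items():
        print(f"{db:<24} {verdict}")
    print("removed:", removed_databases(SAMPLE_SIGS_LOG))
```

On a live box you would feed it `open("/var/log/exim4/rejectlog").read()` and the unofficial-sigs log instead of the constructed strings; a non-empty `removed_databases()` result is the thing to alert on, since it means a yara database was silently dropped rather than loaded.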


#2

Thanks for posting this.

I’ve seen logs for a few ClamAV installs, and the default virus signatures really don’t catch much - a couple of emails a day if you’re lucky. So, my view is that ClamAV isn’t worth having without some additional signatures. My previous place of work, a UK University, did use the SaneSecurity signatures. And we thought it was well worth it - given that we had little control of the client systems that were using our mail server.


#3

Yes, to side-track I’d have said the same about spamassassin’s bayes engine – it’s expensive and ran for years without triggering a score but it started producing shortly after SaneSig went live, when least needed :slight_smile: ! The default autolearning wasn’t working at all here but some recent manual training may have helped.

Yes, all my clients are out of control. :slight_smile:


#4

A late update: it looks like I was wrong about the yara rules clash – an exim paniclog pointed at a memory problem after a few days so I disabled the components and it’s been all-good since.

admin@vm1:~$ /srv/.all-sites/utils/rblinfo

   17 rbl services configured (non-spamhaus might 'tag')
   13 rbl services show log rejection messages

  service                         sites     rejections
--------------------------------------------------------
  zen.spamhaus.org                   29            620
  truncate.gbudb.net                 18             79
  all.s5h.net                        12             62
  b.barracudacentral.org             18             50
  ubl.unsubscore.com                 14             25
  all.bl.blocklist.de                14             13
  all.spamrats.com                   11             12
  hostkarma.junkemailfilter.com      15             11
  dbl.spamhaus.org                   18              7
  dnsbl.dronebl.org                  12              7
  bl.spamcop.net                     14              3
  dyna.spamrats.com                   5              2
  multi.uribl.com                    18              1
  bl.mailspike.net                   16              0
  rhsbl.sorbs.net                    10              0
  noptr.spamrats.com                  5              0
  dnsbl.sorbs.net                     1              0
  TOTAL                               -            892
--------------------------------------------------------
  spamassassin                       29             24
  clamav                             29             45
--------------------------------------------------------
  v20180729 : ~0.18s