A lot of malware and viruses slip past amavis/clamav. To add further definitions there is a very useful, well-made script on GitHub, https://github.com/extremeshok/clamav-unofficial-sigs, which lets us pull in several additional signature sets that are freely available on the internet.
Download master.zip from GitHub and install the script and its configuration:

cd /opt
wget https://github.com/extremeshok/clamav-unofficial-sigs/archive/master.zip
unzip master.zip
cd clamav-unofficial-sigs-master/
cp clamav-unofficial-sigs.sh /usr/local/bin/
chmod 755 /usr/local/bin/clamav-unofficial-sigs.sh
mkdir /etc/clamav-unofficial-sigs/
cd config/
cp * /etc/clamav-unofficial-sigs/
mkdir /var/log/clamav-unofficial-sigs/
cd /etc/clamav-unofficial-sigs/
mv os.debian8.conf os.conf
Now edit the file os.conf: comment out clamd_pid="/var/run/clamd.pid" and uncomment clamd_socket="/var/run/clamav/clamd.ctl", then save and close.
Edit user.conf and uncomment the line user_configuration_complete="yes", then save and close.
OK, now you are ready to run it for the first time:

/usr/local/bin/clamav-unofficial-sigs.sh

You will see it download several definition databases, and in /var/lib/clamav you will find all the additional definitions with the correct ownership and permissions:
-rw-r--r-- 1 clamav clamav 47260 mag 13 10:18 antidebug_antivm.yar
-rw-r--r-- 1 clamav clamav 288262 mag 13 09:55 blurl.ndb
-rw-r--r-- 1 clamav clamav 1740 mag 13 09:48 bofhland_cracked_URL.ndb
-rw-r--r-- 1 clamav clamav 99837 mag 13 09:48 bofhland_malware_attach.hdb
-rw-r--r-- 1 clamav clamav 4832 mag 13 09:48 bofhland_malware_URL.ndb
-rw-r--r-- 1 clamav clamav 6216 mag 13 09:48 bofhland_phishing_URL.ndb
-rw-r--r-- 1 clamav clamav 378368 apr 15 21:35 bytecode.cld
-rw-r--r-- 1 clamav clamav 417603 mag 13 09:48 crdfam.clamav.hdb
-rw-r--r-- 1 clamav clamav 10137088 mag 13 08:18 daily.cld
-rw-r--r-- 1 clamav clamav 25780 mag 12 10:53 foxhole_filename.cdb
-rw-r--r-- 1 clamav clamav 44147 mar 25 19:53 foxhole_generic.cdb
-rw-r--r-- 1 clamav clamav 48176 ago 5 2015 hackingteam.hsb
-rw-r--r-- 1 clamav clamav 6595967 mag 11 09:54 junk.ndb
-rw-r--r-- 1 clamav clamav 1687824 mag 13 09:55 jurlbl.ndb
-rw-r--r-- 1 clamav clamav 109143933 mar 29 17:19 main.cvd
-rw-r--r-- 1 clamav clamav 8376 mag 13 10:18 malicious_document.yar
-rw-r--r-- 1 clamav clamav 9460 feb 19 2015 malwarehash.hsb
-rw-r--r-- 1 clamav clamav 1040 mag 13 10:18 mirrors.dat
-rw-r--r-- 1 clamav clamav 3859098 mag 11 21:14 phish.ndb
-rw-r--r-- 1 clamav clamav 5055292 mag 13 09:46 phishtank.ndb
-rw-r--r-- 1 clamav clamav 56820 mag 13 09:46 porcupine.hsb
-rw-r--r-- 1 clamav clamav 298884 mag 13 09:46 porcupine.ndb
-rw-r--r-- 1 clamav clamav 598699 apr 6 03:48 rfxn.hdb
-rw-r--r-- 1 clamav clamav 437666 apr 6 03:48 rfxn.ndb
-rw-r--r-- 1 clamav clamav 3203193 mag 12 16:56 rogue.hdb
-rw-r--r-- 1 clamav clamav 11102 mar 9 09:56 sanesecurity.ftm
-rw-r--r-- 1 clamav clamav 1462 lug 1 2015 Sanesecurity_sigtest.yara
-rw-r--r-- 1 clamav clamav 1233 feb 22 13:21 Sanesecurity_spam.yara
-rw-r--r-- 1 clamav clamav 1881431 apr 21 09:58 scam.ndb
-rw-r--r-- 1 clamav clamav 6679 apr 6 13:55 sigwhitelist.ign2
-rw-r--r-- 1 clamav clamav 199 apr 6 16:55 spamattach.hdb
-rw-r--r-- 1 clamav clamav 671 apr 18 17:57 spamimg.hdb
-rw-r--r-- 1 clamav clamav 526635 mag 12 09:14 winnow.attachments.hdb
-rw-r--r-- 1 clamav clamav 66 mag 12 09:14 winnow_bad_cw.hdb
-rw-r--r-- 1 clamav clamav 107753 mag 12 09:14 winnow_extended_malware.hdb
-rw-r--r-- 1 clamav clamav 165256 mag 12 09:14 winnow_malware.hdb
-rw-r--r-- 1 clamav clamav 632292 mag 12 09:14 winnow_malware_links.ndb
-rw-r--r-- 1 clamav clamav 1584 mag 12 09:14 winnow_malware.yara
Now run this command to check that clamav has actually picked them up (scanning /dev/null forces libclamav to load every database, and --debug makes it report each one):

clamscan --debug /dev/null 2>&1 | grep "loaded"

It should give output like this:
LibClamAV debug: /var/lib/clamav/sigwhitelist.ign2 loaded
LibClamAV debug: daily.info loaded
LibClamAV debug: daily.cfg loaded
LibClamAV debug: daily.idb loaded
LibClamAV debug: daily.pdb loaded
LibClamAV debug: daily.ndb loaded
LibClamAV debug: daily.ign loaded
LibClamAV debug: daily.crb loaded
LibClamAV debug: daily.cdb loaded
LibClamAV debug: daily.ldb loaded
LibClamAV debug: daily.hdb loaded
LibClamAV debug: daily.fp loaded
LibClamAV debug: daily.mdb loaded
LibClamAV debug: daily.wdb loaded
LibClamAV debug: daily.msb loaded
LibClamAV debug: daily.sfp loaded
LibClamAV debug: cli_loadftm: File type signature for HWP embedded OLE2 not loaded (required f-level: 82)
LibClamAV debug: cli_loadftm: File type signature for HWPML Document not loaded (required f-level: 82)
LibClamAV debug: cli_loadftm: File type signature for HWP3 Document not loaded (required f-level: 82)
LibClamAV debug: daily.ftm loaded
LibClamAV debug: daily.ign2 loaded
LibClamAV debug: daily.hsb loaded
LibClamAV debug: /var/lib/clamav/daily.cld loaded
LibClamAV debug: /var/lib/clamav/scam.ndb loaded
LibClamAV debug: bytecode.info loaded
LibClamAV debug: 3986218.cbc loaded
LibClamAV debug: 4306157.cbc loaded
LibClamAV debug: 3986289.cbc loaded
LibClamAV debug: 3986233.cbc loaded
LibClamAV debug: 3986223.cbc loaded
LibClamAV debug: 3986337.cbc loaded
LibClamAV debug: 3986310.cbc loaded
LibClamAV debug: 3986234.cbc loaded
LibClamAV debug: 3986212.cbc loaded
LibClamAV debug: 3986306.cbc loaded
LibClamAV debug: 3986230.cbc loaded
LibClamAV debug: 3986236.cbc loaded
LibClamAV debug: 3986185.cbc loaded
LibClamAV debug: 3986303.cbc loaded
LibClamAV debug: 3986222.cbc loaded
LibClamAV debug: 3986215.cbc loaded
LibClamAV debug: 3986187.cbc loaded
LibClamAV debug: 3986216.cbc loaded
LibClamAV debug: 3986305.cbc loaded
LibClamAV debug: 3986214.cbc loaded
LibClamAV debug: 4306126.cbc loaded
LibClamAV debug: 3986334.cbc loaded
LibClamAV debug: 3986220.cbc loaded
LibClamAV debug: 3986219.cbc loaded
LibClamAV debug: 3986259.cbc loaded
LibClamAV debug: 3986327.cbc loaded
LibClamAV debug: 3986322.cbc loaded
LibClamAV debug: 3986328.cbc loaded
LibClamAV debug: 3986206.cbc loaded
LibClamAV debug: 3986244.cbc loaded
LibClamAV debug: 3986221.cbc loaded
LibClamAV debug: 3986318.cbc loaded
LibClamAV debug: 3986283.cbc loaded
LibClamAV debug: 3986188.cbc loaded
LibClamAV debug: 3986301.cbc loaded
LibClamAV debug: 3986321.cbc loaded
LibClamAV debug: 3986232.cbc loaded
LibClamAV debug: 3986282.cbc loaded
LibClamAV debug: 3986229.cbc loaded
LibClamAV debug: 3986292.cbc loaded
LibClamAV debug: 3986242.cbc loaded
LibClamAV debug: 3986231.cbc loaded
LibClamAV debug: 3986326.cbc loaded
LibClamAV debug: 3986217.cbc loaded
LibClamAV debug: 3986235.cbc loaded
LibClamAV debug: 3986224.cbc loaded
LibClamAV debug: 3986249.cbc loaded
LibClamAV debug: /var/lib/clamav/bytecode.cld loaded
LibClamAV debug: /var/lib/clamav/bofhland_malware_URL.ndb loaded
LibClamAV debug: /var/lib/clamav/foxhole_filename.cdb loaded
LibClamAV debug: /var/lib/clamav/phishtank.ndb loaded
LibClamAV debug: /var/lib/clamav/winnow.attachments.hdb loaded
LibClamAV debug: load_oneyara: successfully loaded YARA.CryptoWall_Resume_phish
LibClamAV debug: load_oneyara: successfully loaded YARA.docx_macro
LibClamAV debug: load_oneyara: successfully loaded YARA.java_JSocket_20151217
LibClamAV debug: cli_loadyara: loaded 3 of 3 yara signatures from /var/lib/clamav/winnow_malware.yara
LibClamAV debug: /var/lib/clamav/winnow_malware.yara loaded
LibClamAV debug: /var/lib/clamav/junk.ndb loaded
LibClamAV debug: /var/lib/clamav/winnow_extended_malware.hdb loaded
LibClamAV debug: /var/lib/clamav/rogue.hdb loaded
LibClamAV debug: /var/lib/clamav/malicious_document.yar loaded
LibClamAV debug: /var/lib/clamav/rfxn.hdb loaded
LibClamAV debug: /var/lib/clamav/bofhland_cracked_URL.ndb loaded
LibClamAV debug: /var/lib/clamav/foxhole_generic.cdb loaded
LibClamAV debug: /var/lib/clamav/rfxn.ndb loaded
LibClamAV debug: /var/lib/clamav/winnow_bad_cw.hdb loaded
LibClamAV debug: /var/lib/clamav/hackingteam.hsb loaded
LibClamAV debug: /var/lib/clamav/spamattach.hdb loaded
LibClamAV debug: /var/lib/clamav/winnow_malware.hdb loaded
LibClamAV debug: /var/lib/clamav/jurlbl.ndb loaded
LibClamAV debug: load_oneyara: successfully loaded YARA.Sanesecurity_TestSig_Type4_Hdr_2
LibClamAV debug: load_oneyara: successfully loaded YARA.Sanesecurity_TestSig_Type3_Bdy_4
LibClamAV debug: load_oneyara: successfully loaded YARA.Sanesecurity_TestSig_Type4_Bdy_3
LibClamAV debug: load_oneyara: successfully loaded YARA.Sanesecurity_PhishingTestSig_1
LibClamAV debug: cli_loadyara: loaded 4 of 4 yara signatures from /var/lib/clamav/Sanesecurity_sigtest.yara
LibClamAV debug: /var/lib/clamav/Sanesecurity_sigtest.yara loaded
LibClamAV debug: /var/lib/clamav/malwarehash.hsb loaded
LibClamAV debug: main.info loaded
LibClamAV debug: main.hdb loaded
LibClamAV debug: main.hsb loaded
LibClamAV debug: main.mdb loaded
LibClamAV debug: main.msb loaded
LibClamAV debug: main.ndb loaded
LibClamAV debug: main.fp loaded
LibClamAV debug: main.sfp loaded
LibClamAV debug: main.crb loaded
LibClamAV debug: /var/lib/clamav/main.cvd loaded
LibClamAV debug: /var/lib/clamav/antidebug_antivm.yar loaded
LibClamAV debug: /var/lib/clamav/crdfam.clamav.hdb loaded
LibClamAV debug: cli_loadftm: File type signature for HWP embedded OLE2 not loaded (required f-level: 82)
LibClamAV debug: cli_loadftm: File type signature for HWPML Document not loaded (required f-level: 82)
LibClamAV debug: cli_loadftm: File type signature for HWP3 Document not loaded (required f-level: 82)
LibClamAV debug: /var/lib/clamav/sanesecurity.ftm loaded
LibClamAV debug: /var/lib/clamav/bofhland_phishing_URL.ndb loaded
LibClamAV debug: load_oneyara: successfully loaded YARA.Sanesecurity_Spam_test
LibClamAV debug: load_oneyara: successfully loaded YARA.Sanesecurity_Spam_pornspam
LibClamAV debug: cli_loadyara: loaded 2 of 2 yara signatures from /var/lib/clamav/Sanesecurity_spam.yara
LibClamAV debug: /var/lib/clamav/Sanesecurity_spam.yara loaded
LibClamAV debug: /var/lib/clamav/spamimg.hdb loaded
LibClamAV debug: /var/lib/clamav/winnow_malware_links.ndb loaded
LibClamAV debug: /var/lib/clamav/porcupine.hsb loaded
LibClamAV debug: /var/lib/clamav/blurl.ndb loaded
LibClamAV debug: /var/lib/clamav/porcupine.ndb loaded
LibClamAV debug: /var/lib/clamav/phish.ndb loaded
LibClamAV debug: /var/lib/clamav/bofhland_malware_attach.hdb loaded
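Eyeballing that output for each of the thirty-odd unofficial databases is error-prone, and a plain grep for "loaded" also matches the "not loaded (required f-level: 82)" diagnostics. As an added example, not part of the original post or of the clamav-unofficial-sigs project, the POSIX shell check below compares the signature files present in a database directory against the saved debug output and lists every database libclamav did not confirm; the database directory and debug log it runs on are constructed samples, and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original post or the clamav-unofficial-sigs script).
# check_loaded DBDIR LOGFILE
#   For each signature database in DBDIR, require the exact line
#   "LibClamAV debug: <full path> loaded" in LOGFILE, which is the saved output
#   of `clamscan --debug /dev/null >LOGFILE 2>&1`. grep -x matches the whole
#   line, so a "... not loaded (required f-level: 82)" warning can never be
#   counted as a success the way a bare `grep loaded` would count it.
#   Prints "NOT LOADED: <file>" per missing database and returns 1 if any.
check_loaded() {
  dbdir=$1; logfile=$2; missing=0
  for f in "$dbdir"/*; do
    case "$f" in
      *.ndb|*.hdb|*.hsb|*.cdb|*.ldb|*.yar|*.yara|*.ign2|*.ftm|*.cvd|*.cld) ;;
      *) continue ;;   # mirrors.dat and similar are not signature databases
    esac
    if ! grep -qxF "LibClamAV debug: $f loaded" "$logfile"; then
      echo "NOT LOADED: ${f##*/}"
      missing=1
    fi
  done
  return $missing
}

# demo: runs check_loaded on a constructed database directory and a constructed
# debug log (not real clamscan output) in which junk.ndb is never reported and
# an HWP3 "not loaded" warning is present. Returns check_loaded's status.
demo() {
  tmp=$(mktemp -d) || return 2
  db="$tmp/clamav"; mkdir "$db"
  : > "$db/main.cvd"; : > "$db/phish.ndb"; : > "$db/junk.ndb"; : > "$db/mirrors.dat"
  cat > "$tmp/debug.log" <<EOF
LibClamAV debug: $db/main.cvd loaded
LibClamAV debug: cli_loadftm: File type signature for HWP3 Document not loaded (required f-level: 82)
LibClamAV debug: $db/phish.ndb loaded
EOF
  if check_loaded "$db" "$tmp/debug.log"; then rc=0; else rc=1; fi
  rm -rf "$tmp"
  return $rc
}

# Real use: clamscan --debug /dev/null >/tmp/clamdebug.log 2>&1
#           check_loaded /var/lib/clamav /tmp/clamdebug.log
```

On a correctly working installation the check prints nothing and exits 0; run it after the first download and again from cron after each update to catch a database that was fetched but rejected by libclamav.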
If everything is OK we can finish the installation by adding the cron job that updates the signatures automatically and the logrotate script:

/usr/local/bin/clamav-unofficial-sigs.sh --install-cron
chmod 755 /etc/cron.d/clamav-unofficial-sigs
/usr/local/bin/clamav-unofficial-sigs.sh --install-logrotate

Done: ClamAV now has a much better chance of catching malware in email.