ClamAV Unofficial Signatures Updater

Maintained and provided by https://eXtremeSHOK.com

Description

The clamav-unofficial-sigs script provides a simple way to download, test, and update third-party signature databases provided by Sanesecurity, FOXHOLE, OITC, BOFHLAND, CRDF, Porcupine, Securiteinfo, MalwarePatrol, Yara-Rules Project, urlhaus, MalwareExpert, interServer etc. The script will also generate and install cron, logrotate, and man files.

Automated Testing and Linting

Check out some of our other solutions: https://github.com/extremeshok?tab=repositories

Support / Suggestions / Comments

Please post them on the issue tracker: https://github.com/extremeshok/clamav-unofficial-sigs/issues

Submit Patches / Pull requests to the "dev" Branch

Required Ports / Firewall Exceptions

Supported Operating Systems

Debian, Ubuntu, Raspbian, CentOS (RHEL and clones), OpenBSD, FreeBSD, OpenSUSE, Archlinux, Mac OS X, Slackware, Solaris (Sun OS), pfSense, Zimbra and derivative systems

Quick Install and Upgrade Guide

https://github.com/extremeshok/clamav-unofficial-sigs/tree/master/INSTALL.md

Operating System Specific Install and Upgrade Guides

UPGRADE INSTRUCTIONS (version 7.0 +)

clamav-unofficial-sigs.sh --upgrade
clamav-unofficial-sigs.sh

FOR PACKAGE MAINTAINERS / PACKAGERS

Please use the included os.*.conf sample config file as a base for your os.conf. This will disable automatic updates, update notifications and the uninstallation feature.

https://github.com/extremeshok/clamav-unofficial-sigs/tree/master/config/packaging

Always Run the script once as your superuser to set all the permissions and create the relevant directories

Advanced Config Overrides

Check if signatures are being loaded

Run the following command to display which signatures are being loaded by clamav:

clamscan --debug 2>&1 /dev/null | grep "loaded"
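
The manual check above can be turned into an automated one that names every expected database that was not reported as loaded. This is an added example, not part of clamav-unofficial-sigs; it assumes each loaded database appears in the debug output as a line ending in "<file> loaded", and the sample lines and the example-*.ndb / example-*.yar names are constructed.

```shell
#!/bin/sh
# Added example, not part of clamav-unofficial-sigs.
# Assumption: clamscan --debug reports each database as "<file> loaded".

# stdin: debug output; arguments: expected database file names.
# Prints every expected name that was not reported as loaded and
# returns 1 if any are missing, 0 otherwise.
missing_databases() {
  # Reduce each "... <path> loaded" line to the bare file name.
  md_loaded=$(grep ' loaded$' | sed -e 's/ loaded$//' -e 's|.*[ /]||')
  md_status=0
  for md_db in "$@"; do
    # -F -x: fixed-string, whole-line match, so "info.hdb" does not
    # match "securiteinfo.hdb".
    if ! printf '%s\n' "$md_loaded" | grep -Fxq -- "$md_db"; then
      printf '%s\n' "$md_db"
      md_status=1
    fi
  done
  return "$md_status"
}

# Constructed sample output, not captured from a real run.
sample_debug_output() {
  cat <<'EOF'
LibClamAV debug: Loading databases from /var/lib/clamav
LibClamAV debug: /var/lib/clamav/daily.cld loaded
LibClamAV debug: /var/lib/clamav/securiteinfo.hdb loaded
LibClamAV debug: /var/lib/clamav/example-a.ndb loaded
EOF
}

# Real use:
#   clamscan --debug 2>&1 /dev/null | missing_databases securiteinfo.hdb
sample_debug_output |
  missing_databases securiteinfo.hdb example-a.ndb example-b.yar || true
```

A non-zero exit status makes the function usable from cron or a monitoring check to flag a database that was silently skipped.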

SELinux cron permission fix

WARNING - Clamscan reports ________ database integrity tested BAD - SKIPPING

Run the following command to allow clamav selinux support:

setsebool -P antivirus_can_scan_system true

Yara Rule Support automatically enabled (as of April 2016)

Since the use of yara rules requires clamav 0.100 or above, they will be automatically deactivated if your clamav is older than the required version.

URLhaus Support (as of January 2020)

Usage of free URLhaus Database: https://urlhaus.abuse.ch

Yara-Rules Project Support (as of June 2015, updated January 2020)

Usage of free Yara-Rules Project: http://yararules.com

Current limitations of clamav support: http://blog.clamav.net/search/label/yara

interServer free database support (as of December 2020)

Usage of interServer: http://rbluri.interserver.net

malware.expert non-free database support (as of December 2020)

Usage of Malware Expert: https://www.malware.expert

  1. Sign up for an account: https://www.malware.expert
  2. You will receive an email containing your serial key
  3. Enter the serial key into the config malwareexpert_serial_key: replacing YOUR-SERIAL-KEY with your serial key from the email

MalwarePatrol free/delayed list support (as of May 2015)

Usage of MalwarePatrol 2015 free clamav signatures: https://www.malwarepatrol.net

  1. Sign up for a free account: https://www.malwarepatrol.net/free-guard-upgrade-option/
  2. You will receive an email containing your password/receipt number
  3. Enter the receipt number into the config malwarepatrol_receipt_code: replacing YOUR-RECEIPT-NUMBER with your receipt number from the email

SecuriteInfo Free/Delayed list support (as of June 2015)

Usage of SecuriteInfo 2015 free clamav signatures: https://www.securiteinfo.com

  1. Sign up for a free account: https://www.securiteinfo.com/clients/customers/signup
  2. You will receive an email to activate your account and then a followup email with your login name
  3. Login and navigate to your customer account: https://www.securiteinfo.com/clients/customers/account
  4. Click on the Setup tab
  5. You will need to get your unique identifier from one of the download links, they are individual for every user
    1. The 128 character string is after the http://www.securiteinfo.com/get/signatures/
    2. Example: https://www.securiteinfo.com/get/signatures/your_unique_and_very_long_random_string_of_characters/securiteinfo.hdb
       Your 128 character authorisation signature would be: your_unique_and_very_long_random_string_of_characters
  6. Enter the authorisation signature into the config securiteinfo_authorisation_signature: replacing YOUR-SIGNATURE-NUMBER with your authorisation signature from the link

Linux Malware Detect support (as of May 2015, updated January 2020)

Usage of free Linux Malware Detect clamav signatures: https://www.rfxn.com/projects/linux-malware-detect/

If you want to add, report a missing one or have a problem with a database

Please post on the issue tracker: https://github.com/extremeshok/clamav-unofficial-sigs/issues

USAGE

Usage: clamav-unofficial-sigs.sh   [OPTION] [PATH|FILE]

-c, --config   Use a specific configuration file or directory
  eg: '-c /your/dir' or ' -c /your/file.name'  
  Note: If a directory is specified the directory must contain at least:  
  master.conf, os.conf or user.conf
  Default Directory: /etc/clamav-unofficial-sigs

-F, --force   Force all databases to be downloaded, could cause ip to be blocked

-h, --help   Display this script's help and usage information

-V, --version   Output script version and date information

-v, --verbose   Be verbose, enabled when not run under cron

-s, --silence   Only output error messages, enabled when run under cron

-d, --decode-sig   Decode a third-party signature either by signature name
  (eg: Sanesecurity.Junk.15248) or hexadecimal string.
  This flag will 'NOT' decode image signatures

-e, --encode-string   Hexadecimal encode an entire input string that can
  be used in any '*.ndb' signature database file

-f, --encode-formatted   Hexadecimal encode a formatted input string containing
  signature spacing fields '{}, (), *', without encoding
  the spacing fields, so that the encoded signature
  can be used in any '*.ndb' signature database file

-g, --gpg-verify   GPG verify a specific Sanesecurity database file
  eg: '-g filename.ext' (do not include file path)

-i, --information   Output system and configuration information for
  viewing or possible debugging purposes

-m, --make-database   Make a signature database from an ascii file containing
  data strings, with one data string per line.  Additional
  information is provided when using this flag

-t, --test-database   Clamscan integrity test a specific database file
  eg: '-t filename.ext' (do not include file path)

-o, --output-triggered   If HAM directory scanning is enabled in the script's
  configuration file, then output names of any third-party
  signatures that triggered during the HAM directory scan

-w, --whitelist <signature-name>   Adds a signature whitelist entry in the newer ClamAV IGN2
  format to 'my-whitelist.ign2' in order to temporarily resolve
  a false-positive issue with a specific third-party signature.
  Script added whitelist entries will automatically be removed
  if the original signature is either modified or removed from
  the third-party signature database

--check-clamav   If ClamD status check is enabled and the socket path is correctly
  specified then test to see if clamd is running or not

--upgrade   Upgrades this script and master.conf to the latest available version

--install-all   Install and generate the cron, logrotate and man files, autodetects the values
  based on your config files

--install-cron   Install and generate the cron file, autodetects the values
  based on your config files

--install-logrotate   Install and generate the logrotate file, autodetects the
  values based on your config files

--install-man   Install and generate the man file, autodetects the
  values based on your config files

--remove-script   Remove the clamav-unofficial-sigs script and all of
  its associated files and databases from the system
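
What the --encode-string and --encode-formatted options describe can be sketched in a few lines of POSIX shell. This is an added example, not the script's own implementation; the function names hex_encode and encode_formatted are hypothetical, and it assumes a spacing field is anything of the form '{...}', '(...)' or a single '*'.

```shell
#!/bin/sh
# Added example, not the clamav-unofficial-sigs implementation.

# Hex-encode every byte of the argument (as --encode-string describes).
hex_encode() {
  printf '%s' "$1" | od -An -v -tx1 | tr -d ' \t\n'
}

# Hex-encode a formatted string while copying the spacing fields
# '{...}', '(...)' and '*' through unchanged (as --encode-formatted
# describes). Returns 1 on an unterminated '{' or '('.
encode_formatted() {
  ef_rest=$1
  ef_out=
  ef_specials='[{(*]*'   # glob: from the first '{', '(' or '*' to the end
  ef_rbrace='}'
  ef_rparen=')'
  while [ -n "$ef_rest" ]; do
    case $ef_rest in
      '{'*'}'*) ef_after=${ef_rest#*"$ef_rbrace"} ;;  # ends at first '}'
      '('*')'*) ef_after=${ef_rest#*"$ef_rparen"} ;;  # ends at first ')'
      '*'*)     ef_after=${ef_rest#?} ;;
      '{'*|'('*)
        echo "unterminated spacing field: $ef_rest" >&2
        return 1 ;;
      *)
        # Literal run up to the next spacing field: encode it.
        ef_lit=${ef_rest%%$ef_specials}
        ef_out=$ef_out$(hex_encode "$ef_lit")
        ef_rest=${ef_rest#"$ef_lit"}
        continue ;;
    esac
    ef_out=$ef_out${ef_rest%"$ef_after"}   # copy the field verbatim
    ef_rest=$ef_after
  done
  printf '%s\n' "$ef_out"
}

# Constructed input: literal text mixed with all three field types.
encode_formatted 'abc{5-10}def*(61|62)gh'
```

Alternatives inside '(...)' are passed through untouched, so they must already be hexadecimal when the input string is written.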

Change Log

Version 7.2.5 (20 March 2021)

Version 7.2.4 (17 March 2021)

Version 7.2.3 (17 March 2021)

Version 7.2.2 (20 December 2020)

Version 7.2.1 (13 December 2020)

Version 7.2 (07 December 2020)

Version 7.1 (Not Released)

Version 7.0.1

Version 7.0.0

Version 6.1.1

Version 6.1.0

Version 6.0.1

Version 6.0

Version 5.6.2

Version 5.6.1

Version 5.6

Version 5.4.1

Version 5.4

Version 5.3.2

Version 5.3.1

Version 5.3.0

Version 5.2.2

Version 5.2.1

Version 5.2.0

Version 5.1.1

Version 5.1.0

Version 5.0.6

Version 5.0.5

Version 5.0.4

Version 5.0.3

Version 5.0.2

Version 5.0.1

Version 5.0.0

Version 4.9.3

Version 4.9.2

Version 4.9.1

Version 4.9

Version 4.8

Version 4.7

Version 4.6.1

Version 4.6

Version 4.5.3

Version 4.5.2

Version 4.5.1

Version 4.5.0

Version 4.4.5

Version 4.4.4

Version 4.4.3

Version 4.4.2

Version 4.4.1

Version 4.4.0

Version 4.3.0

Version 4.2.0

Version 4.1.0

Version 4.0.0 (Released 9 May 2015)

Script updates can be found at

https://github.com/extremeshok/clamav-unofficial-sigs