Difference between revisions of "Virus:Additional Signatures"

From SME Server
(17 intermediate revisions by 4 users not shown)
Line 1: Line 1:
 +
{{Level|Medium}}
 +
{{Note box|Please note that there now is a contrib for adding additional signatures. Please see [[Clamav_unofficial_sigs]].}}
 +
 
==Anti Virus - Additional Signatures==
 
==Anti Virus - Additional Signatures==
 
===Introduction===
 
===Introduction===
Line 10: Line 13:
  
 
In order to use these additional databases with your ClamAV installation you need to download them and add them to ClamAV. There is a script package from Sane Security which can be used to download and install the databases, and their addition provide 1,000's of new signatures for ClamAV to work with.
 
In order to use these additional databases with your ClamAV installation you need to download them and add them to ClamAV. There is a script package from Sane Security which can be used to download and install the databases, and their addition provide 1,000's of new signatures for ClamAV to work with.
 +
 +
{{Note box|Please be aware that these additional signatures can in rare cases contain false positives causing good emails to be caught. This has only been noticed once in 18 months for some hours though.}}
  
 
===Installation===
 
===Installation===
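Review bot: the false-positive warning would be more actionable with a pointer to the Signature Databases section, which explains that the comments in /etc/clamav-unofficial-sigs.conf rate the false-positive risk of each non-default database and how to drop a database from the download list (and that dropped databases must also be deleted from /var/clamav).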
Line 21: Line 26:
 
  # Copyright (C) 2009 Eric Shubert <ejs@shubes.net>
 
  # Copyright (C) 2009 Eric Shubert <ejs@shubes.net>
 
  ########################################################################
 
  ########################################################################
 +
#  8/23/12 Changed WEB_LOC to sourceforge host
 
  #  4/30/10 Amendments to install on SME Server - commented with SME
 
  #  4/30/10 Amendments to install on SME Server - commented with SME
 
  #  9/25/09 Totally refactored by Eric Shubert <ejs@shubes.net>
 
  #  9/25/09 Totally refactored by Eric Shubert <ejs@shubes.net>
 
  #  3/22/09 Originally Written by Jake Vickers <jake@qmailtoaster.com>
 
  #  3/22/09 Originally Written by Jake Vickers <jake@qmailtoaster.com>
 
  #
 
  #
  WEB_LOC=http://www.inetmsg.com/pub
+
  WEB_LOC=http://sourceforge.net/projects/unofficial-sigs/files/latest/download?source=files
 
  PKG_NAME=clamav-unofficial-sigs
 
  PKG_NAME=clamav-unofficial-sigs
 
  PKG_TGZ=$PKG_NAME.tar.gz
 
  PKG_TGZ=$PKG_NAME.tar.gz
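Review bot: the new WEB_LOC is SourceForge's "latest/download" redirect over plain http, so the installer now fetches whatever tarball is current, unpinned and unverified, and installs the script it contains as root with a cron job; consider pinning a release file and checking a published checksum before the tar -xz step, or at least fetching over https. The version stamp myver=v0.3.1-1 further down is unchanged despite the 8/23/12 changelog entry added here.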
Line 44: Line 50:
 
  # remove files from previous version
 
  # remove files from previous version
 
  # SME - changed cron job from .sh to .cron, added removal of .sh script and redundant dbs
 
  # SME - changed cron job from .sh to .cron, added removal of .sh script and redundant dbs
  rm -rf       /etc/unofficial-clamav-sigs.conf \
+
  rm -rf /etc/unofficial-clamav-sigs.conf \
 
   /etc/cron.hourly/unofficial-clamav-sigs.cron \
 
   /etc/cron.hourly/unofficial-clamav-sigs.cron \
 
   /usr/unofficial-dbs \
 
   /usr/unofficial-dbs \
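Review bot: whitespace-only change, but the same rm -rf list continues with /var/clamav/*.ndb, *.ldb, *.ftm and *.hdb (see the full script below), which deletes any hand-installed third-party database of those types along with the unofficial ones on every re-run of the installer; a comment warning about that, or a narrower pattern, would help.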
Line 69: Line 75:
 
  echo "$me $myver - getting latest version of $PKG_NAME ..."
 
  echo "$me $myver - getting latest version of $PKG_NAME ..."
 
   
 
   
  wget -O $TEMP_DIR/$PKG_TGZ $WEB_LOC/$PKG_TGZ
+
  wget -O $TEMP_DIR/$PKG_TGZ $WEB_LOC
 
   
 
   
 
  if [ "$?" != "0" ]; then
 
  if [ "$?" != "0" ]; then
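Review bot: the error message on the line after this check still reads "unable to reach $WEB_LOC/$PKG_TGZ" (visible in the full script below) while the wget now fetches $WEB_LOC alone, so the message points at a URL that is no longer used; update it to match. Note also that wget -O creates the (empty or partial) $TEMP_DIR/$PKG_TGZ even when the download fails, which is harmless here only because the script exits before tar runs.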
Line 119: Line 125:
 
     > /etc/cron.d/$PKG_NAME-cron
 
     > /etc/cron.d/$PKG_NAME-cron
 
  # SME - added redirect stdout to null device and stderr to stdout so we only get error output from cron job
 
  # SME - added redirect stdout to null device and stderr to stdout so we only get error output from cron job
  echo -e "\n25 * * * * root /usr/sbin/$PKG_NAME.sh -c /etc/$PKG_NAME.conf >/dev/null 2>&1" \
+
  echo -e "\n25 * * * * root /usr/sbin/$PKG_NAME.sh >/dev/null 2>&1" \
 
     >>/etc/cron.d/$PKG_NAME-cron
 
     >>/etc/cron.d/$PKG_NAME-cron
 
   
 
   
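Review bot: the comment says stderr is sent to stdout "so we only get error output from cron job", but >/dev/null 2>&1 first sends stdout to /dev/null and then points stderr at that same /dev/null, so cron mails nothing at all, including download and clamd errors; use plain >/dev/null if error output is wanted. Dropping -c /etc/$PKG_NAME.conf also makes the hourly job depend on the script's built-in default config path being the same place a5_install_files puts the symlink.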
Line 161: Line 167:
  
 
  ./sanesecurity-install.sh
 
  ./sanesecurity-install.sh
 +
 +
{{Note box|The script above uses TCP 873 as its destination port when downloading signature, please ensure that this port is open when your SME server is behind the firewall.}}
  
 
Run the Sane Security script for the first time to download the databases and check it works
 
Run the Sane Security script for the first time to download the databases and check it works
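Review bot: "The script above" is sanesecurity-install.sh, which downloads with wget over http; the TCP 873 (rsync) requirement applies to the clamav-unofficial-sigs.sh updater that the cron job runs to fetch the Sanesecurity signatures, so the note should name that script. Also "downloading signature" should be "downloading signatures".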
Line 173: Line 181:
 
Having installed the Sane Security package as above, it will operate as follows.
 
Having installed the Sane Security package as above, it will operate as follows.
  
* A cron job will run every hour and instigate the ''clamav-unofficial-sigs.sh'' script
+
* A cron job (''/etc/cron.d/clamav-unofficial-sigs-cron'') will run once every hour and instigate the ''/use/sbin/clamav-unofficial-sigs.sh'' script
* The script will download the additional databases and add them to the ''/var/clamav'' directory
+
* The script will read the configuration settings in ''/etc/clamav-unofficial-sigs.conf''
 +
* The additional databases will be downloaded to ''/usr/unofficial_dbs'' and then added to the ''/var/clamav'' directory
 
* ClamAV will reload all its databases from ''/var/clamav'' every 30 minutes by default
 
* ClamAV will reload all its databases from ''/var/clamav'' every 30 minutes by default
 +
 +
All the files (apart from the cron job and downloaded databases) are in ''/opt/sanesecurity'' and soft linked to the main directories.
 +
 +
The ''sanesecurity-install.sh'' script used above can be run again if the Sane Security package of scripts etc is updated. Current version is 3.7 (April 2010). This assumes that nothing significant changes with regard to how the package needs to be installed.
 +
{{Note box|Running ''sanesecurity-install.sh'' again will download the latest Sane Security .tar.gz package and unpack/install it. This will overwrite the existing files, including ''/etc/clamav-unofficial-sigs.conf'' and any manual adjustments you may have made to the list of databases you want to be downloaded}}
 +
 +
===Documentation===
 +
Documentation including a Change Log can be found in ''/opt/sanesecurity/doc'' as well as
 +
 +
man clamav-unofficial-sigs
  
 
===Signature Databases===
 
===Signature Databases===
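Review bot: the new bullet has /use/sbin/clamav-unofficial-sigs.sh, a typo for /usr/sbin/clamav-unofficial-sigs.sh (the path the installer symlinks and the cron job calls), and names the download directory /usr/unofficial_dbs while the installer's cleanup removes /usr/unofficial-dbs; one of the two spellings is wrong and the work_dir setting in the installed conf should decide which.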
Line 185: Line 204:
 
{{Note box|If removing databases from the download lists, don't forget to also delete them from ''/var/clamav'' and ''/usr/unofficial_dbs'' if they have been downloaded previously and exist}}
 
{{Note box|If removing databases from the download lists, don't forget to also delete them from ''/var/clamav'' and ''/usr/unofficial_dbs'' if they have been downloaded previously and exist}}
 
{{Note box | Adding unofficial signatures increases memory usage. To increase the ''clamd'' memory limit try setting ''MemLimit'' to a value greater than 300000000 (see [http://wiki.contribs.org/DB_Variables_Configuration#Clam_AntiVirus_.28clamav.29 here] for reference). Since clamav-0.96 and smeserver-clamav-2.0.0-8 the default ''MemLimit'' for ''clamd'' has been 600000000 and should be sufficient. }}
 
{{Note box | Adding unofficial signatures increases memory usage. To increase the ''clamd'' memory limit try setting ''MemLimit'' to a value greater than 300000000 (see [http://wiki.contribs.org/DB_Variables_Configuration#Clam_AntiVirus_.28clamav.29 here] for reference). Since clamav-0.96 and smeserver-clamav-2.0.0-8 the default ''MemLimit'' for ''clamd'' has been 600000000 and should be sufficient. }}
 +
 +
===Uninstall===
 +
Log in to a console shell as ''root''
 +
 +
Create and edit a new file. Add the following
 +
 +
rm -f /etc/cron.d/clamav-unoffical-sigs-cron
 +
rm -fr /opt/sanesecurity \
 +
  /usr/unofficial-dbs
 +
rm -f /var/log/clamav/unofficial-sigs* \
 +
  /var/clamav/*.ndb \
 +
  /var/clamav/*.ldb \
 +
  /var/clamav/*.ftm \
 +
  /var/clamav/*.hdb
 +
signal-event clamav-update
 +
 +
Save the file as ''sanesecurity-uninstall.sh''
 +
 +
chmod 755 sanesecurity-uninstall.sh
 +
 +
Now run the script. This will delete all the Sane Security package files, downloaded databases and directories
 +
 +
./sanesecurity-uninstall.sh
  
 
===Old Installation Notes===
 
===Old Installation Notes===
A previous installation of the Sane Security scripts was provided for SME by swerts-knudsen.dk, and the installation notes for this are reproduced below for completion. This is for version 2.4 of the scripts however, whereas the current version installed as above is 3.7 (April 2010)
+
A previous installation of the Sane Security scripts was provided for SME by [[User:Knuddi|Jesper Knudsen]] from [http://smeoptimizer.swerts-knudsen.dk/  SME Optimizer], and the installation notes for this are reproduced below for completeness. This is for version 2.4 of the scripts however, whereas the current version installed as above is 3.7 (April 2010)
  
 
''Installation''
 
''Installation''
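Review bot: in the new Uninstall script, rm -f /etc/cron.d/clamav-unoffical-sigs-cron misspells the file the installer writes (/etc/cron.d/$PKG_NAME-cron, i.e. clamav-unofficial-sigs-cron) and, because of -f, fails silently, so the hourly updater keeps running after the "uninstall"; the script also leaves the four symlinks the installer creates (/usr/sbin/clamav-unofficial-sigs.sh, /etc/clamav-unofficial-sigs.conf, /etc/logrotate.d/clamav-unofficial-sigs-logrotate and the man page link) dangling once /opt/sanesecurity is removed. Fix the spelling and add those paths to the rm -f list.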
Line 213: Line 255:
  
 
See also http://forums.contribs.org/index.php/topic,45872.0.html
 
See also http://forums.contribs.org/index.php/topic,45872.0.html
 +
 +
See forum announcement of this Howto for further comments at http://forums.contribs.org/index.php/topic,45915.0.html
  
 
Installation script originally produced by QmailToaster Plus - see http://qtp.qmailtoaster.com
 
Installation script originally produced by QmailToaster Plus - see http://qtp.qmailtoaster.com
  
[[Category:Howto]]
+
----
 +
[[Category:Howto]][[Category:Mail]][[Category:Administration:Content Spam Virus Blocking]][[Category:Security]]

Latest revision as of 08:47, 13 April 2016

Skill level: Medium
The instructions on this page require a basic knowledge of linux.


Note:
Please note that there now is a contrib for adding additional signatures. Please see Clamav_unofficial_sigs.


Anti Virus - Additional Signatures

Introduction

SME Server uses Clam AntiVirus (http://www.clamav.net) as the default and built-in anti virus engine.

By default this system will automatically get virus signature updates from the ClamAV database. Other people and organizations have developed additional signatures which can be used with ClamAV. These include the Sane Security databases described on this page.

In order to use these additional databases with your ClamAV installation you need to download them and add them to ClamAV. There is a script package from Sane Security which can be used to download and install the databases, and their addition provide 1,000's of new signatures for ClamAV to work with.


Note:
Please be aware that these additional signatures can in rare cases contain false positives causing good emails to be caught. This has only been noticed once in 18 months for some hours though.


Installation

Log in to a console shell as root

Create and edit a new file. Add the following

#!/bin/sh
# script to install Bill Landry's <bill at inetmsg dot com> scripts
# for maintaining Sanesecurity signatures for clamav
# Copyright (C) 2009 Eric Shubert <ejs@shubes.net>
########################################################################
#  8/23/12 Changed WEB_LOC to sourceforge host
#  4/30/10 Amendments to install on SME Server - commented with SME
#  9/25/09 Totally refactored by Eric Shubert <ejs@shubes.net>
#  3/22/09 Originally Written by Jake Vickers <jake@qmailtoaster.com>
#
WEB_LOC=http://sourceforge.net/projects/unofficial-sigs/files/latest/download?source=files
PKG_NAME=clamav-unofficial-sigs
PKG_TGZ=$PKG_NAME.tar.gz
# SME = changed variable name throughout and directory name
SANE_DIR=/opt/sanesecurity

########################################################################
# initialization processing
#
a1_initialization(){

# Make sure we're root
if [ "$UID" != "0" ]; then
  echo "Error: You are not logged in as root, please su -"
  exit 1
fi 

# remove files from previous version
# SME - changed cron job from .sh to .cron, added removal of .sh script and redundant dbs
rm -rf /etc/unofficial-clamav-sigs.conf \
 /etc/cron.hourly/unofficial-clamav-sigs.cron \
 /usr/unofficial-dbs \
 /usr/bin/unofficial-clamav-sigs.sh \
 /var/clamav/*.ndb \
 /var/clamav/*.ldb \
 /var/clamav/*.ftm \
 /var/clamav/*.hdb 

# set a temp directory for the tar file: an unpredictable mktemp -d directory, falling back
# to /tmp/$me.$$ ($$ is the current shell ID) only if mktemp is unavailable
TEMP_DIR=$(mktemp -d 2>/dev/null) || TEMP_DIR=/tmp/$me.$$

# make sure the temp directory is deleted when we're done
trap "rm -rf $TEMP_DIR" 0 1 2 5 15
}

###################################################################
## download and unpack current package
#
a3_download_unpack(){

rm -rf $TEMP_DIR
mkdir -p $TEMP_DIR
echo "$me $myver - getting latest version of $PKG_NAME ..."

wget -O $TEMP_DIR/$PKG_TGZ $WEB_LOC

if [ "$?" != "0" ]; then
  echo "$me - unable to reach $WEB_LOC, please try again later."
  exit 1
fi

tar -xz -C $TEMP_DIR -f $TEMP_DIR/$PKG_TGZ
}

###################################################################
## install the package files
#
a5_install_files(){

# SME - Added make directories
mkdir -p $SANE_DIR/bin
mkdir -p $SANE_DIR/etc
mkdir -p $SANE_DIR/man

# install the shell script
cp $TEMP_DIR/$PKG_NAME-*/$PKG_NAME.sh $SANE_DIR/bin/$PKG_NAME.sh
chmod 755 $SANE_DIR/bin/$PKG_NAME.sh
ln -sf ../..$SANE_DIR/bin/$PKG_NAME.sh /usr/sbin/$PKG_NAME.sh

# install the configuration file
# SME - removed substitutions for clamd reload - reload_opt and reload_dbs
# SME - removed substitution to change default dbs download directory
# SME - added substitution to set clamd_socket location
# SME - removed substitution to silence information output - but see cron job below

cat $TEMP_DIR/$PKG_NAME-*/$PKG_NAME.conf | sed \
    -e "s|/var/lib/clamav|/var/clamav|" \
    -e "/#clamd_socket=/aclamd_socket=\"/var/clamav/clamd.socket\"" \
    -e "s|enable_logging=\"no\"|enable_logging=\"yes\"|" \
    -e "s|log_file_path=\"/var/log\"|log_file_path=\"/var/log/clamav\"|" \
    -e "s|log_file_name=\"clamav-unofficial|log_file_name=\"unofficial|" \
    -e "s|configuration_complete=\"no\"|configuration_complete=\"yes\"|" \
    > $SANE_DIR/etc/$PKG_NAME.conf
ln -sf ../..$SANE_DIR/etc/$PKG_NAME.conf /etc/$PKG_NAME.conf

# install the man page
gzip $TEMP_DIR/$PKG_NAME-*/$PKG_NAME.8
cp $TEMP_DIR/$PKG_NAME-*/$PKG_NAME.8.gz $SANE_DIR/man/$PKG_NAME.8.gz
ln -sf ../../../..$SANE_DIR/man/$PKG_NAME.8.gz /usr/share/man/man8/$PKG_NAME.8.gz

# install the cron job (cannot symlink cron jobs)
grep "^#" $TEMP_DIR/$PKG_NAME-*/$PKG_NAME-cron \
    > /etc/cron.d/$PKG_NAME-cron
# SME - added redirect stdout to null device and stderr to stdout so we only get error output from cron job
echo -e "\n25 * * * * root /usr/sbin/$PKG_NAME.sh >/dev/null 2>&1" \
    >>/etc/cron.d/$PKG_NAME-cron

# install the logrotate spec
cat $TEMP_DIR/$PKG_NAME-*/$PKG_NAME-logrotate | sed \
    -e "s|clamav-unofficial|clamav/unofficial|" \
    > $SANE_DIR/etc/$PKG_NAME-logrotate
ln -sf ../..$SANE_DIR/etc/$PKG_NAME-logrotate /etc/logrotate.d/$PKG_NAME-logrotate

# install documentation files
# SME - removed superfluous $PKG_NAME sub-directory below $SANE_DIR/doc
mkdir -p $SANE_DIR/doc
mv $TEMP_DIR/$PKG_NAME-*/CHANGELOG $SANE_DIR/doc/CHANGELOG
mv $TEMP_DIR/$PKG_NAME-*/INSTALL   $SANE_DIR/doc/INSTALL
mv $TEMP_DIR/$PKG_NAME-*/LICENSE   $SANE_DIR/doc/LICENSE
mv $TEMP_DIR/$PKG_NAME-*/README    $SANE_DIR/doc/README
}

###################################################################
## main script execution begins here
#
me=${0##*/}
myver=v0.3.1-1 

a1_initialization

a3_download_unpack

a5_install_files

echo "$PKG_NAME installed successfully"
echo "clamav database files provided by Sanesecurity will be updated within an hour,"
echo " and continuously after that."
exit 0

Save the file as sanesecurity-install.sh

chmod 755 sanesecurity-install.sh

Now run the script. This will download the Sane Security package and install it for SME Server

./sanesecurity-install.sh


Note:
The clamav-unofficial-sigs.sh update script uses TCP 873 (rsync) as its destination port when downloading signatures; please ensure that this port is open when your SME server is behind a firewall. The sanesecurity-install.sh script itself only needs HTTP for its wget download.


Run the Sane Security script for the first time to download the databases and check it works

/usr/sbin/clamav-unofficial-sigs.sh

If you want to immediately reload ClamAV to include the additional databases

signal-event clamav-update

Operation

Having installed the Sane Security package as above, it will operate as follows.

  • A cron job (/etc/cron.d/clamav-unofficial-sigs-cron) will run once every hour and instigate the /usr/sbin/clamav-unofficial-sigs.sh script
  • The script will read the configuration settings in /etc/clamav-unofficial-sigs.conf
  • The additional databases will be downloaded to /usr/unofficial-dbs and then added to the /var/clamav directory
  • ClamAV will reload all its databases from /var/clamav every 30 minutes by default

All the files (apart from the cron job and downloaded databases) are in /opt/sanesecurity and soft linked to the main directories.

The sanesecurity-install.sh script used above can be run again if the Sane Security package of scripts etc is updated. Current version is 3.7 (April 2010). This assumes that nothing significant changes with regard to how the package needs to be installed.

Note:
Running sanesecurity-install.sh again will download the latest Sane Security .tar.gz package and unpack/install it. This will overwrite the existing files, including /etc/clamav-unofficial-sigs.conf and any manual adjustments you may have made to the list of databases you want to be downloaded.


Documentation

Documentation including a Change Log can be found in /opt/sanesecurity/doc as well as

man clamav-unofficial-sigs

Signature Databases

The additional databases to be downloaded and installed by the clamav-unofficial-sigs.sh script are controlled by the configuration file /etc/clamav-unofficial-sigs.conf

A default set of databases are defined for download. There are additional databases that can also be added to the list, or some or all of the defaults can be excluded. The configuration file is commented in this regard and gives an indication of the risk of false positives from the non-default databases.

To amend the databases you require, edit /etc/clamav-unofficial-sigs.conf and add or remove the database names as instructed.

Note:
If removing databases from the download lists, don't forget to also delete them from /var/clamav and /usr/unofficial-dbs if they have been downloaded previously and exist.


Note:
Adding unofficial signatures increases memory usage. To increase the clamd memory limit try setting MemLimit to a value greater than 300000000 (see http://wiki.contribs.org/DB_Variables_Configuration#Clam_AntiVirus_.28clamav.29 for reference). Since clamav-0.96 and smeserver-clamav-2.0.0-8 the default MemLimit for clamd has been 600000000 and should be sufficient.


Uninstall

Log in to a console shell as root

Create and edit a new file. Add the following

#!/bin/sh
# remove the hourly cron job (file name must match the one sanesecurity-install.sh writes)
rm -f /etc/cron.d/clamav-unofficial-sigs-cron
rm -fr /opt/sanesecurity \
  /usr/unofficial-dbs
# remove the symlinks the installer created, which would otherwise be left dangling
rm -f /usr/sbin/clamav-unofficial-sigs.sh \
  /etc/clamav-unofficial-sigs.conf \
  /etc/logrotate.d/clamav-unofficial-sigs-logrotate \
  /usr/share/man/man8/clamav-unofficial-sigs.8.gz
rm -f /var/log/clamav/unofficial-sigs* \
  /var/clamav/*.ndb \
  /var/clamav/*.ldb \
  /var/clamav/*.ftm \
  /var/clamav/*.hdb
# reload clamd so the removed databases drop out of memory
signal-event clamav-update

Save the file as sanesecurity-uninstall.sh

chmod 755 sanesecurity-uninstall.sh

Now run the script. This will delete all the Sane Security package files, downloaded databases and directories

./sanesecurity-uninstall.sh
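The following audit script is an added example (not part of this page's scripts or of the Sane Security package) that checks the layout described under Operation and verifies that an uninstall actually removed everything: dangling symlinks into a deleted /opt/sanesecurity, a cron job left in /etc/cron.d, and unofficial databases still sitting in /var/clamav. The optional root prefix argument ($1) is an assumption added so the script can be run against a staging tree; on the live server run it with no argument.

```shell
#!/bin/sh
# sanesecurity-audit.sh: check the files sanesecurity-install.sh creates and
# sanesecurity-uninstall.sh should remove. $1 is an optional root prefix
# (assumed "" = live system). Exit status is the number of findings (0 = clean).

sanesecurity_audit() {
    root=${1:-}
    problems=0
    # /opt/sanesecurity holds the real files; its presence decides the expected state
    if [ -d "$root/opt/sanesecurity" ]; then state=installed; else state=removed; fi
    echo "sanesecurity state: $state"

    # Symlinks the installer creates into the main directories
    for link in /usr/sbin/clamav-unofficial-sigs.sh \
                /etc/clamav-unofficial-sigs.conf \
                /etc/logrotate.d/clamav-unofficial-sigs-logrotate \
                /usr/share/man/man8/clamav-unofficial-sigs.8.gz; do
        if [ -L "$root$link" ] && [ ! -e "$root$link" ]; then
            echo "DANGLING: $link (points into a removed /opt/sanesecurity)"
            problems=$((problems + 1))
        elif [ "$state" = installed ] && [ ! -e "$root$link" ]; then
            echo "MISSING:  $link"
            problems=$((problems + 1))
        elif [ "$state" = removed ] && [ -e "$root$link" ]; then
            echo "LEFTOVER: $link"
            problems=$((problems + 1))
        fi
    done

    # The hourly cron job; a misspelled rm -f in an uninstall script leaves it behind
    cron="$root/etc/cron.d/clamav-unofficial-sigs-cron"
    if [ "$state" = installed ]; then
        if ! grep -q '/usr/sbin/clamav-unofficial-sigs.sh' "$cron" 2>/dev/null; then
            echo "MISSING:  /etc/cron.d/clamav-unofficial-sigs-cron (no hourly update)"
            problems=$((problems + 1))
        fi
    elif [ -e "$cron" ]; then
        echo "LEFTOVER: /etc/cron.d/clamav-unofficial-sigs-cron (updater still scheduled)"
        problems=$((problems + 1))
    fi

    # Unofficial databases in /var/clamav stay loaded by clamd until deleted and reloaded
    dbs=0
    for db in "$root"/var/clamav/*.ndb "$root"/var/clamav/*.ldb \
              "$root"/var/clamav/*.hdb "$root"/var/clamav/*.ftm; do
        [ -e "$db" ] || continue
        dbs=$((dbs + 1))
        if [ "$state" = removed ]; then
            echo "LEFTOVER: ${db#$root} (run signal-event clamav-update after deleting)"
            problems=$((problems + 1))
        fi
    done
    [ "$state" = installed ] && [ "$dbs" -eq 0 ] && \
        echo "INFO: no unofficial databases in /var/clamav yet (run /usr/sbin/clamav-unofficial-sigs.sh)"

    return "$problems"
}

sanesecurity_audit "$@"
```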

Old Installation Notes

A previous installation of the Sane Security scripts was provided for SME by Jesper Knudsen from SME Optimizer, and the installation notes for this are reproduced below for completeness. This is for version 2.4 of the scripts however, whereas the current version installed as above is 3.7 (April 2010)

Installation

cd /etc
wget http://sme.swerts-knudsen.dk/downloads/unofficial-clamav-sigs-2.4/unofficial-clamav-sigs.conf
cd /etc/cron.hourly
wget http://sme.swerts-knudsen.dk/downloads/unofficial-clamav-sigs-2.4/unofficial-clamav-sigs.cron
chmod +x unofficial-clamav-sigs.cron
cd /usr/bin
wget http://sme.swerts-knudsen.dk/downloads/unofficial-clamav-sigs-2.4/unofficial-clamav-sigs.sh
chmod +x unofficial-clamav-sigs.sh

When you run it manually the first time it will complain about missing GPG keys - Just run it again.

./unofficial-clamav-sigs.sh

ClamAV will by default reload its databases every 1800 secs (30mins) but you can force a reload with:

signal-event email-update

References

See original forum post http://forums.contribs.org/index.php?topic=37861.0

See also http://forums.contribs.org/index.php/topic,45872.0.html

See forum announcement of this Howto for further comments at http://forums.contribs.org/index.php/topic,45915.0.html

Installation script originally produced by QmailToaster Plus - see http://qtp.qmailtoaster.com