  1. # This file contains user configuration settings for clamav-unofficial-sigs.sh
  2. ###################
  3. # This is property of eXtremeSHOK.com
  4. # You are free to use, modify and distribute, however you may not remove this notice.
  5. # Copyright (c) Adrian Jon Kriel :: admin@extremeshok.com
  6. ##################
  7. #
  8. # Script updates can be found at: https://github.com/extremeshok/clamav-unofficial-sigs
  9. #
  10. # Originially based on:
  11. # Script provide by Bill Landry (unofficialsigs@gmail.com).
  12. #
  13. # License: BSD (Berkeley Software Distribution)
  14. #
  15. ##################
  16. #
  17. # NOT COMPATIBLE WITH VERSION 3.XX CONFIG
  18. #
  19. ################################################################################
  20.  
  21. # Edit the quoted variables below to meet your own particular needs
  22. # and requirements, but do not remove the "quote" marks.
  23.  
  24. # Set the appropriate ClamD user and group accounts for your system.
  25. # If you do not want the script to set user and group permissions on
  26. # files and directories, comment the next two variables.
  27. # RHEL/CentOS
  28. #clam_user="clam"
  29. #clam_group="clam"
  30.  
  31. # Debian/Ubuntu
  32. clam_user="clamav"
  33. clam_group="clamav"
  34.  
  35. # If you do not want the script to change the file mode of all signature
  36. # database files in the ClamAV working directory to 0644 (-rw-r--r--):
  37. #
  38. # owner: read, write
  39. # group: read
  40. # world: read
  41. #
  42. # as defined in the "clam_dbs" path variable below, then set the following
  43. # "setmode" variable to "no".
  44. setmode="yes"
  45.  
  46. # Set path to ClamAV database files location. If unsure, check
  47. # your clamd.conf file for the "DatabaseDirectory" path setting.
  48. clam_dbs="/var/lib/clamav"
  49.  
  50. # Set path to clamd.pid file (see clamd.conf for path location).
  51. clamd_pid="/var/run/clamav/clamd.pid"
  52. #clamd_pid="/var/run/clamd.pid"
  53.  
  54. # To enable "ham" (non-spam) directory scanning and removal of
  55. # signatures that trigger on ham messages, uncomment the following
  56. # variable and set it to the appropriate ham message directory.
  57. #ham_dir="/var/lib/clamav-unofficial-sigs/ham-test"
  58.  
  59. # If you would like to reload the clamd databases after an update,
  60. # change the following variable to "yes".
  61. reload_dbs="yes"
  62.  
  63. # Top level working directory, script will attempt to create them.
  64. work_dir="/var/lib/clamav-unofficial-sigs" #Top level working directory
  65.  
  66. # Log update information to '$log_file_path/$log_file_name'.
  67. enable_logging="yes"
  68. log_file_path="/var/log/clamav-unofficial-sigs"
  69. log_file_name="clamav-unofficial-sigs.log"
  70.  
  71.  
  72. # =========================
  73. # MalwarePatrol : https://www.malwarepatrol.net
  74. # MalwarePatrol 2015 free clamav signatures
  75. #
  76. # 1. Sign up for a free account : https://www.malwarepatrol.net/signup-free.shtml
  77. # 2. You will recieve an email containing your password/receipt number
  78. # 3. Enter the receipt number into the config: replacing YOUR-RECEIPT-NUMBER with your receipt number from the email
  79.  
  80. #malwarepatrol_receipt_code="YOUR-RECEIPT-NUMBER"
  81. # Set to no to enable the commercial subscription url.
  82. #malwarepatrol_free="yes"
  83.  
  84. # =========================
  85. # SecuriteInfo : https://www.SecuriteInfo.com
  86. # SecuriteInfo 2015 free clamav signatures
  87. #
  88. #Usage of SecuriteInfo 2015 free clamav signatures : https://www.securiteinfo.com
  89. # - 1. Sign up for a free account : https://www.securiteinfo.com/clients/customers/signup
  90. # - 2. You will recieve an email to activate your account and then a followup email with your login name
  91. # - 3. Login and navigate to your customer account : https://www.securiteinfo.com/clients/customers/account
  92. # - 4. Click on the Setup tab
  93. # - 5. You will need to get your unique identifier from one of the download links, they are individual for every user
  94. # - 5.1. The 128 character string is after the http://www.securiteinfo.com/get/signatures/
  95. # - 5.2. Example https://www.securiteinfo.com/get/signatures/your_unique_and_very_long_random_string_of_characters/securiteinfo.hdb
  96. # Your 128 character authorisation signature would be : your_unique_and_very_long_random_string_of_characters
  97. # - 6. Enter the authorisation signature into the config securiteinfo_authorisation_signature: replacing YOUR-SIGNATURE-NUMBER with your authorisation signature from the link
  98.  
  99. securiteinfo_authorisation_signature="YOUR-SIGNATURE-NUMBER"
  100.  
  101. # ========================
  102. # Database provider update time
  103. # ========================
  104. # Since the database files are dynamically created, non default values can cause banning, change with caution
  105.  
  106. securiteinfo_update_hours="4" # Default is 4 hours (6 downloads daily).
  107. linuxmalwaredetect_update_hours="6" # Default is 6 hours (4 downloads daily).
  108. #malwarepatrol_update_hours="24" # Default is 24 hours (1 downloads daily).
  109. yararules_update_hours="24" # Default is 24 hours (1 downloads daily).
  110.  
  111. # ========================
  112. # Enabled Databases
  113. # ========================
  114. # Set to no to disable an entire database.
  115. sanesecurity_enabled="yes" # Sanesecurity
  116. securiteinfo_enabled="yes" # SecuriteInfo
  117. linuxmalwaredetect_enabled="yes" # Linux Malware Detect
  118. malwarepatrol_enabled="no" # Malware Patrol
  119. yararules_enabled="no" # Yara-Rule Project, requires clamAV 0.99+
  120.  
  121. # ========================
  122. # Sanesecurity Database(s)
  123. # ========================
  124. # Add or remove database file names between quote marks as needed. To
  125. # disable usage of any of the Sanesecurity distributed database files
  126. # shown, remove the database file name from the quoted section below.
  127. # Only databases defined as "low" risk have been enabled by default
  128. # for additional information about the database ratings, see:
  129. # http://www.sanesecurity.com/clamav/databases.htm
  130. # Only add signature databases here that are "distributed" by Sanesecuirty
  131. # as defined at the URL shown above. Database distributed by others sources
  132. # (e.g., SecuriteInfo & MalewarePatrol, can be added to other sections of
  133. # this config file below). Finally, make sure that the database names are
  134. # spelled correctly or you will experience issues when the script runs
  135. # (hint: all rsync servers will fail to download signature updates).
  136.  
  137. sanesecurity_dbs=" # BEGIN SANESECURITY DATABASE
  138. ### SANESECURITY http://sanesecurity.com/usage/signatures/
  139. ## REQUIRED, Do NOT disable
  140. sanesecurity.ftm #REQUIRED Message file types, for best performance
  141. sigwhitelist.ign2 #REQUIRED Fast update file to whitelist any problem signatures
  142. ## LOW
  143. junk.ndb #LOW General high hitting junk, containing spam/phishing/lottery/jobs/419s etc
  144. jurlbl.ndb #LOW Junk Url based
  145. phish.ndb #LOW Phishing
  146. rogue.hdb #LOW Malware, Rogue anti-virus software and Fake codecs etc. Updated hourly to cover the latest malware threats
  147. scam.ndb #LOW Spam/scams
  148. spamimg.hdb #LOW Spam images
  149. spamattach.hdb #LOW Spam Spammed attachments such as pdf/doc/rtf/zip
  150. blurl.ndb #LOW Blacklisted full urls over the last 7 days, covering malware/spam/phishing. URLs added only when main signatures have failed to detect but are known to be "bad"
  151. ## MED
  152. #spear.ndb #MED Spear phishing email addresses (autogenerated from data here)
  153. #lott.ndb #MED Lottery
  154. #spam.ldb #MED Spam detected using the new Logical Signature type
  155. #spearl.ndb #MED Spear phishing urls (autogenerated from data here)
  156. #jurlbla.ndb #MED Junk Url based autogenerated from various feeds
  157. #badmacro.ndb #MED Detect dangerous macros
  158.  
  159. ### FOXHOLE http://sanesecurity.com/foxhole-databases/
  160. ## LOW
  161. malwarehash.hsb #LOW Malware hashes without known Size
  162. ## MED
  163. #foxhole_generic.cdb #MED See Foxhole page for more details
  164. #foxhole_filename.cdb #MED See Foxhole page for more details
  165. ## HIGH
  166. #foxhole_all.cdb #HIGH See Foxhole page for more details
  167.  
  168. ### OITC http://www.oitc.com/winnow/clamsigs/index.html
  169. ### Note: the two databases winnow_phish_complete.ndb and winnow_phish_complete_url.ndb should NOT be used together.
  170. # LOW
  171. winnow.attachments.hdb #LOW Spammed attachments such as pdf/doc/rtf/zip
  172. winnow_malware.hdb #LOW Current virus, trojan and other malware not yet detected by ClamAV.
  173. winnow_malware_links.ndb #LOW Links to malware
  174. winnow_extended_malware.hdb #LOW contain hand generated signatures for malware
  175. winnow_bad_cw.hdb #LOW md5 hashes of malware attachments acquired directly from a group of botnets
  176. # MED
  177. #winnow_phish_complete_url.ndb #Med Similar to winnow_phish_complete.ndb except that entire urls are used
  178. #winnow.complex.patterns.ldb #MED contain hand generated signatures for malware and some egregious fraud
  179. #winnow_extended_malware_links.ndb #MED contain hand generated signatures for malware links
  180. #winnow_spam_complete.ndb #MED Signatures to detect fraud and other malicious spam
  181. # HIGH
  182. #winnow_phish_complete.ndb #HIGH Phishing and other malicious urls and compromised hosts **DO NOT USE WITH winnow_phish_complete_url**
  183.  
  184. ### SCAMNAILER http://www.scamnailer.info/
  185. # MED
  186. #scamnailer.ndb #MED Spear phishing and other phishing emails
  187.  
  188. ### BOFHLAND http://clamav.bofhland.org/
  189. # LOW
  190. bofhland_cracked_URL.ndb #LOW Spam URLs
  191. bofhland_malware_URL.ndb #LOW Malware URLs
  192. bofhland_phishing_URL.ndb #LOW Phishing URLs
  193. bofhland_malware_attach.hdb #LOW Malware Hashes
  194.  
  195. ### RockSecurity http://rooksecurity.com/
  196. #LOW
  197. hackingteam.hsb #LOW Hacking Team hashes
  198.  
  199. ### CRDF https://threatcenter.crdf.fr/
  200. # LOW
  201. crdfam.clamav.hdb #LOW List of new threats detected by CRDF Anti Malware
  202.  
  203. ### Porcupine
  204. # LOW
  205. porcupine.ndb #LOW Brazilian e-mail phishing and malware signatures
  206. phishtank.ndb #LOW Online and valid phishing urls from phishtank.com data feed
  207. porcupine.hsb #LOW Sha256 Hashes of VBS and JSE malware, kept for 7 days
  208.  
  209. ### Sanesecurity YARA Format rules
  210. ### Note: Yara signatures require ClamAV 0.99 or newer to work
  211. #Sanesecurity_sigtest.yara #LOW Sanesecurity test signatures
  212. #Sanesecurity_spam.yara #LOW detect spam
  213.  
  214. " # END SANESECURITY DATABASES
  215.  
  216. # ========================
  217. # SecuriteInfo Database(s)
  218. # ========================
  219. # Only active when you set your securiteinfo_authorisation_signature
  220. # Add or remove database file names between quote marks as needed. To
  221. # disable any SecuriteInfo database downloads, remove the appropriate
  222. # lines below.
  223. securiteinfo_dbs="
  224. ### Securiteinfo https://www.securiteinfo.com/services/improve-detection-rate-of-zero-day-malwares-for-clamav.shtml
  225. ## REQUIRED, Do NOT disable
  226. securiteinfo.ign2
  227. # LOW
  228. securiteinfo.hdb #LOW Malwares in the Wild
  229. javascript.ndb #LOW Malwares Javascript
  230. securiteinfohtml.hdb #LOW Malwares HTML
  231. securiteinfoascii.hdb #LOW Text file malwares (Perl or shell scripts, bat files, exploits, ...)
  232. securiteinfopdf.hdb #LOW Malwares PDF
  233. # HIGH
  234. #spam_marketing.ndb #HIGH Spam Marketing / spammer blacklist
  235. " #END SECURITEINFO DATABASES
  236.  
  237. # ========================
  238. # Linux Malware Detect Database(s)
  239. # ========================
  240. # Add or remove database file names between quote marks as needed. To
  241. # disable any SecuriteInfo database downloads, remove the appropriate
  242. # lines below.
  243. linuxmalwaredetect_dbs="
  244. ### Linux Malware Detect https://www.rfxn.com/projects/linux-malware-detect/
  245. # LOW
  246. rfxn.ndb #LOW HEX Malware detection signatures
  247. rfxn.hdb #LOW MD5 malware detection signatures
  248. " #END LINUXMALWAREDETECT DATABASES
  249.  
  250. # =========================
  251. # MalwarePatrol Database
  252. # =========================
  253. # Only active when you set your malwarepatrol_receipt_code
  254. ## REQUIRED, Do NOT disable
  255. malwarepatrol_db="malwarepatrol.db" #LOW URLs containing of Viruses, Trojans, Worms, or Malware
  256.  
  257. # ========================
  258. # Yara Rules Project Database(s)
  259. # ========================
  260. # Add or remove database file names between quote marks as needed. To
  261. # disable any Yara Rule database downloads, remove the appropriate
  262. # lines below.
  263. yararules_dbs="
  264. ### Yara Rules https://github.com/Yara-Rules/rules
  265. #
  266. # Some rules are now in sub-directories. To reference a file in a sub-directory
  267. # use subdir/file
  268. # LOW
  269. antidebug_antivm.yar #LOW anti debug and anti virtualization techniques used by malware
  270. Malicious_Documents/malicious_document.yar #LOW documents with malicious code
  271. # MED
  272. #packer.yar #MED well-known sofware packers
  273. # HIGH
  274. #crypto.yar #HIGH detect the existence of cryptographic algoritms
  275. " #END YARARULES DATABASES
  276.  
  277.  
  278. # =========================
  279. # Additional signature databases
  280. # =========================
  281. # Additional signature databases can be specified here in the following
  282. # format: PROTOCOL://URL-or-IP/PATH/TO/FILE-NAME (use a trailing "/" in
  283. # place of the "FILE-NAME" to download all files from specified location,
  284. # but this *ONLY* works for files downloaded via rsync). For non-rsync
  285. # downloads, curl is used. For download protocols supported by curl, see
  286. # "man curl". This also works well for locations that have many ClamAV
  287. # servers that use 3rd party signature databases, as only one server need
  288. # download the remote databases, and all others can update from the local
  289. # mirrors copy. See format examples below. To use, remove the comments
  290. # and examples shown and add your own sites between the quote marks.
  291. #add_dbs="
  292. # rsync://192.168.1.50/new-db/sigs.hdb
  293. # rsync://rsync.example.com/all-dbs/
  294. # ftp://ftp.example.net/pub/sigs.ndb
  295. # http://www.example.org/sigs.ldb
  296. #" #END ADDITIONAL DATABASES
  297.  
  298.  
  299.  
  300.  
  301. # ==================================================
  302. # ==================================================
  303. # A D V A N C E D O P T I O N S
  304. # ==================================================
  305. # ==================================================
  306.  
  307. # Enable or disable download time randomization. This allows the script to
  308. # be executed via cron, but the actual database file checking will pause
  309. # for a random number of seconds between the "min" and "max" time settings
  310. # specified below. This helps to more evenly distribute load on the host
  311. # download sites. To disable, set the following variable to "no".
  312. enable_random="yes"
  313.  
  314. # If download time randomization is enabled above (enable_random="yes"),
  315. # then set the min and max radomization time intervals (in seconds).
  316. min_sleep_time="60" # Default minimum is 60 seconds (1 minute).
  317. max_sleep_time="600" # Default maximum is 600 seconds (10 minutes).
  318.  
  319. # Set the clamd_restart_opt if the "reload_dbs" variable above is set
  320. # Command to do a full clamd service stop/start
  321. # RHEL/CentOS
  322. #clamd_restart_opt="service clamd restart"
  323. # Debian/Ubuntu
  324. clamd_restart_opt="service clamav-daemon restart"
  325.  
  326. # If running clamd in "LocalSocket" mode (*NOT* in TCP/IP mode), and
  327. # either "SOcket Cat" (socat) or the "IO::Socket::UNIX" perl module
  328. # are installed on the system, and you want to report whether clamd
  329. # is running or not, uncomment the "clamd_socket" variable below (you
  330. # will be warned if neither socat nor IO::Socket::UNIX are found, but
  331. # the script will still run). You will also need to set the correct
  332. # path to your clamd socket file (if unsure of the path, check the
  333. # "LocalSocket" setting in your clamd.conf file for socket location).
  334. #clamd_socket="/tmp/clamd.socket"
  335. #clamd_socket="/var/run/clamd.socket"
  336. # Debian/Ubuntu
  337. clamd_socket="/var/run/clamav/clamd.ctl"
  338.  
  339. # If you would like to attempt to restart ClamD if detected not running,
  340. # uncomment the next 2 lines. Enter the clamd service stop and start command
  341. # for your particular distro for the "start_clamd" "stop_clamd" variables
  342. # (the sample start command shown below should work for most linux distros).
  343. # NOTE: these 2 variables are dependant on the "clamd_socket" variable
  344. # shown above - if not enabled, then the following 2 variables will be
  345. # ignored, whether enabled or not.
  346. #clamd_start="service clamd start"
  347. #clamd_stop="service clamd stop"
  348.  
  349. # Set rsync connection and data transfer timeout limits in seconds.
  350. # The defaults settings here are reasonable, only change if you are
  351. # experiencing timeout issues.
  352. rsync_connect_timeout="30"
  353. rsync_max_time="90"
  354.  
  355. # Set curl connection and data transfer timeout limits in seconds.
  356. # The defaults settings here are reasonable, only change if you are
  357. # experiencing timeout issues.
  358. curl_connect_timeout="30"
  359. curl_max_time="90"
  360.  
  361. # Set working directory paths (edit to meet your own needs). If these
  362. # directories do not exist, the script will attempt to create them.
  363. # Sub-directory names:
  364. sanesecurity_dir="$work_dir/dbs-ss" # Sanesecurity sub-directory
  365. securiteinfo_dir="$work_dir/dbs-si" # SecuriteInfo sub-directory
  366. linuxmalwaredetect_dir="$work_dir/dbs-lmd" # Linux Malware Detect sub-directory
  367. malwarepatrol_dir="$work_dir/dbs-mbl" # MalwarePatrol sub-directory
  368. yararules_dir="$work_dir/dbs-yara" # Yara-Rules sub-directory
  369. config_dir="$work_dir/configs" # Script configs sub-directory
  370. gpg_dir="$work_dir/gpg-key" # Sanesecurity GPG Key sub-directory
  371. add_dir="$work_dir/dbs-add" # User defined databases sub-directory
  372.  
  373. # If you would like to make a backup copy of the current running database
  374. # file before updating, leave the following variable set to "yes" and a
  375. # backup copy of the file will be created in the production directory
  376. # with -bak appended to the file name.
  377. keep_db_backup="no"
  378.  
  379. # If you want to silence the information reported by curl, rsync, gpg
  380. # or the general script comments, change the following variables to
  381. # "yes". If all variables are set to "yes", the script will output
  382. # nothing except error conditions.
  383. silence_ssl="yes" # Default is "yes" ignore ssl errors and warnings
  384. curl_silence="yes" # Default is "no" to report curl statistics
  385. rsync_silence="yes" # Default is "no" to report rsync statistics
  386. gpg_silence="yes" # Default is "no" to report gpg signature status
  387. comment_silence="yes" # Default is "no" to report script comments
  388.  
  389. # If necessary to proxy database downloads, define the rsync and/or curl
  390. # proxy settings here. For rsync, the proxy must support connections to
  391. # port 873. Both curl and rsync proxy setting need to be defined in the
  392. # format of "hostname:port". For curl, also note the -x and -U flags,
  393. # which must be set as "-x hostname:port" and "-U username:password".
  394. rsync_proxy=""
  395. curl_proxy=""
  396.  
  397. # After you have completed the configuration of this file, set the
  398. user_configuration_complete="yes"
  399.  
  400. # ========================
  401. # Database provider URLs, do not edit.
  402. sanesecurity_url="rsync.sanesecurity.net"
  403. sanesecurity_gpg_url="http://www.sanesecurity.net/publickey.gpg"
  404. securiteinfo_url="https://www.securiteinfo.com/get/signatures/"
  405. linuxmalwaredetect_url="http://cdn.rfxn.com/downloads/"
  406. malwarepatrol_free_url="https://lists.malwarepatrol.net/cgi/getfile?product=8&list=clamav_basic"
  407. malwarepatrol_subscription_url="https://lists.malwarepatrol.net/cgi/getfile?product=15&list=clamav_basic"
  408.  
  409. yararules_url="https://raw.githubusercontent.com/Yara-Rules/rules/master/"
  410.  
  411. # ========================
  412. # do not edit
  413. config_version="53"
  414.  
  415. # https://eXtremeSHOK.com ##############################################################