Enhancing ClamAV with Extra Signatures

We use ClamAV mainly for scanning incoming email for malware and phishing scams. ClamAV comes with a default database usually stored in /var/clamav or /var/lib/clamav . To get up-to-date malware definitions the following sources can be used:

Freshclam
The Freshclam binary should have been installed when you installed clamd and you should have a script /etc/cron.daily/freshclam which runs daily to update the clam definitions. If not, you could run freshclam or add a cronjob with:

/usr/bin/freshclam –quiet –datadir=”/var/clamav” –daemon-notify=”/etc/clamd.conf”

ClamNailer
The definitions from ScamNailer are aimed at stopping Spear Phishing attacks. There are definitions for SpamAssassin and Clam. Set up a cronjob to retrieve the defintion at http://www.mailscanner.eu/scamnailer.ndb There is a download which includes a Perl script for this purpose and you can run it e.g. every 4 hours as follows:

33 1-23/4 * * * /path/to/ClamNailer-1.01.pl > /var/log/clamav-ClamNailer.log

ClamAV Unoffical Sigs
Download the Update script (and config file) from http://sourceforge.net/projects/unofficial-sigs/
Amend the configuration file /etc/clamav-unofficial-sigs.conf and set the ss_dbs variable to include all the sources you want to use (depending on how aggressive you want to be – we had a few false positives in jurlbla.ndb):

ss_dbs=”
   junk.ndb
   jurlbl.ndb
   INetMsg-SpamDomains-2w.ndb
   phish.ndb
   rogue.hdb
   sanesecurity.ftm
   scam.ndb
   spamimg.hdb
   winnow_malware.hdb
   winnow_malware_links.ndb
   lott.ndb
   spam.ldb
   spear.ndb
   winnow_phish_complete.ndb
” 

Then on the final line set:

user_configuration_complete=”yes”

Set up a cronjob to run the script:

/usr/local/bin/clamav-unofficial-sigs.sh -c /etc/clamav-unofficial-sigs.conf > /var/log/clamav-unofficial-sigs.log 2>&1

MSRBL
The MSRBL definitions are probably included in your clamav-unoffical-sigs script but can be run seperately if desired.
The MSRBL definitions can be used by running a shell script like the following, periodically as a cronjob:

#!/bin/bash
# Info at http://www.msrbl.com
PATH_TO_CLAM_DB=/var/clamav
rsync rsync://rsync.mirror.msrbl.com/msrbl/MSRBL-Images-FULL-SoN.hdb $PATH_TO_CLAM_DB/MSRBL-Images-FULL-SoN.hdb
rsync rsync://rsync.mirror.msrbl.com/msrbl/MSRBL-Images-3M-R-SoN.hdb $PATH_TO_CLAM_DB/MSRBL-Images-3M-R-SoN.hdb
rsync rsync://rsync.mirror.msrbl.com/msrbl/MSRBL-Images-1M-R-SoN.hdb $PATH_TO_CLAM_DB/MSRBL-Images-1M-R-SoN.hdb
rsync rsync://rsync.mirror.msrbl.com/msrbl/MSRBL-SPAM-CR.ndb $PATH_TO_CLAM_DB/MSRBL-SPAM-CR.ndb
rsync rsync://rsync.mirror.msrbl.com/msrbl/MSRBL-SPAM.ndb $PATH_TO_CLAM_DB/MSRBL-SPAM.ndb
/etc/init.d/clamd reload

The following example will run this every 3 hours:

18 1-23/3 * * * /path/to/clam-update-MSRBL.sh > /var/log/clam-update-MSRBL.log

Atomic
Atomic Secured Linux offers some 30-day old signatures freely (up-to-date signatures require a subscription)
Create a script to download the database from:

http://downloads.prometheus-group.com/delayed/clamav/clamav/ASL-h.ndb

An example script might be:

#!/bin/bash
cd /var/clamav
wget http://downloads.prometheus-group.com/delayed/clamav/clamav/ASL-h.ndb
/etc/init.d/clamd reload

Then schedule it as a cron job.

40 7 * * * /root/scripts/getAtomicClamDefinition.sh > /var/log/getAtomicClamDefinition.log