# This file contains master configuration settings for clamav-unofficial-sigs.sh
|
|
################################################################################
|
|
# This is property of eXtremeSHOK.com
|
|
# You are free to use, modify and distribute, however you may not remove this notice.
|
|
# Copyright (c) Adrian Jon Kriel :: admin@extremeshok.com
|
|
# License: BSD (Berkeley Software Distribution)
|
|
################################################################################
|
|
#
|
|
# DO NOT EDIT THIS FILE !! DO NOT EDIT THIS FILE !! DO NOT EDIT THIS FILE !!
|
|
#
|
|
################################################################################
|
|
#
|
|
# SET YOUR CUSTOM OPTIONS AND SETTINGS IN THE user.conf
|
|
#
|
|
# os.conf (os.***.conf) AND user.conf OVERRIDES THE OPTIONS IN THIS FILE
|
|
#
|
|
################################################################################
|
|
|
|
# Edit the quoted variables below to meet your own particular needs
|
|
# and requirements, but do not remove the "quote" marks.
|
|
|
|
# Set the appropriate ClamD user and group accounts for your system.
|
|
# If you do not want the script to set user and group permissions on
|
|
# files and directories, comment the next two variables.
|
|
#clam_user="clamav"
|
|
#clam_group="clamav"
|
|
|
|
# If you do not want the script to change the file mode of all signature
|
|
# database files in the ClamAV working directory to 0644 (-rw-r--r--):
|
|
#
|
|
# owner: read, write
|
|
# group: read
|
|
# world: read
|
|
#
|
|
# as defined in the "clam_dbs" path variable below, then set the following
|
|
# "setmode" variable to "no".
|
|
setmode="yes"
|
|
|
|
# Set path to ClamAV database files location. If unsure, check
|
|
# your clamd.conf file for the "DatabaseDirectory" path setting.
|
|
clam_dbs="/var/lib/clamav"
|
|
|
|
# Set path to clamd.pid file (see clamd.conf for path location).
|
|
clamd_pid="/var/run/clamav/clamd.pid"
|
|
|
|
# To enable "ham" (non-spam) directory scanning and removal of
|
|
# signatures that trigger on ham messages, uncomment the following
|
|
# variable and set it to the appropriate ham message directory.
|
|
#ham_dir="/var/lib/clamav-unofficial-sigs/ham-test"
|
|
|
|
# If you would like to reload the clamd databases after an update,
|
|
# change the following variable to "yes".
|
|
reload_dbs="yes"
|
|
|
|
# Custom Command to do a full clamd reload, this is only used when reload_dbs is enabled
|
|
clamd_reload_opt="clamdscan --reload"
|
|
|
|
# Top level working directory, script will attempt to create them.
|
|
work_dir="/var/lib/clamav-unofficial-sigs" #Top level working directory
|
|
|
|
# Log update information to '$log_file_path/$log_file_name'.
|
|
logging_enabled="yes"
|
|
log_file_path="/var/log/clamav-unofficial-sigs"
|
|
log_file_name="clamav-unofficial-sigs.log"
|
|
## Use a program to log messages
|
|
#log_pipe_cmd="/usr/bin/logger -it 'clamav-unofficial-sigs'"
|
|
|
|
|
|
# =========================
|
|
# MalwarePatrol : https://www.malwarepatrol.net
|
|
# MalwarePatrol 2016 (free) clamav signatures
|
|
#
|
|
# 1. Sign up for an account : https://www.malwarepatrol.net/free-guard-upgrade-option/
|
|
# 2. You will receive an email containing your password/receipt number
|
|
# 3. Login to your account at malwarePatrol
|
|
# 4. In the My Account page, choose the ClamAV list you will download. Free subscribers only get ClamAV Basic, commercial subscribers have access to ClamAV Extended. Do not use the aggressive lists.
|
|
# 5. In the download URL, you will see 3 parameters: receipt, product and list, enter them in the variables below.
|
|
|
|
malwarepatrol_receipt_code="YOUR-RECEIPT-NUMBER"
|
|
malwarepatrol_product_code="8"
|
|
malwarepatrol_list="clamav_basic" # clamav_basic or clamav_ext
|
|
# If malwarepatrol_product_code is not 8, malwarepatrol_free is forced to "no" (non-free).
# Set to "no" to use the commercial subscription URL.
|
|
malwarepatrol_free="yes"
|
|
malwarepatrol_db="malwarepatrol.db"
|
|
|
|
|
|
# =========================
|
|
# Malware Expert : https://malware.expert
|
|
# Malware Expert 2020 (non-free) clamav signatures
|
|
malwareexpert_serial_key="YOUR-SERIAL-KEY"
|
|
|
|
# =========================
|
|
# SecuriteInfo : https://www.SecuriteInfo.com
|
|
# SecuriteInfo 2015 free clamav signatures
|
|
#
|
|
# Usage of SecuriteInfo 2015 free clamav signatures : https://www.securiteinfo.com
|
|
# - 1. Sign up for a free account : https://www.securiteinfo.com/clients/customers/signup
|
|
# - 2. You will receive an email to activate your account and then a follow-up email with your login name
|
|
# - 3. Login and navigate to your customer account : https://www.securiteinfo.com/clients/customers/account
|
|
# - 4. Click on the Setup tab
|
|
# - 5. You will need to get your unique identifier from one of the download links, they are individual for every user
|
|
# - 5.1. The 128 character string is after the http://www.securiteinfo.com/get/signatures/
|
|
# - 5.2. Example https://www.securiteinfo.com/get/signatures/your_unique_and_very_long_random_string_of_characters/securiteinfo.hdb
|
|
# Your 128 character authorisation signature would be : your_unique_and_very_long_random_string_of_characters
|
|
# - 6. Enter the authorisation signature into the config securiteinfo_authorisation_signature: replacing YOUR-SIGNATURE-NUMBER with your authorisation signature from the link
|
|
|
|
securiteinfo_authorisation_signature="YOUR-SIGNATURE-NUMBER"
|
|
# Enable if you have a commercial/premium/non-free subscription
|
|
securiteinfo_premium="no"
|
|
|
|
|
|
# ========================
|
|
# Database provider update time
|
|
# ========================
|
|
# Since the database files are dynamically created on the provider side, non-default values can cause banning; change with caution.
additional_update_hours="4" # Default is 4 hours (6 downloads daily).
interserver_update_hours="1" # Default is 2 hours (12 downloads daily). NOTE(review): value is 1 but this comment states 2 - confirm which is intended
linuxmalwaredetect_update_hours="6" # Default is 6 hours (4 downloads daily).
malwareexpert_update_hours="2" # Default is 2 hours (12 downloads daily).
malwarepatrol_update_hours="24" # Default is 24 hours (1 download daily).
sanesecurity_update_hours="2" # Default is 2 hours (12 downloads daily).
securiteinfo_premium_update_hours="1" # Default is 1 hour (24 downloads daily).
securiteinfo_update_hours="4" # Default is 4 hours (6 downloads daily).
urlhaus_update_hours="1" # Default is 1 hour (24 downloads daily).
yararulesproject_update_hours="24" # Default is 24 hours (1 download daily).
|
|
|
|
# ========================
|
|
# Enabled Databases
|
|
# ========================
|
|
# Set to no to disable an entire database, if the database is empty it will also be disabled.
|
|
additional_enabled="yes" # Additional Databases
|
|
interserver_enabled="yes" # interServer
|
|
linuxmalwaredetect_enabled="yes" # Linux Malware Detect
|
|
malwareexpert_enabled="yes" # Malware Expert
|
|
malwarepatrol_enabled="yes" # Malware Patrol
|
|
sanesecurity_enabled="yes" # Sanesecurity
|
|
securiteinfo_enabled="yes" # SecuriteInfo
|
|
urlhaus_enabled="yes" # urlhaus
|
|
yararulesproject_enabled="yes" # Yara-Rule Project, automatically disabled if clamav is older than 0.100 and enable_yararules is disabled
|
|
|
|
# Enabled by default in this file (override in user.conf)
## Enabling this will also cause the yararulesproject databases to be enabled if they are set to enabled.
enable_yararules="yes" #Enables yararules in the various databases, automatically disabled if clamav is older than 0.100
|
|
|
|
# ========================
|
|
# eXtremeSHOK Database format
|
|
# ========================
|
|
# The new and old database formats are supported for backwards compatibility
|
|
#
|
|
# New Format Usage:
|
|
# declare -a new_example_dbs=(
|
|
# file.name|RATING #description
|
|
# )
|
|
#
|
|
# Rating (False Positive Rating)
|
|
# valid ratings:
|
|
# REQUIRED : always used
|
|
# LOW : used when the rating is low, medium and high
|
|
# MEDIUM : used when the rating is medium and high
|
|
# HIGH : used when the rating is high
|
|
# LOWONLY : used only when the rating is low
|
|
# MEDIUMONLY : used only when the rating is medium
|
|
# LOWMEDIUMONLY : used only when the rating is medium or low
|
|
# DISABLED : never used, will automatically remove the present file
|
|
#
|
|
# Old Format is still supported, requiring you to comment out files to disable them
|
|
# old_example_dbs="
|
|
# file.name #LOW description
|
|
# "
|
|
|
|
# Default dbs rating
|
|
# valid rating: LOW, MEDIUM, HIGH, DISABLE
|
|
default_dbs_rating="MEDIUM"
|
|
|
|
# Per Database
|
|
# These ratings will override the global rating for the specific database
|
|
# valid ratings: LOW | MEDIUM | HIGH | DISABLE
|
|
#linuxmalwaredetect_dbs_rating=""
|
|
#sanesecurity_dbs_rating=""
|
|
#securiteinfo_dbs_rating=""
|
|
#urlhaus_dbs_rating=""
|
|
#yararulesproject_dbs_rating=""
|
|
|
|
# ========================
|
|
# Sanesecurity Database(s)
|
|
# ========================
|
|
# Add or remove database file names between quote marks as needed. To
|
|
# disable usage of any of the Sanesecurity distributed database files
|
|
# shown, remove the database file name from the quoted section below.
|
|
# Only databases defined as "low" risk have been enabled by default
|
|
# for additional information about the database ratings, see:
|
|
# http://www.sanesecurity.com/clamav/databases.htm
|
|
# Only add signature databases here that are "distributed" by Sanesecurity
# as defined at the URL shown above. Databases distributed by other sources
# (e.g., SecuriteInfo & MalwarePatrol) can be added to other sections of
# this config file below. Finally, make sure that the database names are
# spelled correctly or you will experience issues when the script runs
# (hint: all rsync servers will fail to download signature updates).
|
|
|
|
declare -a sanesecurity_dbs=( # BEGIN SANESECURITY DATABASE
|
|
### SANESECURITY http://sanesecurity.com/usage/signatures/
|
|
## REQUIRED, Do NOT disable
|
|
sanesecurity.ftm|REQUIRED # Message file types, for best performance
|
|
sigwhitelist.ign2|REQUIRED # Fast update file to whitelist any problem signatures
|
|
# LOW
|
|
blurl.ndb|LOW # Blacklisted full urls over the last 7 days, covering malware/spam/phishing. URLs added only when main signatures have failed to detect but are known to be "bad"
|
|
junk.ndb|LOW # General high hitting junk, containing spam/phishing/lottery/jobs/419s etc
|
|
jurlbl.ndb|LOW # Junk Url based
|
|
malwarehash.hsb|LOW # Malware hashes without known Size
|
|
phish.ndb|LOW # Phishing and Malware
|
|
rogue.hdb|LOW # Malware, Rogue anti-virus software and Fake codecs etc. Updated hourly to cover the latest malware threats
|
|
scam.ndb|LOW # Spam/scams
|
|
spamattach.hdb|LOW # Spam Spammed attachments such as pdf/doc/rtf/zips
|
|
spamimg.hdb|LOW # Spam images
|
|
# MEDIUM
|
|
badmacro.ndb|MEDIUM # Blocks dangerous macros embedded in Word/Excel/Xml/RTF/JS documents
|
|
jurlbla.ndb|MEDIUM # Junk Url based autogenerated from various feeds
|
|
lott.ndb|MEDIUM # Lottery
|
|
shelter.ldb|MEDIUM # Phishing and Malware
|
|
spam.ldb|MEDIUM # Spam detected using the new Logical Signature type
|
|
spear.ndb|MEDIUM # Spear phishing email addresses (autogenerated from data here)
|
|
spearl.ndb|MEDIUM # Spear phishing urls (autogenerated from data here)
|
|
|
|
### FOXHOLE http://sanesecurity.com/foxhole-databases/
|
|
# LOW
|
|
foxhole_filename.cdb|LOW # See Foxhole page for more details
|
|
foxhole_generic.cdb|LOW # See Foxhole page for more details
|
|
# MEDIUM
|
|
foxhole_js.cdb|MEDIUM # See Foxhole page for more details
|
|
foxhole_js.ndb|MEDIUM # See Foxhole page for more details
|
|
# HIGH
|
|
foxhole_all.cdb|HIGH # See Foxhole page for more details
|
|
foxhole_all.ndb|HIGH # See Foxhole page for more details
|
|
foxhole_mail.cdb|HIGH # block any mail that contains a possible dangerous attachments such as: js, jse, exe, bat, com, scr, uue, ace, pif, jar, gz, lnk, lzh.
|
|
|
|
### OITC http://www.oitc.com/winnow/clamsigs/index.html
|
|
### Note: the two databases winnow_phish_complete.ndb and winnow_phish_complete_url.ndb should NOT be used together.
|
|
# LOW
|
|
winnow_bad_cw.hdb|LOW # md5 hashes of malware attachments acquired directly from a group of botnets
|
|
winnow_extended_malware.hdb|LOW # contain hand generated signatures for malware
|
|
winnow_malware_links.ndb|LOW # Links to malware
|
|
winnow_malware.hdb|LOW # Current virus, trojan and other malware not yet detected by ClamAV.
|
|
winnow_phish_complete_url.ndb|LOWMEDIUMONLY # Similar to winnow_phish_complete.ndb except that entire urls are used
|
|
winnow.attachments.hdb|LOW # Spammed attachments such as pdf/doc/rtf/zip as well as malware crypted configs
|
|
# MEDIUM
|
|
winnow_extended_malware_links.ndb|MEDIUM # contain hand generated signatures for malware links
|
|
winnow_spam_complete.ndb|MEDIUM # Signatures to detect fraud and other malicious spam
|
|
winnow.complex.patterns.ldb|MEDIUM # contain hand generated signatures for malware and some egregious fraud
|
|
# HIGH
|
|
winnow_phish_complete.ndb|HIGH # Phishing and other malicious urls and compromised hosts **DO NOT USE WITH winnow_phish_complete_url**
|
|
### OITC YARA Format rules
|
|
### Note: Yara signatures require ClamAV 0.100 or newer to work
|
|
winnow_malware.yara|DISABLED # Duplicated in EMAIL_Cryptowall.yar and no longer maintaned
|
|
|
|
### MiscreantPunch http://malwarefor.me/about/
|
|
## MEDIUM
|
|
MiscreantPunch099-Low.ldb|MEDIUM # ruleset contains comprehensive rules for detecting malicious or abnormal Macros, JS, HTA, HTML, XAP, JAR, SWF, and more.
|
|
## HIGH
|
|
MiscreantPunch099-INFO-Low.ldb|HIGH # ruleset provides context to various files. Info and Suspicious level signatures may inform analysts of potentially interesting conditions that exist within a document.
|
|
|
|
### SCAMNAILER http://www.scamnailer.info/
|
|
# MEDIUM
|
|
scamnailer.ndb|DISABLED # Spear phishing and other phishing emails, service has been discontinued https://github.com/extremeshok/clamav-unofficial-sigs/issues/365
|
|
|
|
### BOFHLAND http://clamav.bofhland.org/
|
|
# LOW
|
|
bofhland_cracked_URL.ndb|LOW # Spam URLs
|
|
bofhland_malware_attach.hdb|LOW # Malware Hashes
|
|
bofhland_malware_URL.ndb|LOW # Malware URLs
|
|
bofhland_phishing_URL.ndb|LOW # Phishing URLs
|
|
|
|
### RookSecurity http://rooksecurity.com/
|
|
# LOW
|
|
hackingteam.hsb|LOW # Hacking Team hashes based on work by rooksecurity.com
|
|
|
|
### Porcupine
|
|
# LOW
|
|
phishtank.ndb|LOW # Online and valid phishing urls from phishtank.com data feed
|
|
porcupine.hsb|LOW # Sha256 Hashes of VBS and JSE malware, kept for 7 days
|
|
porcupine.ndb|LOW # Brazilian e-mail phishing and malware signatures
|
|
|
|
### Sanesecurity YARA Format rules
|
|
### Note: Yara signatures require ClamAV 0.100 or newer to work
|
|
Sanesecurity_sigtest.yara|LOW # Sanesecurity test signatures
|
|
Sanesecurity_spam.yara|LOW # Detects Spam emails
|
|
|
|
) # END SANESECURITY DATABASES
|
|
|
|
# ========================
|
|
# SecuriteInfo Database(s)
|
|
# ========================
|
|
# Only active when you set your securiteinfo_authorisation_signature
|
|
# Add or remove database file names between quote marks as needed. To
|
|
# disable any SecuriteInfo database downloads, remove the appropriate
|
|
# lines below.
|
|
declare -a securiteinfo_dbs=( #START SECURITEINFO DATABASES
|
|
### Securiteinfo https://www.securiteinfo.com/services/anti-spam-anti-virus/improve-detection-rate-of-zero-day-malwares-for-clamav.shtml
|
|
## REQUIRED, Do NOT disable
|
|
securiteinfo.ign2|REQUIRED # Signature Whitelist
|
|
# LOW
|
|
javascript.ndb|LOW # Malwares Javascript
|
|
securiteinfo.hdb|LOW # Malwares younger than 3 years.
|
|
securiteinfoandroid.hdb|LOW # Malwares Java/Android Dalvik
|
|
securiteinfoascii.hdb|LOW # Text file malwares (Perl or shell scripts, bat files, exploits, ...)
|
|
securiteinfohtml.hdb|LOW # Malwares HTML
|
|
securiteinfoold.hdb|LOW # Malwares older than 3 years.
|
|
securiteinfopdf.hdb|LOW # Malwares PDF
|
|
# HIGH
|
|
spam_marketing.ndb|HIGH # Spam Marketing / spammer blacklist
|
|
) #END SECURITEINFO DATABASES
|
|
|
|
# SECURITEINFO PREMIUM (NON-FREE) DATABASES
|
|
declare -a securiteinfo_premium_dbs=( #START SECURITEINFO PREMIUM (NON-FREE) DATABASES
# Only used when securiteinfo_premium is set to "yes"
securiteinfo.mdb|LOW # 0-day Malwares
securiteinfo0hour.hdb|LOW # 0-Hour Malwares
) #END SECURITEINFO PREMIUM (NON-FREE) DATABASES
|
|
|
|
# ========================
|
|
# LinuxMalwareDetect Database(s)
|
|
# ========================
|
|
# Add or remove database file names between quote marks as needed. To
|
|
# disable any LinuxMalwareDetect database downloads, remove the appropriate
|
|
# lines below.
|
|
declare -a linuxmalwaredetect_dbs=(
|
|
### Linux Malware Detect https://www.rfxn.com/projects/linux-malware-detect/
|
|
# LOW
|
|
rfxn.ndb|LOW # HEX Malware detection signatures
|
|
rfxn.hdb|LOW # MD5 Malware detection signatures
|
|
rfxn.yara|LOW # Yara Malware detection signatures
|
|
) #END LINUXMALWAREDETECT DATABASES
|
|
|
|
# ========================
|
|
# interServer Database(s)
|
|
# ========================
|
|
# Add or remove database file names between quote marks as needed. To
|
|
# disable any interServer database downloads, remove the appropriate
|
|
# lines below.
|
|
declare -a interserver_dbs=( #START INTERSERVER DATABASES
### interServer
## REQUIRED, Do NOT disable
whitelist.fp|REQUIRED # found to be false positive malware
# LOW
interserver256.hdb|LOW # 100% known malware sha256 format
# MEDIUM
interservertopline.db|MEDIUM # inserts into files, manual cleaning HEX
# HIGH
shell.ldb|HIGH # 99.9% known malware using logical signatures
) #END INTERSERVER DATABASES
|
|
|
|
# ========================
|
|
# Malware Expert Database(s)
|
|
# ========================
|
|
# Add or remove database file names between quote marks as needed. To
|
|
# disable any Malware Expert database downloads, remove the appropriate
|
|
# lines below.
|
|
declare -a malwareexpert_dbs=(
|
|
## REQUIRED, Do NOT disable
|
|
malware.expert.fp|REQUIRED # found to be false positive malware
|
|
# LOW
|
|
malware.expert.hdb|LOW # statics MD5 pattern for files
|
|
# MEDIUM
|
|
malware.expert.ldb|MEDIUM # which use multi-words search for malware in files
|
|
malware.expert.ndb|MEDIUM # Generic Hex pattern PHP malware, which can cause false positive alarms
|
|
) #END Malware Expert DATABASES
|
|
|
|
# ========================
|
|
# urlhaus Database(s)
|
|
# ========================
|
|
# Add or remove database file names between quote marks as needed. To
|
|
# disable any urlhaus database downloads, remove the appropriate
|
|
# lines below.
|
|
declare -a urlhaus_dbs=(
|
|
### urlhaus https://urlhaus.abuse.ch/browse/
|
|
# LOW
|
|
urlhaus.ndb|LOW # malicious URLs that are being used for malware distribution
|
|
) #END URLHAUS DATABASES
|
|
|
|
# ========================
|
|
# Yara Rules Project Database(s)
|
|
# ========================
|
|
# Add or remove database file names between quote marks as needed. To
|
|
# disable any Yara Rule database downloads, remove the appropriate
|
|
# lines below.
|
|
declare -a yararulesproject_dbs=(
### Yara Rules https://github.com/Yara-Rules/rules
#
# Some rules are now in sub-directories. To reference a file in a sub-directory
# use subdir/file
#
# Entries marked "duplicated in rfxn.yara" overlap the Linux Malware Detect
# rfxn.yara database (see linuxmalwaredetect_dbs) and are DISABLED so the
# same rules are not loaded twice.
# LOW
# Anti debug and anti virtualization techniques used by malware
antidebug_antivm/antidebug_antivm.yar|DISABLED # (core dumped) - presumably crashes clamav when loaded
# Aimed toward the detection and existence of Exploit Kits.
exploit_kits/EK_Angler.yar|DISABLED # duplicated in rfxn.yara
exploit_kits/EK_Blackhole.yar|DISABLED # duplicated in rfxn.yara
exploit_kits/EK_BleedingLife.yar|LOW # duplicated in rfxn.yara - NOTE(review): rated LOW while every other "duplicated" EK_* entry is DISABLED, confirm intended
exploit_kits/EK_Crimepack.yar|DISABLED # duplicated in rfxn.yara
exploit_kits/EK_Eleonore.yar|DISABLED # duplicated in rfxn.yara
exploit_kits/EK_Fragus.yar|DISABLED # duplicated in rfxn.yara
exploit_kits/EK_Phoenix.yar|DISABLED # duplicated in rfxn.yara
exploit_kits/EK_Sakura.yar|DISABLED # duplicated in rfxn.yara
exploit_kits/EK_ZeroAcces.yar|DISABLED # duplicated in rfxn.yara
exploit_kits/EK_Zerox88.yar|DISABLED # duplicated in rfxn.yara
exploit_kits/EK_Zeus.yar|DISABLED # duplicated in rfxn.yara
# Identification of well-known webshells
webshells/WShell_APT_Laudanum.yar|DISABLED # duplicated in rfxn.yara
webshells/WShell_ASPXSpy.yar|LOW
webshells/WShell_Drupalgeddon2_icos.yar|LOW
webshells/WShell_PHP_Anuna.yar|DISABLED # duplicated in rfxn.yara
webshells/WShell_PHP_in_images.yar|DISABLED # duplicated in rfxn.yara
webshells/WShell_THOR_Webshells.yar|DISABLED # duplicated in rfxn.yara
webshells/Wshell_ChineseSpam.yar|DISABLED # duplicated in rfxn.yara
webshells/Wshell_fire2013.yar|DISABLED # duplicated in rfxn.yara
# MEDIUM
# Identification of specific Common Vulnerabilities and Exposures (CVEs)
cve_rules/CVE-2010-0805.yar|MEDIUM
cve_rules/CVE-2010-0887.yar|MEDIUM
cve_rules/CVE-2010-1297.yar|MEDIUM
cve_rules/CVE-2012-0158.yar|MEDIUM
cve_rules/CVE-2013-0074.yar|MEDIUM
cve_rules/CVE-2013-0422.yar|MEDIUM
cve_rules/CVE-2015-1701.yar|MEDIUM
cve_rules/CVE-2015-2426.yar|MEDIUM
cve_rules/CVE-2015-2545.yar|MEDIUM
cve_rules/CVE-2015-5119.yar|MEDIUM
cve_rules/CVE-2016-5195.yar|MEDIUM
cve_rules/CVE-2017-11882.yar|MEDIUM
cve_rules/CVE-2018-20250.yar|MEDIUM
cve_rules/CVE-2018-4878.yar|MEDIUM
# Identification of malicious e-mails.
email/bank_rule.yar|MEDIUM
email/EMAIL_Cryptowall.yar|MEDIUM
email/Email_fake_it_maintenance_bulletin.yar|MEDIUM
email/Email_quota_limit_warning.yar|MEDIUM
email/email_Ukraine_BE_powerattack.yar|MEDIUM
email/scam.yar|MEDIUM
# Detect well-known software packers, that can be used by malware to hide itself.
packers/JJencode.yar|DISABLED # Causes high CPU load with email attachments (images) https://github.com/extremeshok/clamav-unofficial-sigs/issues/362
# HIGH
# Generic phishing e-mail detection
email/Email_generic_phishing.yar|HIGH
# Used with documents to find if they have been crafted to leverage malicious code.
maldocs/Maldoc_APT_OLE_JSRat.yar|HIGH
maldocs/Maldoc_APT10_MenuPass.yar|HIGH
maldocs/Maldoc_APT19_CVE-2017-0199.yar|HIGH
maldocs/Maldoc_Contains_VBE_File.yar|HIGH
maldocs/Maldoc_CVE_2017_11882.yar|HIGH
maldocs/Maldoc_CVE_2017_8759.yar|HIGH
maldocs/Maldoc_CVE-2017-0199.yar|HIGH
maldocs/Maldoc_DDE.yar|HIGH
maldocs/Maldoc_Dridex.yar|HIGH
maldocs/Maldoc_hancitor_dropper.yar|HIGH
maldocs/Maldoc_Hidden_PE_file.yar|HIGH
maldocs/Maldoc_malrtf_ole2link.yar|HIGH
maldocs/Maldoc_MIME_ActiveMime_b64.yar|HIGH
maldocs/Maldoc_PDF.yar|HIGH
maldocs/Maldoc_PowerPointMouse.yar|HIGH
maldocs/maldoc_somerules.yar|HIGH
maldocs/Maldoc_Suspicious_OLE_target.yar|HIGH
maldocs/Maldoc_UserForm.yar|HIGH
maldocs/Maldoc_VBA_macro_code.yar|HIGH
maldocs/Maldoc_Word_2007_XML_Flat_OPC.yar|HIGH
# Yara Rules aimed to detect well-known software packers, that can be used by malware to hide itself.
packers/Javascript_exploit_and_obfuscation.yar|HIGH
# DISABLED
# NOT SUPPORTED OR CRASHING CLAMAV
email/attachment.yar|DISABLED # detects all emails with attachments
email/image.yar|DISABLED # detects all emails with images
email/urls.yar|DISABLED # detects all emails with urls
crypto/crypto_signatures.yar|DISABLED # detects all files which are encrypted
# These files use module includes not supported by ClamAV
packers/packer_compiler_signatures.yar|DISABLED
packers/packer.yar|DISABLED
packers/peid.yar|DISABLED
antidebug_antivm|DISABLED # entire antidebug_antivm sub-directory (see the antidebug_antivm.yar entry above)
) #END yararulesproject DATABASES
|
|
|
|
declare -a yararulesproject_dbs_catagories=(
|
|
#LOW
|
|
cve_rules|LOW
|
|
exploit_kits|LOW
|
|
malware|LOW
|
|
webshells|LOW
|
|
#MEDIUM
|
|
email|MEDIUM
|
|
maldocs|MEDIUM
|
|
# HIGH
|
|
capabilities|HIGH
|
|
crypto|HIGH
|
|
packers|HIGH
|
|
)
|
|
|
|
|
|
# =========================
|
|
# Additional signature databases
|
|
# =========================
|
|
# Additional signature databases can be specified here in the following
|
|
# format: PROTOCOL://URL-or-IP/PATH/TO/FILE-NAME (use a trailing "/" in
|
|
# place of the "FILE-NAME" to download all files from specified location,
|
|
# but this *ONLY* works for files downloaded via rsync). For non-rsync
|
|
# downloads, wget and curl is used. For download protocols supported by
|
|
# wget and curl, see "man wget" and "man curl".
|
|
# This also works well for locations that have many ClamAV
|
|
# servers that use 3rd party signature databases, as only one server need
|
|
# download the remote databases, and all others can update from the local
|
|
# mirrors copy. See format examples below. To use, remove the comments
|
|
# and examples shown and add your own sites between the quote marks.
|
|
#declare -a additional_dbs=(
|
|
# rsync://192.168.1.50/new-db/sigs.hdb
|
|
# rsync://rsync.example.com/all-dbs/
|
|
# ftp://ftp.example.net/pub/sigs.ndb
|
|
# http://www.example.org/sigs.ldb
|
|
#) #END ADDITIONAL DATABASES
|
|
|
|
# ==================================================
|
|
# ==================================================
|
|
# D E B U G O P T I O N S
|
|
# ==================================================
|
|
# ==================================================
|
|
|
|
# Enable debugging, will cause all options below to enable
|
|
debug="no"
|
|
|
|
# Causes the xshok_file_download function to be verbose, used for debugging
|
|
downloader_debug="no"
|
|
|
|
# Causes clamscan signature test errors to be verbose
|
|
clamscan_debug="no"
|
|
|
|
# Causes curl errors to be verbose
|
|
curl_debug="no"
|
|
|
|
# Causes wget errors to be verbose
|
|
wget_debug="no"
|
|
|
|
# Causes rsync errors to be verbose
|
|
rsync_debug="no"
|
|
|
|
# ==================================================
|
|
# ==================================================
|
|
# A D V A N C E D O P T I O N S
|
|
# ==================================================
|
|
# ==================================================
|
|
|
|
# Branch for update checking, default: master
|
|
git_branch="master"
|
|
|
|
# Enable support for script and master.conf upgrades
|
|
# enables the --upgrade command line option
|
|
# packagers, if required please disable or set this option to no in the os.conf
|
|
allow_upgrades="yes"
|
|
|
|
# Enable support for script and master.conf update checks
|
|
# packagers, if required please disable or set this option to no in the os.conf
|
|
allow_update_checks="yes"
|
|
|
|
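# How often the script should check for updates, in hours.
# The original line had no space between the closing quote and the "#",
# so the comment text was not separated from the value.
update_check_hours="12" # Default is 12 hours (2 checks daily).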
|
|
|
|
# Enable or disable download time randomization. This allows the script to
|
|
# be executed via cron, but the actual database file checking will pause
|
|
# for a random number of seconds between the "min" and "max" time settings
|
|
# specified below. This helps to more evenly distribute load on the host
|
|
# download sites. To disable, set the following variable to "no".
|
|
enable_random="yes"
|
|
|
|
# Enable to prevent issues with multiple instances running
|
|
# To disable, set the following variable to "no".
|
|
enable_locking="yes"
|
|
|
|
# If download time randomization is enabled above (enable_random="yes"),
|
|
# then set the min and max randomization time intervals (in seconds).
|
|
max_sleep_time="600" # Default maximum is 600 seconds (10 minutes).
|
|
min_sleep_time="60" # Default minimum is 60 seconds (1 minute).
|
|
|
|
# Command to do a full clamd service stop/start
|
|
#clamd_restart_opt="service clamd restart"
|
|
|
|
# Custom Command Paths, these are detected with the which command when not set
|
|
#clamscan_bin="/usr/bin/clamscan"
|
|
#curl_bin="/usr/bin/curl"
|
|
#gpg_bin="/usr/bin/gpg"
|
|
#rsync_bin="/usr/bin/rsync"
|
|
#tar_bin="/usr/bin/tar"
|
|
#uname_bin="/usr/bin/uname"
|
|
#wget_bin="/usr/bin/wget"
|
|
#dig_bin="/usr/bin/dig"
|
|
#host_bin="/usr/bin/host"
|
|
|
|
# force wget; by default curl is used when both curl and wget are present.
|
|
force_wget="no"
|
|
|
|
# force host; by default dig is used when both dig and host are present.
|
|
force_host="no"
|
|
|
|
# GnuPG / Signature verification
|
|
# To disable usage of gpg, set the following variable to "no".
|
|
# If gpg_bin cannot be found, enable_gpg will automatically disable
|
|
enable_gpg="yes"
|
|
|
|
# If running clamd in "LocalSocket" mode (*NOT* in TCP/IP mode), and
|
|
# either "SOcket Cat" (socat) or the "IO::Socket::UNIX" perl module
|
|
# are installed on the system, and you want to report whether clamd
|
|
# is running or not, uncomment the "clamd_socket" variable below (you
|
|
# will be warned if neither socat nor IO::Socket::UNIX are found, but
|
|
# the script will still run). You will also need to set the correct
|
|
# path to your clamd socket file (if unsure of the path, check the
|
|
# "LocalSocket" setting in your clamd.conf file for socket location).
|
|
#clamd_socket="/tmp/clamd.socket"
|
|
|
|
# Set rsync connection and data transfer timeout limits in seconds.
|
|
# The defaults settings here are reasonable, only change if you are
|
|
# experiencing timeout issues.
|
|
rsync_connect_timeout="60"
|
|
rsync_max_time="180"
|
|
|
|
# HTTPS validation
|
|
# Uncomment to ignore TLS certificate errors; downloads are then no longer authenticated and could be tampered with in transit
|
|
# downloader_ignore_ssl_errors="yes" # Default is "no"
|
|
|
|
# Set downloader connection, data transfer timeout limits in seconds.
|
|
# The defaults settings here are reasonable, only change if you are
|
|
# experiencing timeout issues.
|
|
downloader_connect_timeout="60"
|
|
downloader_max_time="1800"
|
|
|
|
# Set downloader retry count for failed transfers
|
|
downloader_tries="5"
|
|
|
|
# Set working directory paths (edit to meet your own needs). If these
|
|
# directories do not exist, the script will attempt to create them.
|
|
# Always located inside the work_dir, do not add /
|
|
# Sub-directory names:
|
|
add_dir="dbs-add" # User defined databases sub-directory
|
|
gpg_dir="gpg-key" # Sanesecurity GPG Key sub-directory
|
|
interserver_dir="dbs-is" # interServer sub-directory
|
|
linuxmalwaredetect_dir="dbs-lmd" # Linux Malware Detect sub-directory
|
|
malwareexpert_dir="dbs-me" # Malware Expert sub-directory
|
|
malwarepatrol_dir="dbs-mbl" # MalwarePatrol sub-directory
|
|
pid_dir="pid" # User defined pid sub-directory
|
|
sanesecurity_dir="dbs-ss" # Sanesecurity sub-directory
|
|
securiteinfo_dir="dbs-si" # SecuriteInfo sub-directory
|
|
urlhaus_dir="dbs-uh" # urlhaus sub-directory
|
|
work_dir_configs="configs" # Script configs sub-directory
|
|
yararulesproject_dir="dbs-yara" # Yara-Rules sub-directory
|
|
|
|
# If you would like to make a backup copy of the current running database
|
|
# file before updating, leave the following variable set to "yes" and a
|
|
# backup copy of the file will be created in the production directory
|
|
# with -bak appended to the file name.
|
|
keep_db_backup="no"
|
|
|
|
# When a database fails its integrity test, the failed database will be removed.
|
|
remove_bad_database="yes"
|
|
|
|
# When a database is disabled we will remove the associated database files.
|
|
remove_disabled_databases="yes" # Default is "yes"
|
|
|
|
# Enable SELinux fixes, ie. running restorecon on the database files.
# **Run the following command as root to enable clamav selinux support**
# setsebool -P antivirus_can_scan_system true
#
selinux_fixes="no" # Default is "no"
|
|
|
|
# Proxy Support
|
|
# If necessary to proxy database downloads, define the rsync, curl, wget, dig and host proxy settings here.
# Proxy credentials placed in these values are stored in clear text, so restrict read access to the config file that holds them.
|
|
#rsync_proxy="username:password@proxy_host:proxy_port"
|
|
# Define rsync to use netcat for socks tunnel
|
|
#rsync_connect_prog="nc -X 5 -x socksproxy_host:socksproxy_port %H 873"
#curl_proxy="--proxy http://username:password@proxy_host:proxy_port"
#wget_proxy="-e http_proxy=http://username:password@proxy_host:proxy_port -e https_proxy=https://username:password@proxy_host:proxy_port"
#dig_proxy="@proxy_host -p proxy_host:proxy_port"
#host_proxy="@proxy_host" #does not support port
# Custom Cron install settings: these are detected automatically and only need to be set if you want to override
# the automatic detection and generation that is used when they are not set; this is mainly to aid package maintainers.
#cron_bash="" #default: detected with the which command
#cron_dir="" #default: /etc/cron.d
#cron_filename="" #default: clamav-unofficial-sigs
#cron_minute="" #default: random value between 0-59
#cron_script_full_path="" #default: detected to the fullpath of the script
#cron_sudo="no" #default no, yes will append sudo -u before the username
#cron_user="" #default: uses the clam_user
# Custom logrotate install settings: these are detected automatically and only need to be set if you want to override
# the automatic detection and generation that is used when they are not set; this is mainly to aid package maintainers.
#logrotate_dir="" #default: /etc/logrotate.d
#logrotate_filename="" #default: clamav-unofficial-sigs
#logrotate_group="" #default: uses the clam_group
#logrotate_log_file_full_path="" #default: detected to the $log_file_path/$log_file_name
#logrotate_user="" #default: uses the clam_user
# Custom man install settings: these are detected automatically and only need to be set if you want to override
# the automatic detection and generation that is used when they are not set; this is mainly to aid package maintainers.
#man_dir="" #default: /usr/share/man/man8
#man_filename="" #default: clamav-unofficial-sigs.8
# Two variables are provided that package and port maintainers can use in order to
# prevent the script from removing itself with the '-r' flag
# If the script was installed via a package manager like yum, apt, pkg, etc.,
# the script will instead provide feedback to the user about how to uninstall the package.
#pkg_mgr="" #the package manager name
#pkg_rm="" #the package manager command to remove the script
# Custom full working directory paths: these are detected automatically and only need to be set if you want to override
# the automatic detection and generation that is used when they are not set; this is mainly to aid package maintainers.
#work_dir_add="" #default: uses work_dir/add_dir
#work_dir_gpg="" #default: uses work_dir/gpg_dir
#work_dir_interserver="" #default: uses work_dir/interserver_dir
#work_dir_linuxmalwaredetect="" #default: uses work_dir/linuxmalwaredetect_dir
#work_dir_malwareexpert="" #default: uses work_dir/malwareexpert_dir
#work_dir_malwarepatrol="" #default: uses work_dir/malwarepatrol_dir
#work_dir_pid="" #default: uses work_dir/pid_dir
#work_dir_sanesecurity="" #default: uses work_dir/sanesecurity_dir
#work_dir_securiteinfo="" #default: uses work_dir/securiteinfo_dir
#work_dir_urlhaus="" #default: uses work_dir/urlhaus_dir
#work_dir_work_configs="" #default: uses work_dir/work_dir_configs
#work_dir_yararulesproject="" #default: uses work_dir/yararulesproject_dir
# ========================
# After you have completed the configuration of this file, set the value to "yes"
user_configuration_complete="no"
# ========================
# DO NOT EDIT !
# Database provider URLs
interserver_url="https://sigs.interserver.net"
linuxmalwaredetect_sigpack_url="https://cdn.rfxn.com/downloads/maldet-sigpack.tgz"
linuxmalwaredetect_version_url="https://cdn.rfxn.com/downloads/maldet.sigs.ver"
malwareexpert_url="https://signatures.malware.expert"
malwarepatrol_url="https://lists.malwarepatrol.net/cgi/getfile"
sanesecurity_gpg_url="https://www.sanesecurity.com/publickey.gpg"
sanesecurity_url="rsync.sanesecurity.net"
securiteinfo_url="https://www.securiteinfo.com/get/signatures"
urlhaus_url="https://urlhaus.abuse.ch/downloads"
yararulesproject_url="https://raw.githubusercontent.com/Yara-Rules/rules/master"
# ========================
# DO NOT EDIT !
config_version="97"
################################################################################
#
# DO NOT EDIT THIS FILE !! DO NOT EDIT THIS FILE !! DO NOT EDIT THIS FILE !!
#
################################################################################
# https://eXtremeSHOK.com ######################################################