# This file contains master configuration settings for clamav-unofficial-sigs.sh
################################################################################
# This is property of eXtremeSHOK.com
# You are free to use, modify and distribute, however you may not remove this notice.
# Copyright (c) Adrian Jon Kriel :: admin@extremeshok.com
# License: BSD (Berkeley Software Distribution)
################################################################################
#
# DO NOT EDIT THIS FILE !! DO NOT EDIT THIS FILE !! DO NOT EDIT THIS FILE !!
#
################################################################################
#
# SET YOUR CUSTOM OPTIONS AND SETTINGS IN THE user.conf
#
# os.conf (os.***.conf) AND user.conf OVERRIDES THE OPTIONS IN THIS FILE
#
################################################################################
# Core paths, ownership and logging settings for clamav-unofficial-sigs.sh.
# NOTE(review): the values below are evaluated by the script (the declare -a
# arrays further down are shell syntax), so this file, os.conf and user.conf
# should be writable only by root -- presumably; confirm against the loader.
# Edit the quoted variables below to meet your own particular needs
# and requirements, but do not remove the "quote" marks.
# Set the appropriate ClamD user and group accounts for your system.
# If you do not want the script to set user and group permissions on
# files and directories, comment the next two variables.
#clam_user="clamav"
#clam_group="clamav"
# If you do not want the script to change the file mode of all signature
# database files in the ClamAV working directory to 0644 (-rw-r--r--):
#
# owner: read, write
# group: read
# world: read
#
# as defined in the "clam_dbs" path variable below, then set the following
# "setmode" variable to "no".
setmode="yes"
# Set path to ClamAV database files location. If unsure, check
# your clamd.conf file for the "DatabaseDirectory" path setting.
clam_dbs="/var/lib/clamav"
# Set path to clamd.pid file (see clamd.conf for path location).
clamd_pid="/var/run/clamav/clamd.pid"
# To enable "ham" (non-spam) directory scanning and removal of
# signatures that trigger on ham messages, uncomment the following
# variable and set it to the appropriate ham message directory.
#ham_dir="/var/lib/clamav-unofficial-sigs/ham-test"
# If you would like to reload the clamd databases after an update,
# change the following variable to "yes".
reload_dbs="yes"
# Custom command to do a full clamd reload; only used when reload_dbs is enabled.
# This string is executed by the script, so it must come from a trusted config file.
clamd_reload_opt="clamdscan --reload"
# Top level working directory; the script will attempt to create it.
work_dir="/var/lib/clamav-unofficial-sigs" # Top level working directory
# Log update information to '$log_file_path/$log_file_name'.
logging_enabled="yes"
log_file_path="/var/log/clamav-unofficial-sigs"
log_file_name="clamav-unofficial-sigs.log"
## Use a program to log messages (uncomment to enable)
#log_pipe_cmd="/usr/bin/logger -it 'clamav-unofficial-sigs'"
# =========================
# Third-party provider credentials
# =========================
# The receipt code, serial key and authorisation signature below are account
# secrets. Set the real values in user.conf (which overrides this file, see the
# header) and keep that file readable only by the account that runs the script.
# =========================
# MalwarePatrol : https://www.malwarepatrol.net
# MalwarePatrol 2016 (free) clamav signatures
#
# 1. Sign up for an account : https://www.malwarepatrol.net/free-guard-upgrade-option/
# 2. You will receive an email containing your password/receipt number
# 3. Login to your account at MalwarePatrol
# 4. In the My Account page, choose the ClamAV list you will download. Free subscribers only get ClamAV Basic, commercial subscribers have access to ClamAV Extended. Do not use the aggressive lists.
# 5. In the download URL, you will see 3 parameters: receipt, product and list, enter them in the variables below.
malwarepatrol_receipt_code="YOUR-RECEIPT-NUMBER"
malwarepatrol_product_code="8"
malwarepatrol_list="clamav_basic" # clamav_basic or clamav_ext
# if the malwarepatrol_product_code is not 8,
# the malwarepatrol_free is set to no (non-free)
# set to no to enable the commercial subscription url,
malwarepatrol_free="yes"
malwarepatrol_db="malwarepatrol.db"
# =========================
# Malware Expert (the original comment carried a broken URL; see the provider site)
# Malware Expert 2020 (non-free) clamav signatures
malwareexpert_serial_key="YOUR-SERIAL-KEY"
# =========================
# SecuriteInfo : https://www.SecuriteInfo.com
# SecuriteInfo 2015 free clamav signatures
#
# Usage of SecuriteInfo 2015 free clamav signatures : https://www.securiteinfo.com
# - 1. Sign up for a free account : https://www.securiteinfo.com/clients/customers/signup
# - 2. You will receive an email to activate your account and then a followup email with your login name
# - 3. Login and navigate to your customer account : https://www.securiteinfo.com/clients/customers/account
# - 4. Click on the Setup tab
# - 5. You will need to get your unique identifier from one of the download links, they are individual for every user
# - 5.1. The 128 character string is after the http://www.securiteinfo.com/get/signatures/
# - 5.2. Example https://www.securiteinfo.com/get/signatures/your_unique_and_very_long_random_string_of_characters/securiteinfo.hdb
# Your 128 character authorisation signature would be : your_unique_and_very_long_random_string_of_characters
# - 6. Enter the authorisation signature into the config securiteinfo_authorisation_signature: replacing YOUR-SIGNATURE-NUMBER with your authorisation signature from the link
securiteinfo_authorisation_signature="YOUR-SIGNATURE-NUMBER"
# Enable if you have a commercial/premium/non-free subscription
securiteinfo_premium="no"
# ========================
# Database provider update time
# ========================
# Minimum interval, in hours, between download attempts for each provider.
# Since the database files are dynamically created, non default values can cause banning, change with caution
additional_update_hours="4" # Default is 4 hours (6 downloads daily).
interserver_update_hours="1" # NOTE(review): value is 1 but the original comment stated the default is 2 hours (12 downloads daily); confirm which interval the provider expects.
linuxmalwaredetect_update_hours="6" # Default is 6 hours (4 downloads daily).
malwareexpert_update_hours="2" # Default is 2 hours (12 downloads daily).
malwarepatrol_update_hours="24" # Default is 24 hours (1 download daily).
sanesecurity_update_hours="2" # Default is 2 hours (12 downloads daily).
securiteinfo_premium_update_hours="1" # Default is 1 hour (24 downloads daily).
securiteinfo_update_hours="4" # Default is 4 hours (6 downloads daily).
urlhaus_update_hours="1" # Default is 1 hour (24 downloads daily).
yararulesproject_update_hours="24" # Default is 24 hours (1 download daily).
# ========================
# Enabled Databases
# ========================
# Per-provider on/off switches (yes/no strings).
# Set to no to disable an entire database, if the database is empty it will also be disabled.
additional_enabled="yes" # Additional Databases
interserver_enabled="yes" # interServer
linuxmalwaredetect_enabled="yes" # Linux Malware Detect
malwareexpert_enabled="yes" # Malware Expert
malwarepatrol_enabled="yes" # Malware Patrol
sanesecurity_enabled="yes" # Sanesecurity
securiteinfo_enabled="yes" # SecuriteInfo
urlhaus_enabled="yes" # urlhaus
yararulesproject_enabled="yes" # Yara-Rule Project, automatically disabled if clamav is older than 0.100 and enable_yararules is disabled
# Disabled by default
## Enabling this will also cause the yararulesproject to be enabled if it is set to enabled.
enable_yararules="yes" # Enables yararules in the various databases, automatically disabled if clamav is older than 0.100
# ========================
# eXtremeSHOK Database format
# ========================
# The new and old database formats are supported for backwards compatibility
#
# New Format Usage:
# declare -a new_example_dbs=(
# file.name|RATING #description
# )
#
# Rating (False Positive Rating)
# valid ratings:
# REQUIRED : always used
# LOW : used when the rating is low, medium and high
# MEDIUM : used when the rating is medium and high
# HIGH : used when the rating is high
# LOWONLY : used only when the rating is low
# MEDIUMONLY : used only when the rating is medium
# LOWMEDIUMONLY : used only when the rating is medium or low
# DISABLED : never used, will automatically remove the present file
#
# Old Format is still supported, requiring you to comment out files to disable them
# old_example_dbs="
# file.name #LOW description
# "
# Default dbs rating, applied to every provider list that has no per-database rating below
# valid rating: LOW, MEDIUM, HIGH, DISABLE
# NOTE(review): the per-file list above spells the last value DISABLED; confirm which spelling the script accepts here.
default_dbs_rating="MEDIUM"
# Per Database
# These ratings will override the global rating for the specific database
# valid ratings: LOW | MEDIUM | HIGH | DISABLE
#linuxmalwaredetect_dbs_rating=""
#sanesecurity_dbs_rating=""
#securiteinfo_dbs_rating=""
#urlhaus_dbs_rating=""
#yararulesproject_dbs_rating=""
# ========================
# Sanesecurity Database(s)
# ========================
# Each entry is file.name|RATING with an optional trailing comment; the
# ratings are defined in the eXtremeSHOK Database format section above.
# Add or remove database file names between the parentheses as needed. To
# disable usage of any of the Sanesecurity distributed database files
# shown, set its rating to DISABLED or remove the line.
# NOTE(review): default_dbs_rating above is MEDIUM, so both LOW and MEDIUM
# entries are active by default; the original note claimed only low-risk ones were.
# for additional information about the database ratings, see:
# http://www.sanesecurity.com/clamav/databases.htm
# Only add signature databases here that are "distributed" by Sanesecurity
# as defined at the URL shown above. Databases distributed by other sources
# (e.g., SecuriteInfo & MalwarePatrol) can be added to other sections of
# this config file below. Finally, make sure that the database names are
# spelled correctly or you will experience issues when the script runs
# (hint: all rsync servers will fail to download signature updates).
declare -a sanesecurity_dbs=( # BEGIN SANESECURITY DATABASE
### SANESECURITY http://sanesecurity.com/usage/signatures/
## REQUIRED, Do NOT disable
sanesecurity.ftm|REQUIRED # Message file types, for best performance
sigwhitelist.ign2|REQUIRED # Fast update file to whitelist any problem signatures
# LOW
blurl.ndb|LOW # Blacklisted full urls over the last 7 days, covering malware/spam/phishing. URLs added only when main signatures have failed to detect but are known to be "bad"
junk.ndb|LOW # General high hitting junk, containing spam/phishing/lottery/jobs/419s etc
jurlbl.ndb|LOW # Junk Url based
malwarehash.hsb|LOW # Malware hashes without known Size
phish.ndb|LOW # Phishing and Malware
rogue.hdb|LOW # Malware, Rogue anti-virus software and Fake codecs etc. Updated hourly to cover the latest malware threats
scam.ndb|LOW # Spam/scams
spamattach.hdb|LOW # Spam Spammed attachments such as pdf/doc/rtf/zips
spamimg.hdb|LOW # Spam images
# MEDIUM
badmacro.ndb|MEDIUM # Blocks dangerous macros embedded in Word/Excel/Xml/RTF/JS documents
jurlbla.ndb|MEDIUM # Junk Url based autogenerated from various feeds
lott.ndb|MEDIUM # Lottery
shelter.ldb|MEDIUM # Phishing and Malware
spam.ldb|MEDIUM # Spam detected using the new Logical Signature type
spear.ndb|MEDIUM # Spear phishing email addresses (autogenerated from data here)
spearl.ndb|MEDIUM # Spear phishing urls (autogenerated from data here)
### FOXHOLE http://sanesecurity.com/foxhole-databases/
# LOW
foxhole_filename.cdb|LOW # See Foxhole page for more details
foxhole_generic.cdb|LOW # See Foxhole page for more details
# MEDIUM
foxhole_js.cdb|MEDIUM # See Foxhole page for more details
foxhole_js.ndb|MEDIUM # See Foxhole page for more details
# HIGH
foxhole_all.cdb|HIGH # See Foxhole page for more details
foxhole_all.ndb|HIGH # See Foxhole page for more details
foxhole_mail.cdb|HIGH # block any mail that contains a possible dangerous attachments such as: js, jse, exe, bat, com, scr, uue, ace, pif, jar, gz, lnk, lzh.
### OITC http://www.oitc.com/winnow/clamsigs/index.html
### Note: the two databases winnow_phish_complete.ndb and winnow_phish_complete_url.ndb should NOT be used together.
### The LOWMEDIUMONLY / HIGH ratings below keep them mutually exclusive; keep that pairing if you change either.
# LOW
winnow_bad_cw.hdb|LOW # md5 hashes of malware attachments acquired directly from a group of botnets
winnow_extended_malware.hdb|LOW # contain hand generated signatures for malware
winnow_malware_links.ndb|LOW # Links to malware
winnow_malware.hdb|LOW # Current virus, trojan and other malware not yet detected by ClamAV.
winnow_phish_complete_url.ndb|LOWMEDIUMONLY # Similar to winnow_phish_complete.ndb except that entire urls are used
winnow.attachments.hdb|LOW # Spammed attachments such as pdf/doc/rtf/zip as well as malware crypted configs
# MEDIUM
winnow_extended_malware_links.ndb|MEDIUM # contain hand generated signatures for malware links
winnow_spam_complete.ndb|MEDIUM # Signatures to detect fraud and other malicious spam
winnow.complex.patterns.ldb|MEDIUM # contain hand generated signatures for malware and some egregious fraud
# HIGH
winnow_phish_complete.ndb|HIGH # Phishing and other malicious urls and compromised hosts **DO NOT USE WITH winnow_phish_complete_url**
### OITC YARA Format rules
### Note: Yara signatures require ClamAV 0.100 or newer to work
winnow_malware.yara|DISABLED # Duplicated in EMAIL_Cryptowall.yar and no longer maintained
### MiscreantPunch http://malwarefor.me/about/
## MEDIUM
MiscreantPunch099-Low.ldb|MEDIUM # ruleset contains comprehensive rules for detecting malicious or abnormal Macros, JS, HTA, HTML, XAP, JAR, SWF, and more.
## HIGH
MiscreantPunch099-INFO-Low.ldb|HIGH # ruleset provides context to various files. Info and Suspicious level signatures may inform analysts of potentially interesting conditions that exist within a document.
### SCAMNAILER http://www.scamnailer.info/
# MEDIUM
scamnailer.ndb|DISABLED # Spear phishing and other phishing emails, service has been discontinued https://github.com/extremeshok/clamav-unofficial-sigs/issues/365
### BOFHLAND http://clamav.bofhland.org/
# LOW
bofhland_cracked_URL.ndb|LOW # Spam URLs
bofhland_malware_attach.hdb|LOW # Malware Hashes
bofhland_malware_URL.ndb|LOW # Malware URLs
bofhland_phishing_URL.ndb|LOW # Phishing URLs
### RockSecurity http://rooksecurity.com/
# LOW
hackingteam.hsb|LOW # Hacking Team hashes based on work by rooksecurity.com
### Porcupine
# LOW
phishtank.ndb|LOW # Online and valid phishing urls from phishtank.com data feed
porcupine.hsb|LOW # Sha256 Hashes of VBS and JSE malware, kept for 7 days
porcupine.ndb|LOW # Brazilian e-mail phishing and malware signatures
### Sanesecurity YARA Format rules
### Note: Yara signatures require ClamAV 0.100 or newer to work
Sanesecurity_sigtest.yara|LOW # Sanesecurity test signatures
Sanesecurity_spam.yara|LOW # Detects Spam emails
) # END SANESECURITY DATABASES
# ========================
# SecuriteInfo Database(s)
# ========================
# Only active when you set your securiteinfo_authorisation_signature
# Entries are file.name|RATING; see the eXtremeSHOK Database format section above.
# Add or remove database file names between the parentheses as needed. To
# disable any SecuriteInfo database downloads, remove the appropriate
# lines below.
declare -a securiteinfo_dbs=( #START SECURITEINFO DATABASES
### Securiteinfo https://www.securiteinfo.com/services/anti-spam-anti-virus/improve-detection-rate-of-zero-day-malwares-for-clamav.shtml
## REQUIRED, Do NOT disable
securiteinfo.ign2|REQUIRED # Signature Whitelist
# LOW
javascript.ndb|LOW # Malwares Javascript
securiteinfo.hdb|LOW # Malwares younger than 3 years.
securiteinfoandroid.hdb|LOW # Malwares Java/Android Dalvik
securiteinfoascii.hdb|LOW # Text file malwares (Perl or shell scripts, bat files, exploits, ...)
securiteinfohtml.hdb|LOW # Malwares HTML
securiteinfoold.hdb|LOW # Malwares older than 3 years.
securiteinfopdf.hdb|LOW # Malwares PDF
# HIGH
spam_marketing.ndb|HIGH # Spam Marketing / spammer blacklist
) #END SECURITEINFO DATABASES
# SECURITEINFO PREMIUM (NON-FREE) DATABASES
# Presumably only fetched when securiteinfo_premium is set to yes above -- confirm against the script.
declare -a securiteinfo_premium_dbs=( #START SECURITEINFO PREMIUM DATABASES
securiteinfo.mdb|LOW # 0-day Malwares
securiteinfo0hour.hdb|LOW # 0-Hour Malwares
) #END SECURITEINFO PREMIUM DATABASES
# ========================
# LinuxMalwareDetect Database(s)
# ========================
# Entries are file.name|RATING; see the eXtremeSHOK Database format section above.
# Add or remove database file names between the parentheses as needed. To
# disable any LinuxMalwareDetect database downloads, remove the appropriate
# lines below.
declare -a linuxmalwaredetect_dbs=(
### Linux Malware Detect https://www.rfxn.com/projects/linux-malware-detect/
# LOW
rfxn.ndb|LOW # HEX Malware detection signatures
rfxn.hdb|LOW # MD5 Malware detection signatures
rfxn.yara|LOW # Yara Malware detection signatures (requires ClamAV 0.100 or newer, as noted for the other yara files)
) #END LINUXMALWAREDETECT DATABASES
# ========================
# interServer Database(s)
# ========================
# Entries are file.name|RATING; see the eXtremeSHOK Database format section above.
# Add or remove database file names between the parentheses as needed. To
# disable any interServer database downloads, remove the appropriate
# lines below.
declare -a interserver_dbs=(
## REQUIRED, Do NOT disable
whitelist.fp|REQUIRED # found to be false positive malware
# LOW
interserver256.hdb|LOW # 100% known malware sha256 format
# MEDIUM
interservertopline.db|MEDIUM # inserts into files, manual cleaning HEX
# HIGH
shell.ldb|HIGH # 99.9% known malware using logical signatures
) #END INTERSERVER DATABASES
# ========================
# Malware Expert Database(s)
# ========================
# Entries are file.name|RATING; see the eXtremeSHOK Database format section above.
# Requires malwareexpert_serial_key to be set (see the credentials section).
# Add or remove database file names between the parentheses as needed. To
# disable any Malware Expert database downloads, remove the appropriate
# lines below.
declare -a malwareexpert_dbs=(
## REQUIRED, Do NOT disable
malware.expert.fp|REQUIRED # found to be false positive malware
# LOW
malware.expert.hdb|LOW # static MD5 pattern for files
# MEDIUM
malware.expert.ldb|MEDIUM # uses multi-word search for malware in files
malware.expert.ndb|MEDIUM # Generic Hex pattern PHP malware, which can cause false positive alarms
) #END Malware Expert DATABASES
# ========================
# urlhaus Database(s)
# ========================
# Entries are file.name|RATING; see the eXtremeSHOK Database format section above.
# Add or remove database file names between the parentheses as needed. To
# disable any urlhaus database downloads, remove the appropriate
# lines below.
declare -a urlhaus_dbs=(
### urlhaus https://urlhaus.abuse.ch/browse/
# LOW
urlhaus.ndb|LOW # malicious URLs that are being used for malware distribution
) #END URLHAUS DATABASES
# ========================
# Yara Rules Project Database(s)
# ========================
# Entries are subdir/file.yar|RATING; see the eXtremeSHOK Database format section above.
# Add or remove database file names between the parentheses as needed. To
# disable any Yara Rule database downloads, remove the appropriate
# lines below.
# NOTE(review): the comments below refer to rxfn.yara; this presumably means
# rfxn.yara from the Linux Malware Detect list above.
declare -a yararulesproject_dbs=(
### Yara Rules https://github.com/Yara-Rules/rules
#
# Some rules are now in sub-directories. To reference a file in a sub-directory
# use subdir/file
# LOW
# Anti debug and anti virtualization techniques used by malware
antidebug_antivm/antidebug_antivm.yar|DISABLED # (core dumped)
# Aimed toward the detection and existence of Exploit Kits.
exploit_kits/EK_Angler.yar|DISABLED # duplicated in rxfn.yara
exploit_kits/EK_Blackhole.yar|DISABLED # duplicated in rxfn.yara
exploit_kits/EK_BleedingLife.yar|LOW # duplicated in rxfn.yara -- NOTE(review): rated LOW while every other duplicated sibling is DISABLED; confirm this is intended
exploit_kits/EK_Crimepack.yar|DISABLED # duplicated in rxfn.yara
exploit_kits/EK_Eleonore.yar|DISABLED # duplicated in rxfn.yara
exploit_kits/EK_Fragus.yar|DISABLED # duplicated in rxfn.yara
exploit_kits/EK_Phoenix.yar|DISABLED # duplicated in rxfn.yara
exploit_kits/EK_Sakura.yar|DISABLED # duplicated in rxfn.yara
exploit_kits/EK_ZeroAcces.yar|DISABLED # duplicated in rxfn.yara
exploit_kits/EK_Zerox88.yar|DISABLED # duplicated in rxfn.yara
exploit_kits/EK_Zeus.yar|DISABLED # duplicated in rxfn.yara
# Identification of well-known webshells
webshells/WShell_APT_Laudanum.yar|DISABLED # duplicated in rxfn.yara
webshells/WShell_ASPXSpy.yar|LOW
webshells/WShell_Drupalgeddon2_icos.yar|LOW
webshells/WShell_PHP_Anuna.yar|DISABLED # duplicated in rxfn.yara
webshells/WShell_PHP_in_images.yar|DISABLED # duplicated in rxfn.yara
webshells/WShell_THOR_Webshells.yar|DISABLED # duplicated in rxfn.yara
webshells/Wshell_ChineseSpam.yar|DISABLED # duplicated in rxfn.yara
webshells/Wshell_fire2013.yar|DISABLED # duplicated in rxfn.yara
# MEDIUM
# Identification of specific Common Vulnerabilities and Exposures (CVEs)
cve_rules/CVE-2010-0805.yar|MEDIUM
cve_rules/CVE-2010-0887.yar|MEDIUM
cve_rules/CVE-2010-1297.yar|MEDIUM
cve_rules/CVE-2012-0158.yar|MEDIUM
cve_rules/CVE-2013-0074.yar|MEDIUM
cve_rules/CVE-2013-0422.yar|MEDIUM
cve_rules/CVE-2015-1701.yar|MEDIUM
cve_rules/CVE-2015-2426.yar|MEDIUM
cve_rules/CVE-2015-2545.yar|MEDIUM
cve_rules/CVE-2015-5119.yar|MEDIUM
cve_rules/CVE-2016-5195.yar|MEDIUM
cve_rules/CVE-2017-11882.yar|MEDIUM
cve_rules/CVE-2018-20250.yar|MEDIUM
cve_rules/CVE-2018-4878.yar|MEDIUM
# Identification of malicious e-mails.
email/bank_rule.yar|MEDIUM
email/EMAIL_Cryptowall.yar|MEDIUM
email/Email_fake_it_maintenance_bulletin.yar|MEDIUM
email/Email_quota_limit_warning.yar|MEDIUM
email/email_Ukraine_BE_powerattack.yar|MEDIUM
email/scam.yar|MEDIUM
# Detect well-known software packers, that can be used by malware to hide itself.
packers/JJencode.yar|DISABLED # Causes high CPU load with email attachments (images) https://github.com/extremeshok/clamav-unofficial-sigs/issues/362
# HIGH
# Used with documents to find if they have been crafted to leverage malicious code.
email/Email_generic_phishing.yar|HIGH
maldocs/Maldoc_APT_OLE_JSRat.yar|HIGH
maldocs/Maldoc_APT10_MenuPass.yar|HIGH
maldocs/Maldoc_APT19_CVE-2017-0199.yar|HIGH
maldocs/Maldoc_Contains_VBE_File.yar|HIGH
maldocs/Maldoc_CVE_2017_11882.yar|HIGH
maldocs/Maldoc_CVE_2017_8759.yar|HIGH
maldocs/Maldoc_CVE-2017-0199.yar|HIGH
maldocs/Maldoc_DDE.yar|HIGH
maldocs/Maldoc_Dridex.yar|HIGH
maldocs/Maldoc_hancitor_dropper.yar|HIGH
maldocs/Maldoc_Hidden_PE_file.yar|HIGH
maldocs/Maldoc_malrtf_ole2link.yar|HIGH
maldocs/Maldoc_MIME_ActiveMime_b64.yar|HIGH
maldocs/Maldoc_PDF.yar|HIGH
maldocs/Maldoc_PowerPointMouse.yar|HIGH
maldocs/maldoc_somerules.yar|HIGH
maldocs/Maldoc_Suspicious_OLE_target.yar|HIGH
maldocs/Maldoc_UserForm.yar|HIGH
maldocs/Maldoc_VBA_macro_code.yar|HIGH
maldocs/Maldoc_Word_2007_XML_Flat_OPC.yar|HIGH
# Yara Rules aimed to detect well-known software packers, that can be used by malware to hide itself.
packers/Javascript_exploit_and_obfuscation.yar|HIGH
# DISABLED
# NOT SUPPORTED OR CRASHING CLAMAV
email/attachment.yar|DISABLED # detects all emails with attachments
email/image.yar|DISABLED # detects all emails with images
email/urls.yar|DISABLED # detects all emails with urls
crypto/crypto_signatures.yar|DISABLED # detects all files which are encrypted
# These files use module includes not supported by ClamAV
packers/packer_compiler_signatures.yar|DISABLED
packers/packer.yar|DISABLED
packers/peid.yar|DISABLED
antidebug_antivm|DISABLED # presumably a directory-level entry; the file under it is already DISABLED above -- confirm
) #END yararulesproject DATABASES
# Rating per rule sub-directory; presumably applied to files not listed individually above -- confirm.
# The spelling of this variable name is kept as-is because the script reads it.
declare -a yararulesproject_dbs_catagories=(
#LOW
cve_rules|LOW
exploit_kits|LOW
malware|LOW
webshells|LOW
#MEDIUM
email|MEDIUM
maldocs|MEDIUM
# HIGH
capabilities|HIGH
crypto|HIGH
packers|HIGH
)
# =========================
# Additional signature databases
# =========================
# Additional signature databases can be specified here in the following
# format: PROTOCOL://URL-or-IP/PATH/TO/FILE-NAME (use a trailing "/" in
# place of the "FILE-NAME" to download all files from specified location,
# but this *ONLY* works for files downloaded via rsync). For non-rsync
# downloads, wget or curl is used. For download protocols supported by
# wget and curl, see "man wget" and "man curl".
# This also works well for locations that have many ClamAV
# servers that use 3rd party signature databases, as only one server need
# download the remote databases, and all others can update from the local
# mirrors copy. See format examples below. To use, remove the comments
# and examples shown and add your own sites between the parentheses.
# Plain http:// and ftp:// sources provide no transport integrity for
# signatures that clamd will load; prefer https:// or an rsync mirror you control.
#declare -a additional_dbs=(
# rsync://192.168.1.50/new-db/sigs.hdb
# rsync://rsync.example.com/all-dbs/
# ftp://ftp.example.net/pub/sigs.ndb
# http://www.example.org/sigs.ldb
#) #END ADDITIONAL DATABASES
# ==================================================
# ==================================================
# D E B U G O P T I O N S
# ==================================================
# ==================================================
# Debug switches (yes/no strings); verbose output may include download URLs,
# so review logs before sharing them.
# Enable debugging, will cause all options below to enable
debug="no"
# Causes the xshok_file_download function to be verbose, used for debugging
downloader_debug="no"
# Causes clamscan signature test errors to be verbose
clamscan_debug="no"
# Causes curl errors to be verbose
curl_debug="no"
# Causes wget errors to be verbose
wget_debug="no"
# Causes rsync errors to be verbose
rsync_debug="no"
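# ==================================================
# ==================================================
# A D V A N C E D O P T I O N S
# ==================================================
# ==================================================
# Self-update, scheduling, tool paths, transport security and timeout settings.
# Branch for update checking, default: master
git_branch="master"
# Enable support for script and master.conf upgrades
# enables the --upgrade command line option
# packagers, if required please disable or set this option to no in the os.conf
allow_upgrades="yes"
# Enable support for script and master.conf update checks
# packagers, if required please disable or set this option to no in the os.conf
allow_update_checks="yes"
# How often the script should check for updates
# (the value and the comment are separated by a space; without it a plain
# shell source reads the comment text as part of the assignment)
update_check_hours="12" # Default is 12 hours (2 checks daily).
# Enable or disable download time randomization. This allows the script to
# be executed via cron, but the actual database file checking will pause
# for a random number of seconds between the "min" and "max" time settings
# specified below. This helps to more evenly distribute load on the host
# download sites. To disable, set the following variable to "no".
enable_random="yes"
# Enable to prevent issues with multiple instances running
# To disable, set the following variable to "no".
enable_locking="yes"
# If download time randomization is enabled above (enable_random="yes"),
# then set the min and max randomization time intervals (in seconds).
max_sleep_time="600" # Default maximum is 600 seconds (10 minutes).
min_sleep_time="60" # Default minimum is 60 seconds (1 minute).
# Command to do a full clamd service stop/start
#clamd_restart_opt="service clamd restart"
# Custom Command Paths, these are detected with the which command when not set.
# Use absolute paths so a PATH change cannot swap in a different binary.
#clamscan_bin="/usr/bin/clamscan"
#curl_bin="/usr/bin/curl"
#gpg_bin="/usr/bin/gpg"
#rsync_bin="/usr/bin/rsync"
#tar_bin="/usr/bin/tar"
#uname_bin="/usr/bin/uname"
#wget_bin="/usr/bin/wget"
#dig_bin="/usr/bin/dig"
#host_bin="/usr/bin/host"
# force wget, by default curl is used when curl and wget are present.
force_wget="no"
# force host, by default dig is used when dig and host are present.
force_host="no"
# GnuPG / Signature verification
# To disable usage of gpg, set the following variable to "no".
# If gpg_bin cannot be found, enable_gpg will automatically disable
# NOTE(review): a missing gpg binary silently turns verification off; make
# sure gpg is installed wherever the integrity of the downloads matters.
enable_gpg="yes"
# If running clamd in "LocalSocket" mode (*NOT* in TCP/IP mode), and
# either "SOcket Cat" (socat) or the "IO::Socket::UNIX" perl module
# are installed on the system, and you want to report whether clamd
# is running or not, uncomment the "clamd_socket" variable below (you
# will be warned if neither socat nor IO::Socket::UNIX are found, but
# the script will still run). You will also need to set the correct
# path to your clamd socket file (if unsure of the path, check the
# "LocalSocket" setting in your clamd.conf file for socket location).
#clamd_socket="/tmp/clamd.socket"
# Set rsync connection and data transfer timeout limits in seconds.
# The default settings here are reasonable, only change if you are
# experiencing timeout issues.
rsync_connect_timeout="60"
rsync_max_time="180"
# HTTPS validation
# Uncomment to allow and ignore SSL errors leading to insecure transfers.
# With certificate errors ignored, anyone on the network path can serve
# altered signature files; fix the CA bundle or clock instead of enabling this.
# downloader_ignore_ssl_errors="yes" # Default is "no"
# Set downloader connection, data transfer timeout limits in seconds.
# The default settings here are reasonable, only change if you are
# experiencing timeout issues.
downloader_connect_timeout="60"
downloader_max_time="1800"
# Set downloader retry count for failed transfers
downloader_tries="5"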
# Set working directory paths (edit to meet your own needs). If these
# directories do not exist, the script will attempt to create them.
# Always located inside the work_dir, do not add /
# Sub-directory names:
add_dir="dbs-add" # User defined databases sub-directory
gpg_dir="gpg-key" # Sanesecurity GPG Key sub-directory
interserver_dir="dbs-is" # interServer sub-directory
linuxmalwaredetect_dir="dbs-lmd" # Linux Malware Detect sub-directory
malwareexpert_dir="dbs-me" # Malware Expert sub-directory
malwarepatrol_dir="dbs-mbl" # MalwarePatrol sub-directory
pid_dir="pid" # User defined pid sub-directory
sanesecurity_dir="dbs-ss" # Sanesecurity sub-directory
securiteinfo_dir="dbs-si" # SecuriteInfo sub-directory
urlhaus_dir="dbs-uh" # urlhaus sub-directory
work_dir_configs="configs" # Script configs sub-directory
yararulesproject_dir="dbs-yara" # Yara-Rules sub-directory
# If you would like to make a backup copy of the current running database
# file before updating, leave the following variable set to "yes" and a
# backup copy of the file will be created in the production directory
# with -bak appended to the file name.
keep_db_backup="no"
# When a database integrity has tested BAD, the failed database will be removed.
remove_bad_database="yes"
# When a database is disabled we will remove the associated database files.
remove_disabled_databases="yes" # Default is "yes"
# Enable SELinux fixes, ie. running restorecon on the database files.
# **Run the following command as root to enable clamav selinux support**
# setsebool -P antivirus_can_scan_system true
#
selinux_fixes="no" # Default is "no" ignore ssl errors and warnings
# Proxy Support
# If necessary to proxy database downloads, define the rsync, curl, wget, dig, hosr proxy settings here.
#rsync_proxy="username:password@proxy_host:proxy_port"
# Define rsync to use netcat for socks tunnel
#rsync_connect_prog="nc -X 5 -x socksproxy_host:socksproxy_port %H 873"
#curl_proxy="--proxy http://username:password@proxy_host:proxy_port"
#wget_proxy="-e http_proxy=http://username:password@proxy_host:proxy_port -e https_proxy=https://username:password@proxy_host:proxy_port"
#dig_proxy="@proxy_host -p proxy_host:proxy_port"
#host_proxy="@proxy_host" #does not support port
# Custom cron install settings. These values are detected and generated automatically
# when not set; define them only to override that detection (mainly intended to aid package maintainers).
#cron_bash="" #default: detected with the which command
#cron_dir="" #default: /etc/cron.d
#cron_filename="" #default: clamav-unofficial-sigs
#cron_minute="" #default: random value between 0-59
#cron_script_full_path="" #default: detected to the fullpath of the script
#cron_sudo="no" #default no, yes will append sudo -u before the username
#cron_user="" #default: uses the clam_user
# Custom logrotate install settings. These values are detected and generated automatically
# when not set; define them only to override that detection (mainly intended to aid package maintainers).
#logrotate_dir="" #default: /etc/logrotate.d
#logrotate_filename="" #default: clamav-unofficial-sigs
#logrotate_group="" #default: uses the clam_group
#logrotate_log_file_full_path="" #default: detected to the $log_file_path/$log_file_name
#logrotate_user="" #default: uses the clam_user
# Custom man install settings. These values are detected and generated automatically
# when not set; define them only to override that detection (mainly intended to aid package maintainers).
#man_dir="" #default: /usr/share/man/man8
#man_filename="" #default: clamav-unofficial-sigs.8
# Two variables are provided that package and port maintainers can use to
# prevent the script from removing itself with the '-r' flag when it was
# installed via a package manager such as yum, apt, pkg, etc.
# When they are set, the script instead tells the user how to uninstall the package.
#pkg_mgr="" #the package manager name
#pkg_rm="" #the package manager command to remove the script
# Custom full working directory paths. These values are derived automatically from work_dir
# when not set; define them only to override that derivation (mainly intended to aid package maintainers).
#work_dir_add="" #default: uses work_dir/add_dir
#work_dir_gpg="" #default: uses work_dir/gpg_dir
#work_dir_interserver="" #default: uses work_dir/interserver_dir
#work_dir_linuxmalwaredetect="" #default: uses work_dir/linuxmalwaredetect_dir
#work_dir_malwareexpert="" #default: uses work_dir/malwareexpert_dir
#work_dir_malwarepatrol="" #default: uses work_dir/malwarepatrol_dir
#work_dir_pid="" #default: uses work_dir/pid_dir
#work_dir_sanesecurity="" #default: uses work_dir/sanesecurity_dir
#work_dir_securiteinfo="" #default: uses work_dir/securiteinfo_dir
#work_dir_urlhaus="" #default: uses work_dir/urlhaus_dir
#work_dir_work_configs="" #default: uses work_dir/work_dir_configs
#work_dir_yararulesproject="" #default: uses work_dir/yararulesproject_dir
# ========================
# After you have completed the configuration of this file, set this value to "yes".
# NOTE(review): presumably the script refuses to run while this stays "no" — confirm against the script.
user_configuration_complete="no"
# ========================
# DO NOT EDIT !
# Database provider URLs. All HTTPS endpoints except sanesecurity_url, which
# is a bare rsync host: rsync gives no transport authentication, so trust in
# those files rests on verifying them against the key fetched from
# sanesecurity_gpg_url (kept under gpg_dir).
# NOTE(review): confirm the script enforces that signature check and does not
# fall back to unverified files.
interserver_url="https://sigs.interserver.net"
linuxmalwaredetect_sigpack_url="https://cdn.rfxn.com/downloads/maldet-sigpack.tgz"
linuxmalwaredetect_version_url="https://cdn.rfxn.com/downloads/maldet.sigs.ver"
malwareexpert_url="https://signatures.malware.expert"
malwarepatrol_url="https://lists.malwarepatrol.net/cgi/getfile"
sanesecurity_gpg_url="https://www.sanesecurity.com/publickey.gpg"
sanesecurity_url="rsync.sanesecurity.net"
securiteinfo_url="https://www.securiteinfo.com/get/signatures"
urlhaus_url="https://urlhaus.abuse.ch/downloads"
# NOTE(review): this points at the "master" branch rather than a tagged
# commit, so the rule content fetched is not pinned and can change between runs.
yararulesproject_url="https://raw.githubusercontent.com/Yara-Rules/rules/master"
# ========================
# DO NOT EDIT !
# Schema version of this configuration file.
# NOTE(review): presumably compared by the script to detect an out-of-date
# master.conf — confirm against the script.
config_version="97"
################################################################################
#
# DO NOT EDIT THIS FILE !! DO NOT EDIT THIS FILE !! DO NOT EDIT THIS FILE !!
#
################################################################################
# https://eXtremeSHOK.com ######################################################