
[Feature Request] ClamAV - Unofficial free signatures updates to improve the detection rate? #1162

Closed
opnsenseuser opened this issue Feb 2, 2019 · 21 comments
Labels
feature Adding new functionality

@opnsenseuser
Member

opnsenseuser commented Feb 2, 2019

Since ClamAV is not one of the best virus scanners, I have read that there are sources that provide regular updates with better signatures and thus would significantly improve the recognition rate of ClamAV.

I have collected a few links to the best of my knowledge and belief, which could perhaps improve OPNsense or the ClamAV virus protection. Maybe someone can take a closer look at the pages, if he has time, to guarantee that it could improve ClamAV reputably and in the long run. Unfortunately, I am not so well versed in the signatures of a virus scanner and cannot judge that well whether that would really pay off.

This is just an idea! What do you think?

https://sanesecurity.com/
https://malware.expert/signatures/

@fichtner fichtner added the feature Adding new functionality label Feb 3, 2019
@fichtner
Member

fichtner commented Feb 3, 2019

There's a package for these and we'd have to find a nice way to integrate/download them. Suffice to say some are free, but most are paid as well...

@opnsenseuser
Member Author

opnsenseuser commented Feb 3, 2019

This is the location for the free Sanesecurity signature file server:
http://ftp.swin.edu.au/sanesecurity/

I got this from this posting:
https://forum.netgate.com/topic/102819/alternate-definitions-for-clamav/10

@opnsenseuser
Member Author

And this is the download location from Malware Expert:
DatabaseCustomURL http://cdn.malware.expert/malware.expert.ndb
DatabaseCustomURL http://cdn.malware.expert/malware.expert.hdb
DatabaseCustomURL http://cdn.malware.expert/malware.expert.ldb
DatabaseCustomURL http://cdn.malware.expert/malware.expert.fp

Found here:
https://malware.expert/signatures/

@fabianfrz
Member

@fichtner The simplest way would be an (un)install button in the ClamAV plugin.

@opnsenseuser
Member Author

@fabianfrz I would test it immediately as soon as someone implements it.

@opnsenseuser
Member Author

@fichtner @fabianfrz Any news on this?

@fabianfrz
Member

No, I have not worked on it.

@mimugmail
Member

Regarding Sanesecurity, there's already a ticket open where some guy wanted to tweak the script in order to work with OPNsense. No response yet ...

@opnsenseuser
Member Author

@mimugmail
Wait a minute ... am I reading right or just dreaming?
Did you really do that now?

@mimugmail
Member

Seems to be fairly easy when you look at the PR ...

Tue Feb 12 15:43:55 2019 -> Received signal: wake up
Tue Feb 12 15:43:55 2019 -> ClamAV update process started at Tue Feb 12 15:43:55 2019
Tue Feb 12 15:43:55 2019 -> WARNING: Your ClamAV installation is OUTDATED!
Tue Feb 12 15:43:55 2019 -> WARNING: Local version: 0.100.2 Recommended version: 0.101.1
Tue Feb 12 15:43:55 2019 -> DON'T PANIC! Read https://www.clamav.net/documents/upgrading-clamav
Tue Feb 12 15:44:02 2019 -> malware.expert.ndb is up to date (version: custom database)
Tue Feb 12 15:44:36 2019 -> malware.expert.hdb is up to date (version: custom database)
Tue Feb 12 15:44:36 2019 -> malware.expert.ldb is up to date (version: custom database)
Tue Feb 12 15:44:43 2019 -> malware.expert.fp is up to date (version: custom database)
Tue Feb 12 15:45:44 2019 -> Downloading blurl.ndb [100%]
Tue Feb 12 15:45:45 2019 -> blurl.ndb updated (version: custom database, sigs: 17652)
Tue Feb 12 15:45:52 2019 -> Downloading jurlbla.ndb [100%]
Tue Feb 12 15:45:52 2019 -> jurlbla.ndb updated (version: custom database, sigs: 1691)
Tue Feb 12 15:45:54 2019 -> Downloading bofhland_phishing_URL.ndb [100%]
Tue Feb 12 15:45:54 2019 -> bofhland_phishing_URL.ndb updated (version: custom database, sigs: 137)
Tue Feb 12 15:45:56 2019 -> Downloading bofhland_malware_attach.hdb [100%]
Tue Feb 12 15:45:56 2019 -> bofhland_malware_attach.hdb updated (version: custom database, sigs: 1835)
Tue Feb 12 15:45:57 2019 -> Downloading bofhland_malware_URL.ndb [100%]
Tue Feb 12 15:45:57 2019 -> bofhland_malware_URL.ndb updated (version: custom database, sigs: 40)
Tue Feb 12 15:45:58 2019 -> Downloading bofhland_cracked_URL.ndb [100%]
Tue Feb 12 15:45:58 2019 -> bofhland_cracked_URL.ndb updated (version: custom database, sigs: 38)
Tue Feb 12 15:45:58 2019 -> main.cvd is up to date (version: 58, sigs: 4566249, f-level: 60, builder: sigmgr)
Tue Feb 12 15:45:58 2019 -> daily.cld is up to date (version: 25358, sigs: 2245939, f-level: 63, builder: raynman)
Tue Feb 12 15:45:58 2019 -> bytecode.cld is up to date (version: 328, sigs: 94, f-level: 63, builder: neo)
Tue Feb 12 15:46:06 2019 -> Database updated (6833675 signatures) from database.clamav.net
Tue Feb 12 15:46:06 2019 -> Clamd successfully notified about the update.
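Once third-party feeds are wired into freshclam, the operational question is whether they actually keep refreshing, which is something the log above answers only if someone reads it. The following is an added example, not code from OPNsense or from the ClamAV project: a small parser for freshclam log lines in the format quoted above, plus an audit step that flags an outdated engine warning and any expected third-party database (the names are taken from this thread) that never appears in a run. The sample log embedded in the script is constructed from the quoted output, shortened; the set of "official" database names (`main`, `daily`, `bytecode`) and the attribute layout `(version: ..., sigs: N)` are assumptions based on that output.

```python
import re
from datetime import datetime

# Constructed sample, modelled on the freshclam output quoted in this thread
SAMPLE_LOG = """\
Tue Feb 12 15:43:55 2019 -> ClamAV update process started at Tue Feb 12 15:43:55 2019
Tue Feb 12 15:43:55 2019 -> WARNING: Your ClamAV installation is OUTDATED!
Tue Feb 12 15:43:55 2019 -> WARNING: Local version: 0.100.2 Recommended version: 0.101.1
Tue Feb 12 15:44:02 2019 -> malware.expert.ndb is up to date (version: custom database)
Tue Feb 12 15:45:44 2019 -> Downloading blurl.ndb [100%]
Tue Feb 12 15:45:45 2019 -> blurl.ndb updated (version: custom database, sigs: 17652)
Tue Feb 12 15:45:52 2019 -> jurlbla.ndb updated (version: custom database, sigs: 1691)
Tue Feb 12 15:45:58 2019 -> main.cvd is up to date (version: 58, sigs: 4566249, f-level: 60, builder: sigmgr)
Tue Feb 12 15:45:58 2019 -> daily.cld is up to date (version: 25358, sigs: 2245939, f-level: 63, builder: raynman)
Tue Feb 12 15:46:06 2019 -> Database updated (6833675 signatures) from database.clamav.net
"""

# Databases shipped by ClamAV itself (assumption); anything else is a third-party feed
OFFICIAL_DBS = {"main", "daily", "bytecode"}

# "<ctime-style timestamp> -> <message>"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) -> (?P<msg>.*)$"
)
# "<name>.<ext> updated (...)" or "<name>.<ext> is up to date (...)"
DB_RE = re.compile(
    r"^(?P<db>[\w.-]+\.(?:cvd|cld|ndb|hdb|ldb|fp|ign2)) "
    r"(?P<state>updated|is up to date) \((?P<attrs>[^)]*)\)$"
)
TOTAL_RE = re.compile(r"^Database updated \((?P<n>\d+) signatures\) from (?P<host>\S+)$")


def parse_freshclam_log(text):
    """Summarise one freshclam run: per-database status, warnings, total signature count."""
    report = {"databases": {}, "warnings": [], "total_sigs": None, "source": None}
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # not a freshclam log line
        ts = datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S %Y")
        msg = m.group("msg")
        if msg.startswith("WARNING:"):
            report["warnings"].append(msg[len("WARNING:"):].strip())
            continue
        d = DB_RE.match(msg)
        if d:
            name = d.group("db")
            base = name.rsplit(".", 1)[0]          # "main.cvd" -> "main"
            sigs = re.search(r"sigs: (\d+)", d.group("attrs"))
            report["databases"][name] = {
                "updated": d.group("state") == "updated",
                "sigs": int(sigs.group(1)) if sigs else None,  # custom DBs may omit it
                "official": base in OFFICIAL_DBS,
                "time": ts,
            }
            continue
        t = TOTAL_RE.match(msg)
        if t:
            report["total_sigs"] = int(t.group("n"))
            report["source"] = t.group("host")
    return report


def third_party_signature_count(report):
    """Signatures contributed by feeds that are not ClamAV's own databases."""
    return sum(info["sigs"] or 0
               for info in report["databases"].values() if not info["official"])


def audit(report, expected_custom):
    """Findings a defender wants after each run: stale engine, silent feed, empty feed."""
    findings = []
    for w in report["warnings"]:
        if "OUTDATED" in w:
            findings.append("engine outdated: " + w)
    for db in sorted(expected_custom - set(report["databases"])):
        findings.append(f"expected third-party database {db} not mentioned in log")
    for name, info in report["databases"].items():
        if not info["official"] and info["sigs"] == 0:
            findings.append(f"third-party database {name} contains no signatures")
    return findings


if __name__ == "__main__":
    rep = parse_freshclam_log(SAMPLE_LOG)
    print("third-party signatures:", third_party_signature_count(rep))
    for f in audit(rep, {"malware.expert.ndb", "blurl.ndb", "jurlbla.ndb",
                         "bofhland_phishing_URL.ndb"}):
        print("FINDING:", f)
```

Feed it the real freshclam log instead of `SAMPLE_LOG` and run it from the same schedule as freshclam; the "not mentioned in log" finding is the one that catches a feed whose URL has silently changed or gone away, which is exactly the failure mode a hard-coded URL list (as discussed later in this thread) would hide.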

@opnsenseuser
Member Author

@mimugmail I had also already thought about whether I should try to implement the whole thing myself.
Now I do not need to think about it anymore, and it is certainly better implemented than if I had tried.
Thanks a lot. Great job, double double 👍

@opnsenseuser
Member Author

[image: screenshot]

@opnsenseuser
Member Author

@mimugmail Can't update the patch using

opnsense-patch 612f20c

Error:
fetch: https://github.com/opnsense/core/commit/612f20c.patch: Not Found

@fichtner
Member

fichtner commented Feb 14, 2019 via email

@opnsenseuser
Member Author

👍 Works :-)

@opnsenseuser
Member Author

Does this message have to do with the new signatures?

[image: screenshot of the warning message]

@opnsenseuser
Member Author

@mimugmail

I do not know if we need the settings, but here it is described what we should activate to ensure full functionality.

https://sanesecurity.com/support/signature-testing/

@opnsenseuser
Member Author

opnsenseuser commented Feb 14, 2019

What I would suggest is to be able to edit the URLs to the databases of the third-party signatures, so that everyone can always independently change the URLs or, if need be, correct them, or add their own signatures from other databases as an additional option.

@mimugmail
Member

Sounds very error-prone imho.

@opnsenseuser
Member Author

Ok.
And the signature warning message I posted above?
Is this related to the new signatures?

@opnsenseuser
Member Author

@mimugmail
I also did the three email tests without any luck.
https://sanesecurity.com/support/signature-testing/
