
security/clamav: add third party signatures#1184

Merged

fichtner merged 8 commits into opnsense:master from mimugmail:clamav on Feb 13, 2019

Conversation

@mimugmail (Member, Author)

Closes #1162

@opnsenseuser (Member)

double 👍 -> I think one of the best improvements!! Please, please merge!!!

@opnsenseuser (Member)

(image: grafik)

@fabianfrz fabianfrz left a comment

Looks OK, but it may be a good idea to add a note about the license if available.
Checkboxes can be required since they are always checked or unchecked.

@opnsenseuser (Member) commented Feb 12, 2019

On their pages, mailexpert and sanesecurity have described the instructions for the case of false positives and how to solve them. Do you think you can still build this into the current version?

Tutorial for false positives, mailexperts:

Whitelist specific signature
Create a file called local.ign2 or whitelist.ign2 in your ClamAV db directory. Add the signature names that you want whitelisted, one per line.

Example:
Malware.Expert.Generic.Eval.1

Whitelist files
Use the same name as the database in which the detection signatures exist. So if all signatures are in malware.expert.cld, the whitelisting file should be named malware.expert.fp and have this line (hash:size:random name) in the same dir as malware.expert.cld:

5523530941c409b349ef40fa9415247e:51204:Malware.Expert.Generic.Eval.1

Despite a BAD signature existing in malware.expert.cld, it will just IGNORE it.

See
https://malware.expert/signatures/

Tutorial for false positives, sanesecurity:

Locally whitelisting a false positive

While you wait for the false positive to be fixed, you can create your own local whitelist:

Example 1: Pdf.Exploit.CVE_2016_1091-2 is causing issues

echo "Pdf.Exploit.CVE_2016_1091-2" >> local_whitelist.ign2
Place into your clamav database folder and then restart clamd.

Example 2: Sanesecurity.Spam.10154.UNOFFICIAL is causing issues

echo "Sanesecurity.Spam.10154" >> local_whitelist.ign2
Place into your clamav database folder and then restart clamd.

See
https://sanesecurity.com/support/false-positives/
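The two tutorials quoted above boil down to two file formats in the ClamAV database directory: a .ign2 file holding bare signature names (one per line, without the ".UNOFFICIAL" suffix clamd adds to third-party detections) and a .fp file holding MD5:size:name lines that whitelist one specific file. The following is an added example for this thread, not code from the OPNsense clamav plugin or from the Sanesecurity / malware.expert pages; the function names, the default database path /var/db/clamav and the signature-name character check are this example's own assumptions.

```python
"""Helpers for locally whitelisting ClamAV false positives.

Added example for this PR thread; not code from the OPNsense clamav plugin
or from the Sanesecurity / malware.expert pages. Function names and the
checks below are this example's own choices.
"""
import hashlib
import os
import re

# ClamAV loads every database file it finds in this directory.
# Assumption: the default database path on an OPNsense box; adjust as needed.
DEFAULT_DB_DIR = "/var/db/clamav"

# Conservative character set for a signature name (assumption). Anything
# outside it is refused rather than written into a file clamd parses on
# every reload, so a pasted "name" cannot smuggle junk into the database.
_SIGNAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_.\-]*$")


def normalize_signame(reported: str) -> str:
    """Turn the name clamd reports into the name an .ign2 line needs.

    Third-party databases are loaded with an ".UNOFFICIAL" suffix on every
    detection (e.g. "Sanesecurity.Spam.10154.UNOFFICIAL"); the whitelist
    entry is the bare name, as in the Sanesecurity instructions above.
    A trailing " FOUND" pasted from clamscan/clamdscan output is dropped too.
    """
    name = reported.strip()
    if name.endswith(" FOUND"):
        name = name[: -len(" FOUND")].strip()
    if name.endswith(".UNOFFICIAL"):
        name = name[: -len(".UNOFFICIAL")]
    if not _SIGNAME_RE.match(name):
        raise ValueError(f"refusing suspicious signature name: {reported!r}")
    return name


def fp_entry_for_bytes(data: bytes, signame: str) -> str:
    """Build one .fp line (MD5:size:name) that whitelists exactly this file.

    No spaces around the colons: ClamAV splits the line on ':' and checks
    the hash field's length, so padding would make the line invalid.
    """
    digest = hashlib.md5(data).hexdigest()
    return f"{digest}:{len(data)}:{normalize_signame(signame)}"


def fp_entry_for_file(path: str, signame: str) -> str:
    """Same as fp_entry_for_bytes, but for a file on disk."""
    with open(path, "rb") as fh:
        return fp_entry_for_bytes(fh.read(), signame)


def add_ign2(signame: str, db_dir: str = DEFAULT_DB_DIR,
             filename: str = "local_whitelist.ign2") -> bool:
    """Append a signature name to the .ign2 whitelist; return False if present.

    Reads the existing file first so repeated runs (or two admins fixing the
    same FP) do not pile up duplicate lines. The caller still has to restart
    or reload clamd, as both tutorials say.
    """
    name = normalize_signame(signame)
    path = os.path.join(db_dir, filename)
    existing = set()
    if os.path.exists(path):
        with open(path, "r", encoding="utf-8") as fh:
            existing = {line.strip() for line in fh if line.strip()}
    if name in existing:
        return False
    with open(path, "a", encoding="utf-8") as fh:
        fh.write(name + "\n")
    return True


if __name__ == "__main__":
    import tempfile

    # Constructed sample: a harmless stand-in for a file clamd flagged.
    sample = b"%PDF-1.4\n% constructed sample, not real malware\n"
    with tempfile.TemporaryDirectory() as db:
        print(add_ign2("Sanesecurity.Spam.10154.UNOFFICIAL", db))
        print(add_ign2("Sanesecurity.Spam.10154", db))
        print(fp_entry_for_bytes(sample, "Pdf.Exploit.CVE_2016_1091-2"))
```

For the .fp route, remember the malware.expert note above: the output line goes into a file named after the database the signature lives in (malware.expert.fp next to malware.expert.cld); this example only produces the line. Both files are plain text, so they survive signature updates, which is why the tutorials recommend them over editing the downloaded databases.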

@opnsenseuser (Member)

Let's make it perfect 🥇

@opnsenseuser (Member)

Mailexperts and sanesecurity use the same two files for whitelisting. The files have to be created in the clamav database folder.

@opnsenseuser (Member)

It would be best to have a selection box where the user could simply add the selected false positives via an "add to whitelist" button. That would make it perfect. Even pfSense does not have this feature in ClamAV.

@mimugmail (Member, Author)

You mean a checkbox? This would mean all content of a file has to be loaded into the model to allow this. I'd not recommend this, as the hoster of such a file could easily crash your config.xml when adding some megabytes of data.

@opnsenseuser (Member)

@mimugmail what would you suggest?

@mimugmail (Member, Author)

Merge to master, keep in dev, see how many FPs are coming. Then we'll see if it's worth the work to add an ignore for each file.

@opnsenseuser (Member)

Ok 👍

@fabianfrz fabianfrz requested a review from fichtner February 12, 2019 21:20
@fichtner fichtner self-assigned this Feb 12, 2019

1.0

* Initial release
Member
zap

fichtner and others added 3 commits February 13, 2019 08:30
Co-Authored-By: mimugmail <m.muenz@gmail.com>
Co-Authored-By: mimugmail <m.muenz@gmail.com>
@fichtner fichtner merged commit 612f20c into opnsense:master Feb 13, 2019
@mimugmail (Member, Author)

Done, no idea why I always write persistent wrong :)

@fichtner (Member)

Merged, thanks!

@fichtner (Member)

It's a persistent issue for sure. :D

@opnsenseuser (Member)

Just for your information! (Forum topic: tests)
https://forum.opnsense.org/index.php?topic=11629
