Obsolete Releases > SME 8.x Contribs
Ransomware/CTB-Locker ClamAV signature
guest22:
--- Quote from: Stefano on February 24, 2015, 03:07:29 PM ---yes.. sorry for the delay
you have to manually edit .conf file in /etc/clamav-unofficial-sigs (IIRC)
--- End quote ---
I think you are right. The RPM is being installed, but you have to incorporate various things into the config file to make the new data effective. That's all I could see.
Stefano:
ok..
first of all let's create a copy of the original .conf file
--- Code: ---cd /etc/clamav-unofficial-sigs
cp clamav-unofficial-sigs.conf clamav-unofficial-sigs.orig
--- End code ---
in the same directory, create a clamav-unofficial-sigs.conf.patch file with:
--- Code: ---nano clamav-unofficial-sigs.conf.patch
--- End code ---
and fill it with the following content:
--- Code: ---diff -Nur old/clamav-unofficial-sigs.conf new/clamav-unofficial-sigs.conf
--- old/clamav-unofficial-sigs.conf 2015-02-24 15:32:56.182269840 +0100
+++ new/clamav-unofficial-sigs.conf 2015-02-24 15:33:06.193721634 +0100
@@ -37,15 +37,15 @@
# Set the appropriate ClamD user and group accounts for your system.
# If you do not want the script to set user and group permissions on
# files and directories, comment the next two variables.
-clam_user="clam"
-clam_group="clam"
+clam_user="clamav"
+clam_group="clamav"
# Set path to ClamAV database files location. If unsure, check
# your clamd.conf file for the "DatabaseDirectory" path setting.
-clam_dbs="/var/lib/clamav"
+clam_dbs="/var/clamav"
# Set path to clamd.pid file (see clamd.conf for path location).
-clamd_pid="/var/run/clamav/clamd.pid"
+#clamd_pid="/var/run/clamav/clamd.pid"
# To enable "ham" (non-spam) directory scanning and removal of
# signatures that trigger on ham messages, uncomment the following
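Review bot: the `-clamd_pid=` / `+#clamd_pid=` pair disables the only hint the script has about whether clamd is alive, which matters if the "restart ClamD if detected not running" option further down is ever enabled; if SME's clamd writes its pid somewhere other than /var/run/clamav/clamd.pid, point the variable at that path rather than commenting it out, and if it genuinely has no pid file say so in a comment. The new clam_user, clam_group and clam_dbs values are SME-specific and the hunk gives no evidence they were checked; as the config comment in the hunk says, confirm them against the User and DatabaseDirectory lines of clamd.conf before applying, because a wrong clam_dbs leaves the unofficial databases in a directory clamd never loads. Also, the header claims 15 lines of context but fewer are visible, so blank lines were probably lost in transcription and `patch` may reject this hunk; anyone copying it should look for a .rej file.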
@@ -54,7 +54,7 @@
# If you would like to reload the clamd databases after an update,
# change the following variable to "yes".
-reload_dbs="no"
+reload_dbs="yes"
# Set the reload or restart option if the "reload_dbs" variable above
# is set to "yes" (only select 'ONE' of the following variables or the
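Review bot: `+reload_dbs="yes"` only works if exactly one of the reload/restart variables the comment below refers to is uncommented (the comment says the script exits otherwise), and the patch does not touch those lines, so the result depends on whatever the RPM shipped as default. Either name the option SME should use in the post or include that line in the diff.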
@@ -76,7 +76,7 @@
# the script will still run). You will also need to set the correct
# path to your clamd socket file (if unsure of the path, check the
# "LocalSocket" setting in your clamd.conf file for socket location).
-#clamd_socket="/var/run/clamd.socket"
+clamd_socket="/var/clamav/clamd.socket"
# If you would like to attempt to restart ClamD if detected not running,
# uncomment the next 2 lines. Confirm the path to the "clamd_lock" file
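Review bot: `+clamd_socket="/var/clamav/clamd.socket"` hard-codes a path without the check the comment directly above asks for; confirm it is the LocalSocket value in SME's clamd.conf and that the clam_user account can reach that socket, otherwise the reload enabled earlier in the patch fails. Leaving the "restart ClamD if detected not running" lines commented is consistent with having disabled clamd_pid, but that trade-off is worth stating in the post.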
--- End code ---
save and exit, then
--- Code: ---cd /etc/clamav-unofficial-sigs
patch clamav-unofficial-sigs.conf clamav-unofficial-sigs.conf.patch
--- End code ---
done :)
I tested the patch a bit, and it's working for me.. YMMV
take a look in the /var/log/clamav-unofficial-sigs dir to check that everything is working fine
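The config comments in the patch above say to take the database directory and socket path from clamd.conf by hand. The script below, an added example that is not from the post or from the clamav-unofficial-sigs project, does that comparison mechanically for the values the patch changes. It assumes the reload/restart variables are named clamd_reload_opt and clamd_restart_opt (the thread does not show those lines) and that clamd.conf names its account in a User line; the clamd.conf and config samples are constructed, with paths copied from the patch.

```python
"""Cross-check clamav-unofficial-sigs.conf against clamd.conf.

Added example (not the post's or the project's code). Assumed names:
clamd_reload_opt / clamd_restart_opt for the reload/restart options,
and a 'User' line in clamd.conf for the clamd account.
"""
import re

# Constructed clamd.conf sample; the paths are the ones the patch uses.
CLAMD_CONF = """\
# clamd.conf (constructed sample, not the real SME file)
LogFile /var/log/clamav/clamd.log
DatabaseDirectory /var/clamav
LocalSocket /var/clamav/clamd.socket
User clamav
"""

# Constructed unofficial-sigs config with the stock values the patch removes.
SIGS_CONF_ORIG = """\
clam_user="clam"
clam_group="clam"
clam_dbs="/var/lib/clamav"
clamd_pid="/var/run/clamav/clamd.pid"
reload_dbs="no"
clamd_reload_opt="clamdscan --reload"   # assumed variable name
#clamd_restart_opt="service clamd restart"
#clamd_socket="/var/run/clamd.socket"
"""

# The same file after the patch from the thread has been applied.
SIGS_CONF_PATCHED = """\
clam_user="clamav"
clam_group="clamav"
clam_dbs="/var/clamav"
#clamd_pid="/var/run/clamav/clamd.pid"
reload_dbs="yes"
clamd_reload_opt="clamdscan --reload"   # assumed variable name
#clamd_restart_opt="service clamd restart"
clamd_socket="/var/clamav/clamd.socket"
"""

# A broken variant: reload and restart options uncommented at the same time.
SIGS_CONF_BOTH = SIGS_CONF_PATCHED.replace("#clamd_restart_opt", "clamd_restart_opt")

RELOAD_VARS = ("clamd_reload_opt", "clamd_restart_opt")  # assumed names


def parse_clamd_conf(text):
    """clamd.conf: one 'Keyword value' per line, '#' starts a comment."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        conf[key] = value.strip()
    return conf


_ASSIGN = re.compile(r'^([A-Za-z_][A-Za-z0-9_]*)="([^"]*)"')


def parse_sigs_conf(text):
    """The unofficial-sigs config is shell syntax: name="value".

    A commented-out assignment is not recorded, so a missing key means
    'unset', which is exactly how the script itself sees the file.
    """
    conf = {}
    for line in text.splitlines():
        m = _ASSIGN.match(line.strip())
        if m:
            conf[m.group(1)] = m.group(2)
    return conf


def check_sigs_conf(sigs, clamd):
    """Return the list of mismatches; an empty list means the files agree."""
    problems = []
    if sigs.get("clam_dbs") != clamd.get("DatabaseDirectory"):
        problems.append("clam_dbs=%r but DatabaseDirectory=%r"
                        % (sigs.get("clam_dbs"), clamd.get("DatabaseDirectory")))
    if sigs.get("clam_user") != clamd.get("User"):
        problems.append("clam_user=%r but clamd runs as User=%r"
                        % (sigs.get("clam_user"), clamd.get("User")))
    if sigs.get("reload_dbs") == "yes":
        # Reloading needs the socket clamd actually opens ...
        if sigs.get("clamd_socket") != clamd.get("LocalSocket"):
            problems.append("clamd_socket=%r but LocalSocket=%r"
                            % (sigs.get("clamd_socket"), clamd.get("LocalSocket")))
        # ... and exactly one reload/restart command (the config comment
        # says the script exits otherwise).
        chosen = [v for v in RELOAD_VARS if v in sigs]
        if len(chosen) != 1:
            problems.append("reload_dbs=yes but %d reload/restart options set: %s"
                            % (len(chosen), chosen or "none"))
    return problems


if __name__ == "__main__":
    clamd = parse_clamd_conf(CLAMD_CONF)
    for label, text in (("stock", SIGS_CONF_ORIG),
                        ("patched", SIGS_CONF_PATCHED),
                        ("both options", SIGS_CONF_BOTH)):
        print(label, check_sigs_conf(parse_sigs_conf(text), clamd) or "OK")
```

On a real box, read the two files from /etc/clamd.conf and /etc/clamav-unofficial-sigs/clamav-unofficial-sigs.conf instead of the inline samples; the stock sample reports the two mismatches the patch fixes, the patched one reports nothing, and the variant with both reload options set is flagged as the script itself would reject it.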
brianr:
--- Quote from: Knuddi on February 24, 2015, 02:58:46 PM ---@brianr,
Which other sources of signatures do you use?
--- End quote ---
No others (yet!)
swany:
I want to block all the listed file masks in mail attachments, so I added the following to /var/clamav/my_base.cdb:
--- Code: ---ScanMailX.Blocked.Attached_Files.CL_TYPE_MAIL.js:CL_TYPE_MAIL:*:(?i)\.js$:*:*:*:*:*:*
ScanMailX.Blocked.Attached_Files.CL_TYPE_MAIL.exe:CL_TYPE_MAIL:*:(?i)\.exe$:*:*:*:*:*:*
ScanMailX.Blocked.Attached_Files.CL_TYPE_MAIL.dll:CL_TYPE_MAIL:*:(?i)\.dll$:*:*:*:*:*:*
ScanMailX.Blocked.Attached_Files.CL_TYPE_MAIL.vbs:CL_TYPE_MAIL:*:(?i)\.vbs$:*:*:*:*:*:*
ScanMailX.Blocked.Attached_Files.CL_TYPE_MAIL.pif:CL_TYPE_MAIL:*:(?i)\.pif$:*:*:*:*:*:*
ScanMailX.Blocked.Attached_Files.CL_TYPE_MAIL.com:CL_TYPE_MAIL:*:(?i)\.com$:*:*:*:*:*:*
ScanMailX.Blocked.Attached_Files:*:*:\.(ade|adp|bat|chm|cmd|com|cpl|exe|hta|ins|isp|js|jse|lib|lnk|mde|msc|msp|mst|pif|scr|sct|shb|sys|vb|vbe|vbs)$:*:*:*:*:*:*
--- End code ---
If I send
АА file_name.js
it's BLOCKED.
But if I send
АА file_name.xlsx_ .js
it's OK.
АА - non-Unicode symbols
Can someone help me?
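To see what the .cdb rules above actually match, here is an added example (not the poster's code) that parses the container-metadata signature format into its named fields and runs each rule's filename regex against sample attachment names. It assumes Python's re module as a stand-in for ClamAV's own regex engine, and the attachment names are constructed test inputs, so it shows what the regexes themselves accept and does not explain why the poster's second message got through. It also includes a constructed rule with a stray trailing `|` in the alternation, a common typo in long lists like the catch-all rule, to show the empty alternative it creates.

```python
"""Evaluate ClamAV .cdb attachment rules against attachment names.

Added example, not the poster's code. Python's re module stands in for
ClamAV's regex engine (an assumption); the test names are constructed.
"""
import re
from collections import namedtuple

# Field layout of a .cdb (container metadata) signature line.
CDB_FIELDS = ("VirusName", "ContainerType", "ContainerSize", "FileNameREGEX",
              "FileSizeInContainer", "FileSizeReal", "IsEncrypted",
              "FilePos", "Res1", "Res2")
CdbSig = namedtuple("CdbSig", CDB_FIELDS)

# Three of the rules from the post: two per-extension mail rules and the
# catch-all list (raw string so the backslashes survive).
MY_BASE_CDB = r"""
ScanMailX.Blocked.Attached_Files.CL_TYPE_MAIL.js:CL_TYPE_MAIL:*:(?i)\.js$:*:*:*:*:*:*
ScanMailX.Blocked.Attached_Files.CL_TYPE_MAIL.exe:CL_TYPE_MAIL:*:(?i)\.exe$:*:*:*:*:*:*
ScanMailX.Blocked.Attached_Files:*:*:\.(ade|adp|bat|chm|cmd|com|cpl|exe|hta|ins|isp|js|jse|lib|lnk|mde|msc|msp|mst|pif|scr|sct|shb|sys|vb|vbe|vbs)$:*:*:*:*:*:*
"""

# Constructed rule with a stray trailing '|' inside the alternation: the
# empty alternative makes '\.(...|)$' match any name ending in a bare dot.
STRAY_PIPE_CDB = r"""
Constructed.Stray_Pipe:*:*:\.(exe|js|)$:*:*:*:*:*:*
"""


def parse_cdb(text):
    """Split each non-comment line into the ten colon-separated fields.

    A regex containing ':' would need smarter splitting; none of the
    rules here does.
    """
    sigs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) != len(CDB_FIELDS):
            raise ValueError("expected %d fields, got %d: %s"
                             % (len(CDB_FIELDS), len(parts), line))
        sigs.append(CdbSig(*parts))
    return sigs


def matching_sigs(sigs, filename, container="CL_TYPE_MAIL"):
    """Names of the rules whose ContainerType and FileNameREGEX both match.

    '*' in ContainerType or FileNameREGEX means 'any', as in .cdb files.
    """
    hits = []
    for s in sigs:
        if s.ContainerType not in ("*", container):
            continue
        if s.FileNameREGEX == "*" or re.search(s.FileNameREGEX, filename):
            hits.append(s.VirusName)
    return hits


if __name__ == "__main__":
    rules = parse_cdb(MY_BASE_CDB)
    # Constructed names mirroring the two attachments in the post, plus
    # a harmless one and an upper-case extension.
    for name in ("АА file_name.js", "АА file_name.xlsx_ .js",
                 "report.docx", "FOO.JS"):
        print(repr(name), "->", matching_sigs(rules, name) or "not blocked")
    print("'notes.' with stray pipe ->",
          matching_sigs(parse_cdb(STRAY_PIPE_CDB), "notes."))
```

Two things fall out of running it: both names from the post match the same two rules, so the regexes alone do not account for the difference the poster saw; and the catch-all rule has no `(?i)`, so `FOO.JS` is caught only by the per-extension mail rule and would pass a non-mail container entirely.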
Daniel B.:
Please open a new topic