Koozali.org: home of the SME Server

Anti Virus - Additional Signatures - HOW-TO still working?

Offline SchulzStefan

« on: February 01, 2016, 10:17:45 PM »
During the last few months we have seen a lot of emails with M$-office attachments (your invoice, blabla) from unknown, but well faked, senders. Online checking of these, e.g. *.docs, shows that viruses are embedded inside macros. So the idea is to install additional antivirus signatures to - hopefully - block the emails.

https://wiki.contribs.org/Virus:Additional_Signatures

It seems the HOW-TO is outdated. I tried to install it, but got a lot of errors:

# ./sanesecurity-install.sh
sanesecurity-install.sh v0.3.1-1 - getting latest version of clamav-unofficial-sigs ...
--2016-02-01 22:11:48--  http://sourceforge.net/projects/unofficial-sigs/files/latest/download?source=files
Auflösen des Hostnamen »sourceforge.net«.... 216.34.181.60
Verbindungsaufbau zu sourceforge.net|216.34.181.60|:80... verbunden.
HTTP Anforderung gesendet, warte auf Antwort... 302 Found
Platz: http://downloads.sourceforge.net/project/unofficial-sigs/clamav-unofficial-sigs-3.7.2.tar.gz?r=&ts=1454361109&use_mirror=netix[folge]
--2016-02-01 22:11:49--  http://downloads.sourceforge.net/project/unofficial-sigs/clamav-unofficial-sigs-3.7.2.tar.gz?r=&ts=1454361109&use_mirror=netix
Auflösen des Hostnamen »downloads.sourceforge.net«.... 216.34.181.59
Verbindungsaufbau zu downloads.sourceforge.net|216.34.181.59|:80... verbunden.
HTTP Anforderung gesendet, warte auf Antwort... 302 Found
Platz: http://netix.dl.sourceforge.net/project/unofficial-sigs/clamav-unofficial-sigs-3.7.2.tar.gz[folge]
--2016-02-01 22:11:49--  http://netix.dl.sourceforge.net/project/unofficial-sigs/clamav-unofficial-sigs-3.7.2.tar.gz
Auflösen des Hostnamen »netix.dl.sourceforge.net«.... 87.121.121.2
Verbindungsaufbau zu netix.dl.sourceforge.net|87.121.121.2|:80... verbunden.
HTTP Anforderung gesendet, warte auf Antwort... 200 OK
Länge: 38549 (38K) [application/x-gzip]
In »»/tmp/sanesecurity-install.sh.5181/clamav-unofficial-sigs.tar.gz«« speichern.

100%[======================================>] 38.549      --.-K/s   in 0,07s   

2016-02-01 22:11:49 (570 KB/s) - »»/tmp/sanesecurity-install.sh.5181/clamav-unofficial-sigs.tar.gz«« gespeichert [38549/38549]

clamav-unofficial-sigs installed successfully
clamav database files provided by Sanesecurity will be updated within an hour,
 and continuously after that.

This seems to work.

But:

# /usr/sbin/clamav-unofficial-sigs.sh

Sanesecurity public GPG key successfully downloaded

Sanesecurity public GPG key successfully imported to custom keyring
====================
= ClamD is running =
====================

======================================================================
Sanesecurity Database & GPG Signature File Updates
======================================================================

Sanesecurity mirror site used:  46.21.115.195

Number of files: 46 (reg: 46)
Number of created files: 46 (reg: 46)
Number of regular files transferred: 46
Total file size: 29,908,665 bytes
Total transferred file size: 29,908,665 bytes
Literal data: 29,908,665 bytes
Matched data: 0 bytes
File list size: 1,518
File list generation time: 0.183 seconds
File list transfer time: 0.000 seconds
Total bytes sent: 908
Total bytes received: 4,897,304

sent 908 bytes  received 4,897,304 bytes  1,399,489.14 bytes/sec
total size is 29,908,665  speedup is 6.11

Testing updated Sanesecurity database file: blurl.ndb
Sanesecurity GPG Signature tested good on blurl.ndb database
Clamscan reports Sanesecurity blurl.ndb database integrity tested good
Successfully updated Sanesecurity production database file: blurl.ndb

Testing updated Sanesecurity database file: junk.ndb
Sanesecurity GPG Signature tested good on junk.ndb database
Clamscan reports Sanesecurity junk.ndb database integrity tested good
Successfully updated Sanesecurity production database file: junk.ndb

Testing updated Sanesecurity database file: jurlbl.ndb
Sanesecurity GPG Signature tested good on jurlbl.ndb database
Clamscan reports Sanesecurity jurlbl.ndb database integrity tested good
Successfully updated Sanesecurity production database file: jurlbl.ndb

Testing updated Sanesecurity database file: phish.ndb
Sanesecurity GPG Signature tested good on phish.ndb database
Clamscan reports Sanesecurity phish.ndb database integrity tested good
Successfully updated Sanesecurity production database file: phish.ndb

Testing updated Sanesecurity database file: rogue.hdb
Sanesecurity GPG Signature tested good on rogue.hdb database
Clamscan reports Sanesecurity rogue.hdb database integrity tested good
Successfully updated Sanesecurity production database file: rogue.hdb

Testing updated Sanesecurity database file: sanesecurity.ftm
Sanesecurity GPG Signature tested good on sanesecurity.ftm database
Clamscan reports Sanesecurity sanesecurity.ftm database integrity tested good
Successfully updated Sanesecurity production database file: sanesecurity.ftm

Testing updated Sanesecurity database file: scam.ndb
Sanesecurity GPG Signature tested good on scam.ndb database
Clamscan reports Sanesecurity scam.ndb database integrity tested good
Successfully updated Sanesecurity production database file: scam.ndb

Testing updated Sanesecurity database file: spamattach.hdb
Sanesecurity GPG Signature tested good on spamattach.hdb database
Clamscan reports Sanesecurity spamattach.hdb database integrity tested good
Successfully updated Sanesecurity production database file: spamattach.hdb

Testing updated Sanesecurity database file: spamimg.hdb
Sanesecurity GPG Signature tested good on spamimg.hdb database
Clamscan reports Sanesecurity spamimg.hdb database integrity tested good
Successfully updated Sanesecurity production database file: spamimg.hdb

Testing updated Sanesecurity database file: winnow.attachments.hdb
Sanesecurity GPG Signature tested good on winnow.attachments.hdb database
Clamscan reports Sanesecurity winnow.attachments.hdb database integrity tested good
Successfully updated Sanesecurity production database file: winnow.attachments.hdb

Testing updated Sanesecurity database file: winnow_bad_cw.hdb
Sanesecurity GPG Signature tested good on winnow_bad_cw.hdb database
Clamscan reports Sanesecurity winnow_bad_cw.hdb database integrity tested good
Successfully updated Sanesecurity production database file: winnow_bad_cw.hdb

Testing updated Sanesecurity database file: winnow_extended_malware.hdb
Sanesecurity GPG Signature tested good on winnow_extended_malware.hdb database
Clamscan reports Sanesecurity winnow_extended_malware.hdb database integrity tested good
Successfully updated Sanesecurity production database file: winnow_extended_malware.hdb

Testing updated Sanesecurity database file: winnow_malware.hdb
Sanesecurity GPG Signature tested good on winnow_malware.hdb database
Clamscan reports Sanesecurity winnow_malware.hdb database integrity tested good
Successfully updated Sanesecurity production database file: winnow_malware.hdb

Testing updated Sanesecurity database file: winnow_malware_links.ndb
Sanesecurity GPG Signature tested good on winnow_malware_links.ndb database
Clamscan reports Sanesecurity winnow_malware_links.ndb database integrity tested good
Successfully updated Sanesecurity production database file: winnow_malware_links.ndb

Testing updated Sanesecurity database file: doppelstern.hdb
Sanesecurity GPG Signature tested good on doppelstern.hdb database
Clamscan reports Sanesecurity doppelstern.hdb database integrity tested good
Successfully updated Sanesecurity production database file: doppelstern.hdb

Testing updated Sanesecurity database file: bofhland_cracked_URL.ndb
Sanesecurity GPG Signature tested good on bofhland_cracked_URL.ndb database
Clamscan reports Sanesecurity bofhland_cracked_URL.ndb database integrity tested good
Successfully updated Sanesecurity production database file: bofhland_cracked_URL.ndb

Testing updated Sanesecurity database file: bofhland_malware_attach.hdb
Sanesecurity GPG Signature tested good on bofhland_malware_attach.hdb database
Clamscan reports Sanesecurity bofhland_malware_attach.hdb database integrity tested good
Successfully updated Sanesecurity production database file: bofhland_malware_attach.hdb

Testing updated Sanesecurity database file: bofhland_malware_URL.ndb
Sanesecurity GPG Signature tested good on bofhland_malware_URL.ndb database
Clamscan reports Sanesecurity bofhland_malware_URL.ndb database integrity tested good
Successfully updated Sanesecurity production database file: bofhland_malware_URL.ndb

Testing updated Sanesecurity database file: bofhland_phishing_URL.ndb
Sanesecurity GPG Signature tested good on bofhland_phishing_URL.ndb database
Clamscan reports Sanesecurity bofhland_phishing_URL.ndb database integrity tested good
Successfully updated Sanesecurity production database file: bofhland_phishing_URL.ndb

Testing updated Sanesecurity database file: crdfam.clamav.hdb
Sanesecurity GPG Signature tested good on crdfam.clamav.hdb database
Clamscan reports Sanesecurity crdfam.clamav.hdb database integrity tested good
Successfully updated Sanesecurity production database file: crdfam.clamav.hdb

Testing updated Sanesecurity database file: phishtank.ndb
Sanesecurity GPG Signature tested good on phishtank.ndb database
Clamscan reports Sanesecurity phishtank.ndb database integrity tested good
Successfully updated Sanesecurity production database file: phishtank.ndb

Testing updated Sanesecurity database file: porcupine.ndb
Sanesecurity GPG Signature tested good on porcupine.ndb database
Clamscan reports Sanesecurity porcupine.ndb database integrity tested good
Successfully updated Sanesecurity production database file: porcupine.ndb

======================================================================
SecuriteInfo Database File Updates
======================================================================

Checking for updated SecuriteInfo database file: honeynet.hdb

  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
134   268  134   268    0     0   2042      0 --:--:-- --:--:-- --:--:--  5702

Testing updated SecuriteInfo database file: honeynet.hdb
Clamscan reports SecuriteInfo honeynet.hdb database integrity tested BAD - SKIPPING
rsync: link_stat "/usr/unofficial-dbs/si-dbs/honeynet.hdb" failed: No such file or directory (2)
rsync error: some files/attrs were not transferred (see previous errors) (code 23) at main.c(1165) [sender=3.1.1]
Failed to successfully update SecuriteInfo production database file: honeynet.hdb - SKIPPING

No updated SecuriteInfo honeynet.hdb database file found
---
Checking for updated SecuriteInfo database file: securiteinfo.hdb

  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
136   272  136   272    0     0   2860      0 --:--:-- --:--:-- --:--:--  6325

Testing updated SecuriteInfo database file: securiteinfo.hdb
Clamscan reports SecuriteInfo securiteinfo.hdb database integrity tested BAD - SKIPPING
rsync: link_stat "/usr/unofficial-dbs/si-dbs/securiteinfo.hdb" failed: No such file or directory (2)
rsync error: some files/attrs were not transferred (see previous errors) (code 23) at main.c(1165) [sender=3.1.1]
Failed to successfully update SecuriteInfo production database file: securiteinfo.hdb - SKIPPING

No updated SecuriteInfo securiteinfo.hdb database file found
---
Checking for updated SecuriteInfo database file: securiteinfobat.hdb

  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
137   275  137   275    0     0   2748      0 --:--:-- --:--:-- --:--:--  5612

Testing updated SecuriteInfo database file: securiteinfobat.hdb
Clamscan reports SecuriteInfo securiteinfobat.hdb database integrity tested BAD - SKIPPING
rsync: link_stat "/usr/unofficial-dbs/si-dbs/securiteinfobat.hdb" failed: No such file or directory (2)
rsync error: some files/attrs were not transferred (see previous errors) (code 23) at main.c(1165) [sender=3.1.1]
Failed to successfully update SecuriteInfo production database file: securiteinfobat.hdb - SKIPPING

No updated SecuriteInfo securiteinfobat.hdb database file found
---
Checking for updated SecuriteInfo database file: securiteinfodos.hdb

  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
137   275  137   275    0     0   2464      0 --:--:-- --:--:-- --:--:--  5851

Testing updated SecuriteInfo database file: securiteinfodos.hdb
Clamscan reports SecuriteInfo securiteinfodos.hdb database integrity tested BAD - SKIPPING
rsync: link_stat "/usr/unofficial-dbs/si-dbs/securiteinfodos.hdb" failed: No such file or directory (2)
rsync error: some files/attrs were not transferred (see previous errors) (code 23) at main.c(1165) [sender=3.1.1]
Failed to successfully update SecuriteInfo production database file: securiteinfodos.hdb - SKIPPING

No updated SecuriteInfo securiteinfodos.hdb database file found
---
Checking for updated SecuriteInfo database file: securiteinfoelf.hdb

  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
137   275  137   275    0     0   2810      0 --:--:-- --:--:-- --:--:--  6111

Testing updated SecuriteInfo database file: securiteinfoelf.hdb
Clamscan reports SecuriteInfo securiteinfoelf.hdb database integrity tested BAD - SKIPPING
rsync: link_stat "/usr/unofficial-dbs/si-dbs/securiteinfoelf.hdb" failed: No such file or directory (2)
rsync error: some files/attrs were not transferred (see previous errors) (code 23) at main.c(1165) [sender=3.1.1]
Failed to successfully update SecuriteInfo production database file: securiteinfoelf.hdb - SKIPPING

No updated SecuriteInfo securiteinfoelf.hdb database file found
---
Checking for updated SecuriteInfo database file: securiteinfohtml.hdb

  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
138   276  138   276    0     0   2707      0 --:--:-- --:--:-- --:--:--  5750

Testing updated SecuriteInfo database file: securiteinfohtml.hdb
Clamscan reports SecuriteInfo securiteinfohtml.hdb database integrity tested BAD - SKIPPING
rsync: link_stat "/usr/unofficial-dbs/si-dbs/securiteinfohtml.hdb" failed: No such file or directory (2)
rsync error: some files/attrs were not transferred (see previous errors) (code 23) at main.c(1165) [sender=3.1.1]
Failed to successfully update SecuriteInfo production database file: securiteinfohtml.hdb - SKIPPING

No updated SecuriteInfo securiteinfohtml.hdb database file found
---
Checking for updated SecuriteInfo database file: securiteinfooffice.hdb

  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
139   278  139   278    0     0   2796      0 --:--:-- --:--:-- --:--:--  5914

Testing updated SecuriteInfo database file: securiteinfooffice.hdb
Clamscan reports SecuriteInfo securiteinfooffice.hdb database integrity tested BAD - SKIPPING
rsync: link_stat "/usr/unofficial-dbs/si-dbs/securiteinfooffice.hdb" failed: No such file or directory (2)
rsync error: some files/attrs were not transferred (see previous errors) (code 23) at main.c(1165) [sender=3.1.1]
Failed to successfully update SecuriteInfo production database file: securiteinfooffice.hdb - SKIPPING

No updated SecuriteInfo securiteinfooffice.hdb database file found
---
Checking for updated SecuriteInfo database file: securiteinfopdf.hdb

  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
137   275  137   275    0     0   2742      0 --:--:-- --:--:-- --:--:--  5978

Testing updated SecuriteInfo database file: securiteinfopdf.hdb
Clamscan reports SecuriteInfo securiteinfopdf.hdb database integrity tested BAD - SKIPPING
rsync: link_stat "/usr/unofficial-dbs/si-dbs/securiteinfopdf.hdb" failed: No such file or directory (2)
rsync error: some files/attrs were not transferred (see previous errors) (code 23) at main.c(1165) [sender=3.1.1]
Failed to successfully update SecuriteInfo production database file: securiteinfopdf.hdb - SKIPPING

No updated SecuriteInfo securiteinfopdf.hdb database file found
---
Checking for updated SecuriteInfo database file: securiteinfosh.hdb

  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
137   274  137   274    0     0   2488      0 --:--:-- --:--:-- --:--:--  5829

Testing updated SecuriteInfo database file: securiteinfosh.hdb
Clamscan reports SecuriteInfo securiteinfosh.hdb database integrity tested BAD - SKIPPING
rsync: link_stat "/usr/unofficial-dbs/si-dbs/securiteinfosh.hdb" failed: No such file or directory (2)
rsync error: some files/attrs were not transferred (see previous errors) (code 23) at main.c(1165) [sender=3.1.1]
Failed to successfully update SecuriteInfo production database file: securiteinfosh.hdb - SKIPPING

No updated SecuriteInfo securiteinfosh.hdb database file found

======================================================================
MalwarePatrol mbl.ndb Database File Update
======================================================================

  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0

Testing updated MalwarePatrol database file: mbl.ndb
Clamscan reports MalwarePatrol mbl.ndb database integrity tested BAD - SKIPPING

===============================================================
= Database reload has been disabled in the configuration file =
===============================================================

Lots of errors.

Directory /usr/unofficial-dbs/si-dbs/ is empty.

Or have I missed something, and things are working well?

Is anybody working with this?

Thanks for any reply.
stefan
« Last Edit: February 01, 2016, 10:24:37 PM by SchulzStefan »
And then one day you find ten years have got behind you.

Time, 1973
(Mason, Waters, Wright, Gilmour)
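
One way to see from output like the above which databases were actually installed, as an added example (not part of the thread and not code from clamav-unofficial-sigs): a shell function that reduces the update log to one line per database. The status names, the `small-download` note and the 1024-byte `MIN_BYTES` threshold are assumptions of this example; the sample input is excerpted from the output posted above.

```shell
#!/bin/sh
# Added example: summarise clamav-unofficial-sigs.sh output per database.
# Output columns (tab separated): database, status, download bytes, notes.
# MIN_BYTES is an assumed threshold, not a value taken from the script.
MIN_BYTES=1024

summarize_sigs_log() {
    awk -v min="$MIN_BYTES" '
    function note(d, s) { notes[d] = (notes[d] == "" ? s : notes[d] "," s) }

    # Section banners and "Checking for updated" start a new download.
    /^=/ || /^Checking for updated / { bytes = ""; next }

    # curl progress line: field 2 is the total size of the transfer in bytes.
    /^ *[0-9]+ +[0-9]+ +[0-9]+ +[0-9]+ / { bytes = $2; next }

    # "Testing updated <source> database file: <db>" opens a record.
    /^Testing updated .* database file: / {
        db = $NF
        if (!(db in status)) order[++n] = db
        status[db] = "UNTESTED"
        size[db] = (bytes == "" ? "-" : bytes)   # "-" means fetched by rsync
        notes[db] = ""
        bytes = ""
        next
    }
    db == "" { next }

    /database integrity tested BAD/ { status[db] = "REJECTED"; next }
    /^Successfully updated .* production database file: / {
        status[db] = "INSTALLED"; next
    }
    # The copy step found nothing to install in the working directory.
    /^rsync: link_stat .* failed: No such file or directory/ {
        note(db, "missing-file"); next
    }

    END {
        for (i = 1; i <= n; i++) {
            d = order[i]
            if (size[d] != "-" && size[d] + 0 < min) note(d, "small-download")
            printf "%s\t%s\t%s\t%s\n", d, status[d], size[d],
                   (notes[d] == "" ? "-" : notes[d])
        }
    }'
}

# Number of databases the update run refused to install.
rejected_count() {
    summarize_sigs_log | awk -F'\t' '$2 == "REJECTED" { c++ } END { print c + 0 }'
}

# Sample input: lines excerpted from the run posted in this thread.
sample_log() {
cat <<'EOF'
Testing updated Sanesecurity database file: blurl.ndb
Sanesecurity GPG Signature tested good on blurl.ndb database
Clamscan reports Sanesecurity blurl.ndb database integrity tested good
Successfully updated Sanesecurity production database file: blurl.ndb

======================================================================
SecuriteInfo Database File Updates
======================================================================

Checking for updated SecuriteInfo database file: honeynet.hdb

  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
134   268  134   268    0     0   2042      0 --:--:-- --:--:-- --:--:--  5702

Testing updated SecuriteInfo database file: honeynet.hdb
Clamscan reports SecuriteInfo honeynet.hdb database integrity tested BAD - SKIPPING
rsync: link_stat "/usr/unofficial-dbs/si-dbs/honeynet.hdb" failed: No such file or directory (2)
Failed to successfully update SecuriteInfo production database file: honeynet.hdb - SKIPPING

No updated SecuriteInfo honeynet.hdb database file found

======================================================================
MalwarePatrol mbl.ndb Database File Update
======================================================================

  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0

Testing updated MalwarePatrol database file: mbl.ndb
Clamscan reports MalwarePatrol mbl.ndb database integrity tested BAD - SKIPPING
EOF
}

# Usage: pass a saved log file as $1, or run without arguments for the sample.
if [ "$#" -gt 0 ]; then
    summarize_sigs_log < "$1"
else
    sample_log | summarize_sigs_log
fi
```

A `REJECTED` line means the run skipped that file, so nothing new from that source reached the production directory; a download of a few hundred bytes or less is worth opening by hand to see what the server actually returned.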

Offline Stefano

« Reply #1 on: February 01, 2016, 11:09:51 PM »
mmmmmhh...

on the top of that page I read:

Quote
Note:
Please note that there now is a contrib for adding additional signatures. Please see Clamav_unofficial_sigs.

with a link that points to: https://wiki.contribs.org/Clamav_unofficial_sigs

I guess you missed it..


Offline SchulzStefan

« Reply #2 on: February 01, 2016, 11:16:10 PM »
Ouch, you're right. I missed it. Sorry. I'm going to give it a try.

Thank you for your hint.

Offline SchulzStefan

« Reply #3 on: February 01, 2016, 11:36:35 PM »
Hmm, anyway:

clamav-unofficial-sigs.sh

Sanesecurity public GPG key successfully downloaded

Sanesecurity public GPG key successfully imported to custom keyring

======================================================================
Sanesecurity Database & GPG Signature File Updates
======================================================================

Sanesecurity mirror site used: ws3-170.freeformit.com 69.16.193.170

Number of files: 18 (reg: 18)
Number of created files: 18 (reg: 18)
Number of regular files transferred: 18
Total file size: 14,254,987 bytes
Total transferred file size: 14,254,987 bytes
Literal data: 14,254,987 bytes
Matched data: 0 bytes
File list size: 581
File list generation time: 0.215 seconds
File list transfer time: 0.000 seconds
Total bytes sent: 376
Total bytes received: 2,705,515

sent 376 bytes  received 2,705,515 bytes  491,980.18 bytes/sec
total size is 14,254,987  speedup is 5.27

Testing updated Sanesecurity database file: jurlbl.ndb
Sanesecurity GPG Signature tested good on jurlbl.ndb database
Clamscan reports Sanesecurity jurlbl.ndb database integrity tested good
Successfully updated Sanesecurity production database file: jurlbl.ndb

Testing updated Sanesecurity database file: scam.ndb
Sanesecurity GPG Signature tested good on scam.ndb database
Clamscan reports Sanesecurity scam.ndb database integrity tested good
Successfully updated Sanesecurity production database file: scam.ndb

Testing updated Sanesecurity database file: sanesecurity.ftm
Sanesecurity GPG Signature tested good on sanesecurity.ftm database
Clamscan reports Sanesecurity sanesecurity.ftm database integrity tested good
Successfully updated Sanesecurity production database file: sanesecurity.ftm

Testing updated Sanesecurity database file: winnow_malware.hdb
Sanesecurity GPG Signature tested good on winnow_malware.hdb database
Clamscan reports Sanesecurity winnow_malware.hdb database integrity tested good
Successfully updated Sanesecurity production database file: winnow_malware.hdb

Testing updated Sanesecurity database file: spamimg.hdb
Sanesecurity GPG Signature tested good on spamimg.hdb database
Clamscan reports Sanesecurity spamimg.hdb database integrity tested good
Successfully updated Sanesecurity production database file: spamimg.hdb

Testing updated Sanesecurity database file: junk.ndb
Sanesecurity GPG Signature tested good on junk.ndb database
Clamscan reports Sanesecurity junk.ndb database integrity tested good
Successfully updated Sanesecurity production database file: junk.ndb

Testing updated Sanesecurity database file: winnow_malware_links.ndb
Sanesecurity GPG Signature tested good on winnow_malware_links.ndb database
Clamscan reports Sanesecurity winnow_malware_links.ndb database integrity tested good
Successfully updated Sanesecurity production database file: winnow_malware_links.ndb

Testing updated Sanesecurity database file: rogue.hdb
Sanesecurity GPG Signature tested good on rogue.hdb database
Clamscan reports Sanesecurity rogue.hdb database integrity tested good
Successfully updated Sanesecurity production database file: rogue.hdb

Testing updated Sanesecurity database file: phish.ndb
Sanesecurity GPG Signature tested good on phish.ndb database
Clamscan reports Sanesecurity phish.ndb database integrity tested good
Successfully updated Sanesecurity production database file: phish.ndb

======================================================================
SecuriteInfo Database File Updates
======================================================================

Checking for updated SecuriteInfo database file: securiteinfosh.hdb

  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
137   274  137   274    0     0    886      0 --:--:-- --:--:-- --:--:--  5829

Testing updated SecuriteInfo database file: securiteinfosh.hdb
Clamscan reports Sanesecurity securiteinfosh.hdb database integrity tested BAD - SKIPPING
rsync: link_stat "/var/lib/clamav-unofficial-sigs/si-dbs/securiteinfosh.hdb" failed: No such file or directory (2)
rsync error: some files/attrs were not transferred (see previous errors) (code 23) at main.c(1165) [sender=3.1.1]
Failed to successfully update SecuriteInfo production database file: securiteinfosh.hdb - SKIPPING

No updated SecuriteInfo securiteinfosh.hdb database file found
---
Checking for updated SecuriteInfo database file: securiteinfopdf.hdb

  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
137   275  137   275    0     0   2981      0 --:--:-- --:--:-- --:--:--  6111

Testing updated SecuriteInfo database file: securiteinfopdf.hdb
Clamscan reports Sanesecurity securiteinfopdf.hdb database integrity tested BAD - SKIPPING
rsync: link_stat "/var/lib/clamav-unofficial-sigs/si-dbs/securiteinfopdf.hdb" failed: No such file or directory (2)
rsync error: some files/attrs were not transferred (see previous errors) (code 23) at main.c(1165) [sender=3.1.1]
Failed to successfully update SecuriteInfo production database file: securiteinfopdf.hdb - SKIPPING

No updated SecuriteInfo securiteinfopdf.hdb database file found
---
Checking for updated SecuriteInfo database file: securiteinfooffice.hdb

  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
139   278  139   278    0     0   2840      0 --:--:-- --:--:-- --:--:--  5914

Testing updated SecuriteInfo database file: securiteinfooffice.hdb
Clamscan reports Sanesecurity securiteinfooffice.hdb database integrity tested BAD - SKIPPING
rsync: link_stat "/var/lib/clamav-unofficial-sigs/si-dbs/securiteinfooffice.hdb" failed: No such file or directory (2)
rsync error: some files/attrs were not transferred (see previous errors) (code 23) at main.c(1165) [sender=3.1.1]
Failed to successfully update SecuriteInfo production database file: securiteinfooffice.hdb - SKIPPING

No updated SecuriteInfo securiteinfooffice.hdb database file found
---
Checking for updated SecuriteInfo database file: securiteinfobat.hdb

  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
137   275  137   275    0     0   2720      0 --:--:-- --:--:-- --:--:--  5729

Testing updated SecuriteInfo database file: securiteinfobat.hdb
Clamscan reports Sanesecurity securiteinfobat.hdb database integrity tested BAD - SKIPPING
rsync: link_stat "/var/lib/clamav-unofficial-sigs/si-dbs/securiteinfobat.hdb" failed: No such file or directory (2)
rsync error: some files/attrs were not transferred (see previous errors) (code 23) at main.c(1165) [sender=3.1.1]
Failed to successfully update SecuriteInfo production database file: securiteinfobat.hdb - SKIPPING

No updated SecuriteInfo securiteinfobat.hdb database file found
---
Checking for updated SecuriteInfo database file: honeynet.hdb

  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
134   268  134   268    0     0   2824      0 --:--:-- --:--:-- --:--:--  6090

Testing updated SecuriteInfo database file: honeynet.hdb
Clamscan reports Sanesecurity honeynet.hdb database integrity tested BAD - SKIPPING
rsync: link_stat "/var/lib/clamav-unofficial-sigs/si-dbs/honeynet.hdb" failed: No such file or directory (2)
rsync error: some files/attrs were not transferred (see previous errors) (code 23) at main.c(1165) [sender=3.1.1]
Failed to successfully update SecuriteInfo production database file: honeynet.hdb - SKIPPING

No updated SecuriteInfo honeynet.hdb database file found
---
Checking for updated SecuriteInfo database file: securiteinfoelf.hdb

  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
137   275  137   275    0     0   2784      0 --:--:-- --:--:-- --:--:--  6395

Testing updated SecuriteInfo database file: securiteinfoelf.hdb
Clamscan reports Sanesecurity securiteinfoelf.hdb database integrity tested BAD - SKIPPING
rsync: link_stat "/var/lib/clamav-unofficial-sigs/si-dbs/securiteinfoelf.hdb" failed: No such file or directory (2)
rsync error: some files/attrs were not transferred (see previous errors) (code 23) at main.c(1165) [sender=3.1.1]
Failed to successfully update SecuriteInfo production database file: securiteinfoelf.hdb - SKIPPING

No updated SecuriteInfo securiteinfoelf.hdb database file found
---
Checking for updated SecuriteInfo database file: securiteinfodos.hdb

  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
137   275  137   275    0     0   2756      0 --:--:-- --:--:-- --:--:--  6111

Testing updated SecuriteInfo database file: securiteinfodos.hdb
Clamscan reports Sanesecurity securiteinfodos.hdb database integrity tested BAD - SKIPPING
rsync: link_stat "/var/lib/clamav-unofficial-sigs/si-dbs/securiteinfodos.hdb" failed: No such file or directory (2)
rsync error: some files/attrs were not transferred (see previous errors) (code 23) at main.c(1165) [sender=3.1.1]
Failed to successfully update SecuriteInfo production database file: securiteinfodos.hdb - SKIPPING

No updated SecuriteInfo securiteinfodos.hdb database file found
---
Checking for updated SecuriteInfo database file: securiteinfo.hdb

  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
136   272  136   272    0     0   2759      0 --:--:-- --:--:-- --:--:--  5666

Testing updated SecuriteInfo database file: securiteinfo.hdb
Clamscan reports Sanesecurity securiteinfo.hdb database integrity tested BAD - SKIPPING
rsync: link_stat "/var/lib/clamav-unofficial-sigs/si-dbs/securiteinfo.hdb" failed: No such file or directory (2)
rsync error: some files/attrs were not transferred (see previous errors) (code 23) at main.c(1165) [sender=3.1.1]
Failed to successfully update SecuriteInfo production database file: securiteinfo.hdb - SKIPPING

No updated SecuriteInfo securiteinfo.hdb database file found
---
Checking for updated SecuriteInfo database file: securiteinfohtml.hdb

  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
138   276  138   276    0     0   2778      0 --:--:-- --:--:-- --:--:--  5872

Testing updated SecuriteInfo database file: securiteinfohtml.hdb
Clamscan reports Sanesecurity securiteinfohtml.hdb database integrity tested BAD - SKIPPING
rsync: link_stat "/var/lib/clamav-unofficial-sigs/si-dbs/securiteinfohtml.hdb" failed: No such file or directory (2)
rsync error: some files/attrs were not transferred (see previous errors) (code 23) at main.c(1165) [sender=3.1.1]
Failed to successfully update SecuriteInfo production database file: securiteinfohtml.hdb - SKIPPING

No updated SecuriteInfo securiteinfohtml.hdb database file found

======================================================================
MalwarePatrol mbl.ndb Database File Update
======================================================================

  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0

Testing updated MalwarePatrol database file: mbl.ndb
Clamscan reports Sanesecurity mbl.ndb database integrity tested BAD - SKIPPING

======================================================================

=================================================
= Update(s) detected, reloaded ClamAV databases =
=================================================

I.e.:
Testing updated SecuriteInfo database file: securiteinfohtml.hdb
Clamscan reports Sanesecurity securiteinfohtml.hdb database integrity tested BAD - SKIPPING
rsync: link_stat "/var/lib/clamav-unofficial-sigs/si-dbs/securiteinfohtml.hdb" failed: No such file or directory (2)
rsync error: some files/attrs were not transferred (see previous errors) (code 23) at main.c(1165) [sender=3.1.1]
Failed to successfully update SecuriteInfo production database file: securiteinfohtml.hdb - SKIPPING

Directory /var/lib/clamav-unofficial-sigs/si-dbs/ is empty. Does it have to be empty? Does it work - or not?
And then one day you find ten years have got behind you.

Time, 1973
(Mason, Waters, Wright, Gilmour)
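
Added example, not part of the original post or of clamav-unofficial-sigs: the log above shows a 276-byte transfer for securiteinfohtml.hdb that clamscan then rejects, and a look at the downloaded file tells an empty transfer or an HTML page apart from real signatures. `classify_hdb` and `run_demo` are hypothetical helpers; the check assumes the `MD5:FileSize:MalwareName` line layout of ClamAV .hdb files, and the sample files are constructed.

```shell
#!/bin/sh
# Pre-flight check for a downloaded ClamAV hash database (.hdb).
# Assumed line layout: MD5:FileSize:MalwareName, optionally followed by
# numeric functionality-level fields (32 hex digits, a size or "*", a name).

# classify_hdb FILE -> prints ok, empty, html or malformed:<line-number>
classify_hdb() {
    file=$1
    # Missing or zero-byte download (the curl meter shows 0 bytes for mbl.ndb).
    [ -s "$file" ] || { echo "empty"; return 1; }

    # An HTML body instead of signatures: error page, login page or redirect.
    if head -c 512 "$file" | grep -qiE '<(!doctype|html|head|title|body)'; then
        echo "html"; return 1
    fi

    # Number of the first line that is neither blank nor a well-formed signature.
    sig='[0-9A-Fa-f]{32}:([0-9]+|\*):[^:]+(:[0-9]+)*'
    bad=$(grep -nvE "^($sig)?[[:space:]]*\$" "$file" | head -n 1 | cut -d: -f1)
    if [ -n "$bad" ]; then
        echo "malformed:$bad"; return 1
    fi
    echo "ok"
}

# Constructed samples: a valid line, an HTML body, a truncated line, no data.
run_demo() {
    d=$(mktemp -d) || return 1
    good='0123456789abcdef0123456789abcdef:1024:Constructed.Sample.Test-1'
    printf '%s\n' "$good" > "$d/good.hdb"
    printf '%s\n' '<html><head><title>302 Found</title></head></html>' > "$d/page.hdb"
    printf '%s\n' "$good" '0123456789abcd:10' > "$d/cut.hdb"
    : > "$d/zero.hdb"
    for f in good page cut zero; do
        printf '%s=%s\n' "$f" "$(classify_hdb "$d/$f.hdb")"
    done
    rm -rf "$d"
}
run_demo
```

A result other than `ok` says the transfer itself needs attention (URL, account or key requirement) before clamscan's integrity test is worth re-running.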

Offline SchulzStefan

Re: Anti Virus - Additional Signatures - HOW-TO still working?
« Reply #4 on: February 01, 2016, 11:57:22 PM »
Contrib version is:

#clamav-unofficial-sigs.sh -v
clamav-unofficial-sigs.sh v3.7.1 (updated 2010-06-06)

Last version is:
clamav-unofficial-sigs-3.7.2

I'll try to figure out the differences.

Offline SchulzStefan

Re: Anti Virus - Additional Signatures - HOW-TO still working?
« Reply #5 on: February 02, 2016, 12:26:16 AM »
contrib:

rpm -ql smeserver-clamav-unofficial-sigs

/*snip
/etc/e-smith/db/configuration/defaults/clamav-unofficial-sigs/honeynet.hdb
/etc/e-smith/db/configuration/defaults/clamav-unofficial-sigs/junk.ndb
/etc/e-smith/db/configuration/defaults/clamav-unofficial-sigs/jurlbl.ndb
/etc/e-smith/db/configuration/defaults/clamav-unofficial-sigs/mbl.ndb
/etc/e-smith/db/configuration/defaults/clamav-unofficial-sigs/phish.ndb
/etc/e-smith/db/configuration/defaults/clamav-unofficial-sigs/rogue.hdb
/etc/e-smith/db/configuration/defaults/clamav-unofficial-sigs/sanesecurity.ftm
/etc/e-smith/db/configuration/defaults/clamav-unofficial-sigs/scam.ndb
/etc/e-smith/db/configuration/defaults/clamav-unofficial-sigs/securiteinfo.hdb
/etc/e-smith/db/configuration/defaults/clamav-unofficial-sigs/securiteinfobat.hdb
/etc/e-smith/db/configuration/defaults/clamav-unofficial-sigs/securiteinfodos.hdb
/etc/e-smith/db/configuration/defaults/clamav-unofficial-sigs/securiteinfoelf.hdb
/etc/e-smith/db/configuration/defaults/clamav-unofficial-sigs/securiteinfohtml.hdb
/etc/e-smith/db/configuration/defaults/clamav-unofficial-sigs/securiteinfooffice.hdb
/etc/e-smith/db/configuration/defaults/clamav-unofficial-sigs/securiteinfopdf.hdb
/etc/e-smith/db/configuration/defaults/clamav-unofficial-sigs/securiteinfosh.hdb
/etc/e-smith/db/configuration/defaults/clamav-unofficial-sigs/spamimg.hdb
/etc/e-smith/db/configuration/defaults/clamav-unofficial-sigs/status
/etc/e-smith/db/configuration/defaults/clamav-unofficial-sigs/type
/etc/e-smith/db/configuration/defaults/clamav-unofficial-sigs/winnow_malware.hdb
/etc/e-smith/db/configuration/defaults/clamav-unofficial-sigs/winnow_malware_links.ndb
snip*/

clamav-unofficial-sigs-3.7.2:

# ========================
# Sanesecurity Database(s)
# ========================
# Add or remove database file names between quote marks as needed.  To
# disable usage of any of the Sanesecurity distributed database files
# shown, remove the database file name from the quoted section below.
# To disable usage of all Sanesecurity distributed databases, comment
# all of the quoted lines below.  Only databases defined as "low" risk
# have been enabled by default (for additional information about the
# database ratings, see: http://www.sanesecurity.com/clamav/databases.htm).
# Only add signature databases here that are "distributed" by Sanesecuirty
# as defined at the URL shown above.  Database distributed by others sources
# (e.g., SecuriteInfo & MalewarePatrol, can be added to other sections of
# this config file below).  Finally, make sure that the database names are
# spelled correctly or you will experience issues when the script runs
# (hint: all rsync servers will fail to download signature updates).
ss_dbs="
   blurl.ndb
   junk.ndb
   jurlbl.ndb
   phish.ndb
   rogue.hdb
   sanesecurity.ftm
   scam.ndb
   sigwhitelist.ign2
   spamattach.hdb
   spamimg.hdb
   winnow.attachments.hdb
   winnow_bad_cw.hdb
   winnow_extended_malware.hdb
   winnow_malware.hdb
   winnow_malware_links.ndb
   doppelstern.hdb
   bofhland_cracked_URL.ndb
   bofhland_malware_attach.hdb
   bofhland_malware_URL.ndb
   bofhland_phishing_URL.ndb
   crdfam.clamav.hdb
   phishtank.ndb
   porcupine.ndb
"

# ========================
# SecuriteInfo Database(s)
# ========================
# Add or remove database file names between quote marks as needed.  To
# disable any SecuriteInfo database downloads, remove the appropriate
# lines below.  To disable all SecuriteInfo database file downloads,
# comment all of the following lines.
si_dbs="
   honeynet.hdb
   securiteinfo.hdb
   securiteinfobat.hdb
   securiteinfodos.hdb
   securiteinfoelf.hdb
   securiteinfohtml.hdb
   securiteinfooffice.hdb
   securiteinfopdf.hdb
   securiteinfosh.hdb
"
# =========================
# MalwarePatrol Database(s)
# =========================
# Add or remove database file names between quote marks as needed.  To
# disable any of the MalwarePatrol database file downloads, remove the
# appropriate database file name lines below.  To disable MalwarePatrol
# database downloads, comment all of the following lines.
mbl_dbs="
   mbl.ndb
"

Few differences. I'll try and report.

Offline SchulzStefan

Re: Anti Virus - Additional Signatures - HOW-TO still working?
« Reply #6 on: February 02, 2016, 12:32:19 AM »
CHANGELOG:

This file contains changes to the clamav-unofficial-sigs script written
by Bill Landry (unofficialsigs@gmail.com).  The script provides a simple
way to download, test, and use third-party ClamAV signature databases
provided by Sanesecurity, SecuriteInfo, MalwarePatrol, OITC, etc.

Version 3.7.2 (updated 2013-08-25)
   - Added Sanesecurity signature whitelist "sigwhitelist.ign2" file
     to the list of default databases in the config file.
   - Added "-w" flag to support adding signature whitelist entries in
     "my-whitelist.ign2" file in the newer ClamAV IGN2 format.  Do
     not manually add or remove whitelist entries from this file,
     the script will automatically remove whitelist entries when the
     offending signatures have been modified or removed from the
     third-party database.
   - DEPRECATED the "-b" (signature bypass) flag.  Although still
     supported, it is highly recommend that you instead use the new
     "-w" flag, which supports the newer ClamAV IGN2 signature
     whitelist format.
   - Anchored grep searches when using the "-b" flag in order to
     more exactly match signature searches.  Requested by Paul Wise.
   - Added rsync and curl timeout variables to the configuration
     file to allow the script user to define custom connect and
     overall download timeout values. Requested by Paul Wise.
   - Added a "setmode" variable to the script's configuration file to
     allow the script user to enable or disable the "chmod" command
     usage on the signature files and directory.  Requested by Paul Wise.
   - Added detail to the config file regarding correct file name
     spelling, adding only relevant signature file names to the
     appropriate sections of the config file, and not placing
     anything other than correctly spelled signature file names
     inside the quoted signature name sections of the config file.
   - Modified "add_dbs" section of the script to properly retrieve
     http downloaded signature database files on first-time run.
     Issue reported by Blaine Fleming.
   - Changed script database reporting to reflect the correct author.
   - Updated my contact and script download information in all files
     and updated "man" pages to reflect flag changes and additions.

I'm sorry, updating the contrib is beyond my knowledge. It would be nice if somebody could join in.

Offline SchulzStefan

Re: Anti Virus - Additional Signatures - HOW-TO still working?
« Reply #7 on: February 02, 2016, 09:10:36 AM »
Should be moved to contribs now.

Offline SchulzStefan

Re: Anti Virus - Additional Signatures - HOW-TO still working?
« Reply #8 on: February 02, 2016, 10:24:26 AM »
Googling around brings up:

http://lists.clamav.net/pipermail/clamav-users/2015-April/001452.html

and

http://lists.clamav.net/pipermail/clamav-users/2015-April/001459.html

which ends in:

http://clamav.securiteinfo.com/securiteinfohtml.hdb

Not sure about the conditions when signing up for a free account. My French is not good enough to understand whether I'm allowed to use it commercially or not.

finally:

https://www.securiteinfo.com/services/improve-detection-rate-of-zero-day-malwares-for-clamav.shtml

I'm going to follow this:

http://lists.clamav.net/pipermail/clamav-users/2015-April/001452.html

Maybe the maintainer of the contrib jumps in and pushes an update. With or without the SecuriteInfo databases.

Offline mauro

Re: Anti Virus - Additional Signatures - HOW-TO still working?
« Reply #10 on: February 02, 2016, 04:08:06 PM »
Many of the additional signatures have changed the download URL a/o require you to sign in in order to get some key before downloading.
There is a new version of the script here
https://github.com/extremeshok/clamav-unofficial-sigs
which addresses these issues.
It could be taken as an example or, if the licensing permits, ported to SME.
All parts should go together without forcing. You must remember that the parts you are reassembling were disassembled by you. Therefore, if you can't get them together again, there must be a reason. By all means, do not use a hammer.
-- IBM maintenance manual (1975)

Offline Stefano

Re: Anti Virus - Additional Signatures - HOW-TO still working?
« Reply #11 on: February 02, 2016, 04:10:20 PM »
Hi mauro, thank you for your suggestion.

could you post your comment to the related bug too?
thank you

Offline mauro

Re: Anti Virus - Additional Signatures - HOW-TO still working?
« Reply #12 on: February 02, 2016, 04:14:11 PM »
I just did  :D

Offline Stefano

Re: Anti Virus - Additional Signatures - HOW-TO still working?
« Reply #13 on: February 02, 2016, 04:35:36 PM »
doh, didn't notice the email from bugzilla :-)

thank you

Offline compdoc

Re: Anti Virus - Additional Signatures - HOW-TO still working?
« Reply #14 on: March 13, 2016, 08:08:49 PM »
I've used unofficial sigs for a while, and switched to the extremeshok version several months ago because it's not abandoned.

But emails with attached Word documents still get through. I actually had someone who opened the .doc and tried to enable the content as instructed in the attachment.

So, I looked for ways to block .doc and .docx attachments, however blocking documents with macros seems the best solution. This doesn't block documents in .zip files, but that's ok because when a user opens a .zip file, the zip program places temporary copies on the drive where the user's antivirus can see them.

I created this directory and file:

nano /etc/e-smith/templates-custom/etc/clamd.conf/25OLE2BlockMacros

Then paste this into the file:

OLE2BlockMacros yes

Save and exit. Then activate:

signal-event post-upgrade
signal-event reboot


I use spamfilter-stats-7.pl for daily reports, and it does show emails being rejected for OLE*
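
Added example, not from the post above: once the template fragment has been expanded, this check reads a clamd.conf and reports whether OLE2BlockMacros is actually switched on. `clamd_option_state` is a hypothetical helper, the sample configs are constructed, and treating two differing uncommented lines as a conflict is this sketch's assumption rather than documented clamd behaviour.

```shell
#!/bin/sh
# clamd_option_state CONF OPTION -> prints on, off, unset, conflict or unreadable.
# Exit status is 0 only for "on", so it can gate a deployment or monitoring check.
clamd_option_state() {
    conf=$1
    opt=$2
    [ -r "$conf" ] || { echo "unreadable"; return 2; }
    # Collect every uncommented "Option value" line and normalise the value
    # (yes/true/1 are read as enabled; that mapping is an assumption here).
    vals=$(awk -v opt="$opt" '
        /^[[:space:]]*#/ { next }
        $1 == opt {
            v = tolower($2)
            state = (v == "yes" || v == "true" || v == "1") ? "on" : "off"
            print state
        }' "$conf" | sort -u)
    case $vals in
        "")  echo "unset";    return 1 ;;
        on)  echo "on";       return 0 ;;
        off) echo "off";      return 1 ;;
        *)   echo "conflict"; return 1 ;;
    esac
}

# Constructed configs standing in for the generated /etc/clamd.conf.
demo_clamd_option_state() {
    d=$(mktemp -d) || return 1
    printf '%s\n' 'LogSyslog yes' 'ScanOLE2 yes' 'OLE2BlockMacros yes' > "$d/blocked.conf"
    printf '%s\n' 'ScanOLE2 yes' '#OLE2BlockMacros yes' > "$d/commented.conf"
    printf '%s\n' 'OLE2BlockMacros no' 'ScanOLE2 yes' 'OLE2BlockMacros yes' > "$d/both.conf"
    for c in blocked commented both; do
        printf '%s=%s\n' "$c" "$(clamd_option_state "$d/$c.conf" OLE2BlockMacros)"
    done
    rm -rf "$d"
}
demo_clamd_option_state
```

On the server it would be pointed at the generated file, for example `clamd_option_state /etc/clamd.conf OLE2BlockMacros`.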