Koozali.org: home of the SME Server
Obsolete Releases => SME 7.x Contribs => Topic started by: william_syd on July 21, 2007, 03:12:28 PM
-
Anybody using the signatures from...
http://sanesecurity.co.uk/clamav/
-
I have manually added the Phishing Signatures today to see how they perform.
Being a Linux newbie, I wasn't entirely sure whether to have a go with the auto-update script and take my life in my hands on a production server, since I don't have a spare box for testing. So I played safe.
On a side note, I did try to enter phishing signatures manually before finding / implementing the sanesecurity list, but couldn't get ClamAV to match them to the emails, for some reason beyond me, although it was reading the database.
-
If you look at the DB, it seems pretty old, i.e. outdated. I am not so sure that it has real value anymore. Without having tried it, I think the database from http://www.malware.com.br/ is more up-to-date, even though it is a malware DB.
-
Hi
I'm using signatures from sanesecurity on 5 of my servers... nothing to say, they work.
Ciao
Stefano
-
Interesting - and they catch something that SpamAssassin/ClamAV would not catch on their own?
Have you used both the Scam and the Phishing signatures? What about the MSRBL signatures for images and Spam?
-
Well, I have now also downloaded and installed the various signatures, and clam seems to understand them. The download script from the sanesecurity.com site seems to work well with my SME 7.3 after a minor modification.
Micro Howto:
cd /etc/cron.daily
wget http://www.sanesecurity.com/clamav/update_sanesecurity.txt
mv update_sanesecurity.txt update_sanesecurity.sh
chmod +x update_sanesecurity.sh
You need to make a small manual modification. Find the line:
unprivileged_user=${sigfile_owner_and_group%:*}
and comment it out:
# unprivileged_user=${sigfile_owner_and_group%:*}
You can now run it for the first time with debug enabled to see that all is OK:
./update_sanesecurity.sh -d
Your output should look something like this (though yours will hopefully show the files being updated):
[root@maildk cron.daily]# ./update_sanesecurity.sh -d
update_sanesecurity: [debug] Debug mode is ON
update_sanesecurity: [debug] Starting.
update_sanesecurity: [debug] Created temporary directory: '/tmp/update_sanesecurity.OmA30589'
update_sanesecurity: [debug] Checking for ClamAV database directory...
update_sanesecurity: [debug] Found ClamAV database directory: /var/clamav
update_sanesecurity: [debug] PHISH_SIGS : http://www.sanesecurity.com/clamav/phishsigs/phish.ndb.gz
update_sanesecurity: [debug] SCAM_SIGS : http://www.sanesecurity.com/clamav/scamsigs/scam.ndb.gz
update_sanesecurity: [debug] SPAM_SIGS : rsync://rsync.mirror.msrbl.com/msrbl/MSRBL-SPAM.ndb
update_sanesecurity: [debug] IMAGE_SIGS : rsync://rsync.mirror.msrbl.com/msrbl/MSRBL-Images.hdb
update_sanesecurity: [debug] ClamScan : /usr/bin/clamscan
update_sanesecurity: [debug] CURL : /usr/bin/curl
update_sanesecurity: [debug] GunZip : /bin/gunzip
update_sanesecurity: [debug] RSync : /usr/bin/rsync
update_sanesecurity: [debug] ClamAV db dir : /var/clamav
update_sanesecurity: [debug] temp dir : /tmp/update_sanesecurity.OmA30589
update_sanesecurity: [debug] Created temporary directory: '/tmp/update_sanesecurity.jqP30690'
update_sanesecurity: [debug] Checking for ClamAV database directory...
update_sanesecurity: [debug] Found ClamAV database directory: /var/clamav
update_sanesecurity: [debug] Checking for newer version of '/var/clamav/scam.ndb.gz'
update_sanesecurity: [info] '/var/clamav/scam.ndb.gz' was NOT updated
update_sanesecurity: [info] '/var/clamav/scam.ndb' was NOT updated
update_sanesecurity: [debug] Checking for newer version of '/var/clamav/phish.ndb.gz'
update_sanesecurity: [info] '/var/clamav/phish.ndb.gz' was NOT updated
update_sanesecurity: [info] '/var/clamav/phish.ndb' was NOT updated
update_sanesecurity: [debug] Checking for newer version of '/var/clamav/MSRBL-SPAM.ndb'
update_sanesecurity: [info] '/var/clamav/MSRBL-SPAM.ndb' was NOT updated
update_sanesecurity: [debug] Checking for newer version of '/var/clamav/MSRBL-Images.hdb'
update_sanesecurity: [info] '/var/clamav/MSRBL-Images.hdb' was NOT updated
update_sanesecurity: [debug] Exiting.
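An added example, not part of this thread or of the Sanesecurity update script: a small checker for the ClamAV extended signature (.ndb) format that phish.ndb, scam.ndb and MSRBL-SPAM.ndb above use, plus a helper that builds a hand-written line from plain text, the step that went wrong in the first post. The field layout (MalwareName:TargetType:Offset:HexSignature[:MinFL[:MaxFL]]), the target-type numbers and the wildcard syntax come from the ClamAV signature documentation; the signature names, the sample database and the minimum of four literal bytes are constructed for the example and are not ClamAV rules.

```python
import re
from typing import Dict, List, Tuple

# .ndb line: MalwareName:TargetType:Offset:HexSignature[:MinFL[:MaxFL]]
# Target types as listed in the ClamAV signature documentation.
TARGET_TYPES = {
    0: "any file", 1: "PE", 2: "OLE2", 3: "HTML (normalised)", 4: "Mail file",
    5: "Graphics", 6: "ELF", 7: "ASCII text (normalised)", 9: "Mach-O",
    10: "PDF", 11: "Flash", 12: "Java",
}

# Offset: '*' anywhere, absolute n, floating "n,shift", EOF-n, EP+/-n, Sx+n, SEx, SL+n.
_OFFSET = re.compile(r"^(?:\*|\d+(?:,\d+)?|EOF-\d+|EP[+-]\d+|S\d+\+\d+|SE\d+|SL\+\d+)$")

# One token of the hex body; alternation order matters (two hex digits first).
_TOKEN = re.compile(r"""
    (?P<byte>[0-9a-fA-F]{2})                                    # literal byte
  | (?P<anybyte>\?\?)                                           # one wildcard byte
  | (?P<nibble>[0-9a-fA-F]\?|\?[0-9a-fA-F])                     # half-byte wildcard
  | (?P<star>\*)                                                # any number of bytes
  | (?P<gap>\{(?:\d+-\d*|-\d+|\d+)\})                           # {n} {n-m} {n-} {-m}
  | (?P<alt>\((?:[0-9a-fA-F]{2})+(?:\|(?:[0-9a-fA-F]{2})+)+\))  # (aa|bb) alternatives
""", re.VERBOSE)

# Local policy for hand-written signatures (an assumption, not a ClamAV rule):
# fewer literal bytes than this matches far too much to be worth installing.
MIN_LITERAL_BYTES = 4

def tokenize_hex(sig: str) -> List[Tuple[str, str]]:
    """Split a hex signature into (kind, text) tokens; raise on unknown syntax."""
    tokens, pos = [], 0
    while pos < len(sig):
        m = _TOKEN.match(sig, pos)
        if not m:
            raise ValueError(f"bad hex signature at offset {pos}: {sig[pos:pos + 8]!r}")
        tokens.append((m.lastgroup, m.group()))
        pos = m.end()
    return tokens

def parse_ndb_line(line: str) -> Dict[str, object]:
    """Parse and validate one .ndb line; raise ValueError describing the first problem."""
    fields = line.rstrip("\r\n").split(":")
    if not 4 <= len(fields) <= 6:
        raise ValueError(f"expected 4-6 colon-separated fields, got {len(fields)}")
    name, target, offset, hexsig = fields[:4]
    if not name or re.search(r"\s", name):
        raise ValueError("malware name is empty or contains whitespace")
    if not target.isdigit() or int(target) not in TARGET_TYPES:
        raise ValueError(f"unknown target type {target!r}")
    if not _OFFSET.match(offset):
        raise ValueError(f"bad offset {offset!r}")
    tokens = tokenize_hex(hexsig)
    literal = sum(1 for kind, _ in tokens if kind in ("byte", "alt"))
    if literal < MIN_LITERAL_BYTES:
        raise ValueError(f"only {literal} literal bytes (policy minimum {MIN_LITERAL_BYTES})")
    for fl in fields[4:]:  # optional MinFL / MaxFL engine functionality levels
        if fl and not fl.isdigit():
            raise ValueError(f"bad functionality level {fl!r}")
    return {"name": name, "target": int(target), "offset": offset,
            "tokens": tokens, "literal_bytes": literal}

def text_to_ndb(name: str, text: str, target: int = 0, offset: str = "*") -> str:
    """Build an .ndb line matching the exact UTF-8 bytes of `text`, validated before use."""
    line = f"{name}:{target}:{offset}:{text.encode('utf-8').hex()}"
    parse_ndb_line(line)
    return line

def validate_ndb(text: str) -> Tuple[int, List[str]]:
    """Check a whole .ndb file; return (count of good signatures, list of errors)."""
    good, errors = 0, []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        try:
            parse_ndb_line(line)
            good += 1
        except ValueError as e:
            errors.append(f"line {n}: {e}")
    return good, errors

# Constructed sample database (not real Sanesecurity data): two good lines, four bad ones.
SAMPLE_NDB = """\
Example.Phish.Login-1:0:*:68747470733a2f2f7777772e6578616d706c652e636f6d2f6c6f67696e
Example.Phish.Wild-2:3:*:636c69636b{1-20}68657265??(2e|2c)
Example.Bad.Name with space:0:*:41424344
Example.Bad.Hex-3:0:*:4142zz
Example.Bad.Short-4:0:*:4142
Example.Bad.Target-5:99:*:41424344
"""

if __name__ == "__main__":
    good, errors = validate_ndb(SAMPLE_NDB)
    print(f"{good} usable signatures; {len(errors)} rejected: {errors}")
    print(text_to_ndb("Example.Phish.Manual-6", "http://example.com/login"))
```

This checks syntax only. The authoritative test is still ClamAV itself: load the file directly with clamscan -d phish.ndb against a message you know contains the pattern, before copying it into the database directory, so a malformed line is caught on the command line rather than in the mail path.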
-
Thanks Knuddi, much appreciated for the howto. :pint:
I will give it a whirl.
Edit:
Works Perfect :-P
-
I think the HowTo is missing 1 element.
signal-event email-update
I couldn't get it working till I restarted ClamAV.
After this it recognized the test-signatures right away.
-
That is true - otherwise it will reload the database and recognize the new signatures after the default 30 mins.
-
Hi Knuddi, and thanks for your howto.
I think this is a valuable piece for a howto, or to extend the "email" page.
Do you have the rights to add content to the wiki? Because otherwise this information will be lost in the depths of history.
-
Jesper,
I also think it's important this ends up in the wiki. In not even 12 hours on my relaxed home server, with max 25 (valid) e-mails a day, I already see in the unjunkmgr 2 e-mails that have been intercepted by this procedure.
For me this was a very nice addition and should maybe be the default on every server.
Harro
-
For me this was a very nice addition and should maybe be default on every server.
If you think so, please motivate it in the bugtracker, in the New Feature Request category.
-
I have updated the script to now also download signatures from:
http://www.securiteinfo.com/services/clamav_unofficial_malwares_signatures.shtml
I have placed an updated script here for now (will get moving on the wiki later)
http://sme.swerts-knudsen.com/downloads/update_sanesecurity
-
Added this small howto in the wiki:
http://wiki.contribs.org/Email#Anti_Virus
-
Added this small howto in the wiki:
http://wiki.contribs.org/Email#Anti_Virus
Thanks Knuddi!
-
The various locations for these signatures have changed, and I have therefore updated the script needed to download them. See:
http://wiki.contribs.org/Email#Anti_Virus
Make sure to remove the old script /etc/cron.daily/update_sanesecurity as it is no longer needed.
Enjoy,
Jesper