How can I install third party unofficial signatures for ClamAV to improve the virus detection rate?

Enabling ClamAV Third Party Signatures

The clamav-unofficial-sigs script provides a simple way to download, test, and update third-party signature databases provided by Sanesecurity, FOXHOLE, OITC, Scamnailer, BOFHLAND, CRDF, Porcupine, Yara-Rules Project, etc. The clamav-unofficial-sigs script will also generate and install cron, logrotate, and man files. See: clamav-unofficial-sigs for more information.

Important
• rsync requires outbound TCP port 873 to be open if you are using a firewall; the script cannot download the signatures without it.
• The ClamAV daemon will use over 1GB RAM when all the signatures are enabled together.
• The new signatures will be downloaded to the /var/lib/clamav directory.

CentOS/RHEL/CloudLinux/AlmaLinux

There are packages in the EPEL repo that make it easy to install the third party signatures. Signatures will be updated automatically using a cron that the package installs.

yum install rsync wget unzip bind-utils clamav-unofficial-sigs 

# the master config file is located at
/etc/clamav-unofficial-sigs/master.conf

# the user config file is located at (edit user.conf rather than master.conf: its settings override master.conf, so your changes are preserved)
/etc/clamav-unofficial-sigs/user.conf

# run the command once to test (run as root)
/usr/sbin/clamav-unofficial-sigs.sh

# you can view the log using the command
tail -f /var/log/clamav-unofficial-sigs/clamav-unofficial-sigs.log

You should see the new signatures downloaded to the /var/lib/clamav directory.

Debian/Ubuntu

There are no up-to-date packages for Debian/Ubuntu so we must install it manually.

apt-get install rsync wget unzip dnsutils
wget https://github.com/extremeshok/clamav-unofficial-sigs/archive/master.zip
unzip master.zip
cd clamav-unofficial-sigs-master/
cp -f clamav-unofficial-sigs.sh /usr/local/bin/
chmod 755 /usr/local/bin/clamav-unofficial-sigs.sh
mkdir /etc/clamav-unofficial-sigs/
cp -r config/* /etc/clamav-unofficial-sigs/
cd /etc/clamav-unofficial-sigs/

# Copy /etc/clamav-unofficial-sigs/os/os.your-distro.conf to the parent directory as /etc/clamav-unofficial-sigs/os.conf, where your-distro is your distribution and version, e.g.
cp /etc/clamav-unofficial-sigs/os/os.ubuntu.conf /etc/clamav-unofficial-sigs/os.conf

Edit the file /etc/clamav-unofficial-sigs/user.conf and uncomment your user config options, making sure to set default_dbs_rating to LOW, MEDIUM, or HIGH, and uncomment the user_configuration_complete option after you are done:

# Default dbs rating 
# valid rating: LOW, MEDIUM, HIGH
default_dbs_rating="MEDIUM"

# Uncomment the following line to enable the script
user_configuration_complete="yes"

Run the script once as root to set all the permissions and create the relevant directories:

/usr/local/bin/clamav-unofficial-sigs.sh --force

Install the cron, logrotate and man pages:

/usr/local/bin/clamav-unofficial-sigs.sh --install-cron
/usr/local/bin/clamav-unofficial-sigs.sh --install-logrotate
/usr/local/bin/clamav-unofficial-sigs.sh --install-man

You should see the new signatures downloaded to the /var/lib/clamav directory.
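As an added example that is not part of the clamav-unofficial-sigs project or of this article, the following POSIX shell script checks the three things the procedure above depends on: that user.conf carries a valid default_dbs_rating and user_configuration_complete="yes" on uncommented lines, that third-party database files actually landed in /var/lib/clamav, and that outbound TCP 873 for rsync is reachable. The file paths are the ones used above; the rsync mirror host (taken from the script's own config, so passed as an argument here), the availability of nc, and the assumption that any database file other than main/daily/bytecode came from a third-party feed are assumptions of this example.

```shell
#!/bin/sh
# Added example (not the clamav-unofficial-sigs project's code): post-install
# sanity checks for the setup described in the article. Paths are the ones the
# article uses; the rsync mirror host is an argument because the script's own
# config decides which mirrors are used.

# Validate a user.conf: default_dbs_rating must be LOW, MEDIUM or HIGH and
# user_configuration_complete must be "yes"; both lines must be uncommented.
# The last uncommented assignment wins, as it would when the file is sourced.
check_user_conf() {
    conf="$1"
    [ -r "$conf" ] || { echo "cannot read $conf" >&2; return 1; }
    rating=$(sed -n 's/^[[:space:]]*default_dbs_rating="\([^"]*\)".*/\1/p' "$conf" | tail -n 1)
    complete=$(sed -n 's/^[[:space:]]*user_configuration_complete="\([^"]*\)".*/\1/p' "$conf" | tail -n 1)
    case "$rating" in
        LOW|MEDIUM|HIGH) ;;
        *) echo "default_dbs_rating is '$rating'; expected LOW, MEDIUM or HIGH" >&2; return 1 ;;
    esac
    if [ "$complete" != "yes" ]; then
        echo "user_configuration_complete is not \"yes\"; the script will not run" >&2
        return 1
    fi
    return 0
}

# Count signature files in a ClamAV database directory that did not come from
# the official main/daily/bytecode sets. Assumption (this example's, not the
# project's): any other file with a ClamAV signature extension was installed
# by a third-party feed.
count_unofficial_dbs() {
    dir="$1"
    n=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        case "$(basename "$f")" in
            main.*|daily.*|bytecode.*|mirrors.dat|*.info) continue ;;
            *.ndb|*.hdb|*.hsb|*.mdb|*.ldb|*.cdb|*.fp|*.ign2|*.yar|*.yara|*.wdb|*.pdb|*.idb|*.imp)
                n=$((n + 1)) ;;
        esac
    done
    echo "$n"
}

# Probe outbound TCP 873 to a mirror host (the port the Important note says
# must be open). Needs nc; returns 2 when no probe tool is available.
check_rsync_port() {
    host="$1"
    command -v nc >/dev/null 2>&1 || { echo "nc not found; cannot probe port 873" >&2; return 2; }
    if nc -z -w 5 "$host" 873 >/dev/null 2>&1; then
        echo "port 873/tcp to $host is reachable"
        return 0
    fi
    echo "port 873/tcp to $host is NOT reachable; check the firewall" >&2
    return 1
}

# Run the checks against the live system only when asked, e.g.:
#   sh check-unofficial-sigs.sh --run <rsync-mirror-host>
if [ "${1:-}" = "--run" ]; then
    check_user_conf /etc/clamav-unofficial-sigs/user.conf
    echo "third-party database files in /var/lib/clamav: $(count_unofficial_dbs /var/lib/clamav)"
    [ -n "${2:-}" ] && check_rsync_port "$2"
fi
```

A count of zero from count_unofficial_dbs after the first run usually means user_configuration_complete was left commented out or the rsync port is blocked, which is what the other two checks distinguish.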

Signatures Requiring Registration:

MalwarePatrol and Interserver
- We do not recommend using MalwarePatrol or Interserver signatures due to the high number of false positives from those signature providers.
