Topic: [Tutorial] Increasing ClamAV effectiveness
Edit: Currently tested and working on iredmail 1.3.1 under Ubuntu 20.01
As you probably know, ClamAV is fine as an AV but is not on par with paid commercial products, and sometimes viruses can slip through.
There is a way to add custom signature databases maintained by third parties to ClamAV, which increases the detection rate for viruses and 0-days. This tutorial shows how to configure this.
The folks over at SaneSecurity are kind enough to host a bunch of different signatures that can be used with ClamAV. Please do not abuse this service and consider making a donation.
They do offer a script to automatically configure everything, but I don't recommend it since it might break your installation.
All the signatures can be found here. I've created this tutorial using the main ones. Feel free to modify, remove, or use different signatures.
First, make sure your ClamAV is set up correctly. Edit the file /etc/clamav/clamd.conf and make sure OfficialDatabaseOnly is set to false.
If not, change it and restart ClamAV:
service clamav restart
Then we need freshclam to automatically download the third-party databases. Open the file /etc/clamav/freshclam.conf and add this at the end:
# Sanesecurity + Foxhole
DatabaseCustomURL http://ftp.swin.edu.au/sanesecurity/junk.ndb
DatabaseCustomURL http://ftp.swin.edu.au/sanesecurity/jurlbl.ndb
DatabaseCustomURL http://ftp.swin.edu.au/sanesecurity/phish.ndb
DatabaseCustomURL http://ftp.swin.edu.au/sanesecurity/rogue.hdb
DatabaseCustomURL http://ftp.swin.edu.au/sanesecurity/sanesecurity.ftm
DatabaseCustomURL http://ftp.swin.edu.au/sanesecurity/sigwhitelist.ign2
DatabaseCustomURL http://ftp.swin.edu.au/sanesecurity/scam.ndb
DatabaseCustomURL http://ftp.swin.edu.au/sanesecurity/spamimg.hdb
DatabaseCustomURL http://ftp.swin.edu.au/sanesecurity/spamattach.hdb
DatabaseCustomURL http://ftp.swin.edu.au/sanesecurity/blurl.ndb
DatabaseCustomURL http://ftp.swin.edu.au/sanesecurity/foxhole_generic.cdb
DatabaseCustomURL http://ftp.swin.edu.au/sanesecurity/foxhole_filename.cdb
DatabaseCustomURL http://ftp.swin.edu.au/sanesecurity/foxhole_js.cdb
DatabaseCustomURL http://ftp.swin.edu.au/sanesecurity/foxhole_js.ndb
DatabaseCustomURL http://ftp.swin.edu.au/sanesecurity/foxhole_all.cdb
DatabaseCustomURL http://ftp.swin.edu.au/sanesecurity/foxhole_all.ndb
DatabaseCustomURL http://ftp.swin.edu.au/sanesecurity/foxhole_mail.cdb
DatabaseCustomURL http://ftp.swin.edu.au/sanesecurity/malwarehash.hsb
DatabaseCustomURL http://ftp.swin.edu.au/sanesecurity/hackingteam.hsb
DatabaseCustomURL http://ftp.swin.edu.au/sanesecurity/badmacro.ndb
DatabaseCustomURL http://ftp.swin.edu.au/sanesecurity/shelter.ldb
# winnow
DatabaseCustomURL http://ftp.swin.edu.au/sanesecurity/winnow_malware.hdb
DatabaseCustomURL http://ftp.swin.edu.au/sanesecurity/winnow_malware_links.ndb
DatabaseCustomURL http://ftp.swin.edu.au/sanesecurity/winnow_phish_complete_url.ndb
DatabaseCustomURL http://ftp.swin.edu.au/sanesecurity/winnow_extended_malware.hdb
DatabaseCustomURL http://ftp.swin.edu.au/sanesecurity/winnow.attachments.hdb
DatabaseCustomURL http://ftp.swin.edu.au/sanesecurity/winnow_bad_cw.hdb
# Malware.expert
DatabaseCustomURL http://ftp.swin.edu.au/sanesecurity/malware.expert.hdb
# bofhland
DatabaseCustomURL http://ftp.swin.edu.au/sanesecurity/bofhland_cracked_URL.ndb
DatabaseCustomURL http://ftp.swin.edu.au/sanesecurity/bofhland_malware_URL.ndb
DatabaseCustomURL http://ftp.swin.edu.au/sanesecurity/bofhland_phishing_URL.ndb
DatabaseCustomURL http://ftp.swin.edu.au/sanesecurity/bofhland_malware_attach.hdb
# Porcupine
DatabaseCustomURL http://ftp.swin.edu.au/sanesecurity/porcupine.ndb
DatabaseCustomURL http://ftp.swin.edu.au/sanesecurity/phishtank.ndb
DatabaseCustomURL http://ftp.swin.edu.au/sanesecurity/porcupine.hsb
You then need to restart freshclam:
service clamav-freshclam restart
To make sure the databases were downloaded, check your logs in /var/log/clamav/freshclam.log.
You should not have any errors before continuing.
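The two checks above (OfficialDatabaseOnly still false, and every DatabaseCustomURL actually fetched without freshclam complaining) are easy to get wrong by eye, so here is a small Python script that does them. It is an added example, not part of the original post or of iRedMail/ClamAV; the /etc/clamav and /var/lib/clamav paths are the Ubuntu ones the post uses, and the config and log snippets at the bottom are constructed so the script can be dry-run on a machine without ClamAV. It assumes freshclam stores a custom database under the URL's basename in the database directory.

```python
"""Post-setup check for third-party ClamAV databases (added example)."""
import os
import re
import tempfile

# Paths from the tutorial (Ubuntu / iRedMail layout).
CLAMD_CONF = '/etc/clamav/clamd.conf'
FRESHCLAM_CONF = '/etc/clamav/freshclam.conf'
FRESHCLAM_LOG = '/var/log/clamav/freshclam.log'
DB_DIR = '/var/lib/clamav'

TRUE_WORDS = {'yes', 'true', '1', 'on'}


def official_database_only(clamd_conf_text):
    """Effective OfficialDatabaseOnly value (ClamAV default is false).
    Commented-out lines are ignored; the last active line wins."""
    value = False
    for line in clamd_conf_text.splitlines():
        m = re.match(r'^\s*OfficialDatabaseOnly\s+(\S+)', line)
        if m:
            value = m.group(1).lower() in TRUE_WORDS
    return value


def custom_database_names(freshclam_conf_text):
    """Basenames of every active DatabaseCustomURL entry, in file order."""
    names = []
    for line in freshclam_conf_text.splitlines():
        m = re.match(r'^\s*DatabaseCustomURL\s+(\S+)', line)
        if m:
            names.append(m.group(1).rsplit('/', 1)[-1])
    return names


def missing_databases(names, db_dir):
    """Configured databases that have no file in the ClamAV db directory."""
    return [n for n in names if not os.path.isfile(os.path.join(db_dir, n))]


def freshclam_problems(log_text):
    """Log lines flagged ERROR or WARNING; the post says there should be none."""
    return [l for l in log_text.splitlines()
            if re.search(r'\b(ERROR|WARNING)\b', l)]


def run_checks(clamd_conf_path, freshclam_conf_path, log_path, db_dir):
    """Run all checks against real files and return a summary dict."""
    with open(clamd_conf_path) as f:
        official_only = official_database_only(f.read())
    with open(freshclam_conf_path) as f:
        names = custom_database_names(f.read())
    with open(log_path) as f:
        problems = freshclam_problems(f.read())
    return {'official_database_only': official_only,
            'custom_databases': names,
            'missing': missing_databases(names, db_dir),
            'log_problems': problems}


# Constructed samples for a dry run (not real files from any system).
SAMPLE_CLAMD_CONF = "#OfficialDatabaseOnly no\nOfficialDatabaseOnly false\n"
SAMPLE_FRESHCLAM_CONF = ("# Sanesecurity + Foxhole\n"
                         "DatabaseCustomURL http://ftp.swin.edu.au/sanesecurity/junk.ndb\n"
                         "DatabaseCustomURL http://ftp.swin.edu.au/sanesecurity/phish.ndb\n")
SAMPLE_LOG = ("Sun Aug  1 03:00:00 2021 -> junk.ndb updated (version: custom database)\n"
              "Sun Aug  1 03:00:01 2021 -> WARNING: Can't download phish.ndb from mirror\n")


def dry_run():
    """Exercise the checks on the constructed samples in a temporary directory;
    only junk.ndb is 'downloaded', so phish.ndb must show up as missing."""
    with tempfile.TemporaryDirectory() as tmp:
        paths = {}
        for name, text in (('clamd.conf', SAMPLE_CLAMD_CONF),
                           ('freshclam.conf', SAMPLE_FRESHCLAM_CONF),
                           ('freshclam.log', SAMPLE_LOG)):
            paths[name] = os.path.join(tmp, name)
            with open(paths[name], 'w') as f:
                f.write(text)
        with open(os.path.join(tmp, 'junk.ndb'), 'w') as f:
            f.write('')
        return run_checks(paths['clamd.conf'], paths['freshclam.conf'],
                          paths['freshclam.log'], tmp)


if __name__ == '__main__':
    live = all(os.path.exists(p) for p in (CLAMD_CONF, FRESHCLAM_CONF, FRESHCLAM_LOG))
    result = (run_checks(CLAMD_CONF, FRESHCLAM_CONF, FRESHCLAM_LOG, DB_DIR)
              if live else dry_run())
    for key, val in result.items():
        print(f'{key}: {val}')
```

Run it as root (the freshclam log is not world-readable on every box); anything listed under missing or log_problems needs fixing before you move on to the amavis part.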
We need to tell amavis to pass the whole message to ClamAV so that it can also scan things like the subject.
To do so, open the following file:
/etc/amavis/conf.d/50-user
and find the following lines:
@keep_decoded_original_maps = (new_RE(
# let virus scanner (clamav) see full original message (can be slow)
# this setting is required if we're going to use third-party clamav
# signatures. for example, Sanesecurity signatures.
# FYI: http://sanesecurity.com/support/signature-testing/
#qr'^MAIL$',
qr'^MAIL-UNDECIPHERABLE$', # same as ^MAIL$ if mail is undecipherable
qr'^(ASCII(?! cpio)|text|uuencoded|xxencoded|binhex)'i,
#qr'^Zip archive data', # don't trust Archive::Zip
));
You need to uncomment the following line, so just remove the '#' in front of it:
#qr'^MAIL$',
ClamAV will now detect everything that matches our custom signatures. The issue is that right now amavis will not know what to do with such a detection, since some signatures flag spam, some flag malware, and some are even whitelist entries. Still in the same file:
/etc/amavis/conf.d/50-user
check whether @virus_name_to_spam_score_maps already exists. If not, add the following before @av_scanners:
# Mark Spam/Virus with third-party clamav signatures: SaneSecurity.
# *) The order matters, first match wins. Set to 'undef' to keep as infected
# *) Anything declared as undefined will be marked as a virus
@virus_name_to_spam_score_maps =(new_RE(
# SaneSecurity + Foxhole
[ qr'^Sanesecurity\.(Malware|Badmacro|Foxhole|Rogue|Trojan)\.' => undef ],
[ qr'^Sanesecurity\.MalwareHash\.' => undef ],
[ qr'^Sanesecurity.TestSig_' => undef ],
[ qr'^Sanesecurity\.' => 0.1 ],
# winnow
[ qr'^winnow\.(Exploit|Trojan|malware)\.' => undef ],
[ qr'^winnow\.(botnet|compromised|trojan)' => undef ],
[ qr'^winnow\.(exe|ms|JS)\.' => undef ],
[ qr'^winnow\.phish\.' => 3.0 ],
[ qr'^winnow\.' => 0.1 ],
# bofhland
[ qr'^Bofhland\.Malware\.' => undef ],
[ qr'^BofhlandMWFile' => undef ],
[ qr'^Bofhland\.Phishing\.' => 3.0 ],
[ qr'^Bofhland\.' => 0.1 ],
# porcupine.ndb
[ qr'^Porcupine\.(Malware|Trojan)\.' => undef ],
[ qr'^Porcupine\.(Junk|Spammer)\.' => 3.0 ],
[ qr'^Porcupine\.Phishing\.' => 3.0 ],
[ qr'^Porcupine\.' => 0.01 ],
# phishtank.ndb
[ qr'^PhishTank\.Phishing\.' => 3.0 ],
# SecuriteInfo
[ qr'^SecuriteInfo\.com\.Spammer\.' => 3.0 ],
# Others
[ qr'^Structured\.(SSN|CreditCardNumber)\b' => 0.1 ],
[ qr'^(Heuristics\.)?Phishing\.' => 0.1 ],
[ qr'^(Email|HTML)\.Phishing\.(?!.*Sanesecurity)' => 0.1 ],
[ qr'^Email\.Spam\.Bounce(\.[^., ]*)*\.Sanesecurity\.' => 0 ],
[ qr'^Email\.Spammail\b' => 0.1 ],
[ qr'^MSRBL-(Images|SPAM)\b' => 0.1 ],
[ qr'^VX\.Honeypot-SecuriteInfo\.com\.Joke' => 0.1 ],
[ qr'^VX\.not-virus_(Hoax|Joke)\..*-SecuriteInfo\.com(\.|\z)' => 0.1 ],
[ qr'^Email\.Spam.*-SecuriteInfo\.com(\.|\z)' => 0.1 ],
[ qr'^Safebrowsing\.' => 0.1 ],
[ qr'^INetMsg\.SpamDomain' => 0.1 ],
[ qr'^Doppelstern\.(Spam|Scam|Phishing|Junk|Lott|Loan)'=> 0.1 ],
[ qr'^ScamNailer\.' => 0.1 ],
[ qr'^HTML/Bankish' => 0.1 ],
[ qr'(-)?SecuriteInfo\.com(\.|\z)' => undef ],
[ qr'^MBL_NA\.UNOFFICIAL' => 0.1 ],
[ qr'^MBL_' => undef ],
));
Note: I'm setting the spam score to 30 to make sure they are set to spam even if they have other valid scores. Anything declared as undefined will be marked as a virus
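To see how amavis will treat a given detection name with this map, here is a Python re-implementation of its first-match-wins lookup over the table above. This is an added example, not code from the post or from amavisd; the patterns are copied from the config, with the one translation that Perl's end-of-string anchor \z is written \Z in Python's re module, and undef becomes None. The signature names at the bottom are constructed to look like the UNOFFICIAL names these databases produce.

```python
"""First-match-wins lookup over @virus_name_to_spam_score_maps (added example)."""
import re

# (pattern, score) in the order of the post's config; None stands for undef.
VIRUS_NAME_TO_SPAM_SCORE = [
    # SaneSecurity + Foxhole
    (r'^Sanesecurity\.(Malware|Badmacro|Foxhole|Rogue|Trojan)\.', None),
    (r'^Sanesecurity\.MalwareHash\.', None),
    (r'^Sanesecurity.TestSig_', None),
    (r'^Sanesecurity\.', 0.1),
    # winnow
    (r'^winnow\.(Exploit|Trojan|malware)\.', None),
    (r'^winnow\.(botnet|compromised|trojan)', None),
    (r'^winnow\.(exe|ms|JS)\.', None),
    (r'^winnow\.phish\.', 3.0),
    (r'^winnow\.', 0.1),
    # bofhland
    (r'^Bofhland\.Malware\.', None),
    (r'^BofhlandMWFile', None),
    (r'^Bofhland\.Phishing\.', 3.0),
    (r'^Bofhland\.', 0.1),
    # porcupine.ndb / phishtank.ndb
    (r'^Porcupine\.(Malware|Trojan)\.', None),
    (r'^Porcupine\.(Junk|Spammer)\.', 3.0),
    (r'^Porcupine\.Phishing\.', 3.0),
    (r'^Porcupine\.', 0.01),
    (r'^PhishTank\.Phishing\.', 3.0),
    # SecuriteInfo and others
    (r'^SecuriteInfo\.com\.Spammer\.', 3.0),
    (r'^Structured\.(SSN|CreditCardNumber)\b', 0.1),
    (r'^(Heuristics\.)?Phishing\.', 0.1),
    (r'^(Email|HTML)\.Phishing\.(?!.*Sanesecurity)', 0.1),
    (r'^Email\.Spam\.Bounce(\.[^., ]*)*\.Sanesecurity\.', 0),
    (r'^Email\.Spammail\b', 0.1),
    (r'^MSRBL-(Images|SPAM)\b', 0.1),
    (r'^Safebrowsing\.', 0.1),
    (r'^ScamNailer\.', 0.1),
    (r'^HTML/Bankish', 0.1),
    (r'(-)?SecuriteInfo\.com(\.|\Z)', None),   # Perl \z written as Python \Z
    (r'^MBL_NA\.UNOFFICIAL', 0.1),
    (r'^MBL_', None),
]
COMPILED = [(re.compile(p), s) for p, s in VIRUS_NAME_TO_SPAM_SCORE]


def classify(virus_name):
    """Return ('virus', None) or ('spam', score) for a ClamAV detection name.

    Walk the map top to bottom; the first matching pattern decides.  A defined
    score turns the hit into a spam-score contribution, undef (None) keeps the
    message as infected, and so does matching nothing at all."""
    for rx, score in COMPILED:
        if rx.search(virus_name):          # Perl =~ is an unanchored search
            return ('virus', None) if score is None else ('spam', score)
    return ('virus', None)


# Constructed names in the shape the third-party databases produce.
SAMPLE_NAMES = [
    'Sanesecurity.Malware.27121.Jspdf.UNOFFICIAL',
    'Sanesecurity.Junk.50000.UNOFFICIAL',
    'Sanesecurity.TestSig_Type4_Hdr.UNOFFICIAL',
    'winnow.phish.ts.gen1.UNOFFICIAL',
    'Email.Spam.Bounce.Sanesecurity.12345.UNOFFICIAL',
    'Porcupine.Junk.1234.UNOFFICIAL',
    'Trojan.Agent-1.SecuriteInfo.com',
    'Win.Trojan.Agent-1234567',
]

if __name__ == '__main__':
    for name in SAMPLE_NAMES:
        print(f'{name:50} -> {classify(name)}')
```

Ordering is what makes the table work: a generic entry such as ^Sanesecurity\. must come after the specific Malware/Badmacro/Foxhole entries, otherwise real malware from that feed would be downgraded to a 0.1 spam score. Run the script against any signature name you see in the amavis log before deciding to move a line.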
To apply everything, we need to restart amavis:
service amavis restart
That's it!
To test everything, follow the instructions here. All 3 tests should be flagged as viruses if everything was done correctly.