Antivirus, Antimalware, Antiphishing on CentOS or Cloudlinux with ClamAV


ClamAV is a widely used antivirus engine on Linux servers; it detects trojans, viruses, malware, phishing and other threats. By default ClamAV ships with a set of signatures that are updated from its official repository. On web servers running PHP, Python etc., where all kinds of applications are installed (WordPress, Joomla and so on), and on mail servers that receive phishing, viruses and trojans in the most diverse files and formats, the default signatures are not enough and additional signatures are needed.

There are several projects and sites on the web that offer free or paid signature subscriptions for ClamAV. It is very important to assess the quality of these subscriptions: it is quite common to find signature sets that generate what we call a "false positive".

eXtremeSHOK maintains a project on GitHub named clamav-unofficial-sigs that gathers several trusted signature sources available on the web for ClamAV and keeps them all up to date.

In addition to the signatures available through the project, we are going to add part of the trusted signatures that we use with our Linux Server Management clients.

Let’s go through the step-by-step guide for the correct installation and configuration of ClamAV-unofficial-sigs on CentOS and CloudLinux servers.

Install the epel-release repository

yum -y update
yum -y install epel-release
yum -y update

Check your firewall and open the ports if necessary:

rsync: TCP port 873
wget/curl: TCP port 443

Install ClamAV and components:

yum -y install clamav-server clamav-data clamav-update clamav-filesystem clamav clamav-scanner-systemd clamav-devel clamav-lib clamav-server-systemd

Configure SELinux to allow ClamAV (only if SELinux is enabled)
** Check whether SELinux is enabled; if it is disabled, skip this step.

sestatus

If the output shows SELinux is enabled, run the commands below (if it is disabled, skip to "Create the group and user for ClamAV"):

setsebool -P antivirus_can_scan_system 1
setsebool -P clamd_use_jit 1

Create the group and user for ClamAV

groupadd clamav
useradd -g clamav -s /bin/false -c "Clam AntiVirus" clamav

Create the directory and set its owner and group to clamav

mkdir /var/clamav
chown clamav:clamav /var/clamav

Remove the Example line (while it is present, clamd refuses to start)

sed -i '/^Example$/d' /etc/clamd.d/scan.conf

Edit the scan.conf file

nano /etc/clamd.d/scan.conf

Find the LocalSocket line and replace it with:

LocalSocket /var/run/clamd.scan/clamd.sock

Then paste the block below into the Linux shell:

cat << EOF > /etc/tmpfiles.d/clamav.conf
# type path mode user group; the owner must match the User directive in /etc/clamd.d/scan.conf
d /var/run/clamd.scan 0755 clamav clamav
EOF
mv /usr/lib/systemd/system/clamd\@scan.service /usr/lib/systemd/system/clamd\@scan.old
cat << EOF > /usr/lib/systemd/system/clamd\@scan.service
# Run the clamd scanner
[Unit]
Description = clamd scanner (%i) daemon
After = syslog.target nss-lookup.target network.target
[Service]
Type = simple
# -c points clamd at the per-instance config edited above (/etc/clamd.d/scan.conf for clamd@scan)
ExecStart = /usr/sbin/clamd -c /etc/clamd.d/%i.conf --foreground=yes
Restart = on-failure
IOSchedulingPriority = 7
# valid values are other, batch, idle, fifo, rr; batch keeps clamd low priority without starving it
CPUSchedulingPolicy = batch
Nice = 19
PrivateTmp = true
MemoryLimit=500M
CPUQuota=50%
[Install]
WantedBy = multi-user.target
EOF
systemctl daemon-reload
systemctl daemon-reload

Configuring FreshClam, paste the block below:

sed -i '/^Example$/d' /etc/freshclam.conf
sed -i '/REMOVE ME/d' /etc/sysconfig/freshclam
cat << EOF > /usr/lib/systemd/system/clam-freshclam.service
# Run the freshclam as daemon
[Unit]
Description = freshclam scanner
After = network.target

[Service]
Type = forking
ExecStart = /usr/bin/freshclam -d
Restart = on-failure
IOSchedulingPriority = 7
CPUSchedulingPolicy = 5
Nice = 19
PrivateTmp = true
[Install]
WantedBy = multi-user.target
EOF
systemctl daemon-reload
freshclam
systemctl enable clam-freshclam.service
systemctl start clam-freshclam.service

Enable and start the scanner, then check that everything is OK with status:

systemctl enable clamd@scan
systemctl start clamd@scan
systemctl status clamd@scan

Installing Dependencies:

yum -y install bind-utils rsync

Installing clamav-unofficial-sigs:

mkdir -p /usr/local/sbin/
wget https://raw.githubusercontent.com/extremeshok/clamav-unofficial-sigs/master/clamav-unofficial-sigs.sh -O /usr/local/sbin/clamav-unofficial-sigs.sh; chmod 755 /usr/local/sbin/clamav-unofficial-sigs.sh
mkdir -p /etc/clamav-unofficial-sigs/
wget https://raw.githubusercontent.com/extremeshok/clamav-unofficial-sigs/master/config/master.conf -O /etc/clamav-unofficial-sigs/master.conf
wget https://raw.githubusercontent.com/extremeshok/clamav-unofficial-sigs/master/config/user.conf -O /etc/clamav-unofficial-sigs/user.conf

If your linux distribution is CentOS 7 or CloudLinux 7 copy and paste the instructions below:

os_conf="os.centos7-atomic.conf"
wget "https://raw.githubusercontent.com/extremeshok/clamav-unofficial-sigs/master/config/os/${os_conf}" -O /etc/clamav-unofficial-sigs/os.conf

**Note: for other Linux distributions, open the clamav-unofficial-sigs project page (https://github.com/extremeshok/clamav-unofficial-sigs) and, under "Operating System Specific Install", pick the configuration that best matches your Linux.

Before moving on to the next step, sign up at two sites that offer excellent signature subscriptions for ClamAV.


1 – MalwarePatrol Free
Create your free account at: https://www.malwarepatrol.net/free-guard-upgrade-option/
Your browser will display "Password/Receipt:".
Save this information; we will need it in the next step.


2 – SecuriteInfo Free

Create your free account at: https://www.securiteinfo.com/clients/customers/signup
You will receive an email with a link to activate your account; after activation you will receive another email with the username and password to log in to the site.
Log in and go to: https://www.securiteinfo.com/clients/customers/account
Click on the Setup tab; you will see a URL next to DatabaseCustomURL.
We need your individual identifier, which is a string of 128 characters.
In the URL next to DatabaseCustomURL, copy the sequence that follows
https://www.securiteinfo.com/get/signatures/
up to the next "/".

Save this information; we will use it in the next step.

The other repositories used by clamav-unofficial-sigs do not require registration; for reference, they are:

Yara Rules: https://github.com/Yara-Rules/rules
Urlhaus: https://urlhaus.abuse.ch/
Linux Malware Detect Subscriptions: https://www.rfxn.com/projects/linux-malware-detect/


** There are many free signatures for ClamAV on the web; unfortunately many of them generate false positives when detecting viruses/malware. It is very important to verify, in the community and by other means, how trustworthy any new signature set is.

Let's add two additional signature repositories for ClamAV in the configuration file we will edit next.

Mailborder: https://www.mailborder.com/
MalwareExpert: https://malware.expert/



Signature configuration for Clamav:

Edit the user.conf file:

nano /etc/clamav-unofficial-sigs/user.conf

Locate the following line and remove the leading #:

securiteinfo_authorisation_signature="YOUR-SIGNATURE-NUMBER"

Replace YOUR-SIGNATURE-NUMBER with the 128-character code you saved in the SecuriteInfo Free steps above.

Next we’ll add a few more signatures.

Find the following lines and remove the leading # from them:

declare -a additional_dbs=(
#ftp://ftp.example.net/pub/sigs.ndb
#http://www.example.org/sigs.ldb
)

Delete the two commented example lines inside the parentheses and paste the URLs below in their place:

http://cdn.malware.expert/malware.expert.ndb
http://cdn.malware.expert/malware.expert.hdb
http://cdn.malware.expert/malware.expert.ldb
http://cdn.malware.expert/malware.expert.fp
http://sigs.mailborder.com/sigwhitelist.ign2
http://sigs.mailborder.com/sanesecurity.ftm
http://sigs.mailborder.com/junk.ndb
http://sigs.mailborder.com/jurlbl.ndb
http://sigs.mailborder.com/phish.ndb
http://sigs.mailborder.com/rogue.hdb
http://sigs.mailborder.com/scam.ndb
http://sigs.mailborder.com/spamimg.hdb
http://sigs.mailborder.com/spamattach.hdb
http://sigs.mailborder.com/blurl.ndb
http://sigs.mailborder.com/foxhole_generic.cdb
http://sigs.mailborder.com/foxhole_filename.cdb
http://sigs.mailborder.com/malwarehash.hsb
http://sigs.mailborder.com/hackingteam.hsb
http://sigs.mailborder.com/winnow_malware.hdb
http://sigs.mailborder.com/winnow_malware_links.ndb
http://sigs.mailborder.com/winnow_extended_malware.hdb
http://sigs.mailborder.com/winnow.attachments.hdb
http://sigs.mailborder.com/winnow_bad_cw.hdb
http://sigs.mailborder.com/bofhland_cracked_URL.ndb
http://sigs.mailborder.com/bofhland_malware_URL.ndb
http://sigs.mailborder.com/bofhland_phishing_URL.ndb
http://sigs.mailborder.com/bofhland_malware_attach.hdb
http://sigs.mailborder.com/crdfam.clamav.hdb
http://sigs.mailborder.com/porcupine.ndb
http://sigs.mailborder.com/porcupine.hsb
http://sigs.mailborder.com/spam.ldb
http://sigs.mailborder.com/spear.ndb
http://sigs.mailborder.com/spearl.ndb
http://sigs.mailborder.com/foxhole_js.cdb
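As an added example (not part of the original post or of the clamav-unofficial-sigs project), the bash script below extracts the SecuriteInfo identifier from the DatabaseCustomURL described above, checks that it is exactly 128 hex characters, and renders the securiteinfo_authorisation_signature line and the additional_dbs array so they can be reviewed before being pasted into user.conf. The function names are my own and the portal URL in the demo is a constructed placeholder.

```bash
#!/bin/bash
# Added helper, not part of the original post or of clamav-unofficial-sigs.
# Pulls the SecuriteInfo identifier out of the portal's DatabaseCustomURL,
# checks it is 128 hex characters, and renders the user.conf lines from above.
set -eu

# Prints the identifier found between ".../get/signatures/" and the next "/".
# Returns 1 if the prefix is missing or the identifier is not 128 hex chars.
securiteinfo_id_from_url() {
    url="$1"
    id="${url#*/get/signatures/}"     # strip everything up to the prefix
    [ "$id" != "$url" ] || return 1   # prefix not found at all
    id="${id%%/*}"                    # keep only the path segment after it
    case "$id" in
        "" | *[!0-9a-fA-F]*) return 1 ;;  # empty or contains a non-hex char
    esac
    [ "${#id}" -eq 128 ] || return 1
    printf '%s\n' "$id"
}

# Prints the user.conf settings: the authorisation signature line followed by
# the additional_dbs array, one database URL per line.
render_user_conf() {
    sig="$1"; shift
    printf 'securiteinfo_authorisation_signature="%s"\n' "$sig"
    printf 'declare -a additional_dbs=(\n'
    for db in "$@"; do
        printf '%s\n' "$db"
    done
    printf ')\n'
}

# Demo with a constructed identifier (128 x "a"); use the URL from your own account instead.
demo_url="https://www.securiteinfo.com/get/signatures/$(printf 'a%.0s' $(seq 1 128))/securiteinfo.hdb"
if sig=$(securiteinfo_id_from_url "$demo_url"); then
    render_user_conf "$sig" \
        http://cdn.malware.expert/malware.expert.ndb \
        http://sigs.mailborder.com/phish.ndb
else
    echo "no valid 128-character identifier found in: $demo_url" >&2
fi
```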

Run the Script below to download all signatures for the first time and finalize some settings. This process may take a while, wait until the end.

/usr/local/sbin/clamav-unofficial-sigs.sh --force

The following command installs a cron job that keeps the signatures up to date:

/usr/local/sbin/clamav-unofficial-sigs.sh --install-cron

The following commands install the logrotate configuration and the man page for clamav-unofficial-sigs:

/usr/local/sbin/clamav-unofficial-sigs.sh --install-logrotate
/usr/local/sbin/clamav-unofficial-sigs.sh --install-man


Final Note: Server Management HelpSysAdmin customers have these and many other trusted signatures for ClamAV.