ClamAV is an antivirus engine widely used on Linux servers to detect trojans, viruses, malware, phishing and other threats. By default ClamAV ships with the official signature databases, which are updated from its standard mirrors. On web servers running PHP, Python and so on, where all kinds of applications are installed (WordPress, Joomla and others), and on mail servers that receive phishing, viruses and trojans in the most diverse files and formats, the official signatures are not enough and additional signatures are needed.
On the web there are several projects and sites that offer free or paid signature subscriptions for ClamAV, but it is very important to assess the quality of each one: it is quite common to find signature sets that generate what we call a “false positive”.
eXtremeSHOK maintains a project on GitHub named clamav-unofficial-sigs that gathers several trusted signature sources available on the web for ClamAV and keeps them up to date.
In addition to the sources built into the project, we are going to add some of the trusted signatures that we use with our Linux Server Management clients.
Let's go step by step through the correct installation and configuration of clamav-unofficial-sigs on CentOS and CloudLinux servers.
Install the epel-release repository
Check your firewall and open the ports if necessary:
Install ClamAV and components:
Configure SELinux to allow ClamAV (only if SELinux is enabled)
** First check whether SELinux is enabled. If it is disabled, skip this step.
If the result is enabled (enforcing or permissive), proceed; if it is disabled, skip ahead to the ClamAV user:
Create the group and user for ClamAV
Create the directory and change its group and owner to the ClamAV user
Remove the Example line
Edit the scan.conf file
Find LocalSocket and replace with:
Then paste the block below into the Linux shell:
Configure FreshClam by pasting the block below:
Enable and start the services, then check that everything is OK with status:
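The base ClamAV setup from the steps above (EPEL, packages, SELinux boolean, ClamAV user, socket directory, scan.conf, freshclam.conf, services) gathered into one idempotent script. This is an added example and not the command blocks from the original post. Everything that the post does not state is an assumption here: the EPEL package names, the config paths /etc/clamd.d/scan.conf and /etc/freshclam.conf, the socket path /var/run/clamd.scan/clamd.sock, the SELinux boolean antivirus_can_scan_system, the service names clamd@scan and clamav-freshclam, and the tmpfiles.d entry. The config-editing functions work on any file you pass them, so they can be tried on a copy before touching the live configuration.

```shell
#!/bin/sh
# Added example (not from the original post): base ClamAV setup on CentOS/CloudLinux 7.
# Assumed, not taken from the post: package names, config and socket paths, the SELinux
# boolean and the service names. Run as root with "--apply" to make changes; without
# that argument the script only defines its functions.
set -u

CLAMD_CONF=${CLAMD_CONF:-/etc/clamd.d/scan.conf}
FRESHCLAM_CONF=${FRESHCLAM_CONF:-/etc/freshclam.conf}
CLAMD_SOCK=${CLAMD_SOCK:-/var/run/clamd.scan/clamd.sock}
CLAM_USER=clamav

# Print the SELinux state in lower case: enforcing, permissive or disabled
# (disabled is also reported when the SELinux tooling is not installed at all).
selinux_state() {
  if command -v getenforce >/dev/null 2>&1; then
    getenforce | tr 'A-Z' 'a-z'
  else
    echo disabled
  fi
}

# The policy boolean only matters when SELinux is enforcing or permissive; it lets
# the antivirus domain read the whole filesystem (web roots, mail spools).
allow_clamav_selinux() {
  case $(selinux_state) in
    enforcing|permissive) setsebool -P antivirus_can_scan_system 1 ;;
    *) echo "SELinux disabled, skipping setsebool" ;;
  esac
}

# Edit a clamd config file: drop the "Example" guard line (clamd refuses to start while
# it is present) and replace any LocalSocket/User line, commented or not, with ours.
# The [[:space:]] after LocalSocket leaves LocalSocketGroup/LocalSocketMode untouched.
# Written through a temp file so it works with any sed, not only GNU sed -i.
configure_scan_conf() {
  conf=$1
  sock=$2
  user=$3
  tmpf=$(mktemp) || return 1
  sed -e '/^Example[[:space:]]*$/d' \
      -e '/^#*LocalSocket[[:space:]]/d' \
      -e '/^#*User[[:space:]]/d' "$conf" > "$tmpf" || return 1
  printf 'LocalSocket %s\nUser %s\n' "$sock" "$user" >> "$tmpf"
  cat "$tmpf" > "$conf"
  rm -f "$tmpf"
}

# freshclam.conf ships with the same "Example" guard line.
configure_freshclam_conf() {
  tmpf=$(mktemp) || return 1
  sed -e '/^Example[[:space:]]*$/d' "$1" > "$tmpf" || return 1
  cat "$tmpf" > "$1"
  rm -f "$tmpf"
}

apply() {
  yum -y install epel-release
  yum -y install clamav clamav-update clamd clamav-data
  allow_clamav_selinux
  getent group "$CLAM_USER" >/dev/null || groupadd -r "$CLAM_USER"
  id "$CLAM_USER" >/dev/null 2>&1 || \
    useradd -r -g "$CLAM_USER" -s /sbin/nologin -d /var/lib/clamav "$CLAM_USER"
  sockdir=$(dirname "$CLAMD_SOCK")
  mkdir -p "$sockdir"
  chown "$CLAM_USER:$CLAM_USER" "$sockdir"
  # /var/run is tmpfs on CentOS 7: recreate the socket directory with our owner at boot
  # (assumption: no packaged tmpfiles.d entry already claims this path for another user).
  printf 'd %s 0710 %s %s -\n' "$sockdir" "$CLAM_USER" "$CLAM_USER" \
    > /etc/tmpfiles.d/clamd.scan.conf
  configure_scan_conf "$CLAMD_CONF" "$CLAMD_SOCK" "$CLAM_USER"
  configure_freshclam_conf "$FRESHCLAM_CONF"
  systemctl enable clamd@scan clamav-freshclam
  systemctl start clamd@scan clamav-freshclam
  systemctl status clamd@scan clamav-freshclam
}

if [ "${1:-}" = "--apply" ]; then
  apply
fi
```

Run it once as root with `--apply`; running it a second time is harmless because the user, group and config edits are all checked or replaced rather than duplicated. If clamd still fails to start after this, `journalctl -u clamd@scan` usually shows either a leftover Example line or a socket directory owned by the wrong user.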
Install the dependencies:
Install clamav-unofficial-sigs:
If your Linux distribution is CentOS 7 or CloudLinux 7, copy and paste the instructions below:
**Note: for other Linux distributions, open the link below and, under “Operating System Specific Install”, choose the option that matches your Linux: clamav-unofficial-sigs
Before moving on to the next step, sign up with two sites that offer excellent signature subscriptions for ClamAV.
1 – MalwarePatrol Free
Create your free account at: https://www.malwarepatrol.net/free-guard-upgrade-option/
Your browser will display a “Password/Receipt:” value.
Save this value; we will need it in the next step.
2 – SecuriteInfo Free
Create your free account at: https://www.securiteinfo.com/clients/customers/signup
You will receive an email with a link to activate your account; after activation you will receive another email with the username and password to log in to the site.
Log in and go to: https://www.securiteinfo.com/clients/customers/account
Click on the Setup tab; you will see a URL next to DatabaseCustomURL.
We need your individual identifier, which is a string of 128 characters.
In the URL next to DatabaseCustomURL, copy the sequence that comes after
https://www.securiteinfo.com/get/signatures/
and ends at the next “/”.
Save this identifier; we will use it in the next step.
The other repositories used by clamav-unofficial-sigs do not require registration; for reference, they are:
Yara Rules: https://github.com/Yara-Rules/rules
Urlhaus: https://urlhaus.abuse.ch/
Linux Malware Detect signatures: https://www.rfxn.com/projects/linux-malware-detect/
** There are many free signature sets for ClamAV on the web; unfortunately many of them generate false positives when detecting viruses/malware. It is very important to verify, in the community and through other means, how trustworthy new signatures are before deploying them.
Let's add two more signature repositories for ClamAV in the configuration file that we will cover next.
Mailborder: https://www.mailborder.com/
MalwareExpert: https://malware.expert/
Signature configuration for ClamAV:
Edit the user.conf file:
Locate the following lines and remove the leading #:
Replace YOUR-SIGNATURE-NUMBER with the 128-character identifier you saved in the SecuriteInfo Free steps above
Next we’ll add a few more signatures.
Find the following lines and remove the leading #:
Delete the bold (gray) lines above and paste the content below:
Run the script below to download all the signatures for the first time and finalize some settings. This can take a while; wait until it finishes.
The following script installs the cron job that keeps the signatures up to date:
The following script installs the logrotate configuration for clamav-unofficial-sigs:
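The SecuriteInfo identifier extraction described earlier and the user.conf configuration, first download, cron and logrotate steps above, as one added example. This is not code from the original post nor from the clamav-unofficial-sigs project. What it assumes, and what you should verify against your own master.conf: the override variable names (securiteinfo_authorisation_signature, malwarepatrol_receipt_code, malwarepatrol_free, the *_enabled switches, additional_dbs and user_configuration_complete), that user.conf is sourced after master.conf so only overrides need to be present, the config directory /etc/clamav-unofficial-sigs, the script path /usr/local/bin/clamav-unofficial-sigs.sh and its --force, --install-cron and --install-logrotate options. The additional_dbs URLs are placeholders, not real paths; the identifier check treats it as 128 letters and digits, which is an assumption about its alphabet.

```shell
#!/bin/sh
# Added example (not from the original post or the clamav-unofficial-sigs project):
# build user.conf from the two subscription credentials, then run the first download
# and install cron and logrotate. Variable names, paths and options are assumptions;
# check them against your master.conf and "clamav-unofficial-sigs.sh --help".
# Run as root: ./setup-sigs.sh --apply '<DatabaseCustomURL>' '<MalwarePatrol receipt>'
set -u

CUS_DIR=${CUS_DIR:-/etc/clamav-unofficial-sigs}
CUS_BIN=${CUS_BIN:-/usr/local/bin/clamav-unofficial-sigs.sh}

# Pull the 128-character identifier out of the DatabaseCustomURL from the Setup tab:
# the segment after https://www.securiteinfo.com/get/signatures/ up to the next "/".
# Prints nothing and returns 1 when the prefix is wrong, the segment is not 128 long
# or contains anything but letters and digits (assumed alphabet), so a copy-paste
# mistake is caught here instead of failing silently on every download.
securiteinfo_id_from_url() {
  id=${1#https://www.securiteinfo.com/get/signatures/}
  id=${id%%/*}
  case $id in
    ''|*[!0-9A-Za-z]*) return 1 ;;
  esac
  [ "${#id}" -eq 128 ] || return 1
  printf '%s\n' "$id"
}

# Write the overrides. user.conf is read after master.conf and os.conf (assumption),
# so only the values that differ from master.conf need to appear here.
write_user_conf() {
  out=$1
  si_id=$2
  mp_receipt=$3
  cat > "$out" <<EOF
# Generated by the setup example; edit by hand afterwards if needed.

# SecuriteInfo (the 128-character identifier from DatabaseCustomURL)
securiteinfo_enabled="yes"
securiteinfo_authorisation_signature="$si_id"

# MalwarePatrol free guard (the Password/Receipt value shown at signup)
malwarepatrol_enabled="yes"
malwarepatrol_receipt_code="$mp_receipt"
malwarepatrol_free="yes"

# Sources that need no registration
yararulesproject_enabled="yes"
urlhaus_enabled="yes"
linuxmalwaredetect_enabled="yes"

# Extra feeds: paste the download URLs each provider gives you (the paths below are
# placeholders, not real), then remove the leading "#" from the three lines and the array.
#additional_enabled="yes"
#additional_dbs=(
#  https://www.mailborder.com/PATH-FROM-PROVIDER.ndb
#  https://malware.expert/PATH-FROM-PROVIDER.ndb
#)

# The script refuses to run until this is set to yes.
user_configuration_complete="yes"
EOF
}

apply() {
  url=$1
  receipt=$2
  si_id=$(securiteinfo_id_from_url "$url") || {
    echo "bad SecuriteInfo URL: $url" >&2
    exit 1
  }
  mkdir -p "$CUS_DIR"
  write_user_conf "$CUS_DIR/user.conf" "$si_id" "$receipt"
  chmod 0640 "$CUS_DIR/user.conf"   # the file now holds two credentials
  "$CUS_BIN" --force                 # first run: download every enabled database
  "$CUS_BIN" --install-cron          # periodic updates of the signatures
  "$CUS_BIN" --install-logrotate     # rotate the script's own log
}

if [ "${1:-}" = "--apply" ]; then
  shift
  apply "$@"
fi
```

The point of validating the identifier before writing it is that a truncated or mis-copied SecuriteInfo key does not produce an obvious error: the downloads simply fail on every cron run. Tightening the permissions on user.conf matters for the same reason the post's two sign-ups do: the file holds your personal receipt and identifier, and anything that can read it can pull signatures on your account.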
Final note: HelpSysAdmin Server Management customers get these and many other trusted signatures for ClamAV.