Would it be possible to add the unofficial ClamAV signatures to the scanner?
The standard ClamAV lets so many attachments pass which include viruses.
I had good experiences with these signatures in the past.
I think you can easily add the new signatures in the file /opt/mailcow-dockerized/data/conf/clamav/freshclam.conf
You are right, never knew that worked as well.
Always used the Linux script for downloading the updates, thanks!
@normanu would you mind explaining what exactly you did?
I, too, would like to improve the hit rate of clamav if possible.
Best regards,
Claudio
Hi Claudio @cklabautermann
Just add the following to your freshclam.conf in mailcow-dockerized/data/conf/clamav/freshclam.conf
Oh, and I can tell you it is already getting a lot of viruses this morning which were going through every day.
DatabaseCustomURL http://www.securiteinfo.com/get/signatures/80774a371fbf14738737ecae076a9de3a4de6517688db84ddc71dce895304d1f3424c2276d6ed3fd633f406979802e864d353a65d714cfebe2f352bd4d4ec586/securiteinfo.hdb
DatabaseCustomURL http://www.securiteinfo.com/get/signatures/80774a371fbf14738737ecae076a9de3a4de6517688db84ddc71dce895304d1f3424c2276d6ed3fd633f406979802e864d353a65d714cfebe2f352bd4d4ec586/securiteinfo.ign2
DatabaseCustomURL http://www.securiteinfo.com/get/signatures/80774a371fbf14738737ecae076a9de3a4de6517688db84ddc71dce895304d1f3424c2276d6ed3fd633f406979802e864d353a65d714cfebe2f352bd4d4ec586/javascript.ndb
DatabaseCustomURL http://www.securiteinfo.com/get/signatures/80774a371fbf14738737ecae076a9de3a4de6517688db84ddc71dce895304d1f3424c2276d6ed3fd633f406979802e864d353a65d714cfebe2f352bd4d4ec586/spam_marketing.ndb
DatabaseCustomURL http://www.securiteinfo.com/get/signatures/80774a371fbf14738737ecae076a9de3a4de6517688db84ddc71dce895304d1f3424c2276d6ed3fd633f406979802e864d353a65d714cfebe2f352bd4d4ec586/securiteinfohtml.hdb
DatabaseCustomURL http://www.securiteinfo.com/get/signatures/80774a371fbf14738737ecae076a9de3a4de6517688db84ddc71dce895304d1f3424c2276d6ed3fd633f406979802e864d353a65d714cfebe2f352bd4d4ec586/securiteinfoascii.hdb
DatabaseCustomURL http://www.securiteinfo.com/get/signatures/80774a371fbf14738737ecae076a9de3a4de6517688db84ddc71dce895304d1f3424c2276d6ed3fd633f406979802e864d353a65d714cfebe2f352bd4d4ec586/securiteinfoandroid.hdb
DatabaseCustomURL http://www.securiteinfo.com/get/signatures/80774a371fbf14738737ecae076a9de3a4de6517688db84ddc71dce895304d1f3424c2276d6ed3fd633f406979802e864d353a65d714cfebe2f352bd4d4ec586/securiteinfoold.hdb
DatabaseCustomURL http://www.securiteinfo.com/get/signatures/80774a371fbf14738737ecae076a9de3a4de6517688db84ddc71dce895304d1f3424c2276d6ed3fd633f406979802e864d353a65d714cfebe2f352bd4d4ec586/securiteinfopdf.hdb
DatabaseCustomURL http://cdn.malware.expert/malware.expert.ndb
DatabaseCustomURL http://cdn.malware.expert/malware.expert.hdb
DatabaseCustomURL http://cdn.malware.expert/malware.expert.ldb
DatabaseCustomURL http://cdn.malware.expert/malware.expert.fp
# Sanesecurity + Foxhole
DatabaseCustomURL http://ftp.swin.edu.au/sanesecurity/junk.ndb
DatabaseCustomURL http://ftp.swin.edu.au/sanesecurity/jurlbl.ndb
DatabaseCustomURL http://ftp.swin.edu.au/sanesecurity/phish.ndb
DatabaseCustomURL http://ftp.swin.edu.au/sanesecurity/rogue.ndb
DatabaseCustomURL http://ftp.swin.edu.au/sanesecurity/sanesecurity.ftm
DatabaseCustomURL http://ftp.swin.edu.au/sanesecurity/sigwhitelist.ign2
DatabaseCustomURL http://ftp.swin.edu.au/sanesecurity/scam.ndb
DatabaseCustomURL http://ftp.swin.edu.au/sanesecurity/spamimg.hdb
DatabaseCustomURL http://ftp.swin.edu.au/sanesecurity/spamattach.hdb
DatabaseCustomURL http://ftp.swin.edu.au/sanesecurity/blurl.ndb
DatabaseCustomURL http://ftp.swin.edu.au/sanesecurity/foxhole_generic.cdb
DatabaseCustomURL http://ftp.swin.edu.au/sanesecurity/foxhole_filename.cdb
DatabaseCustomURL http://ftp.swin.edu.au/sanesecurity/foxhole_js.cdb
DatabaseCustomURL http://ftp.swin.edu.au/sanesecurity/foxhole_js.ndb
DatabaseCustomURL http://ftp.swin.edu.au/sanesecurity/foxhole_all.cdb
DatabaseCustomURL http://ftp.swin.edu.au/sanesecurity/foxhole_all.ndb
DatabaseCustomURL http://ftp.swin.edu.au/sanesecurity/foxhole_mail.cdb
DatabaseCustomURL http://ftp.swin.edu.au/sanesecurity/malwarehash.hsb
DatabaseCustomURL http://ftp.swin.edu.au/sanesecurity/hackingteam.hsb
DatabaseCustomURL http://ftp.swin.edu.au/sanesecurity/badmacro.ndb
DatabaseCustomURL http://ftp.swin.edu.au/sanesecurity/shelter.ldb
# winnow
DatabaseCustomURL http://ftp.swin.edu.au/sanesecurity/winnow_malware.hdb
DatabaseCustomURL http://ftp.swin.edu.au/sanesecurity/winnow_malware_links.ndb
DatabaseCustomURL http://ftp.swin.edu.au/sanesecurity/winnow_phish_complete_url.ndb
DatabaseCustomURL http://ftp.swin.edu.au/sanesecurity/winnow_extended_malware.hdb
DatabaseCustomURL http://ftp.swin.edu.au/sanesecurity/winnow.attachments.hdb
DatabaseCustomURL http://ftp.swin.edu.au/sanesecurity/winnow_bad_cw.hdb
# bofhland
DatabaseCustomURL http://ftp.swin.edu.au/sanesecurity/bofhland_cracked_URL.ndb
DatabaseCustomURL http://ftp.swin.edu.au/sanesecurity/bofhland_malware_URL.ndb
DatabaseCustomURL http://ftp.swin.edu.au/sanesecurity/bofhland_phishing_URL.ndb
DatabaseCustomURL http://ftp.swin.edu.au/sanesecurity/bofhland_malware_attach.hdb
# Porcupine
DatabaseCustomURL http://ftp.swin.edu.au/sanesecurity/porcupine.ndb
DatabaseCustomURL http://ftp.swin.edu.au/sanesecurity/phishtank.ndb
DatabaseCustomURL http://ftp.swin.edu.au/sanesecurity/porcupine.hsb
Thanks, @normanu !
Is there any downturn, adding those as default?
I had to turn them off and manually delete the databases as the mail processing was failing (700 emails in queue). I suppose it was due to the amount of rules loaded. Haven't tested yet with only some of them, just added all and I had issues.
On 11 Oct 2018, at 16:29, Adorfer <notifications@github.com> wrote:
Is there any downturn, adding those as default?
I wonder if/why
@Braintelligence @3: I assume that it's not a curl-timeout, but more a RAM/IO-issue, to keep all those lists indexed.
Yes, you need a minimum of 8GB RAM.
@Adorfer yes there is a downturn, you can have false positives.
You can have a look here for the risks per rule, https://sanesecurity.com/usage/signatures/
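Given the queue backlog and false-positive risk reported above, the databases can be enabled in stages rather than all at once. The following is an added example, not part of the original thread or of mailcow: the helper names, the constructed sample config, and the choice of `junk.ndb` as the first database to enable are assumptions for illustration.

```python
"""Stage unofficial ClamAV databases in freshclam.conf instead of enabling all."""
import posixpath
from urllib.parse import urlparse

# Constructed sample in the style of the freshclam.conf lines in this thread;
# the SecuriteInfo account token is replaced by a placeholder.
SAMPLE_CONF = """\
DatabaseCustomURL http://www.securiteinfo.com/get/signatures/<ACCOUNT_TOKEN>/securiteinfo.hdb
# Sanesecurity + Foxhole
DatabaseCustomURL http://ftp.swin.edu.au/sanesecurity/junk.ndb
DatabaseCustomURL http://ftp.swin.edu.au/sanesecurity/foxhole_all.cdb
# winnow
DatabaseCustomURL http://ftp.swin.edu.au/sanesecurity/winnow_malware.hdb
"""


def custom_databases(conf_text):
    """Return (line_index, url, db_filename) for each active DatabaseCustomURL."""
    found = []
    for i, line in enumerate(conf_text.splitlines()):
        parts = line.split()
        # Commented-out entries ("#DatabaseCustomURL ...") do not match here.
        if len(parts) == 2 and parts[0] == "DatabaseCustomURL":
            url = parts[1]
            found.append((i, url, posixpath.basename(urlparse(url).path)))
    return found


def stage(conf_text, enabled):
    """Comment out every DatabaseCustomURL whose file name is not in `enabled`.

    Returns the new config text and the list of database names switched off,
    so the remaining ones can be re-enabled one group at a time while
    watching memory use and the mail queue.
    """
    lines = conf_text.splitlines()
    disabled = []
    for i, _url, name in custom_databases(conf_text):
        if name not in enabled:
            lines[i] = "#" + lines[i]
            disabled.append(name)
    return "\n".join(lines) + "\n", disabled


def plain_http(conf_text):
    """Names of active databases that are fetched over plain HTTP (no TLS)."""
    return [n for _i, u, n in custom_databases(conf_text)
            if urlparse(u).scheme == "http"]
```

Databases that were already downloaded stay in the ClamAV database directory after their line is commented out, so they still have to be deleted by hand, as described above.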