# This is property of eXtremeSHOK.com
# You are free to use, modify and distribute, however you may not remove this notice.
# Copyright (c) Adrian Jon Kriel :: admin@extremeshok.com
+# License: BSD (Berkeley Software Distribution)
##################
#
# Script updates can be found at: https://github.com/extremeshok/clamav-unofficial-sigs
-#
-# Originially based on:
-# Script provide by Bill Landry (unofficialsigs@gmail.com).
-#
-# License: BSD (Berkeley Software Distribution)
#
##################
#
-# NOT COMPATIBLE WITH VERSION 3.XX / 4.XX CONFIG
+# NOT COMPATIBLE WITH VERSION 3.XX / 4.XX CONFIG
+#
+################################################################################
+#
+# IT IS BETTER TO SET YOUR OPTIONS IN THE user.conf AS THIS MAKES UPDATES EASIER
+#
+# os.conf AND user.conf OVERRIDES THE OPTIONS IN THIS FILE
#
################################################################################
# change the following variable to "yes".
reload_dbs="yes"
+# Custom Command to do a full clamd reload, this is only used when reload_dbs is enabled
+clamd_reload_opt="clamdscan --reload"
+
# Top level working directory, script will attempt to create them.
work_dir="/var/lib/clamav-unofficial-sigs" #Top level working directory
# - 3. Login and navigate to your customer account : https://www.securiteinfo.com/clients/customers/account
# - 4. Click on the Setup tab
# - 5. You will need to get your unique identifier from one of the download links, they are individual for every user
-# - 5.1. The 128 character string is after the http://www.securiteinfo.com/get/signatures/
+# - 5.1. The 128 character string is after the http://www.securiteinfo.com/get/signatures/
# - 5.2. Example https://www.securiteinfo.com/get/signatures/your_unique_and_very_long_random_string_of_characters/securiteinfo.hdb
# Your 128 character authorisation signature would be : your_unique_and_very_long_random_string_of_characters
# - 6. Enter the authorisation signature into the config securiteinfo_authorisation_signature: replacing YOUR-SIGNATURE-NUMBER with your authorisation signature from the link
# ========================
# Set to no to disable an entire database, if the database is empty it will also be disabled.
sanesecurity_enabled="yes" # Sanesecurity
-securiteinfo_enabled="yes" # SecuriteInfo
+securiteinfo_enabled="yes" # SecuriteInfo
linuxmalwaredetect_enabled="yes" # Linux Malware Detect
malwarepatrol_enabled="yes" # Malware Patrol
yararulesproject_enabled="yes" # Yara-Rule Project, automatically disabled if clamav is older than 0.99
# The new and old database formats are supported for backwards compatibility
#
# New Format Usage:
-# new_example_dbs="
+# declare -a new_example_dbs=(
# file.name|RATING #description
-# "
-#
+# )
+#
# Rating (False Positive Rating)
-# valid ratings:
+# valid ratings:
# REQUIRED : always used
# LOW : used when the rating is low, medium and high
# MEDIUM : used when the rating is medium and high
# file.name #LOW description
# "
-# Default dbs rating
+# Default dbs rating
# valid rating: LOW, MEDIUM, HIGH
default_dbs_rating="LOW"
-# Per Database
+# Per Database
# These ratings will override the global rating for the specific database
# valid rating: LOW, MEDIUM, HIGH, DISABLED
#sanesecurity_dbs_rating=""
# Add or remove database file names between quote marks as needed. To
# disable usage of any of the Sanesecurity distributed database files
# shown, remove the database file name from the quoted section below.
-# Only databases defined as "low" risk have been enabled by default
-# for additional information about the database ratings, see:
+# Only databases defined as "low" risk have been enabled by default
+# for additional information about the database ratings, see:
# http://www.sanesecurity.com/clamav/databases.htm
# Only add signature databases here that are "distributed" by Sanesecuirty
# as defined at the URL shown above. Database distributed by others sources
# spelled correctly or you will experience issues when the script runs
# (hint: all rsync servers will fail to download signature updates).
-sanesecurity_dbs=" # BEGIN SANESECURITY DATABASE
+declare -a sanesecurity_dbs=( # BEGIN SANESECURITY DATABASE
### SANESECURITY http://sanesecurity.com/usage/signatures/
## REQUIRED, Do NOT disable
sanesecurity.ftm|REQUIRED # Message file types, for best performance
sigwhitelist.ign2|REQUIRED # Fast update file to whitelist any problem signatures
-## LOW
-junk.ndb|LOW # General high hitting junk, containing spam/phishing/lottery/jobs/419s etc
+# LOW
+junk.ndb|LOW # General high hitting junk, containing spam/phishing/lottery/jobs/419s etc
jurlbl.ndb|LOW # Junk Url based
-phish.ndb|LOW # Phishing
-rogue.hdb|LOW # Malware, Rogue anti-virus software and Fake codecs etc. Updated hourly to cover the latest malware threats
-scam.ndb|LOW # Spam/scams
-spamimg.hdb|LOW # Spam images
-spamattach.hdb|LOW # Spam Spammed attachments such as pdf/doc/rtf/zip
-blurl.ndb|LOW # Blacklisted full urls over the last 7 days, covering malware/spam/phishing. URLs added only when main signatures have failed to detect but are known to be "bad"
+phish.ndb|LOW # Phishing and Malware
+rogue.hdb|LOW # Malware, Rogue anti-virus software and Fake codecs etc. Updated hourly to cover the latest malware threats
+scam.ndb|LOW # Spam/scams
+spamimg.hdb|LOW # Spam images
+spamattach.hdb|LOW # Spam Spammed attachments such as pdf/doc/rtf/zips
+blurl.ndb|LOW # Blacklisted full urls over the last 7 days, covering malware/spam/phishing. URLs added only when main signatures have failed to detect but are known to be "bad"
malwarehash.hsb|LOW # Malware hashes without known Size
-## MEDIUM
+# MEDIUM
jurlbla.ndb|MEDIUM # Junk Url based autogenerated from various feeds
-lott.ndb|MEDIUM # Lottery
+lott.ndb|MEDIUM # Lottery
spam.ldb|MEDIUM # Spam detected using the new Logical Signature type
spear.ndb|MEDIUM # Spear phishing email addresses (autogenerated from data here)
-spearl.ndb|MEDIUM # Spear phishing urls (autogenerated from data here)
-badmacro.ndb|MEDIUM # Detect dangerous macros
+spearl.ndb|MEDIUM # Spear phishing urls (autogenerated from data here)
+badmacro.ndb|MEDIUM # Blocks dangerous macros embedded in Word/Excel/Xml/RTF/JS documents
+shelter.ldb|MEDIUM # Phishing and Malware
+
+### MALWARE.EXPERT https://malware.expert/
+# LOW
+malware.expert.hdb|MEDIUM # statics MD5 pattern for files
+# MEDIUM
+malware.expert.fp|MEDIUM # found to be false positive malware
+malware.expert.ldb|MEDIUM # which use multi-words search for malware in files
+malware.expert.ndb|MEDIUM # Generic Hex pattern PHP malware, which can cause false positive alarms
### FOXHOLE http://sanesecurity.com/foxhole-databases/
-## LOW
+# LOW
foxhole_generic.cdb|LOW # See Foxhole page for more details
foxhole_filename.cdb|LOW # See Foxhole page for more details
-## MEDIUM
+# MEDIUM
foxhole_js.cdb|MEDIUM # See Foxhole page for more details
-## HIGH
-foxhole_all.cdb|HIGH # See Foxhole page for more details
+foxhole_js.ndb|MEDIUM # See Foxhole page for more details
+# HIGH
+foxhole_all.cdb|HIGH # See Foxhole page for more details
+foxhole_all.ndb|HIGH # See Foxhole page for more details
+foxhole_mail.cdb|HIGH # block any mail that contains a possible dangerous attachments such as: js, jse, exe, bat, com, scr, uue, ace, pif, jar, gz, lnk, lzh.
### OITC http://www.oitc.com/winnow/clamsigs/index.html
-### Note: the two databases winnow_phish_complete.ndb and winnow_phish_complete_url.ndb should NOT be used together.
+### Note: the two databases winnow_phish_complete.ndb and winnow_phish_complete_url.ndb should NOT be used together.
# LOW
winnow_malware.hdb|LOW # Current virus, trojan and other malware not yet detected by ClamAV.
winnow_malware_links.ndb|LOW # Links to malware
-winnow_extended_malware.hdb|LOW # contain hand generated signatures for malware
+winnow_extended_malware.hdb|LOW # contain hand generated signatures for malware
winnow.attachments.hdb|LOW # Spammed attachments such as pdf/doc/rtf/zip as well as malware crypted configs
winnow_bad_cw.hdb|LOW # md5 hashes of malware attachments acquired directly from a group of botnets
-winnow_phish_complete_url.ndb|LOWMEDIUMONLY # Similar to winnow_phish_complete.ndb except that entire urls are used
+winnow_phish_complete_url.ndb|LOWMEDIUMONLY # Similar to winnow_phish_complete.ndb except that entire urls are used
# MEDIUM
winnow_spam_complete.ndb|MEDIUM # Signatures to detect fraud and other malicious spam
-winnow.complex.patterns.ldb|MEDIUM # contain hand generated signatures for malware and some egregious fraud
-winnow_extended_malware_links.ndb|MEDIUM # contain hand generated signatures for malware links
+winnow.complex.patterns.ldb|MEDIUM # contain hand generated signatures for malware and some egregious fraud
+winnow_extended_malware_links.ndb|MEDIUM # contain hand generated signatures for malware links
# HIGH
winnow_phish_complete.ndb|HIGH # Phishing and other malicious urls and compromised hosts **DO NOT USE WITH winnow_phish_complete_url**
### OITC YARA Format rules
### Note: Yara signatures require ClamAV 0.99 or newer to work
-winnow_malware.yara|LOW # detect spam
+winnow_malware.yara|LOW # detect spam
+
+### MiscreantPunch http://malwarefor.me/about/
+## MEDIUM
+MiscreantPunch099-Low.ldb|MEDIUM # ruleset contains comprehensive rules for detecting malicious or abnormal Macros, JS, HTA, HTML, XAP, JAR, SWF, and more.
+## HIGH
+MiscreantPunch099-INFO-Low.ldb|HIGH # ruleset provides context to various files. Info and Suspicious level signatures may inform analysts of potentially interesting conditions that exist within a document.
### SCAMNAILER http://www.scamnailer.info/
# MEDIUM
### BOFHLAND http://clamav.bofhland.org/
# LOW
-bofhland_cracked_URL.ndb|LOW # Spam URLs
-bofhland_malware_URL.ndb|LOW # Malware URLs
+bofhland_cracked_URL.ndb|LOW # Spam URLs
+bofhland_malware_URL.ndb|LOW # Malware URLs
bofhland_phishing_URL.ndb|LOW # Phishing URLs
bofhland_malware_attach.hdb|LOW # Malware Hashes
### RockSecurity http://rooksecurity.com/
-#LOW
-hackingteam.hsb|LOW # Hacking Team hashes
-
-### CRDF https://threatcenter.crdf.fr/
# LOW
-#crdfam.clamav.hdb|LOW # List of new threats detected by CRDF Anti Malware
+hackingteam.hsb|LOW # Hacking Team hashes based on work by rooksecurity.com
### Porcupine
# LOW
-porcupine.ndb|LOW # Brazilian e-mail phishing and malware signatures
-phishtank.ndb|LOW # Online and valid phishing urls from phishtank.com data feed
+porcupine.ndb|LOW # Brazilian e-mail phishing and malware signatures
+phishtank.ndb|LOW # Online and valid phishing urls from phishtank.com data feed
porcupine.hsb|LOW # Sha256 Hashes of VBS and JSE malware, kept for 7 days
### Sanesecurity YARA Format rules
### Note: Yara signatures require ClamAV 0.99 or newer to work
-Sanesecurity_sigtest.yara|LOW # Sanesecurity test signatures
-Sanesecurity_spam.yara|LOW # detect spam
+Sanesecurity_sigtest.yara|LOW # Sanesecurity test signatures
+Sanesecurity_spam.yara|LOW # Detects Spam emails
-" # END SANESECURITY DATABASES
+) # END SANESECURITY DATABASES
# ========================
# SecuriteInfo Database(s)
# Add or remove database file names between quote marks as needed. To
# disable any SecuriteInfo database downloads, remove the appropriate
# lines below.
-securiteinfo_dbs=" #START SECURITEINFO DATABASES
+declare -a securiteinfo_dbs=( #START SECURITEINFO DATABASES
### Securiteinfo https://www.securiteinfo.com/services/anti-spam-anti-virus/improve-detection-rate-of-zero-day-malwares-for-clamav.shtml
## REQUIRED, Do NOT disable
-securiteinfo.ign2|REQUIRED
+securiteinfo.ign2|REQUIRED # Signature Whitelist
# LOW
securiteinfo.hdb|LOW # Malwares in the Wild
-javascript.ndb|LOW # Malwares Javascript
-securiteinfohtml.hdb|LOW # Malwares HTML
+javascript.ndb|LOW # Malwares Javascript
+securiteinfohtml.hdb|LOW # Malwares HTML
securiteinfoascii.hdb|LOW # Text file malwares (Perl or shell scripts, bat files, exploits, ...)
-securiteinfopdf.hdb|LOW # Malwares PDF
+securiteinfopdf.hdb|LOW # Malwares PDF
securiteinfoandroid.hdb|LOW # Malwares Java/Android Dalvik
# HIGH
spam_marketing.ndb|HIGH # Spam Marketing / spammer blacklist
-" #END SECURITEINFO DATABASES
+) #END SECURITEINFO DATABASES
# ========================
# Linux Malware Detect Database(s)
# Add or remove database file names between quote marks as needed. To
# disable any SecuriteInfo database downloads, remove the appropriate
# lines below.
-linuxmalwaredetect_dbs="
+declare -a linuxmalwaredetect_dbs=(
### Linux Malware Detect https://www.rfxn.com/projects/linux-malware-detect/
# LOW
rfxn.ndb|LOW # HEX Malware detection signatures
rfxn.hdb|LOW # MD5 malware detection signatures
-" #END LINUXMALWAREDETECT DATABASES
+) #END LINUXMALWAREDETECT DATABASES
# ========================
# Yara Rules Project Database(s)
# Add or remove database file names between quote marks as needed. To
# disable any Yara Rule database downloads, remove the appropriate
# lines below.
-yararulesproject_dbs="
+declare -a yararulesproject_dbs=(
### Yara Rules https://github.com/Yara-Rules/rules
#
# Some rules are now in sub-directories. To reference a file in a sub-directory
# use subdir/file
# LOW
-email/EMAIL_Cryptowall.yar|LOW # CryptoWall Resume phish
-Antidebug_AntiVM/antidebug_antivm.yar|LOW # anti debug and anti virtualization techniques used by malware
+Antidebug_AntiVM/antidebug_antivm.yar|LOW # anti debug and anti virtualization techniques used by malware
Exploit-Kits/EK_Angler.yar|LOW # Angler Exploit Kit Redirector
Exploit-Kits/EK_Blackhole.yar|LOW # BlackHole2 Exploit Kit Detection
Exploit-Kits/EK_BleedingLife.yar|LOW # BleedingLife2 Exploit Kit Detection
# MEDIUM
Malicious_Documents/maldoc_somerules.yar|MEDIUM # documents with malicious code
Malicious_Documents/Maldoc_Hidden_PE_file.yar|MEDIUM # Detect a hidden PE file inside a sequence of numbers (comma separated)
-Packers/Javascript_exploit_and_obfuscation.yar|MEDIUM # JavaScript Obfuscation Detection
Packers/packer.yar|MEDIUM # well-known sofware packers
CVE_Rules/CVE-2010-0805.yar|MEDIUM # CVE 2010 0805
CVE_Rules/CVE-2010-0887.yar|MEDIUM # CVE 2010 0887
CVE_Rules/CVE-2013-0422.yar|MEDIUM # CVE 2013 0422
CVE_Rules/CVE-2015-5119.yar|MEDIUM # CVE 2015 5119
# HIGH
+Packers/Javascript_exploit_and_obfuscation.yar|HIGH # JavaScript Obfuscation Detection
Crypto/crypto.yar|HIGH # detect the existence of cryptographic algoritms
-" #END yararulesproject DATABASES
+) #END yararulesproject DATABASES
# =========================
# Additional signature databases
# format: PROTOCOL://URL-or-IP/PATH/TO/FILE-NAME (use a trailing "/" in
# place of the "FILE-NAME" to download all files from specified location,
# but this *ONLY* works for files downloaded via rsync). For non-rsync
-# downloads, wget and curl is used. For download protocols supported by
+# downloads, wget and curl is used. For download protocols supported by
# wget and curl, see "man wget" and "man curl".
# This also works well for locations that have many ClamAV
# servers that use 3rd party signature databases, as only one server need
# download the remote databases, and all others can update from the local
# mirrors copy. See format examples below. To use, remove the comments
# and examples shown and add your own sites between the quote marks.
-#additional_dbs="
+#declare -a additional_dbs=(
# rsync://192.168.1.50/new-db/sigs.hdb
# rsync://rsync.example.com/all-dbs/
# ftp://ftp.example.net/pub/sigs.ndb
# http://www.example.org/sigs.ldb
-#" #END ADDITIONAL DATABASES
+#) #END ADDITIONAL DATABASES
# ==================================================
# Command to do a full clamd service stop/start
#clamd_restart_opt="service clamd restart"
-# Custom Command to fo a full clamd reload, this defaults to "clamdscan --reload" when not set
-#clamd_reload_opt="clamdscan --reload"
-
# Custom Command Paths, these are detected with the which command when not set
#uname_bin="/usr/bin/uname"
#clamscan_bin="/usr/bin/clamscan"
#curl_bin="/usr/bin/curl"
#gpg_bin="/usr/bin/gpg"
+# GnuPG / Signature verification
+# To disable usage of gpg, set the following variable to "no".
+# If gpg_bin cannot be found, enable_gpg will automatically disable
+enable_gpg="yes"
+
# If running clamd in "LocalSocket" mode (*NOT* in TCP/IP mode), and
# either "SOcket Cat" (socat) or the "IO::Socket::UNIX" perl module
# are installed on the system, and you want to report whether clamd
# Always located inside the work_dir, do not add /
# Sub-directory names:
sanesecurity_dir="dbs-ss" # Sanesecurity sub-directory
-securiteinfo_dir="dbs-si" # SecuriteInfo sub-directory
-linuxmalwaredetect_dir="dbs-lmd" # Linux Malware Detect sub-directory
-malwarepatrol_dir="dbs-mbl" # MalwarePatrol sub-directory
-yararulesproject_dir="dbs-yara" # Yara-Rules sub-directory
+securiteinfo_dir="dbs-si" # SecuriteInfo sub-directory
+linuxmalwaredetect_dir="dbs-lmd" # Linux Malware Detect sub-directory
+malwarepatrol_dir="dbs-mbl" # MalwarePatrol sub-directory
+yararulesproject_dir="dbs-yara" # Yara-Rules sub-directory
work_dir_configs="configs" # Script configs sub-directory
gpg_dir="gpg-key" # Sanesecurity GPG Key sub-directory
pid_dir="pid" # User defined pid sub-directory
keep_db_backup="no"
# When a database integrity has tested BAD, the failed database will be removed.
-remove_bad_database="yes"
+remove_bad_database="yes"
# When a database is disabled we will remove the associated database files.
remove_disabled_databases="no" # Default is "no" since we are not a database managament tool by default.
# format of "hostname:port". For wget, also note the https and http
#rsync_proxy=""
#curl_proxy=""
-#wget_proxy_http="http://username:password@proxy_host:proxy_port"
-#wget_proxy_https="https://username:password@proxy_host:proxy_port"
+#wget_proxy_http="-e http_proxy=http://username:password@proxy_host:proxy_port"
+#wget_proxy_https="-e https_proxy=https://username:password@proxy_host:proxy_port"
# Custom Cron install settings, these are detected and only used if you want to override
#man_dir="" #default: /usr/share/man/man8
#man_filename="" #default: clamav-unofficial-sigs.8
-# Provided two variables that package and port maintainers can use in order to
+# Provided two variables that package and port maintainers can use in order to
# prevent the script from removing itself with the '-r' flag
-# If the script was installed via a package manager like yum, apt, pkg, etc.
+# If the script was installed via a package manager like yum, apt, pkg, etc.
# The script will instead provide feedback to the user about how to uninstall the package.
#pkg_mgr="" #the package manager name
#pkg_rm="" #the package manager command to remove the script
# ========================
# DO NOT EDIT !
-config_version="69"
+config_version="73"
# https://eXtremeSHOK.com ######################################################