X-Git-Url: http://ftp.carnet.hr/carnet-debian/scm?p=clamav-unofficial-sigs.git;a=blobdiff_plain;f=master.conf;fp=master.conf;h=32de3830344fcd615852e3ff1abc8d7b483d8368;hp=96cd82c0ccea3926eda8f37536339c453cc684f9;hb=a09d9b77973bb4793263abe449a5426b805db8ce;hpb=db4315e882b5a3ee30e8a8b3cd1d6e6cd9b16b73
diff --git a/master.conf b/master.conf
index 96cd82c..32de383 100644
--- a/master.conf
+++ b/master.conf
@@ -1,22 +1,18 @@
 # This file contains master configuration settings for clamav-unofficial-sigs.sh
-###################
+################################################################################
 # This is property of eXtremeSHOK.com
 # You are free to use, modify and distribute, however you may not remove this notice.
 # Copyright (c) Adrian Jon Kriel :: admin@extremeshok.com
 # License: BSD (Berkeley Software Distribution)
-##################
-#
-# Script updates can be found at: https://github.com/extremeshok/clamav-unofficial-sigs
-#
-##################
+################################################################################
 #
-# NOT COMPATIBLE WITH VERSION 3.XX / 4.XX CONFIG
+# DO NOT EDIT THIS FILE !! DO NOT EDIT THIS FILE !! DO NOT EDIT THIS FILE !!
 #
 ################################################################################
 #
-# IT IS BETTER TO SET YOUR OPTIONS IN THE user.conf AS THIS MAKES UPDATES EASIER
+# SET YOUR CUSTOM OPTIONS AND SETTINGS IN THE user.conf
 #
-# os.conf AND user.conf OVERRIDES THE OPTIONS IN THIS FILE
+# os.conf (os.***.conf) AND user.conf OVERRIDES THE OPTIONS IN THIS FILE
 #
 ################################################################################
 
@@ -66,13 +62,15 @@ work_dir="/var/lib/clamav-unofficial-sigs" #Top level working directory
 logging_enabled="yes"
 log_file_path="/var/log/clamav-unofficial-sigs"
 log_file_name="clamav-unofficial-sigs.log"
+## Use a program to log messages
+#log_pipe_cmd="/usr/bin/logger -it 'clamav-unofficial-sigs'"
 
 # =========================
 # MalwarePatrol : https://www.malwarepatrol.net
 # MalwarePatrol 2016 (free) clamav signatures
 #
-# 1. Sign up for an account : https://www.malwarepatrol.net/signup-free.shtml
+# 1. Sign up for an account : https://www.malwarepatrol.net/free-guard-upgrade-option/
 # 2. You will recieve an email containing your password/receipt number
 # 3. Login to your account at malwarePatrol
 # 4. In My Accountpage, choose the ClamAV list you will download. Free subscribers only get ClamAV Basic, commercial subscribers have access to ClamAV Extended. Do not use the agressive lists.
@@ -81,7 +79,9 @@ log_file_name="clamav-unofficial-sigs.log"
 malwarepatrol_receipt_code="YOUR-RECEIPT-NUMBER"
 malwarepatrol_product_code="8"
 malwarepatrol_list="clamav_basic" # clamav_basic or clamav_ext
-# Set to no to enable the commercial subscription url.
+# if the malwarepatrol_product_code is not 8,
+# the malwarepatrol_free is set to no (non-free)
+# set to no to enable the commercial subscription url,
 malwarepatrol_free="yes"
 
 # =========================
@@ -100,32 +100,35 @@ malwarepatrol_free="yes"
 
 # - 6. Enter the authorisation signature into the config securiteinfo_authorisation_signature: replacing YOUR-SIGNATURE-NUMBER with your authorisation signature from the link
 securiteinfo_authorisation_signature="YOUR-SIGNATURE-NUMBER"
+securiteinfo_premium="no"
 
 # ========================
 # Database provider update time
 # ========================
 # Since the database files are dynamically created, non default values can cause banning, change with caution
-
-sanesecurity_update_hours="2" # Default is 2 hours (12 downloads daily).
-securiteinfo_update_hours="4" # Default is 4 hours (6 downloads daily).
+additional_update_hours="4" # Default is 4 hours (6 downloads daily).
 linuxmalwaredetect_update_hours="6" # Default is 6 hours (4 downloads daily).
 malwarepatrol_update_hours="24" # Default is 24 hours (1 downloads daily).
+sanesecurity_update_hours="2" # Default is 2 hours (12 downloads daily).
+securiteinfo_update_hours="4" # Default is 4 hours (6 downloads daily).
+urlhaus_update_hours="0" # Default is 0 hours (Update constantly).
 yararulesproject_update_hours="24" # Default is 24 hours (1 downloads daily).
-additional_update_hours="4" # Default is 4 hours (6 downloads daily).
 
 # ========================
 # Enabled Databases
 # ========================
 # Set to no to disable an entire database, if the database is empty it will also be disabled.
-sanesecurity_enabled="yes" # Sanesecurity
-securiteinfo_enabled="yes" # SecuriteInfo
+additional_enabled="yes" # Additional Databases
 linuxmalwaredetect_enabled="yes" # Linux Malware Detect
 malwarepatrol_enabled="yes" # Malware Patrol
-yararulesproject_enabled="yes" # Yara-Rule Project, automatically disabled if clamav is older than 0.99
-additional_enabled="yes" # Additional Databases
+sanesecurity_enabled="yes" # Sanesecurity
+securiteinfo_enabled="yes" # SecuriteInfo
+urlhaus_enabled="yes" # urlhaus
+yararulesproject_enabled="no" # Yara-Rule Project, automatically disabled if clamav is older than 0.100 and enable_yararules is disabled
 
-## Disabling this will also cause the yararulesproject to be disabled.
-enable_yararules="yes" #Enables yararules in the various databases, automatically disabled if clamav is older than 0.99
+# Disabled by default
+## Enabling this will also cause the yararulesproject to be enabled if they are det to enabled.
+enable_yararules="yes" #Enables yararules in the various databases, automatically disabled if clamav is older than 0.100
 
 # ========================
 # eXtremeSHOK Database format
@@ -155,14 +158,15 @@ enable_yararules="yes" #Enables yararules in the various databases, automatica
 
 # Default dbs rating
 # valid rating: LOW, MEDIUM, HIGH
-default_dbs_rating="LOW"
+default_dbs_rating="MEDIUM"
 
 # Per Database
 # These ratings will override the global rating for the specific database
 # valid rating: LOW, MEDIUM, HIGH, DISABLED
+#linuxmalwaredetect_dbs_rating=""
 #sanesecurity_dbs_rating=""
 #securiteinfo_dbs_rating=""
-#linuxmalwaredetect_dbs_rating=""
+#urlhaus_dbs_rating=""
 #yararulesproject_dbs_rating=""
 
 # ========================
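Review bot: The new comment `# Disabled by default` is placed directly above `enable_yararules="yes"`, so the comment and the value it describes contradict each other; either the value should read `"no"` or the comment belongs above `yararulesproject_enabled="no"`, which is the setting that is actually disabled. The following comment line has a typo, `if they are det to enabled` → `if they are set to enabled`. `securiteinfo_premium="no"` is added next to the authorisation signature with no explanation of what it gates; a line such as `# Set to yes to also download the non-free SecuriteInfo databases (paid subscription required)` above it would tell a reader why a second flag exists there, assuming that is what the script uses it for.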
@@ -187,23 +191,23 @@ declare -a sanesecurity_dbs=( # BEGIN SANESECURITY DATABASE
 sanesecurity.ftm|REQUIRED # Message file types, for best performance
 sigwhitelist.ign2|REQUIRED # Fast update file to whitelist any problem signatures
 # LOW
+blurl.ndb|LOW # Blacklisted full urls over the last 7 days, covering malware/spam/phishing. URLs added only when main signatures have failed to detect but are known to be "bad"
 junk.ndb|LOW # General high hitting junk, containing spam/phishing/lottery/jobs/419s etc
 jurlbl.ndb|LOW # Junk Url based
+malwarehash.hsb|LOW # Malware hashes without known Size
 phish.ndb|LOW # Phishing and Malware
 rogue.hdb|LOW # Malware, Rogue anti-virus software and Fake codecs etc. Updated hourly to cover the latest malware threats
 scam.ndb|LOW # Spam/scams
-spamimg.hdb|LOW # Spam images
 spamattach.hdb|LOW # Spam Spammed attachments such as pdf/doc/rtf/zips
-blurl.ndb|LOW # Blacklisted full urls over the last 7 days, covering malware/spam/phishing. URLs added only when main signatures have failed to detect but are known to be "bad"
-malwarehash.hsb|LOW # Malware hashes without known Size
+spamimg.hdb|LOW # Spam images
 # MEDIUM
+badmacro.ndb|MEDIUM # Blocks dangerous macros embedded in Word/Excel/Xml/RTF/JS documents
 jurlbla.ndb|MEDIUM # Junk Url based autogenerated from various feeds
 lott.ndb|MEDIUM # Lottery
+shelter.ldb|MEDIUM # Phishing and Malware
 spam.ldb|MEDIUM # Spam detected using the new Logical Signature type
 spear.ndb|MEDIUM # Spear phishing email addresses (autogenerated from data here)
 spearl.ndb|MEDIUM # Spear phishing urls (autogenerated from data here)
-badmacro.ndb|MEDIUM # Blocks dangerous macros embedded in Word/Excel/Xml/RTF/JS documents
-shelter.ldb|MEDIUM # Phishing and Malware
 
 ### MALWARE.EXPERT https://malware.expert/
 # LOW
@@ -215,8 +219,8 @@ malware.expert.ndb|MEDIUM # Generic Hex pattern PHP malware, which can cause fa
 
 ### FOXHOLE http://sanesecurity.com/foxhole-databases/
 # LOW
-foxhole_generic.cdb|LOW # See Foxhole page for more details
 foxhole_filename.cdb|LOW # See Foxhole page for more details
+foxhole_generic.cdb|LOW # See Foxhole page for more details
 # MEDIUM
 foxhole_js.cdb|MEDIUM # See Foxhole page for more details
 foxhole_js.ndb|MEDIUM # See Foxhole page for more details
@@ -228,21 +232,21 @@ foxhole_mail.cdb|HIGH # block any mail that contains a possible dangerous attach
 ### OITC http://www.oitc.com/winnow/clamsigs/index.html
 ### Note: the two databases winnow_phish_complete.ndb and winnow_phish_complete_url.ndb should NOT be used together.
 # LOW
-winnow_malware.hdb|LOW # Current virus, trojan and other malware not yet detected by ClamAV.
-winnow_malware_links.ndb|LOW # Links to malware
-winnow_extended_malware.hdb|LOW # contain hand generated signatures for malware
-winnow.attachments.hdb|LOW # Spammed attachments such as pdf/doc/rtf/zip as well as malware crypted configs
 winnow_bad_cw.hdb|LOW # md5 hashes of malware attachments acquired directly from a group of botnets
+winnow_extended_malware.hdb|LOW # contain hand generated signatures for malware
+winnow_malware_links.ndb|LOW # Links to malware
+winnow_malware.hdb|LOW # Current virus, trojan and other malware not yet detected by ClamAV.
 winnow_phish_complete_url.ndb|LOWMEDIUMONLY # Similar to winnow_phish_complete.ndb except that entire urls are used
+winnow.attachments.hdb|LOW # Spammed attachments such as pdf/doc/rtf/zip as well as malware crypted configs
 # MEDIUM
+winnow_extended_malware_links.ndb|MEDIUM # contain hand generated signatures for malware links
 winnow_spam_complete.ndb|MEDIUM # Signatures to detect fraud and other malicious spam
 winnow.complex.patterns.ldb|MEDIUM # contain hand generated signatures for malware and some egregious fraud
-winnow_extended_malware_links.ndb|MEDIUM # contain hand generated signatures for malware links
 # HIGH
 winnow_phish_complete.ndb|HIGH # Phishing and other malicious urls and compromised hosts **DO NOT USE WITH winnow_phish_complete_url**
 ### OITC YARA Format rules
-### Note: Yara signatures require ClamAV 0.99 or newer to work
-winnow_malware.yara|LOW # detect spam
+### Note: Yara signatures require ClamAV 0.100 or newer to work
+##winnow_malware.yara|LOW # detect spam
 
 ### MiscreantPunch http://malwarefor.me/about/
 ## MEDIUM
@@ -257,9 +261,9 @@ scamnailer.ndb|MEDIUM # Spear phishing and other phishing emails
 ### BOFHLAND http://clamav.bofhland.org/
 # LOW
 bofhland_cracked_URL.ndb|LOW # Spam URLs
+bofhland_malware_attach.hdb|LOW # Malware Hashes
 bofhland_malware_URL.ndb|LOW # Malware URLs
 bofhland_phishing_URL.ndb|LOW # Phishing URLs
-bofhland_malware_attach.hdb|LOW # Malware Hashes
 
 ### RockSecurity http://rooksecurity.com/
 # LOW
@@ -267,12 +271,12 @@ hackingteam.hsb|LOW # Hacking Team hashes based on work by rooksecurity.com
 
 ### Porcupine
 # LOW
-porcupine.ndb|LOW # Brazilian e-mail phishing and malware signatures
 phishtank.ndb|LOW # Online and valid phishing urls from phishtank.com data feed
 porcupine.hsb|LOW # Sha256 Hashes of VBS and JSE malware, kept for 7 days
+porcupine.ndb|LOW # Brazilian e-mail phishing and malware signatures
 
 ### Sanesecurity YARA Format rules
-### Note: Yara signatures require ClamAV 0.99 or newer to work
+### Note: Yara signatures require ClamAV 0.100 or newer to work
 Sanesecurity_sigtest.yara|LOW # Sanesecurity test signatures
 Sanesecurity_spam.yara|LOW # Detects Spam emails
 
@@ -290,30 +294,49 @@ declare -a securiteinfo_dbs=( #START SECURITEINFO DATABASES
 ## REQUIRED, Do NOT disable
 securiteinfo.ign2|REQUIRED # Signature Whitelist
 # LOW
-securiteinfo.hdb|LOW # Malwares in the Wild
 javascript.ndb|LOW # Malwares Javascript
-securiteinfohtml.hdb|LOW # Malwares HTML
+securiteinfo.hdb|LOW # Malwares younger than 3 years.
+securiteinfoandroid.hdb|LOW # Malwares Java/Android Dalvik
 securiteinfoascii.hdb|LOW # Text file malwares (Perl or shell scripts, bat files, exploits, ...)
+securiteinfohtml.hdb|LOW # Malwares HTML
+securiteinfoold.hdb|LOW # Malwares older than 3 years.
 securiteinfopdf.hdb|LOW # Malwares PDF
-securiteinfoandroid.hdb|LOW # Malwares Java/Android Dalvik
 # HIGH
 spam_marketing.ndb|HIGH # Spam Marketing / spammer blacklist
 ) #END SECURITEINFO DATABASES
 
+# NON-FREE DATABASES
+declare -a securiteinfo_dbs_premium=( #START SECURITEINFO DATABASES
+securiteinfo.mdb|LOW # 0-day Malwares
+securiteinfo0hour.hdb|LOW # 0-Hour Malwares
+)
 # ========================
-# Linux Malware Detect Database(s)
+# LinuxMalwareDetect Database(s)
 # ========================
 # Add or remove database file names between quote marks as needed. To
-# disable any SecuriteInfo database downloads, remove the appropriate
+# disable any LinuxMalwareDetect database downloads, remove the appropriate
 # lines below.
 declare -a linuxmalwaredetect_dbs=(
 ### Linux Malware Detect https://www.rfxn.com/projects/linux-malware-detect/
 # LOW
 rfxn.ndb|LOW # HEX Malware detection signatures
-rfxn.hdb|LOW # MD5 malware detection signatures
+rfxn.hdb|LOW # MD5 Malware detection signatures
+rfxn.yara|LOW # Yara Malware detection signatures
 ) #END LINUXMALWAREDETECT DATABASES
 
 # ========================
+# urlhaus Database(s)
+# ========================
+# Add or remove database file names between quote marks as needed. To
+# disable any urlhaus database downloads, remove the appropriate
+# lines below.
+declare -a urlhaus_dbs=(
+### urlhaus https://urlhaus.abuse.ch/browse/
+# LOW
+urlhaus.ndb|LOW # malicious URLs that are being used for malware distribution
+) #END URLHAUS DATABASES
+
+# ========================
 # Yara Rules Project Database(s)
 # ========================
 # Add or remove database file names between quote marks as needed. To
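Review bot: `declare -a securiteinfo_dbs_premium=( #START SECURITEINFO DATABASES` reuses the start marker of the free array, and its closing `)` carries no `#END` marker, unlike every other list in this file; `#START SECURITEINFO PREMIUM DATABASES` and `) #END SECURITEINFO PREMIUM DATABASES` keep the markers distinct and greppable. The `# NON-FREE DATABASES` comment could also state that this list is only fetched when `securiteinfo_premium="yes"` (the flag added at -100), if that is indeed how the script uses it — the gating is not visible here. `rfxn.yara|LOW` is added to the LinuxMalwareDetect list without the `Yara signatures require ClamAV 0.100 or newer` note that the other YARA entries in this commit carry.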
@@ -325,33 +348,108 @@ declare -a yararulesproject_dbs=(
 # Some rules are now in sub-directories. To reference a file in a sub-directory
 # use subdir/file
 # LOW
-Antidebug_AntiVM/antidebug_antivm.yar|LOW # anti debug and anti virtualization techniques used by malware
-Exploit-Kits/EK_Angler.yar|LOW # Angler Exploit Kit Redirector
-Exploit-Kits/EK_Blackhole.yar|LOW # BlackHole2 Exploit Kit Detection
-Exploit-Kits/EK_BleedingLife.yar|LOW # BleedingLife2 Exploit Kit Detection
-Exploit-Kits/EK_Crimepack.yar|LOW # CrimePack Exploit Kit Detection
-Exploit-Kits/EK_Eleonore.yar|LOW # Eleonore Exploit Kit Detection
-Exploit-Kits/EK_Fragus.yar|LOW # Fragus Exploit Kit Detection
-Exploit-Kits/EK_Phoenix.yar|LOW # Phoenix Exploit Kit Detection
-Exploit-Kits/EK_Sakura.yar|LOW # Sakura Exploit Kit Detection
-Exploit-Kits/EK_ZeroAcces.yar|LOW # ZeroAccess Exploit Kit Detection
-Exploit-Kits/EK_Zerox88.yar|LOW # 0x88 Exploit Kit Detection
-Exploit-Kits/EK_Zeus.yar|LOW # Zeus Exploit Kit Detection
+# Anti debug and anti virtualization techniques used by malware
+antidebug_antivm/antidebug_antivm.yar|LOW
+# Aimed toward the detection and existence of Exploit Kits.
+#exploit_kits/EK_Angler.yar|LOW # duplicated in rxfn.yara
+#exploit_kits/EK_Blackhole.yar|LOW # duplicated in rxfn.yara
+exploit_kits/EK_BleedingLife.yar|LOW # duplicated in rxfn.yara
+#exploit_kits/EK_Crimepack.yar|LOW # duplicated in rxfn.yara
+#exploit_kits/EK_Eleonore.yar|LOW # duplicated in rxfn.yara
+#exploit_kits/EK_Fragus.yar|LOW # duplicated in rxfn.yara
+#exploit_kits/EK_Phoenix.yar|LOW # duplicated in rxfn.yara
+#exploit_kits/EK_Sakura.yar|LOW # duplicated in rxfn.yara
+#exploit_kits/EK_ZeroAcces.yar|LOW # duplicated in rxfn.yara
+#exploit_kits/EK_Zerox88.yar|LOW # duplicated in rxfn.yara
+#exploit_kits/EK_Zeus.yar|LOW # duplicated in rxfn.yara
+# Identification of well-known webshells
+#webshells/WShell_APT_Laudanum.yar|LOW # duplicated in rxfn.yara
+webshells/WShell_ASPXSpy.yar|LOW
+webshells/WShell_Drupalgeddon2_icos.yar|LOW
+#webshells/WShell_PHP_Anuna.yar|LOW # duplicated in rxfn.yara
+#webshells/WShell_PHP_in_images.yar|LOW # duplicated in rxfn.yara
+#webshells/WShell_THOR_Webshells.yar|LOW # duplicated in rxfn.yara
+#webshells/Wshell_ChineseSpam.yar|LOW # duplicated in rxfn.yara
+#webshells/Wshell_fire2013.yar|LOW # duplicated in rxfn.yara
 # MEDIUM
-Malicious_Documents/maldoc_somerules.yar|MEDIUM # documents with malicious code
-Malicious_Documents/Maldoc_Hidden_PE_file.yar|MEDIUM # Detect a hidden PE file inside a sequence of numbers (comma separated)
-Packers/packer.yar|MEDIUM # well-known sofware packers
-CVE_Rules/CVE-2010-0805.yar|MEDIUM # CVE 2010 0805
-CVE_Rules/CVE-2010-0887.yar|MEDIUM # CVE 2010 0887
-CVE_Rules/CVE-2010-1297.yar|MEDIUM # CVE 2010 1297
-CVE_Rules/CVE-2013-0074.yar|MEDIUM # CVE 2013 0074
-CVE_Rules/CVE-2013-0422.yar|MEDIUM # CVE 2013 0422
-CVE_Rules/CVE-2015-5119.yar|MEDIUM # CVE 2015 5119
+# Identification of specific Common Vulnerabilities and Exposures (CVEs)
+cve_rules/CVE-2010-0805.yar|MEDIUM
+cve_rules/CVE-2010-0887.yar|MEDIUM
+cve_rules/CVE-2010-1297.yar|MEDIUM
+cve_rules/CVE-2012-0158.yar|MEDIUM
+cve_rules/CVE-2013-0074.yar|MEDIUM
+cve_rules/CVE-2013-0422.yar|MEDIUM
+cve_rules/CVE-2015-1701.yar|MEDIUM
+cve_rules/CVE-2015-2426.yar|MEDIUM
+cve_rules/CVE-2015-2545.yar|MEDIUM
+cve_rules/CVE-2015-5119.yar|MEDIUM
+cve_rules/CVE-2016-5195.yar|MEDIUM
+cve_rules/CVE-2017-11882.yar|MEDIUM
+cve_rules/CVE-2018-20250.yar|MEDIUM
+cve_rules/CVE-2018-4878.yar|MEDIUM
+# Identification of malicious e-mails.
+email/bank_rule.yar|MEDIUM
+email/EMAIL_Cryptowall.yar|MEDIUM
+email/Email_fake_it_maintenance_bulletin|MEDIUM
+email/Email_generic_phishing|MEDIUM
+email/Email_quota_limit_warning|MEDIUM
+email/email_Ukraine_BE_powerattack.yar|MEDIUM
+email/scam.yar|MEDIUM
+# Detect well-known software packers, that can be used by malware to hide itself.
+packers/JJencode.yar|MEDIUM
+packers/packer_compiler_signatures.yar|MEDIUM
+packers/packer.yar|MEDIUM
+packers/peid.yar|MEDIUM
 # HIGH
-Packers/Javascript_exploit_and_obfuscation.yar|HIGH # JavaScript Obfuscation Detection
-Crypto/crypto.yar|HIGH # detect the existence of cryptographic algoritms
+# Used with documents to find if they have been crafted to leverage malicious code.
+maldocs/Maldoc_APT_OLE_JSRat.yar|HIGH
+maldocs/Maldoc_APT10_MenuPass.yar|HIGH
+maldocs/Maldoc_APT19_CVE-2017-1099.yar|HIGH
+maldocs/Maldoc_Contains_VBE_File.yar|HIGH
+maldocs/Maldoc_CVE_2017_11882.yar|HIGH
+maldocs/Maldoc_CVE_2017_8759.yar|HIGH
+maldocs/Maldoc_CVE-2017-0199.yar|HIGH
+maldocs/Maldoc_DDE.yar|HIGH
+maldocs/Maldoc_Dridex.yar|HIGH
+maldocs/Maldoc_hancitor_dropper|HIGH
+maldocs/Maldoc_Hidden_PE_file.yar|HIGH
+maldocs/Maldoc_malrtf_ole2link.yar|HIGH
+maldocs/Maldoc_MIME_ActiveMime_b64.yar|HIGH
+maldocs/Maldoc_PDF.yar|HIGH
+maldocs/Maldoc_PowerPointMouse.yar|HIGH
+maldocs/maldoc_somerules.yar|HIGH
+maldocs/Maldoc_Suspicious_OLE_target.yar|HIGH
+maldocs/Maldoc_UserForm.yar|HIGH
+maldocs/Maldoc_VBA_macro_code.yar|HIGH
+maldocs/Maldoc_Word_2007_XML_Flat_OPC.yar|HIGH
+# Yara Rules aimed to detect well-known software packers, that can be used by malware to hide itself.
+packers/Javascript_exploit_and_obfuscation.yar|HIGH
 ) #END yararulesproject DATABASES
 
+declare -a yararulesproject_dbs_blacklisted=(
+email/attachment.yar # detects all emails with attachments
+email/image.yar # detects all emails with images
+email/urls.yar # detects all emails with urls
+crypto/crypto_signatures.yar # detects all files which are encrypted
+)
+
+declare -a yararulesproject_dbs_catagories=(
+#LOW
+antidebug_antivm|LOW
+cve_rules|LOW
+exploit_kits|LOW
+malware|LOW
+webshells|LOW
+#MEDIUM
+email|MEDIUM
+maldocs|MEDIUM
+# HIGH
+capabilities|HIGH
+crypto|HIGH
+packers|HIGH
+)
+
+
 # =========================
 # Additional signature databases
 # =========================
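Review bot: Four new entries lack the `.yar` suffix every other rule in the list carries — `email/Email_fake_it_maintenance_bulletin|MEDIUM`, `email/Email_generic_phishing|MEDIUM`, `email/Email_quota_limit_warning|MEDIUM` and `maldocs/Maldoc_hancitor_dropper|HIGH` — so if the downloader composes `yararulesproject_url/<entry>` these will not resolve unless upstream really ships extension-less files; worth checking against the repository before release. The comments `# duplicated in rxfn.yara` name a file that the LinuxMalwareDetect list in the hunk at -290 declares as `rfxn.yara`, and `exploit_kits/EK_BleedingLife.yar|LOW` is the only entry carrying that comment that is left enabled, which looks like an oversight. In `yararulesproject_dbs_catagories` the ratings `cve_rules|LOW` and `maldocs|MEDIUM` disagree with the MEDIUM and HIGH ratings given to the same directories' files above; which of the two the script honours is not visible here, so a comment stating the precedence would help. The array name `catagories` is misspelled, but renaming it has to be done together with the script that reads it.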
@@ -373,6 +471,29 @@ Crypto/crypto.yar|HIGH # detect the existence of cryptographic algoritms
 # http://www.example.org/sigs.ldb
 #) #END ADDITIONAL DATABASES
 
+# ==================================================
+# ==================================================
+# D E B U G O P T I O N S
+# ==================================================
+# ==================================================
+
+# Enable debugging, will cause all options below to enable
+debug="no"
+
+# Causes the xshok_file_download function to be verbose, used for debugging
+downloader_debug="no"
+
+# Causes clamscan signature test errors to be vebose
+clamscan_debug="no"
+
+# Causes curl errors to be vebose
+curl_debug="no"
+
+# Causes wget errors to be vebose
+wget_debug="no"
+
+# Causes rsync errors to be vebose
+rsync_debug="no"
 
 # ==================================================
 # ==================================================
@@ -380,6 +501,21 @@ Crypto/crypto.yar|HIGH # detect the existence of cryptographic algoritms
 # ==================================================
 # ==================================================
 
+# Branch for update checking, default: master
+git_branch="master"
+
+# Enable support for script and master.conf upgrades
+# enbles the --upgrade command line option
+# packagers, if required please disable or set this option to no in the os.conf
+allow_upgrades="yes"
+
+# Enable support for script and master.conf update checks
+# packagers, if required please disable or set this option to no in the os.conf
+allow_update_checks="yes"
+
+# How often the script should check for updates
+update_check_hours="12"# Default is 12 hours (2 checks daily).
+
 # Enable or disable download time randomization. This allows the script to
 # be executed via cron, but the actual database file checking will pause
 # for a random number of seconds between the "min" and "max" time settings
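Review bot: The comment `# Causes clamscan signature test errors to be vebose` and the curl, wget and rsync lines below it misspell verbose; it should be `verbose` in all four. `debug="no"` is documented as "will cause all options below to enable", which is fine, but a user reading only user.conf would be helped by naming the switches it implies, e.g. `# Master switch: yes turns on every *_debug option in this block`.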
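Review bot: `update_check_hours="12"# Default is 12 hours (2 checks daily).` has no whitespace before the `#`, and in bash a `#` only starts a comment at the beginning of a word, so the variable is assigned the string `12# Default is 12 hours (2 checks daily).` and any arithmetic or comparison on it will fail. It should read `update_check_hours="12" # Default is 12 hours (2 checks daily).`. `allow_upgrades="yes"` and `allow_update_checks="yes"` are also on by default, which lets the cron-run script replace itself with a downloaded copy; the hunk at -435 shows `downloader_ignore_ssl="yes"` as the shipped default, so that replacement would be fetched without certificate validation. Defaulting `allow_upgrades` to `"no"` (the comment already flags it as a packager concern), or documenting that it should only be enabled together with `downloader_ignore_ssl="no"`, keeps the script from trusting an unauthenticated download. The comment `# enbles the --upgrade command line option` misspells enables.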
@@ -393,19 +529,23 @@ enable_locking="yes"
 
 # If download time randomization is enabled above (enable_random="yes"),
 # then set the min and max radomization time intervals (in seconds).
-min_sleep_time="60" # Default minimum is 60 seconds (1 minute).
 max_sleep_time="600" # Default maximum is 600 seconds (10 minutes).
+min_sleep_time="60" # Default minimum is 60 seconds (1 minute).
 
 # Command to do a full clamd service stop/start
 #clamd_restart_opt="service clamd restart"
 
 # Custom Command Paths, these are detected with the which command when not set
-#uname_bin="/usr/bin/uname"
 #clamscan_bin="/usr/bin/clamscan"
-#rsync_bin="/usr/bin/rsync"
-#wget_bin="/usr/bin/wget"
 #curl_bin="/usr/bin/curl"
 #gpg_bin="/usr/bin/gpg"
+#rsync_bin="/usr/bin/rsync"
+#tar_bin="/usr/bin/tar"
+#uname_bin="/usr/bin/uname"
+#wget_bin="/usr/bin/wget"
+
+# force wget, by default curl is used when curl and wget is present.
+force_wget="no"
 
 # GnuPG / Signature verification
 # To disable usage of gpg, set the following variable to "no".
@@ -435,24 +575,25 @@ downloader_ignore_ssl="yes" # Default is "yes" ignore ssl errors and warnings
 # The defaults settings here are reasonable, only change if you are
 # experiencing timeout issues.
 downloader_connect_timeout="60"
-downloader_max_time="180"
+downloader_max_time="1800"
 
 # Set downloader retry count for failed transfers
-downloader_tries="3"
+downloader_tries="5"
 
 # Set working directory paths (edit to meet your own needs). If these
 # directories do not exist, the script will attempt to create them.
 # Always located inside the work_dir, do not add /
 # Sub-directory names:
-sanesecurity_dir="dbs-ss" # Sanesecurity sub-directory
-securiteinfo_dir="dbs-si" # SecuriteInfo sub-directory
+add_dir="dbs-add" # User defined databases sub-directory
+gpg_dir="gpg-key" # Sanesecurity GPG Key sub-directory
 linuxmalwaredetect_dir="dbs-lmd" # Linux Malware Detect sub-directory
 malwarepatrol_dir="dbs-mbl" # MalwarePatrol sub-directory
-yararulesproject_dir="dbs-yara" # Yara-Rules sub-directory
-work_dir_configs="configs" # Script configs sub-directory
-gpg_dir="gpg-key" # Sanesecurity GPG Key sub-directory
 pid_dir="pid" # User defined pid sub-directory
-add_dir="dbs-add" # User defined databases sub-directory
+sanesecurity_dir="dbs-ss" # Sanesecurity sub-directory
+securiteinfo_dir="dbs-si" # SecuriteInfo sub-directory
+urlhausy_dir="dbs-uh" # urlhaus sub-directory
+work_dir_configs="configs" # Script configs sub-directory
+yararulesproject_dir="dbs-yara" # Yara-Rules sub-directory
 
 # If you would like to make a backup copy of the current running database
 # file before updating, leave the following variable set to "yes" and a
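Review bot: `urlhausy_dir="dbs-uh" # urlhaus sub-directory` misspells the variable name: the hunk at -513 documents `#work_dir_urlhaus="" #default: uses work_dir/urlhaus_dir`, so the script presumably reads `urlhaus_dir`, which this file then never sets, and the urlhaus download directory would be derived from an empty name. The line should read `urlhaus_dir="dbs-uh" # urlhaus sub-directory`. Separately, `downloader_max_time="1800"` is a tenfold increase over the previous value with no comment; with locking enabled (the `enable_locking="yes"` heading of the hunk at -393) a single stalled transfer can now hold the lock for thirty minutes, so a line stating why the ceiling was raised would help packagers decide whether to keep it.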
@@ -472,15 +613,13 @@ remove_disabled_databases="no" # Default is "no" since we are not a database man
 #
 selinux_fixes="no" # Default is "no" ignore ssl errors and warnings
 
-# If necessary to proxy database downloads, define the rsync and/or wget
-# proxy settings here. For rsync, the proxy must support connections to
-# port 873. Both wget and rsync proxy setting need to be defined in the
-# format of "hostname:port". For wget, also note the https and http
-#rsync_proxy=""
-#curl_proxy=""
-#wget_proxy_http="-e http_proxy=http://username:password@proxy_host:proxy_port"
-#wget_proxy_https="-e https_proxy=https://username:password@proxy_host:proxy_port"
-
+# Proxy Support
+# If necessary to proxy database downloads, define the rsync, curl, wget, dig, hosr proxy settings here.
+#rsync_proxy="username:password@proxy_host:proxy_port"
+#curl_proxy="--proxy http://username:password@proxy_host:proxy_port"
+#wget_proxy="-e http_proxy=http://username:password@proxy_host:proxy_port -e https_proxy=https://username:password@proxy_host:proxy_port"
+#dig_proxy="@proxy_host -p proxy_host:proxy_port"
+#host_proxy="@proxy_host" #does not support port
 
 # Custom Cron install settings, these are detected and only used if you want to override
 # the automatic detection and generation of the values when not set, this is mainly to aid package maintainers
@@ -488,6 +627,7 @@ selinux_fixes="no" # Default is "no" ignore ssl errors and warnings
 #cron_filename="" #default: clamav-unofficial-sigs
 #cron_minute="" #default: random value between 0-59
 #cron_user="" #default: uses the clam_user
+#cron_sudo="no" #default no, yes will append sudo -u before the username
 #cron_bash="" #default: detected with the which command
 #cron_script_full_path="" #default: detected to the fullpath of the script
 
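Review bot: The example `#dig_proxy="@proxy_host -p proxy_host:proxy_port"` is wrong for dig, whose `-p` option takes only a port number; `#dig_proxy="@proxy_host -p proxy_port"` is what a user would need to copy. The header comment also has a typo, `dig, hosr proxy settings` → `dig, host proxy settings`. The rewritten examples all embed `username:password` where the removed comment described bare `hostname:port` values, so the `# Proxy Support` comment should tell users to put real credentials in user.conf and keep that file readable only by the account the script runs as, since the old and new formats are not interchangeable and the values are now secrets.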
@@ -513,15 +653,16 @@ selinux_fixes="no" # Default is "no" ignore ssl errors and warnings
 
 # Custom full working directory paths, these are detected and only used if you want to override
 # the automatic detection and generation of the values when not set, this is mainly to aid package maintainers
-#work_dir_sanesecurity="" #default: uses work_dir/sanesecurity_dir
-#work_dir_securiteinfo="" #default: uses work_dir/securiteinfo_dir
-#work_dir_linuxmalwaredetect="" #default: uses work_dir/linuxmalwaredetect_dir
-#work_dir_malwarepatrol="" #default: uses work_dir/malwarepatrol_dir
-#work_dir_yararulesproject="" #default: uses work_dir/yararulesproject_dir
 #work_dir_add="" #default: uses work_dir/add_dir
-#work_dir_work_configs="" #default: uses work_dir/work_dir_configs
 #work_dir_gpg="" #default: uses work_dir/gpg_dir
+#work_dir_linuxmalwaredetect="" #default: uses work_dir/linuxmalwaredetect_dir
+#work_dir_malwarepatrol="" #default: uses work_dir/malwarepatrol_dir
 #work_dir_pid="" #default: uses work_dir/pid_dir
+#work_dir_sanesecurity="" #default: uses work_dir/sanesecurity_dir
+#work_dir_securiteinfo="" #default: uses work_dir/securiteinfo_dir
+#work_dir_urlhaus="" #default: uses work_dir/urlhaus_dir
+#work_dir_work_configs="" #default: uses work_dir/work_dir_configs
+#work_dir_yararulesproject="" #default: uses work_dir/yararulesproject_dir
 
 # ========================
 # After you have completed the configuration of this file, set the value to "yes"
@@ -530,15 +671,22 @@ user_configuration_complete="no"
 # ========================
 # DO NOT EDIT !
 # Database provider URLs
-sanesecurity_url="rsync.sanesecurity.net"
+linuxmalwaredetect_sigpack_url="https://cdn.rfxn.com/downloads/maldet-sigpack.tgz"
+linuxmalwaredetect_version_url="https://cdn.rfxn.com/downloads/maldet.sigs.ver"
+malwarepatrol_url="https://lists.malwarepatrol.net/cgi/getfile"
 sanesecurity_gpg_url="http://www.sanesecurity.net/publickey.gpg"
+sanesecurity_url="rsync.sanesecurity.net"
 securiteinfo_url="https://www.securiteinfo.com/get/signatures"
-linuxmalwaredetect_url="http://cdn.rfxn.com/downloads"
-malwarepatrol_url="https://lists.malwarepatrol.net/cgi/getfile"
+urlhaus_url="https://urlhaus.abuse.ch/downloads"
 yararulesproject_url="https://raw.githubusercontent.com/Yara-Rules/rules/master"
 
 # ========================
 # DO NOT EDIT !
-config_version="73"
+config_version="91"
+################################################################################
+#
+# DO NOT EDIT THIS FILE !! DO NOT EDIT THIS FILE !! DO NOT EDIT THIS FILE !!
+#
+################################################################################
 # https://eXtremeSHOK.com
 ######################################################
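Review bot: `sanesecurity_gpg_url="http://www.sanesecurity.net/publickey.gpg"` is left on plain http while the URL block around it is rewritten and every URL the commit adds uses https; the `gpg_dir` comment at -435 calls this the Sanesecurity GPG key, i.e. the key the databases are verified against, so fetching it over an unauthenticated channel means the signature check only confirms that the databases match whatever key was received in transit. Switching the entry to `https://` if the host serves it, or recording the expected key fingerprint in the config so the downloaded key can be compared before use, would close that gap. The new `linuxmalwaredetect_version_url` and `linuxmalwaredetect_sigpack_url` replace `linuxmalwaredetect_url`, which the hunk at -290 does not mention; a short comment on how the version file is used to decide whether the sigpack is re-downloaded would help readers of this block.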