X-Git-Url: http://ftp.carnet.hr/carnet-debian/scm?p=clamav-unofficial-sigs.git;a=blobdiff_plain;f=master.conf;fp=master.conf;h=96cd82c0ccea3926eda8f37536339c453cc684f9;hp=b76163168b8f352f3bcd7602cdd12aa6ee9a4e3b;hb=3e3d14786094ce1193b2a6062a9d13226c68d4d4;hpb=2de844a2b195cd9d9c824e1220a0e5b54bd7ea57 diff --git a/master.conf b/master.conf index b761631..96cd82c 100644 --- a/master.conf +++ b/master.conf @@ -3,18 +3,20 @@ # This is property of eXtremeSHOK.com # You are free to use, modify and distribute, however you may not remove this notice. # Copyright (c) Adrian Jon Kriel :: admin@extremeshok.com +# License: BSD (Berkeley Software Distribution) ################## # # Script updates can be found at: https://github.com/extremeshok/clamav-unofficial-sigs -# -# Originially based on: -# Script provide by Bill Landry (unofficialsigs@gmail.com). -# -# License: BSD (Berkeley Software Distribution) # ################## # -# NOT COMPATIBLE WITH VERSION 3.XX / 4.XX CONFIG +# NOT COMPATIBLE WITH VERSION 3.XX / 4.XX CONFIG +# +################################################################################ +# +# IT IS BETTER TO SET YOUR OPTIONS IN THE user.conf AS THIS MAKES UPDATES EASIER +# +# os.conf AND user.conf OVERRIDES THE OPTIONS IN THIS FILE # ################################################################################ @@ -54,6 +56,9 @@ clamd_pid="/var/run/clamav/clamd.pid" # change the following variable to "yes". reload_dbs="yes" +# Custom Command to do a full clamd reload, this is only used when reload_dbs is enabled +clamd_reload_opt="clamdscan --reload" + # Top level working directory, script will attempt to create them. work_dir="/var/lib/clamav-unofficial-sigs" #Top level working directory 
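Review bot: `clamd_reload_opt="clamdscan --reload"` is now set unconditionally here while the hunk at @@ -381,9 +399,6 @@ removes the commented line that documented it as the fallback used when the variable is unset, so the file no longer says what an empty or unset value does. The new comment should also say that the value is a command the script runs after a database update (presumably through the shell, so it should be a fully specified, trusted command) and whether the built-in fallback still applies, e.g. `# Command run to reload clamd after a database update; only used when reload_dbs="yes". Leave unset to use the default "clamdscan --reload".` if that fallback still exists.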
@@ -89,7 +94,7 @@ malwarepatrol_free="yes" # - 3. Login and navigate to your customer account : https://www.securiteinfo.com/clients/customers/account # - 4. Click on the Setup tab # - 5. You will need to get your unique identifier from one of the download links, they are individual for every user -# - 5.1. The 128 character string is after the http://www.securiteinfo.com/get/signatures/ +# - 5.1. The 128 character string is after the http://www.securiteinfo.com/get/signatures/ # - 5.2. Example https://www.securiteinfo.com/get/signatures/your_unique_and_very_long_random_string_of_characters/securiteinfo.hdb # Your 128 character authorisation signature would be : your_unique_and_very_long_random_string_of_characters # - 6. Enter the authorisation signature into the config securiteinfo_authorisation_signature: replacing YOUR-SIGNATURE-NUMBER with your authorisation signature from the link @@ -113,7 +118,7 @@ additional_update_hours="4" # Default is 4 hours (6 downloads daily). # ======================== # Set to no to disable an entire database, if the database is empty it will also be disabled. sanesecurity_enabled="yes" # Sanesecurity -securiteinfo_enabled="yes" # SecuriteInfo +securiteinfo_enabled="yes" # SecuriteInfo linuxmalwaredetect_enabled="yes" # Linux Malware Detect malwarepatrol_enabled="yes" # Malware Patrol yararulesproject_enabled="yes" # Yara-Rule Project, automatically disabled if clamav is older than 0.99 @@ -128,12 +133,12 @@ enable_yararules="yes" #Enables yararules in the various databases, automatica # The new and old database formats are supported for backwards compatibility # # New Format Usage: -# new_example_dbs=" +# declare -a new_example_dbs=( # file.name|RATING #description -# " -# +# ) +# # Rating (False Positive Rating) -# valid ratings: +# valid ratings: # REQUIRED : always used # LOW : used when the rating is low, medium and high # MEDIUM : used when the rating is medium and high 
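Review bot: The new-format example `declare -a new_example_dbs=(` shows entries written as `file.name|RATING #description`, but inside a bash array literal an unquoted `|` is a control operator and bash rejects it with a syntax error, so either each element needs quoting (`"file.name|RATING" # description`) or the script must rewrite these lines before evaluating the file, and nothing in this file says that it does. If the script does pre-process the config, state that in this comment block, because the example reads as literal bash now that the old quoted-string form is gone. The same unquoted form is used by the converted arrays in the hunks at @@ -176,56 +181,74 @@, @@ -266,20 +285,20 @@, @@ -287,12 +306,12 @@ and @@ -300,14 +319,13 @@, and by the commented example at @@ -341,19 +359,19 @@.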
@@ -148,11 +153,11 @@ enable_yararules="yes" #Enables yararules in the various databases, automatica # file.name #LOW description # " -# Default dbs rating +# Default dbs rating # valid rating: LOW, MEDIUM, HIGH default_dbs_rating="LOW" -# Per Database +# Per Database # These ratings will override the global rating for the specific database # valid rating: LOW, MEDIUM, HIGH, DISABLED #sanesecurity_dbs_rating="" @@ -166,8 +171,8 @@ default_dbs_rating="LOW" # Add or remove database file names between quote marks as needed. To # disable usage of any of the Sanesecurity distributed database files # shown, remove the database file name from the quoted section below. -# Only databases defined as "low" risk have been enabled by default -# for additional information about the database ratings, see: +# Only databases defined as "low" risk have been enabled by default +# for additional information about the database ratings, see: # http://www.sanesecurity.com/clamav/databases.htm # Only add signature databases here that are "distributed" by Sanesecuirty # as defined at the URL shown above. Database distributed by others sources 
@@ -176,56 +181,74 @@ default_dbs_rating="LOW" # spelled correctly or you will experience issues when the script runs # (hint: all rsync servers will fail to download signature updates). -sanesecurity_dbs=" # BEGIN SANESECURITY DATABASE +declare -a sanesecurity_dbs=( # BEGIN SANESECURITY DATABASE ### SANESECURITY http://sanesecurity.com/usage/signatures/ ## REQUIRED, Do NOT disable sanesecurity.ftm|REQUIRED # Message file types, for best performance sigwhitelist.ign2|REQUIRED # Fast update file to whitelist any problem signatures -## LOW -junk.ndb|LOW # General high hitting junk, containing spam/phishing/lottery/jobs/419s etc +# LOW +junk.ndb|LOW # General high hitting junk, containing spam/phishing/lottery/jobs/419s etc jurlbl.ndb|LOW # Junk Url based -phish.ndb|LOW # Phishing -rogue.hdb|LOW # Malware, Rogue anti-virus software and Fake codecs etc. Updated hourly to cover the latest malware threats -scam.ndb|LOW # Spam/scams -spamimg.hdb|LOW # Spam images -spamattach.hdb|LOW # Spam Spammed attachments such as pdf/doc/rtf/zip -blurl.ndb|LOW # Blacklisted full urls over the last 7 days, covering malware/spam/phishing. URLs added only when main signatures have failed to detect but are known to be "bad" +phish.ndb|LOW # Phishing and Malware +rogue.hdb|LOW # Malware, Rogue anti-virus software and Fake codecs etc. Updated hourly to cover the latest malware threats +scam.ndb|LOW # Spam/scams +spamimg.hdb|LOW # Spam images +spamattach.hdb|LOW # Spam Spammed attachments such as pdf/doc/rtf/zips +blurl.ndb|LOW # Blacklisted full urls over the last 7 days, covering malware/spam/phishing. 
URLs added only when main signatures have failed to detect but are known to be "bad" malwarehash.hsb|LOW # Malware hashes without known Size -## MEDIUM +# MEDIUM jurlbla.ndb|MEDIUM # Junk Url based autogenerated from various feeds -lott.ndb|MEDIUM # Lottery +lott.ndb|MEDIUM # Lottery spam.ldb|MEDIUM # Spam detected using the new Logical Signature type spear.ndb|MEDIUM # Spear phishing email addresses (autogenerated from data here) -spearl.ndb|MEDIUM # Spear phishing urls (autogenerated from data here) -badmacro.ndb|MEDIUM # Detect dangerous macros +spearl.ndb|MEDIUM # Spear phishing urls (autogenerated from data here) +badmacro.ndb|MEDIUM # Blocks dangerous macros embedded in Word/Excel/Xml/RTF/JS documents +shelter.ldb|MEDIUM # Phishing and Malware + +### MALWARE.EXPERT https://malware.expert/ +# LOW +malware.expert.hdb|MEDIUM # statics MD5 pattern for files +# MEDIUM +malware.expert.fp|MEDIUM # found to be false positive malware +malware.expert.ldb|MEDIUM # which use multi-words search for malware in files +malware.expert.ndb|MEDIUM # Generic Hex pattern PHP malware, which can cause false positive alarms ### FOXHOLE http://sanesecurity.com/foxhole-databases/ -## LOW +# LOW foxhole_generic.cdb|LOW # See Foxhole page for more details foxhole_filename.cdb|LOW # See Foxhole page for more details -## MEDIUM +# MEDIUM foxhole_js.cdb|MEDIUM # See Foxhole page for more details -## HIGH -foxhole_all.cdb|HIGH # See Foxhole page for more details +foxhole_js.ndb|MEDIUM # See Foxhole page for more details +# HIGH +foxhole_all.cdb|HIGH # See Foxhole page for more details +foxhole_all.ndb|HIGH # See Foxhole page for more details +foxhole_mail.cdb|HIGH # block any mail that contains a possible dangerous attachments such as: js, jse, exe, bat, com, scr, uue, ace, pif, jar, gz, lnk, lzh. ### OITC http://www.oitc.com/winnow/clamsigs/index.html -### Note: the two databases winnow_phish_complete.ndb and winnow_phish_complete_url.ndb should NOT be used together. 
+### Note: the two databases winnow_phish_complete.ndb and winnow_phish_complete_url.ndb should NOT be used together. # LOW winnow_malware.hdb|LOW # Current virus, trojan and other malware not yet detected by ClamAV. winnow_malware_links.ndb|LOW # Links to malware -winnow_extended_malware.hdb|LOW # contain hand generated signatures for malware +winnow_extended_malware.hdb|LOW # contain hand generated signatures for malware winnow.attachments.hdb|LOW # Spammed attachments such as pdf/doc/rtf/zip as well as malware crypted configs winnow_bad_cw.hdb|LOW # md5 hashes of malware attachments acquired directly from a group of botnets -winnow_phish_complete_url.ndb|LOWMEDIUMONLY # Similar to winnow_phish_complete.ndb except that entire urls are used +winnow_phish_complete_url.ndb|LOWMEDIUMONLY # Similar to winnow_phish_complete.ndb except that entire urls are used # MEDIUM winnow_spam_complete.ndb|MEDIUM # Signatures to detect fraud and other malicious spam -winnow.complex.patterns.ldb|MEDIUM # contain hand generated signatures for malware and some egregious fraud -winnow_extended_malware_links.ndb|MEDIUM # contain hand generated signatures for malware links +winnow.complex.patterns.ldb|MEDIUM # contain hand generated signatures for malware and some egregious fraud +winnow_extended_malware_links.ndb|MEDIUM # contain hand generated signatures for malware links # HIGH winnow_phish_complete.ndb|HIGH # Phishing and other malicious urls and compromised hosts **DO NOT USE WITH winnow_phish_complete_url** ### OITC YARA Format rules ### Note: Yara signatures require ClamAV 0.99 or newer to work -winnow_malware.yara|LOW # detect spam +winnow_malware.yara|LOW # detect spam + +### MiscreantPunch http://malwarefor.me/about/ +## MEDIUM +MiscreantPunch099-Low.ldb|MEDIUM # ruleset contains comprehensive rules for detecting malicious or abnormal Macros, JS, HTA, HTML, XAP, JAR, SWF, and more. +## HIGH +MiscreantPunch099-INFO-Low.ldb|HIGH # ruleset provides context to various files. 
Info and Suspicious level signatures may inform analysts of potentially interesting conditions that exist within a document. ### SCAMNAILER http://www.scamnailer.info/ # MEDIUM @@ -233,31 +256,27 @@ scamnailer.ndb|MEDIUM # Spear phishing and other phishing emails ### BOFHLAND http://clamav.bofhland.org/ # LOW -bofhland_cracked_URL.ndb|LOW # Spam URLs -bofhland_malware_URL.ndb|LOW # Malware URLs +bofhland_cracked_URL.ndb|LOW # Spam URLs +bofhland_malware_URL.ndb|LOW # Malware URLs bofhland_phishing_URL.ndb|LOW # Phishing URLs bofhland_malware_attach.hdb|LOW # Malware Hashes ### RockSecurity http://rooksecurity.com/ -#LOW -hackingteam.hsb|LOW # Hacking Team hashes - -### CRDF https://threatcenter.crdf.fr/ # LOW -#crdfam.clamav.hdb|LOW # List of new threats detected by CRDF Anti Malware +hackingteam.hsb|LOW # Hacking Team hashes based on work by rooksecurity.com ### Porcupine # LOW -porcupine.ndb|LOW # Brazilian e-mail phishing and malware signatures -phishtank.ndb|LOW # Online and valid phishing urls from phishtank.com data feed +porcupine.ndb|LOW # Brazilian e-mail phishing and malware signatures +phishtank.ndb|LOW # Online and valid phishing urls from phishtank.com data feed porcupine.hsb|LOW # Sha256 Hashes of VBS and JSE malware, kept for 7 days ### Sanesecurity YARA Format rules ### Note: Yara signatures require ClamAV 0.99 or newer to work -Sanesecurity_sigtest.yara|LOW # Sanesecurity test signatures -Sanesecurity_spam.yara|LOW # detect spam +Sanesecurity_sigtest.yara|LOW # Sanesecurity test signatures +Sanesecurity_spam.yara|LOW # Detects Spam emails -" # END SANESECURITY DATABASES +) # END SANESECURITY DATABASES # ======================== # SecuriteInfo Database(s) 
@@ -266,20 +285,20 @@ Sanesecurity_spam.yara|LOW # detect spam # Add or remove database file names between quote marks as needed. To # disable any SecuriteInfo database downloads, remove the appropriate # lines below. -securiteinfo_dbs=" #START SECURITEINFO DATABASES +declare -a securiteinfo_dbs=( #START SECURITEINFO DATABASES ### Securiteinfo https://www.securiteinfo.com/services/anti-spam-anti-virus/improve-detection-rate-of-zero-day-malwares-for-clamav.shtml ## REQUIRED, Do NOT disable -securiteinfo.ign2|REQUIRED +securiteinfo.ign2|REQUIRED # Signature Whitelist # LOW securiteinfo.hdb|LOW # Malwares in the Wild -javascript.ndb|LOW # Malwares Javascript -securiteinfohtml.hdb|LOW # Malwares HTML +javascript.ndb|LOW # Malwares Javascript +securiteinfohtml.hdb|LOW # Malwares HTML securiteinfoascii.hdb|LOW # Text file malwares (Perl or shell scripts, bat files, exploits, ...) -securiteinfopdf.hdb|LOW # Malwares PDF +securiteinfopdf.hdb|LOW # Malwares PDF securiteinfoandroid.hdb|LOW # Malwares Java/Android Dalvik # HIGH spam_marketing.ndb|HIGH # Spam Marketing / spammer blacklist -" #END SECURITEINFO DATABASES +) #END SECURITEINFO DATABASES # ======================== # Linux Malware Detect Database(s) @@ -287,12 +306,12 @@ spam_marketing.ndb|HIGH # Spam Marketing / spammer blacklist # Add or remove database file names between quote marks as needed. To # disable any SecuriteInfo database downloads, remove the appropriate # lines below. -linuxmalwaredetect_dbs=" +declare -a linuxmalwaredetect_dbs=( ### Linux Malware Detect https://www.rfxn.com/projects/linux-malware-detect/ # LOW rfxn.ndb|LOW # HEX Malware detection signatures rfxn.hdb|LOW # MD5 malware detection signatures -" #END LINUXMALWAREDETECT DATABASES +) #END LINUXMALWAREDETECT DATABASES # ======================== # Yara Rules Project Database(s) 
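Review bot: The context comment above `declare -a securiteinfo_dbs=(` still says `# Add or remove database file names between quote marks as needed.`, but the quote marks are gone now that the list is a bash array; it should read `# Add or remove database file names between the parentheses as needed.`. The same stale sentence precedes the linuxmalwaredetect and yararulesproject arrays in the hunks at @@ -287,12 +306,12 @@ and @@ -300,14 +319,13 @@, and `add your own sites between the quote marks` precedes the commented additional_dbs example at @@ -341,19 +359,19 @@. The comment in the linuxmalwaredetect hunk also still says `disable any SecuriteInfo database downloads` although it introduces the Linux Malware Detect list.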
@@ -300,14 +319,13 @@ rfxn.hdb|LOW # MD5 malware detection signatures # Add or remove database file names between quote marks as needed. To # disable any Yara Rule database downloads, remove the appropriate # lines below. -yararulesproject_dbs=" +declare -a yararulesproject_dbs=( ### Yara Rules https://github.com/Yara-Rules/rules # # Some rules are now in sub-directories. To reference a file in a sub-directory # use subdir/file # LOW -email/EMAIL_Cryptowall.yar|LOW # CryptoWall Resume phish -Antidebug_AntiVM/antidebug_antivm.yar|LOW # anti debug and anti virtualization techniques used by malware +Antidebug_AntiVM/antidebug_antivm.yar|LOW # anti debug and anti virtualization techniques used by malware Exploit-Kits/EK_Angler.yar|LOW # Angler Exploit Kit Redirector Exploit-Kits/EK_Blackhole.yar|LOW # BlackHole2 Exploit Kit Detection Exploit-Kits/EK_BleedingLife.yar|LOW # BleedingLife2 Exploit Kit Detection @@ -322,7 +340,6 @@ Exploit-Kits/EK_Zeus.yar|LOW # Zeus Exploit Kit Detection # MEDIUM Malicious_Documents/maldoc_somerules.yar|MEDIUM # documents with malicious code Malicious_Documents/Maldoc_Hidden_PE_file.yar|MEDIUM # Detect a hidden PE file inside a sequence of numbers (comma separated) -Packers/Javascript_exploit_and_obfuscation.yar|MEDIUM # JavaScript Obfuscation Detection Packers/packer.yar|MEDIUM # well-known sofware packers CVE_Rules/CVE-2010-0805.yar|MEDIUM # CVE 2010 0805 CVE_Rules/CVE-2010-0887.yar|MEDIUM # CVE 2010 0887 @@ -331,8 +348,9 @@ CVE_Rules/CVE-2013-0074.yar|MEDIUM # CVE 2013 0074 CVE_Rules/CVE-2013-0422.yar|MEDIUM # CVE 2013 0422 CVE_Rules/CVE-2015-5119.yar|MEDIUM # CVE 2015 5119 # HIGH +Packers/Javascript_exploit_and_obfuscation.yar|HIGH # JavaScript Obfuscation Detection Crypto/crypto.yar|HIGH # detect the existence of cryptographic algoritms -" #END yararulesproject DATABASES +) #END yararulesproject DATABASES # ========================= # Additional signature databases 
@@ -341,19 +359,19 @@ Crypto/crypto.yar|HIGH # detect the existence of cryptographic algoritms # format: PROTOCOL://URL-or-IP/PATH/TO/FILE-NAME (use a trailing "/" in # place of the "FILE-NAME" to download all files from specified location, # but this *ONLY* works for files downloaded via rsync). For non-rsync -# downloads, wget and curl is used. For download protocols supported by +# downloads, wget and curl is used. For download protocols supported by # wget and curl, see "man wget" and "man curl". # This also works well for locations that have many ClamAV # servers that use 3rd party signature databases, as only one server need # download the remote databases, and all others can update from the local # mirrors copy. See format examples below. To use, remove the comments # and examples shown and add your own sites between the quote marks. -#additional_dbs=" +#declare -a additional_dbs=( # rsync://192.168.1.50/new-db/sigs.hdb # rsync://rsync.example.com/all-dbs/ # ftp://ftp.example.net/pub/sigs.ndb # http://www.example.org/sigs.ldb -#" #END ADDITIONAL DATABASES +#) #END ADDITIONAL DATABASES # ================================================== @@ -381,9 +399,6 @@ max_sleep_time="600" # Default maximum is 600 seconds (10 minutes). # Command to do a full clamd service stop/start #clamd_restart_opt="service clamd restart" -# Custom Command to fo a full clamd reload, this defaults to "clamdscan --reload" when not set -#clamd_reload_opt="clamdscan --reload" - # Custom Command Paths, these are detected with the which command when not set #uname_bin="/usr/bin/uname" #clamscan_bin="/usr/bin/clamscan" 
@@ -392,6 +407,11 @@ max_sleep_time="600" # Default maximum is 600 seconds (10 minutes). #curl_bin="/usr/bin/curl" #gpg_bin="/usr/bin/gpg" +# GnuPG / Signature verification +# To disable usage of gpg, set the following variable to "no". +# If gpg_bin cannot be found, enable_gpg will automatically disable +enable_gpg="yes" + # If running clamd in "LocalSocket" mode (*NOT* in TCP/IP mode), and # either "SOcket Cat" (socat) or the "IO::Socket::UNIX" perl module # are installed on the system, and you want to report whether clamd @@ -425,10 +445,10 @@ downloader_tries="3" # Always located inside the work_dir, do not add / # Sub-directory names: sanesecurity_dir="dbs-ss" # Sanesecurity sub-directory -securiteinfo_dir="dbs-si" # SecuriteInfo sub-directory -linuxmalwaredetect_dir="dbs-lmd" # Linux Malware Detect sub-directory -malwarepatrol_dir="dbs-mbl" # MalwarePatrol sub-directory -yararulesproject_dir="dbs-yara" # Yara-Rules sub-directory +securiteinfo_dir="dbs-si" # SecuriteInfo sub-directory +linuxmalwaredetect_dir="dbs-lmd" # Linux Malware Detect sub-directory +malwarepatrol_dir="dbs-mbl" # MalwarePatrol sub-directory +yararulesproject_dir="dbs-yara" # Yara-Rules sub-directory work_dir_configs="configs" # Script configs sub-directory gpg_dir="gpg-key" # Sanesecurity GPG Key sub-directory pid_dir="pid" # User defined pid sub-directory @@ -441,7 +461,7 @@ add_dir="dbs-add" # User defined databases sub-directory keep_db_backup="no" # When a database integrity has tested BAD, the failed database will be removed. -remove_bad_database="yes" +remove_bad_database="yes" # When a database is disabled we will remove the associated database files. remove_disabled_databases="no" # Default is "no" since we are not a database managament tool by default. 
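Review bot: The comment on the new `enable_gpg` setting, `# If gpg_bin cannot be found, enable_gpg will automatically disable`, describes a silent security downgrade: when gpg is absent the script presumably installs the downloaded databases without checking their signatures, and nothing here tells the operator that this has happened. Make the consequence explicit in the comment, e.g. `# If gpg_bin cannot be found, enable_gpg is forced to "no" and downloaded databases are NOT signature-verified; install gnupg or set gpg_bin`, and consider having the script abort rather than degrade when enable_gpg is explicitly "yes" and gpg is missing. It would also help to say which databases the verification covers, since `gpg_dir` further down is described as the Sanesecurity GPG key directory only.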
@@ -458,8 +478,8 @@ selinux_fixes="no" # Default is "no" ignore ssl errors and warnings # format of "hostname:port". For wget, also note the https and http #rsync_proxy="" #curl_proxy="" -#wget_proxy_http="http://username:password@proxy_host:proxy_port" -#wget_proxy_https="https://username:password@proxy_host:proxy_port" +#wget_proxy_http="-e http_proxy=http://username:password@proxy_host:proxy_port" +#wget_proxy_https="-e https_proxy=https://username:password@proxy_host:proxy_port" # Custom Cron install settings, these are detected and only used if you want to override @@ -484,9 +504,9 @@ selinux_fixes="no" # Default is "no" ignore ssl errors and warnings #man_dir="" #default: /usr/share/man/man8 #man_filename="" #default: clamav-unofficial-sigs.8 -# Provided two variables that package and port maintainers can use in order to +# Provided two variables that package and port maintainers can use in order to # prevent the script from removing itself with the '-r' flag -# If the script was installed via a package manager like yum, apt, pkg, etc. +# If the script was installed via a package manager like yum, apt, pkg, etc. # The script will instead provide feedback to the user about how to uninstall the package. #pkg_mgr="" #the package manager name #pkg_rm="" #the package manager command to remove the script @@ -519,6 +539,6 @@ yararulesproject_url="https://raw.githubusercontent.com/Yara-Rules/rules/master" # ======================== # DO NOT EDIT ! -config_version="69" +config_version="73" # https://eXtremeSHOK.com ######################################################
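Review bot: The new `wget_proxy_http="-e http_proxy=http://username:password@proxy_host:proxy_port"` example puts proxy credentials into a command-line option, so if the value is handed to wget as written the password is visible to every local user in the process list for the duration of each download, on top of sitting in clear text in this file. The comment above these lines should say so and point users at wget's rc file (`~/.wgetrc`, or the file named by `WGETRC`) for the credentials, keeping only the proxy host and port here. The `#rsync_proxy` and `#curl_proxy` examples are unchanged context, but the same caution applies to them if they take a `user:password@` form.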