X-Git-Url: http://ftp.carnet.hr/carnet-debian/scm?p=clamav-unofficial-sigs.git;a=blobdiff_plain;f=master.conf;h=96cd82c0ccea3926eda8f37536339c453cc684f9;hp=b76163168b8f352f3bcd7602cdd12aa6ee9a4e3b;hb=HEAD;hpb=2ceeaf53bd40e221bc019f921260ac0d864dc5f3 diff --git a/master.conf b/master.conf index b761631..32de383 100644 --- a/master.conf +++ b/master.conf @@ -1,20 +1,18 @@ # This file contains master configuration settings for clamav-unofficial-sigs.sh -################### +################################################################################ # This is property of eXtremeSHOK.com # You are free to use, modify and distribute, however you may not remove this notice. # Copyright (c) Adrian Jon Kriel :: admin@extremeshok.com -################## +# License: BSD (Berkeley Software Distribution) +################################################################################ # -# Script updates can be found at: https://github.com/extremeshok/clamav-unofficial-sigs -# -# Originially based on: -# Script provide by Bill Landry (unofficialsigs@gmail.com). +# DO NOT EDIT THIS FILE !! DO NOT EDIT THIS FILE !! DO NOT EDIT THIS FILE !! # -# License: BSD (Berkeley Software Distribution) +################################################################################ # -################## +# SET YOUR CUSTOM OPTIONS AND SETTINGS IN THE user.conf # -# NOT COMPATIBLE WITH VERSION 3.XX / 4.XX CONFIG +# os.conf (os.***.conf) AND user.conf OVERRIDES THE OPTIONS IN THIS FILE # ################################################################################ @@ -54,6 +52,9 @@ clamd_pid="/var/run/clamav/clamd.pid" # change the following variable to "yes". reload_dbs="yes" +# Custom Command to do a full clamd reload, this is only used when reload_dbs is enabled +clamd_reload_opt="clamdscan --reload" + # Top level working directory, script will attempt to create them. work_dir="/var/lib/clamav-unofficial-sigs" #Top level working directory @@ -61,13 +62,15 @@ work_dir="/var/lib/clamav-unofficial-sigs" #Top level working directory logging_enabled="yes" log_file_path="/var/log/clamav-unofficial-sigs" log_file_name="clamav-unofficial-sigs.log" +## Use a program to log messages +#log_pipe_cmd="/usr/bin/logger -it 'clamav-unofficial-sigs'" # ========================= # MalwarePatrol : https://www.malwarepatrol.net # MalwarePatrol 2016 (free) clamav signatures # -# 1. Sign up for an account : https://www.malwarepatrol.net/signup-free.shtml +# 1. Sign up for an account : https://www.malwarepatrol.net/free-guard-upgrade-option/ # 2. You will recieve an email containing your password/receipt number # 3. Login to your account at malwarePatrol # 4. In My Accountpage, choose the ClamAV list you will download. Free subscribers only get ClamAV Basic, commercial subscribers have access to ClamAV Extended. Do not use the agressive lists. @@ -76,7 +79,9 @@ log_file_name="clamav-unofficial-sigs.log" malwarepatrol_receipt_code="YOUR-RECEIPT-NUMBER" malwarepatrol_product_code="8" malwarepatrol_list="clamav_basic" # clamav_basic or clamav_ext -# Set to no to enable the commercial subscription url. +# if the malwarepatrol_product_code is not 8, +# the malwarepatrol_free is set to no (non-free) +# set to no to enable the commercial subscription url, malwarepatrol_free="yes" # ========================= @@ -89,38 +94,41 @@ malwarepatrol_free="yes" # - 3. Login and navigate to your customer account : https://www.securiteinfo.com/clients/customers/account # - 4. Click on the Setup tab # - 5. You will need to get your unique identifier from one of the download links, they are individual for every user -# - 5.1. The 128 character string is after the http://www.securiteinfo.com/get/signatures/ +# - 5.1. The 128 character string is after the http://www.securiteinfo.com/get/signatures/ # - 5.2. Example https://www.securiteinfo.com/get/signatures/your_unique_and_very_long_random_string_of_characters/securiteinfo.hdb # Your 128 character authorisation signature would be : your_unique_and_very_long_random_string_of_characters # - 6. Enter the authorisation signature into the config securiteinfo_authorisation_signature: replacing YOUR-SIGNATURE-NUMBER with your authorisation signature from the link securiteinfo_authorisation_signature="YOUR-SIGNATURE-NUMBER" +securiteinfo_premium="no" # ======================== # Database provider update time # ======================== # Since the database files are dynamically created, non default values can cause banning, change with caution - -sanesecurity_update_hours="2" # Default is 2 hours (12 downloads daily). -securiteinfo_update_hours="4" # Default is 4 hours (6 downloads daily). +additional_update_hours="4" # Default is 4 hours (6 downloads daily). linuxmalwaredetect_update_hours="6" # Default is 6 hours (4 downloads daily). malwarepatrol_update_hours="24" # Default is 24 hours (1 downloads daily). +sanesecurity_update_hours="2" # Default is 2 hours (12 downloads daily). +securiteinfo_update_hours="4" # Default is 4 hours (6 downloads daily). +urlhaus_update_hours="0" # Default is 0 hours (Update constantly). yararulesproject_update_hours="24" # Default is 24 hours (1 downloads daily). -additional_update_hours="4" # Default is 4 hours (6 downloads daily). # ======================== # Enabled Databases # ======================== # Set to no to disable an entire database, if the database is empty it will also be disabled. -sanesecurity_enabled="yes" # Sanesecurity -securiteinfo_enabled="yes" # SecuriteInfo +additional_enabled="yes" # Additional Databases linuxmalwaredetect_enabled="yes" # Linux Malware Detect malwarepatrol_enabled="yes" # Malware Patrol -yararulesproject_enabled="yes" # Yara-Rule Project, automatically disabled if clamav is older than 0.99 -additional_enabled="yes" # Additional Databases +sanesecurity_enabled="yes" # Sanesecurity +securiteinfo_enabled="yes" # SecuriteInfo +urlhaus_enabled="yes" # urlhaus +yararulesproject_enabled="no" # Yara-Rule Project, automatically disabled if clamav is older than 0.100 and enable_yararules is disabled -## Disabling this will also cause the yararulesproject to be disabled. -enable_yararules="yes" #Enables yararules in the various databases, automatically disabled if clamav is older than 0.99 +# Disabled by default +## Enabling this will also cause the yararulesproject to be enabled if they are det to enabled. +enable_yararules="yes" #Enables yararules in the various databases, automatically disabled if clamav is older than 0.100 # ======================== # eXtremeSHOK Database format @@ -128,12 +136,12 @@ enable_yararules="yes" #Enables yararules in the various databases, automatica # The new and old database formats are supported for backwards compatibility # # New Format Usage: -# new_example_dbs=" +# declare -a new_example_dbs=( # file.name|RATING #description -# " -# +# ) +# # Rating (False Positive Rating) -# valid ratings: +# valid ratings: # REQUIRED : always used # LOW : used when the rating is low, medium and high # MEDIUM : used when the rating is medium and high @@ -148,16 +156,17 @@ enable_yararules="yes" #Enables yararules in the various databases, automatica # file.name #LOW description # " -# Default dbs rating +# Default dbs rating # valid rating: LOW, MEDIUM, HIGH -default_dbs_rating="LOW" +default_dbs_rating="MEDIUM" -# Per Database +# Per Database # These ratings will override the global rating for the specific database # valid rating: LOW, MEDIUM, HIGH, DISABLED +#linuxmalwaredetect_dbs_rating="" #sanesecurity_dbs_rating="" #securiteinfo_dbs_rating="" -#linuxmalwaredetect_dbs_rating="" +#urlhaus_dbs_rating="" #yararulesproject_dbs_rating="" # ======================== @@ -166,8 +175,8 @@ default_dbs_rating="LOW" # Add or remove database file names between quote marks as needed. To # disable usage of any of the Sanesecurity distributed database files # shown, remove the database file name from the quoted section below. -# Only databases defined as "low" risk have been enabled by default -# for additional information about the database ratings, see: +# Only databases defined as "low" risk have been enabled by default +# for additional information about the database ratings, see: # http://www.sanesecurity.com/clamav/databases.htm # Only add signature databases here that are "distributed" by Sanesecuirty # as defined at the URL shown above. Database distributed by others sources @@ -176,56 +185,74 @@ default_dbs_rating="LOW" # spelled correctly or you will experience issues when the script runs # (hint: all rsync servers will fail to download signature updates). -sanesecurity_dbs=" # BEGIN SANESECURITY DATABASE +declare -a sanesecurity_dbs=( # BEGIN SANESECURITY DATABASE ### SANESECURITY http://sanesecurity.com/usage/signatures/ ## REQUIRED, Do NOT disable sanesecurity.ftm|REQUIRED # Message file types, for best performance sigwhitelist.ign2|REQUIRED # Fast update file to whitelist any problem signatures -## LOW -junk.ndb|LOW # General high hitting junk, containing spam/phishing/lottery/jobs/419s etc +# LOW +blurl.ndb|LOW # Blacklisted full urls over the last 7 days, covering malware/spam/phishing. URLs added only when main signatures have failed to detect but are known to be "bad" +junk.ndb|LOW # General high hitting junk, containing spam/phishing/lottery/jobs/419s etc jurlbl.ndb|LOW # Junk Url based -phish.ndb|LOW # Phishing -rogue.hdb|LOW # Malware, Rogue anti-virus software and Fake codecs etc. Updated hourly to cover the latest malware threats -scam.ndb|LOW # Spam/scams -spamimg.hdb|LOW # Spam images -spamattach.hdb|LOW # Spam Spammed attachments such as pdf/doc/rtf/zip -blurl.ndb|LOW # Blacklisted full urls over the last 7 days, covering malware/spam/phishing. URLs added only when main signatures have failed to detect but are known to be "bad" malwarehash.hsb|LOW # Malware hashes without known Size -## MEDIUM +phish.ndb|LOW # Phishing and Malware +rogue.hdb|LOW # Malware, Rogue anti-virus software and Fake codecs etc. Updated hourly to cover the latest malware threats +scam.ndb|LOW # Spam/scams +spamattach.hdb|LOW # Spam Spammed attachments such as pdf/doc/rtf/zips +spamimg.hdb|LOW # Spam images +# MEDIUM +badmacro.ndb|MEDIUM # Blocks dangerous macros embedded in Word/Excel/Xml/RTF/JS documents jurlbla.ndb|MEDIUM # Junk Url based autogenerated from various feeds -lott.ndb|MEDIUM # Lottery +lott.ndb|MEDIUM # Lottery +shelter.ldb|MEDIUM # Phishing and Malware spam.ldb|MEDIUM # Spam detected using the new Logical Signature type spear.ndb|MEDIUM # Spear phishing email addresses (autogenerated from data here) -spearl.ndb|MEDIUM # Spear phishing urls (autogenerated from data here) -badmacro.ndb|MEDIUM # Detect dangerous macros +spearl.ndb|MEDIUM # Spear phishing urls (autogenerated from data here) + +### MALWARE.EXPERT https://malware.expert/ +# LOW +malware.expert.hdb|MEDIUM # statics MD5 pattern for files +# MEDIUM +malware.expert.fp|MEDIUM # found to be false positive malware +malware.expert.ldb|MEDIUM # which use multi-words search for malware in files +malware.expert.ndb|MEDIUM # Generic Hex pattern PHP malware, which can cause false positive alarms ### FOXHOLE http://sanesecurity.com/foxhole-databases/ -## LOW -foxhole_generic.cdb|LOW # See Foxhole page for more details +# LOW foxhole_filename.cdb|LOW # See Foxhole page for more details -## MEDIUM +foxhole_generic.cdb|LOW # See Foxhole page for more details +# MEDIUM foxhole_js.cdb|MEDIUM # See Foxhole page for more details -## HIGH -foxhole_all.cdb|HIGH # See Foxhole page for more details +foxhole_js.ndb|MEDIUM # See Foxhole page for more details +# HIGH +foxhole_all.cdb|HIGH # See Foxhole page for more details +foxhole_all.ndb|HIGH # See Foxhole page for more details +foxhole_mail.cdb|HIGH # block any mail that contains a possible dangerous attachments such as: js, jse, exe, bat, com, scr, uue, ace, pif, jar, gz, lnk, lzh. ### OITC http://www.oitc.com/winnow/clamsigs/index.html -### Note: the two databases winnow_phish_complete.ndb and winnow_phish_complete_url.ndb should NOT be used together. +### Note: the two databases winnow_phish_complete.ndb and winnow_phish_complete_url.ndb should NOT be used together. # LOW -winnow_malware.hdb|LOW # Current virus, trojan and other malware not yet detected by ClamAV. +winnow_bad_cw.hdb|LOW # md5 hashes of malware attachments acquired directly from a group of botnets +winnow_extended_malware.hdb|LOW # contain hand generated signatures for malware winnow_malware_links.ndb|LOW # Links to malware -winnow_extended_malware.hdb|LOW # contain hand generated signatures for malware +winnow_malware.hdb|LOW # Current virus, trojan and other malware not yet detected by ClamAV. +winnow_phish_complete_url.ndb|LOWMEDIUMONLY # Similar to winnow_phish_complete.ndb except that entire urls are used winnow.attachments.hdb|LOW # Spammed attachments such as pdf/doc/rtf/zip as well as malware crypted configs -winnow_bad_cw.hdb|LOW # md5 hashes of malware attachments acquired directly from a group of botnets -winnow_phish_complete_url.ndb|LOWMEDIUMONLY # Similar to winnow_phish_complete.ndb except that entire urls are used # MEDIUM +winnow_extended_malware_links.ndb|MEDIUM # contain hand generated signatures for malware links winnow_spam_complete.ndb|MEDIUM # Signatures to detect fraud and other malicious spam -winnow.complex.patterns.ldb|MEDIUM # contain hand generated signatures for malware and some egregious fraud -winnow_extended_malware_links.ndb|MEDIUM # contain hand generated signatures for malware links +winnow.complex.patterns.ldb|MEDIUM # contain hand generated signatures for malware and some egregious fraud # HIGH winnow_phish_complete.ndb|HIGH # Phishing and other malicious urls and compromised hosts **DO NOT USE WITH winnow_phish_complete_url** ### OITC YARA Format rules -### Note: Yara signatures require ClamAV 0.99 or newer to work -winnow_malware.yara|LOW # detect spam +### Note: Yara signatures require ClamAV 0.100 or newer to work +##winnow_malware.yara|LOW # detect spam + +### MiscreantPunch http://malwarefor.me/about/ +## MEDIUM +MiscreantPunch099-Low.ldb|MEDIUM # ruleset contains comprehensive rules for detecting malicious or abnormal Macros, JS, HTA, HTML, XAP, JAR, SWF, and more. +## HIGH +MiscreantPunch099-INFO-Low.ldb|HIGH # ruleset provides context to various files. Info and Suspicious level signatures may inform analysts of potentially interesting conditions that exist within a document. ### SCAMNAILER http://www.scamnailer.info/ # MEDIUM @@ -233,31 +260,27 @@ scamnailer.ndb|MEDIUM # Spear phishing and other phishing emails ### BOFHLAND http://clamav.bofhland.org/ # LOW -bofhland_cracked_URL.ndb|LOW # Spam URLs -bofhland_malware_URL.ndb|LOW # Malware URLs -bofhland_phishing_URL.ndb|LOW # Phishing URLs +bofhland_cracked_URL.ndb|LOW # Spam URLs bofhland_malware_attach.hdb|LOW # Malware Hashes +bofhland_malware_URL.ndb|LOW # Malware URLs +bofhland_phishing_URL.ndb|LOW # Phishing URLs ### RockSecurity http://rooksecurity.com/ -#LOW -hackingteam.hsb|LOW # Hacking Team hashes - -### CRDF https://threatcenter.crdf.fr/ # LOW -#crdfam.clamav.hdb|LOW # List of new threats detected by CRDF Anti Malware +hackingteam.hsb|LOW # Hacking Team hashes based on work by rooksecurity.com ### Porcupine # LOW -porcupine.ndb|LOW # Brazilian e-mail phishing and malware signatures -phishtank.ndb|LOW # Online and valid phishing urls from phishtank.com data feed +phishtank.ndb|LOW # Online and valid phishing urls from phishtank.com data feed porcupine.hsb|LOW # Sha256 Hashes of VBS and JSE malware, kept for 7 days +porcupine.ndb|LOW # Brazilian e-mail phishing and malware signatures ### Sanesecurity YARA Format rules -### Note: Yara signatures require ClamAV 0.99 or newer to work -Sanesecurity_sigtest.yara|LOW # Sanesecurity test signatures -Sanesecurity_spam.yara|LOW # detect spam +### Note: Yara signatures require ClamAV 0.100 or newer to work +Sanesecurity_sigtest.yara|LOW # Sanesecurity test signatures +Sanesecurity_spam.yara|LOW # Detects Spam emails -" # END SANESECURITY DATABASES +) # END SANESECURITY DATABASES # ======================== # SecuriteInfo Database(s) @@ -266,33 +289,52 @@ Sanesecurity_spam.yara|LOW # detect spam # Add or remove database file names between quote marks as needed. To # disable any SecuriteInfo database downloads, remove the appropriate # lines below. -securiteinfo_dbs=" #START SECURITEINFO DATABASES +declare -a securiteinfo_dbs=( #START SECURITEINFO DATABASES ### Securiteinfo https://www.securiteinfo.com/services/anti-spam-anti-virus/improve-detection-rate-of-zero-day-malwares-for-clamav.shtml ## REQUIRED, Do NOT disable -securiteinfo.ign2|REQUIRED +securiteinfo.ign2|REQUIRED # Signature Whitelist # LOW -securiteinfo.hdb|LOW # Malwares in the Wild -javascript.ndb|LOW # Malwares Javascript -securiteinfohtml.hdb|LOW # Malwares HTML -securiteinfoascii.hdb|LOW # Text file malwares (Perl or shell scripts, bat files, exploits, ...) -securiteinfopdf.hdb|LOW # Malwares PDF +javascript.ndb|LOW # Malwares Javascript +securiteinfo.hdb|LOW # Malwares younger than 3 years. securiteinfoandroid.hdb|LOW # Malwares Java/Android Dalvik +securiteinfoascii.hdb|LOW # Text file malwares (Perl or shell scripts, bat files, exploits, ...) +securiteinfohtml.hdb|LOW # Malwares HTML +securiteinfoold.hdb|LOW # Malwares older than 3 years. +securiteinfopdf.hdb|LOW # Malwares PDF # HIGH spam_marketing.ndb|HIGH # Spam Marketing / spammer blacklist -" #END SECURITEINFO DATABASES +) #END SECURITEINFO DATABASES +# NON-FREE DATABASES +declare -a securiteinfo_dbs_premium=( #START SECURITEINFO DATABASES +securiteinfo.mdb|LOW # 0-day Malwares +securiteinfo0hour.hdb|LOW # 0-Hour Malwares +) # ======================== -# Linux Malware Detect Database(s) +# LinuxMalwareDetect Database(s) # ======================== # Add or remove database file names between quote marks as needed. To -# disable any SecuriteInfo database downloads, remove the appropriate +# disable any LinuxMalwareDetect database downloads, remove the appropriate # lines below. -linuxmalwaredetect_dbs=" +declare -a linuxmalwaredetect_dbs=( ### Linux Malware Detect https://www.rfxn.com/projects/linux-malware-detect/ # LOW rfxn.ndb|LOW # HEX Malware detection signatures -rfxn.hdb|LOW # MD5 malware detection signatures -" #END LINUXMALWAREDETECT DATABASES +rfxn.hdb|LOW # MD5 Malware detection signatures +rfxn.yara|LOW # Yara Malware detection signatures +) #END LINUXMALWAREDETECT DATABASES + +# ======================== +# urlhaus Database(s) +# ======================== +# Add or remove database file names between quote marks as needed. To +# disable any urlhaus database downloads, remove the appropriate +# lines below. +declare -a urlhaus_dbs=( +### urlhaus https://urlhaus.abuse.ch/browse/ +# LOW +urlhaus.ndb|LOW # malicious URLs that are being used for malware distribution +) #END URLHAUS DATABASES # ======================== # Yara Rules Project Database(s) @@ -300,39 +342,113 @@ rfxn.hdb|LOW # MD5 malware detection signatures # Add or remove database file names between quote marks as needed. To # disable any Yara Rule database downloads, remove the appropriate # lines below. -yararulesproject_dbs=" +declare -a yararulesproject_dbs=( ### Yara Rules https://github.com/Yara-Rules/rules # # Some rules are now in sub-directories. To reference a file in a sub-directory # use subdir/file # LOW -email/EMAIL_Cryptowall.yar|LOW # CryptoWall Resume phish -Antidebug_AntiVM/antidebug_antivm.yar|LOW # anti debug and anti virtualization techniques used by malware -Exploit-Kits/EK_Angler.yar|LOW # Angler Exploit Kit Redirector -Exploit-Kits/EK_Blackhole.yar|LOW # BlackHole2 Exploit Kit Detection -Exploit-Kits/EK_BleedingLife.yar|LOW # BleedingLife2 Exploit Kit Detection -Exploit-Kits/EK_Crimepack.yar|LOW # CrimePack Exploit Kit Detection -Exploit-Kits/EK_Eleonore.yar|LOW # Eleonore Exploit Kit Detection -Exploit-Kits/EK_Fragus.yar|LOW # Fragus Exploit Kit Detection -Exploit-Kits/EK_Phoenix.yar|LOW # Phoenix Exploit Kit Detection -Exploit-Kits/EK_Sakura.yar|LOW # Sakura Exploit Kit Detection -Exploit-Kits/EK_ZeroAcces.yar|LOW # ZeroAccess Exploit Kit Detection -Exploit-Kits/EK_Zerox88.yar|LOW # 0x88 Exploit Kit Detection -Exploit-Kits/EK_Zeus.yar|LOW # Zeus Exploit Kit Detection +# Anti debug and anti virtualization techniques used by malware +antidebug_antivm/antidebug_antivm.yar|LOW +# Aimed toward the detection and existence of Exploit Kits. +#exploit_kits/EK_Angler.yar|LOW # duplicated in rxfn.yara +#exploit_kits/EK_Blackhole.yar|LOW # duplicated in rxfn.yara +exploit_kits/EK_BleedingLife.yar|LOW # duplicated in rxfn.yara +#exploit_kits/EK_Crimepack.yar|LOW # duplicated in rxfn.yara +#exploit_kits/EK_Eleonore.yar|LOW # duplicated in rxfn.yara +#exploit_kits/EK_Fragus.yar|LOW # duplicated in rxfn.yara +#exploit_kits/EK_Phoenix.yar|LOW # duplicated in rxfn.yara +#exploit_kits/EK_Sakura.yar|LOW # duplicated in rxfn.yara +#exploit_kits/EK_ZeroAcces.yar|LOW # duplicated in rxfn.yara +#exploit_kits/EK_Zerox88.yar|LOW # duplicated in rxfn.yara +#exploit_kits/EK_Zeus.yar|LOW # duplicated in rxfn.yara +# Identification of well-known webshells +#webshells/WShell_APT_Laudanum.yar|LOW # duplicated in rxfn.yara +webshells/WShell_ASPXSpy.yar|LOW +webshells/WShell_Drupalgeddon2_icos.yar|LOW +#webshells/WShell_PHP_Anuna.yar|LOW # duplicated in rxfn.yara +#webshells/WShell_PHP_in_images.yar|LOW # duplicated in rxfn.yara +#webshells/WShell_THOR_Webshells.yar|LOW # duplicated in rxfn.yara +#webshells/Wshell_ChineseSpam.yar|LOW # duplicated in rxfn.yara +#webshells/Wshell_fire2013.yar|LOW # duplicated in rxfn.yara # MEDIUM -Malicious_Documents/maldoc_somerules.yar|MEDIUM # documents with malicious code -Malicious_Documents/Maldoc_Hidden_PE_file.yar|MEDIUM # Detect a hidden PE file inside a sequence of numbers (comma separated) -Packers/Javascript_exploit_and_obfuscation.yar|MEDIUM # JavaScript Obfuscation Detection -Packers/packer.yar|MEDIUM # well-known sofware packers -CVE_Rules/CVE-2010-0805.yar|MEDIUM # CVE 2010 0805 -CVE_Rules/CVE-2010-0887.yar|MEDIUM # CVE 2010 0887 -CVE_Rules/CVE-2010-1297.yar|MEDIUM # CVE 2010 1297 -CVE_Rules/CVE-2013-0074.yar|MEDIUM # CVE 2013 0074 -CVE_Rules/CVE-2013-0422.yar|MEDIUM # CVE 2013 0422 -CVE_Rules/CVE-2015-5119.yar|MEDIUM # CVE 2015 5119 +# Identification of specific Common Vulnerabilities and Exposures (CVEs) +cve_rules/CVE-2010-0805.yar|MEDIUM +cve_rules/CVE-2010-0887.yar|MEDIUM +cve_rules/CVE-2010-1297.yar|MEDIUM +cve_rules/CVE-2012-0158.yar|MEDIUM +cve_rules/CVE-2013-0074.yar|MEDIUM +cve_rules/CVE-2013-0422.yar|MEDIUM +cve_rules/CVE-2015-1701.yar|MEDIUM +cve_rules/CVE-2015-2426.yar|MEDIUM +cve_rules/CVE-2015-2545.yar|MEDIUM +cve_rules/CVE-2015-5119.yar|MEDIUM +cve_rules/CVE-2016-5195.yar|MEDIUM +cve_rules/CVE-2017-11882.yar|MEDIUM +cve_rules/CVE-2018-20250.yar|MEDIUM +cve_rules/CVE-2018-4878.yar|MEDIUM +# Identification of malicious e-mails. +email/bank_rule.yar|MEDIUM +email/EMAIL_Cryptowall.yar|MEDIUM +email/Email_fake_it_maintenance_bulletin|MEDIUM +email/Email_generic_phishing|MEDIUM +email/Email_quota_limit_warning|MEDIUM +email/email_Ukraine_BE_powerattack.yar|MEDIUM +email/scam.yar|MEDIUM +# Detect well-known software packers, that can be used by malware to hide itself. +packers/JJencode.yar|MEDIUM +packers/packer_compiler_signatures.yar|MEDIUM +packers/packer.yar|MEDIUM +packers/peid.yar|MEDIUM # HIGH -Crypto/crypto.yar|HIGH # detect the existence of cryptographic algoritms -" #END yararulesproject DATABASES +# Used with documents to find if they have been crafted to leverage malicious code. +maldocs/Maldoc_APT_OLE_JSRat.yar|HIGH +maldocs/Maldoc_APT10_MenuPass.yar|HIGH +maldocs/Maldoc_APT19_CVE-2017-1099.yar|HIGH +maldocs/Maldoc_Contains_VBE_File.yar|HIGH +maldocs/Maldoc_CVE_2017_11882.yar|HIGH +maldocs/Maldoc_CVE_2017_8759.yar|HIGH +maldocs/Maldoc_CVE-2017-0199.yar|HIGH +maldocs/Maldoc_DDE.yar|HIGH +maldocs/Maldoc_Dridex.yar|HIGH +maldocs/Maldoc_hancitor_dropper|HIGH +maldocs/Maldoc_Hidden_PE_file.yar|HIGH +maldocs/Maldoc_malrtf_ole2link.yar|HIGH +maldocs/Maldoc_MIME_ActiveMime_b64.yar|HIGH +maldocs/Maldoc_PDF.yar|HIGH +maldocs/Maldoc_PowerPointMouse.yar|HIGH +maldocs/maldoc_somerules.yar|HIGH +maldocs/Maldoc_Suspicious_OLE_target.yar|HIGH +maldocs/Maldoc_UserForm.yar|HIGH +maldocs/Maldoc_VBA_macro_code.yar|HIGH +maldocs/Maldoc_Word_2007_XML_Flat_OPC.yar|HIGH +# Yara Rules aimed to detect well-known software packers, that can be used by malware to hide itself. +packers/Javascript_exploit_and_obfuscation.yar|HIGH +) #END yararulesproject DATABASES + +declare -a yararulesproject_dbs_blacklisted=( +email/attachment.yar # detects all emails with attachments +email/image.yar # detects all emails with images +email/urls.yar # detects all emails with urls +crypto/crypto_signatures.yar # detects all files which are encrypted +) + +declare -a yararulesproject_dbs_catagories=( +#LOW +antidebug_antivm|LOW +cve_rules|LOW +exploit_kits|LOW +malware|LOW +webshells|LOW +#MEDIUM +email|MEDIUM +maldocs|MEDIUM +# HIGH +capabilities|HIGH +crypto|HIGH +packers|HIGH +) + # ========================= # Additional signature databases @@ -341,20 +457,43 @@ Crypto/crypto.yar|HIGH # detect the existence of cryptographic algoritms # format: PROTOCOL://URL-or-IP/PATH/TO/FILE-NAME (use a trailing "/" in # place of the "FILE-NAME" to download all files from specified location, # but this *ONLY* works for files downloaded via rsync). For non-rsync -# downloads, wget and curl is used. For download protocols supported by +# downloads, wget and curl is used. For download protocols supported by # wget and curl, see "man wget" and "man curl". # This also works well for locations that have many ClamAV # servers that use 3rd party signature databases, as only one server need # download the remote databases, and all others can update from the local # mirrors copy. See format examples below. To use, remove the comments # and examples shown and add your own sites between the quote marks. -#additional_dbs=" +#declare -a additional_dbs=( # rsync://192.168.1.50/new-db/sigs.hdb # rsync://rsync.example.com/all-dbs/ # ftp://ftp.example.net/pub/sigs.ndb # http://www.example.org/sigs.ldb -#" #END ADDITIONAL DATABASES +#) #END ADDITIONAL DATABASES + +# ================================================== +# ================================================== +# D E B U G O P T I O N S +# ================================================== +# ================================================== +# Enable debugging, will cause all options below to enable +debug="no" + +# Causes the xshok_file_download function to be verbose, used for debugging +downloader_debug="no" + +# Causes clamscan signature test errors to be vebose +clamscan_debug="no" + +# Causes curl errors to be vebose +curl_debug="no" + +# Causes wget errors to be vebose +wget_debug="no" + +# Causes rsync errors to be vebose +rsync_debug="no" # ================================================== # ================================================== @@ -362,6 +501,21 @@ Crypto/crypto.yar|HIGH # detect the existence of cryptographic algoritms # ================================================== # ================================================== +# Branch for update checking, default: master +git_branch="master" + +# Enable support for script and master.conf upgrades +# enbles the --upgrade command line option +# packagers, if required please disable or set this option to no in the os.conf +allow_upgrades="yes" + +# Enable support for script and master.conf update checks +# packagers, if required please disable or set this option to no in the os.conf +allow_update_checks="yes" + +# How often the script should check for updates +update_check_hours="12"# Default is 12 hours (2 checks daily). + # Enable or disable download time randomization. This allows the script to # be executed via cron, but the actual database file checking will pause # for a random number of seconds between the "min" and "max" time settings @@ -375,22 +529,28 @@ enable_locking="yes" # If download time randomization is enabled above (enable_random="yes"), # then set the min and max radomization time intervals (in seconds). -min_sleep_time="60" # Default minimum is 60 seconds (1 minute). max_sleep_time="600" # Default maximum is 600 seconds (10 minutes). +min_sleep_time="60" # Default minimum is 60 seconds (1 minute). # Command to do a full clamd service stop/start #clamd_restart_opt="service clamd restart" -# Custom Command to fo a full clamd reload, this defaults to "clamdscan --reload" when not set -#clamd_reload_opt="clamdscan --reload" - # Custom Command Paths, these are detected with the which command when not set -#uname_bin="/usr/bin/uname" #clamscan_bin="/usr/bin/clamscan" -#rsync_bin="/usr/bin/rsync" -#wget_bin="/usr/bin/wget" #curl_bin="/usr/bin/curl" #gpg_bin="/usr/bin/gpg" +#rsync_bin="/usr/bin/rsync" +#tar_bin="/usr/bin/tar" +#uname_bin="/usr/bin/uname" +#wget_bin="/usr/bin/wget" + +# force wget, by default curl is used when curl and wget is present. +force_wget="no" + +# GnuPG / Signature verification +# To disable usage of gpg, set the following variable to "no". +# If gpg_bin cannot be found, enable_gpg will automatically disable +enable_gpg="yes" # If running clamd in "LocalSocket" mode (*NOT* in TCP/IP mode), and # either "SOcket Cat" (socat) or the "IO::Socket::UNIX" perl module @@ -415,24 +575,25 @@ downloader_ignore_ssl="yes" # Default is "yes" ignore ssl errors and warnings # The defaults settings here are reasonable, only change if you are # experiencing timeout issues. downloader_connect_timeout="60" -downloader_max_time="180" +downloader_max_time="1800" # Set downloader retry count for failed transfers -downloader_tries="3" +downloader_tries="5" # Set working directory paths (edit to meet your own needs). If these # directories do not exist, the script will attempt to create them. # Always located inside the work_dir, do not add / # Sub-directory names: -sanesecurity_dir="dbs-ss" # Sanesecurity sub-directory -securiteinfo_dir="dbs-si" # SecuriteInfo sub-directory -linuxmalwaredetect_dir="dbs-lmd" # Linux Malware Detect sub-directory -malwarepatrol_dir="dbs-mbl" # MalwarePatrol sub-directory -yararulesproject_dir="dbs-yara" # Yara-Rules sub-directory -work_dir_configs="configs" # Script configs sub-directory +add_dir="dbs-add" # User defined databases sub-directory gpg_dir="gpg-key" # Sanesecurity GPG Key sub-directory +linuxmalwaredetect_dir="dbs-lmd" # Linux Malware Detect sub-directory +malwarepatrol_dir="dbs-mbl" # MalwarePatrol sub-directory pid_dir="pid" # User defined pid sub-directory -add_dir="dbs-add" # User defined databases sub-directory +sanesecurity_dir="dbs-ss" # Sanesecurity sub-directory +securiteinfo_dir="dbs-si" # SecuriteInfo sub-directory +urlhausy_dir="dbs-uh" # urlhaus sub-directory +work_dir_configs="configs" # Script configs sub-directory +yararulesproject_dir="dbs-yara" # Yara-Rules sub-directory # If you would like to make a backup copy of the current running database # file before updating, leave the following variable set to "yes" and a @@ -441,7 +602,7 @@ add_dir="dbs-add" # User defined databases sub-directory keep_db_backup="no" # When a database integrity has tested BAD, the failed database will be removed. -remove_bad_database="yes" +remove_bad_database="yes" # When a database is disabled we will remove the associated database files. remove_disabled_databases="no" # Default is "no" since we are not a database managament tool by default. @@ -452,15 +613,13 @@ remove_disabled_databases="no" # Default is "no" since we are not a database man # selinux_fixes="no" # Default is "no" ignore ssl errors and warnings -# If necessary to proxy database downloads, define the rsync and/or wget -# proxy settings here. For rsync, the proxy must support connections to -# port 873. Both wget and rsync proxy setting need to be defined in the -# format of "hostname:port". For wget, also note the https and http -#rsync_proxy="" -#curl_proxy="" -#wget_proxy_http="http://username:password@proxy_host:proxy_port" -#wget_proxy_https="https://username:password@proxy_host:proxy_port" - +# Proxy Support +# If necessary to proxy database downloads, define the rsync, curl, wget, dig, hosr proxy settings here. +#rsync_proxy="username:password@proxy_host:proxy_port" +#curl_proxy="--proxy http://username:password@proxy_host:proxy_port" +#wget_proxy="-e http_proxy=http://username:password@proxy_host:proxy_port -e https_proxy=https://username:password@proxy_host:proxy_port" +#dig_proxy="@proxy_host -p proxy_host:proxy_port" +#host_proxy="@proxy_host" #does not support port # Custom Cron install settings, these are detected and only used if you want to override # the automatic detection and generation of the values when not set, this is mainly to aid package maintainers @@ -468,6 +627,7 @@ selinux_fixes="no" # Default is "no" ignore ssl errors and warnings #cron_filename="" #default: clamav-unofficial-sigs #cron_minute="" #default: random value between 0-59 #cron_user="" #default: uses the clam_user +#cron_sudo="no" #default no, yes will append sudo -u before the username #cron_bash="" #default: detected with the which command #cron_script_full_path="" #default: detected to the fullpath of the script @@ -484,24 +644,25 @@ selinux_fixes="no" # Default is "no" ignore ssl errors and warnings #man_dir="" #default: /usr/share/man/man8 #man_filename="" #default: clamav-unofficial-sigs.8 -# Provided two variables that package and port maintainers can use in order to +# Provided two variables that package and port maintainers can use in order to # prevent the script from removing itself with the '-r' flag -# If the script was installed via a package manager like yum, apt, pkg, etc. +# If the script was installed via a package manager like yum, apt, pkg, etc. # The script will instead provide feedback to the user about how to uninstall the package. #pkg_mgr="" #the package manager name #pkg_rm="" #the package manager command to remove the script # Custom full working directory paths, these are detected and only used if you want to override # the automatic detection and generation of the values when not set, this is mainly to aid package maintainers -#work_dir_sanesecurity="" #default: uses work_dir/sanesecurity_dir -#work_dir_securiteinfo="" #default: uses work_dir/securiteinfo_dir -#work_dir_linuxmalwaredetect="" #default: uses work_dir/linuxmalwaredetect_dir -#work_dir_malwarepatrol="" #default: uses work_dir/malwarepatrol_dir -#work_dir_yararulesproject="" #default: uses work_dir/yararulesproject_dir #work_dir_add="" #default: uses work_dir/add_dir -#work_dir_work_configs="" #default: uses work_dir/work_dir_configs #work_dir_gpg="" #default: uses work_dir/gpg_dir +#work_dir_linuxmalwaredetect="" #default: uses work_dir/linuxmalwaredetect_dir +#work_dir_malwarepatrol="" #default: uses work_dir/malwarepatrol_dir #work_dir_pid="" #default: uses work_dir/pid_dir +#work_dir_sanesecurity="" #default: uses work_dir/sanesecurity_dir +#work_dir_securiteinfo="" #default: uses work_dir/securiteinfo_dir +#work_dir_urlhaus="" #default: uses work_dir/urlhaus_dir +#work_dir_work_configs="" #default: uses work_dir/work_dir_configs +#work_dir_yararulesproject="" #default: uses work_dir/yararulesproject_dir # ======================== # After you have completed the configuration of this file, set the value to "yes" @@ -510,15 +671,22 @@ user_configuration_complete="no" # ======================== # DO NOT EDIT ! # Database provider URLs -sanesecurity_url="rsync.sanesecurity.net" +linuxmalwaredetect_sigpack_url="https://cdn.rfxn.com/downloads/maldet-sigpack.tgz" +linuxmalwaredetect_version_url="https://cdn.rfxn.com/downloads/maldet.sigs.ver" +malwarepatrol_url="https://lists.malwarepatrol.net/cgi/getfile" sanesecurity_gpg_url="http://www.sanesecurity.net/publickey.gpg" +sanesecurity_url="rsync.sanesecurity.net" securiteinfo_url="https://www.securiteinfo.com/get/signatures" -linuxmalwaredetect_url="http://cdn.rfxn.com/downloads" -malwarepatrol_url="https://lists.malwarepatrol.net/cgi/getfile" +urlhaus_url="https://urlhaus.abuse.ch/downloads" yararulesproject_url="https://raw.githubusercontent.com/Yara-Rules/rules/master" # ======================== # DO NOT EDIT ! -config_version="69" +config_version="91" +################################################################################ +# +# DO NOT EDIT THIS FILE !! DO NOT EDIT THIS FILE !! DO NOT EDIT THIS FILE !! +# +################################################################################ # https://eXtremeSHOK.com ######################################################