From 2ceeaf53bd40e221bc019f921260ac0d864dc5f3 Mon Sep 17 00:00:00 2001 From: Ivan Rako Date: Fri, 22 Jul 2016 12:18:00 +0200 Subject: [PATCH] initial version --- README.md | 557 +++++++++ clamav-unofficial-sigs | 3090 ++++++++++++++++++++++++++++++++++++++++++++++ clamav-unofficial-sigs.8 | 75 ++ debian/changelog | 158 +++ debian/compat | 1 + debian/control | 28 + debian/copyright | 34 + debian/cron.d | 6 + debian/dirs | 5 + debian/docs | 1 + debian/install | 4 + debian/logrotate | 11 + debian/manpages | 1 + debian/postinst | 10 + debian/preinst | 17 + debian/rules | 3 + master.conf | 524 ++++++++ os.conf | 38 + user.conf | 49 + 19 files changed, 4612 insertions(+) create mode 100644 README.md create mode 100755 clamav-unofficial-sigs create mode 100644 clamav-unofficial-sigs.8 create mode 100644 debian/changelog create mode 100644 debian/compat create mode 100644 debian/control create mode 100644 debian/copyright create mode 100644 debian/cron.d create mode 100644 debian/dirs create mode 100644 debian/docs create mode 100644 debian/install create mode 100644 debian/logrotate create mode 100644 debian/manpages create mode 100644 debian/postinst create mode 100644 debian/preinst create mode 100755 debian/rules create mode 100644 master.conf create mode 100644 os.conf create mode 100644 user.conf diff --git a/README.md b/README.md new file mode 100644 index 0000000..3e21ade --- /dev/null +++ b/README.md 
@@ -0,0 +1,557 @@ +# clamav-unofficial-sigs [![Build Status](https://travis-ci.org/extremeshok/clamav-unofficial-sigs.svg?branch=master)](https://travis-ci.org/extremeshok/clamav-unofficial-sigs) [![GitHub Release](https://img.shields.io/github/release/extremeshok/clamav-unofficial-sigs.svg?label=Latest)](https://github.com/extremeshok/clamav-unofficial-sigs/releases/latest) + +[![Code Climate](https://codeclimate.com/github/extremeshok/clamav-unofficial-sigs/badges/gpa.svg)](https://codeclimate.com/github/extremeshok/clamav-unofficial-sigs) +[![Test Coverage](https://codeclimate.com/github/extremeshok/clamav-unofficial-sigs/badges/coverage.svg)](https://codeclimate.com/github/extremeshok/clamav-unofficial-sigs/coverage) +[![Issue Count](https://codeclimate.com/github/extremeshok/clamav-unofficial-sigs/badges/issue_count.svg)](https://codeclimate.com/github/extremeshok/clamav-unofficial-sigs) + + +ClamAV Unofficial Signatures Updater + +Github fork of the sourceforge hosted and non maintained utility. + +## Maintained and provided by https://eXtremeSHOK.com + +## Description +The clamav-unofficial-sigs script provides a simple way to download, test, and update third-party signature databases provided by Sanesecurity, FOXHOLE, OITC, Scamnailer, BOFHLAND, CRDF, Porcupine, Securiteinfo, MalwarePatrol, Yara-Rules Project, etc. The script will also generate and install cron, logrotate, and man files. 
+ +#### Try our custom spamassasin plugin: https://github.com/extremeshok/spamassassin-extremeshok_fromreplyto + +### Support / Suggestions / Comments +Please post them on the issue tracker : https://github.com/extremeshok/clamav-unofficial-sigs/issues + +### Submit Patches / Pull requests to the "Dev" Branch + +### Required Ports / Firewall Exceptions +* rsync: TCP port 873 +* wget/curl : TCP port 443 + +### Supported Operating Systems +Debian, Ubuntu, Raspbian, CentOS (RHEL and clones), OpenBSD, FreeBSD, OpenSUSE, Archlinux, Mac OS X, Slackware, Solaris (Sun OS) and derivative systems + +### Quick Install Guide +* Download the files to /tmp/ +* Copy clamav-unofficial-sigs.sh to /usr/local/bin/ +* Set 755 permissions on /usr/local/bin/clamav-unofficial-sigs.sh +* Make the directory /etc/clamav-unofficial-sigs/ +* Copy the contents of config/ into /etc/clamav-unofficial-sigs/ +* Make the directory /var/log/clamav-unofficial-sigs/ +* Rename the your os.your-distro.conf to os.conf, where your-distro is your distribution +* Set your user config options in the configs /etc/clamav-unofficial-sigs/user.conf +* Run the script with --install-cron to install the cron file +* Run the script with --install-logrotate to install the logrotate file +* Run the script with --install-man to install the man file + +### First Usage +* Run the script once as your superuser to set all the permissions and create the relevant directories + +### Systemd +* Copy the contents of systemd/ into to /etc/systemd/ + +### Advanced Config Overrides +* Default configs are loaded in the following order if they exist: +* master.conf -> os.conf -> user.conf or your-specified.config +* user.conf will override os.conf and master.conf, os.conf will override master.conf +* A minimum of 1 config is required. 
+* Specifying a config on the command line (-c | --config) will override the loading of the default configs + +#### Check if signature are being loaded +**Run the following command to display which signatures are being loaded by clamav + +```clamscan --debug 2>&1 /dev/null | grep "loaded"``` + +#### SELinux cron permission fix +> WARNING - Clamscan reports ________ database integrity tested BAD - SKIPPING + +**Run the following command to allow clamav selinux support** + +```setsebool -P antivirus_can_scan_system true``` + +### Yara Rule Support automatically enabled (as of April 2016) +Since usage yara rules requires clamav 0.99 or above, they will be automatically deactivated if your clamav is older than the required version + +### Yara-Rules Project Support (as of June 2015) +Usage of free Yara-Rules Project: http://yararules.com +- Enabled by default + +Current limitations of clamav support : http://blog.clamav.net/search/label/yara + +### MalwarePatrol Free/Delayed list support (as of May 2015) +Usage of MalwarePatrol 2015 free clamav signatures : https://www.malwarepatrol.net + - 1. Sign up for a free account : https://www.malwarepatrol.net/signup-free.shtml + - 2. You will recieve an email containing your password/receipt number + - 3. Enter the receipt number into the config malwarepatrol_receipt_code: replacing YOUR-RECEIPT-NUMBER with your receipt number from the email + +### SecuriteInfo Free/Delayed list support (as of June 2015) +Usage of SecuriteInfo 2015 free clamav signatures : https://www.securiteinfo.com + - 1. Sign up for a free account : https://www.securiteinfo.com/clients/customers/signup + - 2. You will recieve an email to activate your account and then a followup email with your login name + - 3. Login and navigate to your customer account : https://www.securiteinfo.com/clients/customers/account + - 4. Click on the Setup tab + - 5. 
You will need to get your unique identifier from one of the download links, they are individual for every user + - 5.1. The 128 character string is after the http://www.securiteinfo.com/get/signatures/ + - 5.2. Example https://www.securiteinfo.com/get/signatures/your_unique_and_very_long_random_string_of_characters/securiteinfo.hdb + Your 128 character authorisation signature would be : your_unique_and_very_long_random_string_of_characters + - 6. Enter the authorisation signature into the config securiteinfo_authorisation_signature: replacing YOUR-SIGNATURE-NUMBER with your authorisation signature from the link + +### Linux Malware Detect support (as of May 2015) +Usage of free Linux Malware Detect clamav signatures: https://www.rfxn.com/projects/linux-malware-detect/ + - Enabled by default, no configuration required + +## Change Log + +### Version 5.4.1 (updated 2016-06-20) + - eXtremeSHOK.com Maintenance + - Disable installation when either pkg_mgr or pkg_rm is defined. + - Minor refactoring + - Update master.conf with the new Yara-rules project file names + - Incremented the config to version 69 + +### Version 5.4 + - eXtremeSHOK.com Maintenance + - Added Solaris 10 and 11 configs + - When under Solaris we define our own which function + - Define grep_bin variable, use gnu grep on sun os + - Fallback to gpg2 if gpg not found, + - Added support for csw gnupg on solaris + - Trap the keyboard interrupt (ctrl+c) and gracefully exit + - Added CentOS 7 Atomic config @deajan + - Minor refactoring and removing of unused variables + - Removed CRDF signatures as per Sanesecurity #124 + - Added more Yara rule project Rules + - Incremented the config to version 68 + +### Version 5.3.2 + - eXtremeSHOK.com Maintenance + - Bug Fix: Additional Databases not downloading + - Added sanesecurity_update_hours option to limit updating to once every 2 hours + - Added additional_update_hours option to limit updating to once every 4 hours + - Refactor Additional Database File Update 
code + - Updated osx config with correct group for homebrew + +### Version 5.3.1 + - eXtremeSHOK.com Maintenance + - Bug Fix: for GPG Signature test FAILED by @DamianoBianchi + - Remove unused $GETOPT + - Refactor clamscan_integrity_test_specific_database_file (--test-database) + - Refactor gpg_verify_specific_sanesecurity_database_file (--gpg-verify) + - Big fix: missing $pid_dir + +### Version 5.3.0 + - eXtremeSHOK.com Maintenance + - Major change: Updated to use new database structure, now allows all low/medium/high databases to be enabled or disabled. + - Major change: curl replaced with wget (will fallback to curl is wget is not installed) + - Major change: script now functions correctly as the clamav user when started under cron + - Added fallback to curl if wget is not available + - Added locking (Enable pid file to prevent issues with multiple instances) + - Added retries to fetching downloads + - Code refactor: if wget repaced with if $? -ne 0 + - Enhancement: Verify the clam_user and clam_group actually exists on the system + - Added function : xshok_user_group_exists, to check if a specific user and group exists + - Bug Fix: setmode only if is root + - Bug Fix: eval not working on certain systems + - Bug fix: rsync output not correctly silenced + - Code refactor: remove legacy `..` with $(...) + - Code refactor: replace [ ... -a ... ] with [ ... ] && [ ... ] + - Code refactor: replace [ ... -o ... ] with [ ... ] || [ ... ] + - Code refactor: replace cat "..." with done < ... from loops + - Code refactor: convert for loops using files to while loops + - Code refactor: read replaced with read -r + - Code refactor: added cd ... 
|| exit , to handle a failed cd + - Code refactor: double quoted all varibles + - Code refactor: refactor all "ls" iterations to use globs + - Defined missing uname_bin variable + - Added function xshok_database + - Set minimum config required to 65 + - Bump config to 65 + +### Version 5.2.2 + - eXtremeSHOK.com Maintenance + - Added --install-all Install and generate the cron, logroate and man files, autodetects the values $oft based on your config files + - Added functions: xshok_prompt_confirm, xshok_is_file, xshok_is_subdir + - Replaced Y/N prompts with xshok_prompt_confirm + - Bug Fix for disabled databases being removed when the remove_disabled_databases is set to NO (default) + - Added more warnings to remove_script and made it double confirmed + - Remove_script will only remove work_dir if its a sub directory + - Remove_script will only remove files if they are files + - Removed -r switch, --remove-script needs to be used instead of both -r and --remove-script + - Fixed: remove_script not removing logrotate file, cron file, man file + +### Version 5.2.1 + - eXtremeSHOK.com Maintenance + - Minor bugfix for Sanesecurity_sigtest.yara Sanesecurity_spam.yara files being removed incorrectly + - Minor fix: yararulesproject_enabled not yararulesproject_enable + +### Version 5.2.0 + - eXtremeSHOK.com Maintenance + - Refactor some functions + - Added --install-man this will automatically generate and install the man (help) file + - Yararules and yararulesproject enabled by default + - Added clamav version detection to automatically disable yararules and yararulesproject if the current clamav version does not support them + - Database files ending with .yar/.yara/.yararules will automatically be disabled from the database if yara rules are not supported + - Script options are added to the man file + - Fixed hardcoded logrotate and cron in remove_script + - Fixed incorrectly assigned logrotate varibles in install-logrotate + - Config added info for port/package 
maintainers regarding: pkg_mgr and pkg_rm + - Removed pkg_mgr and pkg_rm from freebsd and openbsd os configs + - Allow overriding of all the individual workdirs, this is mainly to aid package maintainers + - Rename sanesecurity_dir to work_dir_sanesecurity, securiteinfo_dir to work_dir_securiteinfo, malwarepatrol_dir to work_dir_malwarepatrol, yararules_dir to work_dir_yararules, add_dir to work_dir_add, gpg_dir to work_dir_gpg, work_dir_configs to work_dir_work_configs + - Rename yararules_enabled to yararulesproject_enabled + - Rename all yararules to yararulesproject + - Fix to prevent disabled databases processing certian things which will not be used as they are disabled + - Set minimum config required to 62 + - Bump config to 62 + +### Version 5.1.1 + - eXtremeSHOK.com Maintenance + - Added OS X and openbsd configs + - Fixed host fallback sed issues by @MichaelKuch + - Suppress most error messages of chmod and chown + - check permissions before chmod + - Added the config option remove_disabled_databases # Default is "no", if enabled when a database is disabled we will remove the associated database files. 
+ - Added function xshok_mkdir_ownership + - Do not set permissions of the log, cron and logrotate dirs + - Fix: fallback for missing gpg -r option on OS X + - Update sanesecurity signatures + - Bump config to 61 + +### Version 5.1.0 + - eXtremeSHOK.com Maintenance + - Added --install-cron this will automatically generate and install the cron file + - Added --install-logrotate this will automatically generate and install the logrotate file + - Change official URL of SecuriteInfo signatures + - Added a new database (securiteinfoandroid.hdb) for SecuriteInfo + - Remove database files after disabling a database group by @reneschuster + - Updated Gentoo OS config by @orlitzky + - Regroup functiuons + - Increase travis-ci code testing + - Set minimum config required to 60 + - Bump config to 60 + +### Version 5.0.6 + - eXtremeSHOK.com Maintenance + - Updated winnow databases as per information from Tom @ OITC + - Bump config to 58 + +### Version 5.0.5 + - eXtremeSHOK.com Maintenance + - Add support for specifying a custom config dir or file with (--config) -c option + - Removed default_config + - Added travis-ci build testing + - Updates to the help and usage display + - Added sanity testing of sanesecurity_dbs, securiteinfo_dbs, linuxmalwaredetect_dbs, yararules_dbs, add_dbs + - Added function xshok_array_count + - Prevent some issues with an incomplete or only a user.conf being loaded + - Added fallback to host if dig returns no records + - Check there are Sanesecurity mirror ips before we attempt to rsync + - Important binaries have been aliased (clamscan, rsync, curl, gpg) and allow their paths to be overridden + - Added sanity checks to make sure the binaries and workdir is defined + - Custom Binary Paths added to the config (clamscan_bin, rsync_bin, curl_bin, gpg_bin) + - Bump config to 57 + - Added initial centos6 + cpanel os config + - Bugfix Only start logging once all the configs have been loaded + - Rename $version to script_version + - Default malwarePatrol 
to the free version + - Added script version checks + +### Version 5.0.4 + - eXtremeSHOK.com Maintenance + - Added/Updated OS configs: CentOS 7, FreeBSD, Slackware + - Added clamd_reload_opt to fix issues with centos7 conf + - Fix --remove-script should call remove_script() function by @IdahoPL + - Add OS specific settings to logrotate + - Increased default timeout values + - Attempt to Silence more output + - Create the log_file_path directory before we touch the file. + - Updated config file to remove the $work_dir varible from dir names + - Remove trailing / from directory names + - Initial support for Travis-Ci testing + - Fixed config option enable_logging -> logging_enabled + - Config updated to 56 due to changes + +### Version 5.0.3 + - eXtremeSHOK.com Maintenance + - Added OS configs: OpenSUSE, Archlinux, Gentoo, Raspbian, FreeBSD + - Fixed config option enable_logging -> logging_enabled + +### Version 5.0.2 + - eXtremeSHOK.com Maintenance + - Detect if the entire script is available/complete + - Fix for Missing space between "] + +### Version 5.0.1 + - eXtremeSHOK.com Maintenance + - Disable logging if the log file is not writable. 
+ - Do not attempt to log before a config is loaded + +### Version 5.0.0 + - eXtremeSHOK.com Maintenance + - Added porcupine.hsb : Sha256 Hashes of VBS and JSE malware Database from sanesecurity + - Fix for missing $ for clamd_pid an incorrect variable definition + - Fixes for not removing dirs by @msapiro + - Updates to account for changed names and addition of sub-directories for Yara-Rules by @msapiro + - Use MD5 with MalwarePatrol by @olivier2557 + - Suppress the header and config loading message if running via cron + - Added systemd files by @falon + - Added config option remove_bad_database, a database with a BAD integrity check will be removed + - Fixed broken whitelisting of malwarepatrol signatures + - Replaced Version command option -v with -V + - Added command option -v (--verbose) to force verbose output + - Removed config options: silence_ssl, curl_silence, rsync_silence, gpg_silence, comment_silence + - Added ignore_ssl option to supress ssl errors and warnings, ie operate in insecure mode. 
+ - Replaced test-database command option -s with -t + - Replaced output-triggered command option -t with -o + - Added command option -s (--silence) to force silenced output + - Default verbose for terminal and silence for cron + - Added RHEL/Centos 7 config settings + - Added short option (-F) to Force all databases to be downloaded, could cause ip to be blocked" + - Fixed removal of failed databases, disbale with option "remove_bad_database" + - Removed config options: clamd_start, clamd_stop + - Full rewrite of the config handling, master.conf -> os.conf -> user.conf or your-specified.config + - Configs loaded from the /etc/clamav-unofficial-sigs dir + - Added various os.conf files to ease setup + - Added selinux_fixes config option, this will run restorecon on the database files + - minor code refactoring and reindenting + +### Version 4.9.3 + - eXtremeSHOK.com Maintenance + - Various Bug Fixes + - Last release of 4.x.x base + - minor code refactoring + +### Version 4.9.2 + - eXtremeSHOK.com Maintenance + - Added function xshok_check_s2 to prevent possible errors with -c and no configfile path + - minor code refactoring + +### Version 4.9.1 + - eXtremeSHOK.com Maintenance + - OS X compatibility fix by stewardle + - missing $ in $yararules_enabled + +### Version 4.9 + - eXtremeSHOK.com Maintenance + - Code Refactoring + - New function clamscan_reload_dbs, will first try and reload the clam database, if reload fails will restart clamd + - Added Function xshok_pretty_echo_and_log, far easier and cleaner way to output and log information + - Removed functions comment, log + - Removed config option reload_opt + - Added config option clamd_restart_opt + - Added support for # characters in config values, ie malwarepatrol subscription key contains a # + - Minor formatting and code consitency changes + - 10% Smaller script size + - Config updated to 53 due to changes + +### Version 4.8 + - eXtremeSHOK.com Maintenance + - Added long option (--force) to Force all 
databases to be downloaded, could cause ip to be blocked" + - added config option: malwarepatrol_free="yes", set to "no" to enable commercial subscription url + - added support for commercial malwarepatrol subscription + - Grammar fix in config + - SELINUX cronjob fix added to readme + - Corrects tput warning when used without TERM (like in cron) + - Config updated to 52 due to changes + +### Version 4.7 + - eXtremeSHOK.com Maintenance + - Code Refactoring + - Complete rewrite of the main case selector (program options) + - Added long options (--decode-sig, --encode-string, --encode-formatted, --gpg-verify, --information, --make-database, --remove-script, --test-database, --output-triggered) + - Replaced clamd-status.sh with --check-clamav + - Removed CHANGELOG, changelog has been replaced by this part of the readme and the git commit log. + - Config updated to 51 due to changes + +### Version 4.6.1 + - eXtremeSHOK.com Maintenance + - Code Refactoring + - Added generic options (--help --version --config) + - Correctly handle generic options before the main case selector + - Sanitize the config before the main case selector (option) + - Rewrite and formatting of the usage options + - Removed the version information code as this is always printed + +### Version 4.6 + - eXtremeSHOK.com Maintenance + - Code Refactoring + - Removed custom config forced to use the same filename as the default config + - Change file checks from exists to exists and is readable + - Removed legacy config checks + - Full support for custom config files for all tasks + - Removed function: no_default_config + +### Version 4.5.3 + - eXtremeSHOK.com Maintenance + - badmacro.ndb rule support for sanesecurity + - Sanesecurity_sigtest.yara rule support for sanesecurity + - Sanesecurity_spam.yara rule support for sanesecurity + - Changed required_config_version to minimum_required_config_version + - Script now supports a minimum config version to allow for out of sync config and script versions + 
+### Version 4.5.2 + - eXtremeSHOK.com Maintenance + - hackingteam.hsb rule support for sanesecurity + +### Version 4.5.1 + - eXtremeSHOK.com Maintenance + - Beta YARA rule support for sanesecurity + - Config updated to 4.8 due to changes + - Bugfix "securiteinfo_enabled" should be "$securiteinfo_enabled" + +### Version 4.5.0 + - eXtremeSHOK.com Maintenance + - Initial YARA rule support for sanesecurity + - Added Yara-Rules project Database + - Added config option to quickly enable/disable an entire database + - Config updated to 4.7 due to changes + - Note: Yara rules require clamav 0.99+ + - Bugfix removed unused linuxmalwaredetect_authorisation_signature varible from script + +### Version 4.4.5 + - eXtremeSHOK.com Maintenance + - Updated SecuriteInfo setup instructions + +### Version 4.4.4 + - eXtremeSHOK.com Maintenance + - Committed patch-1 by SecuriteInfo (clean up of SecuriteInfo databases) + - Fixed double $surl_insecure + +### Version 4.4.3 + - eXtremeSHOK.com Maintenance + - Bugfix for SecuriteInfo not downloading by Colin Waring + - Default will now silence ssl errors caused by ssl certificate errors + - Config updated to 4.6 due to new varible: silence_ssl + +### Version 4.4.2 + - eXtremeSHOK.com Maintenance + - Improved config error checking + - Config updated to 4.5, due to invalid default dbs-si value + - Fix debug varible being present + - Bug fix for ubuntu 14.04 with sed being aliased + - Explicitly set bash as the shell + +### Version 4.4.1 + - eXtremeSHOK.com Maintenance + - Added error checking to detect if the config could be broken. 
+ +### Version 4.4.0 + - eXtremeSHOK.com Maintenance + - Code refactoring: + - Added full support for Linux Malware Detect clamav databases + - Config updated to 4.4 + +### Version 4.3.0 + - eXtremeSHOK.com Maintenance + - Code refactoring: group and move functions to top of script + - Complete rewrite of securiteinfo support, full support for Free/Delayed clamav by securiteinfo.com ;-P + Note: securite info requires you to create a free account and add your authorisation code to the config. + - Config updated to 4.3 + - Restructured Config + +### Version 4.2.0 + - eXtremeSHOK.com Maintenance + - Replace annoying si_ , mbl_, ss_ with actual names ie. securiteinfo_ malwarepatrol_ sanesecurity_ + - Complete rewrite of malwarepatrol support, full support for Free/Delayed clamav ;-P + Note: malware patrol requires you to create a free account and add your "purchase" code to the config. + - More fixes to config prasing and stripping of comments and whitespace + - Code refactoring: remove empty commands: echo "" and comment "" + - Config version detection and enforcing + +### Version 4.1.0 + - eXtremeSHOK.com Maintenance + - Fix on default enable of foxhole medium and High false positive sources + - grammatical corrections to some comments and log output + - sig-boundary patch by Alan Stern + - create intermediate monitor-ign-old.txt to prevent reading and writing of local.ign by Alan Stern + +### Version 4.0.0 + - eXtremeSHOK.com Maintenance + - Enabled all low false positive sources by default + - Added all Sanesecurity database files + - Disabled all med/high false positive sources by default + - Set default configs to work out of the box on a centos system + - Silence cron job + - Set correct paths throughout the script + - Updated Installation Instructions + - Updated Paths for removal + - Updated Default locations to reflect installation instructions + - Fix: correctly remove comments and blanklines from config before eval + - Remove: invalid config values (eg. 
EXPORT path) + - Fix: correctly check if rsync was successful + +## USAGE + +Usage: clamav-unofficial-sigs.sh [OPTION] [PATH|FILE] + +-c, --config Use a specific configuration file or directory + eg: '-c /your/dir' or ' -c /your/file.name' + Note: If a directory is specified the directory must contain atleast: + master.conf, os.conf or user.conf + Default Directory: /etc/clamav-unofficial-sigs + +-F, --force Force all databases to be downloaded, could cause ip to be blocked + +-h, --help Display this script's help and usage information + +-V, --version Output script version and date information + +-v, --verbose Be verbose, enabled when not run under cron + +-s, --silence Only output error messages, enabled when run under cron + +-d, --decode-sig Decode a third-party signature either by signature name + (eg: Sanesecurity.Junk.15248) or hexadecimal string. + This flag will 'NOT' decode image signatures + +-e, --encode-string Hexadecimal encode an entire input string that can + be used in any '*.ndb' signature database file + +-f, --encode-formatted Hexadecimal encode a formatted input string containing + signature spacing fields '{}, (), *', without encoding + the spacing fields, so that the encoded signature + can be used in any '*.ndb' signature database file + +-g, --gpg-verify GPG verify a specific Sanesecurity database file + eg: '-g filename.ext' (do not include file path) + +-i, --information Output system and configuration information for + viewing or possible debugging purposes + +-m, --make-database Make a signature database from an ascii file containing + data strings, with one data string per line. 
Additional + information is provided when using this flag + +-t, --test-database Clamscan integrity test a specific database file + eg: '-t filename.ext' (do not include file path) + +-o, --output-triggered If HAM directory scanning is enabled in the script's + configuration file, then output names of any third-party + signatures that triggered during the HAM directory scan + +-w, --whitelist Adds a signature whitelist entry in the newer ClamAV IGN2 + format to 'my-whitelist.ign2' in order to temporarily resolve + a false-positive issue with a specific third-party signature. + Script added whitelist entries will automatically be removed + if the original signature is either modified or removed from + the third-party signature database + +--check-clamav If ClamD status check is enabled and the socket path is correctly + specifiedthen test to see if clamd is running or not + +--install-all Install and generate the cron, logroate and man files, autodetects the values + based on your config files + +--install-cron Install and generate the cron file, autodetects the values + based on your config files + +--install-logrotate Install and generate the logrotate file, autodetects the + values based on your config files + +--install-man Install and generate the man file, autodetects the + values based on your config files + +--remove-script Remove the clamav-unofficial-sigs script and all of + its associated files and databases from the system + +## Script updates can be found at: +### https://github.com/extremeshok/clamav-unofficial-sigs + +Original Script can be found at: http://sourceforge.net/projects/unofficial-sigs diff --git a/clamav-unofficial-sigs b/clamav-unofficial-sigs new file mode 100755 index 0000000..f6b8e8b --- /dev/null +++ b/clamav-unofficial-sigs 
@@ -0,0 +1,3090 @@ +#!/bin/bash +################################################################################ +# This is property of eXtremeSHOK.com +# You are free to use, modify and distribute, however you may not remove this notice. +# Copyright (c) Adrian Jon Kriel :: admin@extremeshok.com +################################################################################ +# +# Script updates can be found at: https://github.com/extremeshok/clamav-unofficial-sigs +# +# Originially based on: +# Script provide by Bill Landry (unofficialsigs@gmail.com). +# +# License: BSD (Berkeley Software Distribution) +# +################################################################################ +# +# THERE ARE NO USER CONFIGURABLE OPTIONS IN THIS SCRIPT +# ALL CONFIGURATION OPTIONS ARE LOCATED IN THE INCLUDED CONFIGURATION FILE +# +################################################################################ + +################################################################################ + + ###### ####### # # ####### ####### ####### ###### ### ####### + # # # # ## # # # # # # # # # + # # # # # # # # # # # # # # # + # # # # # # # # # # ##### # # # # + # # # # # # # # # # # # # # # + # # # # # ## # # # # # # # # + ###### ####### # # ####### # ####### ###### ### # + +################################################################################ + +# Detect to make sure the entire script is avilable, fail if the script is missing contents +if [ ! "$( tail -1 "$0" | head -1 | cut -c1-7 )" == "exit \$?" ] ; then + echo "FATAL ERROR: Script is incomplete, please redownload" + exit 1 +fi + +# trap the keyboard interrupt (ctrl+c) +trap xshok_control_c SIGINT + +################################################################################ +# HELPER FUNCTIONS +################################################################################ + +# Function to support user config settings for applying file and directory access permissions. 
+function perms () { + if [ -n "$clam_user" ] && [ -n "$clam_group" ] ; then + "${@:-}" + fi +} + +# Function to prompt a user if they should complete an action with Y or N +# usage: xshok_prompt_confirm +# if xshok_prompt_confirm; then +# xshok_prompt_confirm && echo "accepted" +# xshok_prompt_confirm && echo "yes" || echo "no" +function xshok_prompt_confirm () { #optional_message + message="${1:-Are you sure?}" + while true; do + read -r -p "$message [y/N]" response "$pidfile" + if [ $? -ne 0 ] ; then + xshok_pretty_echo_and_log "ERROR: Could not create PID file: $pidfile" + exit 1 + fi + else + xshok_pretty_echo_and_log "ERROR: Missing value for option" "=" + exit 1 + fi +} + +# Function to intercept ctrl+c and calls the cleanup function +function xshok_control_c () { + echo -en "\n" + xshok_pretty_echo_and_log "--------------| Exiting ... Please wait |--------------" "-" + xshok_cleanup + exit $? +} + +# cleanup function +function xshok_cleanup () { + #wait for all processes to end + wait + xshok_pretty_echo_and_log " Powered By https://eXtremeSHOK.com " "#" + return $? 
+} + +# Function to check if the current running user is the root user, otherwise return false +function xshok_is_root () { + if [ "$(uname -s)" = "SunOS" ] ; then + id_bin="/usr/xpg4/bin/id" + else + id_bin="$(which id)" + fi + if [ "$($id_bin -u)" = 0 ] ; then + return 0 ; + else + return 1 ; #not root + fi +} + +# Function to check if its a file, otherwise return false +function xshok_is_file () { #"filepath" + filepath="$1" + if [ -f "${filepath}" ] ; then + return 0 ; + else + return 1 ; #not a file + fi +} + +# Function to check if filepath is a subdir, otherwise return false +# Usage: xshok_is_subdir "filepath" +# xshok_is_subdir "/root/" - false +# xshok_is_subdir "/usr/local/etc" && echo "yes" - yes +function xshok_is_subdir () { #filepath + filepath=$(echo "$1" | sed 's:/*$::') + if [ -d "$filepath" ] ; then + res="${filepath//[^\/]}" + if [ "${#res}" -gt 1 ] ; then + return 0 ; + else + return 1 ; #not a subdir + fi + else + return 1 ; #not a dir + fi +} + +# Function to create a dir and set the ownership +function xshok_mkdir_ownership () { #"path" + if [ "$1" ] ; then + mkdir -p "$1" 2>/dev/null + if [ $? -ne 0 ] ; then + xshok_pretty_echo_and_log "ERROR: Could not create directory: $1" + exit 1 + fi + perms chown -f "$clam_user:$clam_group" "$1" > /dev/null 2>&1 + else + xshok_pretty_echo_and_log "ERROR: Missing value for option" "=" + exit 1 + fi +} + +# Function to check if a user and group exists on the system otherwise return false +# Usage: +# xshok_is_subdir "username" && echo "user found" || echo "no" +# xshok_is_subdir "username" "groupname" && echo "user and group found" || echo "no" +function xshok_user_group_exists () { #"username" "groupname" + if [ "$(uname -s)" = "SunOS" ] ; then + id_bin="/usr/xpg4/bin/id" + else + id_bin="$(which id)" + fi + if [ "$1" ] ; then + $id_bin -u "$1" > /dev/null 2>&1 + if [ $? -eq 0 ]; then + if [ "$2" ] ; then + $id_bin -g "$2" > /dev/null 2>&1 + if [ $? 
-eq 0 ]; then + return 0 ; #user and group exists + else + return 1 ; #group does NOT exist + fi + else + return 0 ; #user exists + fi + else + return 1 ; #user does NOT exist + fi + else + xshok_pretty_echo_and_log "ERROR: Missing value for option" "=" + exit 1 + fi +} + +# Function to handle comments with/out borders and logging. +# Usage: +# pretty_echo_and_log "one" +# one +# pretty_echo_and_log "two" "-" +# --- +# two +# --- +# pretty_echo_and_log "three" "=" "8" +# ======== +# three +# ======== +# pretty_echo_and_log "" "/\" "7" +# /\/\/\/\/\/\ +#type: e = error, w= warning "" +function xshok_pretty_echo_and_log () { #"string" "repeating" "count" "type" + # handle comments + if [ "$comment_silence" = "no" ] ; then + if [ "${#@}" = "1" ] ; then + echo "$1" + else + myvar="" + if [ -n "$3" ] ; then + mycount="$3" + else + mycount="${#1}" + fi + for (( n = 0; n < mycount; n++ )) ; do + myvar="$myvar$2" + done + if [ "$1" != "" ] ; then + echo -e "$myvar\n$1\n$myvar" + else + echo -e "$myvar" + fi + fi + fi + + # handle logging + if [ "$enable_log" == "yes" ] ; then + if [ ! -e "$log_file_path/$log_file_name" ] ; then + #xshok_mkdir_ownership "$log_file_path" + mkdir -p "$log_file_path" + touch "$log_file_path/$log_file_name" 2>/dev/null + perms chown -f "$clam_user:$clam_group" "$log_file_path/$log_file_name" + fi + if [ ! 
-w "$log_file_path/$log_file_name" ] ; then + echo "Warning: Logging Disabled, as file not writable: $log_file_path/$log_file_name" + enable_log="no" + else + echo "$(date "+%b %d %T")" "$1" >> "$log_file_path/$log_file_name" + fi + fi +} + +# function to check if the $2 value is not null and does not start with - +function xshok_check_s2 () { #value1 #value2 + if [ "$1" ] ; then + if [[ "$1" =~ ^-.* ]] ; then + xshok_pretty_echo_and_log "ERROR: Missing value for option or value begins with -" "=" + exit 1 + fi + else + xshok_pretty_echo_and_log "ERROR: Missing value for option" "=" + exit 1 + fi +} + +# function to count array elements and output the total element count +# required due to compound array assignment +# Usage: +# array=("one" "two" "three") +# xshok_array_count $array +# 3 +function xshok_array_count () { #array + k_array=( "$@" ) + if [ -n "${k_array[*]}" ] ; then + i="0" + for k in "${k_array[@]}" ; do + let i=$i+1; + done + echo "$i" + else + echo "0" + fi +} +# function to auto update +function xshok_auto_update() { #version + xshok_pretty_echo_and_log "Performing automatic update..." + + # Download new version + echo -n "Downloading latest version..." + if ! wget --quiet --output-document="$0.tmp" $UPDATE_BASE/$SELF ; then + echo "Failed: Error while trying to wget new version!" + echo "File requested: $UPDATE_BASE/$SELF" + exit 1 + fi + echo "Done." + + # Copy over modes from old version + OCTAL_MODE=$(stat -c '%a' $SELF) + if ! chmod $OCTAL_MODE "$0.tmp" ; then + echo "Failed: Error while trying to set mode on $0.tmp." + exit 1 + fi + + # Generate the update script + cat > xshok_update_script.sh << EOF +#!/bin/bash +# Overwrite old file with new +if mv "$0.tmp" "$0"; then + echo "Done. Update complete." + rm \$0 +else + echo "Failed! The update was not completed." +fi +EOF + + + echo -n "Inserting update process..." 
+ + #replaced with $0, so code will update and then call itself with the same parameters it had + #exec /bin/bash xshok_update_script.sh + exec "$0" "$@" +} + +#function to handle list of database files +function clamav_files () { + echo "$clam_dbs/$db" >> "$current_tmp" + if [ "$keep_db_backup" = "yes" ] ; then + echo "$clam_dbs/$db-bak" >> "$current_tmp" + fi +} + +# Function to manage the databases and allow multi-dimensions as well as global overrides +# since the datbases are basically a multi-dimentional associative arrays in bash +# ratings: LOW| MEDIUM| HIGH| REQUIRED| LOWONLY| MEDIUMONLY| LOWMEDIUMONLY | MEDIUMHIGHONLY | HIGHONLY| DISABLED +function xshok_database () { #database #rating + + # assign + current_dbs="$1" + current_rating="$2" + # zero + new_dbs="" + + if [ -n "$current_dbs" ] ; then + if [ "$(xshok_array_count "$current_dbs")" -ge "1" ] ; then + for db_name in $current_dbs ; do + #checks + if [ "$enable_yararules" == "no" ] ; then #yararules are disabled + if [[ "$db_name" = *".yar"* ]] ; then # if it's the value you want to delete + continue # skip to the next value + fi + fi + if [ "$current_rating" == "" ] ; then #yararules are disabled + new_dbs="$new_dbs $db_name" + else + if [[ ! 
"$db_name" = *"|"* ]] ; then # this old format + new_dbs="$new_dbs $db_name" + else + db_name_rating=$(echo "$db_name" | cut -d "|" -f2) + db_name=$(echo "$db_name" | cut -d "|" -f1) + + if [ "$db_name_rating" != "DISABLED" ] ; then + if [ "$db_name_rating" == "$current_rating" ] ; then + new_dbs="$new_dbs $db_name" + elif [ "$db_name_rating" == "REQUIRED" ] ; then + new_dbs="$new_dbs $db_name" + elif [ "$current_rating" == "LOW" ] ; then + if [ "$db_name_rating" == "LOWONLY" ] || [ "$db_name_rating" == "LOW" ] || [ "$db_name_rating" == "LOWMEDIUM" ] ; then + new_dbs="$new_dbs $db_name" + fi + elif [ "$current_rating" == "MEDIUM" ] ; then + if [ "$db_name_rating" == "MEDIUMONLY" ] || [ "$db_name_rating" == "MEDIUM" ] || [ "$db_name_rating" == "LOW" ] || [ "$db_name_rating" == "LOWMEDIUM" ] ; then + new_dbs="$new_dbs $db_name" + fi + elif [ "$current_rating" == "HIGH" ] ; then + if [ "$db_name_rating" == "HIGH" ] || [ "$db_name_rating" == "MEDIUM" ] || [ "$db_name_rating" == "LOW" ] ; then + new_dbs="$new_dbs $db_name" + fi + fi + fi + fi + fi + done + fi + fi + echo "$new_dbs" | xargs #remove extra whitespace + +} + +################################################################################ +# ADDITIONAL PROGRAM FUNCTIONS +################################################################################ + + +#generates a man config and installs it +function install_man () { + + if [ -n "$pkg_mgr" ] || [ -n "$pkg_rm" ] ; then + echo "This script (clamav-unofficial-sigs) was installed on the system via '$pkg_mgr'" + exit 1 + fi + + + echo "" + echo "Generating man file for install...." + + #Use defined varibles or attempt to use default varibles + + if [ ! -e "$man_dir/$man_filename" ] ; then + mkdir -p "$man_dir" + touch "$man_dir/$man_filename" 2>/dev/null + fi + if [ ! 
-w "$man_dir/$man_filename" ] ; then + echo "ERROR: man install aborted, as file not writable: $man_dir/$man_filename" + else + +BOLD="\fB" +#REV="" +NORM="\fR" +manresult=$(help_and_usage "man") + +#Our template.. + cat << EOF > "$man_dir/$man_filename" + +.\" Manual page for eXtremeSHOK.com ClamAV Unofficial Signature Updater +.TH clamav-unofficial-sigs 8 "$script_version_date" "Version: $script_version" "SCRIPT COMMANDS" +.SH NAME +clamav-unofficial-sigs \- Download, test, and install third-party ClamAV signature databases. +.SH SYNOPSIS +.B clamav-unofficial-sigs +.RI [ options ] +.SH DESCRIPTION +\fBclamav-unofficial-sigs\fP provides a simple way to download, test, and update third-party signature databases provided by Sanesecurity, FOXHOLE, OITC, Scamnailer, BOFHLAND, CRDF, Porcupine, Securiteinfo, MalwarePatrol, Yara-Rules Project, etc. It will also generate and install cron, logrotate, and man files. +.SH UPDATES +Script updates can be found at: \fBhttps://github.com/extremeshok/clamav-unofficial-sigs\fP +.SH OPTIONS +This script follows the standard GNU command line syntax. +.LP +$manresult +.SH SEE ALSO +.BR clamd (8), +.BR clamscan (1) +.SH COPYRIGHT +Copyright (c) Adrian Jon Kriel :: admin@extremeshok.com +.TP +You are free to use, modify and distribute, however you may not remove this notice. +.SH LICENSE +BSD (Berkeley Software Distribution) +.SH BUGS +Report bugs to \fBhttps://github.com/extremeshok/clamav-unofficial-sigs\fP +.SH AUTHOR +Adrian Jon Kriel :: admin@extremeshok.com +Originially based on Script provide by Bill Landry + + +EOF + + fi + echo "Completed: man installed, as file: $man_dir/$man_filename" +} + + +#generates a logrotate config and installs it +function install_logrotate () { + + if [ -n "$pkg_mgr" ] || [ -n "$pkg_rm" ] ; then + echo "This script (clamav-unofficial-sigs) was installed on the system via '$pkg_mgr'" + exit 1 + fi + + echo "" + echo "Generating logrotate file for install...." 
+ + #Use defined varibles or attempt to use default varibles + + if [ ! -n "$logrotate_user" ] ; then + logrotate_user="$clam_user"; + fi + if [ ! -n "$logrotate_group" ] ; then + logrotate_group="$clam_group"; + fi + if [ ! -n "$logrotate_log_file_full_path" ] ; then + logrotate_log_file_full_path="$log_file_path/$log_file_name" + fi + + + if [ ! -e "$logrotate_dir/$logrotate_filename" ] ; then + mkdir -p "$logrotate_dir" + touch "$logrotate_dir/$logrotate_filename" 2>/dev/null + fi + if [ ! -w "$logrotate_dir/$logrotate_filename" ] ; then + echo "ERROR: logrotate install aborted, as file not writable: $logrotate_dir/$logrotate_filename" + else +#Our template.. + cat << EOF > "$logrotate_dir/$logrotate_filename" +# https://eXtremeSHOK.com ###################################################### +# This file contains the logrotate settings for clamav-unofficial-sigs.sh +################### +# This is property of eXtremeSHOK.com +# You are free to use, modify and distribute, however you may not remove this notice. +# Copyright (c) Adrian Jon Kriel :: admin@extremeshok.com +################## +# +# Script updates can be found at: https://github.com/extremeshok/clamav-unofficial-sigs +# +# Originially based on: +# Script provide by Bill Landry (unofficialsigs@gmail.com). +# +# License: BSD (Berkeley Software Distribution) +# +################## +# Automatically Generated: $(date) +################## +# +# This logrotate file will rotate the logs generated by the clamav-unofficial-sigs.sh +# +# To Adjust the logrotate values, edit your configs and run +# bash clamav-unofficial-sigs.sh --install-logrotate to generate a new file. 
+ +$logrotate_log_file_full_path { + weekly + rotate 4 + missingok + notifempty + compress + create 0644 $logrotate_user $logrotate_group +} + +EOF + + fi + echo "Completed: logrotate installed, as file: $logrotate_dir/$logrotate_filename" +} + +#generates a cron config and installs it +function install_cron () { + + if [ -n "$pkg_mgr" ] || [ -n "$pkg_rm" ] ; then + echo "This script (clamav-unofficial-sigs) was installed on the system via '$pkg_mgr'" + exit 1 + fi + + echo "" + echo "Generating cron file for install...." + + #Use defined varibles or attempt to use default varibles + if [ ! -n "$cron_minute" ] ; then + cron_minute=$(( ( RANDOM % 59 ) + 1 )); + fi + if [ ! -n "$cron_user" ] ; then + cron_user="$clam_user"; + fi + if [ ! -n "$cron_bash" ] ; then + cron_bash=$(which bash) + fi + if [ ! -n "$cron_script_full_path" ] ; then + cron_script_full_path="$this_script_full_path" + fi + + if [ ! -e "$cron_dir/$cron_filename" ] ; then + mkdir -p "$cron_dir" + touch "$cron_dir/$cron_filename" 2>/dev/null + fi + if [ ! -w "$cron_dir/$cron_filename" ] ; then + echo "ERROR: cron install aborted, as file not writable: $cron_dir/$cron_filename" + else +#Our template.. + cat << EOF > "$cron_dir/$cron_filename" +# https://eXtremeSHOK.com ###################################################### +# This file contains the cron settings for clamav-unofficial-sigs.sh +################### +# This is property of eXtremeSHOK.com +# You are free to use, modify and distribute, however you may not remove this notice. +# Copyright (c) Adrian Jon Kriel :: admin@extremeshok.com +################## +# +# Script updates can be found at: https://github.com/extremeshok/clamav-unofficial-sigs +# +# Originially based on: +# Script provide by Bill Landry (unofficialsigs@gmail.com). 
+# +# License: BSD (Berkeley Software Distribution) +# +################## +# Automatically Generated: $(date) +################## +# +# This cron file will execute the clamav-unofficial-sigs.sh script that +# currently supports updating third-party signature databases provided +# by Sanesecurity, SecuriteInfo, MalwarePatrol, OITC, etc. +# +# The script is set to run hourly, at a random minute past the hour, and the +# script itself is set to randomize the actual execution time between +# 60 - 600 seconds. To Adjust the cron values, edit your configs and run +# bash clamav-unofficial-sigs.sh --install-cron to generate a new file. + +$cron_minute * * * * $cron_user [ -x $cron_script_full_path ] && $cron_bash $cron_script_full_path > /dev/null + +# https://eXtremeSHOK.com ###################################################### + +EOF + + fi + echo "Completed: cron installed, as file: $cron_dir/$cron_filename" +} + + +#decode a third-party signature either by signature name +function decode_third_party_signature_by_signature_name () { + echo "" + echo "Input a third-party signature name to decode (e.g: Sanesecurity.Junk.15248) or" + echo "a hexadecimal encoded data string and press enter (do not include '.UNOFFICIAL'" + echo "in the signature name nor add quote marks to any input string):" + read -r input + input=$(echo "$input" | tr -d "'" | tr -d '"') + if echo "$input" | $grep_bin "\." > /dev/null ; then + cd "$clam_dbs" || exit + sig=$($grep_bin "$input:" ./*.ndb) + if [ -n "$sig" ] ; then + db_file=$(echo "$sig" | cut -d ':' -f1) + echo "$input found in: $db_file" + echo "$input signature decodes to:" + echo "$sig" | cut -d ":" -f5 | perl -pe 's/([a-fA-F0-9]{2})|(\{[^}]*\}|\([^)]*\))/defined $2 ? $2 : chr(hex $1)/eg' + else + echo "Signature '$input' could not be found." + echo "This script will only decode ClamAV 'UNOFFICIAL' third-Party," + echo "non-image based, signatures as found in the *.ndb databases." 
+ fi + else + echo "Here is the decoded hexadecimal input string:" + echo "$input" | perl -pe 's/([a-fA-F0-9]{2})|(\{[^}]*\}|\([^)]*\))/defined $2 ? $2 : chr(hex $1)/eg' + fi +} + +#Hexadecimal encode an entire input string +function hexadecimal_encode_entire_input_string () { + echo "" + echo "Input the data string that you want to hexadecimal encode and then press enter. Do not include" + echo "any quotes around the string unless you want them included in the hexadecimal encoded output:" + read -r input + echo "Here is the hexadecimal encoded input string:" + echo "$input" | perl -pe 's/(.)/sprintf("%02lx", ord $1)/eg' +} + +#Hexadecimal encode a formatted input string +function hexadecimal_encode_formatted_input_string () { + echo "" + echo "Input a formated data string containing spacing fields '{}, (), *' that you want to hexadecimal" + echo "encode, without encoding the spacing fields, and then press enter. Do not include any quotes" + echo "around the string unless you want them included in the hexadecimal encoded output:" + read -r input + echo "Here is the hexadecimal encoded input string:" + echo "$input" | perl -pe 's/(\{[^}]*\}|\([^)]*\)|\*)|(.)/defined $1 ? $1 : sprintf("%02lx", ord $2)/eg' +} + +#GPG verify a specific Sanesecurity database file +function gpg_verify_specific_sanesecurity_database_file () { #databasefile + echo "" + if [ "$1" ] ; then + db_file=$(echo "$1" | awk -F '/' '{print $NF}') + if [ -r "$work_dir_sanesecurity/$db_file" ] ; then + echo "GPG signature testing database file: $work_dir_sanesecurity/$db_file" + if [ -r "$work_dir_sanesecurity/$db_file".sig ] ; then + "$gpg_bin" -q --trust-model always --no-default-keyring --homedir "$work_dir_gpg" --keyring "$work_dir_gpg"/ss-keyring.gpg --verify "$work_dir_sanesecurity"/"$db_file".sig "$work_dir_sanesecurity"/"$db_file" + if [ "$?" 
!= "0" ]; then + "$gpg_bin" -q --always-trust --no-default-keyring --homedir "$work_dir_gpg" --keyring "$work_dir_gpg"/ss-keyring.gpg --verify "$work_dir_sanesecurity"/"$db_file".sig "$work_dir_sanesecurity"/"$db_file" + if [ "$?" == "0" ]; then + exit 0 + else + exit 1 + fi + else + exit 0 + fi + else + echo "Signature '$db_file.sig' cannot be found." + fi + else + echo "File '$db_file' cannot be found or is not a Sanesecurity database file." + echo "Only the following Sanesecurity and OITC databases can be GPG signature tested:" + ls --ignore "*.sig" --ignore "*.md5" --ignore "*.ign2" "$work_dir_sanesecurity" + fi + else + xshok_pretty_echo_and_log "ERROR: Missing value for option" "=" + exit 1 + fi +} + +#Output system and configuration information +function output_system_configuration_information () { + echo "" + echo "*** SCRIPT VERSION ***" + echo "$this_script_name $script_version ($script_version_date)" + echo "*** SYSTEM INFORMATION ***" + $uname_bin -a + echo "*** CLAMSCAN LOCATION & VERSION ***" + echo "$clamscan_bin" + $clamscan_bin --version | head -1 + echo "*** RSYNC LOCATION & VERSION ***" + echo "$rsync_bin" + $rsync_bin --version | head -1 + if [ "$wget_bin" != "" ] ; then + echo "*** WGET LOCATION & VERSION ***" + echo "$wget_bin" + $wget_bin --version | head -1 + else + echo "*** CURL LOCATION & VERSION ***" + echo "$curl_bin" + $curl_bin --version | head -1 + fi + echo "*** GPG LOCATION & VERSION ***" + echo "$gpg_bin" + $gpg_bin --version | head -1 + echo "*** SCRIPT WORKING DIRECTORY INFORMATION ***" + echo "$work_dir" + echo "*** CLAMAV DIRECTORY INFORMATION ***" + echo "$clam_dbs" + echo "*** SCRIPT CONFIGURATION SETTINGS ***" + if [ "$custom_config" != "no" ] ; then + if [ -d "$custom_config" ] ; then + # Assign the custom config dir and remove trailing / (removes / and //) + echo "Custom Configuration Directory: $config_dir" + else + echo "Custom Configuration File: $custom_config" + fi + else + echo "Configuration Directory: $config_dir" 
+ fi +} + +#Make a signature database from an ascii file +function make_signature_database_from_ascii_file () { + echo "" + echo " + The '-m' script flag provides a way to create a ClamAV hexadecimal signature database (*.ndb) file + from a list of data strings stored in a clear-text ascii file, with one data string entry per line. + + - Hexadecimal encoding can be either 'full' or 'formatted' on a per line basis: + + Full line encoding should be used if there are no formatted spacing entries [{}, (), *] + included on the line. Prefix unformatted lines with: '-:' (no quote marks). + + Example: + + -:This signature contains no formatted spacing fields + + Encodes to: + + 54686973207369676e617475726520636f6e7461696e73206e6f20666f726d61747465642073706163696e67206669656c6473 + + Formatted line encoding should be used if there are user added spacing entries [{}, (), *] + included on the line. Prefix formatted lines with '=:' (no quote marks). + + Example: + + =:This signature{-10}contains several(25|26|27)formatted spacing*fields + + Encodes to: + + 54686973207369676e6174757265{-10}636f6e7461696e73207365766572616c(25|26|27)666f726d61747465642073706163696e67*6669656c6473 + + Use 'full' encoding if you want to encode everything on the line [including {}, (), *] and 'formatted' + encoding if you want to encode everything on the line except the formatted character spacing fields. + + The prefixes ('-:' and '=:') will be stripped from the line before hexadecimal encoding is done. + If no prefix is found at the beginning of the line, full line encoding will be done (default). + + - It is assumed that the signatures will be created for email scanning purposes, thus the '4' + target type is used and full file scanning is enabled (see ClamAV signatures.pdf for details). + + - Line numbering will be done automatically by the script. + " | command sed 's/^ //g' + echo -n "Do you wish to continue? 
" + if xshok_prompt_confirm ; then + + echo -n "Enter the source file as /path/filename: " + read -r source + if [ -r "$source" ] ; then + source_file=$(basename "$source") + + echo "What signature prefix would you like to use? For example: 'Phish.Domains'" + echo "will create signatures that looks like: 'Phish.Domains.1:4:*:HexSigHere'" + + echo -n "Enter signature prefix: " + read -r prefix + path_file=$(echo "$source" | cut -d "." -f-1 | command sed 's/$/.ndb/') + db_file=$(basename "$path_file") + rm -f "$path_file" + total=$(wc -l "$source" | cut -d " " -f1) + line_num=1 + + while read -r line ; do + line_prefix=$(echo "$line" | awk -F ':' '{print $1}') + if [ "$line_prefix" = "-" ] ; then + echo "$line" | cut -d ":" -f2- | perl -pe 's/(.)/sprintf("%02lx", ord $1)/eg' | command sed "s/^/$prefix\.$line_num:4:\*:/" >> "$path_file" + elif [ "$line_prefix" = "=" ] ; then + echo "$line" | cut -d ":" -f2- | perl -pe 's/(\{[^}]*\}|\([^)]*\)|\*)|(.)/defined $1 ? $1 : sprintf("%02lx", ord $2)/eg' | command sed "s/^/$prefix\.$line_num:4:\*:/" >> "$path_file" + else + echo "$line" | perl -pe 's/(.)/sprintf("%02lx", ord $1)/eg' | command sed "s/^/$prefix\.$line_num:4:\*:/" >> "$path_file" + fi + echo "Hexadecimal encoding $source_file line: $line_num of $total" + line_num=$((line_num + 1)) + done < "$source" + else + echo "Source file not found, exiting..." + exit + fi + + + echo "Signature database file created at: $path_file" + if $clamscan_bin --quiet -d "$path_file" "$work_dir_work_configs/scan-test.txt" 2>/dev/null ; then + + echo "Clamscan reports database integrity tested good." + + echo -n "Would you like to move '$db_file' into '$clam_dbs' and reload databases?" + if xshok_prompt_confirm ; then + if ! 
cmp -s "$path_file" "$clam_dbs/$db_file" ; then + if $rsync_bin -pcqt "$path_file" "$clam_dbs" ; then + perms chown -f "$clam_user:$clam_group" "$clam_dbs/$db_file" + perms chmod -f 0644 "$clam_dbs"/"$db_file" + if [ "$selinux_fixes" == "yes" ] ; then + restorecon "$clam_dbs/$db_file" + fi + $clamd_restart_opt + + echo "Signature database '$db_file' was successfully implemented and ClamD databases reloaded." + else + + echo "Failed to add/update '$db_file', ClamD database not reloaded." + fi + else + + echo "Database '$db_file' has not changed - skipping" + fi + else + + echo "No action taken." + fi + else + + echo "Clamscan reports that '$db_file' signature database integrity tested bad." + fi + fi +} + +#Remove the clamav-unofficial-sigs script +function remove_script () { + echo "" + if [ -n "$pkg_mgr" ] || [ -n "$pkg_rm" ] ; then + echo "This script (clamav-unofficial-sigs) was installed on the system via '$pkg_mgr'" + echo "use '$pkg_rm' to remove the script and all of its associated files and databases from the system." + + else + cron_file_full_path="$cron_dir/$cron_filename" + logrotate_file_full_path="$logrotate_dir/$logrotate_filename" + man_file_full_path="$man_dir/$man_filename" + + echo "This will remove the workdir ($work_dir), logrotate file ($logrotate_file_full_path), cron file ($cron_file_full_path), man file ($man_file_full_path)" + echo "Are you sure you want to remove the clamav-unofficial-sigs script and all of its associated files, third-party databases, and work directory from the system?" + if xshok_prompt_confirm ; then + echo "This can not be undone are you sure ?" 
+ if xshok_prompt_confirm ; then + if [ -r "$work_dir_work_configs/purge.txt" ] ; then + + while read -r file ; do + xshok_is_file "$file" && rm -f -- "$file" + echo " Removed file: $file" + done < "$work_dir_work_configs"/purge.txt + if [ -r "$cron_file_full_path" ] ; then + xshok_is_file "$cron_file_full_path" && rm -f "$cron_file_full_path" + echo " Removed file: $cron_file_full_path" + fi + if [ -r "$logrotate_file_full_path" ] ; then + xshok_is_file "$logrotate_file_full_path" && rm -f "$logrotate_file_full_path" + echo " Removed file: $logrotate_file_full_path" + fi + if [ -r "$man_file_full_path" ] ; then + xshok_is_file "$man_file_full_path" && rm -f "$man_file_full_path" + echo " Removed file: $man_file_full_path" + fi + + #rather keep the configs + #rm -f -- "$default_config" && echo " Removed file: $default_config" + #rm -f -- "$0" && echo " Removed file: $0" + xshok_is_subdir "$work_dir" && rm -rf -- "$work_dir" && echo " Removed script working directories: $work_dir" + + echo " The clamav-unofficial-sigs script and all of its associated files, third-party" + echo " databases, and work directories have been successfully removed from the system." + + else + echo " Cannot locate 'purge.txt' file in $work_dir_work_configs." + echo " Files and signature database will need to be removed manually." + fi + else + echo "Aborted" + fi + else + echo "Aborted" + fi + fi +} + +#Clamscan integrity test a specific database file +function clamscan_integrity_test_specific_database_file () { #databasefile + echo "" + if [ "$1" ] ; then + input=$(echo "$1" | awk -F '/' '{print $NF}') + db_file=$(find "$work_dir" -name "$input") + if [ -r "$db_file" ] ; then + echo "Clamscan integrity testing: $db_file" + + $clamscan_bin --quiet -d "$db_file" "$work_dir_work_configs/scan-test.txt" + if [ "$?" 
-eq "0" ]; then + echo "Clamscan reports that '$input' database integrity tested GOOD" + exit 0 + else + echo "Clamscan reports that '$input' database integrity tested BAD" + exit 1 + fi + else + echo "File '$input' cannot be found." + echo "Here is a list of third-party databases that can be clamscan integrity tested:" + + echo "=== Sanesecurity ===" + ls --ignore "*.sig" --ignore "*.md5" --ignore "*.ign2" "$work_dir_sanesecurity" + + echo "=== SecuriteInfo ===" + ls --ignore "*.sig" --ignore "*.md5" --ignore "*.ign2" "$work_dir_securiteinfo" + + echo "=== MalwarePatrol ===" + ls --ignore "*.sig" --ignore "*.md5" --ignore "*.ign2" "$work_dir_malwarepatrol" + + echo "=== Linux Malware Detect ===" + ls --ignore "*.sig" --ignore "*.md5" --ignore "*.ign2" "$work_dir_linuxmalwaredetect" + + echo "=== Linux Malware Detect ===" + ls --ignore "*.sig" --ignore "*.md5" --ignore "*.ign2" "$work_dir_yararulesproject" + + echo "=== User Defined Databases ===" + ls --ignore "*.sig" --ignore "*.md5" --ignore "*.ign2" "$work_dir_add" + + echo "Check the file name and try again..." + fi + else + xshok_pretty_echo_and_log "ERROR: Missing value for option" "=" + exit 1 + fi +} + +#output names of any third-party signatures that triggered during the HAM directory scan +function output_signatures_triggered_during_ham_directory_scan () { + echo "" + if [ -n "$ham_dir" ] ; then + if [ -r "$work_dir_work_configs/whitelist.hex" ] ; then + echo "The following third-party signatures triggered hits during the HAM Directory scan:" + + $grep_bin -h -f "$work_dir_work_configs/whitelist.hex" "$work_dir"/*/*.ndb | cut -d ":" -f1 + else + echo "No third-party signatures have triggered hits during the HAM Directory scan." + fi + else + echo "Ham directory scanning is not currently enabled in the script's configuration file." 
+ fi +} + +#Adds a signature whitelist entry in the newer ClamAV IGN2 format +function add_signature_whitelist_entry () { + echo "" + echo "Input a third-party signature name that you wish to whitelist due to false-positives" + echo "and press enter (do not include '.UNOFFICIAL' in the signature name nor add quote" + echo "marks to the input string):" + + read -r input + if [ -n "$input" ] ; then + cd "$clam_dbs" || exit + input=$(echo "$input" | tr -d "'" | tr -d '"') + sig_full=$($grep_bin -H "$input" ./*.*db) + sig_name=$(echo "$sig_full" | cut -d ":" -f2) + if [ -n "$sig_name" ] ; then + if ! $grep_bin "$sig_name" my-whitelist.ign2 > /dev/null 2>&1 ; then + cp -f my-whitelist.ign2 "$work_dir_work_configs" 2>/dev/null + echo "$sig_name" >> "$work_dir_work_configs/my-whitelist.ign2" + echo "$sig_full" >> "$work_dir_work_configs/tracker.txt" + if $clamscan_bin --quiet -d "$work_dir_work_configs/my-whitelist.ign2" "$work_dir_work_configs/scan-test.txt" ; then + if $rsync_bin -pcqt "$work_dir_work_configs/my-whitelist.ign2" "$clam_dbs" ; then + perms chown -f "$clam_user:$clam_group" my-whitelist.ign2 + + if [ ! -s "$work_dir_work_configs/monitor-ign.txt" ] ; then + # Create "monitor-ign.txt" file for clamscan database integrity testing. + echo "This is the monitor ignore file..." > "$work_dir_work_configs/monitor-ign.txt" + fi + + perms chmod -f 0644 my-whitelist.ign2 "$work_dir_work_configs/monitor-ign.txt" + if [ "$selinux_fixes" == "yes" ] ; then + restorecon "$clam_dbs/local.ign" + fi + clamscan_reload_dbs + + echo "Signature '$input' has been added to my-whitelist.ign2 and" + echo "all databases have been reloaded. The script will track any changes" + echo "to the offending signature and will automatically remove it if the" + echo "signature is modified or removed from the third-party database." + else + + echo "Failed to successfully update my-whitelist.ign2 file - SKIPPING." 
+ fi + else + + echo "Clamscan reports my-whitelist.ign2 database integrity is bad - SKIPPING." + fi + else + + echo "Signature '$input' already exists in my-whitelist.ign2 - no action taken." + fi + else + + echo "Signature '$input' could not be found." + + echo "This script will only create a whitelise entry in my-whitelist.ign2 for ClamAV" + echo "'UNOFFICIAL' third-Party signatures as found in the *.ndb *.hdb *.db databases." + fi + else + echo "No input detected - no action taken." + fi +} + +#Clamscan reload database +function clamscan_reload_dbs () { + # Reload all clamd databases if updates detected and $reload_dbs" is set to "yes" + if [ "$reload_dbs" = "yes" ] ; then + if [ "$do_clamd_reload" != "0" ] ; then + if [ "$do_clamd_reload" = "1" ] ; then + xshok_pretty_echo_and_log "Update(s) detected, reloading ClamAV databases" "=" + elif [ "$do_clamd_reload" = "2" ] ; then + xshok_pretty_echo_and_log "Database removal(s) detected, reloading ClamAV databases" "=" + elif [ "$do_clamd_reload" = "3" ] ; then + xshok_pretty_echo_and_log "File 'local.ign' has changed, reloading ClamAV databases" "=" + elif [ "$do_clamd_reload" = "4" ] ; then + xshok_pretty_echo_and_log "File 'my-whitelist.ign2' has changed, reloading ClamAV databases" "=" + else + xshok_pretty_echo_and_log "Update(s) detected, reloading ClamAV databases" "=" + fi + + if [[ $($clamd_reload_opt 2>&1) = *"ERROR"* ]] ; then + xshok_pretty_echo_and_log "ERROR: Failed to reload, trying again" "-" + if [ -r "$clamd_pid" ] ; then + mypid=$(cat "$clamd_pid") + kill -USR2 "$mypid" + if [ $? 
-eq 0 ] ; then + xshok_pretty_echo_and_log "ClamAV databases Reloaded" "=" + else + xshok_pretty_echo_and_log "ERROR: Failed to reload, forcing clamd to restart" "-" + if [ -z "$clamd_restart_opt" ] ; then + xshok_pretty_echo_and_log "WARNING: Check the script's configuration file, 'reload_dbs' enabled but no 'clamd_restart_opt'" "*" + else + $clamd_restart_opt + xshok_pretty_echo_and_log "ClamAV Restarted" "=" + fi + fi + else + xshok_pretty_echo_and_log "ERROR: Failed to reload, forcing clamd to restart" "=" + if [ -z "$clamd_restart_opt" ] ; then + xshok_pretty_echo_and_log "WARNING: Check the script's configuration file, 'reload_dbs' enabled but no 'clamd_restart_opt'" "*" + else + $clamd_restart_opt + xshok_pretty_echo_and_log "ClamAV Restarted" "=" + fi + fi + else + xshok_pretty_echo_and_log "ClamAV databases Reloaded" "=" + fi + else + xshok_pretty_echo_and_log "No updates detected, ClamAV databases were not reloaded" "=" + fi + else + xshok_pretty_echo_and_log "Database reload has been disabled in the configuration file" "=" + fi + +} + +# If ClamD status check is enabled ("clamd_socket" variable is uncommented +# and the socket path is correctly specified in "User Edit" section above), +# then test to see if clamd is running or not. 
+function check_clamav () { + if [ -n "$clamd_socket" ] ; then + if [ -S "$clamd_socket" ] ; then + if [ "$(perl -e 'use IO::Socket::UNIX; print $IO::Socket::UNIX::VERSION,"\n"' 2>/dev/null)" ] ; then + io_socket1=1 + if [ "$(perl -MIO::Socket::UNIX -we '$s = IO::Socket::UNIX->new(shift); $s->print("PING"); print $s->getline; $s->close' "$clamd_socket" 2>/dev/null)" = "PONG" ] ; then + io_socket2=1 + xshok_pretty_echo_and_log "ClamD is running" "=" + fi + else + socat="$(which socat 2>/dev/null)" + if [ -n "$socat" ] && [ -x "$socat" ] ; then + socket_cat1=1 + if [ "$( (echo "PING"; sleep 1;) | socat - "$clamd_socket" 2>/dev/null)" = "PONG" ] ; then + socket_cat2=1 + xshok_pretty_echo_and_log "ClamD is running" "=" + fi + fi + fi + if [ -z "$io_socket1" ] && [ -z "$socket_cat1" ] ; then + xshok_pretty_echo_and_log "WARNING: socat or perl module 'IO::Socket::UNIX' not found, cannot test if ClamD is running" "*" + else + if [ -z "$io_socket2" ] && [ -z "$socket_cat2" ] ; then + + xshok_pretty_echo_and_log "ALERT: CLAMD IS NOT RUNNING!" "=" + if [ -n "$clamd_restart_opt" ] ; then + xshok_pretty_echo_and_log "Attempting to start ClamD..." 
"-" + if [ -n "$io_socket1" ] ; then + $clamd_restart_opt > /dev/null && sleep 5 + if [ "$(perl -MIO::Socket::UNIX -we '$s = IO::Socket::UNIX->new(shift); $s->print("PING"); print $s->getline; $s->close' "$clamd_socket" 2>/dev/null)" = "PONG" ] ; then + xshok_pretty_echo_and_log "ClamD was successfully started" "=" + else + xshok_pretty_echo_and_log "ERROR: CLAMD FAILED TO START" "=" + exit 1 + fi + else + if [ -n "$socket_cat1" ] ; then + $clamd_restart_opt > /dev/null && sleep 5 + if [ "$( (echo "PING"; sleep 1;) | socat - "$clamd_socket" 2>/dev/null)" = "PONG" ] ; then + xshok_pretty_echo_and_log "ClamD was successfully started" "=" + else + xshok_pretty_echo_and_log "ERROR: CLAMD FAILED TO START" "=" + exit 1 + fi + fi + fi + fi + fi + fi + else + xshok_pretty_echo_and_log "WARNING: $clamd_socket is not a usable socket" "*" + fi + else + xshok_pretty_echo_and_log "WARNING: clamd_socket is not defined in the configuration file" "*" + fi +} + +#function to check for a new version +function check_new_version () { + if [ "$wget_bin" != "" ] ; then + latest_version="$($wget_bin https://raw.githubusercontent.com/extremeshok/clamav-unofficial-sigs/master/clamav-unofficial-sigs.sh -O - 2> /dev/null | $grep_bin "script""_version=" | cut -d\" -f2)" + else + latest_version="$($curl_bin https://raw.githubusercontent.com/extremeshok/clamav-unofficial-sigs/master/clamav-unofficial-sigs.sh 2> /dev/null | $grep_bin "script""_version=" | cut -d\" -f2)" + fi + if [ "$latest_version" ] ; then + if [ ! 
"$latest_version" == "$script_version" ] ; then + xshok_pretty_echo_and_log "New version : v$latest_version @ https://github.com/extremeshok/clamav-unofficial-sigs" "-" + fi + fi +} + +#function for help and usage +##usage: +# help_and_usage "1" - enables the man output formatting +# help_and_usage - normal help output formatting +function help_and_usage () { + + if [ "$1" ] ; then + #option_format_start + ofs="\fB" + #option_format_end + ofe="\fR" + #option_format_blankline + ofb=".TP" + #option_format_tab_line + oft=" " + else + #option_format_start + ofs="${BOLD}" + #option_format_end + ofe="${NORM}\t" + #option_format_blankline + ofb="\n" + #option_format_tab_line + oft="\n\t" + fi + +helpcontents=$(cat << EOF +$ofs Usage: $(basename "$0") $ofe [OPTION] [PATH|FILE] +$ofb +$ofs -c, --config $ofe Use a specific configuration file or directory $oft eg: '-c /your/dir' or ' -c /your/file.name' $oft Note: If a directory is specified the directory must contain atleast: $oft master.conf, os.conf or user.conf $oft Default Directory: $config_dir +$ofb +$ofs -F, --force $ofe Force all databases to be downloaded, could cause ip to be blocked +$ofb +$ofs -h, --help $ofe Display this script's help and usage information +$ofb +$ofs -V, --version $ofe Output script version and date information +$ofb +$ofs -v, --verbose $ofe Be verbose, enabled when not run under cron +$ofb +$ofs -s, --silence $ofe Only output error messages, enabled when run under cron +$ofb +$ofs -d, --decode-sig $ofe Decode a third-party signature either by signature name $oft (eg: Sanesecurity.Junk.15248) or hexadecimal string. 
$oft This flag will 'NOT' decode image signatures +$ofb +$ofs -e, --encode-string $ofe Hexadecimal encode an entire input string that can $oft be used in any '*.ndb' signature database file +$ofb +$ofs -f, --encode-formatted $ofe Hexadecimal encode a formatted input string containing $oft signature spacing fields '{}, (), *', without encoding $oft the spacing fields, so that the encoded signature $oft can be used in any '*.ndb' signature database file +$ofb +$ofs -g, --gpg-verify $ofe GPG verify a specific Sanesecurity database file $oft eg: '-g filename.ext' (do not include file path) +$ofb +$ofs -i, --information $ofe Output system and configuration information for $oft viewing or possible debugging purposes +$ofb +$ofs -m, --make-database $ofe Make a signature database from an ascii file containing $oft data strings, with one data string per line. Additional $oft information is provided when using this flag +$ofb +$ofs -t, --test-database $ofe Clamscan integrity test a specific database file $oft eg: '-t filename.ext' (do not include file path) +$ofb +$ofs -o, --output-triggered $ofe If HAM directory scanning is enabled in the script's $oft configuration file, then output names of any third-party $oft signatures that triggered during the HAM directory scan +$ofb +$ofs -w, --whitelist $ofe Adds a signature whitelist entry in the newer ClamAV IGN2 $oft format to 'my-whitelist.ign2' in order to temporarily resolve $oft a false-positive issue with a specific third-party signature. 
$oft Script added whitelist entries will automatically be removed $oft if the original signature is either modified or removed from $oft the third-party signature database +$ofb +$ofs --check-clamav $ofe If ClamD status check is enabled and the socket path is correctly $oft specifiedthen test to see if clamd is running or not +$ofb +$ofs --install-all $ofe Install and generate the cron, logroate and man files, autodetects the values $oft based on your config files +$ofb +$ofs --install-cron $ofe Install and generate the cron file, autodetects the values $oft based on your config files +$ofb +$ofs --install-logrotate $ofe Install and generate the logrotate file, autodetects the $oft values based on your config files +$ofb +$ofs --install-man $ofe Install and generate the man file, autodetects the $oft values based on your config files +$ofb +$ofs --remove-script $ofe Remove the clamav-unofficial-sigs script and all of $oft its associated files and databases from the system +$ofb +EOF + ) #this is very important... 
+ + if [ "$1" ] ; then + echo "${helpcontents//-/\\-}" + else + echo -e "$helpcontents" + fi +} + +################################################################################ +# MAIN PROGRAM +################################################################################ + +#Script Info +script_version="5.4.1" +script_version_date="20 July 2016" +minimum_required_config_version="65" +minimum_yara_clamav_version="0.99" + +#default config files +config_dir="/etc/clamav-unofficial-sigs" +config_files=("$config_dir/master.conf" "$config_dir/os.conf" "$config_dir/user.conf") + +#Initialise +config_version="0" +do_clamd_reload="0" +comment_silence="no" +logging_enabled="no" +force_updates="no" +enable_log="no" +custom_config="no" +we_have_a_config="0" + +## Solaris which function returns garbage when the program is not found +## only define the new which function if running under Solaris +if [ "$(uname -s)" = "SunOS" ] ; then + which () { + # use the switch -p to ignore ksh internal commands + ksh whence -p "$@" + } +fi + +#Default Binaries & Commands +clamd_reload_opt="clamdscan --reload" +uname_bin=$(which uname) +clamscan_bin=$(which clamscan) +rsync_bin=$(which rsync) +#detect support for wget +if [ -x /usr/sfw/bin/wget ] ; then + wget_bin="/usr/sfw/bin/wget" +else + wget_bin=$(which wget) +fi +if [ "$wget_bin" == "" ] ; then + curl_bin=$(which curl) +fi +#detect supprot for gnu grep +if [ -x /usr/gnu/bin/grep ] ; then + grep_bin="/usr/gnu/bin/grep" +else + grep_bin=$(which grep) +fi +if [ -x /opt/csw/bin/gpg ] ; then + gpg_bin="/opt/csw/bin/gpg" +else + gpg_bin=$(which gpg) +fi +if [ "$gpg_bin" == "" ] ; then + gpg_bin=$(which gpg2) +fi + +#Detect if terminal +if [ -t 1 ] ; then + #Set fonts + ##Usage: echo "${BOLD}-a${NORM}" + BOLD=$(tput bold) + #REV=$(tput smso) + NORM=$(tput sgr0) + #Verbose + force_verbose="yes" +else + #Null Fonts + BOLD='' + #REV='' + NORM='' + #silence + force_verbose="no" +fi + + +# Generic command line options +while true ; do + case 
"$1" in + -c | --config ) xshok_check_s2 "$2"; custom_config="$2"; shift 2; break ;; + -F | --force ) force_updates="yes"; shift 1; break ;; + -v | --verbose ) force_verbose="yes"; shift 1; break ;; + -s | --silence ) force_verbose="no"; shift 1; break ;; + * ) break ;; + esac +done + +#Set the verbosity +if [ "$force_verbose" == "yes" ] ; then + #verbose + downloader_silence="no" + rsync_silence="no" + gpg_silence="no" + comment_silence="no" +else + #silence + downloader_silence="yes" + rsync_silence="yes" + gpg_silence="yes" + comment_silence="yes" +fi + +xshok_pretty_echo_and_log "" "#" "80" +xshok_pretty_echo_and_log " eXtremeSHOK.com ClamAV Unofficial Signature Updater" +xshok_pretty_echo_and_log " Version: v$script_version ($script_version_date)" +xshok_pretty_echo_and_log " Required Configuration Version: v$minimum_required_config_version" +xshok_pretty_echo_and_log " Copyright (c) Adrian Jon Kriel :: admin@extremeshok.com" +xshok_pretty_echo_and_log "" "#" "80" + +# Generic command line options +while true ; do + case "$1" in + -h | --help ) help_and_usage; exit; break ;; + -V | --version ) exit; break ;; + * ) break ;; + esac +done + +## CONFIG LOADING AND ERROR CHECKING ############################################## +if [ "$custom_config" != "no" ] ; then + if [ -d "$custom_config" ] ; then + # Assign the custom config dir and remove trailing / (removes / and //) + config_dir=$(echo "$custom_config" | sed 's:/*$::') + config_files=("$config_dir/master.conf" "$config_dir/os.conf" "$config_dir/user.conf") + else + config_files=("$custom_config") + fi +fi + +for config_file in "${config_files[@]}" ; do + if [ -r "$config_file" ] ; then #exists and readable + we_have_a_config="1" + #config stripping + xshok_pretty_echo_and_log "Loading config: $config_file" "=" + + + + if [ "$(uname -s)" = "SunOS" ] ; then + #Solaris FIXES only, i had issues with running with a single command.. 
+ clean_config=$(command sed -e '/^#.*/d' "$config_file") # comment line + clean_config=$(echo "$clean_config" | sed -e 's/#[[:space:]].*//') # comment line (duplicated) + clean_config=$(echo "$clean_config" | sed -e '/^[[:blank:]]*#/d;s/#.*//') #comments at end of line + clean_config=$(echo "$clean_config" | sed -e 's/^[ \t]*//;s/[ \t]*$//') #trailing and leading whitespace + clean_config=$(echo "$clean_config" | sed -e '/^\s*$/d') #blank lines + else + # delete lines beginning with # + # delete from ' #' to end of the line + # delete from '# ' to end of the line + # delete both trailing and leading whitespace + # delete all trailing whitespace + # delete all empty lines + clean_config=$(command sed -e '/^#.*/d' -e 's/[[:space:]]#.*//' -e 's/#[[:space:]].*//' -e 's/^[ \t]*//;s/[ \t]*$//' -e '/^\s*$/d' "$config_file") + fi + + ### config error checking + # check "" are an even number + config_check="${clean_config//[^\"]}" + if [ $(( ${#config_check} % 2)) -eq 1 ] ; then + xshok_pretty_echo_and_log "ERROR: Your configuration has errors, every \" requires a closing \"" "=" + exit 1 + fi + + # check there is an = for every set of "" #optional whitespace \s* between = and " + config_check_vars=$(echo "$clean_config" | $grep_bin -c '=\s*\"' ) + + if [ $(( ${#config_check} / 2)) -ne "$config_check_vars" ] ; then + xshok_pretty_echo_and_log "ERROR: Your configuration has errors, every = requires a pair of \"\"" "=" + exit 1 + fi + + #config loading + for i in "${clean_config[@]}" ; do + eval "$(echo "${i}" | command sed -e 's/[[:space:]]*$//' 2> /dev/null)" + done + fi +done + + + +# Assign the log_file_path earlier and remove trailing / (removes / and //) +log_file_path=$(echo "$log_file_path" | sed 's:/*$::') +#Only start logging once all the configs have been loaded +if [ "$logging_enabled" == "yes" ] ; then + enable_log="yes" +fi + +## Make sure we have a readable config file +if [ "$we_have_a_config" == "0" ] ; then + xshok_pretty_echo_and_log "ERROR: Config file/s 
could NOT be read/loaded" "=" + exit 1 +fi + +#prevent some issues with an incomplete or only a user.conf being loaded +if [ $config_version == "0" ] ; then + xshok_pretty_echo_and_log "ERROR: Config file/s are missing important contents" "=" + xshok_pretty_echo_and_log "Note: Possible fix would be to point the script to the dir with the configs" + exit 1 +fi + +#config version validation +if [ $config_version -lt $minimum_required_config_version ] ; then + xshok_pretty_echo_and_log "ERROR: Your config version $config_version is not compatible with the min required version $minimum_required_config_version" "=" + exit 1 +fi + +# Check to see if the script's "USER CONFIGURATION FILE" has been completed. +if [ "$user_configuration_complete" != "yes" ] ; then + xshok_pretty_echo_and_log "WARNING: SCRIPT CONFIGURATION HAS NOT BEEN COMPLETED" "*" + xshok_pretty_echo_and_log "Please review the script configuration files." + exit 1 +fi + +# Assign the directories and remove trailing / (removes / and //) +work_dir=$(echo "$work_dir" | sed 's:/*$::') + +#Allow overriding of all the individual workdirs, this is mainly to aid package maintainers +if [ ! -n "$work_dir_sanesecurity" ] ; then + work_dir_sanesecurity=$(echo "$work_dir/$sanesecurity_dir" | sed 's:/*$::') +else + work_dir_sanesecurity=$(echo "$work_dir_sanesecurity" | sed 's:/*$::') +fi +if [ ! -n "$work_dir_securiteinfo" ] ; then + work_dir_securiteinfo=$(echo "$work_dir/$securiteinfo_dir" | sed 's:/*$::') +else + work_dir_securiteinfo=$(echo "$work_dir_securiteinfo" | sed 's:/*$::') +fi +if [ ! -n "$work_dir_linuxmalwaredetect" ] ; then + work_dir_linuxmalwaredetect=$(echo "$work_dir/$linuxmalwaredetect_dir" | sed 's:/*$::') +else + work_dir_linuxmalwaredetect=$(echo "$work_dir_linuxmalwaredetect" | sed 's:/*$::') +fi +if [ ! 
-n "$work_dir_malwarepatrol" ] ; then + work_dir_malwarepatrol=$(echo "$work_dir/$malwarepatrol_dir" | sed 's:/*$::') +else + work_dir_malwarepatrol=$(echo "$work_dir_malwarepatrol" | sed 's:/*$::') +fi +if [ ! -n "$work_dir_yararulesproject" ] ; then + work_dir_yararulesproject=$(echo "$work_dir/$yararulesproject_dir" | sed 's:/*$::') +else + work_dir_yararulesproject=$(echo "$work_dir_yararulesproject" | sed 's:/*$::') +fi +if [ ! -n "$work_dir_add" ] ; then + work_dir_add=$(echo "$work_dir/$add_dir" | sed 's:/*$::') +else + work_dir_add=$(echo "$work_dir_add" | sed 's:/*$::') +fi +if [ ! -n "$work_dir_work_configs" ] ; then + work_dir_work_configs=$(echo "$work_dir/$work_dir_configs" | sed 's:/*$::') +else + work_dir_work_configs=$(echo "$work_dir_work_configs" | sed 's:/*$::') +fi +if [ ! -n "$work_dir_gpg" ] ; then + work_dir_gpg=$(echo "$work_dir/$gpg_dir" | sed 's:/*$::') +else + work_dir_gpg=$(echo "$work_dir_gpg" | sed 's:/*$::') +fi + +if [ ! -n "$work_dir_pid" ] ; then + work_dir_pid=$(echo "$work_dir/$pid_dir" | sed 's:/*$::') +else + work_dir_pid=$(echo "$work_dir_pid" | sed 's:/*$::') +fi + +# Assign defaults if not defined +if [ ! -n "$cron_dir" ] ; then + cron_dir="/etc/cron.d" +fi +cron_dir=$(echo "$cron_dir" | sed 's:/*$::') +if [ ! -n "$cron_filename" ] ; then + cron_filename="clamav-unofficial-sigs" +fi +if [ ! -n "$logrotate_dir" ] ; then + logrotate_dir="/etc/logrotate.d" +fi +logrotate_dir=$(echo "$logrotate_dir" | sed 's:/*$::') +if [ ! -n "$logrotate_filename" ] ; then + logrotate_filename="clamav-unofficial-sigs" +fi +if [ ! -n "$man_dir" ] ; then + man_dir="/usr/share/man/man8" +fi +man_dir=$(echo "$man_dir" | sed 's:/*$::') +if [ ! -n "$man_filename" ] ; then + man_filename="clamav-unofficial-sigs.8" +fi +if [ ! 
-n "$man_log_file_full_path" ] ; then + man_log_file_full_path="$log_file_path/$log_file_name" +fi + +### SANITY checks +#Check default Binaries & Commands are defined +if [ "$clamd_reload_opt" == "" ] ; then + xshok_pretty_echo_and_log "ERROR: Missing clamd_reload_opt" "=" + exit 1 +fi +if [ "$uname_bin" == "" ] ; then + xshok_pretty_echo_and_log "ERROR: uname (uname_bin) not found" "=" + exit 1 +fi +if [ "$clamscan_bin" == "" ] ; then + xshok_pretty_echo_and_log "ERROR: clamscan binary (clamscan_bin) not found" "=" + exit 1 +fi +if [ "$rsync_bin" == "" ] ; then + xshok_pretty_echo_and_log "ERROR: rsync binary (rsync_bin) not found" "=" + exit 1 +fi +if [ "$wget_bin" == "" ] ; then + if [ "$curl_bin" == "" ] ; then + xshok_pretty_echo_and_log "ERROR: wget and curl binaries not found, script requires either wget or curl" "=" + exit 1 + fi +fi +if [ "$gpg_bin" == "" ] ; then + xshok_pretty_echo_and_log "ERROR: gpg binary (gpg_bin) not found" "=" + exit 1 +fi +#Check default directories are defined +if [ "$work_dir" == "" ] ; then + xshok_pretty_echo_and_log "ERROR: working directory (work_dir) not defined" "=" + exit 1 +fi + +# Reset the update timers to force a full update. +if [ "$force_updates" == "yes" ] ; then + xshok_pretty_echo_and_log "Force Updates: enabled" + sanesecurity_update_hours="0" + securiteinfo_update_hours="0" + linuxmalwaredetect_update_hours="0" + malwarepatrol_update_hours="0" + yararulesproject_update_hours="0" + additional_update_hours="0" +fi + +# Enable pid file to prevent issues with multiple instances +# opted not to use flock as it appears to have issues with some systems +if [ "$enable_locking" == "yes" ] ; then + xshok_mkdir_ownership "$work_dir_pid" + pid_file_fullpath="$work_dir_pid/clamav-unofficial-sigs.pid" + if [ -f "$pid_file_fullpath" ] ; then + pid_file_pid=$(cat "$pid_file_fullpath") + ps -p "$pid_file_pid" > /dev/null 2>&1 + if [ $? 
-eq 0 ] ; then + xshok_pretty_echo_and_log "ERROR: Only one instance can run at the same time." "=" + exit 1 + else + xshok_create_pid_file "$pid_file_fullpath" + fi + else + xshok_create_pid_file "$pid_file_fullpath" + fi + # run this wehen the script exits + trap -- "rm -f $pid_file_fullpath" EXIT +fi + +# Verify the clam_user and clam_group actually exists on the system +if ! xshok_user_group_exists "$clam_user" "$clam_group" ; then + xshok_pretty_echo_and_log "ERROR: Either the user: $clam_user and/or group: $clam_group does not exist on the system." "=" + exit 1 +fi + +# Silence rsync output and only report errors - useful if script is run via cron. +if [ "$rsync_silence" = "yes" ] ; then + rsync_output_level="--quiet" +else + rsync_output_level="--progress" +fi + +# If the local rsync client supports the '--no-motd' flag, then enable it. +if $rsync_bin --help | $grep_bin 'no-motd' > /dev/null ; then + no_motd="--no-motd" +fi + +# If the local rsync client supports the '--contimeout' flag, then enable it. +if $rsync_bin --help | $grep_bin 'contimeout' > /dev/null ; then + connect_timeout="--contimeout=$rsync_connect_timeout" +fi + +# Silence wget output and only report errors - useful if script is run via cron. +if [ "$downloader_silence" = "yes" ] ; then + wget_output_level="--quiet" #--quiet + curl_output_level="--silent --show-error" +else + wget_output_level="--no-verbose" + curl_output_level="" +fi + +#suppress ssl warnings +if [ "$downloader_ignore_ssl" = "yes" ] ; then + wget_insecure="--no-check-certificate" + curl_insecure="--insecure" +else + wget_insecure="" + curl_insecure="" +fi + +# This scripts name and path +this_script_name="$(basename "$0")" +this_script_path="$( cd "$(dirname "$0")" ; pwd -P )" +this_script_full_path="$this_script_path/$this_script_name" + +#set the script to 755 permissions +if xshok_is_root ; then + if [ "$setmode" == "yes" ] ; then + if [ ! 
-x "$this_script_path/$this_script_name" ] ; then + chmod 755 "$this_script_path/$this_script_name" + xshok_pretty_echo_and_log "Fixing permission on $this_script_path/$this_script_name" "=" + fi + fi +else + #disable setmode + setmode="no" +fi + +################################################################################ +# MAIN LOGIC +################################################################################ + +while true; do + case "$1" in + -d | --decode-sig ) decode_third_party_signature_by_signature_name; exit; break ;; + -e | --encode-string ) hexadecimal_encode_entire_input_string; exit; break ;; + -f | --encode-formatted ) hexadecimal_encode_formatted_input_string; exit; break ;; + -g | --gpg-verify ) xshok_check_s2 "$2"; gpg_verify_specific_sanesecurity_database_file "$2"; exit; break ;; + -i | --information ) output_system_configuration_information; exit; break ;; + -m | --make-database ) make_signature_database_from_ascii_file; exit; break ;; + -t | --test-database ) xshok_check_s2 "$2"; clamscan_integrity_test_specific_database_file "$2"; exit; break ;; + -o | --output-triggered ) output_signatures_triggered_during_ham_directory_scan; exit; break ;; + -w | --whitelist ) add_signature_whitelist_entry; exit; break ;; + --check-clamav ) check_clamav; exit; break ;; + --install-all ) install_cron; install_logrotate; install_man; exit; break ;; + --install-cron ) install_cron; exit; break ;; + --install-logrotate ) install_logrotate; exit; break ;; + --install-man ) install_man; exit; break ;; + --remove-script ) remove_script; exit; break ;; + * ) break ;; + esac +done + +xshok_pretty_echo_and_log "Preparing Databases" "=" + +# Check yararule support is available +if [ "$enable_yararules" == "yes" ] ; then + current_clamav_version=$($clamscan_bin -V | cut -d " " -f2 | cut -d "/" -f1 | awk -F. '{ printf("%d%03d%03d%03d\n", $1,$2,$3,$4); }') + minimum_yara_clamav_version=$(echo "$minimum_yara_clamav_version" | awk -F. 
'{ printf("%d%03d%03d%03d\n", $1,$2,$3,$4); }') + #Check current clamav version against the minimum required version for yara support + if [ "$current_clamav_version" -lt "$minimum_yara_clamav_version" ] ; then #older + yararulesproject_enabled="no" + enable_yararules="no" + xshok_pretty_echo_and_log "Notice: Yararules Disabled due to clamav being older than the minimum required version" + fi +else + yararulesproject_enabled="no" + enable_yararules="no" +fi + +# Generate the signature databases +if [ "$sanesecurity_enabled" == "yes" ] ; then + if [ -n "$sanesecurity_dbs" ] ; then + if [ -n "$sanesecurity_dbs_rating" ] ; then + sanesecurity_dbs="$(xshok_database "$sanesecurity_dbs" "$sanesecurity_dbs_rating")" + else + sanesecurity_dbs="$(xshok_database "$sanesecurity_dbs" "$default_dbs_rating")" + fi + fi +fi +if [ "$securiteinfo_enabled" == "yes" ] ; then + if [ -n "$securiteinfo_dbs" ] ; then + if [ -n "$securiteinfo_dbs_rating" ] ; then + securiteinfo_dbs="$(xshok_database "$securiteinfo_dbs" "$securiteinfo_dbs_rating")" + else + securiteinfo_dbs="$(xshok_database "$securiteinfo_dbs" "$default_dbs_rating")" + fi + fi +fi +if [ "$linuxmalwaredetect_enabled" == "yes" ] ; then + if [ -n "$linuxmalwaredetect_dbs" ] ; then + if [ -n "$linuxmalwaredetect_dbs_rating" ] ; then + linuxmalwaredetect_dbs="$(xshok_database "$linuxmalwaredetect_dbs" "$linuxmalwaredetect_dbs_rating")" + else + linuxmalwaredetect_dbs="$(xshok_database "$linuxmalwaredetect_dbs" "$default_dbs_rating")" + fi + fi +fi +if [ "$yararulesproject_enabled" == "yes" ] ; then + if [ -n "$yararulesproject_dbs" ] ; then + if [ -n "$yararulesproject_dbs_rating" ] ; then + yararulesproject_dbs="$(xshok_database "$yararulesproject_dbs" "$yararulesproject_dbs_rating")" + else + yararulesproject_dbs="$(xshok_database "$yararulesproject_dbs" "$default_dbs_rating")" + fi + fi +fi + +# Set the variables for MalwarePatrol +if [ "$malwarepatrol_free" == "yes" ] ; then + malwarepatrol_product_code="8" + 
malwarepatrol_list="clamav_basic" +else + if [ -z $malwarepatrol_list ] ; then + malwarepatrol_list="clamav_basic" + fi + if [ -z $malwarepatrol_product_code ] ; then + # Not sure, it may be better to return an error. + malwarepatrol_product_code=8 + fi +fi +if [ $malwarepatrol_list == "clamav_basic" ] ; then + malwarepatrol_db="malwarepatrol.db" +else + malwarepatrol_db="malwarepatrol.ndb" +fi +malwarepatrol_url="$malwarepatrol_url?product=$malwarepatrol_product_code&list=$malwarepatrol_list" + +# If "ham_dir" variable is set, then create initial whitelist files (skipped if first-time script run). +test_dir="$work_dir/test" +if [ -n "$ham_dir" ] && [ -d "$work_dir" ] && [ ! -d "$test_dir" ] ; then + if [ -d "$ham_dir" ] ; then + xshok_mkdir_ownership "$test_dir" + cp -f "$work_dir"/*/*.ndb "$test_dir" + $clamscan_bin --infected --no-summary -d "$test_dir" "$ham_dir"/* | command sed 's/\.UNOFFICIAL FOUND//' | awk '{print $NF}' >> "$work_dir_work_configs/whitelist.txt" + $grep_bin -h -f "$work_dir_work_configs/whitelist.txt" "$test_dir"/* | cut -d "*" -f2 | sort | uniq > "$work_dir_work_configs/whitelist.hex" + cd "$test_dir" || exit + for db_file in * ; do + [[ -e $db_file ]] || break # handle the case of no files + $grep_bin -h -v -f "$work_dir_work_configs/whitelist.hex" "$db_file" > "$db_file-tmp" + mv -f "$db_file-tmp" "$db_file" + if $clamscan_bin --quiet -d "$db_file" "$work_dir_work_configs/scan-test.txt" 2>/dev/null ; then + if $rsync_bin -pcqt "$db_file" "$clam_dbs" ; then + perms chown -f "$clam_user:$clam_group" "$clam_dbs/$db_file" + if [ "$selinux_fixes" == "yes" ] ; then + restorecon "$clam_dbs/$db_file" + fi + do_clamd_reload=1 + fi + fi + done + if [ -r "$work_dir_work_configs/whitelist.hex" ] ; then + xshok_pretty_echo_and_log "Initial HAM directory scan whitelist file created in $work_dir_work_configs" + else + xshok_pretty_echo_and_log "No false-positives detected in initial HAM directory scan" + fi + else + xshok_pretty_echo_and_log "WARNING: 
Cannot locate HAM directory: $ham_dir" + xshok_pretty_echo_and_log "Skipping initial whitelist file creation. Fix 'ham_dir' path in config file" + fi +fi + +# Check to see if the working directories have been created. If not, create them. Otherwise, ignore and proceed with script. +xshok_mkdir_ownership "$work_dir" +xshok_mkdir_ownership "$work_dir_securiteinfo" +xshok_mkdir_ownership "$work_dir_malwarepatrol" +xshok_mkdir_ownership "$work_dir_linuxmalwaredetect" +xshok_mkdir_ownership "$work_dir_sanesecurity" +xshok_mkdir_ownership "$work_dir_yararulesproject" +xshok_mkdir_ownership "$work_dir_work_configs" +xshok_mkdir_ownership "$work_dir_gpg" +xshok_mkdir_ownership "$work_dir_add" + +# Set secured access permissions to the GPG directory +perms chmod -f 0700 "$work_dir_gpg" + +# If we haven't done so yet, download Sanesecurity public GPG key and import to custom keyring. +if [ ! -s "$work_dir_gpg/publickey.gpg" ] ; then + if [ "$wget_bin" != "" ] ; then + #echo $wget_bin $wget_proxy_https $wget_proxy_http $wget_insecure $wget_output_level --connect-timeout="$downloader_connect_timeout" --random-wait --tries="$downloader_tries" --timeout="$downloader_max_time" --output-document="$work_dir_gpg/publickey.gpg" "$sanesecurity_gpg_url" + $wget_bin $wget_proxy_https $wget_proxy_http $wget_insecure $wget_output_level --connect-timeout="$downloader_connect_timeout" --random-wait --tries="$downloader_tries" --timeout="$downloader_max_time" --output-document="$work_dir_gpg/publickey.gpg" "$sanesecurity_gpg_url" + ret="$?" 
+ else + #echo $curl_bin $curl_proxy $curl_insecure $curl_output_level --connect-timeout "$downloader_connect_timeout" --remote-time --location --retry "$downloader_tries" --max-time "$downloader_max_time" --output "$work_dir_gpg/publickey.gpg" "$sanesecurity_gpg_url" + $curl_bin $curl_proxy $curl_insecure $curl_output_level --connect-timeout "$downloader_connect_timeout" --remote-time --location --retry "$downloader_tries" --max-time "$downloader_max_time" --output "$work_dir_gpg/publickey.gpg" "$sanesecurity_gpg_url" + ret="$?" + fi + if [ "$ret" != "0" ] ; then + xshok_pretty_echo_and_log "ALERT: Could not download Sanesecurity public GPG key" "*" + exit 1 + else + xshok_pretty_echo_and_log "Sanesecurity public GPG key successfully downloaded" + rm -f -- "$work_dir_gpg/ss-keyring.gp*" + if ! $gpg_bin -q --no-options --no-default-keyring --homedir "$work_dir_gpg" --keyring "$work_dir_gpg/ss-keyring.gpg" --import "$work_dir_gpg/publickey.gpg" 2>/dev/null ; then + xshok_pretty_echo_and_log "ALERT: could not import Sanesecurity public GPG key to custom keyring" "*" + exit 1 + else + chmod -f 0644 "$work_dir_gpg/*.*" + xshok_pretty_echo_and_log "Sanesecurity public GPG key successfully imported to custom keyring" + fi + fi +fi + +# If custom keyring is missing, try to re-import Sanesecurity public GPG key. +if [ ! -s "$work_dir_gpg/ss-keyring.gpg" ] ; then + rm -f -- "$work_dir_gpg/ss-keyring.gp*" + if ! $gpg_bin -q --no-options --no-default-keyring --homedir "$work_dir_gpg" --keyring "$work_dir_gpg/ss-keyring.gpg" --import "$work_dir_gpg/publickey.gpg" 2>/dev/null ; then + xshok_pretty_echo_and_log "ALERT: Custom keyring MISSING or CORRUPT! Could not import Sanesecurity public GPG key to custom keyring" "*" + exit 1 + else + chmod -f 0644 "$work_dir_gpg/*.*" + xshok_pretty_echo_and_log "Sanesecurity custom keyring MISSING! GPG key successfully re-imported to custom keyring" + fi +fi + +# Database update check, time randomization section. 
This script now +# provides support for both bash and non-bash enabled system shells. +if [ "$enable_random" = "yes" ] ; then + if [ -n "$RANDOM" ] ; then + sleep_time=$((RANDOM * $((max_sleep_time - min_sleep_time)) / 32767 + min_sleep_time)) + else + sleep_time=0 + while [ "$sleep_time" -lt "$min_sleep_time" ] || [ "$sleep_time" -gt "$max_sleep_time" ] ; do + sleep_time=$(head -1 /dev/urandom | cksum | awk '{print $2}') + done + fi + if [ ! -t 0 ] ; then + xshok_pretty_echo_and_log "$(date) - Pausing database file updates for $sleep_time seconds..." + sleep "$sleep_time" + xshok_pretty_echo_and_log "$(date) - Pause complete, checking for new database files..." + fi +fi + +# Create "scan-test.txt" file for clamscan database integrity testing. +if [ ! -s "$work_dir_work_configs/scan-test.txt" ] ; then + echo "This is the clamscan test file..." > "$work_dir_work_configs/scan-test.txt" +fi + +# If rsync proxy is defined in the config file, then export it for use. +if [ -n "$rsync_proxy" ] ; then + RSYNC_PROXY="$rsync_proxy" + export RSYNC_PROXY +fi + +# Create $current_dbsfiles containing lists of current and previously active 3rd-party databases +# so that databases and/or backup files that are no longer being used can be removed. +current_tmp="$work_dir_work_configs/current-dbs.tmp" +current_dbs="$work_dir_work_configs/current-dbs.txt" + +if [ "$sanesecurity_enabled" == "yes" ] ; then + # Create the Sanesecurity rsync "include" file (defines which files to download). 
+ sanesecurity_include_dbs="$work_dir_work_configs/ss-include-dbs.txt" + if [ -n "$sanesecurity_dbs" ] ; then + rm -f -- "$sanesecurity_include_dbs" "$work_dir_sanesecurity/*.sha256" + for db in $sanesecurity_dbs ; do + echo "$db" >> "$sanesecurity_include_dbs" + echo "$db.sig" >> "$sanesecurity_include_dbs" + + echo "$work_dir_sanesecurity/$db" >> "$current_tmp" + echo "$work_dir_sanesecurity/$db.sig" >> "$current_tmp" + clamav_files + done + fi +fi +if [ "$securiteinfo_enabled" == "yes" ] ; then + if [ -n "$securiteinfo_dbs" ] ; then + for db in $securiteinfo_dbs ; do + echo "$work_dir_securiteinfo/$db" >> "$current_tmp" + clamav_files + done + fi +fi +if [ "$linuxmalwaredetect_enabled" == "yes" ] ; then + if [ -n "$linuxmalwaredetect_dbs" ] ; then + for db in $linuxmalwaredetect_dbs ; do + echo "$work_dir_linuxmalwaredetect/$db" >> "$current_tmp" + clamav_files + done + fi +fi +if [ "$malwarepatrol_enabled" == "yes" ] ; then + if [ -n "$malwarepatrol_db" ] ; then + echo "$work_dir_malwarepatrol/$malwarepatrol_db" >> "$current_tmp" + clamav_files + fi +fi +if [ "$yararulesproject_enabled" == "yes" ] ; then + if [ -n "$yararulesproject_dbs" ] ; then + for db in $yararulesproject_dbs ; do + if echo "$db" | $grep_bin -q "/"; then + db=$(echo "$db" | cut -d"/" -f2) + fi + echo "$work_dir_yararulesproject/$db" >> "$current_tmp" + clamav_files + done + fi +fi +if [ "$additional_enabled" == "yes" ] ; then + if [ -n "$additional_dbs" ] ; then + for db in $additional_dbs ; do + echo "$work_dir_add/$db" >> "$current_tmp" + clamav_files + done + fi +fi +sort "$current_tmp" > "$current_dbs" 2>/dev/null +rm -f "$current_tmp" + +# Remove 3rd-party databases and/or backup files that are no longer being used. 
+if [ "$remove_disabled_databases" == "yes" ] ; then + previous_dbs="$work_dir_work_configs/previous-dbs.txt" + sort "$current_dbs" > "$previous_dbs" 2>/dev/null + #do not remove the current_dbs + #rm -f "$current_dbs" + + db_changes="$work_dir_work_configs/db-changes.txt" + if [ ! -s "$previous_dbs" ] ; then + cp -f "$current_dbs" "$previous_dbs" 2>/dev/null + fi + diff "$current_dbs" "$previous_dbs" 2>/dev/null | $grep_bin '>' | awk '{print $2}' > "$db_changes" + if [ -r "$db_changes" ] ; then + if $grep_bin -vq "bak" "$db_changes" 2>/dev/null ; then + do_clamd_reload=2 + fi + while read -r file ; do + rm -f -- "$file" + xshok_pretty_echo_and_log "Unused/Disabled file removed: $file" + done < "$db_changes" + fi +fi + +# Create "purge.txt" file for package maintainers to support package uninstall. +purge="$work_dir_work_configs/purge.txt" +cp -f "$current_dbs" "$purge" +{ +echo "$work_dir_work_configs/current-dbs.txt" +echo "$work_dir_work_configs/db-changes.txt" +echo "$work_dir_work_configs/last-mbl-update.txt" +echo "$work_dir_work_configs/last-si-update.txt" +echo "$work_dir_work_configs/local.ign" +echo "$work_dir_work_configs/monitor-ign.txt" +echo "$work_dir_work_configs/my-whitelist.ign2" +echo "$work_dir_work_configs/tracker.txt" +echo "$work_dir_work_configs/previous-dbs.txt" +echo "$work_dir_work_configs/scan-test.txt" +echo "$work_dir_work_configs/ss-include-dbs.txt" +echo "$work_dir_work_configs/whitelist.hex" +echo "$work_dir_gpg/publickey.gpg" +echo "$work_dir_gpg/secring.gpg" +echo "$work_dir_gpg/ss-keyring.gpg*" +echo "$work_dir_gpg/trustdb.gpg" +echo "$log_file_path/$log_file_name*" +echo "$work_dir_work_configs/purge.txt" +} >> "$purge" + +# Check and save current system time since epoch for time related database downloads. +# However, if unsuccessful, issue a warning that we cannot calculate times since epoch. 
+if [ -n "$securiteinfo_dbs" ] || [ -n "$malwarepatrol_db" ] ; then + current_time=$(date "+%s" 2> /dev/null) + current_time="${current_time//[^0-9]/}" + current_time="$((current_time + 0))" + if [ "$current_time" -le 0 ] ; then + current_time=$(perl -le print+time 2> /dev/null) + fi + if [ "$current_time" -le 0 ] ; then + xshok_pretty_echo_and_log "WARNING: No support for 'date +%s' or 'perl' was not found , SecuriteInfo and MalwarePatrol updates bypassed" "=" + securiteinfo_dbs="" + malwarepatrol_db="" + fi +fi + +################################################################ +# Check for Sanesecurity database & GPG signature file updates # +################################################################ +if [ "$sanesecurity_enabled" == "yes" ] ; then + if [ -n "$sanesecurity_dbs" ] ; then + ##if [ ${#sanesecurity_dbs[@]} -lt "1" ] ; then ##will not work due to compound array assignment + if [ "$(xshok_array_count "$sanesecurity_dbs")" -lt "1" ] ; then + xshok_pretty_echo_and_log "Failed sanesecurity_dbs config is invalid or not defined - SKIPPING" + else + if [ -r "$work_dir_work_configs/last-ss-update.txt" ] ; then + last_sanesecurity_update=$(cat "$work_dir_work_configs/last-ss-update.txt") + else + last_sanesecurity_update="0" + fi + db_file="" + update_interval=$((sanesecurity_update_hours * 3600)) + time_interval=$((current_time - last_sanesecurity_update)) + if [ "$time_interval" -ge $((update_interval - 600)) ] ; then + echo "$current_time" > "$work_dir_work_configs/last-ss-update.txt" + xshok_pretty_echo_and_log "Sanesecurity Database & GPG Signature File Updates" "=" + xshok_pretty_echo_and_log "Checking for Sanesecurity updates..." 
+ + sanesecurity_mirror_ips=$(dig +ignore +short "$sanesecurity_url") + #add fallback to host if dig returns no records + if [ "$(xshok_array_count "$sanesecurity_mirror_ips")" -lt 1 ] ; then + sanesecurity_mirror_ips=$(host -t A "$sanesecurity_url" | sed -n '/has address/{s/.*address \([^ ]*\).*/\1/;p;}') + fi + + if [ "$(xshok_array_count "$sanesecurity_mirror_ips")" -ge "1" ] ; then + for sanesecurity_mirror_ip in $sanesecurity_mirror_ips ; do + sanesecurity_mirror_name="" + sanesecurity_mirror_name=$(dig +short -x "$sanesecurity_mirror_ip" | command sed 's/\.$//') + #add fallback to host if dig returns no records + if [ "$sanesecurity_mirror_name" == "" ] ; then + sanesecurity_mirror_name=$(host "$sanesecurity_mirror_ip" | sed -n '/name pointer/{s/.*pointer \([^ ]*\).*\.$/\1/;p;}') + fi + sanesecurity_mirror_site_info="$sanesecurity_mirror_name $sanesecurity_mirror_ip" + xshok_pretty_echo_and_log "Sanesecurity mirror site used: $sanesecurity_mirror_site_info" + $rsync_bin $rsync_output_level $no_motd --files-from="$sanesecurity_include_dbs" -ctuz $connect_timeout --timeout="$rsync_max_time" "rsync://$sanesecurity_mirror_ip/sanesecurity" "$work_dir_sanesecurity" 2>/dev/null + if [ "$?" -eq "0" ] ; then #the correct way + sanesecurity_rsync_success="1" + for db_file in $sanesecurity_dbs ; do + if ! cmp -s "$work_dir_sanesecurity/$db_file" "$clam_dbs/$db_file" ; then + xshok_pretty_echo_and_log "Testing updated Sanesecurity database file: $db_file" + if ! $gpg_bin --trust-model always -q --no-default-keyring --homedir "$work_dir_gpg" --keyring "$work_dir_gpg/ss-keyring.gpg" --verify "$work_dir_sanesecurity/$db_file.sig" "$work_dir_sanesecurity/$db_file" 2>/dev/null ; then + $gpg_bin --always-trust -q --no-default-keyring --homedir "$work_dir_gpg" --keyring "$work_dir_gpg/ss-keyring.gpg" --verify "$work_dir_sanesecurity/$db_file.sig" "$work_dir_sanesecurity/$db_file" 2>/dev/null + ret="$?" 
+ else + ret="0" + fi + if [ "$ret" -eq "0" ] ; then + test "$gpg_silence" = "no" && xshok_pretty_echo_and_log "Sanesecurity GPG Signature tested good on $db_file database" + true + else + xshok_pretty_echo_and_log "Sanesecurity GPG Signature test FAILED on $db_file database - SKIPPING" + false + fi + if [ "$?" -eq "0" ] ; then + db_ext=$(echo "$db_file" | cut -d "." -f2) + if [ -z "$ham_dir" ] || [ "$db_ext" != "ndb" ] ; then + if $clamscan_bin --quiet -d "$work_dir_sanesecurity/$db_file" "$work_dir_work_configs/scan-test.txt" 2>/dev/null ; then + xshok_pretty_echo_and_log "Clamscan reports Sanesecurity $db_file database integrity tested good" + true + else + xshok_pretty_echo_and_log "Clamscan reports Sanesecurity $db_file database integrity tested BAD" + if [ "$remove_bad_database" == "yes" ] ; then + if rm -f "$work_dir_sanesecurity/$db_file" ; then + xshok_pretty_echo_and_log "Removed invalid database: $work_dir_sanesecurity/$db_file" + fi + fi + false + fi && (test "$keep_db_backup" = "yes" && cp -f "$clam_dbs/$db_file" "$clam_dbs/$db_file-bak" 2>/dev/null ; true) && if $rsync_bin -pcqt "$work_dir_sanesecurity/$db_file" "$clam_dbs" 2>/dev/null ; then + perms chown -f "$clam_user:$clam_group" "$clam_dbs/$db_file" + if [ "$selinux_fixes" == "yes" ] ; then + restorecon "$clam_dbs/$db_file" + fi + xshok_pretty_echo_and_log "Successfully updated Sanesecurity production database file: $db_file" + sanesecurity_update=1 + do_clamd_reload=1 + else + xshok_pretty_echo_and_log "Failed to successfully update Sanesecurity production database file: $db_file - SKIPPING" + false + fi + else + $grep_bin -h -v -f "$work_dir_work_configs/whitelist.hex" "$work_dir_sanesecurity/$db_file" > "$test_dir/$db_file" + $clamscan_bin --infected --no-summary -d "$test_dir/$db_file" "$ham_dir"/* | command sed 's/\.UNOFFICIAL FOUND//' | awk '{print $NF}' > "$work_dir_work_configs/whitelist.txt" + $grep_bin -h -f "$work_dir_work_configs/whitelist.txt" "$test_dir/$db_file" | cut -d "*" -f2 | 
sort | uniq >> "$work_dir_work_configs/whitelist.hex" + $grep_bin -h -v -f "$work_dir_work_configs/whitelist.hex" "$test_dir/$db_file" > "$test_dir/$db_file-tmp" + mv -f "$test_dir/$db_file-tmp" "$test_dir/$db_file" + if $clamscan_bin --quiet -d "$test_dir/$db_file" "$work_dir_work_configs/scan-test.txt" 2>/dev/null ; then + xshok_pretty_echo_and_log "Clamscan reports Sanesecurity $db_file database integrity tested good" + true + else + xshok_pretty_echo_and_log "Clamscan reports Sanesecurity $db_file database integrity tested BAD" + ##DO NOT KILL THIS DB + false + fi && (test "$keep_db_backup" = "yes" && cp -f "$clam_dbs/$db_file" "$clam_dbs/$db_file-bak" 2>/dev/null ; true) && if $rsync_bin -pcqt "$test_dir/$db_file" "$clam_dbs" 2>/dev/null ; then + perms chown -f "$clam_user:$clam_group" "$clam_dbs/$db_file" + if [ "$selinux_fixes" == "yes" ] ; then + restorecon "$clam_dbs/$db_file" + fi + xshok_pretty_echo_and_log "Successfully updated Sanesecurity production database file: $db_file" + sanesecurity_update=1 + do_clamd_reload=1 + else + xshok_pretty_echo_and_log "Failed to successfully update Sanesecurity production database file: $db_file - SKIPPING" + fi + fi + fi + fi + done + if [ "$sanesecurity_update" != "1" ] ; then + xshok_pretty_echo_and_log "No Sanesecurity database file updates found" "-" + break + else + break + fi + else + xshok_pretty_echo_and_log "Connection to $sanesecurity_mirror_site_info failed - Trying next mirror site..." + fi + done + if [ "$sanesecurity_rsync_success" != "1" ] ; then + xshok_pretty_echo_and_log "Access to all Sanesecurity mirror sites failed - Check for connectivity issues" + xshok_pretty_echo_and_log "or signature database name(s) misspelled in the script's configuration file." 
+ fi + else + xshok_pretty_echo_and_log "No Sanesecurity mirror sites found - Check for dns/connectivity issues" + fi + else + xshok_pretty_echo_and_log "Sanesecurity Database File Updates" "=" + + time_remaining=$((update_interval - time_interval)) + hours_left=$((time_remaining / 3600)) + minutes_left=$((time_remaining % 3600 / 60)) + xshok_pretty_echo_and_log "$sanesecurity_update_hours hours have not yet elapsed since the last sanesecurity update check" + xshok_pretty_echo_and_log "No update check was performed at this time" "-" + xshok_pretty_echo_and_log "Next check will be performed in approximately $hours_left hour(s), $minutes_left minute(s)" + fi + fi + fi +else + if [ -n "$sanesecurity_dbs" ] ; then + if [ "$remove_disabled_databases" == "yes" ] ; then + xshok_pretty_echo_and_log "Removing disabled Sanesecurity Database files" + for db_file in $sanesecurity_dbs ; do + if [ -r "$work_dir_sanesecurity/$db_file" ] ; then + rm -f "$work_dir_sanesecurity/$db_file"* + do_clamd_reload=1 + fi + if [ -r "$clam_dbs/$db_file" ] ; then + rm -f "$clam_dbs/$db_file" + do_clamd_reload=1 + fi + done + fi + fi +fi + +############################################################################################################################################## +# Check for updated SecuriteInfo database files every set number of hours as defined in the "USER CONFIGURATION" section of this script # +############################################################################################################################################## +if [ "$securiteinfo_enabled" == "yes" ] ; then + if [ "$securiteinfo_authorisation_signature" != "YOUR-SIGNATURE-NUMBER" ] ; then + if [ -n "$securiteinfo_dbs" ] ; then + if [ "$(xshok_array_count "$securiteinfo_dbs")" -lt "1" ] ; then + xshok_pretty_echo_and_log "Failed securiteinfo_dbs config is invalid or not defined - SKIPPING" + else + rm -f "$work_dir_securiteinfo/*.gz" + if [ -r "$work_dir_work_configs/last-si-update.txt" ] ; then + 
last_securiteinfo_update=$(cat "$work_dir_work_configs/last-si-update.txt") + else + last_securiteinfo_update="0" + fi + db_file="" + loop="" + update_interval=$((securiteinfo_update_hours * 3600)) + time_interval=$((current_time - last_securiteinfo_update)) + if [ "$time_interval" -ge $((update_interval - 600)) ] ; then + echo "$current_time" > "$work_dir_work_configs/last-si-update.txt" + xshok_pretty_echo_and_log "SecuriteInfo Database File Updates" "=" + xshok_pretty_echo_and_log "Checking for SecuriteInfo updates..." + securiteinfo_updates="0" + for db_file in $securiteinfo_dbs ; do + if [ "$loop" = "1" ] ; then + xshok_pretty_echo_and_log "---" + fi + xshok_pretty_echo_and_log "Checking for updated SecuriteInfo database file: $db_file" + securiteinfo_db_update="0" + if [ "$wget_bin" != "" ] ; then + $wget_bin $wget_proxy_https $wget_proxy_http $wget_insecure $wget_output_level --connect-timeout="$downloader_connect_timeout" --random-wait --tries="$downloader_tries" --timeout="$downloader_max_time" --output-document="$work_dir_securiteinfo/$db_file" "$securiteinfo_url/$securiteinfo_authorisation_signature/$db_file" + ret="$?" + else + $curl_bin $curl_proxy $curl_insecure $curl_output_level --connect-timeout "$downloader_connect_timeout" --remote-time --location --retry "$downloader_tries" --max-time "$downloader_max_time" --output "$work_dir_securiteinfo/$db_file" "$securiteinfo_url/$securiteinfo_authorisation_signature/$db_file" + ret="$?" + fi + if [ "$ret" -eq "0" ] ; then + loop="1" + if ! cmp -s "$work_dir_securiteinfo/$db_file" "$clam_dbs/$db_file" ; then + if [ "$?" -eq "0" ] ; then + db_ext=$(echo "$db_file" | cut -d "." 
-f2) + + + xshok_pretty_echo_and_log "Testing updated SecuriteInfo database file: $db_file" + if [ -z "$ham_dir" ] || [ "$db_ext" != "ndb" ] + then + if $clamscan_bin --quiet -d "$work_dir_securiteinfo/$db_file" "$work_dir_work_configs/scan-test.txt" 2>/dev/null + then + xshok_pretty_echo_and_log "Clamscan reports SecuriteInfo $db_file database integrity tested good" + true + else + xshok_pretty_echo_and_log "Clamscan reports SecuriteInfo $db_file database integrity tested BAD" + if [ "$remove_bad_database" == "yes" ] ; then + if rm -f "$work_dir_securiteinfo/$db_file" ; then + xshok_pretty_echo_and_log "Removed invalid database: $work_dir_securiteinfo/$db_file" + fi + fi + false + fi && (test "$keep_db_backup" = "yes" && cp -f "$clam_dbs/$db_file" "$clam_dbs/$db_file-bak" 2>/dev/null ; true) && if $rsync_bin -pcqt "$work_dir_securiteinfo/$db_file" "$clam_dbs" 2>/dev/null ; then + perms chown -f "$clam_user:$clam_group" "$clam_dbs/$db_file" + if [ "$selinux_fixes" == "yes" ] ; then + restorecon "$clam_dbs/$db_file" + fi + xshok_pretty_echo_and_log "Successfully updated SecuriteInfo production database file: $db_file" + securiteinfo_updates=1 + securiteinfo_db_update=1 + do_clamd_reload=1 + else + xshok_pretty_echo_and_log "Failed to successfully update SecuriteInfo production database file: $db_file - SKIPPING" + fi + else + $grep_bin -h -v -f "$work_dir_work_configs/whitelist.hex" "$work_dir_securiteinfo/$db_file" > "$test_dir/$db_file" + $clamscan_bin --infected --no-summary -d "$test_dir/$db_file" "$ham_dir"/* | command sed 's/\.UNOFFICIAL FOUND//' | awk '{print $NF}' > "$work_dir_work_configs/whitelist.txt" + $grep_bin -h -f "$work_dir_work_configs/whitelist.txt" "$test_dir/$db_file" | cut -d "*" -f2 | sort | uniq >> "$work_dir_work_configs/whitelist.hex" + $grep_bin -h -v -f "$work_dir_work_configs/whitelist.hex" "$test_dir/$db_file" > "$test_dir/$db_file-tmp" + mv -f "$test_dir/$db_file-tmp" "$test_dir/$db_file" + if $clamscan_bin --quiet -d 
"$test_dir/$db_file" "$work_dir_work_configs/scan-test.txt" 2>/dev/null + then + xshok_pretty_echo_and_log "Clamscan reports SecuriteInfo $db_file database integrity tested good" + true + else + xshok_pretty_echo_and_log "Clamscan reports SecuriteInfo $db_file database integrity tested BAD" + rm -f "$work_dir_securiteinfo/$db_file" + if [ "$remove_bad_database" == "yes" ] ; then + if rm -f "$work_dir_securiteinfo/$db_file" ; then + xshok_pretty_echo_and_log "Removed invalid database: $work_dir_securiteinfo/$db_file" + fi + fi + false + fi && (test "$keep_db_backup" = "yes" && cp -f "$clam_dbs/$db_file" "$clam_dbs/$db_file-bak" 2>/dev/null ; true) && if $rsync_bin -pcqt "$test_dir/$db_file" "$clam_dbs" 2>/dev/null ; then + perms chown -f "$clam_user:$clam_group" "$clam_dbs/$db_file" + if [ "$selinux_fixes" == "yes" ] ; then + restorecon "$clam_dbs/$db_file" + fi + xshok_pretty_echo_and_log "Successfully updated SecuriteInfo production database file: $db_file" + securiteinfo_updates=1 + securiteinfo_db_update=1 + do_clamd_reload=1 + else + xshok_pretty_echo_and_log "Failed to successfully update SecuriteInfo production database file: $db_file - SKIPPING" + fi + fi + fi + fi + else + xshok_pretty_echo_and_log "Failed connection to $securiteinfo_url - SKIPPED SecuriteInfo $db_file update" + fi + if [ "$securiteinfo_db_update" != "1" ] ; then + xshok_pretty_echo_and_log "No updated SecuriteInfo $db_file database file found" "-" + fi + done + if [ "$securiteinfo_updates" != "1" ] ; then + xshok_pretty_echo_and_log "No SecuriteInfo database file updates found" "-" + fi + else + xshok_pretty_echo_and_log "SecuriteInfo Database File Updates" "=" + + time_remaining=$((update_interval - time_interval)) + hours_left=$((time_remaining / 3600)) + minutes_left=$((time_remaining % 3600 / 60)) + xshok_pretty_echo_and_log "$securiteinfo_update_hours hours have not yet elapsed since the last SecuriteInfo update check" + xshok_pretty_echo_and_log "No update check was performed at this 
time" "-" + xshok_pretty_echo_and_log "Next check will be performed in approximately $hours_left hour(s), $minutes_left minute(s)" + fi + fi + fi + fi +else + if [ -n "$securiteinfo_dbs" ] ; then + if [ "$remove_disabled_databases" == "yes" ] ; then + xshok_pretty_echo_and_log "Removing disabled SecuriteInfo Database files" + for db_file in $securiteinfo_dbs ; do + if [ -r "$work_dir_securiteinfo/$db_file" ] ; then + rm -f "$work_dir_securiteinfo/$db_file" + do_clamd_reload=1 + fi + if [ -r "$clam_dbs/$db_file" ] ; then + rm -f "$clam_dbs/$db_file" + do_clamd_reload=1 + fi + done + fi + fi +fi + + +############################################################################################################################################## +# Check for updated linuxmalwaredetect database files every set number of hours as defined in the "USER CONFIGURATION" section of this script +############################################################################################################################################## +if [ "$linuxmalwaredetect_enabled" == "yes" ] ; then + if [ -n "$linuxmalwaredetect_dbs" ] ; then + if [ "$(xshok_array_count "$linuxmalwaredetect_dbs")" -lt "1" ] ; then + xshok_pretty_echo_and_log "Failed linuxmalwaredetect_dbs config is invalid or not defined - SKIPPING" + else + rm -f "$work_dir_linuxmalwaredetect/*.gz" + if [ -r "$work_dir_work_configs/last-linuxmalwaredetect-update.txt" ] ; then + last_linuxmalwaredetect_update=$(cat "$work_dir_work_configs/last-linuxmalwaredetect-update.txt") + else + last_linuxmalwaredetect_update="0" + fi + db_file="" + loop="" + update_interval=$((linuxmalwaredetect_update_hours * 3600)) + time_interval=$((current_time - last_linuxmalwaredetect_update)) + if [ "$time_interval" -ge $((update_interval - 600)) ] ; then + echo "$current_time" > "$work_dir_work_configs/last-linuxmalwaredetect-update.txt" + + xshok_pretty_echo_and_log "linuxmalwaredetect Database File Updates" "=" + xshok_pretty_echo_and_log 
"Checking for linuxmalwaredetect updates..." + linuxmalwaredetect_updates="0" + for db_file in $linuxmalwaredetect_dbs ; do + if [ "$loop" = "1" ] ; then + xshok_pretty_echo_and_log "---" + fi + xshok_pretty_echo_and_log "Checking for updated linuxmalwaredetect database file: $db_file" + + linuxmalwaredetect_db_update="0" + if [ "$wget_bin" != "" ] ; then + $wget_bin $wget_proxy_https $wget_proxy_http $wget_insecure $wget_output_level --connect-timeout="$downloader_connect_timeout" --random-wait --tries="$downloader_tries" --timeout="$downloader_max_time" --output-document="$work_dir_linuxmalwaredetect/$db_file" "$linuxmalwaredetect_url/$db_file" + ret="$?" + else + $curl_bin $curl_proxy $curl_insecure $curl_output_level --connect-timeout "$downloader_connect_timeout" --remote-time --location --retry "$downloader_tries" --max-time "$downloader_max_time" --output "$work_dir_linuxmalwaredetect/$db_file" "$linuxmalwaredetect_url/$db_file" + ret="$?" + fi + if [ "$ret" -eq "0" ] ; then + loop="1" + if ! cmp -s "$work_dir_linuxmalwaredetect/$db_file" "$clam_dbs/$db_file" ; then + if [ "$?" -eq "0" ] ; then + db_ext=$(echo "$db_file" | cut -d "." 
-f2) + + xshok_pretty_echo_and_log "Testing updated linuxmalwaredetect database file: $db_file" + if [ -z "$ham_dir" ] || [ "$db_ext" != "ndb" ] ; then + if $clamscan_bin --quiet -d "$work_dir_linuxmalwaredetect/$db_file" "$work_dir_work_configs/scan-test.txt" 2>/dev/null + then + xshok_pretty_echo_and_log "Clamscan reports linuxmalwaredetect $db_file database integrity tested good" + true + else + xshok_pretty_echo_and_log "Clamscan reports linuxmalwaredetect $db_file database integrity tested BAD" + if [ "$remove_bad_database" == "yes" ] ; then + if rm -f "$work_dir_linuxmalwaredetect/$db_file" ; then + xshok_pretty_echo_and_log "Removed invalid database: $work_dir_linuxmalwaredetect/$db_file" + fi + fi + false + fi && (test "$keep_db_backup" = "yes" && cp -f "$clam_dbs/$db_file" "$clam_dbs/$db_file-bak" 2>/dev/null ; true) && if $rsync_bin -pcqt "$work_dir_linuxmalwaredetect/$db_file" "$clam_dbs" 2>/dev/null ; then + perms chown -f "$clam_user:$clam_group" "$clam_dbs/$db_file" + if [ "$selinux_fixes" == "yes" ] ; then + restorecon "$clam_dbs/local.ign" + fi + xshok_pretty_echo_and_log "Successfully updated linuxmalwaredetect production database file: $db_file" + linuxmalwaredetect_updates=1 + linuxmalwaredetect_db_update=1 + do_clamd_reload=1 + else + xshok_pretty_echo_and_log "Failed to successfully update linuxmalwaredetect production database file: $db_file - SKIPPING" + fi + else + $grep_bin -h -v -f "$work_dir_work_configs/whitelist.hex" "$work_dir_linuxmalwaredetect/$db_file" > "$test_dir/$db_file" + $clamscan_bin --infected --no-summary -d "$test_dir/$db_file" "$ham_dir"/* | command sed 's/\.UNOFFICIAL FOUND//' | awk '{print $NF}' > "$work_dir_work_configs/whitelist.txt" + $grep_bin -h -f "$work_dir_work_configs/whitelist.txt" "$test_dir/$db_file" | cut -d "*" -f2 | sort | uniq >> "$work_dir_work_configs/whitelist.hex" + $grep_bin -h -v -f "$work_dir_work_configs/whitelist.hex" "$test_dir/$db_file" > "$test_dir/$db_file-tmp" + mv -f 
"$test_dir/$db_file-tmp" "$test_dir/$db_file" + if $clamscan_bin --quiet -d "$test_dir/$db_file" "$work_dir_work_configs/scan-test.txt" 2>/dev/null ; then + xshok_pretty_echo_and_log "Clamscan reports linuxmalwaredetect $db_file database integrity tested good" + true + else + xshok_pretty_echo_and_log "Clamscan reports linuxmalwaredetect $db_file database integrity tested BAD" + if [ "$remove_bad_database" == "yes" ] ; then + if rm -f "$work_dir_linuxmalwaredetect/$db_file" ; then + xshok_pretty_echo_and_log "Removed invalid database: $work_dir_linuxmalwaredetect/$db_file" + fi + fi + false + fi && (test "$keep_db_backup" = "yes" && cp -f "$clam_dbs/$db_file" "$clam_dbs/$db_file-bak" 2>/dev/null ; true) && if $rsync_bin -pcqt "$test_dir/$db_file" "$clam_dbs" 2>/dev/null ; then + perms chown -f "$clam_user:$clam_group" "$clam_dbs/$db_file" + if [ "$selinux_fixes" == "yes" ] ; then + restorecon "$clam_dbs/$db_file" + fi + xshok_pretty_echo_and_log "Successfully updated linuxmalwaredetect production database file: $db_file" + linuxmalwaredetect_updates=1 + linuxmalwaredetect_db_update=1 + do_clamd_reload=1 + else + xshok_pretty_echo_and_log "Failed to successfully update linuxmalwaredetect production database file: $db_file - SKIPPING" + fi + fi + fi + fi + else + xshok_pretty_echo_and_log "WARNING: Failed connection to $linuxmalwaredetect_url - SKIPPED linuxmalwaredetect $db_file update" + fi + if [ "$linuxmalwaredetect_db_update" != "1" ] ; then + + xshok_pretty_echo_and_log "No updated linuxmalwaredetect $db_file database file found" + fi + done + if [ "$linuxmalwaredetect_updates" != "1" ] ; then + xshok_pretty_echo_and_log "No linuxmalwaredetect database file updates found" "-" + fi +else + + xshok_pretty_echo_and_log "linuxmalwaredetect Database File Updates" "=" + + time_remaining=$((update_interval - time_interval)) + hours_left=$((time_remaining / 3600)) + minutes_left=$((time_remaining % 3600 / 60)) + xshok_pretty_echo_and_log 
"$linuxmalwaredetect_update_hours hours have not yet elapsed since the last linux malware detect update check" + xshok_pretty_echo_and_log "No update check was performed at this time" "-" + xshok_pretty_echo_and_log "Next check will be performed in approximately $hours_left hour(s), $minutes_left minute(s)" +fi +fi +fi +else + if [ -n "$linuxmalwaredetect_dbs" ] ; then + if [ "$remove_disabled_databases" == "yes" ] ; then + xshok_pretty_echo_and_log "Removing disabled linuxmalwaredetect Database files" + for db_file in $linuxmalwaredetect_dbs ; do + if [ -r "$work_dir_linuxmalwaredetect/$db_file" ] ; then + rm -f "$work_dir_linuxmalwaredetect/$db_file" + do_clamd_reload=1 + fi + if [ -r "$clam_dbs/$db_file" ] ; then + rm -f "$clam_dbs/$db_file" + do_clamd_reload=1 + fi + done + fi + fi +fi + + +########################################################################################################################################## +# Download MalwarePatrol database file every set number of hours as defined in the "USER CONFIGURATION" section of this script. # +########################################################################################################################################## +if [ "$malwarepatrol_enabled" == "yes" ] ; then + if [ "$malwarepatrol_receipt_code" != "YOUR-RECEIPT-NUMBER" ] ; then + if [ -n "$malwarepatrol_db" ] ; then + if [ -r "$work_dir_work_configs/last-mbl-update.txt" ] ; then + last_malwarepatrol_update=$(cat "$work_dir_work_configs/last-mbl-update.txt") + else + last_malwarepatrol_update="0" + fi + db_file="" + update_interval=$((malwarepatrol_update_hours * 3600)) + time_interval=$((current_time - last_malwarepatrol_update)) + if [ "$time_interval" -ge $((update_interval - 600)) ] ; then + echo "$current_time" > "$work_dir_work_configs"/last-mbl-update.txt + xshok_pretty_echo_and_log "Checking for MalwarePatrol updates..." 
+ # Delete the old MBL (mbl.db) database file if it exists and start using the newer + # format (mbl.ndb) database file instead. + # test -e $clam_dbs/$malwarepatrol_db -o -e $clam_dbs/$malwarepatrol_db-bak && rm -f -- "$clam_dbs/mbl.d*" + + # remove the .db is th new format if ndb and + # symetrically + if [ "$malwarepatrol_db" == "malwarepatrol.db" ] && [ -f "$clam_dbs/malwarepatrol.ndb" ] ; then + rm "$clam_dbs/malwarepatrol.ndb"; + fi + + if [ "$malwarepatrol_db" == "malwarepatrol.ndb" ] && [ -f "$clam_dbs/malwarepatrol.db" ] ; then + rm "$clam_dbs/malwarepatrol.db"; + fi + + xshok_pretty_echo_and_log "MalwarePatrol $db_file Database File Update" "=" + + malwarepatrol_reloaded=0 + if [ "$malwarepatrol_free" == "yes" ] ; then + if [ "$wget_bin" != "" ] ; then + $wget_bin $wget_proxy_https $wget_proxy_http $wget_insecure $wget_output_level --connect-timeout="$downloader_connect_timeout" --random-wait --tries="$downloader_tries" --timeout="$downloader_max_time" --output-document="$work_dir_malwarepatrol/$malwarepatrol_db" "$malwarepatrol_url&receipt=$malwarepatrol_receipt_code" + ret="$?" + else + $curl_bin $curl_proxy $curl_insecure $curl_output_level --connect-timeout "$downloader_connect_timeout" --remote-time --location --retry "$downloader_tries" --max-time "$downloader_max_time" --output "$work_dir_malwarepatrol/$malwarepatrol_db" "$malwarepatrol_url&receipt=$malwarepatrol_receipt_code" + ret="$?" + fi + if [ "$ret" -eq "0" ] ; then + if ! cmp -s "$work_dir_malwarepatrol/$malwarepatrol_db" "$clam_dbs/$malwarepatrol_db" ; then + if [ "$?" 
-eq "0" ] ; then + malwarepatrol_reloaded=1 + else + malwarepatrol_reloaded=2 + fi + fi + else # wget failed + malwarepatrol_reloaded=-1 + fi + + else # The not free branch + if [ "$wget_bin" != "" ] ; then + $wget_bin $wget_proxy_https $wget_proxy_http $wget_insecure $wget_output_level --connect-timeout="$downloader_connect_timeout" --random-wait --tries="$downloader_tries" --timeout="$downloader_max_time" --output-document="$work_dir_malwarepatrol/$malwarepatrol_db.md5" "$malwarepatrol_url&receipt=$malwarepatrol_receipt_code&hash=1" + ret="$?" + else + $curl_bin $curl_proxy $curl_insecure $curl_output_level --connect-timeout "$downloader_connect_timeout" --remote-time --location --retry "$downloader_tries" --max-time "$downloader_max_time" --output "$work_dir_malwarepatrol/$malwarepatrol_db.md5" "$malwarepatrol_url&receipt=$malwarepatrol_receipt_code&hash=1" + ret="$?" + fi + if [ "$ret" -eq "0" ] ; then + if [ -f "$clam_dbs/$malwarepatrol_db" ] ; then + malwarepatrol_md5=$(openssl md5 -r "$clam_dbs/$malwarepatrol_db" 2>/dev/null | cut -d" " -f1) + if [ ! "$malwarepatrol_md5" ] ; then + #fallback for missing -r option + malwarepatrol_md5=$(openssl md5 "$clam_dbs/$malwarepatrol_db" 2>/dev/null | cut -d" " -f2) + fi + fi + malwarepatrol_md5_new=$(cat "$work_dir_malwarepatrol/$malwarepatrol_db.md5") + if [ -n "$malwarepatrol_md5_new" ] && [ "$malwarepatrol_md5" != "$malwarepatrol_md5_new" ] ; then + if [ "$wget_bin" != "" ] ; then + $wget_bin $wget_proxy_https $wget_proxy_http $wget_insecure $wget_output_level --connect-timeout="$downloader_connect_timeout" --random-wait --tries="$downloader_tries" --timeout="$downloader_max_time" --output-document="$work_dir_malwarepatrol/$malwarepatrol_db" "$malwarepatrol_url&receipt=$malwarepatrol_receipt_code" + ret="$?" 
+ else + $curl_bin $curl_proxy $curl_insecure $curl_output_level --connect-timeout "$downloader_connect_timeout" --remote-time --location --retry "$downloader_tries" --max-time "$downloader_max_time" --output "$work_dir_malwarepatrol/$malwarepatrol_db" "$malwarepatrol_url&receipt=$malwarepatrol_receipt_code" + ret="$?" + fi + if [ "$ret" -eq "0" ] ; then + malwarepatrol_reloaded=1 + else # wget DB fail + malwarepatrol_reloaded=-1 + fi # wget DB + fi # MD5 not equal + else # wget MD5 fail + malwarepatrol_reloaded=-1 + fi # wget md5 + fi + + case "$malwarepatrol_reloaded" in + 1) # database was updated, need test and reload + xshok_pretty_echo_and_log "Testing updated MalwarePatrol database file: $malwarepatrol_db" + if $clamscan_bin --quiet -d "$work_dir_malwarepatrol/$malwarepatrol_db" "$work_dir_work_configs/scan-test.txt" 2>/dev/null ; then + xshok_pretty_echo_and_log "Clamscan reports MalwarePatrol $malwarepatrol_db database integrity tested good" + true + else + xshok_pretty_echo_and_log "Clamscan reports MalwarePatrol $malwarepatrol_db database integrity tested BAD" + if [ "$remove_bad_database" == "yes" ] ; then + if rm -f "$work_dir_malwarepatrol/$malwarepatrol_db" ; then + xshok_pretty_echo_and_log "Removed invalid database: $work_dir_malwarepatrol/$malwarepatrol_db" + fi + fi + false + fi && (test "$keep_db_backup" = "yes" && cp -f "$clam_dbs/$malwarepatrol_db" "$clam_dbs/$malwarepatrol_db-bak" 2>/dev/null ; true) && if $rsync_bin -pcqt "$work_dir_malwarepatrol/$malwarepatrol_db" "$clam_dbs" 2>/dev/null ; then + perms chown -f "$clam_user:$clam_group" "$clam_dbs/$malwarepatrol_db" + if [ "$selinux_fixes" == "yes" ] ; then + restorecon "$clam_dbs/$malwarepatrol_db" + fi + xshok_pretty_echo_and_log "Successfully updated MalwarePatrol production database file: $malwarepatrol_db" + do_clamd_reload=1 + else + xshok_pretty_echo_and_log "Failed to successfully update MalwarePatrol production database file: $malwarepatrol_db - SKIPPING" + fi + ;; # The strange 
case when $? != 0 in the original + 2) + $grep_bin -h -v -f "$work_dir_work_configs/whitelist.hex" "$work_dir_malwarepatrol/$malwarepatrol_db" > "$test_dir/$malwarepatrol_db" + $clamscan_bin --infected --no-summary -d "$test_dir/$malwarepatrol_db" "$ham_dir"/* | command sed 's/\.UNOFFICIAL FOUND//' | awk '{print $NF}' > "$work_dir_work_configs/whitelist.txt" + $grep_bin -h -f "$work_dir_work_configs/whitelist.txt" "$test_dir/$malwarepatrol_db" | cut -d "*" -f2 | sort | uniq >> "$work_dir_work_configs/whitelist.hex" + $grep_bin -h -v -f "$work_dir_work_configs/whitelist.hex" "$test_dir/$malwarepatrol_db" > "$test_dir/$malwarepatrol_db-tmp" + mv -f "$test_dir/$malwarepatrol_db-tmp" "$test_dir/$malwarepatrol_db" + if $clamscan_bin --quiet -d "$test_dir/$malwarepatrol_db" "$work_dir_work_configs/scan-test.txt" 2>/dev/null ; then + xshok_pretty_echo_and_log "Clamscan reports MalwarePatrol $malwarepatrol_db database integrity tested good" + true + else + xshok_pretty_echo_and_log "Clamscan reports MalwarePatrol $malwarepatrol_db database integrity tested BAD" + if [ "$remove_bad_database" == "yes" ] ; then + if rm -f "$test_dir/$malwarepatrol_db" ; then + xshok_pretty_echo_and_log "Removed invalid database: $test_dir/$malwarepatrol_db" + fi + fi + false + fi && (test "$keep_db_backup" = "yes" && cp -f "$clam_dbs/$malwarepatrol_db" "$clam_dbs/$malwarepatrol_db-bak" 2>/dev/null ; true) && if $rsync_bin -pcqt "$test_dir/$malwarepatrol_db" "$clam_dbs" 2>/dev/null ; then + perms chown -f "$clam_user:$clam_group" "$clam_dbs/$malwarepatrol_db" + if [ "$selinux_fixes" == "yes" ] ; then + restorecon "$clam_dbs/$malwarepatrol_db" + fi + xshok_pretty_echo_and_log "Successfully updated MalwarePatrol production database file: $malwarepatrol_db" + do_clamd_reload=1 + else + xshok_pretty_echo_and_log "Failed to successfully update MalwarePatrol production database file: $malwarepatrol_db - SKIPPING" + fi + ;; + 0) # The database did not update + xshok_pretty_echo_and_log "MalwarePatrol 
signature database ($malwarepatrol_db) did not change - skipping" + ;; + -1) # wget failed + xshok_pretty_echo_and_log "WARNING - Failed connection to $malwarepatrol_url - SKIPPED MalwarePatrol $malwarepatrol_db update" + ;; + esac + + else + + xshok_pretty_echo_and_log "MalwarePatrol Database File Update" "=" + + time_remaining=$((update_interval - time_interval)) + hours_left=$((time_remaining / 3600)) + minutes_left=$((time_remaining % 3600 / 60)) + xshok_pretty_echo_and_log "$malwarepatrol_update_hours hours have not yet elapsed since the last MalwarePatrol download" + xshok_pretty_echo_and_log "No database download was performed at this time" "-" + xshok_pretty_echo_and_log "Next download will be performed in approximately $hours_left hour(s), $minutes_left minute(s)" + fi +fi +fi +else + if [ -n "$malwarepatrol_db" ] ; then + if [ "$remove_disabled_databases" == "yes" ] ; then + xshok_pretty_echo_and_log "Removing disabled MalwarePatrol Database file" + if [ -r "$work_dir_malwarepatrol/$malwarepatrol_db" ] ; then + rm -f "$work_dir_malwarepatrol/$malwarepatrol_db" + do_clamd_reload=1 + fi + if [ -r "$clam_dbs/$malwarepatrol_db" ] ; then + rm -f "$clam_dbs/$malwarepatrol_db" + do_clamd_reload=1 + fi + fi + fi +fi + +############################################################################################################################################## +# Check for updated yararulesproject database files every set number of hours as defined in the "USER CONFIGURATION" section of this script +############################################################################################################################################## +if [ "$yararulesproject_enabled" == "yes" ] ; then + if [ -n "$yararulesproject_dbs" ] ; then + if [ "$(xshok_array_count "$yararulesproject_dbs")" -lt "1" ] ; then + xshok_pretty_echo_and_log "Failed yararulesproject_dbs config is invalid or not defined - SKIPPING" + else + rm -f "$work_dir_yararulesproject/*.gz" + if [ -r 
"$work_dir_work_configs/last-yararulesproject-update.txt" ] ; then + last_yararulesproject_update=$(cat "$work_dir_work_configs/last-yararulesproject-update.txt") + else + last_yararulesproject_update="0" + fi + db_file="" + loop="" + update_interval=$((yararulesproject_update_hours * 3600)) + time_interval=$((current_time - last_yararulesproject_update)) + if [ "$time_interval" -ge $((update_interval - 600)) ] ; then + echo "$current_time" > "$work_dir_work_configs/last-yararulesproject-update.txt" + + xshok_pretty_echo_and_log "Yara-Rules Database File Updates" "=" + xshok_pretty_echo_and_log "Checking for yararulesproject updates..." + yararulesproject_updates="0" + for db_file in $yararulesproject_dbs ; do + if echo "$db_file" | $grep_bin -q "/"; then + yr_dir="/"$(echo "$db_file" | cut -d"/" -f1) + db_file=$(echo "$db_file" | cut -d"/" -f2) + else yr_dir="" + fi + if [ "$loop" = "1" ] ; then + xshok_pretty_echo_and_log "---" + fi + xshok_pretty_echo_and_log "Checking for updated yararulesproject database file: $db_file" + + yararulesproject_db_update="0" + if [ "$wget_bin" != "" ] ; then + $wget_bin $wget_proxy_https $wget_proxy_http $wget_insecure $wget_output_level --connect-timeout="$downloader_connect_timeout" --random-wait --tries="$downloader_tries" --timeout="$downloader_max_time" --output-document="$work_dir_yararulesproject/$db_file" "$yararulesproject_url/$yr_dir/$db_file" + ret="$?" + else + $curl_bin $curl_proxy $curl_insecure $curl_output_level --connect-timeout "$downloader_connect_timeout" --remote-time --location --retry "$downloader_tries" --max-time "$downloader_max_time" --output "$work_dir_yararulesproject/$db_file" "$yararulesproject_url/$yr_dir/$db_file" + ret="$?" + fi + if [ "$ret" -eq "0" ] ; then + loop="1" + if ! cmp -s "$work_dir_yararulesproject/$db_file" "$clam_dbs/$db_file" ; then + if [ "$?" -eq "0" ] ; then + db_ext=$(echo "$db_file" | cut -d "." 
-f2) + + xshok_pretty_echo_and_log "Testing updated yararulesproject database file: $db_file" + if [ -z "$ham_dir" ] || [ "$db_ext" != "ndb" ] ; then + if $clamscan_bin --quiet -d "$work_dir_yararulesproject/$db_file" "$work_dir_work_configs/scan-test.txt" 2>/dev/null + then + xshok_pretty_echo_and_log "Clamscan reports yararulesproject $db_file database integrity tested good" + true + else + xshok_pretty_echo_and_log "Clamscan reports yararulesproject $db_file database integrity tested BAD" + if [ "$remove_bad_database" == "yes" ] ; then + if rm -f "$work_dir_yararulesproject/$db_file" ; then + xshok_pretty_echo_and_log "Removed invalid database: $work_dir_yararulesproject/$db_file" + fi + fi + false + fi && (test "$keep_db_backup" = "yes" && cp -f "$clam_dbs/$db_file" "$clam_dbs/$db_file-bak" 2>/dev/null ; true) && if $rsync_bin -pcqt "$work_dir_yararulesproject/$db_file" "$clam_dbs" 2>/dev/null ; then + perms chown -f "$clam_user:$clam_group" "$clam_dbs/$db_file" + if [ "$selinux_fixes" == "yes" ] ; then + restorecon "$clam_dbs/$db_file" + fi + xshok_pretty_echo_and_log "Successfully updated yararulesproject production database file: $db_file" + yararulesproject_updates=1 + yararulesproject_db_update=1 + do_clamd_reload=1 + else + xshok_pretty_echo_and_log "Failed to successfully update yararulesproject production database file: $db_file - SKIPPING" + fi + else + $grep_bin -h -v -f "$work_dir_work_configs/whitelist.hex" "$work_dir_yararulesproject/$db_file" > "$test_dir/$db_file" + $clamscan_bin --infected --no-summary -d "$test_dir/$db_file" "$ham_dir"/* | command sed 's/\.UNOFFICIAL FOUND//' | awk '{print $NF}' > "$work_dir_work_configs/whitelist.txt" + $grep_bin -h -f "$work_dir_work_configs/whitelist.txt" "$test_dir/$db_file" | cut -d "*" -f2 | sort | uniq >> "$work_dir_work_configs/whitelist.hex" + $grep_bin -h -v -f "$work_dir_work_configs/whitelist.hex" "$test_dir/$db_file" > "$test_dir/$db_file-tmp" + mv -f "$test_dir/$db_file-tmp" "$test_dir/$db_file" + 
if $clamscan_bin --quiet -d "$test_dir/$db_file" "$work_dir_work_configs/scan-test.txt" 2>/dev/null ; then + xshok_pretty_echo_and_log "Clamscan reports yararulesproject $db_file database integrity tested good" + true + else + xshok_pretty_echo_and_log "Clamscan reports yararulesproject $db_file database integrity tested BAD" + if [ "$remove_bad_database" == "yes" ] ; then + if rm -f "$work_dir_yararulesproject/$db_file" ; then + xshok_pretty_echo_and_log "Removed invalid database: $work_dir_yararulesproject/$db_file" + fi + fi + false + fi && (test "$keep_db_backup" = "yes" && cp -f "$clam_dbs/$db_file" "$clam_dbs/$db_file-bak" 2>/dev/null ; true) && if $rsync_bin -pcqt "$test_dir/$db_file" "$clam_dbs" 2>/dev/null ; then + perms chown -f "$clam_user:$clam_group" "$clam_dbs/$db_file" + if [ "$selinux_fixes" == "yes" ] ; then + restorecon "$clam_dbs/$db_file" + fi + xshok_pretty_echo_and_log "Successfully updated yararulesproject production database file: $db_file" + yararulesproject_updates=1 + yararulesproject_db_update=1 + do_clamd_reload=1 + else + xshok_pretty_echo_and_log "Failed to successfully update yararulesproject production database file: $db_file - SKIPPING" + fi + fi + fi + fi + else + xshok_pretty_echo_and_log "WARNING: Failed connection to $yararulesproject_url - SKIPPED yararulesproject $db_file update" + fi + if [ "$yararulesproject_db_update" != "1" ] ; then + xshok_pretty_echo_and_log "No updated yararulesproject $db_file database file found" + fi + done + if [ "$yararulesproject_updates" != "1" ] ; then + xshok_pretty_echo_and_log "No yararulesproject database file updates found" "-" + fi +else + + xshok_pretty_echo_and_log "Yara-Rules Database File Updates" "=" + + time_remaining=$((update_interval - time_interval)) + hours_left=$((time_remaining / 3600)) + minutes_left=$((time_remaining % 3600 / 60)) + xshok_pretty_echo_and_log "$yararulesproject_update_hours hours have not yet elapsed since the last yararulesproject database update check" + 
xshok_pretty_echo_and_log "No update check was performed at this time" "-" + xshok_pretty_echo_and_log "Next check will be performed in approximately $hours_left hour(s), $minutes_left minute(s)" +fi +fi +fi +else + if [ -n "$yararulesproject_dbs" ] ; then + if [ "$remove_disabled_databases" == "yes" ] ; then + xshok_pretty_echo_and_log "Removing disabled yararulesproject Database files" + for db_file in $yararulesproject_dbs ; do + if echo "$db_file" | $grep_bin -q "/"; then + db_file=$(echo "$db_file" | cut -d"/" -f2) + fi + if [ -r "$work_dir_yararulesproject/$db_file" ] ; then + rm -f "$work_dir_yararulesproject/$db_file" + do_clamd_reload=1 + fi + if [ -r "$clam_dbs/$db_file" ] ; then + rm -f "$clam_dbs/$db_file" + do_clamd_reload=1 + fi + done + fi + fi +fi + +############################################################################################################################################## +# Check for updated additional database files every set number of hours as defined in the "USER CONFIGURATION" section of this script +############################################################################################################################################## +if [ "$additional_enabled" == "yes" ] ; then + if [ -n "$additional_dbs" ] ; then + if [ "$(xshok_array_count "$additional_dbs")" -lt "1" ] ; then + xshok_pretty_echo_and_log "Failed additional_dbs config is invalid or not defined - SKIPPING" + else + rm -f "$work_dir_add/*.gz" + if [ -r "$work_dir_work_configs/last-additional-update.txt" ] ; then + last_additional_update=$(cat "$work_dir_work_configs/last-additional-update.txt") + else + last_additional_update="0" + fi + db_file="" + loop="" + update_interval=$((additional_update_hours * 3600)) + time_interval=$((current_time - last_additional_update)) + if [ "$time_interval" -ge $((update_interval - 600)) ] ; then + echo "$current_time" > "$work_dir_work_configs/last-additional-update.txt" + + xshok_pretty_echo_and_log "Additional 
Database File Updates" "=" + xshok_pretty_echo_and_log "Checking for additional updates..." + additional_updates="0" + for db_url in $additional_dbs ; do + # left for future dir manipulation + # if echo "$db_file" | $grep_bin -q "/"; then + # add_dir="/"$(echo "$db_file" | cut -d"/" -f1) + # db_file=$(echo "$db_file" | cut -d"/" -f2) + # else + # add_dir="" + # fi + db_file=$(basename "$db_url") + + if [ "$loop" = "1" ] ; then + xshok_pretty_echo_and_log "---" + fi + xshok_pretty_echo_and_log "Checking for updated additional database file: $db_file" + + additional_db_update="0" + + if [ "$(echo "$db_url" | cut -d ":" -f1)" = "rsync" ] ; then + $rsync_bin $rsync_output_level $no_motd -ctuz $connect_timeout --timeout="$rsync_max_time" --exclude=*.txt --exclude=*.sha256 --exclude=*.sig --exclude=*.gz "$db_url" "$work_dir_add" 2>/dev/null + ret="$?" + else + if [ "$wget_bin" != "" ] ; then + $wget_bin $wget_proxy_https $wget_proxy_http $wget_insecure $wget_output_level --connect-timeout="$downloader_connect_timeout" --random-wait --tries="$downloader_tries" --timeout="$downloader_max_time" --output-document="$work_dir_add/$db_file" "$db_url" + ret="$?" + else + $curl_bin $curl_proxy $curl_insecure $curl_output_level --connect-timeout "$downloader_connect_timeout" --remote-time --location --retry "$downloader_tries" --max-time "$downloader_max_time" --output "$work_dir_add/$db_file" "$db_url" + ret="$?" + fi + fi + + ##this needs enhancement for rsync, as it will only work with single files... maybe better to process each file inside work_dir_add in its own for loop. + if [ "$ret" -eq "0" ] ; then + loop="1" + if ! cmp -s "$work_dir_add/$db_file" "$clam_dbs/$db_file" ; then + if [ "$?" -eq "0" ] ; then + db_ext=$(echo "$db_file" | cut -d "." 
-f2) + + xshok_pretty_echo_and_log "Testing updated additional database file: $db_file" + if [ -z "$ham_dir" ] || [ "$db_ext" != "ndb" ] ; then + if $clamscan_bin --quiet -d "$work_dir_add/$db_file" "$work_dir_work_configs/scan-test.txt" 2>/dev/null + then + xshok_pretty_echo_and_log "Clamscan reports additional $db_file database integrity tested good" + true + else + xshok_pretty_echo_and_log "Clamscan reports additional $db_file database integrity tested BAD" + if [ "$remove_bad_database" == "yes" ] ; then + if rm -f "$work_dir_add/$db_file" ; then + xshok_pretty_echo_and_log "Removed invalid database: $work_dir_add/$db_file" + fi + fi + false + fi && (test "$keep_db_backup" = "yes" && cp -f "$clam_dbs/$db_file" "$clam_dbs/$db_file-bak" 2>/dev/null ; true) && if $rsync_bin -pcqt "$work_dir_add/$db_file" "$clam_dbs" 2>/dev/null ; then + perms chown -f "$clam_user:$clam_group" "$clam_dbs/$db_file" + if [ "$selinux_fixes" == "yes" ] ; then + restorecon "$clam_dbs/$db_file" + fi + xshok_pretty_echo_and_log "Successfully updated additional production database file: $db_file" + additional_updates=1 + additional_db_update=1 + do_clamd_reload=1 + else + xshok_pretty_echo_and_log "Failed to successfully update additional production database file: $db_file - SKIPPING" + fi + else + $grep_bin -h -v -f "$work_dir_work_configs/whitelist.hex" "$work_dir_add/$db_file" > "$test_dir/$db_file" + $clamscan_bin --infected --no-summary -d "$test_dir/$db_file" "$ham_dir"/* | command sed 's/\.UNOFFICIAL FOUND//' | awk '{print $NF}' > "$work_dir_work_configs/whitelist.txt" + $grep_bin -h -f "$work_dir_work_configs/whitelist.txt" "$test_dir/$db_file" | cut -d "*" -f2 | sort | uniq >> "$work_dir_work_configs/whitelist.hex" + $grep_bin -h -v -f "$work_dir_work_configs/whitelist.hex" "$test_dir/$db_file" > "$test_dir/$db_file-tmp" + mv -f "$test_dir/$db_file-tmp" "$test_dir/$db_file" + if $clamscan_bin --quiet -d "$test_dir/$db_file" "$work_dir_work_configs/scan-test.txt" 2>/dev/null ; then 
+ xshok_pretty_echo_and_log "Clamscan reports additional $db_file database integrity tested good" + true + else + xshok_pretty_echo_and_log "Clamscan reports additional $db_file database integrity tested BAD" + if [ "$remove_bad_database" == "yes" ] ; then + if rm -f "$work_dir_add/$db_file" ; then + xshok_pretty_echo_and_log "Removed invalid database: $work_dir_add/$db_file" + fi + fi + false + fi && (test "$keep_db_backup" = "yes" && cp -f "$clam_dbs/$db_file" "$clam_dbs/$db_file-bak" 2>/dev/null ; true) && if $rsync_bin -pcqt "$test_dir/$db_file" "$clam_dbs" 2>/dev/null ; then + perms chown -f "$clam_user:$clam_group" "$clam_dbs/$db_file" + if [ "$selinux_fixes" == "yes" ] ; then + restorecon "$clam_dbs/$db_file" + fi + xshok_pretty_echo_and_log "Successfully updated additional production database file: $db_file" + additional_updates=1 + additional_db_update=1 + do_clamd_reload=1 + else + xshok_pretty_echo_and_log "Failed to successfully update additional production database file: $db_file - SKIPPING" + fi + fi + fi + fi + else + xshok_pretty_echo_and_log "WARNING: Failed connection to $additional_url - SKIPPED additional $db_file update" + fi + if [ "$additional_db_update" != "1" ] ; then + xshok_pretty_echo_and_log "No updated additional $db_file database file found" + fi + done + if [ "$additional_updates" != "1" ] ; then + xshok_pretty_echo_and_log "No additional database file updates found" "-" + fi +else + + xshok_pretty_echo_and_log "Additional Database File Updates" "=" + + time_remaining=$((update_interval - time_interval)) + hours_left=$((time_remaining / 3600)) + minutes_left=$((time_remaining % 3600 / 60)) + xshok_pretty_echo_and_log "$additional_update_hours hours have not yet elapsed since the last additional database update check" + xshok_pretty_echo_and_log "No update check was performed at this time" "-" + xshok_pretty_echo_and_log "Next check will be performed in approximately $hours_left hour(s), $minutes_left minute(s)" +fi +fi +fi +else + if 
[ -n "$additional_dbs" ] ; then + if [ "$remove_disabled_databases" == "yes" ] ; then + xshok_pretty_echo_and_log "Removing disabled additional Database files" + for db_file in $additional_dbs ; do + if echo "$db_file" | $grep_bin -q "/"; then + db_file=$(echo "$db_file" | cut -d"/" -f2) + fi + if [ -r "$work_dir_add/$db_file" ] ; then + rm -f "$work_dir_add/$db_file" + do_clamd_reload=1 + fi + if [ -r "$clam_dbs/$db_file" ] ; then + rm -f "$clam_dbs/$db_file" + do_clamd_reload=1 + fi + done + fi + fi +fi + +################################################### +# Generate whitelists +################################################### +# Check to see if the local.ign file exists, and if it does, check to see if any of the script +# added bypass entries can be removed due to offending signature modifications or removals. +if [ -r "$clam_dbs/local.ign" ] && [ -s "$work_dir_work_configs/monitor-ign.txt" ] ; then + ign_updated=0 + cd "$clam_dbs" || exit + cp -f local.ign "$work_dir_work_configs/local.ign" + cp -f "$work_dir_work_configs/monitor-ign.txt" "$work_dir_work_configs/monitor-ign-old.txt" + + xshok_pretty_echo_and_log "" "=" "80" + while read -r entry ; do + sig_file=$(echo "$entry" | tr -d "\r" | awk -F ":" '{print $1}') + sig_hex=$(echo "$entry" | tr -d "\r" | awk -F ":" '{print $NF}') + sig_name_old=$(echo "$entry" | tr -d "\r" | awk -F ":" '{print $3}') + sig_ign_old=$($grep_bin ":$sig_name_old" "$work_dir_work_configs/local.ign") + sig_old=$(echo "$entry" | tr -d "\r" | cut -d ":" -f3-) + sig_new=$($grep_bin -hwF ":$sig_hex" "$sig_file" | tr -d "\r" 2>/dev/null) + sig_mon_new=$($grep_bin -HwF -n ":$sig_hex" "$sig_file" | tr -d "\r") + if [ -n "$sig_new" ] ; then + if [ "$sig_old" != "$sig_new" ] || [ "$entry" != "$sig_mon_new" ] ; then + sig_name_new=$(echo "$sig_new" | tr -d "\r" | awk -F ":" '{print $1}') + sig_ign_new=$(echo "$sig_mon_new" | cut -d ":" -f1-3) + perl -i -ne "print unless /$sig_ign_old/" "$work_dir_work_configs/monitor-ign.txt" + echo 
"$sig_mon_new" >> "$work_dir_work_configs/monitor-ign.txt" + perl -p -i -e "s/$sig_ign_old/$sig_ign_new/" "$work_dir_work_configs/local.ign" + xshok_pretty_echo_and_log "$sig_name_old hexadecimal signature is unchanged, however signature name and/or line placement" + xshok_pretty_echo_and_log "in $sig_file has changed to $sig_name_new - updated local.ign to reflect this change." + ign_updated=1 + fi + else + perl -i -ne "print unless /$sig_ign_old/" "$work_dir_work_configs/monitor-ign.txt" "$work_dir_work_configs/local.ign" + + xshok_pretty_echo_and_log "$sig_name_old signature has been removed from $sig_file, entry removed from local.ign." + ign_updated=1 + fi + done < "$work_dir_work_configs/monitor-ign-old.txt" + if [ "$ign_updated" = "1" ] ; then + if $clamscan_bin --quiet -d "$work_dir_work_configs/local.ign" "$work_dir_work_configs/scan-test.txt" + then + if $rsync_bin -pcqt "$work_dir_work_configs/local.ign" "$clam_dbs" + then + perms chown -f "$clam_user:$clam_group" "$clam_dbs/local.ign" + perms chmod -f 0644 "$clam_dbs/local.ign" "$work_dir_work_configs/monitor-ign.txt" + if [ "$selinux_fixes" == "yes" ] ; then + restorecon "$clam_dbs/local.ign" + fi + do_clamd_reload=3 + else + xshok_pretty_echo_and_log "Failed to successfully update local.ign file - SKIPPING" + fi + else + xshok_pretty_echo_and_log "Clamscan reports local.ign database integrity is bad - SKIPPING" + fi + else + xshok_pretty_echo_and_log "No whitelist signature changes found in local.ign" "=" + fi +fi + +# Check to see if my-whitelist.ign2 file exists, and if it does, check to see if any of the script +# added whitelist entries can be removed due to offending signature modifications or removals. 
+if [ -r "$clam_dbs/my-whitelist.ign2" ] && [ -s "$work_dir_work_configs/tracker.txt" ] ; then + ign2_updated=0 + cd "$clam_dbs" || exit + cp -f my-whitelist.ign2 "$work_dir_work_configs/my-whitelist.ign2" + + xshok_pretty_echo_and_log "" "=" "80" + + while read -r entry ; do + sig_file=$(echo "$entry" | cut -d ":" -f1) + sig_full=$(echo "$entry" | cut -d ":" -f2-) + sig_name=$(echo "$entry" | cut -d ":" -f2) + if ! $grep_bin -F "$sig_full" "$sig_file" > /dev/null 2>&1 ; then + perl -i -ne "print unless /$sig_name$/" "$work_dir_work_configs/my-whitelist.ign2" + perl -i -ne "print unless /:$sig_name:/" "$work_dir_work_configs/tracker-tmp.txt" + + xshok_pretty_echo_and_log "$sig_name signature no longer exists in $sig_file, whitelist entry removed from my-whitelist.ign2" + ign2_updated=1 + fi + done < "$work_dir_work_configs/tracker.txt" + mv -f "$work_dir_work_configs/tracker-tmp.txt" "$work_dir_work_configs/tracker.txt" + + xshok_pretty_echo_and_log "" "=" "80" + if [ "$ign2_updated" = "1" ] + then + if $clamscan_bin --quiet -d "$work_dir_work_configs/my-whitelist.ign2" "$work_dir_work_configs/scan-test.txt" + then + if $rsync_bin -pcqt "$work_dir_work_configs/my-whitelist.ign2" "$clam_dbs" + then + perms chown -f "$clam_user:$clam_group" "$clam_dbs/my-whitelist.ign2" + perms chmod -f 0644 "$clam_dbs/my-whitelist.ign2" "$work_dir_work_configs/tracker.txt" + if [ "$selinux_fixes" == "yes" ] ; then + restorecon "$clam_dbs/my-whitelist.ign2" + restorecon "$work_dir_work_configs/tracker.txt" + fi + do_clamd_reload=4 + else + xshok_pretty_echo_and_log "Failed to successfully update my-whitelist.ign2 file - SKIPPING" + fi + else + xshok_pretty_echo_and_log "Clamscan reports my-whitelist.ign2 database integrity is bad - SKIPPING" + fi + else + xshok_pretty_echo_and_log "No whitelist signature changes found in my-whitelist.ign2" + fi +fi + +# Check for non-matching whitelist.hex signatures and remove them from the whitelist file (signature modified or removed). 
+if [ -n "$ham_dir" ] ; then + if [ -r "$work_dir_work_configs/whitelist.hex" ] ; then + $grep_bin -h -f "$work_dir_work_configs/whitelist.hex" "$work_dir"/*/*.ndb | cut -d "*" -f2 | tr -d "\r" | sort | uniq > "$work_dir_work_configs/whitelist.tmp" + mv -f "$work_dir_work_configs/whitelist.tmp" "$work_dir_work_configs/whitelist.hex" + rm -f "$work_dir_work_configs/whitelist.txt" + rm -f "$test_dir"/*.* + xshok_pretty_echo_and_log "WARNING: Signature(s) triggered on HAM directory scan - signature(s) removed" "*" + else + xshok_pretty_echo_and_log "No signatures triggered on HAM directory scan" "=" + fi +fi + +# Set appropriate directory and file permissions to all production signature files +# and set file access mode to 0644 on all working directory files. + +if [ "$setmode" = "yes" ] ; then + xshok_pretty_echo_and_log "Setting permissions and ownership" "=" + perms chown -f -R "$clam_user:$clam_group" "$work_dir" + if ! find "$work_dir" -type f -exec chmod -f 0644 {} + 2>/dev/null ; then + if ! find "$work_dir" -type f -print0 | xargs -0 chmod -f 0644 2>/dev/null ; then + if ! find "$work_dir" -type f -print0 | xargs chmod -f 0644 2>/dev/null ; then + find "$work_dir" -type f -exec chmod -f 0644 {} \; + fi + fi + fi + +# If enabled, set file access mode for all production signature database files to 0644. + perms chown -f -R "$clam_user:$clam_group" "$clam_dbs" + if ! find "$clam_dbs" -type f -exec chmod -f 0644 {} + 2>/dev/null ; then + if ! find "$clam_dbs" -type f -print0 | xargs -0 chmod -f 0644 2>/dev/null ; then + if ! find "$clam_dbs" -type f -print0 | xargs chmod -f 0644 2>/dev/null ; then + find "$clam_dbs" -type f -exec chmod -f 0644 {} \; + fi + fi + fi +fi + +# Reload all clamd databases +clamscan_reload_dbs + +xshok_pretty_echo_and_log "Issue tracker : https://github.com/extremeshok/clamav-unofficial-sigs/issues" "-" + +check_new_version + +xshok_cleanup + +# And lastly we exit, Note: the exit is always on the 2nd last line +exit $? 
diff --git a/clamav-unofficial-sigs.8 b/clamav-unofficial-sigs.8 new file mode 100644 index 0000000..bdc1d60 --- /dev/null +++ b/clamav-unofficial-sigs.8 
@@ -0,0 +1,75 @@ + +.\" Manual page for eXtremeSHOK.com ClamAV Unofficial Signature Updater +.TH clamav-unofficial-sigs 8 "20 July 2016" "Version: 5.4.1" "SCRIPT COMMANDS" +.SH NAME +clamav-unofficial-sigs \- Download, test, and install third-party ClamAV signature databases. +.SH SYNOPSIS +.B clamav-unofficial-sigs +.RI [ options ] +.SH DESCRIPTION +\fBclamav-unofficial-sigs\fP provides a simple way to download, test, and update third-party signature databases provided by Sanesecurity, FOXHOLE, OITC, Scamnailer, BOFHLAND, CRDF, Porcupine, Securiteinfo, MalwarePatrol, Yara-Rules Project, etc. It will also generate and install cron, logrotate, and man files. +.SH UPDATES +Script updates can be found at: \fBhttps://github.com/extremeshok/clamav-unofficial-sigs\fP +.SH OPTIONS +This script follows the standard GNU command line syntax. +.LP +\fB Usage: clamav\-unofficial\-sigs.sh \fR [OPTION] [PATH|FILE] +.TP +\fB \-c, \-\-config \fR Use a specific configuration file or directory eg: '\-c /your/dir' or ' \-c /your/file.name' Note: If a directory is specified the directory must contain atleast: master.conf, os.conf or user.conf Default Directory: /etc/clamav\-unofficial\-sigs +.TP +\fB \-F, \-\-force \fR Force all databases to be downloaded, could cause ip to be blocked +.TP +\fB \-h, \-\-help \fR Display this script's help and usage information +.TP +\fB \-V, \-\-version \fR Output script version and date information +.TP +\fB \-v, \-\-verbose \fR Be verbose, enabled when not run under cron +.TP +\fB \-s, \-\-silence \fR Only output error messages, enabled when run under cron +.TP +\fB \-d, \-\-decode\-sig \fR Decode a third\-party signature either by signature name (eg: Sanesecurity.Junk.15248) or hexadecimal string. 
This flag will 'NOT' decode image signatures +.TP +\fB \-e, \-\-encode\-string \fR Hexadecimal encode an entire input string that can be used in any '*.ndb' signature database file +.TP +\fB \-f, \-\-encode\-formatted \fR Hexadecimal encode a formatted input string containing signature spacing fields '{}, (), *', without encoding the spacing fields, so that the encoded signature can be used in any '*.ndb' signature database file +.TP +\fB \-g, \-\-gpg\-verify \fR GPG verify a specific Sanesecurity database file eg: '\-g filename.ext' (do not include file path) +.TP +\fB \-i, \-\-information \fR Output system and configuration information for viewing or possible debugging purposes +.TP +\fB \-m, \-\-make\-database \fR Make a signature database from an ascii file containing data strings, with one data string per line. Additional information is provided when using this flag +.TP +\fB \-t, \-\-test\-database \fR Clamscan integrity test a specific database file eg: '\-t filename.ext' (do not include file path) +.TP +\fB \-o, \-\-output\-triggered \fR If HAM directory scanning is enabled in the script's configuration file, then output names of any third\-party signatures that triggered during the HAM directory scan +.TP +\fB \-w, \-\-whitelist \fR Adds a signature whitelist entry in the newer ClamAV IGN2 format to 'my\-whitelist.ign2' in order to temporarily resolve a false\-positive issue with a specific third\-party signature. 
Script added whitelist entries will automatically be removed if the original signature is either modified or removed from the third\-party signature database +.TP +\fB \-\-check\-clamav \fR If ClamD status check is enabled and the socket path is correctly specifiedthen test to see if clamd is running or not +.TP +\fB \-\-install\-all \fR Install and generate the cron, logroate and man files, autodetects the values based on your config files +.TP +\fB \-\-install\-cron \fR Install and generate the cron file, autodetects the values based on your config files +.TP +\fB \-\-install\-logrotate \fR Install and generate the logrotate file, autodetects the values based on your config files +.TP +\fB \-\-install\-man \fR Install and generate the man file, autodetects the values based on your config files +.TP +\fB \-\-remove\-script \fR Remove the clamav\-unofficial\-sigs script and all of its associated files and databases from the system +.TP +.SH SEE ALSO +.BR clamd (8), +.BR clamscan (1) +.SH COPYRIGHT +Copyright (c) Adrian Jon Kriel :: admin@extremeshok.com +.TP +You are free to use, modify and distribute, however you may not remove this notice. +.SH LICENSE +BSD (Berkeley Software Distribution) +.SH BUGS +Report bugs to \fBhttps://github.com/extremeshok/clamav-unofficial-sigs\fP +.SH AUTHOR +Adrian Jon Kriel :: admin@extremeshok.com +Originially based on Script provide by Bill Landry + + diff --git a/debian/changelog b/debian/changelog new file mode 100644 index 0000000..1ac02da --- /dev/null +++ b/debian/changelog 
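Review bot: the OPTIONS text has typos that reach the rendered page: "specifiedthen" (missing space) in `--check-clamav`, "logroate" in `--install-all`, "atleast" in `--config`, and "Originially" in AUTHOR. The usage line names the script `clamav\-unofficial\-sigs.sh`, but `.TH` and the installed file are `clamav-unofficial-sigs`; use one name. The empty `.TP` just before `.SH SEE ALSO` and the `.TP` inside COPYRIGHT produce stray indentation and should be removed.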
@@ -0,0 +1,158 @@ +clamav-unofficial-sigs (5.4.1-1) unstable; urgency=medium + + * First eXtremeSHOK release + * Packaged for CARNet + + -- Ivan Rako Fri, 22 Jul 2016 00:18:32 +0200 + +clamav-unofficial-sigs (3.7.2-2) unstable; urgency=medium + + * Fix bashisms in the documentation in the config (Closes: #733998) + + -- Paul Wise Wed, 15 Jan 2014 16:33:34 +0800 + +clamav-unofficial-sigs (3.7.2-1) unstable; urgency=low + + * New upstream release + * Fixes signature ignore problem (Closes: #714132) + * Adds configurability for curl/rsync timeouts (Closes: #693542) + * Adds the ability to turn off chmod calls (See: #566702) + * Deal with the cron job being disabled (Closes: #711161) + * Turn off the chmod calls by default (Closes: #566702) + * Switch priority to optional + * Bump debhelper compat level + * Bump Standards-Version, no changes needed + * Simplify the dirs file slightly + * Rewrite and update the copyright file to copyright-format 1.0 + * Ignore a missing purge file + + -- Paul Wise Wed, 27 Nov 2013 15:38:03 +0800 + +clamav-unofficial-sigs (3.7.1-4) unstable; urgency=low + + * Point the homepage/watch at sourceforge since the domain expired. 
+ * Use the canonical Vcs-* URLs + * Bump Standards-Version, no changes needed + * Suggest apt-get purge instead now that it exists + * Build with dh --parallel + + -- Paul Wise Sat, 25 May 2013 16:17:04 +0800 + +clamav-unofficial-sigs (3.7.1-3) unstable; urgency=low + + * Don't run clamdscan if it is not present + + -- Paul Wise Fri, 01 Jun 2012 19:27:28 +0800 + +clamav-unofficial-sigs (3.7.1-2) unstable; urgency=low + + * Package technically complies with policy 3.9.3, bump Standards-Version + * Wrap and sort various files + * Drop clamav-daemon to suggests to allow using just clamscan + (Closes: #672537) + * Revert to the upstream default of not acting as a watchdog for clamd + * Add a NEWS.Debian entry explaining how to re-enable the watchdog stuff + + -- Paul Wise Tue, 29 May 2012 20:50:22 +0800 + +clamav-unofficial-sigs (3.7.1-1) unstable; urgency=low + + * New upstream release + - Fixes a minor bashism in the sig creation option (Closes: #547743) + - Drops MSRBL signature, no updates since July 2009 (Closes: #612796) + - Supports new uncompressed SecuriteInfo signatures (Closes: #612795) + * Allow sysadmins to easily override default configs (Closes: #566620) + * Package technically complies with policy 3.9.1, bump Standards-Version + + -- Paul Wise Fri, 11 Feb 2011 18:40:36 +0800 + +clamav-unofficial-sigs (3.6-1) unstable; urgency=low + + * New upstream release + - Now uses dig to discover mirror IPs, depend on dnsutils + * In the instructions for extra security, send mail to root + * Bump Standards-Version, no changes needed + * Set the default log file permissions to clamav:adm 644 (Closes: #552351) + * Switch to dpkg-source 3.0 (quilt) format + * Switch to debhelper 7 minimal rules file + + -- Paul Wise Sat, 02 Jan 2010 12:27:11 +0800 + +clamav-unofficial-sigs (3.5.4-2) unstable; urgency=low + + * Brown paper bag upload + * Update the instructions in README.Debian to be more correct + and more comprehensive wrt changing file permissions + * Unset the 
right variables so that the script doesn't try + to chown stuff all over the joint. + + -- Paul Wise Wed, 22 Jul 2009 14:04:00 +0200 + +clamav-unofficial-sigs (3.5.4-1) unstable; urgency=low + + * New upstream release + * Document removal of mediam and high risk databases + * Document that some of the default settings are altered + * Run the script as the clamav user by default and + ensure correct ownership of all the files when the + sysadmin accepts the cron.d configuration change. + - Will no longer be able to start clamav when it is + not running, so document that and don't try to do it. + * Bump Standards-Version, no changes needed + * Switch the host dep away from the ancient host package to bind9-host + + -- Paul Wise Tue, 21 Jul 2009 19:02:43 +0200 + +clamav-unofficial-sigs (3.3-2) unstable; urgency=low + + * Brown paper bag upload + * Fix path to the script in the cron.d file + + -- Paul Wise Thu, 21 May 2009 15:50:43 +0800 + +clamav-unofficial-sigs (3.3-1) unstable; urgency=low + + * New upstream release + * Add Vcs-Git and Vcs-Browser fields + + -- Paul Wise Thu, 21 May 2009 13:58:02 +0800 + +clamav-unofficial-sigs (3.1-1) unstable; urgency=low + + * New upstream release + * Mention OITC signatures in the package description + * Drop the restart reload_opt options from the config, they don't work + * Handle the case where the upstream purge.txt does not exist yet + * Move the Debian-specific configuration to /usr/share + * Use the new upstream logrotate configuration + * Remove the gpg key in the case where the script hasn't run yet + * Update the cron configuration based on the new upstream crontab + * Prevent files from being removed when the script -r option is used + * Handle filenames starting with a '-' in the postrm script + + -- Paul Wise Tue, 12 May 2009 01:28:21 +0800 + +clamav-unofficial-sigs (2.8-1) unstable; urgency=low + + * New upstream version + - Generates its own purge.txt, use that instead of generating our own + - Includes our 
manpage, use that instead of our own + * Let the upstream script import the gpg key on first run + * Revert back to the default upstream reload_opt="clamdscan --reload" + - Depend on clamav-daemon 0.94.dfsg.1 or later for that + - Provide a Debian-specific option for those who want to restart + + -- Paul Wise Sat, 02 May 2009 10:05:52 +0800 + +clamav-unofficial-sigs (2.7.3-2) unstable; urgency=low + + * Update manual page with some changes from upstream + * Silence non-error output from the cron job + + -- Paul Wise Wed, 29 Apr 2009 00:27:09 +0800 + +clamav-unofficial-sigs (2.7.3-1) unstable; urgency=low + + * Initial release (Closes: #524565) + + -- Paul Wise Sun, 26 Apr 2009 13:40:08 +0800 diff --git a/debian/compat b/debian/compat new file mode 100644 index 0000000..ec63514 --- /dev/null +++ b/debian/compat @@ -0,0 +1 @@ +9 diff --git a/debian/control b/debian/control new file mode 100644 index 0000000..a265065 --- /dev/null +++ b/debian/control 
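Review bot: the 5.4.1-1 trailer `-- Ivan Rako Fri, 22 Jul 2016 00:18:32 +0200` shows no maintainer e-mail address; dpkg-parsechangelog requires `-- Name <email>  date` (two spaces before the date), so confirm the address is present in the file and was only lost in rendering. The entry should also state that 5.4.1 is the eXtremeSHOK GitHub fork replacing the unmaintained sourceforge upstream the 3.7.x entries refer to, so the version jump and the changed Homepage are explained in the changelog rather than only in README.md.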
@@ -0,0 +1,28 @@ +Source: clamav-unofficial-sigs +Section: utils +Priority: optional +Maintainer: Ivan Rako +Build-Depends: debhelper (>= 9) +Standards-Version: 3.9.6 +Homepage: https://github.com/extremeshok/clamav-unofficial-sigs + +Package: clamav-unofficial-sigs +Architecture: all +Depends: clamav, curl, wget, rsync, dnsutils, gnupg, ${misc:Depends} +Suggests: clamav-daemon (>= 0.99.2) +Description: update script for 3rd-party clamav signatures + This package provides a script for updating the following sources of + 3rd-party clamav signatures until freshclamav gains support for such + signatures. + . + The SaneSecurity/OITC signatures provide detection of phishing, spear + phishing, fake lottery, ecard malware, casino, fake jobs, fake loans, + 419s, fake diplomas, porn, emailed malware and other general spam. + . + MSRBL signatures provide detection of image spam and general spam. + . + SecuriteInfo signatures provide various badware signatures, + securiteinfo.com honeypot signatures, honeynet.cz signatures + and French anti-spam signatures + . + MalwarePatrol provides detection of mail containing URLs to malware. diff --git a/debian/copyright b/debian/copyright new file mode 100644 index 0000000..de2433b --- /dev/null +++ b/debian/copyright 
@@ -0,0 +1,34 @@ +This is property of eXtremeSHOK.com +You are free to use, modify and distribute, however you may not remove this notice. +Copyright (c) Adrian Jon Kriel :: admin@extremeshok.com + +Originially based on: + +Copyright (c) 2007 - 2013, Bill Landry (unofficialsigs@gmail.com) + +All rights reserved. + +Redistribution and use in source and binary forms, with or without modification, +are permitted provided that the following conditions are met: + + * Redistributions of source code must retain the above copyright + notice, this list of conditions and the following disclaimer. + + * Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + * Neither the name of the author/copyright holder nor the names of its + contributors may be used to endorse or promote products derived from + this software without specific prior written permission. + +THIS SOFTWARE IS PROVIDED BY AUTHOR/COPYRIGHT HOLDER "AS IS" AND ANY EXPRESS OR +IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF +MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT +SHALL AUTHOR/COPYRIGHT HOLDER BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, +SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, +PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR +BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN +CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING +IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY +OF SUCH DAMAGE. diff --git a/debian/cron.d b/debian/cron.d new file mode 100644 index 0000000..c8190aa --- /dev/null +++ b/debian/cron.d 
@@ -0,0 +1,6 @@ +# This cron file will execute the clamav-unofficial-sigs.sh script that +# currently supports updating third-party signature databases provided +# by Sanesecurity, SecuriteInfo, MalwarePatrol, OITC, etc. + +54 * * * * clamav [ -x /usr/sbin/clamav-unofficial-sigs.sh ] && /bin/bash /usr/sbin/clamav-unofficial-sigs.sh > /dev/null + diff --git a/debian/dirs b/debian/dirs new file mode 100644 index 0000000..c558e87 --- /dev/null +++ b/debian/dirs @@ -0,0 +1,5 @@ +etc/clamav-unofficial-sigs +usr/sbin +var/lib/clamav-unofficial-sigs/gpg-key +var/lib/clamav-unofficial-sigs/configs +var/log/clamav-unofficial-sigs diff --git a/debian/docs b/debian/docs new file mode 100644 index 0000000..b43bf86 --- /dev/null +++ b/debian/docs @@ -0,0 +1 @@ +README.md diff --git a/debian/install b/debian/install new file mode 100644 index 0000000..24d794c --- /dev/null +++ b/debian/install @@ -0,0 +1,4 @@ +clamav-unofficial-sigs usr/sbin +master.conf etc/clamav-unofficial-sigs +os.conf etc/clamav-unofficial-sigs +user.conf etc/clamav-unofficial-sigs diff --git a/debian/logrotate b/debian/logrotate new file mode 100644 index 0000000..b60a2cd --- /dev/null +++ b/debian/logrotate @@ -0,0 +1,11 @@ +# This logrotate file will rotate the logs generated by the clamav-unofficial-sigs.sh + +/var/log/clamav-unofficial-sigs/clamav-unofficial-sigs.log { + weekly + rotate 4 + missingok + notifempty + compress + create 0644 clamav clamav +} + diff --git a/debian/manpages b/debian/manpages new file mode 100644 index 0000000..90e9c55 --- /dev/null +++ b/debian/manpages @@ -0,0 +1 @@ +clamav-unofficial-sigs.8 diff --git a/debian/postinst b/debian/postinst new file mode 100644 index 0000000..36f1dfd --- /dev/null +++ b/debian/postinst @@ -0,0 +1,10 @@ +#!/bin/sh + +set -e + +[ "$1" = "configure" ] || exit 0 +[ "$DEBIAN_SCRIPT_DEBUG" ] && set -vx + +if [ -x /usr/sbin/clamav-unofficial-sigs.sh ]; then + clamav-unofficial-sigs --silence || true +fi 
diff --git a/debian/preinst b/debian/preinst new file mode 100644 index 0000000..5fe0e81 --- /dev/null +++ b/debian/preinst @@ -0,0 +1,17 @@ +#!/bin/sh + +set -e + +if [ "$1" = install -o "$1" = upgrade ]; then + if [ -d /etc/clamav-unofficial-sigs.conf.d/ ]; then + rm -rf /etc/clamav-unofficial-sigs.conf.d + fi + + if [ -f /etc/clamav-unofficial-sigs.conf ]; then + rm -f /etc/clamav-unofficial-sigs.conf + fi + + if [ -d /var/cache/clamav-unofficial-sigs/ ]; then + rm -rf /var/cache/clamav-unofficial-sigs + fi +fi diff --git a/debian/rules b/debian/rules new file mode 100755 index 0000000..cbe925d --- /dev/null +++ b/debian/rules @@ -0,0 +1,3 @@ +#!/usr/bin/make -f +%: + dh $@ diff --git a/master.conf b/master.conf new file mode 100644 index 0000000..b761631 --- /dev/null +++ b/master.conf 
@@ -0,0 +1,524 @@ +# This file contains master configuration settings for clamav-unofficial-sigs.sh +################### +# This is property of eXtremeSHOK.com +# You are free to use, modify and distribute, however you may not remove this notice. +# Copyright (c) Adrian Jon Kriel :: admin@extremeshok.com +################## +# +# Script updates can be found at: https://github.com/extremeshok/clamav-unofficial-sigs +# +# Originially based on: +# Script provide by Bill Landry (unofficialsigs@gmail.com). +# +# License: BSD (Berkeley Software Distribution) +# +################## +# +# NOT COMPATIBLE WITH VERSION 3.XX / 4.XX CONFIG +# +################################################################################ + +# Edit the quoted variables below to meet your own particular needs +# and requirements, but do not remove the "quote" marks. + +# Set the appropriate ClamD user and group accounts for your system. +# If you do not want the script to set user and group permissions on +# files and directories, comment the next two variables. +#clam_user="clamav" +#clam_group="clamav" + +# If you do not want the script to change the file mode of all signature +# database files in the ClamAV working directory to 0644 (-rw-r--r--): +# +# owner: read, write +# group: read +# world: read +# +# as defined in the "clam_dbs" path variable below, then set the following +# "setmode" variable to "no". +setmode="yes" + +# Set path to ClamAV database files location. If unsure, check +# your clamd.conf file for the "DatabaseDirectory" path setting. +clam_dbs="/var/lib/clamav" + +# Set path to clamd.pid file (see clamd.conf for path location). +clamd_pid="/var/run/clamav/clamd.pid" + +# To enable "ham" (non-spam) directory scanning and removal of +# signatures that trigger on ham messages, uncomment the following +# variable and set it to the appropriate ham message directory. 
+#ham_dir="/var/lib/clamav-unofficial-sigs/ham-test" + +# If you would like to reload the clamd databases after an update, +# change the following variable to "yes". +reload_dbs="yes" + +# Top level working directory, script will attempt to create them. +work_dir="/var/lib/clamav-unofficial-sigs" #Top level working directory + +# Log update information to '$log_file_path/$log_file_name'. +logging_enabled="yes" +log_file_path="/var/log/clamav-unofficial-sigs" +log_file_name="clamav-unofficial-sigs.log" + + +# ========================= +# MalwarePatrol : https://www.malwarepatrol.net +# MalwarePatrol 2016 (free) clamav signatures +# +# 1. Sign up for an account : https://www.malwarepatrol.net/signup-free.shtml +# 2. You will recieve an email containing your password/receipt number +# 3. Login to your account at malwarePatrol +# 4. In My Accountpage, choose the ClamAV list you will download. Free subscribers only get ClamAV Basic, commercial subscribers have access to ClamAV Extended. Do not use the agressive lists. +# 5. In the download URL, you will see 3 parameters: receipt, product and list, enter them in the variables below. + +malwarepatrol_receipt_code="YOUR-RECEIPT-NUMBER" +malwarepatrol_product_code="8" +malwarepatrol_list="clamav_basic" # clamav_basic or clamav_ext +# Set to no to enable the commercial subscription url. +malwarepatrol_free="yes" + +# ========================= +# SecuriteInfo : https://www.SecuriteInfo.com +# SecuriteInfo 2015 free clamav signatures +# +# Usage of SecuriteInfo 2015 free clamav signatures : https://www.securiteinfo.com +# - 1. Sign up for a free account : https://www.securiteinfo.com/clients/customers/signup +# - 2. You will recieve an email to activate your account and then a followup email with your login name +# - 3. Login and navigate to your customer account : https://www.securiteinfo.com/clients/customers/account +# - 4. Click on the Setup tab +# - 5. 
You will need to get your unique identifier from one of the download links, they are individual for every user +# - 5.1. The 128 character string is after the http://www.securiteinfo.com/get/signatures/ +# - 5.2. Example https://www.securiteinfo.com/get/signatures/your_unique_and_very_long_random_string_of_characters/securiteinfo.hdb +# Your 128 character authorisation signature would be : your_unique_and_very_long_random_string_of_characters +# - 6. Enter the authorisation signature into the config securiteinfo_authorisation_signature: replacing YOUR-SIGNATURE-NUMBER with your authorisation signature from the link + +securiteinfo_authorisation_signature="YOUR-SIGNATURE-NUMBER" + +# ======================== +# Database provider update time +# ======================== +# Since the database files are dynamically created, non default values can cause banning, change with caution + +sanesecurity_update_hours="2" # Default is 2 hours (12 downloads daily). +securiteinfo_update_hours="4" # Default is 4 hours (6 downloads daily). +linuxmalwaredetect_update_hours="6" # Default is 6 hours (4 downloads daily). +malwarepatrol_update_hours="24" # Default is 24 hours (1 downloads daily). +yararulesproject_update_hours="24" # Default is 24 hours (1 downloads daily). +additional_update_hours="4" # Default is 4 hours (6 downloads daily). + +# ======================== +# Enabled Databases +# ======================== +# Set to no to disable an entire database, if the database is empty it will also be disabled. +sanesecurity_enabled="yes" # Sanesecurity +securiteinfo_enabled="yes" # SecuriteInfo +linuxmalwaredetect_enabled="yes" # Linux Malware Detect +malwarepatrol_enabled="yes" # Malware Patrol +yararulesproject_enabled="yes" # Yara-Rule Project, automatically disabled if clamav is older than 0.99 +additional_enabled="yes" # Additional Databases + +## Disabling this will also cause the yararulesproject to be disabled. 
+enable_yararules="yes" #Enables yararules in the various databases, automatically disabled if clamav is older than 0.99 + +# ======================== +# eXtremeSHOK Database format +# ======================== +# The new and old database formats are supported for backwards compatibility +# +# New Format Usage: +# new_example_dbs=" +# file.name|RATING #description +# " +# +# Rating (False Positive Rating) +# valid ratings: +# REQUIRED : always used +# LOW : used when the rating is low, medium and high +# MEDIUM : used when the rating is medium and high +# HIGH : used when the rating is high +# LOWONLY : used only when the rating is low +# MEDIUMONLY : used only when the rating is medium +# LOWMEDIUMONLY : used only when the rating is medium or low +# DISABLED : never used, or you can also comment the line out if you want +# +# Old Format is still supported, requiring you to comment out files to disable them +# old_example_dbs=" +# file.name #LOW description +# " + +# Default dbs rating +# valid rating: LOW, MEDIUM, HIGH +default_dbs_rating="LOW" + +# Per Database +# These ratings will override the global rating for the specific database +# valid rating: LOW, MEDIUM, HIGH, DISABLED +#sanesecurity_dbs_rating="" +#securiteinfo_dbs_rating="" +#linuxmalwaredetect_dbs_rating="" +#yararulesproject_dbs_rating="" + +# ======================== +# Sanesecurity Database(s) +# ======================== +# Add or remove database file names between quote marks as needed. To +# disable usage of any of the Sanesecurity distributed database files +# shown, remove the database file name from the quoted section below. +# Only databases defined as "low" risk have been enabled by default +# for additional information about the database ratings, see: +# http://www.sanesecurity.com/clamav/databases.htm +# Only add signature databases here that are "distributed" by Sanesecuirty +# as defined at the URL shown above. 
Database distributed by others sources +# (e.g., SecuriteInfo & MalewarePatrol, can be added to other sections of +# this config file below). Finally, make sure that the database names are +# spelled correctly or you will experience issues when the script runs +# (hint: all rsync servers will fail to download signature updates). + +sanesecurity_dbs=" # BEGIN SANESECURITY DATABASE +### SANESECURITY http://sanesecurity.com/usage/signatures/ +## REQUIRED, Do NOT disable +sanesecurity.ftm|REQUIRED # Message file types, for best performance +sigwhitelist.ign2|REQUIRED # Fast update file to whitelist any problem signatures +## LOW +junk.ndb|LOW # General high hitting junk, containing spam/phishing/lottery/jobs/419s etc +jurlbl.ndb|LOW # Junk Url based +phish.ndb|LOW # Phishing +rogue.hdb|LOW # Malware, Rogue anti-virus software and Fake codecs etc. Updated hourly to cover the latest malware threats +scam.ndb|LOW # Spam/scams +spamimg.hdb|LOW # Spam images +spamattach.hdb|LOW # Spam Spammed attachments such as pdf/doc/rtf/zip +blurl.ndb|LOW # Blacklisted full urls over the last 7 days, covering malware/spam/phishing. 
URLs added only when main signatures have failed to detect but are known to be "bad" +malwarehash.hsb|LOW # Malware hashes without known Size +## MEDIUM +jurlbla.ndb|MEDIUM # Junk Url based autogenerated from various feeds +lott.ndb|MEDIUM # Lottery +spam.ldb|MEDIUM # Spam detected using the new Logical Signature type +spear.ndb|MEDIUM # Spear phishing email addresses (autogenerated from data here) +spearl.ndb|MEDIUM # Spear phishing urls (autogenerated from data here) +badmacro.ndb|MEDIUM # Detect dangerous macros + +### FOXHOLE http://sanesecurity.com/foxhole-databases/ +## LOW +foxhole_generic.cdb|LOW # See Foxhole page for more details +foxhole_filename.cdb|LOW # See Foxhole page for more details +## MEDIUM +foxhole_js.cdb|MEDIUM # See Foxhole page for more details +## HIGH +foxhole_all.cdb|HIGH # See Foxhole page for more details + +### OITC http://www.oitc.com/winnow/clamsigs/index.html +### Note: the two databases winnow_phish_complete.ndb and winnow_phish_complete_url.ndb should NOT be used together. +# LOW +winnow_malware.hdb|LOW # Current virus, trojan and other malware not yet detected by ClamAV. 
+winnow_malware_links.ndb|LOW # Links to malware +winnow_extended_malware.hdb|LOW # contain hand generated signatures for malware +winnow.attachments.hdb|LOW # Spammed attachments such as pdf/doc/rtf/zip as well as malware crypted configs +winnow_bad_cw.hdb|LOW # md5 hashes of malware attachments acquired directly from a group of botnets +winnow_phish_complete_url.ndb|LOWMEDIUMONLY # Similar to winnow_phish_complete.ndb except that entire urls are used +# MEDIUM +winnow_spam_complete.ndb|MEDIUM # Signatures to detect fraud and other malicious spam +winnow.complex.patterns.ldb|MEDIUM # contain hand generated signatures for malware and some egregious fraud +winnow_extended_malware_links.ndb|MEDIUM # contain hand generated signatures for malware links +# HIGH +winnow_phish_complete.ndb|HIGH # Phishing and other malicious urls and compromised hosts **DO NOT USE WITH winnow_phish_complete_url** +### OITC YARA Format rules +### Note: Yara signatures require ClamAV 0.99 or newer to work +winnow_malware.yara|LOW # detect spam + +### SCAMNAILER http://www.scamnailer.info/ +# MEDIUM +scamnailer.ndb|MEDIUM # Spear phishing and other phishing emails + +### BOFHLAND http://clamav.bofhland.org/ +# LOW +bofhland_cracked_URL.ndb|LOW # Spam URLs +bofhland_malware_URL.ndb|LOW # Malware URLs +bofhland_phishing_URL.ndb|LOW # Phishing URLs +bofhland_malware_attach.hdb|LOW # Malware Hashes + +### RockSecurity http://rooksecurity.com/ +#LOW +hackingteam.hsb|LOW # Hacking Team hashes + +### CRDF https://threatcenter.crdf.fr/ +# LOW +#crdfam.clamav.hdb|LOW # List of new threats detected by CRDF Anti Malware + +### Porcupine +# LOW +porcupine.ndb|LOW # Brazilian e-mail phishing and malware signatures +phishtank.ndb|LOW # Online and valid phishing urls from phishtank.com data feed +porcupine.hsb|LOW # Sha256 Hashes of VBS and JSE malware, kept for 7 days + +### Sanesecurity YARA Format rules +### Note: Yara signatures require ClamAV 0.99 or newer to work +Sanesecurity_sigtest.yara|LOW # 
Sanesecurity test signatures +Sanesecurity_spam.yara|LOW # detect spam + +" # END SANESECURITY DATABASES + +# ======================== +# SecuriteInfo Database(s) +# ======================== +# Only active when you set your securiteinfo_authorisation_signature +# Add or remove database file names between quote marks as needed. To +# disable any SecuriteInfo database downloads, remove the appropriate +# lines below. +securiteinfo_dbs=" #START SECURITEINFO DATABASES +### Securiteinfo https://www.securiteinfo.com/services/anti-spam-anti-virus/improve-detection-rate-of-zero-day-malwares-for-clamav.shtml +## REQUIRED, Do NOT disable +securiteinfo.ign2|REQUIRED +# LOW +securiteinfo.hdb|LOW # Malwares in the Wild +javascript.ndb|LOW # Malwares Javascript +securiteinfohtml.hdb|LOW # Malwares HTML +securiteinfoascii.hdb|LOW # Text file malwares (Perl or shell scripts, bat files, exploits, ...) +securiteinfopdf.hdb|LOW # Malwares PDF +securiteinfoandroid.hdb|LOW # Malwares Java/Android Dalvik +# HIGH +spam_marketing.ndb|HIGH # Spam Marketing / spammer blacklist +" #END SECURITEINFO DATABASES + +# ======================== +# Linux Malware Detect Database(s) +# ======================== +# Add or remove database file names between quote marks as needed. To +# disable any SecuriteInfo database downloads, remove the appropriate +# lines below. +linuxmalwaredetect_dbs=" +### Linux Malware Detect https://www.rfxn.com/projects/linux-malware-detect/ +# LOW +rfxn.ndb|LOW # HEX Malware detection signatures +rfxn.hdb|LOW # MD5 malware detection signatures +" #END LINUXMALWAREDETECT DATABASES + +# ======================== +# Yara Rules Project Database(s) +# ======================== +# Add or remove database file names between quote marks as needed. To +# disable any Yara Rule database downloads, remove the appropriate +# lines below. +yararulesproject_dbs=" +### Yara Rules https://github.com/Yara-Rules/rules +# +# Some rules are now in sub-directories. 
To reference a file in a sub-directory +# use subdir/file +# LOW +email/EMAIL_Cryptowall.yar|LOW # CryptoWall Resume phish +Antidebug_AntiVM/antidebug_antivm.yar|LOW # anti debug and anti virtualization techniques used by malware +Exploit-Kits/EK_Angler.yar|LOW # Angler Exploit Kit Redirector +Exploit-Kits/EK_Blackhole.yar|LOW # BlackHole2 Exploit Kit Detection +Exploit-Kits/EK_BleedingLife.yar|LOW # BleedingLife2 Exploit Kit Detection +Exploit-Kits/EK_Crimepack.yar|LOW # CrimePack Exploit Kit Detection +Exploit-Kits/EK_Eleonore.yar|LOW # Eleonore Exploit Kit Detection +Exploit-Kits/EK_Fragus.yar|LOW # Fragus Exploit Kit Detection +Exploit-Kits/EK_Phoenix.yar|LOW # Phoenix Exploit Kit Detection +Exploit-Kits/EK_Sakura.yar|LOW # Sakura Exploit Kit Detection +Exploit-Kits/EK_ZeroAcces.yar|LOW # ZeroAccess Exploit Kit Detection +Exploit-Kits/EK_Zerox88.yar|LOW # 0x88 Exploit Kit Detection +Exploit-Kits/EK_Zeus.yar|LOW # Zeus Exploit Kit Detection +# MEDIUM +Malicious_Documents/maldoc_somerules.yar|MEDIUM # documents with malicious code +Malicious_Documents/Maldoc_Hidden_PE_file.yar|MEDIUM # Detect a hidden PE file inside a sequence of numbers (comma separated) +Packers/Javascript_exploit_and_obfuscation.yar|MEDIUM # JavaScript Obfuscation Detection +Packers/packer.yar|MEDIUM # well-known sofware packers +CVE_Rules/CVE-2010-0805.yar|MEDIUM # CVE 2010 0805 +CVE_Rules/CVE-2010-0887.yar|MEDIUM # CVE 2010 0887 +CVE_Rules/CVE-2010-1297.yar|MEDIUM # CVE 2010 1297 +CVE_Rules/CVE-2013-0074.yar|MEDIUM # CVE 2013 0074 +CVE_Rules/CVE-2013-0422.yar|MEDIUM # CVE 2013 0422 +CVE_Rules/CVE-2015-5119.yar|MEDIUM # CVE 2015 5119 +# HIGH +Crypto/crypto.yar|HIGH # detect the existence of cryptographic algoritms +" #END yararulesproject DATABASES + +# ========================= +# Additional signature databases +# ========================= +# Additional signature databases can be specified here in the following +# format: PROTOCOL://URL-or-IP/PATH/TO/FILE-NAME (use a trailing "/" in +# place 
of the "FILE-NAME" to download all files from specified location, +# but this *ONLY* works for files downloaded via rsync). For non-rsync +# downloads, wget and curl is used. For download protocols supported by +# wget and curl, see "man wget" and "man curl". +# This also works well for locations that have many ClamAV +# servers that use 3rd party signature databases, as only one server need +# download the remote databases, and all others can update from the local +# mirrors copy. See format examples below. To use, remove the comments +# and examples shown and add your own sites between the quote marks. +#additional_dbs=" +# rsync://192.168.1.50/new-db/sigs.hdb +# rsync://rsync.example.com/all-dbs/ +# ftp://ftp.example.net/pub/sigs.ndb +# http://www.example.org/sigs.ldb +#" #END ADDITIONAL DATABASES + + +# ================================================== +# ================================================== +# A D V A N C E D O P T I O N S +# ================================================== +# ================================================== + +# Enable or disable download time randomization. This allows the script to +# be executed via cron, but the actual database file checking will pause +# for a random number of seconds between the "min" and "max" time settings +# specified below. This helps to more evenly distribute load on the host +# download sites. To disable, set the following variable to "no". +enable_random="yes" + +# Enable to prevent issues with multiple instances running +# To disable, set the following variable to "no". +enable_locking="yes" + +# If download time randomization is enabled above (enable_random="yes"), +# then set the min and max radomization time intervals (in seconds). +min_sleep_time="60" # Default minimum is 60 seconds (1 minute). +max_sleep_time="600" # Default maximum is 600 seconds (10 minutes). 
+ +# Command to do a full clamd service stop/start +#clamd_restart_opt="service clamd restart" + +# Custom Command to fo a full clamd reload, this defaults to "clamdscan --reload" when not set +#clamd_reload_opt="clamdscan --reload" + +# Custom Command Paths, these are detected with the which command when not set +#uname_bin="/usr/bin/uname" +#clamscan_bin="/usr/bin/clamscan" +#rsync_bin="/usr/bin/rsync" +#wget_bin="/usr/bin/wget" +#curl_bin="/usr/bin/curl" +#gpg_bin="/usr/bin/gpg" + +# If running clamd in "LocalSocket" mode (*NOT* in TCP/IP mode), and +# either "SOcket Cat" (socat) or the "IO::Socket::UNIX" perl module +# are installed on the system, and you want to report whether clamd +# is running or not, uncomment the "clamd_socket" variable below (you +# will be warned if neither socat nor IO::Socket::UNIX are found, but +# the script will still run). You will also need to set the correct +# path to your clamd socket file (if unsure of the path, check the +# "LocalSocket" setting in your clamd.conf file for socket location). +#clamd_socket="/tmp/clamd.socket" + +# Set rsync connection and data transfer timeout limits in seconds. +# The defaults settings here are reasonable, only change if you are +# experiencing timeout issues. +rsync_connect_timeout="60" +rsync_max_time="180" + +# Ignore ssl errors and warnings, ie. operate in insecure mode. +downloader_ignore_ssl="yes" # Default is "yes" ignore ssl errors and warnings + +# Set downloader connection, data transfer timeout limits in seconds. +# The defaults settings here are reasonable, only change if you are +# experiencing timeout issues. +downloader_connect_timeout="60" +downloader_max_time="180" + +# Set downloader retry count for failed transfers +downloader_tries="3" + +# Set working directory paths (edit to meet your own needs). If these +# directories do not exist, the script will attempt to create them. 
+# Always located inside the work_dir, do not add / +# Sub-directory names: +sanesecurity_dir="dbs-ss" # Sanesecurity sub-directory +securiteinfo_dir="dbs-si" # SecuriteInfo sub-directory +linuxmalwaredetect_dir="dbs-lmd" # Linux Malware Detect sub-directory +malwarepatrol_dir="dbs-mbl" # MalwarePatrol sub-directory +yararulesproject_dir="dbs-yara" # Yara-Rules sub-directory +work_dir_configs="configs" # Script configs sub-directory +gpg_dir="gpg-key" # Sanesecurity GPG Key sub-directory +pid_dir="pid" # User defined pid sub-directory +add_dir="dbs-add" # User defined databases sub-directory + +# If you would like to make a backup copy of the current running database +# file before updating, leave the following variable set to "yes" and a +# backup copy of the file will be created in the production directory +# with -bak appended to the file name. +keep_db_backup="no" + +# When a database integrity has tested BAD, the failed database will be removed. +remove_bad_database="yes" + +# When a database is disabled we will remove the associated database files. +remove_disabled_databases="no" # Default is "no" since we are not a database managament tool by default. + +# Enable SELinux fixes, ie. running restorecon on the database files. +# **Run the following command as root to enable clamav selinux support** +# setsebool -P antivirus_can_scan_system true +# +selinux_fixes="no" # Default is "no" ignore ssl errors and warnings + +# If necessary to proxy database downloads, define the rsync and/or wget +# proxy settings here. For rsync, the proxy must support connections to +# port 873. Both wget and rsync proxy setting need to be defined in the +# format of "hostname:port". 
For wget, also note the https and http +#rsync_proxy="" +#curl_proxy="" +#wget_proxy_http="http://username:password@proxy_host:proxy_port" +#wget_proxy_https="https://username:password@proxy_host:proxy_port" + + +# Custom Cron install settings, these are detected and only used if you want to override +# the automatic detection and generation of the values when not set, this is mainly to aid package maintainers +#cron_dir="" #default: /etc/cron.d +#cron_filename="" #default: clamav-unofficial-sigs +#cron_minute="" #default: random value between 0-59 +#cron_user="" #default: uses the clam_user +#cron_bash="" #default: detected with the which command +#cron_script_full_path="" #default: detected to the fullpath of the script + +# Custom logrotate install settings, these are detected and only used if you want to override +# the automatic detection and generation of the values when not set, this is mainly to aid package maintainers +#logrotate_dir="" #default: /etc/logrotate.d +#logrotate_filename="" #default: clamav-unofficial-sigs +#logrotate_user="" #default: uses the clam_user +#logrotate_group="" #default: uses the clam_group +#logrotate_log_file_full_path="" #default: detected to the $log_file_path/$log_file_name + +# Custom man install settings, these are detected and only used if you want to override +# the automatic detection and generation of the values when not set, this is mainly to aid package maintainers +#man_dir="" #default: /usr/share/man/man8 +#man_filename="" #default: clamav-unofficial-sigs.8 + +# Provided two variables that package and port maintainers can use in order to +# prevent the script from removing itself with the '-r' flag +# If the script was installed via a package manager like yum, apt, pkg, etc. +# The script will instead provide feedback to the user about how to uninstall the package. 
+#pkg_mgr="" #the package manager name +#pkg_rm="" #the package manager command to remove the script + +# Custom full working directory paths, these are detected and only used if you want to override +# the automatic detection and generation of the values when not set, this is mainly to aid package maintainers +#work_dir_sanesecurity="" #default: uses work_dir/sanesecurity_dir +#work_dir_securiteinfo="" #default: uses work_dir/securiteinfo_dir +#work_dir_linuxmalwaredetect="" #default: uses work_dir/linuxmalwaredetect_dir +#work_dir_malwarepatrol="" #default: uses work_dir/malwarepatrol_dir +#work_dir_yararulesproject="" #default: uses work_dir/yararulesproject_dir +#work_dir_add="" #default: uses work_dir/add_dir +#work_dir_work_configs="" #default: uses work_dir/work_dir_configs +#work_dir_gpg="" #default: uses work_dir/gpg_dir +#work_dir_pid="" #default: uses work_dir/pid_dir + +# ======================== +# After you have completed the configuration of this file, set the value to "yes" +user_configuration_complete="no" + +# ======================== +# DO NOT EDIT ! +# Database provider URLs +sanesecurity_url="rsync.sanesecurity.net" +sanesecurity_gpg_url="http://www.sanesecurity.net/publickey.gpg" +securiteinfo_url="https://www.securiteinfo.com/get/signatures" +linuxmalwaredetect_url="http://cdn.rfxn.com/downloads" +malwarepatrol_url="https://lists.malwarepatrol.net/cgi/getfile" +yararulesproject_url="https://raw.githubusercontent.com/Yara-Rules/rules/master" + +# ======================== +# DO NOT EDIT ! +config_version="69" + +# https://eXtremeSHOK.com ###################################################### diff --git a/os.conf b/os.conf new file mode 100644 index 0000000..3982773 --- /dev/null +++ b/os.conf 
@@ -0,0 +1,38 @@ +# This file contains os configuration settings for clamav-unofficial-sigs.sh +################### +# This is property of eXtremeSHOK.com +# You are free to use, modify and distribute, however you may not remove this notice. +# Copyright (c) Adrian Jon Kriel :: admin@extremeshok.com +################## +# +# Script updates can be found at: https://github.com/extremeshok/clamav-unofficial-sigs +# +# Originially based on: +# Script provide by Bill Landry (unofficialsigs@gmail.com). +# +# License: BSD (Berkeley Software Distribution) +# +################## +# +# NOT COMPATIBLE WITH VERSION 3.XX / 4.XX CONFIG +# +################################################################################ +# SEE MASTER.CONF FOR CONFIG EXPLAINATIONS +################################################################################ +# Rename to os.conf to enable this file +################################################################################ + +# Debian 8 (Jessie) + +clam_user="clamav" +clam_group="clamav" + +clam_dbs="/var/lib/clamav" + +clamd_pid="/var/run/clamd.pid" + +clamd_restart_opt="service clamav-daemon restart" + +#clamd_socket="/var/run/clamav/clamd.ctl" + +# https://eXtremeSHOK.com ###################################################### diff --git a/user.conf b/user.conf new file mode 100644 index 0000000..dede3a2 --- /dev/null +++ b/user.conf 
@@ -0,0 +1,49 @@ +# This file contains user configuration settings for clamav-unofficial-sigs.sh +################### +# This is property of eXtremeSHOK.com +# You are free to use, modify and distribute, however you may not remove this notice. +# Copyright (c) Adrian Jon Kriel :: admin@extremeshok.com +################## +# +# Script updates can be found at: https://github.com/extremeshok/clamav-unofficial-sigs +# +# Originially based on: +# Script provide by Bill Landry (unofficialsigs@gmail.com). +# +# License: BSD (Berkeley Software Distribution) +# +################## +# +# NOT COMPATIBLE WITH VERSION 3.XX / 4.XX CONFIG +# +################################################################################ +# SEE MASTER.CONF FOR CONFIG EXPLAINATIONS +################################################################################ + +# Values in this file will always override those in the master.conf and os.conf files. +# This is useful to specify your authorisation/receipt codes and to always force certain options. +# Please note, it is your responsibility to manage the contents of this file. +# Values provided here are just examples, feel free to use any values from the main config file. + +#malwarepatrol_receipt_code="YOUR-RECEIPT-NUMBER" +#malwarepatrol_product_code="8" +#malwarepatrol_list="clamav_basic" # clamav_basic or clamav_ext +#malwarepatrol_free="yes" + +#securiteinfo_authorisation_signature="YOUR-SIGNATURE-NUMBER" + +# Default dbs rating +# valid rating: LOW, MEDIUM, HIGH +#default_dbs_rating="LOW" + +# Per Database +# These ratings will override the global rating for the specific database +# valid rating: LOW, MEDIUM, HIGH, DISABLE +#sanesecurity_dbs_rating="" +#securiteinfo_dbs_rating="" +#linuxmalwaredetect_dbs_rating="" +#yararulesproject_dbs_rating="" + +user_configuration_complete="yes" + +# https://eXtremeSHOK.com ###################################################### -- 1.7.10.4
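Review bot: the package description in debian/control does not match what master.conf actually configures: it lists MSRBL, for which master.conf has no *_enabled or *_url setting, and omits Linux Malware Detect and the Yara-Rules Project, which master.conf enables by default. "freshclamav" in the first paragraph should read "freshclam". Since master.conf notes the Yara-Rules database is "automatically disabled if clamav is older than 0.99", either say so in the description or version the `Depends: clamav` entry rather than relying only on `Suggests: clamav-daemon (>= 0.99.2)`.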
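Review bot: debian/copyright is a free-form BSD text; Debian packaging should use the DEP-5 machine-readable format with separate Files stanzas for the eXtremeSHOK fork and for Bill Landry's original, and the "you may not remove this notice" clause should be stated as part of the license terms rather than as a preamble so its effect on redistribution can be assessed. Typo in the same hunk: "Originially".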
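Review bot: the cron line in debian/cron.d guards on and runs /usr/sbin/clamav-unofficial-sigs.sh, but debian/install puts the script at usr/sbin as `clamav-unofficial-sigs` with no .sh suffix, so `[ -x /usr/sbin/clamav-unofficial-sigs.sh ]` is always false and the job never runs; drop the suffix in the cron line (the comment in this file and in debian/logrotate uses the same stale name). A fixed minute (54) also makes every installation hit the mirrors in the same minute; master.conf documents `cron_minute` as "random value between 0-59" and `enable_random` only adds up to `max_sleep_time` of spread, so substitute a random minute when generating the file instead of hard-coding one.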
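Review bot: the directories in debian/dirs (var/lib/clamav-unofficial-sigs and its gpg-key and configs subdirectories, var/log/clamav-unofficial-sigs) are created root-owned by dh, while debian/cron.d runs the script as `clamav` and debian/logrotate creates the log as clamav:clamav; nothing in postinst chowns them, and master.conf ships with `clam_user`/`clam_group` commented out (only os.conf sets them). Unless the script can change ownership as an unprivileged user, the cron run as clamav cannot write its work directory or log. Add a chown of those directories to clamav:clamav in postinst before the first run; the 3.5.4-1 changelog entry ("ensure correct ownership of all the files") describes exactly this step.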
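Review bot: master.conf and user.conf are where the MalwarePatrol receipt code and the SecuriteInfo authorisation signature go (user.conf explicitly says it is "useful to specify your authorisation/receipt codes"), yet debian/install ships them with dh_install's default 0644 mode, so those credentials end up world-readable under /etc/clamav-unofficial-sigs. Restrict them to root and the clamav user that runs the cron job, for example 0640 root:clamav via a dh_fixperms override or a chmod in postinst. Note also that all three files become dpkg conffiles; since user.conf is meant to be edited locally, any packaged change to it will produce a conffile prompt on upgrade.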
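Review bot: debian/postinst has the same path mismatch as cron.d: it tests `-x /usr/sbin/clamav-unofficial-sigs.sh` but debian/install names the script `clamav-unofficial-sigs`, so the guarded first run is never reached; the call on the following line already uses the suffix-less name, so only the test needs fixing. Once it is reachable, the script runs as root during package configuration and contacts the signature mirrors, and any files it creates under work_dir are root-owned for a cron job that runs as clamav; run it as the clamav user (runuser/su) or chown afterwards. `|| true` also hides the failure completely; at minimum emit a warning so a failed first fetch is visible in the install log.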
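Review bot: debian/preinst runs `rm -rf /etc/clamav-unofficial-sigs.conf.d`, `rm -f /etc/clamav-unofficial-sigs.conf` and `rm -rf /var/cache/clamav-unofficial-sigs` on every install and every upgrade, silently deleting admin-edited configuration in /etc with no backup. master.conf does say the new layout is "NOT COMPATIBLE WITH VERSION 3.XX / 4.XX CONFIG", but the migration should be a one-off gated on the previous version (`dpkg --compare-versions "$2" lt` the first version with the new layout, on upgrade) and should move the old files aside (for example with a .dpkg-old suffix) rather than delete them, so the credentials and settings in them can be carried over into user.conf. Style point: `[ "$1" = install -o "$1" = upgrade ]` uses the XSI `-o`; write it as `[ "$1" = install ] || [ "$1" = upgrade ]`.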
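Review bot: `downloader_ignore_ssl="yes"` as the packaged default in master.conf turns off TLS certificate verification for every wget/curl download, which covers the HTTPS SecuriteInfo, MalwarePatrol and raw.githubusercontent.com feeds; an on-path attacker could then substitute signature databases that clamd loads, so ship it as "no" and let an admin opt in only when a broken mirror forces it. Related: `sanesecurity_gpg_url` fetches the Sanesecurity public key over plain http, and `linuxmalwaredetect_url` is plain http with no signature, so the key that later authenticates the rsync databases is itself unauthenticated on first fetch; use https for the key URL or pin its fingerprint. Smaller issues in the same hunk: the trailing comment on `selinux_fixes` ("ignore ssl errors and warnings") is copy-pasted from `downloader_ignore_ssl`; and "Originially", "recieve", "agressive", "radomization", "fo a full clamd reload", "sofware", "algoritms" and "managament" are typos worth fixing before the file ships as a conffile.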
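Review bot: os.conf for Debian 8 sets `clamd_pid="/var/run/clamd.pid"` while master.conf uses /var/run/clamav/clamd.pid and the commented `clamd_socket` in the same file sits under /var/run/clamav/; the two should agree, so check the value against PidFile in the packaged clamd.conf. `clamd_restart_opt="service clamav-daemon restart"` also conflicts with the cron job running as the `clamav` user, which cannot restart the service (the 3.5.4-1 changelog entry notes exactly this limitation); leave it unset so the clamdscan --reload default applies, or document that it only works when the script is run as root. The header comment "Rename to os.conf to enable this file" is stale because debian/install already installs it under that name, and "EXPLAINATIONS" should be "EXPLANATIONS".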
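Review bot: user.conf lists `DISABLE` as a valid per-database rating, but master.conf defines the keyword as `DISABLED`; an admin copying the user.conf comment would set a value the other file does not recognise. The shipped user.conf also sets `user_configuration_complete="yes"`, which, since "Values in this file will always override those in the master.conf", removes the gate master.conf describes ("After you have completed the configuration of this file, set the value to yes") and lets the script run with the placeholder credentials YOUR-RECEIPT-NUMBER and YOUR-SIGNATURE-NUMBER while master.conf has `malwarepatrol_enabled="yes"` and `securiteinfo_enabled="yes"`. If the package is meant to work out of the box, disable the credentialed providers in the packaged defaults instead of pre-marking the configuration complete.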