NS8 and ClamAV signatures from SecuriteInfo

NethServer Version: 8
Module: Mail
I'm just testing NS8; please advise step by step how to configure ClamAV with signatures from SecuriteInfo.

Hi,

I tried this step by step; please correct me if I'm wrong.

  1. Access the mail1 container's console

    runagent -m mail1 bash -l

  2. Edit the environment
    vi environment

    # Add the following line and save

    CLAMAV_CUSCFG_VOLUME_FLAG=Z

  3. Restart ClamAV
    systemctl --user restart clamav

  4. Access to the clamav container’s console
    podman exec -ti clamav bash

  5. Edit freshclam.conf
    vi /etc/clamav/freshclam.conf
    # Add the following line and save

    DatabaseCustomURL https://www.securiteinfo.com/get/signatures/YOUR-SIGNATURE-NUMBER/securiteinfo.ign2
    DatabaseCustomURL https://www.securiteinfo.com/get/signatures/YOUR-SIGNATURE-NUMBER/javascript.ndb
    DatabaseCustomURL https://www.securiteinfo.com/get/signatures/YOUR-SIGNATURE-NUMBER/spam_marketing.ndb
    DatabaseCustomURL https://www.securiteinfo.com/get/signatures/YOUR-SIGNATURE-NUMBER/securiteinfohtml.hdb
    DatabaseCustomURL https://www.securiteinfo.com/get/signatures/YOUR-SIGNATURE-NUMBER/securiteinfoascii.hdb
    DatabaseCustomURL https://www.securiteinfo.com/get/signatures/YOUR-SIGNATURE-NUMBER/securiteinfoandroid.hdb
    DatabaseCustomURL https://www.securiteinfo.com/get/signatures/YOUR-SIGNATURE-NUMBER/securiteinfoold.hdb
    DatabaseCustomURL https://www.securiteinfo.com/get/signatures/YOUR-SIGNATURE-NUMBER/securiteinfopdf.hdb
    DatabaseCustomURL https://www.securiteinfo.com/get/signatures/YOUR-SIGNATURE-NUMBER/securiteinfo0hour.hdb
    DatabaseCustomURL https://www.securiteinfo.com/get/signatures/YOUR-SIGNATURE-NUMBER/securiteinfo.mdb
    DatabaseCustomURL https://www.securiteinfo.com/get/signatures/YOUR-SIGNATURE-NUMBER/securiteinfo.yara
    DatabaseCustomURL https://www.securiteinfo.com/get/signatures/YOUR-SIGNATURE-NUMBER/securiteinfo.pdb
    DatabaseCustomURL https://www.securiteinfo.com/get/signatures/YOUR-SIGNATURE-NUMBER/securiteinfo.wdb
  6. Edit user.conf
    vi /etc/clamav-unofficial-sigs/user.conf

    # Add the following line and save
    securiteinfo_authorisation_signature="YOUR-SIGNATURE-NUMBER"

Ciao Augustinus.

The procedure for custom AV signatures is documented here: ns8-mail/README.md at main · NethServer/ns8-mail · GitHub.

Your steps are quite similar; however, I can't say whether they work or not, and whether they're still effective after a ClamAV restart.

If something does not work properly, the documentation explains how to revert ClamAV config to the default.

“Yes, I’ve followed the step-by-step instructions from the provided URL and your video regarding containers. I haven’t yet migrated to NS8, as I’m still reviewing the entire configuration process before moving forward. Thanks for your feedback.”

Final working step-by-step; the configuration is persistent after restart.

Reference:

  1. NethServer 8 Deep Dive: how to run generic containers
  2. ns8-mail/README.md at main · NethServer/ns8-mail · GitHub
  3. ns8-mail/clamav/README.md at main · NethServer/ns8-mail · GitHub

Configure ClamAV for SecuriteInfo Signatures

  1. Access the mail1 container's console
    runagent -m mail1 bash -l

  2. Access the clamav container's console
    podman exec -ti clamav bash -l

  3. Edit user.conf
    vi /etc/clamav-unofficial-sigs/user.conf
    Add the following lines:
    #SecuriteInfo
    securiteinfo_dbs_rating="MEDIUM"
    securiteinfo_authorisation_signature="YOUR-SIGNATURE-NUMBER"
    securiteinfo_premium="yes"
    Note:
    Set securiteinfo_premium="yes" only if you have a premium account.
    user.conf.orig is pre-configured with default options to allow for quicker setup
    File location: /etc/clamav-unofficial-sigs/user.conf.orig

  4. Check if the signatures are being loaded
    clamscan --debug 2>&1 /dev/null | grep "loaded"

  5. Run the integrity test on a specific database file
    /usr/local/sbin/clamav-unofficial-sigs.sh -t securiteinfo.mdb

  6. View clamscan config
    clamconf -n

  7. Download the EICAR test files
    mkdir /etc/clamav-unofficial-sigs/eicar
    wget -P /etc/clamav-unofficial-sigs/eicar --user-agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36" https://www.eicar.org/download/eicar-com/?wpdmdl=8840&refresh=672ff3f3dc4c81731195891
    wget -P /etc/clamav-unofficial-sigs/eicar --user-agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36" https://www.eicar.org/download/eicar-com-2/?wpdmdl=8842&refresh=672ff3f5047de1731195893
    wget -P /etc/clamav-unofficial-sigs/eicar --user-agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36" https://www.eicar.org/download/eicar_com-zip/?wpdmdl=8847&refresh=672ff3f6238e11731195894
    wget -P /etc/clamav-unofficial-sigs/eicar --user-agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36" https://www.eicar.org/download/eicar-com-2-2/?wpdmdl=8848&refresh=672ff3f7425da1731195895
    wget -P /etc/clamav-unofficial-sigs/eicar --user-agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36" http://www.securiteinfo.com/etc/clamav-unofficial-sigs/eicar/SecuriteInfo.com.Eicar_test_file.13756
    wget -P /etc/clamav-unofficial-sigs/eicar --user-agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36" http://www.securiteinfo.com/eicar/SecuriteInfo.com.Eicar-Test-Signature.14788.14668.26795
    wget -P /etc/clamav-unofficial-sigs/eicar --user-agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36" http://www.securiteinfo.com/eicar/SecuriteInfo.com.Eicar_Test_Signature.366
    wget -P /etc/clamav-unofficial-sigs/eicar --user-agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36" http://www.securiteinfo.com/eicar/SecuriteInfo.com.Eicar_Test_Signature.6363
    wget -P /etc/clamav-unofficial-sigs/eicar --user-agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36" http://www.securiteinfo.com/eicar/SecuriteInfo.com.Eicar_Test_Signature.6869

  8. Test clamscan
    clamscan /etc/clamav-unofficial-sigs/eicar/*

The correct result is as below:

node:/# clamscan /etc/clamav-unofficial-sigs/eicar/*
Loading: 25s, ETA: 0s [========================>] 13.75M/13.75M sigs
Compiling: 6s, ETA: 0s [========================>] 42/42 tasks

/etc/clamav-unofficial-sigs/eicar/SecuriteInfo.com.Eicar-Test-Signature.14788.14668.26795: SecuriteInfo.com.Eicar-Test-Signature.14788.14668.26795.UNOFFICIAL FOUND
/etc/clamav-unofficial-sigs/eicar/SecuriteInfo.com.Eicar_Test_Signature.366: SecuriteInfo.com.Eicar_Test_Signature.366.UNOFFICIAL FOUND
/etc/clamav-unofficial-sigs/eicar/SecuriteInfo.com.Eicar_Test_Signature.6363: SecuriteInfo.com.Eicar_Test_Signature.6363.UNOFFICIAL FOUND
/etc/clamav-unofficial-sigs/eicar/SecuriteInfo.com.Eicar_Test_Signature.6869: SecuriteInfo.com.Eicar_Test_Signature.6869.UNOFFICIAL FOUND
/etc/clamav-unofficial-sigs/eicar/index.html?wpdmdl=8840: Eicar-Test-Signature.UNOFFICIAL FOUND
/etc/clamav-unofficial-sigs/eicar/index.html?wpdmdl=8842: Eicar-Test-Signature.UNOFFICIAL FOUND
/etc/clamav-unofficial-sigs/eicar/index.html?wpdmdl=8847: Eicar-Test-Signature.UNOFFICIAL FOUND
/etc/clamav-unofficial-sigs/eicar/index.html?wpdmdl=8848: Eicar-Test-Signature.UNOFFICIAL FOUND

----------- SCAN SUMMARY -----------
Known viruses: 13754279
Engine version: 1.2.2
Scanned directories: 0
Scanned files: 8
Infected files: 8
Data scanned: 0.00 MB
Data read: 0.00 MB (ratio 0.00:1)
Time: 35.764 sec (0 m 35 s)
Start Date: 2024:11:10 07:08:13
End Date: 2024:11:10 07:08:48

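As an added example (not code from this thread and not part of the ns8-mail project), here is a small POSIX shell script that automates the two checks the final procedure relies on: that user.conf from step 3 actually carries a real authorisation signature rather than the YOUR-SIGNATURE-NUMBER placeholder, and that a clamscan run over the EICAR directory (step 8) produced hits from the .UNOFFICIAL (SecuriteInfo) signatures and flagged every file. The function names, the sample user.conf content and the sample clamscan output are all constructed for this example; the path /etc/clamav-unofficial-sigs/user.conf is the one used in the thread.

```shell
#!/bin/sh
# Added example, not code from the thread or from the ns8-mail project.
# Post-setup checks for a clamav-unofficial-sigs + SecuriteInfo configuration:
# verify user.conf before running the update script, and verify from clamscan
# output that the unofficial signatures actually fired on the EICAR samples.
# Assumptions: runs inside the clamav container after the steps above, with
# user.conf at /etc/clamav-unofficial-sigs/user.conf as in the thread.

# check_user_conf FILE
# Returns 0 when the three SecuriteInfo settings are present and the
# authorisation signature is not the YOUR-SIGNATURE-NUMBER placeholder.
# A leftover placeholder is the usual reason the signature download fails.
check_user_conf() {
    f="$1"
    [ -r "$f" ] || { echo "user.conf not readable: $f" >&2; return 1; }
    for key in securiteinfo_dbs_rating securiteinfo_authorisation_signature securiteinfo_premium; do
        grep -q "^${key}=" "$f" || { echo "missing ${key} in $f" >&2; return 1; }
    done
    sig=$(sed -n 's/^securiteinfo_authorisation_signature="\([^"]*\)".*/\1/p' "$f" | tail -n 1)
    case "$sig" in
        ''|YOUR-SIGNATURE-NUMBER)
            echo "securiteinfo_authorisation_signature is still a placeholder" >&2
            return 1 ;;
    esac
    return 0
}

# write_sample_conf FILE SIGNATURE
# Writes a constructed user.conf with the settings from the thread, using
# SIGNATURE as the authorisation value (sample data, not a real signature).
write_sample_conf() {
    cat > "$1" <<EOF
#SecuriteInfo
securiteinfo_dbs_rating="MEDIUM"
securiteinfo_authorisation_signature="$2"
securiteinfo_premium="yes"
EOF
}

# count_unofficial_hits < clamscan-output
# Prints how many detections came from third-party signatures, i.e. lines
# ending in ".UNOFFICIAL FOUND". Official ClamAV hits end in just "FOUND".
count_unofficial_hits() {
    grep -c '\.UNOFFICIAL FOUND$' || true
}

# scan_caught_everything < clamscan-output
# Returns 0 when the SCAN SUMMARY shows at least one scanned file and every
# scanned file was flagged, which is what a directory of only EICAR samples gives.
scan_caught_everything() {
    summary=$(cat)
    scanned=$(printf '%s\n' "$summary" | sed -n 's/^Scanned files: \([0-9]*\)$/\1/p')
    infected=$(printf '%s\n' "$summary" | sed -n 's/^Infected files: \([0-9]*\)$/\1/p')
    [ -n "$scanned" ] && [ -n "$infected" ] || return 1
    [ "$scanned" -gt 0 ] && [ "$scanned" -eq "$infected" ]
}

# Constructed clamscan output in the format shown in the thread: two hits from
# SecuriteInfo (unofficial) signatures and one from the official EICAR signature.
SAMPLE_SCAN='/tmp/eicar/a: SecuriteInfo.com.Eicar_Test_Signature.366.UNOFFICIAL FOUND
/tmp/eicar/b: SecuriteInfo.com.Eicar_Test_Signature.6363.UNOFFICIAL FOUND
/tmp/eicar/c: Win.Test.EICAR_HDB-1 FOUND

----------- SCAN SUMMARY -----------
Known viruses: 13754279
Scanned directories: 0
Scanned files: 3
Infected files: 3'

# Stand-alone demo on the constructed data (no ClamAV needed to run it).
demo() {
    tmp=$(mktemp -d)
    write_sample_conf "$tmp/placeholder.conf" "YOUR-SIGNATURE-NUMBER"
    write_sample_conf "$tmp/filled.conf" "0123456789abcdef"   # constructed value
    if check_user_conf "$tmp/placeholder.conf" 2>/dev/null; then
        echo "placeholder conf passed (unexpected)"
    else
        echo "placeholder conf rejected, as intended"
    fi
    check_user_conf "$tmp/filled.conf" && echo "filled conf accepted"
    hits=$(printf '%s\n' "$SAMPLE_SCAN" | count_unofficial_hits)
    echo "unofficial detections: $hits"
    printf '%s\n' "$SAMPLE_SCAN" | scan_caught_everything && echo "every scanned file was flagged"
    rm -rf "$tmp"
}
demo
```

On a live system you would feed the real files instead of the constructed ones: `check_user_conf /etc/clamav-unofficial-sigs/user.conf` before running clamav-unofficial-sigs.sh, and `clamscan /etc/clamav-unofficial-sigs/eicar/* | count_unofficial_hits` after it. A count of zero with every file still flagged means only the official ClamAV EICAR signature fired and the SecuriteInfo databases were not loaded.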