clamav-unofficial-sigs-3.7.2/0000755000000000000000000000000012207147371014550 5ustar rootrootclamav-unofficial-sigs-3.7.2/INSTALL0000644000000000000000000001261012207147371015601 0ustar rootroot==================== GENERAL INFORMATION: ==================== The clamav-unofficial-sigs script and accompanying files are provided by Bill Landry (unofficialsigs@gmail.com) under general BSD licensing guidelines. The two files needed to download, test and update third-party ClamAV database files provided by Sanesecurity, SecuriteInfo, MalwarePatrol, OITC, etc., are the script itself (clamav-unofficial-sig.sh), and the user configuration file (clamav-unofficial-sigs.conf). Since the user configuration section has been separated from the script itself, the script now needs to reference the configuration file when run by using the "-c" flag when running the script. It is also recommended that a copy of the configuration file be place in the "default" location "/etc" so that it can be used when running the script manually without using the "-c" flag, or when running the script with the "-d" (decode virus signature), "-g" (check gpg signature), or "-s" (check database integrity) flags. This also provides a way to run the script with different configuration options when run via cron versus when run manually. Script updates can be found at: http://sourceforge.net/projects/unofficial-sigs ========================== INSTALLATION INSTRUCTIONS: ========================== WARNING: Renaming any of the files included in the tarball may cause the script to fail to remove all files, databases, and work directories from the system if the '-r' (remove script) flag is used. Uncompress/Unpackage the tarball: tar -zxf clamav-unofficial-sigs.tar.gz Move into the package directory: cd clamav-unofficial-sigs-(version) Make sure script files are executable and have the appropriate UID/GID set: chmod 755 *.sh chown : *.sh Configure: Edit the clamav-unofficial-sigs.conf file IMPORTANT CONFIGURATION CONSIDERATIONS: - Make sure that the PATH statement correctly defines the location of your binary files. These include: find, sed, awk, cut, grep, tail, chown, chmod, cmp, diff, dig, host, gzip, ls, cp, mv, test, gpg, xargs, sleep, urandom, chksum, rsync, curl, socat, etc. It has been reported that on Sun systems, the GNU utilities should be used rather than the default Sun versions. - System shell setting: Based on user feedback, it has been reported that "sh" works best for BSD variants, "ksh" for Sun Solaris, and "bash" for Linux variants. If you experience problems running the script, please try editing the top line of the script file and changing "sh" to either "ksh" or "bash" before reporting a problem. - Adjust configuration settings to meet your system requirements. Install: cp clamav-unofficial-sigs.sh /path/to/script_dir (usually something like /usr/local/bin) cp clamav-unofficial-sigs.conf /path/to/config_dir (/etc & usually something like /usr/local/etc) cp clamav-unofficial-sigs.8 /path/to/man/man8 (usually something like /usr/local/man/man8) cp clamav-unofficial-sigs-cron /path/to/cron.d (usually something like /etc/cron.d) cp clamav-unofficial-sigs-logrotate /path/to/logrotate.d (usually something like /etc/logrotate.d) ================== USAGE INFORMATION: ================== To run at specific time intervals, either use the include cron file or edit the user crontab: crontab -e To run hourly, at 15 minute after the hour (for example), add the following to crontab: 15 * * * * /path/to/clamav-unofficial-sigs.sh -c /path/to/clamav-unofficial-sigs.conf To run manually: /path/to/clamav-unofficial-sigs.sh -c /path/to/clamav-unofficial-sigs.conf or, if a copy of the config file is located in "/etc", simply: /path/to/clamav-unofficial-sigs.sh =================== SCRIPT FLAGS USAGE: =================== To create a bypass signature for temporarily resolving a false-positive issue with a third-party signature: /path/to/clamav-unofficial-sigs.sh -b To direct the script to use an alternate configuration file other than the one in /etc: /path/to/clamav-unofficial-sigs.sh -c /path/to/clamav-unofficial-sigs.conf To decode a hexadecimal encoded string or specific third-party signature and determine what database it is in: /path/to/clamav-unofficial-sigs.sh -d To encode an entire data string in hexadecimal for signature use in any '*.ndb' file: /path/to/clamav-unofficial-sigs.sh -e To encode a formatted data string that contains field spacers '{}, (), *' in hexadecimal, without encoding the field spacers, for signature use in any '*.ndb' file: /path/to/clamav-unofficial-sigs.sh -f To GPG Signature test a specific Sanesecurity database file: /path/to/clamav-unofficial-sigs.sh -g filename (e.g., -g junk.ndb) To view Help and Usage instructions: /path/to/clamav-unofficial-sigs.sh -h To output script configuration and system information: /path/to/clamav-unofficial-sigs.sh -i To make a hexadecimal signature database file (*.ndb) from a clear text ascii file: /path/to/clamav-unofficial-sigs.sh -m To completely remove the script and all of its associated files, databases and work directories: /path/to/clamav-unofficial-sigs.sh -r To clamscan integrity test a specific database file: /path/to/clamav-unofficial-sigs.sh -s filename (e.g., -s junk.ndb) To output third-party signature names that triggered during local HAM directory scanning, if enabled in the configuration file: /path/to/clamav-unofficial-sigs.sh -t To check version: /path/to/clamav-unofficial-sigs.sh -v clamav-unofficial-sigs-3.7.2/clamav-unofficial-sigs-logrotate0000644000000000000000000000021212207147371023007 0ustar rootroot/var/log/clamav-unofficial-sigs.log { weekly rotate 4 missingok notifempty compress create 0600 root root } clamav-unofficial-sigs-3.7.2/CHANGELOG0000644000000000000000000012243212207147371015766 0ustar rootrootThis file contains changes to the clamav-unofficial-sigs script written by Bill Landry (unofficialsigs@gmail.com). The script provides a simple way to download, test, and use third-party ClamAV signature databases provided by Sanesecurity, SecuriteInfo, MalwarePatrol, OITC, etc. Version 3.7.2 (updated 2013-08-25) - Added Sanesecurity signature whitelist "sigwhitelist.ign2" file to the list of default databases in the config file. - Added "-w" flag to support adding signature whitelist entries in "my-whitelist.ign2" file in the newer ClamAV IGN2 format. Do not manually add or remove whitelist entries from this file, the script will automatically remove whitelist entries when the offending signatures have been modified or removed from the third-party database. - DEPRECATED the "-b" (signature bypass) flag. Although still supported, it is highly recommend that you instead use the new "-w" flag, which supports the newer ClamAV IGN2 signature whitelist format. - Anchored grep searches when using the "-b" flag in order to more exactly match signature searches. Requested by Paul Wise. - Added rsync and curl timeout variables to the configuration file to allow the script user to define custom connect and overall download timeout values. Requested by Paul Wise. - Added a "setmode" variable to the script's configuration file to allow the script user to enable or disable the "chmod" command usage on the signature files and directory. Requested by Paul Wise. - Added detail to the config file regarding correct file name spelling, adding only relevant signature file names to the appropriate sections of the config file, and not placing anything other than correctly spelled signature file names inside the quoted signature name sections of the config file. - Modified "add_dbs" section of the script to properly retrieve http downloaded signature database files on first-time run. Issue reported by Blaine Fleming. - Changed script database reporting to reflect the correct author. - Updated my contact and script download information in all files and updated "man" pages to reflect flag changes and additions. Version 3.7.1 (updated 2010-06-06) - Added the rsync "-r" flag to the "add_dbs" section of the script in order to support directory recursion. Reguested by Jim L. - Changed from "host" to "dig" when doing the reverse lookup on the Sanesecurity rsync host being used. The former parse string was truncating the last letter of the FQHN on Debian systems. This change removes the final usage of the "host" command from the script. Issue reported by Ralf Hildebrandt. - Fixed an issue where corrupted SecuriteInfo databases might be created when the signature download site is down or inaccessable. The script will now delete SecuriteInfo signature databases from the download directory when corruptions issues are detected. - Rearranged some logging lines in the MalwarePatrol section of the script to resolve an issue with rsyncing files into the ClamAV production directory when logging is disabled. Issue reported by Marko Njezic. - Updated the SecuriteInfo sections of the script and config files to support the new (uncompressed) signature databases. Version 3.7 (updated 2010-01-23) - Removed MSRBL from script as the signature files have not been updated since July 2009. Script users should consider removing the MSRBL signature files (MSRBL-Images.hdb & MSRBL-SPAM.ndb) from their systems. - Rearranged some logging lines in the SecruiteInfo section of the script to resolve an issue some were having with rsyncing of files into the ClamAV production directory. Issue reported by Ted S. - Removed "+tcp" from the dig command as some sites are blocking DNS queries over TCP Port 53. Added instead the "+ignore" flag which will silence the "Truncated" warning when the DNS query-response is larger than a single UDP packet can contain. This is not an issue since the script initially uses the first listed IP address anyway. Issue reported by Matija Nalis. - Replaced "echo -ne" with "printf" when the script is run with the "-m" flag, for creating a signature file. The echo "-e" and in some cases "-n" flags are not universally supported by all system shells. Issue reported by Paul Wise. - Added new Sanesecurity distributed signature databases and updated the risk ratings for all signature databases listed in the config file based on info provided at www.sanesecurity.com/databases.htm. Version 3.6 (updated 2009-08-23) - Added "tr" to remove Windows CRLF from signatures in local.ign monitoring section. - Updated signature database monitoring section to better handle rearrangement of signature database file name placement in the configuration file. - Removed several of the config file reload options in favor of simplicity and most reliable options. - Changed rsync mirror lookup from 'host' to 'dig' with the hope that 'dig' is more universally consistent between OS platforms. Issue reported by Al Sterman. - Added the '-u' (timestamp check) flag to the rsync downloads so that signature databases will not be downloaded from mirrors that are out of sync and hosting old files. Requested by Wolfgang Breyha - Added a configuration variable that will provide the ability to scan a HAM (non-spam) directory with new signature databases and automatically remove signatures that trigger from the database before implementing. Requested by Mike Cardwell. - Added the '-t' flag to the script to output third-party signatures that trigger during the HAM directory scan, but only if the 'ham_dir' variable is enabled in the configuration file and hit were found. - Updated required utilities section of the config file. Requested by Micah Anderson. - Updated Manual page, README, and INSTALL files. Version 3.5.4 (updated 2009-06-25) - Removed an unnecessary early database reload when a change was detected by the script in the local.ign signature bypass file. - The script was not properly handling exit status when configured with full script output silence and database reloading was disabled. Issue reported by Andreas Prieß. - The script was not detecting bypass signature entry changes in local.ign if the entry did not include the line number in the bypass signature entry. Issue reported by Paul Enlund. - Windows convention is to end each line of text with the carriage return character followed by the newline character. In order to work around this, the script now strips the CRLF from the end of signature lines before testing for changes, modifications, or removal of local.ign bypassed signature entries. Issue reported by Paul Enlund. Version 3.5.3 (updated 2009-06-04) - Replaced 'sed -i' (in-place) 'replace/remove' code in the script with similar perl code. It was determined that sed varies too much between OS platforms. The differences between FBSD, Linux, Sun, and HPUX was too problematic to rely on sed for 'in-place' editing. Thanks to Larry Rosenman for testing the new perl code sections on all 4 platforms listed above. Version 3.5.2 (updated 2009-06-04) - Renamed the cron and logrotate files, changing the "." to "-" due the fact that some platform (such as Debian) have certain naming restrictions on cron file names that does not allow for the use of a "." in the file name. The documentation has also been updated. Consider renaming your files. Issue reported by Yizhar Hurwitz. - Added the sed "-e" (expression=script) flag to the 4 sed commands that use the "-i" (edit in-place) in the script's "-b" (create signature bypass) flag. Apparently without the sed "-e" flag, FreeBSD intreprets part of the expanded variable as a command. Issue reported by Larry Rosenman. - Replaced a misplaced hard link with the appropriate variable in the signature bypass section of the script. Issue reported by Larry Rosenman. - Added feedback in warning message regarding signature database name misspelling as a possible issue when all rsync mirror sites fail. - Improved the signature bypass code section that monitors hexadecimal signature modifications and removals and keeps local.ign updated. Version 3.5.1 (updated 2009-05-30) - Fixed an issue with the script exiting with an error condition if both "clamd_reload" is disabled and all script silence options are enabled. Issue reported by Andreas Prieß. - Fixed a /path/file statement that was pointing to a scan test file that was used while testing the script and then inadvertently left in the released script. Issue reported by Lukasz Czarnowski. - Moved all third-party signature databases labeled as medium and high risk (as defined at http://www.sanesecurity.com/clamav/databases.htm) into comment sections in the configuration file with a pointer to the above URL. This will require script users to consciously enable the usage of these potentially high false-positive risk databases rather than have them enabled by default. Requested by Steve Basford. Version 3.5 (updated 2009-05-25) - Added the '-m' flag that will make a hexadecimal signature database file (*.ndb) from a clear text, ascii source file that contains one data string entry per line that will then be converted into signature lines in the new database file. - Added the new INetMsg SpamDomains database to the config file. - Updated the INSTALL, README and manual page. Version 3.4 (updated 2009-05-22) - Modified the '-b' (create signature bypass) flag so that the script no longer deletes the local.ign file. The script now tracks changes to any signature bypass entries it creates in local.ign and will remove the signature bypass entry if either the original offending third-party signature being bypassed has been modified or has been removed from the third-party database. - Updated the INSTALL, README and manual page. Version 3.3 (updated 2009-05-19) - Updated the MalwarePatrol URL to now use their new download link. - Added a new '-f' flag that can now hexadecimal encode formatted input strings containing spacing fields '{}, (), *', without encoding the spacing fields. - Modified the perl code that hexadecimal encodes and decodes input strings so that they are more compact, efficient and the decoding will not decode spacer fields containing '{}, (), *'. Thanks to Mark Martinec for his assistence with this. - Tightened up a few sections of the script. - Updated the INSTALL document and manual page. Version 3.2 (updated 2009-05-14) - Repositioned a badly placed 'echo' command that was causing empty cron emails to be sent even if all silence variables were set in the config file and no error conditions existed. Issue reported by Andreas Prieß. - Added a '-b' switch that can be used to create a bypass signature for local.ign in order to temporarily resolve false-positive issues with a third-party signature. The local.ign file will automatically be deleted once its timestame shows the last change time to be at least 24 hours old. This is done in order to keep bypass entries from becoming stale. - Updated the README and INSTALL documents, and the manual page. Also updated the cron file to point the script location to /usr/local/bin/ instead of /usr/bin/. This also matches the base path to the config file (/usr/local/). Version 3.1 (updated 2009-05-11) - The script now strips all single (') and double (") quote marks from input to the '-d' (decode) flag. - Added the missing SecruiteInfo '*.gz' files to the list of files to be removed from the system with the "-r" (remove) flag or when uninstalled via a package manager. Reported by Paul Wise. Version 3.0 (updated 2009-05-10) - Added a couple of missing stderr redirects. Reported by Paul Wise. - Updated the manual page and README and INSTALL documentation. - Added cron and logrotate files to the tarball. - Added a '-r' (remove script) flag that will allow the script user to easily remove the script and all of its associated files and databases and work directories from the system. - Provided two variables that package and port maintainers can use in order to prevent the script from removing itself with the '-r' flag if the script was installed via a package manager like yum, apt, pkg, etc. The script will instead provide feedback to the user about how to uninstall the package. - Added the ability to disable execution of "chown" (the setting of user and group permissions on files and directories) if either the "clam_user" or "clam_group" or both variables are commented in the config file. Requested by Micha Lenk - The script will now decode input from both third-party signature names (e.g.: Sanesecurity.Junk.15248) and hexadecimal encoded strings. - The script now supports decoding of third-party signatures that include spacing information within the hexadecimal string (e.g.: {-50}) and will now output the decode string with the spacing information intact. - Added the '-e' (encode) flag that will hexadecimal encode any input string and output a hexadecimal string that can be used in any *.ndb type signature database. - The script will now do a database reload if it detects that signature databases have been removed from the configuration file and deleted from the system. It will also report this information via cron email, if enabled, and will also write this information to the log file, if logging is enabled. Version 2.8 (updated 2009-05-01) - Added file management to the script so package/port maintainers can easily uninstall/purge the script's installation. This same "purge.txt" file, which can be found in the script's '$config_dir' directory, can also be used by script users to manually remove the script and all of its associated files. - Added file removal to the script so that legacy databases and backup files are completely removed from the file system if removed or disabled in the script's configuration file. Any legacy files that reside on the file system prior to using this version of the script will need to be removed manually. This is also true if migrating to this script from some other download script, due to different file naming conventions. - Added support for the rsync "--contimeout" flag, if the local rsync client supports this new flag. This provides a means to timeout a connection attempt after some time interval specified by the flag (set to 30 seconds in the script) when an rsync server is not responding to the connection attempt. - Added some additional output for the script's '-g' (GPG signature test) and '-s' (clamscan integrity test) flags which will output flag specific feedback to the user and provide for an easy way to copy/paste valid databases that can be tested with each flag. - The script's '-d' (decode virus signature) flag will now also output what database the virus signature was found in. - If the script is run in silent mode, it now silences all rsync error conditions and will only output error information if all rsync mirror connection attempts fail. Therefore, when running silent via cron, the script will not report an rsync connection failure as long as the script was able to successfully connect to an alternate mirror. If script logging is enabled, all rsync connection information will still be written to the log file. - Added support for the new Sanesecurity 'jurlbla.ndb' database. - Added manual page written by Paul Wise , for the Debian project. Version 2.7.3 (updated 2009-04-25) - Added error checking to GPG signature tests and will now fall-back and retest using different parameters if an error is detected. - Added error checking to "find" command and will now fall-back and try several alternatives (from most favorable to least favorable) until the command is run successfully. - Removed the rsync "-r" (recurse into directories) flag since we don't need it, as the script only syncs with those files that have been specifically defined if the '--files-from' file. - Changed the script's '-d' flag to '-i', to "Output system and configuration information". - The script's '-d' flag will now 'decode' ClamAV 'UNOFFICIAL' 3rd-Party signatures for viewing. The script will NOT decode image signatures (for obvious reasons), nor ClamAV 'OFFICIAL' signatures, due to the various signature formats. Version 2.7.2 (update 2009-04-23) - ***** ALERT - ALERT - ALERT - ALERT - ALERT - ALERT - ALERT ***** The script name has been changed. This has been done to facilitate packaging and redistribution of the scripts by various OS package and port maintainers. By renaming the script and tarball from "unofficial-clamav-sigs" to "clamav-unofficial-sigs", the package will show up when using package managers like yum, apt, pkg, etc., to install ClamAV and its supporting and complementary packages. Please be sure to make the necessary changes to your cron jobs to support the new script and config file names. - Added the new Winnow (winnow_spam_complete.ndb) and Sanesecurity (jurlbl.ndb) database files. - Added a safety net to all "rm" commands in the script in order to prevent script config file editing errors that could potentially cause deletion of unintended files and/or directories. Thanks to Mike Cappella for suggesting this. - Modified the script's "getopts" section logic to make it more efficient and easier to understand. Thanks to Mike Cappella for his comments and suggestions in this area. Version 2.7.1 (updated 2009-04-17) - Fixed a bug in the output of the script's '-s' flag (clamscan database integrity test), which would always erroneously output 'scam.ndb' as the database file being tested. - Added missing 'curl_proxy' variable to the Sanesecurity GPG Key download section. - Added an open-source license so that OS package maintainers can package the scripts for redistribution. - A duplicate tarball with the version number included in the file name is now also located in the download directory. This is done so that package maintainers can easily determine if an update has been released. Version 2.7 (updated 2009-03-31) - Added new signature database options: winnow_malware.hdb winnow_phish_complete.ndb winnow_phish_complete_url.ndb See the "unofficial-clamav-sigs.conf" file for usage information. - Revised the email report output of the SecruiteInfo update checks. - Minor modifications to the script's email report comments. - Minor change to the rsync update checks (using "--files-from=FILE" instead of "--include-from=FILE", and therefore no longer needing to use "--exclude=PATTERN"). This also configures rsync to report in its output the exact number of files it is checking for updates. - Apparently there's a problem with some versions of "xargs" causing the script to report "chmod: missing operand after `0644'" when used with the "find" command. The script has been changed to now use "-exec chmod 0644 {} +" instead of "xargs -0 chmod 0644", which is hopefully more widely supported. Reported by Chris Kuhles. - Minor update to INSTALL document to make the instructions flow more logically. Reported by Anthony Cartmell. Version 2.6 (updated 2009-03-25) - The script will now try alternate rsync mirror sites if a site fails for any reason, and will continue trying alternate mirror sites until either successful or all mirror sites have failed. The script will also report and log all failed attempts. This is only applicable to Sanesecurity and MSRBL, as these are currently the only two signature providers that use rsync and provide multiple mirror site locations. - Changed permissions on gpg_dir from 0600 to 0700, as the execute bit is necessary for access to this directory, with the exception being the root account on some distros. Reported by Jernej Porenta. - Corrected a typo in the GPG Signature verify example in the INSTALL file. It should have been: "unofficial-clamav-sigs.sh -g filename", not "-c". Reported by Jernej Porenta. Version 2.5 (updated 2009-03-20) - Changed permissions on gpg_dir from 0644 to 0600, otherwise GPG will report: "WARNING: unsafe permissions on homedir...". - Added "--exclude=*.gz" to the user defined "add_dbs" rsync downloads to prevent compressed files from being downloaded from local mirrors. Requested by Jim Lohiser. - Added comments to the config file with recommendations for specific shell options for different OS platforms, as well as additional path statement instructions. This information is based off of feedback from various script users. Suggested by Jeff Earickson. - Updated the INSTALL document to include information about defining the correct shell and path settings for different OS platforms. - Updated some script comments to make them more applicable with recent script updates. - It's recommended that rsync version 2.6.9 or newer is used, as older versions do not support the '--no-motd' flag. This is not an issue, as the flag is disabled if it's not supported. However, if the "rsync_silence" variable is not being used, the output will contain any "message of the day" text that is presented by the rsync mirror site being used for the update check. - Changed "$1" to "${@:-}" in the "comment" and "log" functions in order to prevent otherwise potentially puzzling errors. This was recommended by Charles Seeger. Version 2.4 (updated 2009-03-15) - Expanded the script's '-h' help and usage information output. - Added the following script flags: '-d' output system & configuration information for debug purposes '-g' gpg signature test a specific Sanesecurity database file '-s' clamscan integrity test a specific database file - Split the scripts RSYNC_PROXY 'PATH' and 'EXPORT' statements onto 2 separate lines. Version 2.3 (updated 2009-03-13) - Broke the PATH and EXPORT statements into two separate lines. Apparently some shells do not like "export PATH" on one line. - Added some perl based reload options for those that want to signal the clamd socket to do a reload after database updates but do not have socat installed on their systems. Also added socat and perl reload options for those running clamd with a tcp socket versus a local unix socket. - Modified help (-h) output and also provide better error handling. - Updated comments and logging to better reflect script changes. - Added comments and logging so as to provide better information about how the script ran. - Reconfigured GPG key handling and signature verifying. This will hopefully resolve the issue that some have been experiencing with GPG signature tests failing when run via cron. - The script now does a "chmod 0644" of the $work_dir to set access permissions to "-rw-r--r--" on all $work_dir files. - Rearranged the clamd status tests in both unofficial-clamav-sig.sh and clamd-status.sh scripts to run perl socket tests first, as it has been reported that the soon to be release ClamAV version 0.95 may not respond to a socat PING with the requisite PONG on some OSs, thereby causing the script to erroneously report clamd as not running and attempting to restart it. It has also been reported that adding a pause to the socat test seems to resolve the issue, so the pause has also been added to the script, as well. - Added the "-T" (enable TCP/IP mode) flag to the "host" lookups, as Patrick Cernko reported that without enabling tcp mode, that the response exceeded the maximum data that can be stored in a UDP packet. This was causing the "host" binary to report: "Truncated, retrying in TCP mode". - Added "rsync_proxy" and "curl_proxy" variables so that users that need to proxy their rsync and/or curl database downloads can now define them in the configuration file instead of having to edit the script itself. Requested by Flávio do Carmo Júnior. Version 2.2 (updated 2009-03-07) - Updated logging identifications (INFO, WARNING, ALERT, CRITICAL) so that logged events are more appropriately labeled. - Now using "checksum" with rsync to determine whether files have been updated instead of "timestamp/file-size", which has been shown to be unreliable with Sanesecurity files (although this may be resolved now). Also using "checksum" update verification with MSRBL files, as well. Currently, all Sanesecurity and MSRBL mirror sites support "checksum" file change testing. - Switched from "diff" to "cmp" to check whether downloaded database files are different then those running in production. Apparently "cmp" is more portable across platforms then "diff". This keeps the script from unnecessarily reloading ClamD's databases when no file changes are detected. - Now logging rsync and curl connection/download failures. - Now using rsync to update files in production instead of copy/move that was used previously. The script also no longer uses temp_dir. - Created a variable option that allows users to add database sites. This will also allow users that have many local servers using third party (unofficial) signature databases to create a local mirror so that the files can be downloaded once and all other servers update via the local mirror. Supports rsync and all download protocols supported by curl (see "man curl" for supported protocols). - The script has been consolidated and tighten as unnecessary routines have been removed and additional logic implemented to reduce size. Version 2.1b (updated 2009-02-26) - Changed MalwarePatrol database download from using older .db format to the newer .ndb format. - Check to see if the older mbl.db and mbl.db-bak files exist, and if so, delete them at the next MalwarePatrol database download of the newer mbl.ndb database file format. - Added another database reload option for those that have "socat" installed on their systems. - If "enable_random" is enabled in the script, then the pause time is now written to the log file. - Minor comment and logging info cleanup. - Updated README and INSTALL documents. - Added a logging option to the clamd-status.sh script. Version 2.1a (updated 2009-02-21) - Implemented patch to create functions for silencing comments and for logging as provided by Panagiotis Christias. - Moved the section that tests for whether the script is being run from the console or via cron to the top and removed the prompt when run manually from the console. Also enabled all script script output to screen when run manually. - Changed MalwarePatrol URL from IP address back to www.malware.com.br (this was an oversight leftover from testing). - Added code to the unofficial-clamav-sigs.sh and clamd-status.sh scripts to delete any orphaned daemon process files (pid, lock, socket) before attempting to start ClamD after a crash. Version 2.1 (updated 2009-02-20) - Provided a default location for the script's configuration file. Now the script can be run either with the "-c" flag, or without any flag, as long as the config file resides in the /etc directory. If you feel compelled to change the default config file location, it is the first variable located near the top of the script file. - Several people have requested logging capabilities. The samples that have been provided used the OS's logging facility. I didn't want to clutter up the "messages" or "maillog" with output from the script, so I've instead implemented more rudimentary logging that writes its output to a user defined log file. - Others have requested the ability to completely silence the script's output so that when run via cron, no emails are generated except when an error condition has been reported. This has now been done. - Some additional script logic corrections and code cleanup have also been made in this update. Version 2.0c (updated 2009-02-12) - Separated the script into 3 files, Script, Config, & Changelog. Now users will no longer have to update the user configuration section of the script every time the script is updated. - Removed the redirect of STDERR to /dev/null for the shell's RANDOM test since it's not necessary there. - Created a separate clamd status and restart script. The code section still remains in unofficial-clamav-sigs.sh script, as well, but can be disabled there if a user wants to run status checks more often then signature database downloads. Version 2.0b (updated 2/10/09) - Added a "diff" test that is run prior to moving a new database file into the clamav directory. If there is no difference between the 2 database files, then the script will report that it's testing the updated (but unchanged) database file. Processing of the database file will still continue so that the file timestamps stay synced. This test was added because it's been noted that some database files are repeatedly being download, even when nothing has changed. This test will assist in tracking down this issue. - Added a variable to silence the gpg output (based on a request from Steffen Ille). - Added a variable to silence most of the scripts text output. When all "silence" variables are enabled, the script will only output the database provider section headers, any error output from the GPG Signature verification tests and Clamscan database integrity tests, and whether updates were detected and clamd reload or not. - Corrected some script logic errors and missing (parenthesis) around some of the "test" command lines. Version 2.0a (updated 2/8/09) - Moved all SecuriteInfo *.gz files out of the clam_dbs directory and placed them instead into the si_dirs directory. Also moved the MBL and SecuriteInfo timestamp files (last-*-update.txt) out of the clam_dbs directory and placed them into the config_dir (based on suggestions from Panagiotis Christias). - Added a variable about whether to create a backup database file before moving an updated database file into the clam_dbs directory (based on suggestions from Panagiotis Christias). - Added a check to confirm that the local SecuriteInfo .gz file exists before doing an "rsync -z" (time condition) test against the remote rsync server's file. - Added a check to test that the uncompressed SecuriteInfo database files exist, are greater than zero, and are newer than the existing database files before proceeding with further database testing and processing. - Added a check to test that the MalwarePatrol database file exists, is greater than zero, and is newer than the existing database file before proceeding with further database testing and processing. - Changed "test_dir" to "temp_dir" since we no longer test database files in this directory. It is now only used as a temporary location for copying files to before moving them into the clam_dbs directory. - Database files for all unofficial database providers are now kept in their working sub-directories. The only directory that remains empty between updates now is the temp_dir directory. Version 2.0 (update 2/6/09) - Added some missing variable quotes and also added some additional checks to confirm which database providers and database files to update (based on suggestions from Alex Pleiner). - Major rearrangement of the scripts layout in order to make the flow more logical. Also consolidated some of the functions and variable names so they could be reused in different parts of the script. - Added a time variable to the SecuriteInfo checks so that the update checks could be configured on an hourly or daily basis (based on request from Bill Maidment). - Removed use of "." to define the current directory and instead used absolute path. This also removed the requirement for the shell to cd into the clamav directory. Version 1.9d (updated 2/5/09) - Added variable "reload_dbs" to enable/disable database reloads after a database has been updated. - Added variable "reload_opt" to select or set how to reload the databases after an update, if "reload_dbs" variable is set to "yes" (based on request from Bob Hutchinson). Version 1.9c (updated 2/4/09) - Added missing "&&" operators to the rsync download sections of the script (thanks to Paul Henson for catching this). Version 1.9b (updated 2/4/09) - Changed final directory permissions execution from "chmod 0664" to "chmod u+Xrw" so as not to change sub-directory permissions (based on recommendation from Daniel McDonald). - Consolidated working directory path to a single variable to simplify script directory location changes (based on request from Justin Davis). - Changed clamd database reload command from "kill -USR2 `cat $clamd_pid`" to "clamdscan --reload" (inspired by Malcolm Scott). - Inadvertently removed a script line from the rsync download section that saved a backup copy of the running database file before the database was updated - it's now been re-added. Version 1.9a (updated 2/4/09) - Added variable to silence rsync output, as already done for curl (based on request from Daniel McDonald). - Changed the rsync "-a" (archive) flag to "-rt" in order to ignore source ownership & permission settings when files are downloaded (based on feedback from Jeff Dairiki). Version 1.9 (updated 2/3/09) - Thanks to Jeff Dairiki & Steve Basford for their suggestions of using "--include-from=FILE" and "--exclude=PATTERN" with rsync to control database file downloads via a single connection. - Rewrote Sanesecurity and MSRBL rsync sections. Now all user specified databases will be downloaded over a single connection. - Script output will now show which Sanesecurity and MSRBL mirror the connection was made to. - Script output will also show the success or failure of GPG signature testing and clamscan database integrity testing for each updated file. - Database files now have permissions set (chmod & chown) before they are moved into the clamav working directory. A final check is also still done at the end of the script, as well. - Some variable names have changed or been removed, as well as some directory paths added, removed, or changed to better accomodate single rsync connection downloads, so carefully review the user configuration section before using the script. Version 1.8a (updated 2/1/09) - Added Sanesecurity.ftm & Sanesecurity.ftm.sig to the Sanesecurity rsync database downloads (this helps clamav determine the signature type to use when scanning email files). - Added output for GPG signature test results (reports good or bad GPG signature test results). - If using clamd daemon monitoring and crash restart, added a check to see if clamd's lock file still exists after the crash and deletes it if it does (the orphaned clamd lock file can sometimes prevent clamd from restarting after a crash has occurred). Version 1.8 (updated 1/21/09) - Changed Sanesecurity downloads from using curl to rsync. - Automatically download and import Sanesecurity GPG key to keyring. - Automatically download, and check for updated Sanesecurity GPG Signature files. - Test Sanesecurity database downloads against GPG Signature files before integrity testing databases with clamscan. If either test fails, that database file will not be updated. - Added and modified working directory paths to better accommodate gpg Signature testing. Version 1.7d (updated 10/5/08 - Thanks to Burt Heymanson for his contribution to this update - silence curl output) - Added 2 new Sanesecurity databases: junk.ndb & rogue.hdb. - Added a configuration option to silence curl output to only report errors to stderr rather than all download stats. Version 1.7c (updated 9/25/07 - Thanks to Dennis Peterson and Jan-Perter Cornet for the perl solution for calculating seconds since epoch) - Added timeout values to curl and rsync downloads in order to prevent the script from hanging on a non-responsive host site. - Apparently Solaris does not support "date +%s", which calculates the number of seconds since epoch. This date function is used to calculate when to do MBL downloads. A perl solution has been added as a fall-back option. If "date +%s" is not supported and perl is not found on the system, the script will report a warning message and skip MBL updates, but the script will continue processing other third-party database updates. Version 1.7b (updated 9/23/07) - Changed all script "`expr ...`" interger expressions to the shell supported "$((...))" format, which is what was being used in all other newer sections of the script. So this change should not pose any problems, but if it does, please let me know. - Changed all clamscan database file tests from using /dev/null, which was causing an access permissions issues to the temporary directory for some users, to a direct path to a temp test file. Version 1.7a (updated 9/10/07) - Added secondary perl socket test to detect if clamd is running. This test uses the 'IO::Socket::UNIX' perl module. If socat is not found on the system, then the script will attempt to use the perl module instead (the user will be warned if neither socat nor IO::Socket::UNIX are found, but the script will still run updates). - Added two new SecuriteInfo database file URLs. - Updated comments to reflect the additional perl socket test. Version 1.7 (updated 9/7/07) - Added a check to see if ClamD is running or not. This can be used if clamd is running in "LocalSocket" mode (*NOT* TCP/IP mode), and socat is installed on the system (a check for socat is done). This test can be enabled in the "User Edit" section below. - Added a user configurable variable to attempt to restart clamd if it's detected to not be running. - Added notification when database file updates are *NOT* detected and databases are *NOT* reloaded, rather than just when they are detected. - Added more portable secondary randomization code, removing the requirement to have the bash shell installed. - Added general improvements to the time randomization code so that the time interval does not always end with a zero. - Added user configurable min and max variables for setting time randomization intervals (defaults to min=60 and max=600 seconds). - Added terminal detection to determine whether the script is being run manually or via cron. If run manually, the script will now prompt the user to see if they want to delay the script execution (random) or not. If "yes" is selected, then the script will pause and display a visual countdown in seconds until script execution. - Added a variable that the user must set before the script will run. This will effectively require that script users at least minimally review the "User Edit Section" before running the script. - Rearranged some sections, timestame placement, and updated comments. Version 1.6 (updated 8/27/07) - Added support for SecuriteInfo and Malware Black List database file downloads. - Changed the script name from ss-msrbl.sh to unofficial-sigs.sh since there are now 4 different database providers supported. - Since the MBL database is dynamically created and therefor cannot be checked for change before downloading, a variable was added so that a specific download time interval can be set (see the "USER EDIT SECTION" below). - Added database file download time randomization (to disable randomization, see the "USER EDIT SECTION" below for details). Version 1.5 (updated 8/17/07 - Thanks to Dan Larsson for his contributions to this update) - Added separate variable for ClamAV group ID for setting appropriate file group access permissions. - Added variables for database file update URLs. - Added support for automatic reloading of databases when updates are found. Version 1.4 (updated 7/13/07) - Added checks to verify that the database files exist, and if not, do an initial download, decompress and test. - Added variables for clamav database location path and clamd user account (the account that clamd runs under). - Added/modified script comments. Version 1.3 - Added checks to either confirm the existence of the temporary working directories or to create them. - Changed "cp --reply=yes" to "cp -f". If this causes problems with older versions of "cp", you will need to change it back. Version 1.2 - Repointed URLs for Sanesecurity downloads to the new mirror redirect links. Version 1.1 - Converted MSRBL downloads from curl to rsync. Version 1.0 (initial script created). clamav-unofficial-sigs-3.7.2/clamav-unofficial-sigs.80000644000000000000000000000632312207147371021170 0ustar rootroot.\" Manual page for clamav-unofficial-sigs.sh .TH clamav-unofficial-sigs 8 "August 25, 2013" "Version 3.7.2" "SCRIPT COMMANDS" .SH NAME clamav-unofficial-sigs \- Download, test, and install third-party ClamAV signature databases. .SH SYNOPSIS .B clamav-unofficial-sigs .RI [ options ] .SH DESCRIPTION \fBclamav-unofficial-sigs\fP is a shell script that downloads, updates and tests the Sanesecurity, SecuriteInfo, MalwarePatrol, OITC, etc. third-party signature databases for ClamAV. .SH OPTIONS This script follows the standard GNU command line syntax. A summary of the options is shown below. .TP .B \-b DEPRECATED - Consider using -w instead, it supports the newer ClamAV signature whitelist functionality. .br Add a bypass signature entry to local.ign in order to temporarily resolve a false-positive issue with a third-party signature. The script will monitor any entries it makes to local.ign and will automatically remove bypass entries if either the original signature has been modified or removed from the database. .TP .B \-c FILE-NAME Source configuration information from a different file. .TP .B \-d Decode a hexadecimal encoded string or an individual ClamAV 3rd-party signature for viewing. This will not decode image signatures nor the official signatures. .TP .B \-e Encode a entire input string in hexadecimal for signature usage in any *.ndb database. .TP .B \-f Encode a formated input string in hexadecimal that contains spacing field '{}, (), *', without encoding the spacing fields, for signature usage in any '*.ndb' database. .TP .B \-g FILE-NAME Verify the GPG signature for a specific SaneSecurity database file. Only specify the filename as listed in the configuration file and the script will search for it in the work directory. .TP .B \-h Print the script help and usage information. .TP .B \-i Print system and script configuration information. .TP .B \-m Make a hexadecimal signature database file (*.ndb) from a clear text ascii file. Provides support for both full and formatted signatures. Additional information is provided when using the flag. .TP .B -r Remove the clamav-unofficial-sigs script and all of its associated files, databases and work directories from the system. .TP .B \-s FILE-NAME Test the integrity of a third-party signature database with clamscan. Only specify the filename as listed in the configuration file and the script will search for it in the work directory. .TP .B \-t If HAM directory scanning is enabled in the script's configuration file, then output the names of any third-party signatures that triggered during the HAM directory scan. .TP .B \-v Print the script version and date information. .TP .B \-w Adds a signature whitelist entry in the newer ClamAV IGN2 format to 'my-whitelist.ign2' in order to temporarily resolve a false-positive issue with a specific third-party signature. Script added whitelist entries will automatically be removed if the original signature is either modified or removed from the third-party signature database. .SH SEE ALSO .BR clamd (8), .BR clamscan (1) .SH COPYRIGHT Bill Landry .SH LICENSE BSD (Berkeley Software Distribution) .SH BUGS Report bugs to Bill Landry .SH AUTHOR Bill Landry clamav-unofficial-sigs-3.7.2/LICENSE0000644000000000000000000000276712207147371015571 0ustar rootrootCopyright (c) 2007 - 2013, Bill Landry (unofficialsigs@gmail.com) All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: * Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. * Neither the name of the author/copyright holder nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission. THIS SOFTWARE IS PROVIDED BY AUTHOR/COPYRIGHT HOLDER "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL AUTHOR/COPYRIGHT HOLDER BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. clamav-unofficial-sigs-3.7.2/clamav-unofficial-sigs-cron0000644000000000000000000000130312207147371021752 0ustar rootroot# ClamAV Unofficial Signature Databases Update Cron File # # Author: Bill Landry # # This cron file will execute the clamav-unofficial-sigs.sh script that # currently supports updating third-party signature databases provided # by Sanesecurity, SecuriteInfo, MalwarePatrol, OITC, etc. # # The script is set to run hourly, at 45 minutes past the hour, and the # script itself is set to randomize the actual execution time between # 60 - 600 seconds. Adjust the cron start time, user account to run the # script under, and path information shown below to meet your own needs. 45 * * * * root /usr/local/bin/clamav-unofficial-sigs.sh -c /usr/local/etc/clamav-unofficial-sigs.conf clamav-unofficial-sigs-3.7.2/clamav-unofficial-sigs.conf0000644000000000000000000003021212207147371021740 0ustar rootroot# This file contains user configuration settings for the clamav-unofficial-sigs.sh # Script provide by Bill Landry (unofficialsigs@gmail.com). # # Script updates can be found at: http://sourceforge.net/projects/unofficial-sigs # # License: BSD (Berkeley Software Distribution) ################################################################################ # USER CONFIGURATION FILE FOR SCRIPT: # # * * * # # clamav-unofficial-sigs.sh # # * * * # # SET PROGRAM PATHS AND OTHER VARIABLE OPTIONS FOR THE SCRIPT IN THIS FILE # ################################################################################ # Edit the quoted variables below to meet your own particular needs # and requirements, but do not remove the "quote" marks. # Be sure to set the appropriate shell for your OS Platform. It's been # reported that "sh" works best for BSD variants, "ksh" for Sun Solaris, # and "bash" for Linux variants. If you experience problems running the # script, please try editing the top line of the script file and changing # "sh" to either "ksh" or "bash" before reporting a problem. # Set and export the appropriate program paths for your OS platform. Required # utilities include: find, xargs, sed, awk, cut, dig, grep, tail, chown, chmod, # cmp, diff, gzip, ls, cp, mv, test, gpg, host, sleep, cksum, rsync, curl, perl, # and optionally socat. It's been reported that on Sun systems, the GNU utilities # should be used rather than the default Sun OS versions of these utilities. PATH="/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin" export PATH # Set the appropriate ClamD user and group accounts for your system. # If you do not want the script to set user and group permissions on # files and directories, comment the next two variables. clam_user="clamav" clam_group="clamav" # If you do not want the script to change the file mode of all signature # database files in the ClamAV working directory to 0644 (-rw-r--r--): # # owner: read, write # group: read # world: read # # as defined in the "clam_dbs" path variable below, then set the following # "setmode" variable to "no". setmode="yes" # Set path to ClamAV database files location. If unsure, check # your clamd.conf file for the "DatabaseDirectory" path setting. clam_dbs="/var/lib/clamav" # Set path to clamd.pid file (see clamd.conf for path location). clamd_pid="/var/run/clamd.pid" # To enable "ham" (non-spam) directory scanning and removal of # signatures that trigger on ham messages, uncomment the following # variable and set it to the appropriate ham message directory. #ham_dir="/path/to/ham-test/directory" # If you would like to reload the clamd databases after an update, # change the following variable to "yes". reload_dbs="no" # Set the reload or restart option if the "reload_dbs" variable above # is set to "yes" (only select 'ONE' of the following variables or the # last uncommented variable option will be the one used). # - The next variable signals clamd daemon to reload databases (this is the recommended reload option) reload_opt="clamdscan --reload" # Default # - The next variable signals clamd's Process ID (PID) to reload databases #reload_opt="kill -USR2 `cat $clamd_pid`" # - The next variable signals linux based systems to do a full clamd service stop/start #reload_opt="service clamd restart" # - Use the next variable to set a custom or system specific reload/restart option #reload_opt="" # If running clamd in "LocalSocket" mode (*NOT* in TCP/IP mode), and # either "SOcket Cat" (socat) or the "IO::Socket::UNIX" perl module # are installed on the system, and you want to report whether clamd # is running or not, uncomment the "clamd_socket" variable below (you # will be warned if neither socat nor IO::Socket::UNIX are found, but # the script will still run). You will also need to set the correct # path to your clamd socket file (if unsure of the path, check the # "LocalSocket" setting in your clamd.conf file for socket location). #clamd_socket="/var/run/clamd.socket" # If you would like to attempt to restart ClamD if detected not running, # uncomment the next 2 lines. Confirm the path to the "clamd_lock" file # (usually can be found in the clamd init script) and also enter the clamd # start command for your particular distro for the "start_clamd" variable # (the sample start command shown below should work for most linux distros). # NOTE: these 2 variables are dependant on the "clamd_socket" variable # shown above - if not enabled, then the following 2 variables will be # ignored, whether enabled or not. #clamd_lock="/var/lock/subsys/clamd" #start_clamd="service clamd start" # Enable or disable download time randomization. This allows the script to # be executed via cron, but the actual database file checking will pause # for a random number of seconds between the "min" and "max" time settings # specified below. This helps to more evenly distribute load on the host # download sites. To disable, set the following variable to "no". enable_random="yes" # If download time randomization is enabled above (enable_random="yes"), # then set the min and max radomization time intervals (in seconds). min_sleep_time="60" # Default minimum is 60 seconds (1 minute). max_sleep_time="600" # Default maximum is 600 seconds (10 minutes). # ======================== # Sanesecurity Database(s) # ======================== # Add or remove database file names between quote marks as needed. To # disable usage of any of the Sanesecurity distributed database files # shown, remove the database file name from the quoted section below. # To disable usage of all Sanesecurity distributed databases, comment # all of the quoted lines below. Only databases defined as "low" risk # have been enabled by default (for additional information about the # database ratings, see: http://www.sanesecurity.com/clamav/databases.htm). # Only add signature databases here that are "distributed" by Sanesecuirty # as defined at the URL shown above. Database distributed by others sources # (e.g., SecuriteInfo & MalewarePatrol, can be added to other sections of # this config file below). Finally, make sure that the database names are # spelled correctly or you will experience issues when the script runs # (hint: all rsync servers will fail to download signature updates). ss_dbs=" blurl.ndb junk.ndb jurlbl.ndb phish.ndb rogue.hdb sanesecurity.ftm scam.ndb sigwhitelist.ign2 spamattach.hdb spamimg.hdb winnow.attachments.hdb winnow_bad_cw.hdb winnow_extended_malware.hdb winnow_malware.hdb winnow_malware_links.ndb doppelstern.hdb bofhland_cracked_URL.ndb bofhland_malware_attach.hdb bofhland_malware_URL.ndb bofhland_phishing_URL.ndb crdfam.clamav.hdb phishtank.ndb porcupine.ndb " # ======================== # SecuriteInfo Database(s) # ======================== # Add or remove database file names between quote marks as needed. To # disable any SecuriteInfo database downloads, remove the appropriate # lines below. To disable all SecuriteInfo database file downloads, # comment all of the following lines. si_dbs=" honeynet.hdb securiteinfo.hdb securiteinfobat.hdb securiteinfodos.hdb securiteinfoelf.hdb securiteinfohtml.hdb securiteinfooffice.hdb securiteinfopdf.hdb securiteinfosh.hdb " # Since the SecuriteInfo databases are only updated a few time each # month, set a time interval to do database update checks. si_update_hours="4" # Default is 4 hours (6 update checks daily). # ========================= # MalwarePatrol Database(s) # ========================= # Add or remove database file names between quote marks as needed. To # disable any of the MalwarePatrol database file downloads, remove the # appropriate database file name lines below. To disable MalwarePatrol # database downloads, comment all of the following lines. mbl_dbs=" mbl.ndb " # Since the MalwarePatrol database file is dynamically created, # there is no way to test for changes prior to downloading. For this # reason, you will need to set a reasonable time interval in "hours" # for MBL database file downloads. As shown below, this has been # set to update every "6" hours, which seems appropriate (that's 4 # file downloads per day) Change only if you REALLY feel you must. # However, I would not suggest going below every 4 hour lest you risk # being blacklisted by the MalwarePatrol site. mbl_update_hours="6" # Default is 6 hours (4 downloads daily). # Additional signature databases can be specified here in the following # format: PROTOCOL://URL-or-IP/PATH/TO/FILE-NAME (use a trailing "/" in # place of the "FILE-NAME" to download all files from specified location, # but this *ONLY* works for files downloaded via rsync). For non-rsync # downloads, curl is used. For download protocols supported by curl, see # "man curl". This also works well for locations that have many ClamAV # servers that use 3rd party signature databases, as only one server need # download the remote databases, and all others can update from the local # mirror's copy. See format examples below. To use, remove the comments # and examples shown and add your own sites between the quote marks. #add_dbs=" # rsync://192.168.1.50/new-db/sigs.hdb # rsync://rsync.example.com/all-dbs/ # ftp://ftp.example.net/pub/sigs.ndb # http://www.example.org/sigs.ldb #" # Set rsync connection and data transfer timeout limits in seconds. # The defaults settings here are reasonable, only change if you are # experiencing timeout issues. rsync_connect_timeout="15" rsync_max_time="60" # Set curl connection and data transfer timeout limits in seconds. # The defaults settings here are reasonable, only change if you are # experiencing timeout issues. curl_connect_timeout="15" curl_max_time="90" # Set working directory paths (edit to meet your own needs). If these # directories do not exist, the script will attempt to create them. # Top level working directory path: work_dir="/usr/unofficial-dbs" #Top level working directory # Sub-directory names: ss_dir="$work_dir/ss-dbs" # Sanesecurity sub-directory si_dir="$work_dir/si-dbs" # SecuriteInfo sub-directory mbl_dir="$work_dir/mbl-dbs" # MalwarePatrol sub-directory config_dir="$work_dir/configs" # Script configs sub-directory gpg_dir="$work_dir/gpg-key" # Sanesecurity GPG Key sub-directory add_dir="$work_dir/add-dbs" # User defined databases sub-directory # If you would like to make a backup copy of the current running database # file before updating, leave the following variable set to "yes" and a # backup copy of the file will be created in the production directory # with -bak appended to the file name. keep_db_backup="no" # If you want to silence the information reported by curl, rsync, gpg # or the general script comments, change the following variables to # "yes". If all variables are set to "yes", the script will output # nothing except error conditions. curl_silence="no" # Default is "no" to report curl statistics rsync_silence="no" # Default is "no" to report rsync statistics gpg_silence="no" # Default is "no" to report gpg signature status comment_silence="no" # Default is "no" to report script comments # Log update information to '$log_file_path/$log_file_name'. enable_logging="yes" log_file_path="/var/log" log_file_name="clamav-unofficial-sigs.log" # If necessary to proxy database downloads, define the rsync and/or curl # proxy settings here. For rsync, the proxy must support connections to # port 873. Both curl and rsync proxy setting need to be defined in the # format of "hostname:port". For curl, also note the -x and -U flags, # which must be set as "-x hostname:port" and "-U username:password". rsync_proxy="" curl_proxy="" # After you have completed the configuration of this file, set the # following variable to "yes". user_configuration_complete="no" ################################################################################ # END OF USER CONFIGURATION # ################################################################################ clamav-unofficial-sigs-3.7.2/clamav-unofficial-sigs.sh0000755000000000000000000024400112207147371021433 0ustar rootroot#!/bin/sh # This script freely provided by Bill Landry (unofficialsigs@gmail.com). # Comments, suggestions, and recommendations for improving this script # are always welcome. # # Script updates can be found at: http://sourceforge.net/projects/unofficial-sigs # # License: BSD (Berkeley Software Distribution) ################################################################################ # # # THERE ARE NO USER CONFIGURABLE OPTIONS IN THIS SCRIPT # # * * * # # ALL CONFIGURATION OPTIONS ARE LOCATED IN THE INCLUDED CONFIGURATION FILE # # # ################################################################################ default_config="/etc/clamav-unofficial-sigs.conf" version="v3.7.2 (updated 2013-08-25)" output_ver=" `basename $0` $version " usage=" ClamAV Unofficial Signature Databases Update Script - $version Usage: `basename $0` [OPTION] [PATH|FILE] -b DEPRECATED - Consider using -w instead, it supports the newer ClamAV signature whitelist funtionality. ---------------------------------------------------------- Add a bypass signature entry to local.ign in order to temporarily resolve a false-positive issue with a specific third-party signature. The script added local.ign entries will automatically be removed if the original signature is either modified or removed from the third-party database. -c Direct script to use a specific configuration file e.g.: '-c /path/to/`basename "$default_config"`'. -d Decode a third-party signature either by signature name (e.g: Sanesecurity.Junk.15248) or hexadecimal string. This flag will 'NOT' decode image signatures. -e Hexadecimal encode an entire input string that can be used in any '*.ndb' signature database file. -f Hexadecimal encode a formatted input string containing signature spacing fields '{}, (), *', without encoding the spacing fields, so that the encoded signature can be used in any '*.ndb' signature database file. -g GPG verify a specific Sanesecurity database file e.g.: '-g filename.ext' (do not include file path). -h Display this script's help and usage information. -i Output system and configuration information for viewing or possible debugging purposes. -m Make a signature database from an ascii file containing data strings, with one data string per line. Additional information is provided when using this flag. -r Remove the clamav-unofficial-sigs script and all of its associated files and databases from the system. -s Clamscan integrity test a specific database file e.g.: '-s filename.ext' (do not include file path). -t If HAM directory scanning is enabled in the script's configuration file, then output names of any third-party signatures that triggered during the HAM directory scan. -v Output script version and date information. -w Adds a signature whitelist entry in the newer ClamAV IGN2 format to 'my-whitelist.ign2' in order to temporarily resolve a false-positive issue with a specific third-party signature. Script added whitelist entries will automatically be removed if the original signature is either modified or removed from the third-party signature database. Alternative to using '-c': Place config file in /etc ($default_config) " # Function to handle general response if script cannot find the config file in /etc. no_default_config () { if [ ! -s "$default_config" ] ; then echo "" echo "Cannot find your configuration file - place a copy in /etc and try again..." echo "" echo " e.g.: $default_config" echo "" exit fi . "$default_config" echo "" } # Function to support user config settings for applying file and directory access permissions. perms () { if [ -n "$clam_user" -a -n "$clam_group" ] ; then "${@:-}" fi } # Take input from the commandline and process. while getopts 'bc:defg:himrs:tvw' option ; do case $option in b) no_default_config echo "Input a third-party signature name that you wish to bypass due to false-positives" echo "and press enter (do not include '.UNOFFICIAL' in the signature name nor add quote" echo "marks to any input string):" echo "" read input if [ -n "$input" ] then cd "$clam_dbs" input=`echo "$input" | tr -d "'" | tr -d '"'` file_sig=`grep -n "$input:" *.ndb` sig_ign=`echo "$file_sig" | cut -d ":" -f-3` if [ -n "$sig_ign" ] then if ! grep "$sig_ign" local.ign > /dev/null 2>&1 then cp -f local.ign "$config_dir" 2>/dev/null echo "$sig_ign" | tr -d "\r" >> "$config_dir/local.ign" echo "$file_sig" | tr -d "\r" >> "$config_dir/monitor-ign.txt" if clamscan --quiet -d "$config_dir/local.ign" "$config_dir/scan-test.txt" then if rsync -pcqt $config_dir/local.ign $clam_dbs then perms chown $clam_user:$clam_group local.ign chmod 0644 local.ign "$config_dir/monitor-ign.txt" $reload_opt echo "" echo "Signature '$input' has been added to the local.ign signature bypass" echo "file and databases have been reloaded. The script will track any changes to the" echo "offending third-party signature and will automatically remove the signature bypass" echo "entry if either the signature is modified or removed from the third-party database." else echo "" echo "Failed to successfully update local.ign file - SKIPPING." fi else echo "" echo "Clamscan reports local.ign database integrity is bad - SKIPPING." fi else echo "" echo "Signature '$input' already exists in local.ign - no action taken." fi else echo "" echo "Signature '$input' could not be found." echo "" echo "This script will only create a bypass entry in local.ign for ClamAV" echo "'UNOFFICIAL' third-Party signatures as found in the *.ndb databases." fi else echo "No input detected - no action taken." fi echo "" exit ;; c) conf_file="$OPTARG" ;; d) no_default_config echo "Input a third-party signature name to decode (e.g: Sanesecurity.Junk.15248) or" echo "a hexadecimal encoded data string and press enter (do not include '.UNOFFICIAL'" echo "in the signature name nor add quote marks to any input string):" echo "" read input input=`echo "$input" | tr -d "'" | tr -d '"'` echo "" if `echo "$input" | grep "\." > /dev/null` then cd "$clam_dbs" sig=`grep "$input:" *.ndb` if [ -n "$sig" ] then db_file=`echo "$sig" | cut -d ':' -f1` echo "$input found in: $db_file" echo "$input signature decodes to:" echo "" echo "$sig" | cut -d ":" -f5 | perl -pe 's/([a-fA-F0-9]{2})|(\{[^}]*\}|\([^)]*\))/defined $2 ? $2 : chr(hex $1)/eg' else echo "Signature '$input' could not be found." echo "" echo "This script will only decode ClamAV 'UNOFFICIAL' third-Party," echo "non-image based, signatures as found in the *.ndb databases." fi else echo "Here is the decoded hexadecimal input string:" echo "" echo "$input" | perl -pe 's/([a-fA-F0-9]{2})|(\{[^}]*\}|\([^)]*\))/defined $2 ? $2 : chr(hex $1)/eg' fi echo "" exit ;; e) no_default_config echo "Input the data string that you want to hexadecimal encode and then press enter. Do not include" echo "any quotes around the string unless you want them included in the hexadecimal encoded output:" echo "" read input echo "" echo "Here is the hexadecimal encoded input string:" echo "" echo "$input" | perl -pe 's/(.)/sprintf("%02lx", ord $1)/eg' echo "" exit ;; f) no_default_config echo "Input a formated data string containing spacing fields '{}, (), *' that you want to hexadecimal" echo "encode, without encoding the spacing fields, and then press enter. Do not include any quotes" echo "around the string unless you want them included in the hexadecimal encoded output:" echo "" read input echo "" echo "Here is the hexadecimal encoded input string:" echo "" echo "$input" | perl -pe 's/(\{[^}]*\}|\([^)]*\)|\*)|(.)/defined $1 ? $1 : sprintf("%02lx", ord $2)/eg' echo "" exit ;; g) no_default_config db_file=`echo "$OPTARG" | awk -F '/' '{print $NF}'` if [ -s "$ss_dir/$db_file" ] then echo "GPG signature testing database file: $ss_dir/$db_file" echo "" if ! gpg --trust-model always -q --no-default-keyring --homedir $gpg_dir --keyring $gpg_dir/ss-keyring.gpg \ --verify $ss_dir/$db_file.sig $ss_dir/$db_file then gpg --always-trust -q --no-default-keyring --homedir $gpg_dir --keyring $gpg_dir/ss-keyring.gpg \ --verify $ss_dir/$db_file.sig $ss_dir/$db_file fi else echo "File '$db_file' cannot be found or is not a Sanesecurity database file." echo "Only the following Sanesecurity and OITC databases can be GPG signature tested:" echo "$ss_dbs" echo "Check the file name and try again..." fi echo "" exit ;; h) echo "$usage" exit ;; i) no_default_config echo "*** SCRIPT VERSION ***" echo "`basename $0` $version" echo "" echo "*** SYSTEM INFORMATION ***" uname=`which uname` $uname -a echo "" echo "*** CLAMSCAN LOCATION & VERSION ***" clamscan=`which clamscan` echo "$clamscan" $clamscan --version | head -1 echo "" echo "*** RSYNC LOCATION & VERSION ***" rsync=`which rsync` echo "$rsync" $rsync --version | head -1 echo "" echo "*** CURL LOCATION & VERSION ***" curl=`which curl` echo "$curl" $curl --version | head -1 echo "" echo "*** GPG LOCATION & VERSION ***" gpg=`which gpg` echo "$gpg" $gpg --version | head -1 echo "" echo "*** SCRIPT WORKING DIRECTORY INFORMATION ***" ls -ld $work_dir echo "" ls -lR $work_dir | grep -v total echo "" echo "*** CLAMAV DIRECTORY INFORMATION ***" ls -ld $clam_dbs echo "---" ls -l $clam_dbs | grep -v total echo "" echo "*** SCRIPT CONFIGURATION SETTINGS ***" egrep -v "^#|^$" $default_config echo "" exit ;; m) no_default_config echo " The '-m' script flag provides a way to create a ClamAV hexadecimal signature database (*.ndb) file from a list of data strings stored in a clear-text ascii file, with one data string entry per line. - Hexadecimal encoding can be either 'full' or 'formatted' on a per line basis: Full line encoding should be used if there are no formatted spacing entries [{}, (), *] included on the line. Prefix unformatted lines with: '-:' (no quote marks). Example: -:This signature contains no formatted spacing fields Encodes to: 54686973207369676e617475726520636f6e7461696e73206e6f20666f726d61747465642073706163696e67206669656c6473 Formatted line encoding should be used if there are user added spacing entries [{}, (), *] included on the line. Prefix formatted lines with '=:' (no quote marks). Example: =:This signature{-10}contains several(25|26|27)formatted spacing*fields Encodes to: 54686973207369676e6174757265{-10}636f6e7461696e73207365766572616c(25|26|27)666f726d61747465642073706163696e67*6669656c6473 Use 'full' encoding if you want to encode everything on the line [including {}, (), *] and 'formatted' encoding if you want to encode everything on the line except the formatted character spacing fields. The prefixes ('-:' and '=:') will be stripped from the line before hexadecimal encoding is done. If no prefix is found at the beginning of the line, full line encoding will be done (default). - It is assumed that the signatures will be created for email scanning purposes, thus the '4' target type is used and full file scanning is enabled (see ClamAV signatures.pdf for details). - Line numbering will be done automatically by the script. " | sed 's/^ //g' echo -n "Do you wish to continue? (y/n): " read reply if [ "$reply" = "y" -o "$reply" = "Y" ] then echo "" echo -n "Enter the source file as /path/filename: " read source if [ -s "$source" ] then source_file=`basename "$source"` echo "" echo "What signature prefix would you like to use? For example: 'Phish.Domains'" echo "will create signatures that looks like: 'Phish.Domains.1:4:*:HexSigHere'" echo "" echo -n "Enter signature prefix: " read prefix path_file=`echo "$source" | cut -d "." -f-1 | sed 's/$/.ndb/'` db_file=`basename $path_file` rm -f "$path_file" total=`wc -l "$source" | cut -d " " -f1` line_num=1 echo "" cat "$source" | while read line ; do line_prefix=`echo "$line" | awk -F ':' '{print $1}'` if [ "$line_prefix" = "-" ] then echo "$line" | cut -d ":" -f2- | perl -pe 's/(.)/sprintf("%02lx", ord $1)/eg' | \ sed "s/^/$prefix\.$line_num:4:\*:/" >> "$path_file" elif [ "$line_prefix" = "=" ] ; then echo "$line" | cut -d ":" -f2- | perl -pe 's/(\{[^}]*\}|\([^)]*\)|\*)|(.)/defined \ $1 ? $1 : sprintf("%02lx", ord $2)/eg' | sed "s/^/$prefix\.$line_num:4:\*:/" >> "$path_file" else echo "$line" | perl -pe 's/(.)/sprintf("%02lx", ord $1)/eg' | sed "s/^/$prefix\.$line_num:4:\*:/" >> "$path_file" fi printf "Hexadecimal encoding $source_file line: $line_num of $total\r" line_num=$(($line_num + 1)) done else echo "" echo "Source file not found, exiting..." echo "" exit fi echo "" echo "" echo "Signature database file created at: $path_file" if clamscan --quiet -d "$path_file" "$config_dir/scan-test.txt" 2>/dev/null then echo "" echo "Clamscan reports database integrity tested good." echo "" echo -n "Would you like to move '$db_file' into '$clam_dbs' and reload databases? (y/n): " read reply if [ "$reply" = "y" -o "$reply" = "Y" ] then if ! cmp -s "$path_file" "$clam_dbs/$db_file" then if rsync -pcqt "$path_file" "$clam_dbs" then perms chown $clam_user:$clam_group "$clam_dbs/$db_file" chmod 0644 "$clam_dbs/$db_file" $reload_opt echo "" echo "Signature database '$db_file' was successfully implemented and ClamD databases reloaded." else echo "" echo "Failed to add/update '$db_file', ClamD database not reloaded." fi else echo "" echo "Database '$db_file' has not changed - skipping" fi else echo "" echo "No action taken." fi else echo "" echo "Clamscan reports that '$db_file' signature database integrity tested bad." fi fi echo "" exit ;; r) no_default_config if [ -n "$pkg_mgr" -a -n "$pkg_rm" ] then echo " This script (clamav-unofficial-sigs) was installed on the system" echo " via '$pkg_mgr', use '$pkg_rm' to remove the script" echo " and all of its associated files and databases from the system." echo "" else echo " Are you sure you want to remove the clamav-unofficial-sigs script and all of its" echo -n " associated files, third-party databases, and work directories from the system? (y/n): " read response if [ "$response" = "y" -o "$response" = "Y" ] then if [ -s "$config_dir/purge.txt" ] then echo "" for file in `cat $config_dir/purge.txt` ; do rm -f -- "$file" echo " Removed file: $file" done cron_file=`find /etc/ -name clamav-unofficial-sigs-cron` if [ -s "$cron_file" ] ; then rm -f "$cron_file" echo " Removed file: $cron_file" fi log_rotate_file=`find /etc/ -name clamav-unofficial-sigs-logrotate` if [ -s "$log_rotate_file" ] ; then rm -f "$log_rotate_file" echo " Removed file: $log_rotate_file" fi rm -f -- "$default_config" && echo " Removed file: $default_config" rm -f -- "$0" && echo " Removed file: $0" rm -rf -- "$work_dir" && echo " Removed script working directories: $work_dir" echo "" echo " The clamav-unofficial-sigs script and all of its associated files, third-party" echo " databases, and work directories have been successfully removed from the system." echo "" else echo " Cannot locate 'purge.txt' file in $config_dir." echo " Files and signature database will need to be removed manually." echo "" fi else echo "$usage" fi fi exit ;; s) no_default_config input=`echo "$OPTARG" | awk -F '/' '{print $NF}'` db_file=`find $work_dir -name $input` if [ -s "$db_file" ] then echo "Clamscan integrity testing: $db_file" echo "" if clamscan --quiet -d "$db_file" "$config_dir/scan-test.txt" ; then echo "Clamscan reports that '$input' database integrity tested GOOD" fi else echo "File '$input' cannot be found." echo "Here is a list of third-party databases that can be clamscan integrity tested:" echo "" echo "Sanesecurity $ss_dbs""SecuriteInfo $si_dbs""MalwarePatrol $mbl_dbs" echo "Check the file name and try again..." fi echo "" exit ;; t) no_default_config if [ -n "$ham_dir" ] then if [ -s "$config_dir/whitelist.hex" ] then echo "The following third-party signatures triggered hits during the HAM Directory scan:" echo "" grep -h -f "$config_dir/whitelist.hex" "$work_dir"/*/*.ndb | cut -d ":" -f1 else echo "No third-party signatures have triggered hits during the HAM Directory scan." fi else echo "Ham directory scanning is not currently enabled in the script's configuration file." fi echo "" exit ;; v) echo "$output_ver" exit ;; w) no_default_config echo "Input a third-party signature name that you wish to whitelist due to false-positives" echo "and press enter (do not include '.UNOFFICIAL' in the signature name nor add quote" echo "marks to the input string):" echo "" read input if [ -n "$input" ] then cd "$clam_dbs" input=`echo "$input" | tr -d "'" | tr -d '"'` sig_full=`grep -H "$input:" *.ndb` sig_name=`echo "$sig_full" | cut -d ":" -f2` if [ -n "$sig_name" ] then if ! grep "$sig_name" my-whitelist.ign2 > /dev/null 2>&1 then cp -f my-whitelist.ign2 "$config_dir" 2>/dev/null echo "$sig_name" >> "$config_dir/my-whitelist.ign2" echo "$sig_full" >> "$config_dir/tracker.txt" if clamscan --quiet -d "$config_dir/my-whitelist.ign2" "$config_dir/scan-test.txt" then if rsync -pcqt $config_dir/my-whitelist.ign2 $clam_dbs then perms chown $clam_user:$clam_group my-whitelist.ign2 chmod 0644 my-whitelist.ign2 "$config_dir/monitor-ign.txt" $reload_opt echo "" echo "Signature '$input' has been added to my-whitelist.ign2 and" echo "all databases have been reloaded. The script will track any changes" echo "to the offending signature and will automatically remove it if the" echo "signature is modified or removed from the third-party database." else echo "" echo "Failed to successfully update my-whitelist.ign2 file - SKIPPING." fi else echo "" echo "Clamscan reports my-whitelist.ign2 database integrity is bad - SKIPPING." fi else echo "" echo "Signature '$input' already exists in my-whitelist.ign2 - no action taken." fi else echo "" echo "Signature '$input' could not be found." echo "" echo "This script will only create a whitelise entry in my-whitelist.ign2 for ClamAV" echo "'UNOFFICIAL' third-Party signatures as found in the *.ndb databases." fi else echo "No input detected - no action taken." fi echo "" exit ;; *) echo "$usage" exit ;; esac done # Handle '-c' config file location issues. if [ "$1" = -c ] ; then if [ ! -s "$conf_file" ] ; then echo "" echo " Config file does not exist at: $2" echo " Check the config file path and try again..." echo "$usage" exit fi if [ "`basename "$conf_file"`" != "`basename "$default_config"`" ] ; then echo "" echo " Invalid config file: $2" echo " Config file must be named: `basename $default_config`" echo "$usage" exit fi config_source="$conf_file" else if [ $# -ne 0 ] ; then echo "" echo " Invalid option: $1" echo "$usage" exit fi if [ ! -s "$default_config" ] ; then echo "" echo " Cannot find default config file at: $default_config" echo "$usage" exit fi config_source="$default_config" fi . "$config_source" ################################################################################ # Using functions here to handle config settings for script comments and logging. comment () { test "$comment_silence" = "no" && echo "${@:-}" } log () { test "$enable_logging" = "yes" && echo `date "+%b %d %T"` "${@:-}" >> "$log_file_path/$log_file_name" } # Check to see if the script's "USER CONFIGURATION FILE" has been completed. if [ "$user_configuration_complete" != "yes" ] then echo "" echo " *** SCRIPT CONFIGURATION HAS NOT BEEN COMPLETED ***" echo " Please review the script configuration file: `basename $default_config`." echo " Once the user configuration has been completed, rerun the script." echo "" log "ALERT - SCRIPT HALTED, user configuration not completed" exit 1 fi # If "ham_dir" variable is set, then create initial whitelist files (skipped if first-time script run). test_dir="$work_dir/test" if [ -n "$ham_dir" -a -d "$work_dir" -a ! -d "$test_dir" ] ; then if [ -d "$ham_dir" ] then mkdir -p "$test_dir" cp -f "$work_dir"/*/*.ndb "$test_dir" clamscan --infected --no-summary -d "$test_dir" "$ham_dir"/* | \ sed 's/\.UNOFFICIAL FOUND//' | awk '{print $NF}' >> "$config_dir/whitelist.txt" grep -h -f "$config_dir/whitelist.txt" "$test_dir"/* | \ cut -d "*" -f2 | sort | uniq > "$config_dir/whitelist.hex" cd "$test_dir" for db_file in `ls`; do grep -h -v -f "$config_dir/whitelist.hex" "$db_file" > "$db_file-tmp" mv -f "$db_file-tmp" "$db_file" if clamscan --quiet -d "$db_file" "$config_dir/scan-test.txt" 2>/dev/null ; then if rsync -pcqt $db_file $clam_dbs ; then perms chown $clam_user:$clam_group $clam_dbs/$db_file do_clamd_reload=1 fi fi done if [ -s "$config_dir/whitelist.hex" ] then echo "*** Initial HAM directory scan whitelist file created in $config_dir ***" echo "" log "INFO - Initial HAM directory scan whitelist file created in $config_dir" else echo "No false-positives detected in initial HAM directory scan" log "No false-positives detected in initial HAM directory scan" fi else echo "Cannot locate HAM directory: $ham_dir" echo "Skipping initial whitelist file creation. Fix 'ham_dir' path in config file" log "WARNING - Cannot locate HAM directory: $ham_dir" log "WARNING - Skipping initial whitelist file creation. Fix 'ham_dir' path in config file" fi fi # Check to see if the working directories have been created. # If not, create them. Otherwise, ignore and proceed with script. mkdir -p "$work_dir" "$ss_dir" "$si_dir" "$mbl_dir" "$config_dir" "$gpg_dir" "$add_dir" # Set secured access permissions to the GPG directory chmod 0700 "$gpg_dir" # If we haven't done so yet, download Sanesecurity public GPG key and import to custom keyring. if [ ! -s "$gpg_dir/publickey.gpg" ] ; then if ! curl -s -S $curl_proxy --connect-timeout "$curl_connect_timeout" --max-time "$curl_max_time" \ -L -R http://www.sanesecurity.net/publickey.gpg -o $gpg_dir/publickey.gpg then echo "" echo "Could not download Sanesecurity public GPG key" log "ALERT - Could not download Sanesecurity public GPG key" exit 1 else comment "" comment "Sanesecurity public GPG key successfully downloaded" comment "" log "INFO - Sanesecurity public GPG key successfully downloaded" rm -f -- "$gpg_dir/ss-keyring.gp*" if ! gpg -q --no-options --no-default-keyring --homedir $gpg_dir --keyring $gpg_dir/ss-keyring.gpg \ --import $gpg_dir/publickey.gpg 2>/dev/null then echo "Could not import Sanesecurity public GPG key to custom keyring" log "ALERT - Could not import Sanesecurity public GPG key to custom keyring" exit 1 else chmod 0644 $gpg_dir/*.* comment "Sanesecurity public GPG key successfully imported to custom keyring" log "INFO - Sanesecurity public GPG key successfully imported to custom keyring" fi fi fi # If custom keyring is missing, try to re-import Sanesecurity public GPG key. if [ ! -s "$gpg_dir/ss-keyring.gpg" ] ; then rm -f -- "$gpg_dir/ss-keyring.gp*" if ! gpg -q --no-options --no-default-keyring --homedir $gpg_dir --keyring $gpg_dir/ss-keyring.gpg --import $gpg_dir/publickey.gpg then echo "Custom keyring MISSING or CORRUPT! Could not import Sanesecurity public GPG key to custom keyring" log "ALERT - Custom keyring MISSING or CORRUPT! Could not import Sanesecurity public GPG key to custom keyring" exit 1 else chmod 0644 $gpg_dir/*.* comment "Sanesecurity custom keyring MISSING! GPG key successfully re-imported to custom keyring" comment "" log "INFO - Sanesecurity custom keyring MISSING! GPG key successfully re-imported to custom keyring" fi fi # Database update check, time randomization section. This script now # provides support for both bash and non-bash enabled system shells. if [ "$enable_random" = "yes" ] ; then if [ -n "$RANDOM" ] then sleep_time=$(($RANDOM * $(($max_sleep_time - $min_sleep_time)) / 32767 + $min_sleep_time)) else sleep_time=0 while [ "$sleep_time" -lt "$min_sleep_time" -o "$sleep_time" -gt "$max_sleep_time" ] ; do sleep_time=`head -1 /dev/urandom | cksum | awk '{print $2}'` done fi if [ ! -t 0 ] then comment "`date` - Pausing database file updates for $sleep_time seconds..." log "INFO - Pausing database file updates for $sleep_time seconds..." sleep $sleep_time comment "" comment "`date` - Pause complete, checking for new database files..." else curl_silence="no" rsync_silence="no" gpg_silence="no" comment_silence="no" log "INFO - Script was run manually" fi fi # Create "scan-test.txt" file for clamscan database integrity testing. if [ ! -s "$config_dir/scan-test.txt" ] ; then echo "This is the clamscan test file..." > "$config_dir/scan-test.txt" fi # Unofficial ClamAV database provider URLs ss_url="rsync.sanesecurity.net" si_url="clamav.securiteinfo.com" mbl_url="www.malwarepatrol.net" # Create the Sanesecurity rsync "include" file (defines which files to download). ss_include_dbs="$config_dir/ss-include-dbs.txt" if [ -n "$ss_dbs" ] ; then rm -f -- "$ss_include_dbs" "$ss_dir/*.sha256" for db_name in $ss_dbs ; do echo "$db_name" >> "$ss_include_dbs" echo "$db_name.sig" >> "$ss_include_dbs" done fi # If rsync proxy is defined in the config file, then export it for use. if [ -n "$rsync_proxy" ]; then RSYNC_PROXY="$rsync_proxy" export RSYNC_PROXY fi # Create files containing lists of current and previously active 3rd-party databases # so that databases and/or backup files that are no longer being used can be removed. current_tmp="$config_dir/current-dbs.tmp" current_dbs="$config_dir/current-dbs.txt" previous_dbs="$config_dir/previous-dbs.txt" sort "$current_dbs" > "$previous_dbs" 2>/dev/null rm -f "$current_dbs" clamav_files () { echo "$clam_dbs/$db" >> "$current_tmp" if [ "$keep_db_backup" = "yes" ] ; then echo "$clam_dbs/$db-bak" >> "$current_tmp" fi } if [ -n "$ss_dbs" ] ; then for db in $ss_dbs ; do echo "$ss_dir/$db" >> "$current_tmp" echo "$ss_dir/$db.sig" >> "$current_tmp" clamav_files done fi if [ -n "$si_dbs" ] ; then for db in $si_dbs ; do echo "$si_dir/$db" >> "$current_tmp" clamav_files done fi if [ -n "$mbl_dbs" ] ; then for db in $mbl_dbs ; do echo "$mbl_dir/$db" >> "$current_tmp" clamav_files done fi if [ -n "$add_dbs" ] ; then for db in $add_dbs ; do echo "$add_dir/$db" >> "$current_tmp" clamav_files done fi # Remove 3rd-party databases and/or backup files that are no longer being used. sort "$current_tmp" > "$current_dbs" 2>/dev/null rm -f "$current_tmp" db_changes="$config_dir/db-changes.txt" if [ ! -s "$previous_dbs" ] ; then cp -f "$current_dbs" "$previous_dbs" 2>/dev/null fi diff "$current_dbs" "$previous_dbs" 2>/dev/null | grep '>' | awk '{print $2}' > "$db_changes" if [ -s "$db_changes" ] ; then if grep -vq "bak" $db_changes 2>/dev/null ; then do_clamd_reload=2 fi comment "" for file in `cat $db_changes` ; do rm -f -- "$file" comment "File removed: $file" log "INFO - File removed: $file" done fi # Create "purge.txt" file for package maintainers to support package uninstall. purge="$config_dir/purge.txt" cp -f "$current_dbs" "$purge" echo "$config_dir/current-dbs.txt" >> "$purge" echo "$config_dir/db-changes.txt" >> "$purge" echo "$config_dir/last-mbl-update.txt" >> "$purge" echo "$config_dir/last-si-update.txt" >> "$purge" echo "$config_dir/local.ign" >> "$purge" echo "$config_dir/monitor-ign.txt" >> "$purge" echo "$config_dir/my-whitelist.ign2" >> "$purge" echo "$config_dir/tracker.txt" >> "$purge" echo "$config_dir/previous-dbs.txt" >> "$purge" echo "$config_dir/scan-test.txt" >> "$purge" echo "$config_dir/ss-include-dbs.txt" >> "$purge" echo "$config_dir/whitelist.hex" >> "$purge" echo "$gpg_dir/publickey.gpg" >> "$purge" echo "$gpg_dir/secring.gpg" >> "$purge" echo "$gpg_dir/ss-keyring.gpg*" >> "$purge" echo "$gpg_dir/trustdb.gpg" >> "$purge" echo "$log_file_path/$log_file_name*" >> "$purge" echo "$purge" >> "$purge" # Silence rsync output and only report errors - useful if script is run via cron. if [ "$rsync_silence" = "yes" ] ; then rsync_output_level="-q" fi # If the local rsync client supports the '--no-motd' flag, then enable it. if rsync --help | grep 'no-motd' > /dev/null ; then no_motd="--no-motd" fi # If the local rsync client supports the '--contimeout' flag, then enable it. if rsync --help | grep 'contimeout' > /dev/null ; then connect_timeout="--contimeout=$rsync_connect_timeout" fi # Silence curl output and only report errors - useful if script is run via cron. if [ "$curl_silence" = "yes" ] ; then curl_output_level="-s -S" fi # If ClamD status check is enabled ("clamd_socket" variable is uncommented # and the socket path is correctly specified in "User Edit" section above), # then test to see if clamd is running or not. if [ -n "$clamd_socket" ] ; then if [ "`perl -e 'use IO::Socket::UNIX; print $IO::Socket::UNIX::VERSION,"\n"' 2>/dev/null`" ] then io_socket1=1 if [ "`perl -MIO::Socket::UNIX -we '$s = IO::Socket::UNIX->new(shift); $s->print("PING"); \ print $s->getline; $s->close' "$clamd_socket" 2>/dev/null`" = "PONG" ] ; then io_socket2=1 comment "====================" comment "= ClamD is running =" comment "====================" log "INFO - ClamD is running" fi else socat="`which socat 2>/dev/null`" if [ -n "$socat" -a -x "$socat" ] ; then socket_cat1=1 if [ "`(echo "PING"; sleep 1;) | socat - "$clamd_socket" 2>/dev/null`" = "PONG" ] ; then socket_cat2=1 comment "====================" comment "= ClamD is running =" comment "====================" log "INFO - ClamD is running" fi fi fi if [ -z "$io_socket1" -a -z "$socket_cat1" ] then echo "" echo " --- WARNING ---" echo " It appears that neither 'SOcket CAT' (socat) nor the perl module" echo " 'IO::Socket::UNIX' are installed on the system. In order to run" echo " the ClamD socket test to determine whether ClamD is running or" echo " or not, either 'socat' or 'IO::Socket::UNIX' must be installed." echo "" echo " You can silence this warning by either installing 'socat' or the" echo " 'IO::Socket::UNIX' perl module, or by simply commenting out the" echo " 'clamd_socket' variable in the clamav-unofficial-sigs.conf file." log "WARNING - Neither socat nor IO::Socket::UNIX perl module found, cannot test whether ClamD is running" else if [ -z "$io_socket2" -a -z "$socket_cat2" ] ; then echo "" echo " *************************" echo " * !!! ALERT !!! *" echo " * CLAMD IS NOT RUNNING! *" echo " *************************" echo "" log "ALERT - ClamD is not running" if [ -n "$start_clamd" ] ; then echo " Attempting to start ClamD..." echo "" if [ -n "$io_socket1" ] then rm -f -- "$clamd_pid" "$clamd_lock" "$clamd_socket" 2>/dev/null $start_clamd > /dev/null && sleep 5 if [ "`perl -MIO::Socket::UNIX -we '$s = IO::Socket::UNIX->new(shift); $s->print("PING"); \ print $s->getline; $s->close' "$clamd_socket" 2>/dev/null`" = "PONG" ] then echo "==================================" echo "= ClamD was successfully started =" echo "==================================" log "NOTICE - ClamD was successfuly started" else echo " *************************" echo " * !!! PANIC !!! *" echo " * CLAMD FAILED TO START *" echo " *************************" echo "" echo "Check to confirm that the clamd start process defined for" echo "the 'start_clamd' variable in the 'USER EDIT SECTION' is" echo "set correctly for your particular distro. If it is, then" echo "check your logs to determine why clamd failed to start." echo "" log "CRITICAL - ClamD failed to start" exit 1 fi else if [ -n "$socket_cat1" ] ; then rm -f -- "$clamd_pid" "$clamd_lock" "$clamd_socket" 2>/dev/null $start_clamd > /dev/null && sleep 5 if [ "`(echo "PING"; sleep 1;) | socat - "$clamd_socket" 2>/dev/null`" = "PONG" ] then echo "==================================" echo "= ClamD was successfully started =" echo "==================================" log "NOTICE - ClamD was successfuly started" else echo " *************************" echo " * !!! PANIC !!! *" echo " * CLAMD FAILED TO START *" echo " *************************" echo "" echo "Check to confirm that the clamd start process defined for" echo "the 'start_clamd' variable in the 'USER EDIT SECTION' is" echo "set correctly for your particular distro. If it is, then" echo "check your logs to determine why clamd failed to start." echo "" log "CRITICAL - ClamD failed to start" exit 1 fi fi fi fi fi fi fi # Check and save current system time since epoch for time related database downloads. # However, if unsuccessful, issue a warning that we cannot calculate times since epoch. if [ -n "$si_dbs" -o -n "mbl_dbs" ] then if [ `date +%s` -gt 0 2>/dev/null ] then current_time=`date +%s` else if [ `perl -le print+time 2>/dev/null` ] ; then current_time=`perl -le print+time` fi fi else echo "" echo " --- WARNING ---" echo "The system's date function does not appear to support 'date +%s', nor was 'perl' found" echo "on the system. The SecuriteInfo and MalwarePatrol updates were bypassed at this time." echo "" echo "You can silence this warning by either commenting out the 'si_dbs' and 'mbl_dbs'" echo "variables in the 'USER CONFIGURATION' section of the script, or by installing perl or" echo "the GNU date utility, either of which can calculate the needed seconds since epoch." log "WARNING - Systems does not support calculating time since epoch, SecuriteInfo and MalwarePatrol updates bypassed" si_dbs="" mbl_dbs="" fi ################################################################ # Check for Sanesecurity database & GPG signature file updates # ################################################################ if [ -n "$ss_dbs" ] ; then db_file="" comment "" comment "======================================================================" comment "Sanesecurity Database & GPG Signature File Updates" comment "======================================================================" ss_mirror_ips=`dig +ignore +short $ss_url` for ss_mirror_ip in $ss_mirror_ips ; do ss_mirror_name=`dig +short -x $ss_mirror_ip | sed 's/\.$//'` ss_mirror_site_info="$ss_mirror_name $ss_mirror_ip" comment "" comment "Sanesecurity mirror site used: $ss_mirror_site_info" log "INFO - Sanesecurity mirror site used: $ss_mirror_site_info" if rsync $rsync_output_level $no_motd --files-from=$ss_include_dbs -ctuz $connect_timeout \ --timeout="$rsync_max_time" --stats rsync://$ss_mirror_ip/sanesecurity $ss_dir 2>/dev/null then ss_rsync_success="1" for db_file in $ss_dbs ; do if ! cmp -s $ss_dir/$db_file $clam_dbs/$db_file ; then comment "" comment "Testing updated Sanesecurity database file: $db_file" log "INFO - Testing updated Sanesecurity database file: $db_file" if ! gpg --trust-model always -q --no-default-keyring --homedir $gpg_dir --keyring $gpg_dir/ss-keyring.gpg \ --verify $ss_dir/$db_file.sig $ss_dir/$db_file 2>/dev/null then gpg --always-trust -q --no-default-keyring --homedir $gpg_dir --keyring $gpg_dir/ss-keyring.gpg \ --verify $ss_dir/$db_file.sig $ss_dir/$db_file 2>/dev/null fi if [ "$?" = "0" ] then test "$gpg_silence" = "no" && echo "Sanesecurity GPG Signature tested good on $db_file database" log "INFO - Sanesecurity GPG Signature tested good on $db_file database" ; true else echo "Sanesecurity GPG Signature test FAILED on $db_file database - SKIPPING" log "WARNING - Sanesecurity GPG Signature test FAILED on $db_file database - SKIPPING" ; false fi if [ "$?" = "0" ] ; then db_ext=`echo $db_file | cut -d "." -f2` if [ -z "$ham_dir" -o "$db_ext" != "ndb" ] then if clamscan --quiet -d "$ss_dir/$db_file" "$config_dir/scan-test.txt" 2>/dev/null then comment "Clamscan reports Sanesecurity $db_file database integrity tested good" log "INFO - Clamscan reports Sanesecurity $db_file database integrity tested good" ; true else echo "Clamscan reports Sanesecurity $db_file database integrity tested BAD - SKIPPING" log "WARNING - Clamscan reports Sanesecurity $db_file database integrity tested BAD - SKIPPING" ; false fi && \ (test "$keep_db_backup" = "yes" && cp -f $clam_dbs/$db_file $clam_dbs/$db_file-bak 2>/dev/null ; true) && \ if rsync -pcqt $ss_dir/$db_file $clam_dbs then perms chown $clam_user:$clam_group $clam_dbs/$db_file comment "Successfully updated Sanesecurity production database file: $db_file" log "INFO - Successfully updated Sanesecurity production database file: $db_file" ss_update=1 do_clamd_reload=1 else echo "Failed to successfully update Sanesecurity production database file: $db_file - SKIPPING" log "WARNING - Failed to successfully update Sanesecurity production database file: $db_file - SKIPPING" ; false fi else grep -h -v -f "$config_dir/whitelist.hex" "$ss_dir/$db_file" > "$test_dir/$db_file" clamscan --infected --no-summary -d "$test_dir/$db_file" "$ham_dir"/* | \ sed 's/\.UNOFFICIAL FOUND//' | awk '{print $NF}' > "$config_dir/whitelist.txt" grep -h -f "$config_dir/whitelist.txt" "$test_dir/$db_file" | \ cut -d "*" -f2 | sort | uniq >> "$config_dir/whitelist.hex" grep -h -v -f "$config_dir/whitelist.hex" "$test_dir/$db_file" > "$test_dir/$db_file-tmp" mv -f "$test_dir/$db_file-tmp" "$test_dir/$db_file" if clamscan --quiet -d "$test_dir/$db_file" "$config_dir/scan-test.txt" 2>/dev/null then comment "Clamscan reports Sanesecurity $db_file database integrity tested good" log "INFO - Clamscan reports Sanesecurity $db_file database integrity tested good" ; true else echo "Clamscan reports Sanesecurity $db_file database integrity tested BAD - SKIPPING" log "WARNING - Clamscan reports Sanesecurity $db_file database integrity tested BAD - SKIPPING" ; false fi && \ (test "$keep_db_backup" = "yes" && cp -f $clam_dbs/$db_file $clam_dbs/$db_file-bak 2>/dev/null ; true) && \ if rsync -pcqt $test_dir/$db_file $clam_dbs then perms chown $clam_user:$clam_group $clam_dbs/$db_file comment "Successfully updated Sanesecurity production database file: $db_file" log "INFO - Successfully updated Sanesecurity production database file: $db_file" ss_update=1 do_clamd_reload=1 else echo "Failed to successfully update Sanesecurity production database file: $db_file - SKIPPING" log "WARNING - Failed to successfully update Sanesecurity production database file: $db_file - SKIPPING" fi fi fi fi done if [ "$ss_update" != "1" ] then comment "" comment "No Sanesecurity database file updates found" log "INFO - No Sanesecurity database file updates found" break else break fi else comment "Connection to $ss_mirror_site_info failed - Trying next mirror site..." log "WARNING - Connection to $ss_mirror_site_info failed - Trying next mirror site..." fi done if [ "$ss_rsync_success" != "1" ] ; then echo "" echo "Access to all Sanesecurity mirror sites failed - Check for connectivity issues" echo "or signature database name(s) misspelled in the script's configuration file." log "WARNING - Access to all Sanesecurity mirror sites failed - Check for connectivity issues" log "WARNING - or signature database name(s) misspelled in the script's configuration file." fi fi ####################################################################### # Check for updated SecuriteInfo database files every set number of # # hours as defined in the "USER CONFIGURATION" section of this script # ####################################################################### if [ -n "$si_dbs" ] ; then rm -f "$si_dir/*.gz" if [ -s "$config_dir/last-si-update.txt" ] then last_si_update=`cat $config_dir/last-si-update.txt` else last_si_update="0" fi db_file="" loop="" update_interval=$(($si_update_hours * 3600)) time_interval=$(($current_time - $last_si_update)) if [ "$time_interval" -ge $(($update_interval - 600)) ] then echo "$current_time" > "$config_dir"/last-si-update.txt comment "" comment "======================================================================" comment "SecuriteInfo Database File Updates" comment "======================================================================" log "INFO - Checking for SecuriteInfo updates..." si_updates="0" for db_file in $si_dbs ; do if [ "$loop" = "1" ] then comment "---" else comment "" fi comment "Checking for updated SecuriteInfo database file: $db_file" comment "" si_db_update="0" if [ -s "$si_dir/$db_file" ] then z_opt="-z $si_dir/$db_file" else z_opt="" fi if curl $curl_proxy $curl_output_level --connect-timeout "$curl_connect_timeout" \ --max-time "$curl_max_time" -L -R $z_opt -o $si_dir/$db_file http://$si_url/$db_file then loop="1" if ! cmp -s $si_dir/$db_file $clam_dbs/$db_file ; then if [ "$?" = "0" ] ; then db_ext=`echo $db_file | cut -d "." -f2` comment "" comment "Testing updated SecuriteInfo database file: $db_file" log "INFO - Testing updated SecuriteInfo database file: $db_file" if [ -z "$ham_dir" -o "$db_ext" != "ndb" ] then if clamscan --quiet -d "$si_dir/$db_file" "$config_dir/scan-test.txt" 2>/dev/null then comment "Clamscan reports SecuriteInfo $db_file database integrity tested good" log "INFO - Clamscan reports SecuriteInfo $db_file database integrity tested good" ; true else echo "Clamscan reports SecuriteInfo $db_file database integrity tested BAD - SKIPPING" log "WARNING - Clamscan reports SecuriteInfo $db_file database integrity tested BAD - SKIPPING" ; false rm -f "$si_dir/$db_file" fi && \ (test "$keep_db_backup" = "yes" && cp -f $clam_dbs/$db_file $clam_dbs/$db_file-bak 2>/dev/null ; true) && \ if rsync -pcqt $si_dir/$db_file $clam_dbs then perms chown $clam_user:$clam_group $clam_dbs/$db_file comment "Successfully updated SecuriteInfo production database file: $db_file" log "INFO - Successfully updated SecuriteInfo production database file: $db_file" si_updates=1 si_db_update=1 do_clamd_reload=1 else echo "Failed to successfully update SecuriteInfo production database file: $db_file - SKIPPING" log "WARNING - Failed to successfully update SecuriteInfo production database file: $db_file - SKIPPING" fi else grep -h -v -f "$config_dir/whitelist.hex" "$si_dir/$db_file" > "$test_dir/$db_file" clamscan --infected --no-summary -d "$test_dir/$db_file" "$ham_dir"/* | \ sed 's/\.UNOFFICIAL FOUND//' | awk '{print $NF}' > "$config_dir/whitelist.txt" grep -h -f "$config_dir/whitelist.txt" "$test_dir/$db_file" | \ cut -d "*" -f2 | sort | uniq >> "$config_dir/whitelist.hex" grep -h -v -f "$config_dir/whitelist.hex" "$test_dir/$db_file" > "$test_dir/$db_file-tmp" mv -f "$test_dir/$db_file-tmp" "$test_dir/$db_file" if clamscan --quiet -d "$test_dir/$db_file" "$config_dir/scan-test.txt" 2>/dev/null then comment "Clamscan reports SecuriteInfo $db_file database integrity tested good" log "INFO - Clamscan reports SecuriteInfo $db_file database integrity tested good" ; true else echo "Clamscan reports SecuriteInfo $db_file database integrity tested BAD - SKIPPING" log "WARNING - Clamscan reports SecuriteInfo $db_file database integrity tested BAD - SKIPPING" ; false rm -f "$si_dir/$db_file" fi && \ (test "$keep_db_backup" = "yes" && cp -f $clam_dbs/$db_file $clam_dbs/$db_file-bak 2>/dev/null ; true) && \ if rsync -pcqt $test_dir/$db_file $clam_dbs then perms chown $clam_user:$clam_group $clam_dbs/$db_file comment "Successfully updated SecuriteInfo production database file: $db_file" log "INFO - Successfully updated SecuriteInfo production database file: $db_file" si_updates=1 si_db_update=1 do_clamd_reload=1 else echo "Failed to successfully update SecuriteInfo production database file: $db_file - SKIPPING" log "WARNING - Failed to successfully update SecuriteInfo production database file: $db_file - SKIPPING" fi fi fi fi else log "WARNING - Failed curl connection to $si_url - SKIPPED SecuriteInfo $db_file update" fi if [ "$si_db_update" != "1" ] ; then comment "" comment "No updated SecuriteInfo $db_file database file found" fi done if [ "$si_updates" != "1" ] ; then log "INFO - No SecuriteInfo database file updates found" fi else comment "" comment "======================================================================" comment "SecuriteInfo Database File Updates" comment "======================================================================" comment "" time_remaining=$(($update_interval - $time_interval)) hours_left=$(($time_remaining / 3600)) minutes_left=$(($time_remaining % 3600 / 60)) comment "$si_update_hours hours have not yet elapsed since the last SecuriteInfo update check" comment "" comment " --- No update check was performed at this time ---" comment "" comment "Next check will be performed in approximately $hours_left hour(s), $minutes_left minute(s)" log "INFO - Next SecuriteInfo check will be performed in approximately $hours_left hour(s), $minutes_left minute(s)" fi fi ##################################################################### # Download MalwarePatrol database file(s) every set number of hours # # as defined in the "USER CONFIGURATION" section of this script. # ##################################################################### if [ -n "$mbl_dbs" ] ; then if [ -s "$config_dir/last-mbl-update.txt" ] then last_mbl_update=`cat $config_dir/last-mbl-update.txt` else last_mbl_update="0" fi db_file="" update_interval=$(($mbl_update_hours * 3600)) time_interval=$(($current_time - $last_mbl_update)) if [ "$time_interval" -ge $(($update_interval - 600)) ] then echo "$current_time" > "$config_dir"/last-mbl-update.txt log "INFO - Checking for MalwarePatrol updates..." for db_file in $mbl_dbs ; do # Delete the old MBL (mbl.db) database file if it exists and start using the newer # format (mbl.ndb) database file instead. test -e $clam_dbs/$db_file -o -e $clam_dbs/$db_file-bak && rm -f -- "$clam_dbs/mbl.d*" comment "" comment "======================================================================" comment "MalwarePatrol $db_file Database File Update" comment "======================================================================" comment "" if curl $curl_proxy $curl_output_level -R --connect-timeout "$curl_connect_timeout" \ --max-time "$curl_max_time" -o $mbl_dir/$db_file http://$mbl_url/cgi/submit?action=list_clamav_ext then if ! cmp -s $mbl_dir/$db_file $clam_dbs/$db_file then if [ "$?" = "0" ] ; then db_ext=`echo $db_file | cut -d "." -f2` comment "" comment "Testing updated MalwarePatrol database file: $db_file" log "INFO - Testing updated database file: $db_file" if [ -z "$ham_dir" -o "$db_ext" != "ndb" ] then if clamscan --quiet -d "$mbl_dir/$db_file" "$config_dir/scan-test.txt" 2>/dev/null then comment "Clamscan reports MalwarePatrol $db_file database integrity tested good" log "INFO - Clamscan reports MalwarePatrol $db_file database integrity tested good" ; true else echo "Clamscan reports MalwarePatrol $db_file database integrity tested BAD - SKIPPING" log "WARNING - Clamscan reports MalwarePatrol $db_file database integrity tested BAD - SKIPPING" ; false fi && \ (test "$keep_db_backup" = "yes" && cp -f $clam_dbs/$db_file $clam_dbs/$db_file-bak 2>/dev/null ; true) && \ if rsync -pcqt $mbl_dir/$db_file $clam_dbs then perms chown $clam_user:$clam_group $clam_dbs/$db_file comment "Successfully updated MalwarePatrol production database file: $db_file" log "INFO - Successfully updated MalwarePatrol production database file: $db_file" mbl_update=1 do_clamd_reload=1 else echo "Failed to successfully update MalwarePatrol production database file: $db_file - SKIPPING" log "WARNING - Failed to successfully update MalwarePatrol production database file: $db_file - SKIPPING" fi else grep -h -v -f "$config_dir/whitelist.hex" "$mbl_dir/$db_file" > "$test_dir/$db_file" clamscan --infected --no-summary -d "$test_dir/$db_file" "$ham_dir"/* | \ sed 's/\.UNOFFICIAL FOUND//' | awk '{print $NF}' > "$config_dir/whitelist.txt" grep -h -f "$config_dir/whitelist.txt" "$test_dir/$db_file" | \ cut -d "*" -f2 | sort | uniq >> "$config_dir/whitelist.hex" grep -h -v -f "$config_dir/whitelist.hex" "$test_dir/$db_file" > "$test_dir/$db_file-tmp" mv -f "$test_dir/$db_file-tmp" "$test_dir/$db_file" if clamscan --quiet -d "$test_dir/$db_file" "$config_dir/scan-test.txt" 2>/dev/null then comment "Clamscan reports MalwarePatrol $db_file database integrity tested good" log "INFO - Clamscan reports MalwarePatrol $db_file database integrity tested good" ; true else echo "Clamscan reports MalwarePatrol $db_file database integrity tested BAD - SKIPPING" log "WARNING - Clamscan reports MalwarePatrol $db_file database integrity tested BAD - SKIPPING" ; false fi && \ (test "$keep_db_backup" = "yes" && cp -f $clam_dbs/$db_file $clam_dbs/$db_file-bak 2>/dev/null ; true) && \ if rsync -pcqt $test_dir/$db_file $clam_dbs then perms chown $clam_user:$clam_group $clam_dbs/$db_file comment "Successfully updated MalwarePatrol production database file: $db_file" log "INFO - Successfully updated MalwarePatrol production database file: $db_file" mbl_update=1 do_clamd_reload=1 else echo "Failed to successfully update MalwarePatrol production database file: $db_file - SKIPPING" log "WARNING - Failed to successfully update MalwarePatrol production database file: $db_file - SKIPPING" fi fi fi else comment "" comment "MalwarePatrol signature database ($db_file) did not change - skipping" log "INFO - MalwarePatrol signature database ($db_file) did not change - skipping" fi else log "WARNING - Failed curl connection to $mbl_url - SKIPPED MalwarePatrol $db_file update" fi done else comment "" comment "======================================================================" comment "MalwarePatrol Database File Update" comment "======================================================================" comment "" time_remaining=$(($update_interval - $time_interval)) hours_left=$(($time_remaining / 3600)) minutes_left=$(($time_remaining % 3600 / 60)) comment "$mbl_update_hours hours have not yet elapsed since the last MalwarePatrol download" comment "" comment " --- No database download was performed at this time ---" comment "" comment "Next download will be performed in approximately $hours_left hour(s), $minutes_left minute(s)" log "INFO - Next MalwarePatrol download will be performed in approximately $hours_left hour(s), $minutes_left minute(s)" fi fi ################################################### # Check for user added signature database updates # ################################################### if [ -n "$add_dbs" ] ; then comment "" comment "======================================================================" comment "User Added Signature Database File Update(s)" comment "======================================================================" comment "" for db_url in $add_dbs ; do base_url=`echo $db_url | cut -d "/" -f3` db_file=`basename $db_url` if [ "`echo $db_url | cut -d ":" -f1`" = "rsync" ] then if ! rsync $rsync_output_level $no_motd $connect_timeout --timeout="$rsync_max_time" --exclude=*.txt \ -crtuz --stats --exclude=*.sha256 --exclude=*.sig --exclude=*.gz $db_url $add_dir ; then echo "Failed rsync connection to $base_url - SKIPPED $db_file update" log "WARNING - Failed rsync connection to $base_url - SKIPPED $db_file update" fi else if [ -s "$add_dir/$db_file" ] then z_opt="-z $add_dir/$db_file" else z_opt="" fi if ! curl $curl_output_level --connect-timeout "$curl_connect_timeout" --max-time \ "$curl_max_time" -L -R $z_opt -o $add_dir/$db_file $db_url ; then echo "Failed curl connection to $base_url - SKIPPED $db_file update" log "WARNING - Failed curl connection to $base_url - SKIPPED $db_file update" fi fi done db_file="" for db_file in `ls $add_dir`; do if ! cmp -s $add_dir/$db_file $clam_dbs/$db_file ; then comment "" comment "Testing updated database file: $db_file" clamscan --quiet -d "$add_dir/$db_file" "$config_dir/scan-test.txt" 2>/dev/null if [ "$?" = "0" ] then comment "Clamscan reports $db_file database integrity tested good" log "INFO - Clamscan reports $db_file database integrity tested good" ; true else echo "Clamscan reports User Added $db_file database integrity tested BAD - SKIPPING" log "WARNING - Clamscan reports User Added $db_file database integrity tested BAD - SKIPPING" ; false fi && \ (test "$keep_db_backup" = "yes" && cp -f $clam_dbs/$db_file $clam_dbs/$db_file-bak 2>/dev/null ; true) && \ if rsync -pcqt $add_dir/$db_file $clam_dbs then perms chown $clam_user:$clam_group $clam_dbs/$db_file comment "Successfully updated User-Added production database file: $db_file" log "INFO - Successfully updated User-Added production database file: $db_file" add_update=1 do_clamd_reload=1 else echo "Failed to successfully update User-Added production database file: $db_file - SKIPPING" log "WARNING - Failed to successfully update User-Added production database file: $db_file - SKIPPING" fi fi done if [ "$add_update" != "1" ] ; then comment "" comment "No User-Defined database file updates found" log "INFO - No User-Defined database file updates found" fi fi # Check to see if the local.ign file exists, and if it does, check to see if any of the script # added bypass entries can be removed due to offending signature modifications or removals. if [ -s "$clam_dbs/local.ign" -a -s "$config_dir/monitor-ign.txt" ] ; then ign_updated=0 cd "$clam_dbs" cp -f local.ign "$config_dir/local.ign" comment "" comment "======================================================================" for entry in `cat "$config_dir/monitor-ign.txt" 2>/dev/null` ; do sig_file=`echo "$entry" | tr -d "\r" | awk -F ":" '{print $1}'` sig_hex=`echo "$entry" | tr -d "\r" | awk -F ":" '{print $NF}'` sig_name_old=`echo "$entry" | tr -d "\r" | awk -F ":" '{print $3}'` sig_ign_old=`grep "$sig_name_old" "$config_dir/local.ign"` sig_old=`echo "$entry" | tr -d "\r" | cut -d ":" -f3-` sig_new=`grep -hwF "$sig_hex" "$sig_file" | tr -d "\r" 2>/dev/null` sig_mon_new=`grep -HwF -n "$sig_hex" "$sig_file" | tr -d "\r"` if [ -n "$sig_new" ] then if [ "$sig_old" != "$sig_new" -o "$entry" != "$sig_mon_new" ] ; then sig_name_new=`echo "$sig_new" | tr -d "\r" | awk -F ":" '{print $1}'` sig_ign_new=`echo "$sig_mon_new" | cut -d ":" -f1-3` perl -i -ne "print unless /$sig_ign_old/" "$config_dir/monitor-ign.txt" echo "$sig_mon_new" >> "$config_dir/monitor-ign.txt" perl -p -i -e "s/$sig_ign_old/$sig_ign_new/" "$config_dir/local.ign" comment "" comment "$sig_name_old hexadecimal signature unchanged, however signature name and/or line placement" comment "in $sig_file has change to $sig_name_new - updated local.ign to reflect this change." log "INFO - $sig_name_old hexadecimal signature unchanged, however signature name and/or line placement" log "INFO - in $sig_file has change to $sig_name_new - updated local.ign to reflect this change." ign_updated=1 fi else perl -i -ne "print unless /$sig_ign_old/" "$config_dir/monitor-ign.txt" "$config_dir/local.ign" comment "" comment "$sig_name_old signature has been removed from $sig_file, entry removed from local.ign." log "INFO - $sig_name_old signature has been removed from $sig_file, entry removed from local.ign." ign_updated=1 fi done if [ "$ign_updated" = "1" ] then if clamscan --quiet -d "$config_dir/local.ign" "$config_dir/scan-test.txt" then if rsync -pcqt $config_dir/local.ign $clam_dbs then perms chown $clam_user:$clam_group "$clam_dbs/local.ign" chmod 0644 "$clam_dbs/local.ign" "$config_dir/monitor-ign.txt" do_clamd_reload=3 else echo "Failed to successfully update local.ign file - SKIPPING" log "WARNING - Failed to successfully update local.ign file - SKIPPING" fi else echo "Clamscan reports local.ign database integrity is bad - SKIPPING" log "WARNING - Clamscan reports local.ign database integrity is bad - SKIPPING" fi else comment "No whitelist signature changes found in local.ign." comment "======================================================================" log "INFO - No whitelist signature changes found in local.ign." fi fi # Check to see if my-whitelist.ign2 file exists, and if it does, check to see if any of the script # added whitelist entries can be removed due to offending signature modifications or removals. if [ -s "$clam_dbs/my-whitelist.ign2" -a -s "$config_dir/tracker.txt" ] ; then ign2_updated=0 cd "$clam_dbs" cp -f my-whitelist.ign2 "$config_dir/my-whitelist.ign2" comment "" comment "======================================================================" for entry in `cat "$config_dir/tracker.txt" 2>/dev/null` ; do sig_file=`echo "$entry" | cut -d ":" -f1` sig_full=`echo "$entry" | cut -d ":" -f2-` sig_name=`echo "$entry" | cut -d ":" -f2` if ! grep -F "$sig_full" "$sig_file" > /dev/null 2>&1 ; then perl -i -ne "print unless /$sig_name$/" "$config_dir/my-whitelist.ign2" perl -i -ne "print unless /:$sig_name:/" "$config_dir/tracker.txt" comment "" comment "$sig_name signature no longer exists in" comment "$sig_file, whitelist entry removed from my-whitelist.ign2." log "INFO - $sig_name signature no longer exists in" log "INFO - $sig_file, whitelist entry removed from my-whitelist.ign2." ign2_updated=1 fi done comment "" comment "======================================================================" if [ "$ign2_updated" = "1" ] then if clamscan --quiet -d "$config_dir/my-whitelist.ign2" "$config_dir/scan-test.txt" then if rsync -pcqt $config_dir/my-whitelist.ign2 $clam_dbs then perms chown $clam_user:$clam_group "$clam_dbs/my-whitelist.ign2" chmod 0644 "$clam_dbs/my-whitelist.ign2" "$config_dir/tracker.txt" do_clamd_reload=4 else echo "Failed to successfully update my-whitelist.ign2 file - SKIPPING" log "WARNING - Failed to successfully update my-whitelist.ign2 file - SKIPPING" fi else echo "Clamscan reports my-whitelist.ign2 database integrity is bad - SKIPPING" log "WARNING - Clamscan reports my-whitelist.ign2 database integrity is bad - SKIPPING" fi else comment "No whitelist signature changes found in my-whitelist.ign2." comment "======================================================================" log "INFO - No whitelist signature changes found in my-whitelist.ign2." fi fi # Check for non-matching whitelist.hex signatures and remove them from the whitelist file (signature modified or removed). if [ -n "$ham_dir" ] ; then if [ -s "$config_dir/whitelist.hex" ] then grep -h -f "$config_dir/whitelist.hex" "$work_dir"/*/*.ndb | cut -d "*" -f2 | tr -d "\r" | sort | uniq > "$config_dir/whitelist.tmp" mv -f "$config_dir/whitelist.tmp" "$config_dir/whitelist.hex" rm -f "$config_dir/whitelist.txt" rm -f "$test_dir"/*.* echo "" echo "***********************************************************************" echo "* Signature(s) triggered on HAM directory scan - signature(s) removed *" echo "***********************************************************************" log "WARNING - Signature(s) triggered on HAM directory scan - signature(s) removed" else comment "" comment "=================================================" comment "= No signatures triggered on HAM directory scan =" comment "=================================================" log "INFO - No signatures triggered on HAM directory scan" fi fi # Set appropriate directory and file permissions to all production signature files # and set file access mode to 0644 on all working directory files. perms chown -R $clam_user:$clam_group "$clam_dbs" if ! find "$work_dir" -type f -exec chmod 0644 {} + 2>/dev/null ; then if ! find "$work_dir" -type f -print0 | xargs -0 chmod 0644 2>/dev/null ; then if ! find "$work_dir" -type f | xargs chmod 0644 2>/dev/null ; then find "$work_dir" -type f -exec chmod 0644 {} \; fi fi fi # If enabled, set file access mode for all production signature database files to 0644. if [ "$setmode" = "yes" ] ; then if ! find "$clam_dbs" -type f -exec chmod 0644 {} + 2>/dev/null ; then if ! find "$clam_dbs" -type f -print0 | xargs -0 chmod 0644 2>/dev/null ; then if ! find "$clam_dbs" -type f | xargs chmod 0644 2>/dev/null ; then find "$clam_dbs" -type f -exec chmod 0644 {} \; fi fi fi fi # Reload all clamd databases if updates detected and $reload_dbs" is # set to "yes", and neither $reload_opt nor $do_clamd_reload are null. if [ "$reload_dbs" = "yes" -a -z "$reload_opt" ] then echo "" echo "********************************************************************************************" echo "* Check the script's configuration file, 'reload_dbs' enabled but no 'reload_opt' selected *" echo "********************************************************************************************" log "WARNING - Check the script's configuration file, 'reload_dbs' enabled but no 'reload_opt' selected" elif [ "$reload_dbs" = "yes" -a "$do_clamd_reload" = "1" -a -n "$reload_opt" ] ; then comment "" comment "=================================================" comment "= Update(s) detected, reloaded ClamAV databases =" comment "=================================================" log "INFO - Update(s) detected, reloaded ClamAV databases" $reload_opt elif [ "$reload_dbs" = "yes" -a "$do_clamd_reload" = "2" -a -n "$reload_opt" ] ; then comment "" comment "===========================================================" comment "= Database removal(s) detected, reloaded ClamAV databases =" comment "===========================================================" log "INFO - Database removal(s) detected, reloaded ClamAV databases" $reload_opt elif [ "$reload_dbs" = "yes" -a "$do_clamd_reload" = "3" -a -n "$reload_opt" ] ; then comment "" comment "===========================================================" comment "= File 'local.ign' has changed, reloaded ClamAV databases =" comment "===========================================================" log "INFO - File 'local.ign' has changed, reloaded ClamAV databases" $reload_opt elif [ "$reload_dbs" = "yes" -a "$do_clamd_reload" = "4" -a -n "$reload_opt" ] ; then comment "" comment "===================================================================" comment "= File 'my-whitelist.ign2' has changed, reloaded ClamAV databases =" comment "===================================================================" log "INFO - File 'my-whitelist.ign2' has changed, reloaded ClamAV databases" $reload_opt elif [ "$reload_dbs" = "yes" -a -z "$do_clamd_reload" ] ; then comment "" comment "===========================================================" comment "= No updates detected, ClamAV databases were not reloaded =" comment "===========================================================" log "INFO - No updates detected, ClamAV databases were not reloaded" else comment "" comment "===============================================================" comment "= Database reload has been disabled in the configuration file =" comment "===============================================================" log "INFO - Database reload has been disabled in the configuration file" true fi exit $? clamav-unofficial-sigs-3.7.2/clamd-status.sh0000755000000000000000000002236412207147371017517 0ustar rootroot#!/bin/sh # Script freely provided by Bill Landry (unofficialsigs@gmail.com); however, # use at your own peril! Comments, suggestions, and recommendations for # improving this script are always welcome. Feel free to report any # issues, as well. # This script will monitor and report the status of ClamD. It can also # be configured to attempt to restart the ClamD daemon if it is found to # be non-responsive. All variables below should be set correctly if set # to restart a failed, crashed, or non-responsive daemon. Before trying # to restart the ClamD daemon, the script will first delete any orphaned # pid, lock, or socket files that may have been left due to a crash. ###################################################################################### # START OF USER CONFIGURATION SECTION - SET PROGRAM PATHS AND OTHER VARIABLE OPTIONS # ###################################################################################### # Edit quoted variables below to meet your own particular # needs/requirements, but do not remove the "quote" marks. # Set and export program paths. PATH="/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin" export PATH # Set path to clamd.pid file (see clamd.conf for path location). clamd_pid="/var/run/clamav/clamd.pid" # If running clamd in "LocalSocket" mode (*NOT* in TCP/IP mode), and # either "SOcket Cat" (socat) or the "IO::Socket::UNIX" perl module # are installed on the system, and you want to report whether clamd # is running or not, uncomment the "clamd_socket" variable below (you # will be warned if neither socat nor IO::Socket::UNIX are found, but # the script will still run). You will also need to set the correct # path to your clamd socket file (if unsure of the path, check the # "LocalSocket" setting in your clamd.conf file for socket location). clamd_socket="/var/run/clamav/clamd.sock" # If you would like to attemtp to restart ClamD if detected not running, # uncomment the next 2 lines. Confirm the path to the "clamd_lock" file # (usually can be found in the clamd init script) and also enter the clamd # start command for your particular distro for the "start_clamd" variable # (the sample start command shown below should work for most linux distros). # NOTE: these 2 variables are dependant on the "clamd_socket" variable # shown above - if not enabled, then the following 2 variables will be # ignored, whether enabled or not. clamd_lock="/var/lock/subsys/clamd" start_clamd="service clamd start" # To only report issues, set the following variable to "yes". only_report_issues="yes" # Log update information to '$log_file_path/$log_file_name'. enable_logging="no" log_file_path="/var/log" log_file_name="clamd-status.log" # Set the following variable to "yes" once you have completed the # "USER CONFIGURATION SECTION" of this script. user_configuration_complete="no" ####################################################################################### # END OF USER CONFIGURATION SECTION - YOU SHOULD NOT NEED TO EDIT ANYTHING BELOW HERE # ####################################################################################### # Use functions to make code more readable. comment () { test "$only_report_issues" = "no" && echo "$1" } log () { test "$enable_logging" = "yes" && echo "`date "+%b %e %T"` $1" >> $log_file_path/$log_file_name } # Check to see if the script's "USER CONFIGURATION SECTION" has been completed. if [ "$user_configuration_complete" != "yes" ] then echo "" echo " *** SCRIPT CONFIGURATION HAS NOT BEEN COMPLETED ***" echo " Please review and configure the 'USER CONFIGURATION SECTION' of the script." echo " Once the user configuration section has been completed, rerun the script." echo "" log "ALERT - SCRIPT HALTED, user configuration not completed" exit 1 fi if [ -t 0 ] ; then only_report_issues="no" log "INFO - Script was run manually" fi # If ClamD status check is enabled ("clamd_socket" variable is uncommented # and the socket path is correctly specified in "User Edit" section above), # then test to see if clamd is running or not. if [ -n "$clamd_socket" ] ; then if [ "`perl -e 'use IO::Socket::UNIX; print $IO::Socket::UNIX::VERSION,"\n"' 2> /dev/null`" ] then io_socket1=1 if [ "`perl -MIO::Socket::UNIX -we '$s = IO::Socket::UNIX->new(shift); $s->print("PING"); \ print $s->getline; $s->close' "$clamd_socket" 2> /dev/null`" = "PONG" ] ; then io_socket2=1 comment "====================" comment "= ClamD is running =" comment "====================" log "INFO - ClamD is running" fi else socat="`which socat 2> /dev/null`" if [ -n "$socat" -a -x "$socat" ] ; then socket_cat1=1 if [ "`(echo "PING"; sleep 1;) | socat - "$clamd_socket" 2> /dev/null`" = "PONG" ] ; then socket_cat2=1 comment "====================" comment "= ClamD is running =" comment "====================" log "INFO - ClamD is running" fi fi fi if [ -z "$io_socket1" -a -z "$socket_cat1" ] then echo "" echo " --- WARNING ---" echo " It appears that neither 'SOcket CAT' (socat) nor the perl module" echo " 'IO::Socket::UNIX' are installed on the system. In order to run" echo " the ClamD socket test to determine whether ClamD is running or" echo " or not, either 'socat' or 'IO::Socket::UNIX' must be installed." log "WARNING - neither socat nor IO::Socket::UNIX perl module found, cannot test whether ClamD is running" else if [ -z "$io_socket2" -a -z "$socket_cat2" ] ; then echo "" echo " *************************" echo " * !!! ALERT !!! *" echo " * CLAMD IS NOT RUNNING! *" echo " *************************" echo "" log "ALERT - ClamD is not running" if [ -n "$start_clamd" ] ; then echo " Attempting to start ClamD..." echo "" if [ -n "$io_socket1" ] then rm -f $clamd_pid $clamd_lock $clamd_socket 2> /dev/null $start_clamd > /dev/null && sleep 5 if [ "`perl -MIO::Socket::UNIX -we '$s = IO::Socket::UNIX->new(shift); \ $s->print("PING"); print $s->getline; $s->close' "$clamd_socket" \ 2> /dev/null`" = "PONG" ] then echo "==================================" echo "= ClamD was successfully started =" echo "==================================" log "NOTICE - ClamD was successfuly started" else echo " *************************" echo " * !!! PANIC !!! *" echo " * CLAMD FAILED TO START *" echo " *************************" echo "" echo "Check to confirm that the clamd start process defined for" echo "the 'start_clamd' variable in the 'USER EDIT SECTION' is" echo "set correctly for your particular distro. If it is, then" echo "check your logs to determine why clamd failed to start." echo "" log "CRITICAL - ClamD failed to start" exit 1 fi else if [ -n "$socket_cat1" ] ; then rm -f $clamd_pid $clamd_lock $clamd_socket 2> /dev/null $start_clamd > /dev/null && sleep 5 if [ "`(echo "PING"; sleep 1;) | socat - "$clamd_socket" 2> /dev/null`" = "PONG" ] then echo "==================================" echo "= ClamD was successfully started =" echo "==================================" log "NOTICE - ClamD was successfuly started" else echo " *************************" echo " * !!! PANIC !!! *" echo " * CLAMD FAILED TO START *" echo " *************************" echo "" echo "Check to confirm that the clamd start process defined for" echo "the 'start_clamd' variable in the 'USER EDIT SECTION' is" echo "set correctly for your particular distro. If it is, then" echo "check your logs to determine why clamd failed to start." echo "" log "CRITICAL - ClamD failed to start" exit 1 fi fi fi fi fi fi fi exit $? clamav-unofficial-sigs-3.7.2/README0000644000000000000000000000747312207147371015443 0ustar rootroot====================== CLAMAV-UNOFFICIAL-SIGS ====================== The clamav-unofficial-sigs script and accompanying files are provided by Bill Landry (unofficialsigs@gmail.com) under general BSD licensing guidelines. The clamav-unofficial-sigs.tar.gz package contains script and configuration files that provide the capability to download, test, and update the 3rd-party signature databases provided by Sanesecurity, SecuriteInfo, MalwarePatrol, OITC, etc. Files contained in the clamav-unofficial-sigs.tar.gz package: 1. README - This file. Contains basic information about script features and capabilities. 2. CHANGELOG - This file contains the changes that have been made between script updates. 3. LICENSE - Open-Source license to allow packaging/porting and redistribution of scripts. 4. INSTALL - Contains detailed instructions for configuring and using scripts. 5. clamav-unofficial-sigs.conf - This file contains all of the user configurable variable setting for running the "clamav-unofficial-sigs.sh" shell script. 6. clamav-unofficial-sigs.sh - This file contains the shell scripting code necessary for checking for updated 3rd party clamav signature databases, downloading of databases, testing for valid GPG signatures and clamscan for database integrity, and finally implementation of updated databases. 7. clamav-unofficial-sigs.8 - This is the script's manual page. 8. clamav-unofficial-sigs-cron - This is the script's cron file used to support automated script execution at specified time intervals. 9. clamav-unofficial-sigs-logrotate - This is the script's logrotate file, used to rotate and compress log files at a specified time-interval and to keep the log archives for a specified time-frame. 10. clamd-status.sh - A stand-alone script that can be used to run status checks against clamd, and can be configured to attempt to start a non-running or crashed daemon. Script (clamav-unofficial-sigs.sh) features & capabilities: - Checks for updated unofficial clamav signature database files, detection and download. - GPG signature verify and clamscan integrity test updated signature databases and implement. - Download time randomization - this help to distribute the load more evenly for the database host mirror sites. - Create signature bypass entries for temporarily resolving false-positive issues with third- party signatures. - Ability to report which mirror site a download came from (good to know if there are issues). - Reports if a downloaded database is actually different than the running copy. - Status check to determine if clamd is running, and if enabled, ability to attemtp to start if detected not running. - Ability to control script output, which is good when run via cron. - Ability to create a backup copy of a running database before replacing it. - Currently provides support for six different unofficial clamav database providers: Sanesecurity, SecuriteInfo, MalwarePatrol, OITC, etc. - Ability to choose which database files to download and use from each provider. - Coded to be portable across as many different OS platforms and utility versions as possible. - Separate user configuration file, which will allow users to setup their configuration and not have to redo the configuration with each new script update. - The script can hexadecimal encode (for usage) and decode (for viewing) virus signatures. - Ability to create a hexadecimal signature database file from a clear text ascii file. - Ability to enable scanning of a local HAM (non-spam) directory for false-positive hits from third-party signatures and removal of errant signatures from databases before implementing. - Script logging can be enabled/disabled in the configuration file. - Includes cron, manual, and logrotate files. Script updates can be found at: http://sourceforge.net/projects/unofficial-sigs