How to customize CLAM-AV a little? - ORF Forums

How to customize CLAM-AV a little? RSS Back to forum

1

Hello

We have many, many false positives (set to redirect for review) from CLAM-AV... a lot more actual positives so we don't want to just turn off CLAM..

All of the false positives log as:
SecuriteInfo.com.Spam-4114.UNOFFICIAL FOUND".

Can one of you experts direct me on how to edit the clam-av config to just exclude anything regarding definitions from securiteinfo.com, or at least their 4114 pattern ?

Note: securiteinfo.com doesn't have anything to do with the from/to addresses, it's a clam filter (I guess)

by Bryon 8 years ago
2

@Bryon: Hello Bryon,

The signature databases used by ClamAV can be enabled or disabled by editing the ClamSup.ini file in the ClamAV folder with a simple text editor, such as Notepad. Look for the "SecuriteInfo databases" section and mark the unwanted databases disabled by adding the hyphen (-) character in front of the <http://...> entries. Unfortunately, I cannot tell which SecuriteInfo database contains the problematic signature, but I would recommend disabling all of them anyway. In the latest ClamAV package available on our website (http://vamsoft.com/support/docs/articles/using-clamav-with-ORF-part-2), the SecuriteInfo databases are disabled by default. If you want to experiment with them, I suggest that you re-enable the entries one by one while monitoring the filtering results in the ORF Log Viewer (http://vamsoft.com/support/docs/knowledge-base/using-the-log-viewer). I hope this helps.

by Daniel Novak (Vamsoft) 8 years ago
(in reply to this post)

3

@Daniel Novak (Vamsoft): Thanks for the reply, I really don't have a lot of experience with clam-av here.

Looking at my clamsup.ini file, anything related to secureite was already minused out... anywhere else i can look?

here are the contents of my clamsup.ini file, untouched:


#
# ClamSup 1.3.1 default download URL configuration file
#
# 1 Dec 2010
#
# Syntax (Switches must in one line and separated by a ";" )
#
# URL ;
# Filename ;
# Unpack (Y/N) ;
# Test sigs with ClamAV (Y/N) ;
# Submit filename with request (Y/N) ;
# Enforce local filename (Y/N) ;
# This is only a checksum file (Y/N)
#
# Lines starting with "#" are being ignored.
#
# Entries starting with "-" are disabled.
#
# See http://www.sanesecurity.co.uk/databases.htm for descriptions.
#

# -----------------------------------------------------------------------------#
# Signatures which will be updated:
# -----------------------------------------------------------------------------#
#
# Note: Rsync is required!

# INetMsg-SpamDomains-2w.ndb
rsync://rsync.sanesecurity.net/sanesecurity;INetMsg-SpamDomains-2w.ndb;N;Y;Y;N;N
# OITC winnow_phish_complete_url.ndb
rsync://rsync.sanesecurity.net/sanesecurity;winnow_phish_complete_url.ndb;N;Y;Y;N;N
# OITC winnow_malware.hdb
rsync://rsync.sanesecurity.net/sanesecurity;winnow_malware.hdb;N;Y;Y;N;N
# OITC winnow_extended_malware.hdb
rsync://rsync.sanesecurity.net/sanesecurity;winnow_extended_malware.hdb;N;Y;Y;N;N
# OITC winnow_malware_links.ndb
rsync://rsync.sanesecurity.net/sanesecurity;winnow_malware_links.ndb;N;Y;Y;N;N
# OITC winnow_extended_malware_links.ndb
rsync://rsync.sanesecurity.net/sanesecurity;winnow_extended_malware_links.ndb;N;Y;Y;N;N
# SaneSecurity sigwhitelist.ign2
rsync://rsync.sanesecurity.net/sanesecurity;sigwhitelist.ign2;N;Y;Y;N;N
# SaneSecurity spam.ldb
rsync://rsync.sanesecurity.net/sanesecurity;spam.ldb;N;Y;Y;N;N
# SaneSecurity scam.ndb
rsync://rsync.sanesecurity.net/sanesecurity;scam.ndb;N;Y;Y;N;N
# SaneSecurity spear.ndb
rsync://rsync.sanesecurity.net/sanesecurity;spear.ndb;N;Y;Y;N;N
# SaneSecurity phish.ndb
rsync://rsync.sanesecurity.net/sanesecurity;phish.ndb;N;Y;Y;N;N
# SaneSecurity jurlbl.ndb
rsync://rsync.sanesecurity.net/sanesecurity;jurlbl.ndb;N;Y;Y;N;N
# SaneSecurity junk.ndb
rsync://rsync.sanesecurity.net/sanesecurity;junk.ndb;N;Y;Y;N;N
# SaneSecurity rogue.ndb
rsync://rsync.sanesecurity.net/sanesecurity;rogue.hdb;N;Y;Y;N;N
# SecuriteInfo honeynet.hdb
-http://clamav.securiteinfo.com;honeynet.hdb;N;Y;Y;N;N
# SecuriteInfo securiteinfobat.hdb
-http://clamav.securiteinfo.com;securiteinfobat.hdb;N;Y;Y;N;N
# SecuriteInfo securiteinfodos.hdb
-http://clamav.securiteinfo.com;securiteinfodos.hdb;N;Y;Y;N;N
# SecuriteInfo securiteinfo.hdb
-http://clamav.securiteinfo.com;securiteinfo.hdb;N;Y;Y;N;N
# SecuriteInfo securiteinfohtml.hdb
-http://clamav.securiteinfo.com;securiteinfohtml.hdb;N;Y;Y;N;N
# SecuriteInfo securiteinfooffice.hdb
-http://clamav.securiteinfo.com;securiteinfooffice.hdb;N;Y;Y;N;N
# SecuriteInfo securiteinfopdf.hdb
-http://clamav.securiteinfo.com;securiteinfopdf.hdb;N;Y;Y;N;N
# CRDF (crdf.fr)
rsync://rsync.sanesecurity.net/sanesecurity;crdfam.clamav.hdb;N;Y;Y;N;N

# -----------------------------------------------------------------------------#
# Databases which are disabled by default
# -----------------------------------------------------------------------------#

# SaneSecurity SaneSecurity.ftm - Warning, enabling it might cause problems!
-rsync://rsync.sanesecurity.net/sanesecurity;sanesecurity.ftm;N;N;Y;N;N
# Doppelstern (ndb)
-rsync://rsync.sanesecurity.net/sanesecurity;doppelstern.ndb;N;Y;Y;N;N
# Doppelstern (hdb)
-rsync://rsync.sanesecurity.net/sanesecurity;doppelstern.hdb;N;Y;Y;N;N
# OITC winnow_spam_complete.ndb
-rsync://rsync.sanesecurity.net/sanesecurity;winnow_spam_complete.ndb;N;Y;Y;N;N
# OITC winnow_complex_patterns.ndb
-rsync://rsync.sanesecurity.net/sanesecurity;winnow.complex.patterns.ldb;N;Y;Y;N;N
# OITC winnow_attachments.hdb
-rsync://rsync.sanesecurity.net/sanesecurity;winnow.attachments.hdb;N;Y;Y;N;N
# SaneSecurity spearl.ndb
-rsync://rsync.sanesecurity.net/sanesecurity;spearl.ndb;N;Y;Y;N;N
# SaneSecurity scamnailer.ndb
-rsync://rsync.sanesecurity.net/sanesecurity;scamnailer.ndb;N;Y;Y;N;N
# SaneSecurity spamattach.hdb
-rsync://rsync.sanesecurity.net/sanesecurity;spamattach.hdb;N;Y;Y;N;N
# SaneSecurity spamimg.hdb
-rsync://rsync.sanesecurity.net/sanesecurity;spamimg.hdb;N;Y;Y;N;N
# SaneSecurity lott.ndb
-rsync://rsync.sanesecurity.net/sanesecurity;lott.ndb;N;Y;Y;N;N
# SecuriteInfo securiteinfosh.hdb
-http://clamav.securiteinfo.com;securiteinfosh.hdb;N;Y;Y;N;N
# SecuriteInfo securiteinfoelf.hdb
-http://clamav.securiteinfo.com;securiteinfoelf.hdb;N;Y;Y;N;N

# -----------------------------------------------------------------------------#
# High risk databases - Enable at your own risk!
# -----------------------------------------------------------------------------#

# OITC winnow_phish_complete.ndb
-rsync://rsync.sanesecurity.net/sanesecurity;winnow_phish_complete.ndb;N;Y;Y;N;N
# SecuriteInfo securiteinfoelf.hdb
-http://clamav.securiteinfo.com;antispam.ndb;N;Y;Y;N;N

# -----------------------------------------------------------------------------#
# Obsolete Databases - Do *NOT* enable them!
# -----------------------------------------------------------------------------#

-php://www.malwarepatrol.com.br/cgi/submit?action=list_clamav_ext;mbl.ndb;N;Y;N;Y
-rsync://rsync.mirror.msrbl.com/msrbl;MSRBL-Images-3M-R-SoN.hdb;N;Y;Y
-rsync://rsync.mirror.msrbl.com/msrbl;MSRBL-SPAM.ndb;N;Y;Y
-http://clamav.securiteinfo.com;antispam.ndb.gz;Y;Y;Y
-http://clamav.securiteinfo.com;vx.hdb.gz;Y;Y;Y
-http://clamav.securiteinfo.com;securiteinfo.hdb.gz;Y;Y;Y
-http://clamav.securiteinfo.com;honeynet.hdb.gz;Y;Y;Y

by Bryon 8 years ago
(in reply to this post)

4

I suspect that some of the SecuriteInfo signatures are still in "\ClamAV\db" folder and ClamAV is using them. See if you can find any of the SecuriteInfo database files (e.g. securiteinfosh.hdb, securiteinfoelf.hdb etc.) in there. If so, delete them. Furthermore, I would recommend updating your ClamAV installation. Based on your ClamSup.ini file, you are using an outdated ClamAV package. The latest package, which can be downloaded from http://vamsoft.com/support/docs/articles/using-clamav-with-ORF-part-2 has a more recent signature database selection and deletes the disabled databases automatically.

by Daniel Novak (Vamsoft) 8 years ago
5

Wow, spot on - there were some year-old securite files there... deleted those

Going to update to the latest package now just to be more clean about it

Thanks so much for your help here

by Bryon 8 years ago
6

@Bryon: I am glad I could help :)

by Daniel Novak (Vamsoft) 8 years ago
(in reply to this post)

7

@Bryon: Hello,

Any false positive with name "SecuriteInfo.com" should be reported to . It will be dropped/corrected very fast.
We *DO NOT* recommand to disable all signature databases only for 1 false positives, as it's more than 4.000.000 malwares detection.

by SecuriteInfo.com 4 years ago
(in reply to this post)

New comment

Fill in the form below to add a new comment. All fields are required. If you are a registered user on our site, please sign in first.

It will not be published.
hnp1 | hnp2