Using ClamAV with ORF - Part II

Introduction - what is this about?

This guide provides detailed instructions on configuring ClamAV for phising, scam and spam protection by using third-party ClamAV signatures . This is the second part of a two-part series – find the first part on the link below:

ClamAV Guide - Part I: Setting Up ClamAV Anti-virus for ORF

Generally, the quality of third-party signatures provided by SaneSecurity is quite good, but your mileage may vary. If you are not sure what to expect, configure the ClamAV agent to tag or redirect emails on hit for a short testing period, so you can recover any falsely blacklisted emails.


Getting started - downloading required tools

Download the following package and extract its contents to a temporary folder: ClamAV Tools Package (ZIP)

The package contains the following:

  • Sigupdate: a third-party batch file which will download the signatures periodically through a scheduled task. Our package includes the latest available version (as of writing this, v0.8 beta).
  • Rsync: Used by Sigupdate for file synchronization and mirroring. The package contains the latest Rsync version from Cygwin (as of writing this, v3.1.2). If you need a more recent version of it, download and install it from Cygwin.
  • Cygwin DLL files: these are required for Rsync to work (cyggcc_s-1.dll, cygiconv-2.dll, cygintl-8.dll, cygpopt-0.dll, cygwin1.dll).

IMPORTANT The communication protocol used by rsync is TCP/873. Make sure this port is open on your firewall.


Installing Sigupdate

Copy or move the sigupdate directory to the installation directory of ClamAV (C:\clamav\ by default). Please note that if you did not install ClamAV to the default directory, you have to manually update the relevant file paths in sigupdate.bat.

You can configure Sigupdate signature sources by editing signames.txt. You will probably find the default signature set suitable, so we recommend to skip this step for now, and revisit this file once you familiarized yourself with ClamAV and Sanesecurity signatures.

IMPORTANT The first two entries in signames.txt must remain: sanesecurity.ftm and sigwhitelist.ign2


Downloading signatures

Run sigupdate.bat from command line to see whether it can download the signature files without issues.


Scheduling updates

To schedule the update process, run the following command as Administrator:

schtasks /create /sc hourly /mo 1 /tn "Sigupdate" /tr "C:\clamav\sigupdate\sigupdate.bat" /ru "NT AUTHORITY\SYSTEM"

This will add a scheduled task called Sigupdate which will run sigupdate.bat under the SYSTEM account every hour to update the default anti-virus signatures. If you would like to update more (or less) frequently, feel free to modify the command accordingly (read this article regarding the syntax).

To ensure the correct resolution of relative file names, the working directory for the task needs to be specified. Unfortunately, there is no command line parameter to do this, so you will have to use the Task Scheduler user interface:

  1. Start the Windows Task Scheduler (Start > Run > taskschd.msc)
  2. Select the Task Scheduler Library
  3. Right-click on the Sigupdate task and select Properties
  4. Select the Actions tab, click Edit
  5. In the "Start in (optional)" field, enter the Sigupdate folder path without a trailing backslash (e.g. C:\clamav\sigupdate)
  6. Click Ok.

To delete the scheduled task, run the following command as Administrator:

schtasks /delete /tn "Sigupdate" /f

Adding further signatures (optional)

There are a lot of third-party signatures available for ClamAV to extend its filtering capabilities. Probably the most well-known are the signatures offered by Sanesecurity, built against different threats. You can find more info about these at:

hnp1 | hnp2