
Adding signatures to clamav

September 26, 2010

ClamAV usually receives new virus signatures pretty quickly, but occasionally it can take a few days.

In the past few days the mail server has been hit by a zip file containing an executable that clamav does not report as a threat (neither do Symantec or McAfee); however, there is no way this is not malware. Thankfully, adding a signature to clamav is trivial with a short script:

#!/bin/ksh -p
# Append a local ClamAV signature (.ndb format) for each file given on the
# command line that clamdscan currently reports as clean, then test the new
# signature file and restart clamd so it is picked up.
sigfile=$(dirname "$(whence clamdscan)")/../share/clamav/local.ndb
host=$(uname -n)
for i in "$@"
do
        # Name prefix and ClamAV target type from the extension:
        # 1 = PE executable, 0 = any file type (a PDF is not a PE, so a
        # target type of 1 would never match it).
        case ${i##*.} in
                exe) t=Win32; target=1 ;;
                pdf) t=PDF; target=0 ;;
                *) t=Unknown; target=0 ;;
        esac
        # clamdscan exits 0 only when it finds nothing, so a signature is
        # added only for files the current database misses.
        if [[ -r $i ]] && clamdscan --quiet "$i"
        then
                # Signature body: hex of the first 512 bytes (1024 hex chars).
                # In ksh the last pipeline stage runs in the current shell,
                # so "read sig" sets $sig here.
                sigtool --hex-dump < "$i" | head -c 1024 | read sig
                # .ndb line: Name:TargetType:Offset:HexSignature ("*" = any offset)
                print Temp.$t.$host.${i##*/}:$target:\*:$sig
                update=0
        fi
done >> "$sigfile"
if ! [[ -s $sigfile ]]
then
        # Nothing was ever added: do not leave an empty database file behind.
        rm "$sigfile"
elif [[ ${update:-1} -eq 0 ]]
then
        # clamscan exits 1 when the new signature hits the sample file; only
        # then restart clamd (Solaris SMF) so it loads the updated local.ndb.
        clamscan -d "$sigfile" --quiet "$@"
        [[ $? -eq 1 ]] && pfexec svcadm restart svc:/network/clam:default
fi
exit ${update:-1}
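An added example, not part of the original post, showing what the local.ndb line the script prints means: a small Python model of the Name:TargetType:Offset:HexSignature format that builds an entry the same way (first 512 bytes, offset `*`) and applies it to constructed sample data. It is a simplified stand-in for ClamAV's matcher, not ClamAV's own code, covers only target types 0 and 1, and the sample bytes, names and helper functions are made up for the demonstration.

```python
import binascii

SIG_BYTES = 512                 # the script keeps 1024 hex chars = 512 bytes
TARGET_ANY, TARGET_PE = 0, 1    # ClamAV target types: 0 = any file, 1 = PE

def make_ndb_entry(name, data, nbytes=SIG_BYTES):
    """Build a local.ndb line as the script does: hex of the file's first
    nbytes, offset '*' (match anywhere), target 1 for a PE (MZ header),
    else 0 (any file type)."""
    target = TARGET_PE if data[:2] == b"MZ" else TARGET_ANY
    return "%s:%d:*:%s" % (name, target, binascii.hexlify(data[:nbytes]).decode())

def parse_ndb_entry(line):
    """Split Name:TargetType:Offset:HexSignature; unhexlify rejects a
    truncated (odd-length) or non-hex signature body."""
    name, target, offset, hexsig = line.strip().split(":", 3)
    return name, int(target), offset, binascii.unhexlify(hexsig)

def matches(entry, data):
    """Simplified matcher: the target type gates the file kind (PE needs an MZ
    header); offset is '*' (anywhere), an absolute byte offset, or 'EOF-n'."""
    _, target, offset, sig = parse_ndb_entry(entry)
    if target == TARGET_PE and data[:2] != b"MZ":
        return False
    if offset == "*":
        return sig in data
    start = len(data) - int(offset[4:]) if offset.startswith("EOF-") else int(offset)
    return start >= 0 and data[start:start + len(sig)] == sig

# Constructed sample inputs (not real files): a fake PE-style blob whose first
# 512 bytes are header-like filler, and a harmless text file.
SAMPLE_EXE = (b"MZ" + b"\x90" * 62
              + b"This program cannot be run in DOS mode." + bytes(range(256)) * 2)
SAMPLE_TXT = b"just some harmless text\n"
ENTRY = make_ndb_entry("Temp.Win32.mailhost.sample.exe", SAMPLE_EXE)

def header_only_caveat():
    """Because the signature is only the leading 512 bytes, any other PE that
    shares them (same header and stub, different body) matches as well. That
    is the false-positive risk of this quick method, so scan known-good
    executables against local.ndb before trusting it."""
    lookalike = SAMPLE_EXE[:SIG_BYTES] + b"completely different body"
    return matches(ENTRY, lookalike)

if __name__ == "__main__":
    print(ENTRY[:60] + "...")
    print("sample matches:", matches(ENTRY, SAMPLE_EXE))
    print("text matches:", matches(ENTRY, SAMPLE_TXT))
    print("look-alike matches:", header_only_caveat())
```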

As a result, overnight the virus scanner blocked 12 emails containing this file.

Meanwhile I’ve posted the file to http://www.clamav.net/lang/en/sendvirus so it should turn up in the normal update soon.

Hat tip to http://blog.adamsweet.org/?p=250 for the initial instructions.

From → homeserver, Solaris
