
Adding signatures to clamav

September 26, 2010

Mostly clamav gets updated with new virus signatures pretty quickly, but occasionally it can take a few days.

In the past few days the mail server has been hit by a zip file that contains an executable that clamav does not report as a threat (neither does Symantec or McAfee); however, there is no way this is not malware. Thankfully, adding the signature to clamav is trivial with a short script:

#!/bin/ksh -p
# Append a local NDB signature for each file given on the command line
# to clamav's local.ndb (found relative to the clamdscan binary).
sigfile=$(dirname $(whence clamdscan))/../share/clamav/local.ndb
host=$(uname -n)
for i in "$@"
do
        # Tag the signature name by file extension
        case ${i##*.} in
                exe) t=Win32 ;;
                pdf) t=PDF ;;
                *) t=Unknown ;;
        esac
        # Only add a signature if the file is readable and clamdscan
        # does not already flag it (clamdscan exits 0 when nothing is found)
        if [[ -r $i ]] && clamdscan --quiet "$i"
        then
                # NDB line: Name:TargetType:Offset:HexSignature, using the
                # first 512 bytes of the file (1024 hex chars) at any offset.
                # Target type 1 is PE executables, so a PDF entry written
                # this way will not be checked against PDF files.
                sigtool --hex-dump < "$i" | head -c 1024 | read sig
                print "Temp.$t.$host.${i##*/}:1:*:$sig"
        fi
done >> $sigfile
if ! [[ -s $sigfile ]]
then
        # Nothing was written; do not leave an empty database behind
        rm $sigfile
elif [[ ${update:-1} -eq 0 ]]
then
        # With update=0 in the environment, check the new signatures
        # detect the samples (clamscan exits 1 on a hit) and reload clamd
        clamscan -d $sigfile --quiet "$@"
        [[ $? -eq 1 ]] && pfexec svcadm restart svc:/network/clam:default
fi
exit ${update:-1}

The result is that overnight the virus scanner has blocked 12 emails containing this file.
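As an added illustration (not the post's script), the NDB line the script writes can be built and sanity-checked without sigtool or clamscan, using od for the hex dump; the target type numbers follow ClamAV's signature documentation (0 = any file, 1 = PE, 10 = PDF) and the sample bytes are constructed.

```shell
#!/bin/sh
# Added example, not the post's script: build and sanity-check a ClamAV
# .ndb line without sigtool, using od for the hex dump.
# NDB format: MalwareName:TargetType:Offset:HexSignature
# Target types (ClamAV signature docs): 0 = any file, 1 = PE, 10 = PDF.

# Hex-encode the first $2 bytes of file $1 (lowercase, no separators),
# equivalent to 'sigtool --hex-dump < file | head -c N*2'.
hexdump_head() {
    head -c "$2" "$1" | od -An -v -tx1 | tr -d ' \n'
}

# Pick the NDB target type from the file extension so a PDF sample is
# actually checked against PDFs (the post's script hard-codes 1 = PE).
ndb_target() {
    case "${1##*.}" in
        exe|dll) echo 1 ;;
        pdf)     echo 10 ;;
        *)       echo 0 ;;
    esac
}

# Emit one NDB line for file $1, named $2, from its first $3 bytes,
# matching at any offset (*).
make_ndb() {
    printf '%s:%s:*:%s\n' "$2" "$(ndb_target "$1")" "$(hexdump_head "$1" "$3")"
}

# Return 0 if $1 is a well-formed NDB line: four colon-separated fields,
# numeric target type, offset '*' or a number, even-length hex body.
check_ndb() {
    printf '%s\n' "$1" | grep -Eq '^[^:]+:[0-9]+:(\*|[0-9]+):([0-9a-fA-F]{2})+$'
}

# Return 0 if file $1 contains the hex body of NDB line $2 at any offset,
# mirroring how a '*' offset signature is matched.
ndb_matches() {
    sig=${2##*:}
    od -An -v -tx1 "$1" | tr -d ' \n' | grep -q "$sig"
}
```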

Meanwhile I’ve posted the file to so it should turn up in the normal update soon.

Hat tip to for the initial instructions.


From → homeserver, Solaris
