rspamd - ClamAV Config with unofficial sigs
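# rspamd antivirus scanner definition for ClamAV. Besides the catch-all
# symbol, it maps ClamAV signature names (official and third-party
# databases) to individual rspamd symbols so each class can be scored on
# its own.
clamav {
  # Scan MIME parts separately - otherwise the complete mail will be transferred to the AV scanner
  scan_mime_parts = true;
  # Scanning text is suitable for some AV scanner databases (e.g. Sanesecurity)
  scan_text_mime = true;
  #scan_image_mime = false;
  # Size cap for what is handed to the scanner.
  # NOTE(review): content above this limit is presumably skipped rather than
  # rejected, so oversized mail carries no CLAM_* symbol at all - make sure
  # downstream policy does not read "no symbol" as "scanned and clean".
  max_size = 10000000;
  # Catch-all symbol; presumably used for any detection that none of the
  # patterns below match - verify against the rspamd version in use.
  symbol = "CLAM_VIRUS";
  type = "clamav";
  # Also log clean results, which makes it possible to confirm from the logs
  # that a given message really was scanned.
  log_clean = true;
  # NOTE(review): with this line commented out the module's default server
  # applies. clamd's TCP socket has no authentication, so if it is set
  # explicitly keep it on loopback or a local socket.
  #servers = "127.0.0.1:3310";
  # Each entry is symbol_name = "regex", matched against the signature name
  # reported by ClamAV. The symbols need weights/actions defined elsewhere
  # (not shown on this page) to have any effect on the verdict.
  patterns {
    # symbol_name = "pattern";
    # EICAR is the harmless AV test file; a separate symbol keeps test
    # traffic distinguishable from real detections.
    CLAM_JUST_EICAR = "^Eicar-Test-Signature$";
    CLAM_DOC_MALWARE = "^Doc\.Malware\..*";
    CLAM_HTML_PHISH = "^Html\.Phishing\..*";
    CLAM_HTML_EXPLOIT = "^Html\.Exploit\..*";
    CLAM_BROKEN_EXEC = "^Broken\.Executable.*";
    # Despite the generic symbol name this only matches the Mydoom family.
    CLAM_WIN_WORM = "^Win\.Worm\.Mydoom-.*";
    # Heuristics
    # These are policy signals rather than malware verdicts: a macro or an
    # encrypted container is not malicious by itself, and they only appear
    # if the matching heuristic alerts are enabled in clamd - TODO confirm.
    CLAM_HEUR_PHISHING = "^Heuristics\.Phishing\.Email\.SpoofedDomain";
    CLAM_HEUR_OLE2_VBA_MACRO = "^Heuristics\.OLE2\.ContainsMacros$";
    CLAM_HEUR_ENCRYPTED = "^Heuristics\.Encrypted\..*";
    # Dots are escaped so they match a literal "." like the other entries.
    CLAM_HEUR_STRUCT_CC = "^Heuristics\.Structured\.CreditCardNumber$";
    CLAM_PUA_WIN = "^PUA\.Win\..*";
    CLAM_PUA_DOC = "^PUA\.Doc\..*";
    # ERROR not virus
    # The scan hit a ClamAV limit and is incomplete: neither a detection nor
    # a clean result. NOTE(review): rspamd also offers a `patterns_fail`
    # section for scanner-failure strings; consider whether this entry
    # belongs there on the rspamd version in use.
    CLAM_LIMITS_EXCEEDED = "^Heuristics\.Limits\.Exceeded";
    # Extra Signatures
    # Third-party (unofficial) databases; false-positive rates differ per
    # feed, so weight these symbols separately from CLAM_VIRUS.
    CLAM_G_SAFEBROWSING = "^Heuristics\.Safebrowsing.*";
    CLAM_PORCUPINE_JUNK = "^Porcupine\.Junk.*";
    # Symbol is spelled JURBL while the signature prefix is Jurlbl; the name
    # is kept as-is because scores elsewhere may already reference it.
    CLAM_SANESEC_JURBL = "^Sanesecurity\.Jurlbl.*";
    CLAM_SANESEC_JUNK = "^Sanesecurity\.Junk.*";
    CLAM_SANESEC_BLURL = "^Sanesecurity\.Blurl.*";
    CLAM_SANESEC_SCAM = "^Sanesecurity\.Scam.*";
    CLAM_WINNOW_SPAM = "^winnow\.spam.*";
    CLAM_SECI_JS_PUA = "^PUA\.SecuriteInfo\.com\.JS\.Malware.*";
    CLAM_SECI_JS_AD = "^SecuriteInfo\.com\.JS\.AdInject.*";
    CLAM_SECI_JS_REDIR = "^SecuriteInfo\.com\.JS\.Redir.*";
    # Terminated with ";" like every other entry in this section.
    CLAM_SECI_SUSPICIOUS = "^SecuriteInfo\.com\.Suspicious.*";
    CLAM_SECI_HTML = "^SecuriteInfo\.com\.HTML.*";
    CLAM_SECI_PHIS = "^SecuriteInfo\.com\.Phish.*";
    CLAM_SECI_JPG = "^SecuriteInfo\.com\.JPG.*";
    CLAM_MP_EVILMACRO = "^MiscreantPunch\.EvilMacro\..*";
    # Any YARA-rule hit reported by ClamAV.
    CLAM_YARA = "^YARA\..*\.UNOFFICIAL$";
  }
}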