Created
August 11, 2020 08:38
-
-
Save einyx/b41f78588fa878d37ed9038dc728c444 to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # This file contains master configuration settings for clamav-unofficial-sigs.sh | |
| ################################################################################ | |
| # This is property of eXtremeSHOK.com | |
| # You are free to use, modify and distribute, however you may not remove this notice. | |
| # Copyright (c) Adrian Jon Kriel :: admin@extremeshok.com | |
| # License: BSD (Berkeley Software Distribution) | |
| ################################################################################ | |
| # | |
| # DO NOT EDIT THIS FILE !! DO NOT EDIT THIS FILE !! DO NOT EDIT THIS FILE !! | |
| # | |
| ################################################################################ | |
| # | |
| # SET YOUR CUSTOM OPTIONS AND SETTINGS IN THE user.conf | |
| # | |
| # os.conf (os.***.conf) AND user.conf OVERRIDES THE OPTIONS IN THIS FILE | |
| # | |
| ################################################################################ | |
| # Edit the quoted variables below to meet your own particular needs | |
| # and requirements, but do not remove the "quote" marks. | |
| # Set the appropriate ClamD user and group accounts for your system. | |
| # If you do not want the script to set user and group permissions on | |
| # files and directories, comment the next two variables. | |
| #clam_user="clamav" | |
| #clam_group="clamav" | |
| # If you do not want the script to change the file mode of all signature | |
| # database files in the ClamAV working directory to 0644 (-rw-r--r--): | |
| # | |
| # owner: read, write | |
| # group: read | |
| # world: read | |
| # | |
| # as defined in the "clam_dbs" path variable below, then set the following | |
| # "setmode" variable to "no". | |
| setmode="yes" | |
| # Set path to ClamAV database files location. If unsure, check | |
| # your clamd.conf file for the "DatabaseDirectory" path setting. | |
| clam_dbs="/var/lib/clamav" | |
| # Set path to clamd.pid file (see clamd.conf for path location). | |
| clamd_pid="/var/run/clamav/clamd.pid" | |
| # To enable "ham" (non-spam) directory scanning and removal of | |
| # signatures that trigger on ham messages, uncomment the following | |
| # variable and set it to the appropriate ham message directory. | |
| #ham_dir="/var/lib/clamav-unofficial-sigs/ham-test" | |
| # If you would like to reload the clamd databases after an update, | |
| # change the following variable to "yes". | |
| reload_dbs="yes" | |
| # Custom Command to do a full clamd reload, this is only used when reload_dbs is enabled | |
| clamd_reload_opt="clamdscan --reload" | |
| # Top level working directory, script will attempt to create them. | |
| work_dir="/var/lib/clamav-unofficial-sigs" #Top level working directory | |
| # Log update information to '$log_file_path/$log_file_name'. | |
| logging_enabled="yes" | |
| log_file_path="/var/log/clamav-unofficial-sigs" | |
| log_file_name="clamav-unofficial-sigs.log" | |
| ## Use a program to log messages | |
| #log_pipe_cmd="/usr/bin/logger -it 'clamav-unofficial-sigs'" | |
| # ========================= | |
| # MalwarePatrol : https://www.malwarepatrol.net | |
| # MalwarePatrol 2016 (free) clamav signatures | |
| # | |
| # 1. Sign up for an account : https://www.malwarepatrol.net/free-guard-upgrade-option/ | |
| # 2. You will recieve an email containing your password/receipt number | |
| # 3. Login to your account at malwarePatrol | |
| # 4. In My Accountpage, choose the ClamAV list you will download. Free subscribers only get ClamAV Basic, commercial subscribers have access to ClamAV Extended. Do not use the agressive lists. | |
| # 5. In the download URL, you will see 3 parameters: receipt, product and list, enter them in the variables below. | |
| malwarepatrol_receipt_code="YOUR-RECEIPT-NUMBER" | |
| malwarepatrol_product_code="8" | |
| malwarepatrol_list="clamav_basic" # clamav_basic or clamav_ext | |
| # if the malwarepatrol_product_code is not 8, | |
| # the malwarepatrol_free is set to no (non-free) | |
| # set to no to enable the commercial subscription url, | |
| malwarepatrol_free="yes" | |
| # ========================= | |
| # SecuriteInfo : https://www.SecuriteInfo.com | |
| # SecuriteInfo 2015 free clamav signatures | |
| # | |
| # Usage of SecuriteInfo 2015 free clamav signatures : https://www.securiteinfo.com | |
| # - 1. Sign up for a free account : https://www.securiteinfo.com/clients/customers/signup | |
| # - 2. You will recieve an email to activate your account and then a followup email with your login name | |
| # - 3. Login and navigate to your customer account : https://www.securiteinfo.com/clients/customers/account | |
| # - 4. Click on the Setup tab | |
| # - 5. You will need to get your unique identifier from one of the download links, they are individual for every user | |
| # - 5.1. The 128 character string is after the http://www.securiteinfo.com/get/signatures/ | |
| # - 5.2. Example https://www.securiteinfo.com/get/signatures/your_unique_and_very_long_random_string_of_characters/securiteinfo.hdb | |
| # Your 128 character authorisation signature would be : your_unique_and_very_long_random_string_of_characters | |
| # - 6. Enter the authorisation signature into the config securiteinfo_authorisation_signature: replacing YOUR-SIGNATURE-NUMBER with your authorisation signature from the link | |
| securiteinfo_authorisation_signature="YOUR-SIGNATURE-NUMBER" | |
| securiteinfo_premium="no" | |
| # ======================== | |
| # Database provider update time | |
| # ======================== | |
| # Since the database files are dynamically created, non default values can cause banning, change with caution | |
| additional_update_hours="4" # Default is 4 hours (6 downloads daily). | |
| linuxmalwaredetect_update_hours="6" # Default is 6 hours (4 downloads daily). | |
| malwarepatrol_update_hours="24" # Default is 24 hours (1 downloads daily). | |
| sanesecurity_update_hours="2" # Default is 2 hours (12 downloads daily). | |
| securiteinfo_update_hours="4" # Default is 4 hours (6 downloads daily). | |
| urlhaus_update_hours="0" # Default is 0 hours (Update constantly). | |
| yararulesproject_update_hours="24" # Default is 24 hours (1 downloads daily). | |
| # ======================== | |
| # Enabled Databases | |
| # ======================== | |
| # Set to no to disable an entire database, if the database is empty it will also be disabled. | |
| additional_enabled="yes" # Additional Databases | |
| linuxmalwaredetect_enabled="yes" # Linux Malware Detect | |
| malwarepatrol_enabled="yes" # Malware Patrol | |
| sanesecurity_enabled="yes" # Sanesecurity | |
| securiteinfo_enabled="yes" # SecuriteInfo | |
| urlhaus_enabled="yes" # urlhaus | |
| yararulesproject_enabled="no" # Yara-Rule Project, automatically disabled if clamav is older than 0.100 and enable_yararules is disabled | |
| # Disabled by default | |
| ## Enabling this will also cause the yararulesproject to be enabled if they are det to enabled. | |
| enable_yararules="yes" #Enables yararules in the various databases, automatically disabled if clamav is older than 0.100 | |
| # ======================== | |
| # eXtremeSHOK Database format | |
| # ======================== | |
| # The new and old database formats are supported for backwards compatibility | |
| # | |
| # New Format Usage: | |
| # declare -a new_example_dbs=( | |
| # file.name|RATING #description | |
| # ) | |
| # | |
| # Rating (False Positive Rating) | |
| # valid ratings: | |
| # REQUIRED : always used | |
| # LOW : used when the rating is low, medium and high | |
| # MEDIUM : used when the rating is medium and high | |
| # HIGH : used when the rating is high | |
| # LOWONLY : used only when the rating is low | |
| # MEDIUMONLY : used only when the rating is medium | |
| # LOWMEDIUMONLY : used only when the rating is medium or low | |
| # DISABLED : never used, or you can also comment the line out if you want | |
| # | |
| # Old Format is still supported, requiring you to comment out files to disable them | |
| # old_example_dbs=" | |
| # file.name #LOW description | |
| # " | |
| # Default dbs rating | |
| # valid rating: LOW, MEDIUM, HIGH | |
| default_dbs_rating="MEDIUM" | |
| # Per Database | |
| # These ratings will override the global rating for the specific database | |
| # valid rating: LOW, MEDIUM, HIGH, DISABLED | |
| #linuxmalwaredetect_dbs_rating="" | |
| #sanesecurity_dbs_rating="" | |
| #securiteinfo_dbs_rating="" | |
| #urlhaus_dbs_rating="" | |
| #yararulesproject_dbs_rating="" | |
| # ======================== | |
| # Sanesecurity Database(s) | |
| # ======================== | |
| # Add or remove database file names between quote marks as needed. To | |
| # disable usage of any of the Sanesecurity distributed database files | |
| # shown, remove the database file name from the quoted section below. | |
| # Only databases defined as "low" risk have been enabled by default | |
| # for additional information about the database ratings, see: | |
| # http://www.sanesecurity.com/clamav/databases.htm | |
| # Only add signature databases here that are "distributed" by Sanesecuirty | |
| # as defined at the URL shown above. Database distributed by others sources | |
| # (e.g., SecuriteInfo & MalewarePatrol, can be added to other sections of | |
| # this config file below). Finally, make sure that the database names are | |
| # spelled correctly or you will experience issues when the script runs | |
| # (hint: all rsync servers will fail to download signature updates). | |
| declare -a sanesecurity_dbs=( # BEGIN SANESECURITY DATABASE | |
| ### SANESECURITY http://sanesecurity.com/usage/signatures/ | |
| ## REQUIRED, Do NOT disable | |
| sanesecurity.ftm|REQUIRED # Message file types, for best performance | |
| sigwhitelist.ign2|REQUIRED # Fast update file to whitelist any problem signatures | |
| # LOW | |
| blurl.ndb|LOW # Blacklisted full urls over the last 7 days, covering malware/spam/phishing. URLs added only when main signatures have failed to detect but are known to be "bad" | |
| junk.ndb|LOW # General high hitting junk, containing spam/phishing/lottery/jobs/419s etc | |
| jurlbl.ndb|LOW # Junk Url based | |
| malwarehash.hsb|LOW # Malware hashes without known Size | |
| phish.ndb|LOW # Phishing and Malware | |
| rogue.hdb|LOW # Malware, Rogue anti-virus software and Fake codecs etc. Updated hourly to cover the latest malware threats | |
| scam.ndb|LOW # Spam/scams | |
| spamattach.hdb|LOW # Spam Spammed attachments such as pdf/doc/rtf/zips | |
| spamimg.hdb|LOW # Spam images | |
| # MEDIUM | |
| badmacro.ndb|MEDIUM # Blocks dangerous macros embedded in Word/Excel/Xml/RTF/JS documents | |
| jurlbla.ndb|MEDIUM # Junk Url based autogenerated from various feeds | |
| lott.ndb|MEDIUM # Lottery | |
| shelter.ldb|MEDIUM # Phishing and Malware | |
| spam.ldb|MEDIUM # Spam detected using the new Logical Signature type | |
| spear.ndb|MEDIUM # Spear phishing email addresses (autogenerated from data here) | |
| spearl.ndb|MEDIUM # Spear phishing urls (autogenerated from data here) | |
| ### MALWARE.EXPERT https://malware.expert/ | |
| # LOW | |
| malware.expert.hdb|MEDIUM # statics MD5 pattern for files | |
| # MEDIUM | |
| malware.expert.fp|MEDIUM # found to be false positive malware | |
| malware.expert.ldb|MEDIUM # which use multi-words search for malware in files | |
| malware.expert.ndb|MEDIUM # Generic Hex pattern PHP malware, which can cause false positive alarms | |
| ### FOXHOLE http://sanesecurity.com/foxhole-databases/ | |
| # LOW | |
| foxhole_filename.cdb|LOW # See Foxhole page for more details | |
| foxhole_generic.cdb|LOW # See Foxhole page for more details | |
| # MEDIUM | |
| foxhole_js.cdb|MEDIUM # See Foxhole page for more details | |
| foxhole_js.ndb|MEDIUM # See Foxhole page for more details | |
| # HIGH | |
| foxhole_all.cdb|HIGH # See Foxhole page for more details | |
| foxhole_all.ndb|HIGH # See Foxhole page for more details | |
| foxhole_mail.cdb|HIGH # block any mail that contains a possible dangerous attachments such as: js, jse, exe, bat, com, scr, uue, ace, pif, jar, gz, lnk, lzh. | |
| ### OITC http://www.oitc.com/winnow/clamsigs/index.html | |
| ### Note: the two databases winnow_phish_complete.ndb and winnow_phish_complete_url.ndb should NOT be used together. | |
| # LOW | |
| winnow_bad_cw.hdb|LOW # md5 hashes of malware attachments acquired directly from a group of botnets | |
| winnow_extended_malware.hdb|LOW # contain hand generated signatures for malware | |
| winnow_malware_links.ndb|LOW # Links to malware | |
| winnow_malware.hdb|LOW # Current virus, trojan and other malware not yet detected by ClamAV. | |
| winnow_phish_complete_url.ndb|LOWMEDIUMONLY # Similar to winnow_phish_complete.ndb except that entire urls are used | |
| winnow.attachments.hdb|LOW # Spammed attachments such as pdf/doc/rtf/zip as well as malware crypted configs | |
| # MEDIUM | |
| winnow_extended_malware_links.ndb|MEDIUM # contain hand generated signatures for malware links | |
| winnow_spam_complete.ndb|MEDIUM # Signatures to detect fraud and other malicious spam | |
| winnow.complex.patterns.ldb|MEDIUM # contain hand generated signatures for malware and some egregious fraud | |
| # HIGH | |
| winnow_phish_complete.ndb|HIGH # Phishing and other malicious urls and compromised hosts **DO NOT USE WITH winnow_phish_complete_url** | |
| ### OITC YARA Format rules | |
| ### Note: Yara signatures require ClamAV 0.100 or newer to work | |
| ##winnow_malware.yara|LOW # detect spam | |
| ### MiscreantPunch http://malwarefor.me/about/ | |
| ## MEDIUM | |
| MiscreantPunch099-Low.ldb|MEDIUM # ruleset contains comprehensive rules for detecting malicious or abnormal Macros, JS, HTA, HTML, XAP, JAR, SWF, and more. | |
| ## HIGH | |
| MiscreantPunch099-INFO-Low.ldb|HIGH # ruleset provides context to various files. Info and Suspicious level signatures may inform analysts of potentially interesting conditions that exist within a document. | |
| ### SCAMNAILER http://www.scamnailer.info/ | |
| # MEDIUM | |
| scamnailer.ndb|MEDIUM # Spear phishing and other phishing emails | |
| ### BOFHLAND http://clamav.bofhland.org/ | |
| # LOW | |
| bofhland_cracked_URL.ndb|LOW # Spam URLs | |
| bofhland_malware_attach.hdb|LOW # Malware Hashes | |
| bofhland_malware_URL.ndb|LOW # Malware URLs | |
| bofhland_phishing_URL.ndb|LOW # Phishing URLs | |
| ### RockSecurity http://rooksecurity.com/ | |
| # LOW | |
| hackingteam.hsb|LOW # Hacking Team hashes based on work by rooksecurity.com | |
| ### Porcupine | |
| # LOW | |
| phishtank.ndb|LOW # Online and valid phishing urls from phishtank.com data feed | |
| porcupine.hsb|LOW # Sha256 Hashes of VBS and JSE malware, kept for 7 days | |
| porcupine.ndb|LOW # Brazilian e-mail phishing and malware signatures | |
| ### Sanesecurity YARA Format rules | |
| ### Note: Yara signatures require ClamAV 0.100 or newer to work | |
| Sanesecurity_sigtest.yara|LOW # Sanesecurity test signatures | |
| Sanesecurity_spam.yara|LOW # Detects Spam emails | |
| ) # END SANESECURITY DATABASES | |
| # ======================== | |
| # SecuriteInfo Database(s) | |
| # ======================== | |
| # Only active when you set your securiteinfo_authorisation_signature | |
| # Add or remove database file names between quote marks as needed. To | |
| # disable any SecuriteInfo database downloads, remove the appropriate | |
| # lines below. | |
| declare -a securiteinfo_dbs=( #START SECURITEINFO DATABASES | |
| ### Securiteinfo https://www.securiteinfo.com/services/anti-spam-anti-virus/improve-detection-rate-of-zero-day-malwares-for-clamav.shtml | |
| ## REQUIRED, Do NOT disable | |
| securiteinfo.ign2|REQUIRED # Signature Whitelist | |
| # LOW | |
| javascript.ndb|LOW # Malwares Javascript | |
| securiteinfo.hdb|LOW # Malwares younger than 3 years. | |
| securiteinfoandroid.hdb|LOW # Malwares Java/Android Dalvik | |
| securiteinfoascii.hdb|LOW # Text file malwares (Perl or shell scripts, bat files, exploits, ...) | |
| securiteinfohtml.hdb|LOW # Malwares HTML | |
| securiteinfoold.hdb|LOW # Malwares older than 3 years. | |
| securiteinfopdf.hdb|LOW # Malwares PDF | |
| # HIGH | |
| spam_marketing.ndb|HIGH # Spam Marketing / spammer blacklist | |
| ) #END SECURITEINFO DATABASES | |
| # NON-FREE DATABASES | |
| declare -a securiteinfo_dbs_premium=( #START SECURITEINFO DATABASES | |
| securiteinfo.mdb|LOW # 0-day Malwares | |
| securiteinfo0hour.hdb|LOW # 0-Hour Malwares | |
| ) | |
| # ======================== | |
| # LinuxMalwareDetect Database(s) | |
| # ======================== | |
| # Add or remove database file names between quote marks as needed. To | |
| # disable any LinuxMalwareDetect database downloads, remove the appropriate | |
| # lines below. | |
| declare -a linuxmalwaredetect_dbs=( | |
| ### Linux Malware Detect https://www.rfxn.com/projects/linux-malware-detect/ | |
| # LOW | |
| rfxn.ndb|LOW # HEX Malware detection signatures | |
| rfxn.hdb|LOW # MD5 Malware detection signatures | |
| rfxn.yara|LOW # Yara Malware detection signatures | |
| ) #END LINUXMALWAREDETECT DATABASES | |
| # ======================== | |
| # urlhaus Database(s) | |
| # ======================== | |
| # Add or remove database file names between quote marks as needed. To | |
| # disable any urlhaus database downloads, remove the appropriate | |
| # lines below. | |
| declare -a urlhaus_dbs=( | |
| ### urlhaus https://urlhaus.abuse.ch/browse/ | |
| # LOW | |
| urlhaus.ndb|LOW # malicious URLs that are being used for malware distribution | |
| ) #END URLHAUS DATABASES | |
| # ======================== | |
| # Yara Rules Project Database(s) | |
| # ======================== | |
| # Add or remove database file names between quote marks as needed. To | |
| # disable any Yara Rule database downloads, remove the appropriate | |
| # lines below. | |
| declare -a yararulesproject_dbs=( | |
| ### Yara Rules https://github.com/Yara-Rules/rules | |
| # | |
| # Some rules are now in sub-directories. To reference a file in a sub-directory | |
| # use subdir/file | |
| # LOW | |
| # Anti debug and anti virtualization techniques used by malware | |
| antidebug_antivm/antidebug_antivm.yar|LOW | |
| # Aimed toward the detection and existence of Exploit Kits. | |
| #exploit_kits/EK_Angler.yar|LOW # duplicated in rxfn.yara | |
| #exploit_kits/EK_Blackhole.yar|LOW # duplicated in rxfn.yara | |
| exploit_kits/EK_BleedingLife.yar|LOW # duplicated in rxfn.yara | |
| #exploit_kits/EK_Crimepack.yar|LOW # duplicated in rxfn.yara | |
| #exploit_kits/EK_Eleonore.yar|LOW # duplicated in rxfn.yara | |
| #exploit_kits/EK_Fragus.yar|LOW # duplicated in rxfn.yara | |
| #exploit_kits/EK_Phoenix.yar|LOW # duplicated in rxfn.yara | |
| #exploit_kits/EK_Sakura.yar|LOW # duplicated in rxfn.yara | |
| #exploit_kits/EK_ZeroAcces.yar|LOW # duplicated in rxfn.yara | |
| #exploit_kits/EK_Zerox88.yar|LOW # duplicated in rxfn.yara | |
| #exploit_kits/EK_Zeus.yar|LOW # duplicated in rxfn.yara | |
| # Identification of well-known webshells | |
| #webshells/WShell_APT_Laudanum.yar|LOW # duplicated in rxfn.yara | |
| webshells/WShell_ASPXSpy.yar|LOW | |
| webshells/WShell_Drupalgeddon2_icos.yar|LOW | |
| #webshells/WShell_PHP_Anuna.yar|LOW # duplicated in rxfn.yara | |
| #webshells/WShell_PHP_in_images.yar|LOW # duplicated in rxfn.yara | |
| #webshells/WShell_THOR_Webshells.yar|LOW # duplicated in rxfn.yara | |
| #webshells/Wshell_ChineseSpam.yar|LOW # duplicated in rxfn.yara | |
| #webshells/Wshell_fire2013.yar|LOW # duplicated in rxfn.yara | |
| # MEDIUM | |
| # Identification of specific Common Vulnerabilities and Exposures (CVEs) | |
| cve_rules/CVE-2010-0805.yar|MEDIUM | |
| cve_rules/CVE-2010-0887.yar|MEDIUM | |
| cve_rules/CVE-2010-1297.yar|MEDIUM | |
| cve_rules/CVE-2012-0158.yar|MEDIUM | |
| cve_rules/CVE-2013-0074.yar|MEDIUM | |
| cve_rules/CVE-2013-0422.yar|MEDIUM | |
| cve_rules/CVE-2015-1701.yar|MEDIUM | |
| cve_rules/CVE-2015-2426.yar|MEDIUM | |
| cve_rules/CVE-2015-2545.yar|MEDIUM | |
| cve_rules/CVE-2015-5119.yar|MEDIUM | |
| cve_rules/CVE-2016-5195.yar|MEDIUM | |
| cve_rules/CVE-2017-11882.yar|MEDIUM | |
| cve_rules/CVE-2018-20250.yar|MEDIUM | |
| cve_rules/CVE-2018-4878.yar|MEDIUM | |
| # Identification of malicious e-mails. | |
| email/bank_rule.yar|MEDIUM | |
| email/EMAIL_Cryptowall.yar|MEDIUM | |
| email/Email_fake_it_maintenance_bulletin|MEDIUM | |
| email/Email_generic_phishing|MEDIUM | |
| email/Email_quota_limit_warning|MEDIUM | |
| email/email_Ukraine_BE_powerattack.yar|MEDIUM | |
| email/scam.yar|MEDIUM | |
| # Detect well-known software packers, that can be used by malware to hide itself. | |
| packers/JJencode.yar|MEDIUM | |
| packers/packer_compiler_signatures.yar|MEDIUM | |
| packers/packer.yar|MEDIUM | |
| packers/peid.yar|MEDIUM | |
| # HIGH | |
| # Used with documents to find if they have been crafted to leverage malicious code. | |
| maldocs/Maldoc_APT_OLE_JSRat.yar|HIGH | |
| maldocs/Maldoc_APT10_MenuPass.yar|HIGH | |
| maldocs/Maldoc_APT19_CVE-2017-1099.yar|HIGH | |
| maldocs/Maldoc_Contains_VBE_File.yar|HIGH | |
| maldocs/Maldoc_CVE_2017_11882.yar|HIGH | |
| maldocs/Maldoc_CVE_2017_8759.yar|HIGH | |
| maldocs/Maldoc_CVE-2017-0199.yar|HIGH | |
| maldocs/Maldoc_DDE.yar|HIGH | |
| maldocs/Maldoc_Dridex.yar|HIGH | |
| maldocs/Maldoc_hancitor_dropper|HIGH | |
| maldocs/Maldoc_Hidden_PE_file.yar|HIGH | |
| maldocs/Maldoc_malrtf_ole2link.yar|HIGH | |
| maldocs/Maldoc_MIME_ActiveMime_b64.yar|HIGH | |
| maldocs/Maldoc_PDF.yar|HIGH | |
| maldocs/Maldoc_PowerPointMouse.yar|HIGH | |
| maldocs/maldoc_somerules.yar|HIGH | |
| maldocs/Maldoc_Suspicious_OLE_target.yar|HIGH | |
| maldocs/Maldoc_UserForm.yar|HIGH | |
| maldocs/Maldoc_VBA_macro_code.yar|HIGH | |
| maldocs/Maldoc_Word_2007_XML_Flat_OPC.yar|HIGH | |
| # Yara Rules aimed to detect well-known software packers, that can be used by malware to hide itself. | |
| packers/Javascript_exploit_and_obfuscation.yar|HIGH | |
| ) #END yararulesproject DATABASES | |
| declare -a yararulesproject_dbs_blacklisted=( | |
| email/attachment.yar # detects all emails with attachments | |
| email/image.yar # detects all emails with images | |
| email/urls.yar # detects all emails with urls | |
| crypto/crypto_signatures.yar # detects all files which are encrypted | |
| ) | |
| declare -a yararulesproject_dbs_catagories=( | |
| #LOW | |
| antidebug_antivm|LOW | |
| cve_rules|LOW | |
| exploit_kits|LOW | |
| malware|LOW | |
| webshells|LOW | |
| #MEDIUM | |
| email|MEDIUM | |
| maldocs|MEDIUM | |
| # HIGH | |
| capabilities|HIGH | |
| crypto|HIGH | |
| packers|HIGH | |
| ) | |
| # ========================= | |
| # Additional signature databases | |
| # ========================= | |
| # Additional signature databases can be specified here in the following | |
| # format: PROTOCOL://URL-or-IP/PATH/TO/FILE-NAME (use a trailing "/" in | |
| # place of the "FILE-NAME" to download all files from specified location, | |
| # but this *ONLY* works for files downloaded via rsync). For non-rsync | |
| # downloads, wget and curl is used. For download protocols supported by | |
| # wget and curl, see "man wget" and "man curl". | |
| # This also works well for locations that have many ClamAV | |
| # servers that use 3rd party signature databases, as only one server need | |
| # download the remote databases, and all others can update from the local | |
| # mirrors copy. See format examples below. To use, remove the comments | |
| # and examples shown and add your own sites between the quote marks. | |
| #declare -a additional_dbs=( | |
| # rsync://192.168.1.50/new-db/sigs.hdb | |
| # rsync://rsync.example.com/all-dbs/ | |
| # ftp://ftp.example.net/pub/sigs.ndb | |
| # http://www.example.org/sigs.ldb | |
| #) #END ADDITIONAL DATABASES | |
| # ================================================== | |
| # ================================================== | |
| # D E B U G O P T I O N S | |
| # ================================================== | |
| # ================================================== | |
| # Enable debugging, will cause all options below to enable | |
| debug="no" | |
| # Causes the xshok_file_download function to be verbose, used for debugging | |
| downloader_debug="no" | |
| # Causes clamscan signature test errors to be vebose | |
| clamscan_debug="no" | |
| # Causes curl errors to be vebose | |
| curl_debug="no" | |
| # Causes wget errors to be vebose | |
| wget_debug="no" | |
| # Causes rsync errors to be vebose | |
| rsync_debug="no" | |
| # ================================================== | |
| # ================================================== | |
| # A D V A N C E D O P T I O N S | |
| # ================================================== | |
| # ================================================== | |
| # Branch for update checking, default: master | |
| git_branch="master" | |
| # Enable support for script and master.conf upgrades | |
| # enbles the --upgrade command line option | |
| # packagers, if required please disable or set this option to no in the os.conf | |
| allow_upgrades="yes" | |
| # Enable support for script and master.conf update checks | |
| # packagers, if required please disable or set this option to no in the os.conf | |
| allow_update_checks="yes" | |
| # How often the script should check for updates | |
| update_check_hours="12"# Default is 12 hours (2 checks daily). | |
| # Enable or disable download time randomization. This allows the script to | |
| # be executed via cron, but the actual database file checking will pause | |
| # for a random number of seconds between the "min" and "max" time settings | |
| # specified below. This helps to more evenly distribute load on the host | |
| # download sites. To disable, set the following variable to "no". | |
| enable_random="no" | |
| # Enable to prevent issues with multiple instances running | |
| # To disable, set the following variable to "no". | |
| enable_locking="yes" | |
| # If download time randomization is enabled above (enable_random="yes"), | |
| # then set the min and max radomization time intervals (in seconds). | |
| max_sleep_time="600" # Default maximum is 600 seconds (10 minutes). | |
| min_sleep_time="60" # Default minimum is 60 seconds (1 minute). | |
| # Command to do a full clamd service stop/start | |
| #clamd_restart_opt="service clamd restart" | |
| # Custom Command Paths, these are detected with the which command when not set | |
| #clamscan_bin="/usr/bin/clamscan" | |
| #curl_bin="/usr/bin/curl" | |
| #gpg_bin="/usr/bin/gpg" | |
| #rsync_bin="/usr/bin/rsync" | |
| #tar_bin="/usr/bin/tar" | |
| #uname_bin="/usr/bin/uname" | |
| #wget_bin="/usr/bin/wget" | |
| # force wget, by default curl is used when curl and wget is present. | |
| force_wget="no" | |
| # GnuPG / Signature verification | |
| # To disable usage of gpg, set the following variable to "no". | |
| # If gpg_bin cannot be found, enable_gpg will automatically disable | |
| enable_gpg="yes" | |
| # If running clamd in "LocalSocket" mode (*NOT* in TCP/IP mode), and | |
| # either "SOcket Cat" (socat) or the "IO::Socket::UNIX" perl module | |
| # are installed on the system, and you want to report whether clamd | |
| # is running or not, uncomment the "clamd_socket" variable below (you | |
| # will be warned if neither socat nor IO::Socket::UNIX are found, but | |
| # the script will still run). You will also need to set the correct | |
| # path to your clamd socket file (if unsure of the path, check the | |
| # "LocalSocket" setting in your clamd.conf file for socket location). | |
| #clamd_socket="/tmp/clamd.socket" | |
| # Set rsync connection and data transfer timeout limits in seconds. | |
| # The defaults settings here are reasonable, only change if you are | |
| # experiencing timeout issues. | |
| rsync_connect_timeout="60" | |
| rsync_max_time="180" | |
| # Ignore ssl errors and warnings, ie. operate in insecure mode. | |
| downloader_ignore_ssl="yes" # Default is "yes" ignore ssl errors and warnings | |
| # Set downloader connection, data transfer timeout limits in seconds. | |
| # The defaults settings here are reasonable, only change if you are | |
| # experiencing timeout issues. | |
| downloader_connect_timeout="60" | |
| downloader_max_time="1800" | |
| # Set downloader retry count for failed transfers | |
| downloader_tries="5" | |
| # Set working directory paths (edit to meet your own needs). If these | |
| # directories do not exist, the script will attempt to create them. | |
| # Always located inside the work_dir, do not add / | |
| # Sub-directory names: | |
| add_dir="dbs-add" # User defined databases sub-directory | |
| gpg_dir="gpg-key" # Sanesecurity GPG Key sub-directory | |
| linuxmalwaredetect_dir="dbs-lmd" # Linux Malware Detect sub-directory | |
| malwarepatrol_dir="dbs-mbl" # MalwarePatrol sub-directory | |
| pid_dir="pid" # User defined pid sub-directory | |
| sanesecurity_dir="dbs-ss" # Sanesecurity sub-directory | |
| securiteinfo_dir="dbs-si" # SecuriteInfo sub-directory | |
| urlhausy_dir="dbs-uh" # urlhaus sub-directory | |
| work_dir_configs="configs" # Script configs sub-directory | |
| yararulesproject_dir="dbs-yara" # Yara-Rules sub-directory | |
| # If you would like to make a backup copy of the current running database | |
| # file before updating, leave the following variable set to "yes" and a | |
| # backup copy of the file will be created in the production directory | |
| # with -bak appended to the file name. | |
| keep_db_backup="no" | |
| # When a database integrity has tested BAD, the failed database will be removed. | |
| remove_bad_database="yes" | |
| # When a database is disabled we will remove the associated database files. | |
| remove_disabled_databases="no" # Default is "no" since we are not a database managament tool by default. | |
| # Enable SELinux fixes, ie. running restorecon on the database files. | |
| # **Run the following command as root to enable clamav selinux support** | |
| # setsebool -P antivirus_can_scan_system true | |
| # | |
| selinux_fixes="no" # Default is "no" ignore ssl errors and warnings | |
| # Proxy Support | |
| # If necessary to proxy database downloads, define the rsync, curl, wget, dig, hosr proxy settings here. | |
| #rsync_proxy="username:password@proxy_host:proxy_port" | |
| #curl_proxy="--proxy http://username:password@proxy_host:proxy_port" | |
| #wget_proxy="-e http_proxy=http://username:password@proxy_host:proxy_port -e https_proxy=https://username:password@proxy_host:proxy_port" | |
| #dig_proxy="@proxy_host -p proxy_host:proxy_port" | |
| #host_proxy="@proxy_host" #does not support port | |
| # Custom Cron install settings, these are detected and only used if you want to override | |
| # the automatic detection and generation of the values when not set, this is mainly to aid package maintainers | |
| #cron_dir="" #default: /etc/cron.d | |
| #cron_filename="" #default: clamav-unofficial-sigs | |
| #cron_minute="" #default: random value between 0-59 | |
| #cron_user="" #default: uses the clam_user | |
| #cron_sudo="no" #default no, yes will append sudo -u before the username | |
| #cron_bash="" #default: detected with the which command | |
| #cron_script_full_path="" #default: detected to the fullpath of the script | |
| # Custom logrotate install settings, these are detected and only used if you want to override | |
| # the automatic detection and generation of the values when not set, this is mainly to aid package maintainers | |
| #logrotate_dir="" #default: /etc/logrotate.d | |
| #logrotate_filename="" #default: clamav-unofficial-sigs | |
| #logrotate_user="" #default: uses the clam_user | |
| #logrotate_group="" #default: uses the clam_group | |
| #logrotate_log_file_full_path="" #default: detected to the $log_file_path/$log_file_name | |
| # Custom man install settings, these are detected and only used if you want to override | |
| # the automatic detection and generation of the values when not set, this is mainly to aid package maintainers | |
| #man_dir="" #default: /usr/share/man/man8 | |
| #man_filename="" #default: clamav-unofficial-sigs.8 | |
| # Provided two variables that package and port maintainers can use in order to | |
| # prevent the script from removing itself with the '-r' flag | |
| # If the script was installed via a package manager like yum, apt, pkg, etc. | |
| # The script will instead provide feedback to the user about how to uninstall the package. | |
| #pkg_mgr="" #the package manager name | |
| #pkg_rm="" #the package manager command to remove the script | |
| # Custom full working directory paths, these are detected and only used if you want to override | |
| # the automatic detection and generation of the values when not set, this is mainly to aid package maintainers | |
| #work_dir_add="" #default: uses work_dir/add_dir | |
| #work_dir_gpg="" #default: uses work_dir/gpg_dir | |
| #work_dir_linuxmalwaredetect="" #default: uses work_dir/linuxmalwaredetect_dir | |
| #work_dir_malwarepatrol="" #default: uses work_dir/malwarepatrol_dir | |
| #work_dir_pid="" #default: uses work_dir/pid_dir | |
| #work_dir_sanesecurity="" #default: uses work_dir/sanesecurity_dir | |
| #work_dir_securiteinfo="" #default: uses work_dir/securiteinfo_dir | |
| #work_dir_urlhaus="" #default: uses work_dir/urlhaus_dir | |
| #work_dir_work_configs="" #default: uses work_dir/work_dir_configs | |
| #work_dir_yararulesproject="" #default: uses work_dir/yararulesproject_dir | |
| # ======================== | |
| # After you have completed the configuration of this file, set the value to "yes" | |
| user_configuration_complete="no" | |
| # ======================== | |
| # DO NOT EDIT ! | |
| # Database provider URLs | |
| linuxmalwaredetect_sigpack_url="https://cdn.rfxn.com/downloads/maldet-sigpack.tgz" | |
| linuxmalwaredetect_version_url="https://cdn.rfxn.com/downloads/maldet.sigs.ver" | |
| malwarepatrol_url="https://lists.malwarepatrol.net/cgi/getfile" | |
| sanesecurity_gpg_url="http://www.sanesecurity.net/publickey.gpg" | |
| sanesecurity_url="rsync.sanesecurity.net" | |
| securiteinfo_url="https://www.securiteinfo.com/get/signatures" | |
| urlhaus_url="https://urlhaus.abuse.ch/downloads" | |
| yararulesproject_url="https://raw.githubusercontent.com/Yara-Rules/rules/master" | |
| # ======================== | |
| # DO NOT EDIT ! | |
| config_version="91" | |
| ################################################################################ | |
| # | |
| # DO NOT EDIT THIS FILE !! DO NOT EDIT THIS FILE !! DO NOT EDIT THIS FILE !! | |
| # | |
| ################################################################################ | |
| # https://eXtremeSHOK.com ###################################################### |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment