Atomic CLAMAV Signatures
Revision as of 16:05, 20 January 2014
Atomic Secured Linux includes the commercially supported clamav and the Atomicorp Real Time CLAMAV signatures. These docs are for users that do not have ASL.
ASL sets all of this up for you automatically and provides a powerful, easy to use GUI to manage it. If you don't have ASL, upgrade to ASL today!
About the signatures
The signatures are only available to Real Time license holders.
Installation of the signatures assumes a certain level of comfort with configuring and installing clamav. If you are not comfortable with configuring and installing clamav yourself, you should contact someone that is, or use our Atomic Secured Linux product which does this automatically for you, and does not require you to configure or install anything.
Atomic CLAMAV Signatures Frequently Asked Questions
Please see the Atomic CLAMAV Signatures FAQ wiki page.
Real Time Rule Support
If you have a subscription to the real time Atomicorp CLAMAV signatures, you can request email support by sending an email to:
support@atomicorp.com
The Customer Support Forums are located here:
And the Customer Support Portal is located here (you can submit bug reports and open cases through the portal):
Use the same credentials you used to set up your account to log into the support portal.
Licenses
The Real Time Atomic CLAMAV Signatures are licensed per server. For each license you can also run the rules on one Development and one QA server.
If you require additional licenses please log into the AtomiCorp License Manager. You can add additional systems there, you can control your payment methods and you can also sign up to become an affiliate.
What does each signature ruleset do?
The Atomicorp CLAMAV Signatures are broken into families. We recommend you load all the rule families: they work well together, and it's safe to use all the rules on a box. We run every signature on all our boxes, and have been doing so since we first started publishing them almost ten years ago.
ASL-blacklist.ldb
Logical signatures (.ldb) for currently known malicious domains detected by our honeypots.
ASL.hdb
Known malware signatures (hash-based, .hdb).
ASL-h.ndb
Heuristic body-based signatures (.ndb) that look for known malware techniques.
ASL-honeypot.hdb
Automatically generated hash signatures of malware captured by our honeypots.
ASL-honeypot-hex.ndb
Automatically generated heuristic (body-based) signatures from our honeypots.
ASL.ldb
Advanced rules using the clamav logical signature engine.
ASL-advanced.ldb
Advanced logical signatures for malicious sources and domains.
policy.zmd
Zip metadata (.zmd) policy rules that block certain types of suspicious archives. For example, this contains rules to block .zip files that contain a .exe.
Third party signatures
The signatures also include a tested and tuned subset of signatures from the following third parties with their permission:
http://www.securiteinfo.com/services/clamav_unofficial_malwares_signatures.shtml
https://www.rfxn.com/projects/linux-malware-detect/
Installation
Easy One Step Installation
Install ASL. This installs everything: clamav, the real time malware protection system, upload scanners, the signatures, the GUI, the rule/signature manager and all of ASL's other components. It also includes the subscription to the real time signatures and will automatically keep the signatures up to date.
You can also try Atomic Secured Linux (ASL), for free! Just sign up for a 30 day free trial here.
Optional Manual Installation
A manual installation is "Do it Yourself". It's not possible to cover every possible clamav installation, so this installation guide assumes you already have clamav installed and working. If you require assistance with setting up, configuring and installing clamav, please purchase an ASL license. Rules-only licenses do not include support for installing, configuring, and setting up clamav.
If you are running ASL - you do not need to do any of this. See the One Step Installation Above. IF YOU DO *NOT* HAVE AN ASL LICENSE, FOLLOW THE INSTRUCTIONS BELOW.
Step 1: Download Signatures
If you have not already setup a subscription to the Real Time rules (only $14.95 a month, or $99.95 a year), you can do so here:
Once your account is setup, you can download the Real Time rules from here:
You can determine what the current rules are by downloading the VERSION file. The CLAMAV_VERSION variable in it contains the current version number of the signatures. Each update to the signatures is published in this format:
CLAMAV_VERSION=201011111138
And the latest signatures file will be in the format:
clamav-201011111138.tar.gz
Where 201011111138 is the current date/time stamp for the release.
Step 2: Install the signatures
Note: This depends on the location of the signatures on your system. If you are not sure where that is on your system, please contact your OS or control panel vendor for assistance, or simply install ASL.
Most OSes put the clamav signatures in either:
/var/clamav
or
/var/lib/clamav
Extract the rules into that directory. Example:
cd /var/clamav
tar zxvf clamav-201011111138.tar.gz
[root@host logs]# cd /var/clamav/
[root@host clamav]# ls -al ASL*
-rw-r--r-- 1 root root 314281 Jun 18 14:57 ASL-blacklist.ldb
-rw-r--r-- 1 root root  23488 Jun 18 14:57 ASL.hdb
-rw-r--r-- 1 root root  40875 Jun 18 14:57 ASL-h.ndb
-rw-r--r-- 1 root root 599695 Jun 18 14:57 ASL-honeypot.hdb
-rw-r--r-- 1 root root 464022 Jun 18 14:57 ASL-honeypot-hex.ndb
-rw-r--r-- 1 root root   1465 Jun 18 14:57 ASL.ldb
Step 3: Ensure the signatures can be read
For most systems this means "world readable", because clamd normally runs as an unprivileged user rather than root. Run this command as root in the signature directory:
chmod og+r ASL*
Note that policy.zmd is not matched by that glob; if the tarball included it, apply the same chmod to it as well.
Step 4: Reload clamd
Note: This depends on how clamav was installed on your system. If you are not sure how clamd is started and stopped on your system, please contact your OS or control panel vendor for assistance, or simply install ASL.
/etc/init.d/clamd reload
You will need to do this each time you add new signatures to clamd. After the reload, check the clamd log: it should report that the database was correctly reloaded, with a signature count that has gone up. If it instead logs a LibClamAV error naming one of the new files, the new databases were not loaded.
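The four steps above as one script, added here as an example; it is not Atomicorp's tooling and not code from the original page. Because the page leaves the download URL out, the script takes it from $ASL_RULES_URL and the account credentials from $ASL_USER / $ASL_PASS, and assumes the download area is a plain HTTPS directory holding VERSION and clamav-<ver>.tar.gz behind HTTP basic auth; all of that is an assumption. The VERSION file and tarball used to exercise it are constructed test fixtures.

```shell
#!/bin/sh
# Added example, not Atomicorp's own tooling: a POSIX sh helper that carries
# out Steps 1-4 above for a rules-only (non-ASL) install.
# ASSUMPTIONS (the page does not state them): the download area is a plain
# HTTPS directory holding VERSION and clamav-<ver>.tar.gz, reachable with
# curl and HTTP basic auth; its URL comes from $ASL_RULES_URL and the
# account credentials from $ASL_USER / $ASL_PASS.
set -u

# Step 1a: read CLAMAV_VERSION from a downloaded VERSION file. Anything other
# than a plain digit string is rejected, because the value ends up in a
# filename and a URL.
asl_version_from_file() {
    v=$(sed -n 's/^CLAMAV_VERSION=//p' "$1" | tr -d '\r' | head -n 1)
    case "$v" in
        ""|*[!0-9]*) echo "bad or missing CLAMAV_VERSION in $1" >&2; return 1 ;;
    esac
    printf '%s\n' "$v"
}

# Step 1b: tarball name in the format the page documents.
asl_tarball_name() {
    printf 'clamav-%s.tar.gz\n' "$1"
}

# Step 1c: fetch VERSION, then the matching tarball; prints the tarball path.
# Needs network and credentials, so it is not exercised offline.
asl_download() {                 # asl_download <base-url> <destdir>
    base=$1; dest=$2
    curl -fsS -u "${ASL_USER:?}:${ASL_PASS:?}" -o "$dest/VERSION" "$base/VERSION" || return 1
    ver=$(asl_version_from_file "$dest/VERSION") || return 1
    tb=$(asl_tarball_name "$ver")
    curl -fsS -u "${ASL_USER:?}:${ASL_PASS:?}" -o "$dest/$tb" "$base/$tb" || return 1
    printf '%s\n' "$dest/$tb"
}

# Steps 2 and 3: extract into the ClamAV database directory and make every
# extracted file readable. The page's "chmod og+r ASL*" misses policy.zmd,
# so the members are taken from the archive listing instead of a glob.
asl_install_signatures() {       # asl_install_signatures <tarball> <dbdir>
    tarball=$1; dbdir=$2
    [ -d "$dbdir" ] || { echo "no such database directory: $dbdir" >&2; return 1; }
    # Refuse members that would land outside dbdir (absolute or .. paths).
    if tar -tzf "$tarball" | grep -E '^/|(^|/)\.\.(/|$)' >/dev/null; then
        echo "$tarball contains unsafe member paths, refusing" >&2; return 1
    fi
    tar -xzf "$tarball" -C "$dbdir" || return 1
    tar -tzf "$tarball" | while IFS= read -r f; do
        chmod og+r "$dbdir/$f" || exit 1
    done || return 1
}

# Step 3 check: names any ASL* file that clamd's unprivileged user could not read.
asl_check_readable() {           # asl_check_readable <dbdir>
    bad=$(find "$1" -name 'ASL*' ! -perm -004)
    [ -z "$bad" ] || { printf 'not world-readable: %s\n' "$bad" >&2; return 1; }
}

# Step 4: clamdscan --reload talks to clamd over its socket, so it works
# whatever the init system; fall back to the SysV script the page shows.
asl_reload_clamd() {
    if command -v clamdscan >/dev/null 2>&1; then clamdscan --reload
    elif [ -x /etc/init.d/clamd ]; then /etc/init.d/clamd reload
    else echo "no clamd reload method found" >&2; return 1
    fi
}

# Stand-alone use: asl-sigs.sh <dbdir> [local-tarball]
if [ "$#" -ge 1 ]; then
    dbdir=$1
    if [ "$#" -ge 2 ]; then tarball=$2
    else tarball=$(asl_download "${ASL_RULES_URL:?}" "$(mktemp -d)") || exit 1
    fi
    asl_install_signatures "$tarball" "$dbdir" && asl_check_readable "$dbdir" && asl_reload_clamd
fi
```

Two checks are worth adding before the reload when you run this for real: `ls -l` the database directory and confirm policy.zmd got the same permissions as the ASL* files, and run `clamscan --database=/var/clamav /dev/null`, which loads every file in the directory and exits with status 2 and a LibClamAV error if one of the new signature files is malformed. That is a cheaper way to find out than having clamd refuse to reload.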