Difference between revisions of "Atomic CLAMAV Signatures"

From Atomicorp Wiki

Revision as of 16:05, 20 January 2014

Atomic Secured Linux includes the commercially supported clamav and the Atomicorp real time CLAMAV signatures. These docs are for users that do not have ASL.

ASL will set all of this up for you automatically and provides a powerful and easy to use GUI to manage all of this for you. If you don't have ASL, upgrade to ASL today!

About the signatures

The signatures are only available to Real Time license holders.

Installation of the signatures assumes a certain level of comfort with configuring and installing clamav. If you are not comfortable with configuring and installing clamav yourself, you should contact someone that is, or use our Atomic Secured Linux product which does this automatically for you, and does not require you to configure or install anything.

Atomic CLAMAV Signatures Frequently Asked Questions

Please see the Atomic CLAMAV Signatures FAQ wiki page.

Real Time Rule Support

If you have a subscription to the real time Atomicorp CLAMAV signatures, you can request email support by sending an email to:

support@atomicorp.com

The Customer Support Forums are located here:

Customer Support Forums

And the Custom Support Portal is located here (you can submit bug reports and open cases through the portal):

Customer Support Portal

Use the same credentials you used to set up your account to log into the support portal.

Licenses

The Real Time Atomic CLAMAV Signatures are licensed by the server. For each license you can also run the rules on one Development and one QA server.

If you require additional licenses please log into the Atomicorp License Manager. You can add additional systems there, control your payment methods and also sign up to become an affiliate.

What does each signature ruleset do?

The Atomicorp CLAMAV Signatures are broken into families. We recommend you load all the rule families: they work well together, and it's safe to use all the rules on a box. We run every signature on all our boxes and have been since we first started publishing them almost ten years ago.

ASL-blacklist.ldb

This ruleset contains currently known malicious domains detected by our honeypots.

ASL.hdb

Known malware signatures.

ASL-h.ndb

Heuristic signatures that look for known malware techniques.

ASL-honeypot.hdb

Automatically generated malware signatures from our honeypots.

ASL-honeypot-hex.ndb

Automatically generated heuristic signatures from our honeypots.

ASL.ldb

Advanced Rules using the clamav logic engine.

ASL-advanced.ldb

This includes advanced signatures for malicious sources and domains.

policy.zmd

Contains policy rules to block certain types of suspicious archives. For example, this contains rules to block .zip files that contain a .exe.

Third party signatures

The signatures also include a tested and tuned subset of signatures from the following third parties with their permission:

http://www.securiteinfo.com/services/clamav_unofficial_malwares_signatures.shtml

https://www.rfxn.com/projects/linux-malware-detect/

Installation

Easy One Step Installation

Install ASL. This installs everything: clamav, the real time malware protection system, upload scanners, the signatures, the GUI, the rule/signature manager and all of ASL's components. It also includes the subscription to the real time signatures and will automatically keep the signatures up to date.

You can also try Atomic Secured Linux (ASL), for free! Just sign up for a 30 day free trial here.

Optional Manual Installation

A manual installation is "Do it Yourself". It's not possible to cover every possible clamav installation, so this installation guide assumes you already have clamav installed and working. If you require assistance with setting up, configuring and installing clamav please purchase an ASL license. Rules only licenses do not include support for installing, configuring, and setting up clamav.

If you are running ASL, you do not need to do any of this. See the One Step Installation above. IF YOU DO *NOT* HAVE AN ASL LICENSE, FOLLOW THE INSTRUCTIONS BELOW.

Step 1: Download Signatures

If you have not already set up a subscription to the Real Time rules (only $14.95 a month, or $99.95 a year), you can do so here:

Real Time Feed Signup

Once your account is set up, you can download the Real Time rules from here:

Real Time Rules Download

You can determine what the current rules are by downloading the VERSION file. Its CLAMAV_VERSION variable contains the current version number for the signatures. Each update to the signatures is published in this format:

CLAMAV_VERSION=201011111138

And the latest signatures file will be in the format:

clamav-201011111138.tar.gz

Where 201011111138 is the current date/time stamp for the release.

Step 2: Install the signatures

Note: This depends on the location of the signatures on your system. If you are not sure where that is on your system, please contact your OS or control panel vendor for assistance, or simply install ASL.

Most OSes put the clamav signatures in either:

/var/clamav

or

/var/lib/clamav

Extract the rules into that directory. Example:

cd /var/clamav

tar zxvf clamav-201011111138.tar.gz

[root@host logs]# cd /var/clamav/
[root@host clamav]# ls -al ASL*
-rw-r--r-- 1 root root 314281 Jun 18 14:57 ASL-blacklist.ldb
-rw-r--r-- 1 root root  23488 Jun 18 14:57 ASL.hdb
-rw-r--r-- 1 root root  40875 Jun 18 14:57 ASL-h.ndb
-rw-r--r-- 1 root root 599695 Jun 18 14:57 ASL-honeypot.hdb
-rw-r--r-- 1 root root 464022 Jun 18 14:57 ASL-honeypot-hex.ndb
-rw-r--r-- 1 root root   1465 Jun 18 14:57 ASL.ldb

Step 3: Ensure the signatures can be read

For most systems, this means "world readable". This command, run as root from the signature directory, will set this:

chmod og+r ASL*

Step 4: Reload clamd

Note: This depends on how clamav was installed on your system. If you are not sure how clamd is started on your system, please contact your OS or control panel vendor for assistance, or simply install ASL.

/etc/init.d/clamd reload

You will need to do this each time you add new signatures to clamd.
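The four manual steps above, scripted as an added example (this is not Atomicorp's own tooling). It assumes tar and curl are available, that clamd is started via /etc/init.d/clamd as on this page, and it uses SIG_BASE_URL as a placeholder for the Real Time Rules Download location from your account; the VERSION file format and the clamav-<stamp>.tar.gz naming follow the page.

```shell
#!/bin/sh
# Added example, not Atomicorp's script. SIG_BASE_URL is a placeholder for the
# Real Time Rules Download location in your account.
set -eu

# Step 1: print the stamp from a VERSION file (CLAMAV_VERSION=YYYYMMDDHHMM).
# A missing, truncated or non-numeric value is an error, so a bad VERSION file
# can never turn into a bogus download name.
parse_clamav_version() {
    ver=$(sed -n 's/^CLAMAV_VERSION=\([0-9]*\)$/\1/p' "$1" | head -n 1)
    case "$ver" in
        [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9])
            printf '%s\n' "$ver" ;;
        *)  echo "bad or missing CLAMAV_VERSION in $1" >&2; return 1 ;;
    esac
}

# Tarball name that goes with a stamp, e.g. clamav-201011111138.tar.gz.
signature_tarball_name() {
    printf 'clamav-%s.tar.gz\n' "$1"
}

# Fetch VERSION, then the matching tarball, into the current directory.
download_signatures() {
    base=${SIG_BASE_URL:?set SIG_BASE_URL to your Real Time Rules Download URL}
    curl -fsS -o VERSION "$base/VERSION"
    curl -fsS -O "$base/$(signature_tarball_name "$(parse_clamav_version VERSION)")"
}

# Steps 2 and 3: extract into the clamav database directory (/var/clamav or
# /var/lib/clamav on most systems) and make the ASL* files world readable.
# Members with a leading '/' or a '..' component are refused so a hostile
# archive cannot drop files outside the database directory.
install_signatures() {
    tarball=$1; dbdir=$2
    if tar tzf "$tarball" | grep -E '^/|(^|/)\.\.(/|$)' >/dev/null; then
        echo "refusing $tarball: unsafe path in archive" >&2; return 1
    fi
    tar xzf "$tarball" -C "$dbdir"
    chmod og+r "$dbdir"/ASL*
}

# Step 4: reload clamd so it picks up the new databases.
reload_clamd() {
    if [ -x /etc/init.d/clamd ]; then /etc/init.d/clamd reload
    else echo "/etc/init.d/clamd not found; reload clamd the way your OS provides" >&2; return 1; fi
}
```

Run `download_signatures` in a scratch directory, then `install_signatures clamav-<stamp>.tar.gz /var/clamav` (or /var/lib/clamav) and `reload_clamd`, all as root.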