Atomic CLAMAV Signatures FAQ

From Atomicorp Wiki

Latest revision as of 16:38, 12 September 2016

General Questions

Support Questions

How can I purchase your realtime CLAMAV signatures?

To purchase a license for the Atomicorp CLAMAV Signatures, either:

Purchase a license for Atomic Secured Linux (ASL). ASL includes the signatures, sets up clamav for you, automatically keeps the signatures up to date and much more. ASL includes real time antimalware protection, upload protection, a built in vulnerability scanner and automatic hardening system, kernel/web/host based intrusion detection, log management, a powerful and easy to use web GUI, and more options than we can list here. You can try ASL for free by clicking here.

Or, purchase a rules only license for just the signatures by visiting Atomicorp's Realtime Modsecurity Rules page. Just click on the Buy Now icon, or click on this link.

Note: Rules only licenses include access to our CLAMAV signatures, and do not include support with setting up, installing or configuring CLAMAV.

Does a rules subscription include support for setting up clamav?

No. Rules only subscriptions do not include support for setting up or configuring clamav. If you need that level of support you will want to get a copy of ASL, which includes full support for setting up and configuring clamav and will do this for you.

Help! I need help!

See the Atomic CLAMAV Signatures Support page for instructions on contacting support, opening a case and other tools you can use to get assistance.

I have a false positive/negative, how do I report it?

Follow the Reporting False Positives procedure. That provides detailed instructions about how to report a false positive if you can not use the ASL GUI, or if you choose to report it from the command line.

FP/FNs are usually resolved and an update is released the same day they are reported, and during normal business hours usually within a few hours.

I've got a new piece of malware, how do I report it?

Please see this article:

https://www.atomicorp.com/wiki/index.php/Reporting_False_Positives#To_report_a_new_piece_of_malware

FP/FNs are usually resolved and an update is released the same day they are reported, and during normal business hours usually within a few hours.

What is your approximate support response time?

For Email based support, within 4 hours of the request during normal business hours which are Monday-Friday from 7am - 7pm EST except on US Federal Holidays. Requests received after hours will be responded to the next business day.

For extended support customers, the response time is dictated in the support contract and includes after hours support, and may include 24/7 support depending on the support contract.

What are your normal support hours?

Support is available in two forms:

Standard Support

Standard support is included with all our products.

Standard Support is available from 07:00 AM to 07:00 PM, US Eastern Time, excluding company holidays.

Support requests received after hours or on holidays will be addressed during the next business day.

Extended support contract holders are still covered during the holidays.

Our holiday schedule is published here: Atomicorp Holiday Schedule.

Extended Support

Extended support is available with an extended support contract.

Extended support is available 24 hours a day, 7 days a week. Extended support contract holders are also covered during company holidays.

If you need extended support please contact us! Just send an email to sales@atomicorp.com.

Do you offer support outside of your normal support coverage?

Yes, for customers with extended support contracts 24/7 support is available. Please contact sales@atomicorp.com for more information.

Do you offer phone support?

Yes, for customers with existing extended support contracts. Please contact sales@atomicorp.com for more information about extended support contracts.

Phone support is not available without an existing extended support contract.

How can I give atomicorp support access to my system?

Answer:

Please run this command as root to give us access to the system (please do not send us passwords, this tool will set us up access using our SSH keys):

wget -q -O - https://www.atomicorp.com/installers/key |sh

To remove access just remove the "atomic" user when you are finished.

If you use ASL's admin user feature, or sshd's AllowUsers feature, make sure you add the "atomic" user to the allowed users.

If you need to open firewall access, we will be logging in from these addresses:

atlas.progllc.com

hero.progllc.com

And finally, remember to send us the IP address(es) of the system(s) you want us to log into, and if you run SSH on a non-standard port please include that information as well.

What should I do if I believe my system has been compromised?

Answer:

First, stop and ask yourself what you want to do. Do you want to prosecute, or do you want to just find the problem and fix it? This is a critical question, because if you want to prosecute you must preserve evidence, and the actions you take to fix the intrusion may destroy that evidence or make it inadmissible. If you want to prosecute, contact us to discuss your situation, as you may need professional help to build a case. Also, if you choose to prosecute, you should know that in some jurisdictions the personnel working on your case may need special licenses to do this, otherwise they may be committing a felony (Michigan, for example, requires a Private Investigator license to perform computer forensics that will be used in court; failure to have this license is a felony.)

If you want to find out what happened and just clean up, please continue with this checklist.

First, start with the simple case: the compromise may have occurred by the attacker simply stealing a user's password and logging into the system. We have put together a wiki article that provides guidance for those cases:

Compromised System: FTP

If you know that an attacker did not simply log into the system with stolen credentials please read this Wiki article:

Compromised System

In most cases we have seen, attackers are stealing users' passwords and keys via keyloggers and trojans and just logging in. In those cases there is no technical vulnerability in your system; the issue lies with your users and their computers. So, check your logs first to see if someone simply logged into your account or your users' accounts. You'd be surprised at how often we see that happen.

If you find yourself in this situation we recommend you explore two factor authentication options such as SecurID, OTP generators on your cell phone (not on your computer: if the computer has been compromised, so has the OTP!) and other hardware tokens.

You can also use an operating system that is more secure for your desktop such as Linux, Solaris, BSD or MacOS.

Password Reset Questions

How can I reset my License Manager password?

To reset the password you use to log into the license manager, please visit this page:

License Manager

How can I reset my support portal account password?

To reset the password you use to log into the support portal, please visit this page:

Support Portal Reset

General Questions about the rules

What do the Atomic CLAMAV Signatures protect against?

Lots of things. This is just some of what our CLAMAV Signatures are designed to protect against:

  • PHP, CGI and other Shells
  • Spam Tools
  • Rootkits
  • Viruses
  • Worms
  • Phishing Sites and Tools
  • IRC Bots
  • Attack Tools and unauthorized scanners

And more! We put out updates to our signatures daily with new protections and enhancements.

What versions of clamav do the signatures work with?

The rules are written for the latest stable version of clamav. Currently that is 0.97.5.

What is included with an Atomic CLAMAV Signatures subscription?

  • Access to the real time mod_security and clamav rules we publish. If you require additional features, please consider upgrading to our premier Linux security product Atomic Secured Linux.
  • Email and Web Based support during normal support hours.
  • Support fixing false positives
  • Development of new signatures based on request.

Does a real time subscription include both the modsecurity and clamav rules?

Yes, realtime subscribers get instant access to the latest modsecurity and clamav signatures. We release updates daily based on new attacks we detect from our honeypots, new methods our labs develop, as well as fixes and improvements.

Do I need to install clamav to use your rules?

You must install clamav to use our rules.

Compatibility

Operating Systems

We support our signatures on any platform that supports clamav, which includes (but is not limited to):

  • Linux (Including Suse, Ubuntu, CloudLinux, TrixBox, Fedora, Redhat, Gentoo, Debian, Slackware, Mandriva, and others)
  • Microsoft Windows
  • MacOS X
  • FreeBSD
  • OpenBSD
  • Dragonfly BSD
  • NetBSD

If you find that clamav works on a platform not listed here, please contact us so we can add it to this list.

Please note that when an operating system or distribution is no longer supported by the vendor we also no longer support the use of our signatures on that platform.

Control Panels

Our clamav signatures work with any control panel. The signatures are independent of the control panel, which means that they work with cPanel, Plesk, Directadmin, Hsphere, Virtualmin, interworx, etc. They work with any panel right out of the box, without modification.

Configuration and Installation Questions

How do I install the signatures?

Please see the Atomic CLAMAV Signatures page.

How do I configure clamav to use your signatures?

Configuration support for clamav is not included with Rules Only licenses. If you require this level of assistance please purchase an ASL license.

Can I setup a cronjob to automatically update the rules?

Absolutely. We recommend you do that as we put out updates to the rules daily that include new protections and fixes.

Whitelisting Files

If you find that you need to whitelist a file, simply put the md5 signature of the file in this file on your system:

/var/clamav/local.fp

The format of this file is one signature per line. For example:

MD5:FileSize:Comment

You can use sigtool to create these lines automatically; the syntax is:

sigtool --md5 /full/path/to/file

For example:

sigtool --md5 /test/eicar >> /var/clamav/local.fp

The entry will then look like this:

69630e4574ec6798239b091cda43dca0:69:eicar

If you are using clamd, you will also need to tell clamd to load this exclusion for this to take effect. If you are using ASL simply run this command as root:

/etc/init.d/clamd reload

Disabling signatures

If you find that you need to disable a signature, simply put the signature name in this file on your system:

/var/clamav/local.ign

The format of this file is one signature name per line. For example:

Signature1
Signature2

If you are using clamd, you will also need to tell clamd to load this exclusion for this to take effect. If you are using ASL simply run this command as root:

/etc/init.d/clamd reload

Note: Some versions of clamav add the word "UNOFFICIAL" to the end of third party signatures. If your version of clamav does this, and the signature name contains the words "UNOFFICIAL" do not include that in the signature name. For example, if you want to disable this signature:

Atomicorp.Suspicious.Eval.PHP.20121213134008.UNOFFICIAL

You would add this to the local.ign file:

Atomicorp.Suspicious.Eval.PHP.20121213134008

Some versions, however, actually require the UNOFFICIAL tag. If you find that the entry without it does not work, add .UNOFFICIAL to the end of the signature name.
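The two exclusion files described above (local.fp for whitelisting and local.ign for disabling signatures), worked through as an added example; this is not the wiki's or Atomicorp's code. It assumes md5sum and wc produce the same MD5:FileSize:Comment line that sigtool --md5 writes, validates that format before anything is appended, strips the .UNOFFICIAL suffix for local.ign entries, and appends idempotently. The file and directory it operates on are constructed in a temporary directory; a real run would target /var/clamav/local.fp and /var/clamav/local.ign and then reload clamd.

```shell
#!/bin/sh
# Added example, not from the Atomicorp wiki. Builds and checks clamd
# exclusion entries without touching /var/clamav.

# Print a local.fp entry for FILE in the form md5:size:basename.
# Assumed to match what "sigtool --md5 FILE" prints.
fp_entry() {
    file=$1
    sum=$(md5sum "$file" | cut -d' ' -f1)
    size=$(wc -c < "$file" | tr -d ' ')
    printf '%s:%s:%s\n' "$sum" "$size" "$(basename "$file")"
}

# Return 0 if LINE is MD5:FileSize:Comment, else 1. Rejects a pasted
# "md5sum" line (hash, spaces, path), which clamd would not parse.
fp_valid() {
    printf '%s\n' "$1" | grep -Eq '^[0-9a-f]{32}:[0-9]+:[^:]+$'
}

# Normalise a signature name for local.ign by dropping the ".UNOFFICIAL"
# suffix some clamav versions append to third party signatures.
ign_name() {
    printf '%s\n' "$1" | sed 's/\.UNOFFICIAL$//'
}

# Append ENTRY to FILE only if that exact line is not already present.
add_once() {
    entry=$1
    file=$2
    touch "$file"
    grep -qxF "$entry" "$file" || printf '%s\n' "$entry" >> "$file"
}

# Demonstration on a constructed file in a temp dir (hypothetical paths).
demo() {
    dir=$(mktemp -d)
    printf 'hello\n' > "$dir/hello.txt"
    entry=$(fp_entry "$dir/hello.txt")
    fp_valid "$entry" && add_once "$entry" "$dir/local.fp"
    add_once "$entry" "$dir/local.fp"      # second call changes nothing
    add_once "$(ign_name Atomicorp.Suspicious.Eval.PHP.20121213134008.UNOFFICIAL)" \
        "$dir/local.ign"
    cat "$dir/local.fp" "$dir/local.ign"
    rm -rf "$dir"
}

demo
```

After editing the real files, the clamd reload from the text above is still required for the new entries to take effect.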
