[Rspamd-Users] rspamd with clamav and clamav-unofficial-sigs from Sanesecurity
Andreas Wass - Glas Gasperlmair
a.wass at glas-gasperlmair.at
Thu Nov 25 11:57:20 UTC 2021
Thanks for your extensive explanations.
rspamd with clamav works fine, but I want better detection of viruses,
so I decided to use the Sanesecurity clamav-unofficial-sigs additionally, and
I installed them exactly as explained in
https://github.com/extremeshok/clamav-unofficial-sigs/blob/master/guides/ubuntu-debian.md
As I wrote before, all the new signatures are in /var/lib/clamav:
badmacro.ndb
blurl.ndb
bofhland_cracked_URL.ndb
bofhland_malware_attach.hdb
bofhland_malware_URL.ndb
bofhland_phishing_URL.ndb
bytecode.cvd
CVE-2010-0805.yar
CVE-2010-0887.yar
CVE-2010-1297.yar
CVE-2012-0158.yar
CVE-2013-0074.yar
CVE-2013-0422.yar
CVE-2015-1701.yar
CVE-2015-2426.yar
CVE-2015-2545.yar
CVE-2015-5119.yar
CVE-2016-5195.yar
CVE-2017-11882.yar
CVE-2018-20250.yar
CVE-2018-4878.yar
daily.cld
EK_BleedingLife.yar
EMAIL_Cryptowall.yar
Email_fake_it_maintenance_bulletin.yar
Email_quota_limit_warning.yar
email_Ukraine_BE_powerattack.yar
foxhole_filename.cdb
foxhole_generic.cdb
foxhole_js.cdb
foxhole_js.ndb
freshclam.dat
hackingteam.hsb
interserver256.hdb
interservertopline.db
junk.ndb
jurlbla.ndb
jurlbl.ndb
lott.ndb
main.cvd
malwarehash.hsb
MiscreantPunch099-Low.ldb
phish.ndb
phishtank.ndb
porcupine.hsb
porcupine.ndb
rogue.hdb
sanesecurity.ftm
Sanesecurity_sigtest.yara
Sanesecurity_spam.yara
scam.ndb
scam.yar
shelter.ldb
sigwhitelist.ign2
spamattach.hdb
spamimg.hdb
spam.ldb
spearl.ndb
spear.ndb
urlhaus.ndb
whitelist.fp
winnow.attachments.hdb
winnow_bad_cw.hdb
winnow.complex.patterns.ldb
winnow_extended_malware.hdb
winnow_extended_malware_links.ndb
winnow_malware.hdb
winnow_malware_links.ndb
winnow_phish_complete_url.ndb
winnow_spam_complete.ndb
WShell_ASPXSpy.yar
WShell_Drupalgeddon2_icos.yar
root@testmail1server:~#
Is somebody out there using rspamd in combination with clamav and
clamav-unofficial-sigs?
Could you show me how to test whether these signatures are used?
Could you show me how to test these signatures?
As I wrote before, when it comes to testing with the signatures from
https://sanesecurity.com/support/signature-testing/
none of the 3 test mails from their site are blocked.
On 25.11.2021 at 12:32, G.W. Haywood via Users wrote:
> Hi there,
>
> On Thu, 25 Nov 2021, Andreas Wass - Glas Gasperlmair wrote:
>
>> ...
>> clamscan --debug 2>&1 > /dev/null | grep "loaded"
>> ...
>
> Can you explain exactly what you're trying to do there?
>
>> But when it comes to testing with your signatures from:
>> https://sanesecurity.com/support/signature-testing/
>>
>> No of this 3 Testmails are blocked
>
> In the ClamAV toolkit there are two executables which have very
> similar names but which behave very differently. The names are
> 'clamscan' and 'clamdscan'. It often causes confusion. If you want
> to use the clamd daemon (as I guessed you will for scanning mail) then
> the tool to use with it is clamdscan, not clamscan. You'll find a lot
> more information in the online documentation and the 'man' pages. If
> you have first made sure that the clamd daemon is running, then you
> can use the clamdscan tool to scan things with the clamd daemon. That
> will at least tell you if clamd itself is doing what you think it is.
> Or, indeed, anything at all. You can set up logging to record amongst
> other things what clamd does when you feed it with data.
>
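A practical way to answer "are the Sanesecurity signatures actually used by clamd?" is to feed the test mails to the daemon over its own protocol and look at the name of the signature that fires. The following is an added example for this thread, not code from rspamd, ClamAV or Sanesecurity. It assumes clamd listens on the Debian/Ubuntu default Unix socket /var/run/clamav/clamd.ctl (adjust to the LocalSocket setting in clamd.conf), and it relies on ClamAV appending ".UNOFFICIAL" to the name of every signature loaded from a database that is not a signed .cvd/.cld file, which is exactly what distinguishes a Sanesecurity hit from a main.cvd/daily.cld hit. The INSTREAM command used here is the same one rspamd's antivirus module uses, so a verdict from this script is the verdict rspamd would receive. The signature name in the comments is a constructed placeholder.

```python
"""Ask clamd for a verdict on a file via INSTREAM and report which database fired.

Added example; not code from rspamd, ClamAV or Sanesecurity.
Assumptions: clamd listens on the Debian/Ubuntu default Unix socket below, and
signatures loaded from third-party databases in /var/lib/clamav carry the
".UNOFFICIAL" suffix, which ClamAV appends for any database that is not a
signed .cvd/.cld file.
"""
import socket
import sys
from typing import Iterator, Optional, Tuple

# Assumed default; set to the LocalSocket value from clamd.conf on your host.
CLAMD_SOCKET = "/var/run/clamav/clamd.ctl"


def instream_frames(data: bytes, chunk_size: int = 2048) -> Iterator[bytes]:
    """Frame DATA the way INSTREAM expects: the command, then chunks of
    <4-byte big-endian length><bytes>, terminated by a zero-length chunk.
    rspamd's antivirus module sends clamd the same command."""
    yield b"zINSTREAM\0"
    for off in range(0, len(data), chunk_size):
        part = data[off:off + chunk_size]
        yield len(part).to_bytes(4, "big") + part
    yield (0).to_bytes(4, "big")


def parse_verdict(reply: bytes) -> Tuple[str, Optional[str]]:
    """Turn a clamd reply ("stream: <name> FOUND", "stream: OK",
    "stream: <message> ERROR") into (status, detail). Anything else raises,
    so a truncated reply is never mistaken for a clean result."""
    text = reply.rstrip(b"\0\n").decode("utf-8", "replace")
    _, _, rest = text.partition(": ")
    if rest == "OK":
        return "OK", None
    if rest.endswith(" FOUND"):
        return "FOUND", rest[: -len(" FOUND")]
    if rest.endswith(" ERROR"):
        return "ERROR", rest[: -len(" ERROR")]
    raise ValueError(f"unexpected clamd reply: {text!r}")


def is_unofficial(signature: str) -> bool:
    """True when the hit came from a third-party database (Sanesecurity etc.),
    e.g. the constructed name "Sanesecurity.Junk.50000.UNOFFICIAL"; false for
    hits from main.cvd/daily.cld."""
    return signature.endswith(".UNOFFICIAL")


def scan_bytes(data: bytes, socket_path: str = CLAMD_SOCKET,
               timeout: float = 30.0) -> Tuple[str, Optional[str]]:
    """Stream DATA to a running clamd and return the parsed verdict."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as sock:
        sock.settimeout(timeout)
        sock.connect(socket_path)
        for frame in instream_frames(data):
            sock.sendall(frame)
        reply = b""
        # A "z"-prefixed command gets a NUL-terminated reply.
        while not reply.endswith(b"\0"):
            part = sock.recv(4096)
            if not part:
                break
            reply += part
    return parse_verdict(reply)


def main(argv) -> int:
    if not argv:
        print("usage: clamd_check.py FILE [FILE ...]", file=sys.stderr)
        return 2
    rc = 0
    for path in argv:
        with open(path, "rb") as fh:
            status, detail = scan_bytes(fh.read())
        if status == "FOUND":
            source = ("third-party database" if is_unofficial(detail)
                      else "official ClamAV database")
            print(f"{path}: {detail} ({source})")
        else:
            # OK or ERROR: the sample did not trigger, so the test failed.
            print(f"{path}: {status}{' ' + detail if detail else ''}")
            rc = 1
    return rc


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Save the three Sanesecurity test mails and run `python3 clamd_check.py test1.eml test2.eml test3.eml`. A name ending in ".UNOFFICIAL" proves clamd has loaded the third-party databases and matched one of them; "OK" means the problem is on the clamd side (DatabaseDirectory, file permissions, or a missing reload after the signatures were installed), and no amount of rspamd configuration will fix it. If the script reports FOUND but rspamd still lets the same mail through, the problem is in rspamd's antivirus module settings rather than in the signatures.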