[Rspamd-Users] rspamd with clamav and clamav-unofficial-sigs from Sanesecurity

Andreas Wass - Glas Gasperlmair a.wass at glas-gasperlmair.at
Thu Nov 25 11:57:20 UTC 2021

Thanks for your extensive explanations.
rspamd with clamav works fine, but I want better detection of viruses, 
so I decided to use the sanesecurity clamav-unofficial-sigs additionally and 
I installed it exactly as explained in

As I wrote before, all the new signatures are in /var/lib/clamav:
badmacro.ndb                 CVE-2010-1297.yar  CVE-2017-11882.yar                      foxhole_filename.cdb   jurlbla.ndb                porcupine.ndb              spamattach.hdb
blurl.ndb                    CVE-2012-0158.yar  CVE-2018-20250.yar                      foxhole_generic.cdb    jurlbl.ndb                 rogue.hdb                  spamimg.hdb
bofhland_cracked_URL.ndb     CVE-2013-0074.yar  CVE-2018-4878.yar                       foxhole_js.cdb         lott.ndb                   sanesecurity.ftm           spam.ldb
bofhland_malware_attach.hdb  CVE-2013-0422.yar  daily.cld                               foxhole_js.ndb         main.cvd                   Sanesecurity_sigtest.yara  spearl.ndb              winnow_malware.hdb
bofhland_malware_URL.ndb     CVE-2015-1701.yar  EK_BleedingLife.yar                     freshclam.dat          malwarehash.hsb            Sanesecurity_spam.yara     spear.ndb               winnow_malware_links.ndb
bofhland_phishing_URL.ndb    CVE-2015-2426.yar  EMAIL_Cryptowall.yar                    hackingteam.hsb        MiscreantPunch099-Low.ldb  scam.ndb                   urlhaus.ndb
bytecode.cvd                 CVE-2015-2545.yar  Email_fake_it_maintenance_bulletin.yar  interserver256.hdb     phish.ndb                  scam.yar                   whitelist.fp
CVE-2010-0805.yar            CVE-2015-5119.yar  Email_quota_limit_warning.yar           interservertopline.db  phishtank.ndb              shelter.ldb                winnow.attachments.hdb
CVE-2010-0887.yar            CVE-2016-5195.yar  email_Ukraine_BE_powerattack.yar        junk.ndb               porcupine.hsb              sigwhitelist.ign2          winnow_bad_cw.hdb
root at testmail1server:~#

Is somebody out there using rspamd in combination with clamav and 

showing me how to test if these signatures are used?

showing me how to test these signatures?
As I wrote before, when it comes to testing with signatures from:

None of these 3 test mails from their site are blocked.

Am 25.11.2021 um 12:32 schrieb G.W. Haywood via Users:
> Hi there,
> On Thu, 25 Nov 2021, Andreas Wass - Glas Gasperlmair wrote:
>> ...
>> clamscan --debug 2>&1 > /dev/null | grep "loaded"
>> ...
> Can you explain exactly what you're trying to do there?
>> But when it comes to testing with your signatures from:
>> https://sanesecurity.com/support/signature-testing/
>> None of these 3 test mails are blocked
> In the ClamAV toolkit there are two executables which have very
> similar names but which behave very differently.  The names are
> 'clamscan' and 'clamdscan'.  It often causes confusion.  If you want
> to use the clamd daemon (as I guessed you will for scanning mail) then
> the tool to use with it is clamdscan, not clamscan.  You'll find a lot
> more information in the online documentation and the 'man' pages. If
> you have first made sure that the clamd daemon is running, then you
> can use the clamdscan tool to scan things with the clamd daemon. That
> will at least tell you if clamd itself is doing what you think it is.
> Or, indeed, anything at all.  You can set up logging to record amongst
> other things what clamd does when you feed it with data.
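
An added example, not part of the original thread: one way to check what the running clamd daemon (rather than a separate clamscan process) reports for a test mail, by speaking clamd's INSTREAM command over its local socket and flagging whether a hit came from a third-party database. The socket path, the function names and the signature names used in testing are assumptions or constructed values; ClamAV marks detections from non-official databases with a `.UNOFFICIAL` suffix.

```python
import socket
import struct
import sys

CLAMD_SOCKET = "/var/run/clamav/clamd.ctl"  # assumption: Debian-style LocalSocket path

def build_instream(data: bytes, chunk: int = 4096) -> bytes:
    """Frame data for clamd's INSTREAM command: 4-byte big-endian length + chunk."""
    out = [b"zINSTREAM\0"]
    for i in range(0, len(data), chunk):
        part = data[i:i + chunk]
        out.append(struct.pack("!I", len(part)) + part)
    out.append(struct.pack("!I", 0))  # zero-length chunk terminates the stream
    return b"".join(out)

def parse_reply(raw: bytes) -> dict:
    """Classify a clamd reply such as 'stream: OK' or 'stream: <name> FOUND'."""
    text = raw.rstrip(b"\0\n").decode("utf-8", "replace")
    body = text.split(": ", 1)[1] if ": " in text else text
    if body == "OK":
        return {"status": "clean", "signature": None, "third_party": False}
    if body.endswith(" FOUND"):
        name = body[: -len(" FOUND")]
        # ClamAV appends .UNOFFICIAL to hits from third-party signature databases
        return {"status": "infected", "signature": name,
                "third_party": name.endswith(".UNOFFICIAL")}
    return {"status": "error", "signature": None, "third_party": False}

def scan(data: bytes, path: str = CLAMD_SOCKET) -> dict:
    """Send data to the running clamd over its Unix socket and parse the verdict."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.settimeout(30)
        s.connect(path)
        s.sendall(build_instream(data))
        reply = b""
        while not reply.endswith(b"\0"):  # 'z' commands get a NUL-terminated reply
            got = s.recv(4096)
            if not got:
                break
            reply += got
    return parse_reply(reply)

if __name__ == "__main__":
    # Usage: python3 clamd_check.py testmail.eml  (file name is a placeholder)
    with open(sys.argv[1], "rb") as fh:
        print(scan(fh.read()))
```

A result with `status` "infected" and `third_party` true shows that the daemon itself has loaded and matched a non-official signature; "clean" on a known test mail points at the daemon's database configuration rather than at rspamd.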
