[Rspamd-Users] rspamd with clamav and clamav-unofficial-sigs from Sanesecurity

G.W. Haywood rspamd at jubileegroup.co.uk
Thu Nov 25 13:10:45 UTC 2021


Hi there,

On Thu, 25 Nov 2021, Andreas Wass - Glas Gasperlmair wrote:

> ... rspamd with clamav works fine, but I want better detection of viruses
> ...
> ... all the new signatures are in /var/lib/clamav ...

First check that you do *not* have this configuration option:

OfficialDatabaseOnly yes

set in your clamd configuration file.

Then, if you have the unofficial (Sanesecurity etc.) data in the right
directory - the same directory as the official ClamAV data - and clamd
is running, and if it is detecting things, you can be sure that it is
using the unofficial data too.  You can ask how many signatures are in
use, see the documentation, there will be more if you add more data to
the signature database.  To test it I would create a small file in the
same directory which looks for something special.  For example you can
create a file called 'cryptocurrencyscam.yar' which contains something
like this:

rule Garbage_spam_indicator_0003        // Crypto-currency scams
{
   strings:
     $ = "bitcoin"                ascii   nocase
     $ = "discount"               ascii   nocase
     $ = /we.{1,50}(sell|sale)/   ascii   nocase
   condition:
     all of them
}

To recognize changes in the signature database, clamd must either be
restarted or it must reload the database as a result of a timeout or a
command.  You can send the command from the command line, see the man
page, or one of the database update daemons can send the command.

If you then send yourself a mail containing the text which the rule
matches you should easily see the result.  Be careful that any mail
which you send to yourself does get scanned!  Some systems only scan
incoming mail, for example.

You might then want to delete the test Yara file & restart clamd.

-- 

73,
Ged.
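
Added example, not part of the post or of ClamAV's own tooling: a Python check that feeds a constructed message matching the rule above to clamd over its UNIX socket (the INSTREAM protocol) and reports whether the unofficial YARA rule fired, as a direct complement to the send-yourself-a-mail test Ged describes. It assumes the socket path /var/run/clamav/clamd.ctl and that ClamAV names the hit in the form YARA.<rule>.UNOFFICIAL.

```python
import re
import socket
import struct

# Constructed test message: contains all three strings the post's YARA rule needs.
TEST_MESSAGE = (b"From: sender@example.invalid\r\nSubject: constructed test\r\n\r\n"
                b"Big discount today! We sell bitcoin at half price.\r\n")
CLAMD_SOCKET = "/var/run/clamav/clamd.ctl"  # assumed; match LocalSocket in clamd.conf
TEST_RULE = "Garbage_spam_indicator_0003"

def matches_test_rule(data: bytes) -> bool:
    """Local sanity check that the sample satisfies the rule's 'all of them' condition."""
    text = data.decode(errors="replace")
    patterns = ("bitcoin", "discount", r"we.{1,50}(sell|sale)")
    return all(re.search(p, text, re.IGNORECASE) for p in patterns)

def frame_instream(data: bytes, chunk_size: int = 4096) -> bytes:
    """Build a zINSTREAM request: (4-byte big-endian length + chunk)*, then a zero-length chunk."""
    out = bytearray(b"zINSTREAM\0")
    for i in range(0, len(data), chunk_size):
        chunk = data[i:i + chunk_size]
        out += struct.pack(">I", len(chunk)) + chunk
    return bytes(out + struct.pack(">I", 0))

def parse_scan_reply(reply: bytes) -> tuple:
    """Turn b'stream: NAME FOUND\\0' or b'stream: OK\\0' into (status, signature-or-None)."""
    verdict = reply.rstrip(b"\0").decode(errors="replace").strip().partition(": ")[2]
    if verdict.endswith(" FOUND"):
        return "FOUND", verdict[:-len(" FOUND")]
    return ("OK", None) if verdict == "OK" else ("ERROR", verdict)

def clamd_command(sock_path: str, payload: bytes) -> bytes:
    """Send one NUL-terminated command to clamd's UNIX socket; read the reply until clamd closes."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(sock_path)
        s.sendall(payload)
        chunks = []
        while more := s.recv(4096):
            chunks.append(more)
    return b"".join(chunks)

def rule_fires(sock_path: str = CLAMD_SOCKET) -> bool:
    """Scan the sample through clamd and report whether the test rule was reported.
    ClamAV names third-party YARA hits 'YARA.<rule>.UNOFFICIAL' (assumed form, hence substring match).
    After dropping the .yar file in place, trigger the reload the post mentions with
    clamd_command(CLAMD_SOCKET, b"zRELOAD\\0") and let it finish before scanning."""
    status, sig = parse_scan_reply(clamd_command(sock_path, frame_instream(TEST_MESSAGE)))
    return status == "FOUND" and TEST_RULE in (sig or "")
```

If rule_fires() returns False while matches_test_rule(TEST_MESSAGE) is True, the rule was not loaded: check OfficialDatabaseOnly and the file's location before suspecting the mail path.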

