[Rspamd-Users] rspamd with clamav and clamav-unofficial-sigs from Sanesecurity

Andreas Wass - Glas Gasperlmair a.wass at glas-gasperlmair.at
Thu Nov 25 13:50:26 UTC 2021


Hi Ged, I think I misunderstood something and now it seems to work :-)

I sent the strings as plaintext in a message and nothing happened because 
in my case (configuration rspamd with clamav) rspamd takes control over 
text headers and bodies and not clamav.

clamav takes effect when attachments with viruses or virus strings come in.

If I put your strings or the test strings from 
https://sanesecurity.com/support/signature-testing/ in files and send 
these to my mail server, then these mails are all blocked.

And now in my rspamd logfile I can see something like this:
forced: reject "clamav: virus found: "YARA.Garbage_spam_indicator_0003.UNOFFICIAL"
forced: reject "clamav: virus found: "YARA.Sanesecurity_TestSig_Type4_Bdy_3.UNOFFICIAL"

So this is the confirmation that clamav works with the new signatures.

Thank you so much!

On 25.11.2021 at 14:10, G.W. Haywood via Users wrote:
> Hi there,
>
> On Thu, 25 Nov 2021, Andreas Wass - Glas Gasperlmair wrote:
>
>> ... rspamd with clamav works fine, but I want better detection of 
>> viruses
>> ...
>> ... all the new signatures are in /var/lib/clamav ...
>
> First check that you do *not* have this configuration option:
>
> OfficialDatabaseOnly yes
>
> set in your clamd configuration file.
>
> Then, if you have the unofficial (Sanesecurity etc.) data in the right
> directory - the same directory as the official ClamAV data - and clamd
> is running, and if it is detecting things, you can be sure that it is
> using the unofficial data too.  You can ask how many signatures are in
> use, see the documentation, there will be more if you add more data to
> the signature database.  To test it I would create a small file in the
> same directory which looks for something special.  For example you can
> create a file called 'cryptocurrencyscam.yar' which contains something
> like this:
>
> rule Garbage_spam_indicator_0003        // Crypto-currency scams
> {
>   strings:
>     $ = "bitcoin"                ascii   nocase
>     $ = "discount"               ascii   nocase
>     $ = /we.{1,50}(sell|sale)/   ascii   nocase
>   condition:
>     all of them
> }
>
> To recognize changes in the signature database, clamd must either be
> restarted or it must reload the database as a result of a timeout or a
> command.  You can send the command from the command line, see the man
> page, or one of the database update daemons can send the command.
>
> If you then send yourself a mail containing the text which the rule
> matches you should easily see the result.  Be careful that any mail
> which you send to yourself does get scanned!  Some systems only scan
> incoming mail, for example.
>
> You might then want to delete the test Yara file & restart clamd.
>
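Ged's procedure (drop a test rule into the database directory, make clamd reload, then check that the unofficial signature fires) can also be driven directly over the clamd socket instead of by mailing yourself. The script below is an added example, not code from the thread or from ClamAV/rspamd; it assumes clamd listens on a local Unix socket at the path in CLAMD_SOCKET, and the sample text is constructed to satisfy the three strings of Ged's test rule.

```python
import socket
import struct
import time

# Assumed socket path; match it to LocalSocket in your clamd.conf.
CLAMD_SOCKET = "/var/run/clamav/clamd.ctl"

def frame_instream(data, chunk=4096):
    """Frame bytes for clamd's zINSTREAM command: each chunk is a 4-byte
    big-endian length prefix plus data, terminated by a zero-length chunk."""
    parts = [b"zINSTREAM\0"]
    for i in range(0, len(data), chunk):
        piece = data[i:i + chunk]
        parts.append(struct.pack(">I", len(piece)) + piece)
    parts.append(struct.pack(">I", 0))
    return b"".join(parts)

def parse_reply(reply):
    """Map 'stream: NAME FOUND' / 'stream: OK' to (signature, is_unofficial).
    Third-party data (Sanesecurity, local YARA rules) reports with the
    .UNOFFICIAL suffix, which is what tells you the extra databases are live."""
    text = reply.rstrip(b"\0").decode("utf-8", "replace").strip()
    if text == "stream: OK":
        return None, False
    if text.startswith("stream: ") and text.endswith(" FOUND"):
        name = text[len("stream: "):-len(" FOUND")]
        return name, name.endswith(".UNOFFICIAL")
    raise RuntimeError("unexpected clamd reply: %r" % text)

def clamd_exchange(payload, sock_path=CLAMD_SOCKET):
    """Send one NUL-terminated (z-prefixed) command and collect the NUL-terminated reply."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(sock_path)
        s.sendall(payload)
        reply = b""
        while not reply.endswith(b"\0"):
            chunk = s.recv(4096)
            if not chunk:
                break
            reply += chunk
    return reply

if __name__ == "__main__":
    # RELOAD answers "RELOADING" at once; the reload itself may finish a
    # moment later, so give clamd a little time before the test scan.
    print(clamd_exchange(b"zRELOAD\0").rstrip(b"\0").decode())
    time.sleep(2)
    # Constructed text matching all three strings of the test rule.
    sample = b"We sell bitcoin at a big discount, act now!"
    print(parse_reply(clamd_exchange(frame_instream(sample))))
```

A reply naming a `.UNOFFICIAL` signature is the same confirmation the rspamd log lines above give, without depending on which direction of mail your MTA hands to rspamd.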
