Thu Oct 8 15:19:50 +07 2020

ClamAV Unofficial and Malware Patrol

OK, so I think I have a better understanding of ClamAV Unofficial signatures. It is all based upon the shell script by eXtremeSHOK.com.

In the configuration file, it is clear that /var/db/clamav-unofficial-sigs is only a working directory; the signatures end up in /var/db/clamav. Since it is just a working directory, there is no reason to run a second instance of ClamAV from it: the first and only needed instance of ClamAV will pick up the new unofficial signatures when they are installed in the signature directory.

So I killed the second instance of ClamAV (launched from /etc/rc.local). But I kept clamd-un.conf, just in case.

Now the problem with Malware Patrol: because malware is being distributed from Google Drive, they flag anything that contains the string https://drive.google.com. That cannot work for us, as it would flag any email that mentions a document stored in Google Drive and disrupt our work.

The solution I have implemented is a Perl script (/usr/local/bin/clamav-unofficial-sigs-post.pl) that is called by the ClamAV Unofficial script at the point where it would otherwise call clamdscan --reload. My Perl script removes the Google Drive signatures and then executes the reload.

My Perl script is a dirty hack, as I started developing it on the assumption that the ClamAV signature reload was triggered by a signal. The skeleton of that is still in the script. All locations and strings are hard-coded to fit my needs, and it can be modified if some future whitelisting must be applied.
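The post-processing step described above, as an added example written in Python rather than the author's Perl script (which is not reproduced here). One detail matters for anyone doing this: in ClamAV body signatures (.ndb and .ldb files) the pattern is hex-encoded, so a plain grep for "https://drive.google.com" in the database finds nothing; you have to search for the hex encoding of the string, and only accept a match that starts on a byte boundary. The example assumes the Malware Patrol signatures arrive as .ndb/.ldb text files, and the sample lines and file paths are constructed for illustration, not taken from the real feed.

```python
"""Drop ClamAV body signatures whose hex pattern contains a given string.

Added example, not the blog author's Perl script. Assumes .ndb lines of the
form Name:Target:Offset:Hex[:MinFL[:MaxFL]] and .ldb lines of the form
Name;TargetDescription;LogicalExpression;Sub0;Sub1;... as ClamAV documents.
Paths given on the command line are placeholders chosen by the user.
"""
import subprocess
import sys

# The string the author wants to stop matching. ClamAV stores body
# signatures as hex, so the comparison below is done on the hex encoding.
NEEDLE = "https://drive.google.com"


def hex_contains(hexbody: str, needle: str) -> bool:
    """True if the hex signature body contains needle at a byte boundary.

    A hit at an odd index is a nibble-shifted false positive (the hex digits
    line up, but the bytes do not), so only even indices count.
    """
    want = needle.encode().hex()
    body = hexbody.lower()
    start = 0
    while True:
        idx = body.find(want, start)
        if idx < 0:
            return False
        if idx % 2 == 0:
            return True
        start = idx + 1


def body_fields(line: str):
    """Return (signature name, list of hex body fields) for one database line.

    Comments, blank lines and hash-style lines (.hdb/.hsb) yield no body
    fields and are therefore always kept.
    """
    line = line.rstrip("\n")
    if not line.strip() or line.startswith("#"):
        return "", []
    if ";" in line:                      # .ldb: subsignatures start at field 3
        parts = line.split(";")
        return parts[0], parts[3:]
    parts = line.split(":")
    if len(parts) >= 4:                  # .ndb: hex body is field 3
        return parts[0], [parts[3]]
    return parts[0], []


def filter_signatures(lines, needle: str = NEEDLE):
    """Split lines into (kept lines, names of dropped signatures)."""
    kept, dropped = [], []
    for line in lines:
        name, bodies = body_fields(line)
        if any(hex_contains(b, needle) for b in bodies):
            dropped.append(name)
        else:
            kept.append(line)
    return kept, dropped


def reload_clamd() -> int:
    """Ask the running clamd to reload its databases, as the author's script does."""
    return subprocess.call(["clamdscan", "--reload"])


# Constructed sample database lines (not real Malware Patrol signatures).
SAMPLE = [
    "MalwarePatrol.Example1:0:*:"
    + "https://drive.google.com/uc?export=download".encode().hex(),
    "MalwarePatrol.Example2:0:*:"
    + "https://evil.example.com/payload".encode().hex(),
    "MalwarePatrol.Example3;Target:0;0&1;"
    + "Content-Type: text/html".encode().hex()
    + ";" + "https://drive.google.com".encode().hex(),
    # .hdb-style hash line: no hex body, always kept
    "0123456789abcdef0123456789abcdef:1234:MalwarePatrol.Example4",
]


if __name__ == "__main__":
    # Usage: filter_sigs.py /path/to/MalwarePatrol.ndb [more files...]
    # Rewrites each file in place without the Google Drive signatures,
    # then triggers one reload. With no arguments, runs on SAMPLE.
    if len(sys.argv) == 1:
        kept, dropped = filter_signatures(SAMPLE)
        print("dropped:", dropped)
        sys.exit(0)
    for path in sys.argv[1:]:
        with open(path, encoding="utf-8", errors="replace") as fh:
            kept, dropped = filter_signatures(fh.readlines())
        with open(path, "w", encoding="utf-8") as fh:
            fh.writelines(kept)
        print(f"{path}: removed {len(dropped)} signature(s)")
    sys.exit(reload_clamd())
```

Two caveats. First, rewriting the downloaded database means the change is lost on the next update, which is why it has to run from the post-update hook every time. Second, ClamAV has a native whitelist mechanism: a file with the .ign2 extension in the database directory, containing one signature name per line, makes clamd skip those signatures without editing the feed. The names returned in `dropped` could be written to such a file instead, but since Malware Patrol's names change from update to update, that file would still need regenerating on every run, so it does not remove the need for the hook.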


Posted by Olivier | Permanent link | File under: administration, mail, anti-virus