Koozali.org: home of the SME Server

Ransomware/CTB-Locker ClamAV signature

guest22

Re: Ransomware/CTB-Locker ClamAV signature
« Reply #15 on: February 24, 2015, 03:28:25 PM »
yes.. sorry for the delay

you have to manually edit the .conf file in /etc/clamav-unofficial-sigs (IIRC)


I think you are right. The RPM is being installed, but you have to incorporate various things into the config file to make the new data effective. That's all I could see.

Stefano
Re: Ransomware/CTB-Locker ClamAV signature
« Reply #16 on: February 24, 2015, 03:44:38 PM »
ok..

First of all, let's create a copy of the original .conf file:

Code: [Select]
cd /etc/clamav-unofficial-sigs
cp clamav-unofficial-sigs.conf clamav-unofficial-sigs.orig


In the same directory, create a clamav-unofficial-sigs.conf.patch file with:
Code: [Select]
nano clamav-unofficial-sigs.conf.patch

and fill it with the following content:
Code: [Select]
diff -Nur old/clamav-unofficial-sigs.conf new/clamav-unofficial-sigs.conf
--- old/clamav-unofficial-sigs.conf   2015-02-24 15:32:56.182269840 +0100
+++ new/clamav-unofficial-sigs.conf   2015-02-24 15:33:06.193721634 +0100
@@ -37,15 +37,15 @@
 # Set the appropriate ClamD user and group accounts for your system.
 # If you do not want the script to set user and group permissions on
 # files and directories, comment the next two variables.
-clam_user="clam"
-clam_group="clam"
+clam_user="clamav"
+clam_group="clamav"
 
 # Set path to ClamAV database files location.  If unsure, check
 # your clamd.conf file for the "DatabaseDirectory" path setting.
-clam_dbs="/var/lib/clamav"
+clam_dbs="/var/clamav"
 
 # Set path to clamd.pid file (see clamd.conf for path location).
-clamd_pid="/var/run/clamav/clamd.pid"
+#clamd_pid="/var/run/clamav/clamd.pid"
 
 # To enable "ham" (non-spam) directory scanning and removal of
 # signatures that trigger on ham messages, uncomment the following
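Review bot: the values introduced here (clam_user/clam_group "clamav", clam_dbs="/var/clamav") are hard-coded for one layout, while the comments in this same hunk say to take the database path from DatabaseDirectory in clamd.conf and that the script uses the user/group to set ownership on files and directories; a reader on a different build should verify both against clamd.conf and the actual owner of the database directory before applying, because a wrong account here means the script chowns the signature directory to the wrong owner. Commenting out clamd_pid instead of pointing it at the real pid file also removes the only pid-based way to signal clamd; if clamd writes a pid file on the target, prefer `clamd_pid="/path/to/clamd.pid"` over disabling the variable.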
@@ -54,7 +54,7 @@
 
 # If you would like to reload the clamd databases after an update,
 # change the following variable to "yes".
-reload_dbs="no"
+reload_dbs="yes"
 
 # Set the reload or restart option if the "reload_dbs" variable above
 # is set to "yes" (only select 'ONE' of the following variables or the
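Review bot: reload_dbs is switched to "yes", but the hunk stops exactly where its own comment says one reload or restart option must be selected, and the patch never shows which option is chosen; with clamd_pid commented out in the previous hunk, any option that signals clamd through its pid file cannot work, so the patch should state the selected reload option explicitly, and it should be one that talks to clamd over the socket configured in the last hunk.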
@@ -76,7 +76,7 @@
 # the script will still run).  You will also need to set the correct
 # path to your clamd socket file (if unsure of the path, check the
 # "LocalSocket" setting in your clamd.conf file for socket location).
-#clamd_socket="/var/run/clamd.socket"
+clamd_socket="/var/clamav/clamd.socket"
 
 # If you would like to attempt to restart ClamD if detected not running,
 # uncomment the next 2 lines.  Confirm the path to the "clamd_lock" file
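Review bot: clamd_socket is uncommented with a hard-coded /var/clamav/clamd.socket although the comment two lines above says to confirm the path against LocalSocket in clamd.conf; this is the path the script needs to reach clamd for the reload enabled in the previous hunk, so a mismatch leaves fresh signatures in clam_dbs that clamd never loads. Derive the value from clamd.conf, or record in the patch description where it was verified, and note that the hunk ends just before the clamd_lock/restart lines, so whether automatic restart is enabled is left unspecified.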

save and exit, then
Code: [Select]
cd /etc/clamav-unofficial-sigs
patch clamav-unofficial-sigs.conf clamav-unofficial-sigs.conf.patch

done :)

I tested the patch a bit, and it's working for me.. YMMV

Take a look in the /var/log/clamav-unofficial-sigs directory to see if everything is working fine.
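The patch above bakes in values that the config file's own comments say should come from clamd.conf. As an added example (not code from this thread, from the clamav-unofficial-sigs project, or from SME Server), the following Python script reads DatabaseDirectory, LocalSocket, User and, if present, PidFile from clamd.conf and rewrites the matching variables in clamav-unofficial-sigs.conf, applying the same changes as the patch (reload_dbs="yes", clamd_socket enabled, clamd_pid disabled only when clamd.conf defines no PidFile) and keeping a one-time .orig copy like the cp step above. The clamd.conf and config fragments embedded in it are constructed, and the rule that the group is named like the user, as well as the clamd.conf location, are assumptions.

```python
"""Derive the clamav-unofficial-sigs settings from clamd.conf.

Added example, not code from the thread or from the clamav-unofficial-sigs
project. Reads DatabaseDirectory, LocalSocket, User and (if present) PidFile
from clamd.conf and rewrites clam_dbs / clamd_socket / clam_user / clam_group /
clamd_pid in clamav-unofficial-sigs.conf, sets reload_dbs="yes", and keeps a
one-time .orig copy, so the values cannot drift from what clamd really uses.
"""
import re
import shutil
import tempfile
from pathlib import Path

# Constructed clamd.conf fragment (assumed layout, not a verified SME file).
SAMPLE_CLAMD_CONF = """\
LogFile /var/log/clamav/clamd.log
DatabaseDirectory /var/clamav
LocalSocket /var/clamav/clamd.socket
User clamav
"""

# Constructed fragment holding the variables the patch in the post touches.
SAMPLE_CUS_CONF = """\
# Set the appropriate ClamD user and group accounts for your system.
clam_user="clam"
clam_group="clam"
clam_dbs="/var/lib/clamav"
clamd_pid="/var/run/clamav/clamd.pid"
reload_dbs="no"
#clamd_socket="/var/run/clamd.socket"
"""

CLAMD_KEYS = ("DatabaseDirectory", "LocalSocket", "User", "PidFile")


def parse_clamd_conf(text: str) -> dict:
    """Return {Option: value} for the clamd.conf options used here (first one wins)."""
    opts = {}
    for ln in text.splitlines():
        parts = ln.strip().split(None, 1)
        if len(parts) == 2 and parts[0] in CLAMD_KEYS and parts[0] not in opts:
            opts[parts[0]] = parts[1].strip()
    return opts


def sync_conf(clamd_text: str, cus_text: str) -> str:
    """Return cus_text with the clamd-derived values substituted in place."""
    opts = parse_clamd_conf(clamd_text)
    for key in ("DatabaseDirectory", "LocalSocket", "User"):
        if key not in opts:
            raise ValueError(f"clamd.conf has no {key}; refusing to guess it")
    wanted = {
        "clam_user": opts["User"],
        "clam_group": opts["User"],  # assumption: the group is named like the user
        "clam_dbs": opts["DatabaseDirectory"],
        "clamd_socket": opts["LocalSocket"],
        "reload_dbs": "yes",
    }
    if "PidFile" in opts:
        wanted["clamd_pid"] = opts["PidFile"]
    out, seen = [], set()
    for ln in cus_text.splitlines():
        m = re.match(r"^#?([A-Za-z_][A-Za-z0-9_]*)=", ln)
        var = m.group(1) if m else None
        if var in wanted:                   # set the variable, uncommenting it if needed
            out.append(f'{var}="{wanted[var]}"')
            seen.add(var)
        elif var == "clamd_pid":            # clamd.conf has no PidFile: disable it
            out.append("#" + ln.lstrip("#"))
        else:
            out.append(ln)
    missing = sorted(set(wanted) - seen)
    if missing:
        raise ValueError(f"variables not present in unofficial-sigs conf: {missing}")
    return "\n".join(out) + "\n"


def get_values(cus_text: str) -> dict:
    """Active (uncommented) var="value" assignments in a shell-style conf."""
    return dict(re.findall(r'^([A-Za-z_][A-Za-z0-9_]*)="(.*)"$', cus_text, re.M))


def sync_files(clamd_conf: Path, cus_conf: Path) -> dict:
    """Back up cus_conf once (.orig), rewrite it from clamd_conf, return the new values."""
    backup = cus_conf.with_name(cus_conf.name + ".orig")
    if not backup.exists():
        shutil.copy2(cus_conf, backup)
    new_text = sync_conf(clamd_conf.read_text(), cus_conf.read_text())
    cus_conf.write_text(new_text)
    return get_values(new_text)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:  # dry run on the constructed samples
        clamd, cus = Path(tmp, "clamd.conf"), Path(tmp, "clamav-unofficial-sigs.conf")
        clamd.write_text(SAMPLE_CLAMD_CONF)
        cus.write_text(SAMPLE_CUS_CONF)
        for var, val in sorted(sync_files(clamd, cus).items()):
            print(f'{var}="{val}"')
```

Run as-is it only rewrites the constructed samples in a temporary directory; on a real box call sync_files() with the path of your clamd.conf and /etc/clamav-unofficial-sigs/clamav-unofficial-sigs.conf, then diff the result against the .orig copy before letting the cron job run.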

brianr
Re: Ransomware/CTB-Locker ClamAV signature
« Reply #17 on: February 24, 2015, 04:55:34 PM »
@brianr,
Which other sources of signatures do you use?

No others (yet!)
Brian j Read

swany
Re: Ransomware/CTB-Locker ClamAV signature
« Reply #18 on: December 08, 2015, 11:24:31 AM »
I want to block all the listed file masks in mail attachments; I added the following to /var/clamav/my_base.cdb:

Code: [Select]
ScanMailX.Blocked.Attached_Files.CL_TYPE_MAIL.js:CL_TYPE_MAIL:*:(?i)\.js$:*:*:*:*:*:*
ScanMailX.Blocked.Attached_Files.CL_TYPE_MAIL.exe:CL_TYPE_MAIL:*:(?i)\.exe$:*:*:*:*:*:*
ScanMailX.Blocked.Attached_Files.CL_TYPE_MAIL.dll:CL_TYPE_MAIL:*:(?i)\.dll$:*:*:*:*:*:*
ScanMailX.Blocked.Attached_Files.CL_TYPE_MAIL.vbs:CL_TYPE_MAIL:*:(?i)\.vbs$:*:*:*:*:*:*
ScanMailX.Blocked.Attached_Files.CL_TYPE_MAIL.pif:CL_TYPE_MAIL:*:(?i)\.pif$:*:*:*:*:*:*
ScanMailX.Blocked.Attached_Files.CL_TYPE_MAIL.com:CL_TYPE_MAIL:*:(?i)\.com$:*:*:*:*:*:*
ScanMailX.Blocked.Attached_Files:*:*:\.(ade|adp|bat|chm|cmd|com|cpl|exe|hta|ins|isp|js|jse|lib|lnk|mde|msc|msp|mst|pif|scr|sct|shb|sys|vb|vbe|vbs)$:*:*:*:*:*:*

If I send
АА file_name.js
it's BLOCKED

But if I send
АА file_name.xlsx_ .js
it's OK

АА - non-Unicode symbols

Can someone help me?
« Last Edit: December 08, 2015, 01:14:26 PM by swany »
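An added example, not ClamAV code and not part of the post above: a small offline checker that parses the posted .cdb lines and applies their FileNameREGEX fields with Python's re module as a stand-in for ClamAV's own matcher, so you can see which rule an attachment name hits before loading a database into clamd. It also encodes the non-ASCII name from the post as an RFC 2047 word, which is how a mail client puts it on the wire; whether clamd tests the decoded name or the raw header value is not settled in this thread, so that part only shows how much the verdict depends on which string is matched. The sample rules are the posted lines with the empty alternative at the end of the last rule dropped; the attachment names are constructed.

```python
"""Offline checker for ClamAV .cdb filename rules.

Added example: not ClamAV code and not from the thread. A .cdb line has ten
colon-separated fields; only VirusName, ContainerType and FileNameREGEX matter
for the rules in the post, and the regex is applied with Python's re module as
a stand-in for ClamAV's own matcher. The RFC 2047 helpers show what a
non-ASCII attachment name looks like in a header; which form clamd tests is
not established here, so they only show how the verdict depends on it.
"""
import re
from dataclasses import dataclass
from email.header import Header, decode_header, make_header

# Constructed from the post's lines, with the empty alternative at the end of
# the last rule dropped (a trailing "|" would match any name ending in ".").
SAMPLE_CDB = r"""
ScanMailX.Blocked.Attached_Files.CL_TYPE_MAIL.js:CL_TYPE_MAIL:*:(?i)\.js$:*:*:*:*:*:*
ScanMailX.Blocked.Attached_Files.CL_TYPE_MAIL.exe:CL_TYPE_MAIL:*:(?i)\.exe$:*:*:*:*:*:*
ScanMailX.Blocked.Attached_Files.CL_TYPE_MAIL.dll:CL_TYPE_MAIL:*:(?i)\.dll$:*:*:*:*:*:*
ScanMailX.Blocked.Attached_Files.CL_TYPE_MAIL.vbs:CL_TYPE_MAIL:*:(?i)\.vbs$:*:*:*:*:*:*
ScanMailX.Blocked.Attached_Files.CL_TYPE_MAIL.pif:CL_TYPE_MAIL:*:(?i)\.pif$:*:*:*:*:*:*
ScanMailX.Blocked.Attached_Files.CL_TYPE_MAIL.com:CL_TYPE_MAIL:*:(?i)\.com$:*:*:*:*:*:*
ScanMailX.Blocked.Attached_Files:*:*:\.(ade|adp|bat|chm|cmd|com|cpl|exe|hta|ins|isp|js|jse|lib|lnk|mde|msc|msp|mst|pif|scr|sct|shb|sys|vb|vbe|vbs)$:*:*:*:*:*:*
"""


@dataclass
class CdbRule:
    name: str
    container: str          # "*" or a CL_TYPE_* container name
    filename_re: re.Pattern


def parse_cdb(text: str) -> list:
    """Parse .cdb lines; rejects lines that do not have exactly ten fields."""
    rules = []
    for lineno, ln in enumerate(text.splitlines(), 1):
        ln = ln.strip()
        if not ln or ln.startswith("#"):
            continue
        fields = ln.split(":")      # the format reserves ":" as the separator
        if len(fields) != 10:
            raise ValueError(f"line {lineno}: expected 10 fields, got {len(fields)}")
        name, container, _size, fname_re = fields[:4]
        rules.append(CdbRule(name, container, re.compile(fname_re)))
    return rules


def first_match(rules: list, filename: str, container: str = "CL_TYPE_MAIL"):
    """Name of the first rule whose container and FileNameREGEX both match, else None."""
    for rule in rules:
        if rule.container in ("*", container) and rule.filename_re.search(filename):
            return rule.name
    return None


def rfc2047_encode(name: str) -> str:
    """Header form of an attachment name: non-ASCII names become one encoded word."""
    return Header(name, "utf-8" if not name.isascii() else "us-ascii").encode()


def rfc2047_decode(value: str) -> str:
    """Decode an RFC 2047 encoded header value back to text."""
    return str(make_header(decode_header(value)))


RULES = parse_cdb(SAMPLE_CDB)

if __name__ == "__main__":
    for name in ("АА file_name.js", "АА file_name.xlsx_ .js", "report.bat", "report.xlsx"):
        raw = rfc2047_encode(name)
        print(f"{name!r}: decoded -> {first_match(RULES, name)}, raw header -> {first_match(RULES, raw)}")
```

Two things the run makes visible: the posted regexes do match the literal string "АА file_name.xlsx_ .js", since it ends in ".js", but they match nothing once the same name is an RFC 2047 encoded word ending in "?="; and the last rule, unlike the six above it, has no (?i), so "report.BAT" slips past it while "report.bat" is caught.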

Daniel B.
Re: Ransomware/CTB-Locker ClamAV signature
« Reply #19 on: December 08, 2015, 11:52:07 AM »
Please open a new topic
It's the end of the world!!! :lol:

Stefano
Re: Ransomware/CTB-Locker ClamAV signature
« Reply #20 on: December 08, 2015, 01:11:13 PM »
Please open a new topic

and please don't delete the post's content!

guest22

Re: Ransomware/CTB-Locker ClamAV signature
« Reply #21 on: December 08, 2015, 02:17:46 PM »
And please do not cross post.

Stefano
Re: Ransomware/CTB-Locker ClamAV signature
« Reply #22 on: December 08, 2015, 02:33:32 PM »
And please do not cross post.

He was requested to open a new topic, so it's not a cross post IMO.. am I missing anything?

TIA

guest22

Re: Ransomware/CTB-Locker ClamAV signature
« Reply #23 on: December 08, 2015, 02:48:25 PM »
You are correct. He did open a new topic, which I mistakenly took for a cross post.