djdefi / gitavscan

Git Anti-Virus Scan Action - Detect trojans, viruses, malware & other malicious threats.
The Unlicense

Use also clamav-unofficial-sigs DB #25

Open miurahr opened 3 years ago

miurahr commented 3 years ago

Is your feature request related to a problem? Please describe.
There are clamav-unofficial-sigs that can be used for scanning. It will be nice to check these sigs too.

Describe the solution you'd like

Describe alternatives you've considered

miurahr commented 3 years ago

Generic installation

mkdir -p /usr/local/sbin/
wget https://raw.githubusercontent.com/extremeshok/clamav-unofficial-sigs/master/clamav-unofficial-sigs.sh -O /usr/local/sbin/clamav-unofficial-sigs.sh && chmod 755 /usr/local/sbin/clamav-unofficial-sigs.sh
mkdir -p /etc/clamav-unofficial-sigs/
wget https://raw.githubusercontent.com/extremeshok/clamav-unofficial-sigs/master/config/master.conf -O /etc/clamav-unofficial-sigs/master.conf
wget https://raw.githubusercontent.com/extremeshok/clamav-unofficial-sigs/master/config/user.conf -O /etc/clamav-unofficial-sigs/user.conf

https://github.com/extremeshok/clamav-unofficial-sigs/blob/master/INSTALL.md

djdefi commented 1 year ago

Looks like freshclam could handle this https://wiki.gentoo.org/wiki/ClamAV_Unofficial_Signatures

There are two good approaches to using unofficial signatures on Gentoo (and elsewhere). The first is to use app-antivirus/fangfrisch, and the second is to use freshclam itself. The eXtremeSHOK clamav-unofficial-sigs script is not a secure option.

Using freshclam

Freshclam now supports https URLs, so if your unofficial signatures are available direct from an http(s) URL, then adding them to freshclam is easy. For example,

/etc/freshclam.conf

# These HTTP mirrors aren't quite official, but I've asked about them
# on the sanesecurity mailing list and someone offered them to the public.
DatabaseCustomURL https://mirror.rollernet.us/sanesecurity/badmacro.ndb
DatabaseCustomURL https://mirror.rollernet.us/sanesecurity/blurl.ndb
DatabaseCustomURL https://mirror.rollernet.us/sanesecurity/junk.ndb
DatabaseCustomURL https://mirror.rollernet.us/sanesecurity/jurlbl.ndb
DatabaseCustomURL https://mirror.rollernet.us/sanesecurity/jurlbla.ndb
DatabaseCustomURL https://mirror.rollernet.us/sanesecurity/lott.ndb

There are only a few downsides to using freshclam:

  • Freshclam can't rename the downloaded file, so if the source file is incorrectly named, freshclam will fail to validate it (because clamav won't know how to read it).
  • Freshclam only supports http(s), so you're out of luck if your database is only served over rsync.
  • There's currently a bug in freshclam (https://bugzilla.clamav.net/show_bug.cgi?id=12522) that causes it to validate malformed databases, which will crash clamav. So if there's a chance that you'll download a bad database, freshclam may not be the best choice (until that bug is fixed).

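
The quoted wiki text makes two points that matter when wiring DatabaseCustomURL entries into a scanner like this action: freshclam cannot rename what it downloads, so a file whose name does not carry a ClamAV database extension fails validation, and only http(s) sources work. The script below is an added example, not code from the gitavscan project or from the Gentoo wiki: it filters a list of candidate URLs down to https URLs whose file name ends in a recognised ClamAV database extension, renders them as DatabaseCustomURL lines, and merges them into a freshclam.conf without duplicating entries on re-run. The extension list is a representative subset (an assumption, not ClamAV's authoritative list), the https-only rule is a policy choice made here, and the sample input mixes the Sanesecurity mirror URLs quoted above with constructed entries on a hypothetical host.

```shell
#!/bin/sh
# Added example (not part of gitavscan or the Gentoo wiki text): build
# DatabaseCustomURL entries for freshclam.conf, keeping only URLs that
# freshclam can use safely. freshclam cannot rename downloads, so the
# file name itself must tell clamav which database format it is.

# Extensions clamav loads as signature databases. Assumption: this is a
# representative subset used for the check, not an exhaustive list.
CLAMAV_DB_EXTS="cvd cld cud ndb ndu hdb hdu hsb hsu mdb mdu msb msu ldb ldu ign2 sfp fp pdb gdb wdb cdb crb yar yara idb imp cbc"

# Return 0 if the URL is acceptable for DatabaseCustomURL, 1 otherwise.
check_custom_db_url() {
    url=$1
    case $url in
        https://*) ;;
        *) return 1 ;;            # plain http or other scheme: no transport integrity
    esac
    file=${url%%\?*}              # drop any query string
    file=${file##*/}              # keep the last path component
    case $file in
        *.*) ext=${file##*.} ;;
        *) return 1 ;;            # no extension: clamav cannot tell the format
    esac
    for known in $CLAMAV_DB_EXTS; do
        [ "$ext" = "$known" ] && return 0
    done
    return 1
}

# Read candidate URLs (one per line, '#' lines ignored) on stdin; print a
# DatabaseCustomURL line per accepted URL, report rejected ones on stderr.
render_custom_db_lines() {
    while IFS= read -r url; do
        [ -z "$url" ] && continue
        case $url in '#'*) continue ;; esac
        if check_custom_db_url "$url"; then
            printf 'DatabaseCustomURL %s\n' "$url"
        else
            printf 'rejected: %s\n' "$url" >&2
        fi
    done
    return 0
}

# Merge accepted entries into the given freshclam.conf, skipping lines that
# are already present so the script is safe to re-run from a scheduled job.
merge_into_freshclam_conf() {
    conf=$1
    render_custom_db_lines 2>/dev/null | while IFS= read -r line; do
        if ! grep -qxF -- "$line" "$conf" 2>/dev/null; then
            printf '%s\n' "$line" >> "$conf"
        fi
    done
}

# Constructed sample input: two of the Sanesecurity mirror URLs quoted in the
# thread, plus two entries that must be rejected (hypothetical host, not a
# real mirror): one over plain http, one without a database extension.
SAMPLE_URLS='https://mirror.rollernet.us/sanesecurity/badmacro.ndb
https://mirror.rollernet.us/sanesecurity/junk.ndb
http://sigs.example.invalid/custom/lott.ndb
https://sigs.example.invalid/custom/README.txt'

# Stand-alone demo: show which entries would be written.
printf '%s\n' "$SAMPLE_URLS" | render_custom_db_lines
```

Run against a copy of the real freshclam.conf first; the rejected lines on stderr are the ones that would otherwise make freshclam fail validation or fetch signatures without transport integrity.
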
rohthegreat commented 1 year ago

So do you want me to go to the file and change it and hope all goes well, @djdefi?