Open MikeNavy opened 1 year ago
You should probably ask the upstream project instead? It's not clear to me how that would affect us.
Hi, for a reason I don't know, ClamAV has never taken into account the unofficial signatures (not provided by ClamAV, but by other groups). However, it is an official project: there is even a "clamav-unofficial-sigs" deb package in Ubuntu (a script to download and use those unofficial signatures). Of course, the deb is outdated and the script should be taken from GitHub. If the ability to use unofficial signatures was added to the ClamTk flatpak, this would increase the ClamAV detection rate.
See https://github.com/extremeshok/clamav-unofficial-sigs/blob/master/INSTALL.md for installation instructions.
Regards, MN
PS: the links work now correctly; the "Add a link" tool doesn't work; just paste the link.
@refi64 I don't quite understand what you call the upstream project: the ClamTk flatpak is a merge of two projects, ClamTk and ClamAV. The flatpak contains both the ClamTk GUI executables and the ClamAV ones, completed with libraries and Perl.
@ClamTk flatpak maintainers Concerning ClamAV unofficial signatures:
This is a feature normally supported by ClamAV, through the use of "freshclam.conf", which can be personalized. Examples:
DatabaseCustomURL http://myserver.example.com/mysigs.ndb
DatabaseCustomURL https://myserver.example.com/mysigs.ndb
DatabaseCustomURL https://myserver.example.com:4567/allow_list.wdb
DatabaseCustomURL ftp://myserver.example.com/example.ldb
DatabaseCustomURL ftps://myserver.example.com:4567/example.ndb
DatabaseCustomURL file:///mnt/nfs/local.hdb
I have modified freshclam.conf, found in "/var/lib/flatpak/app/com.gitlab.davem.ClamTk/current/active/files/etc". (See attached file; rename it from freshclam.txt to freshclam.conf.) freshclam.txt
But it doesn't work: the extra signatures are not downloaded, only the official CVD ones are (saved in "~/.var/app/com.gitlab.davem.ClamTk/data/.clamtk/db"). Something prevents downloading the unofficial signatures, and this is not normal.
Note that without unofficial signatures, the ClamAV detection rate is very low (some 55.4% detected on 400 000 samples, test done by Splunk in 2022, see https://en.wikipedia.org/wiki/Clam_AntiVirus), while it could grow up to 90% when completed by unofficial signatures.
Regards,
MN
Hi, I have made a new attempt and, this time, I could download extra signatures.
I have modified the file: "~/.var/app/com.gitlab.davem.ClamTk/data/.clamtk/db/local.conf". Initial content:
# Local config
DatabaseMirror database.clamav.net
LogSyslog no
Content after changes: local.txt (rename to "local.conf"; read the comments about Securiteinfo signatures, registering is needed).
Downloaded signatures after local.conf changes:
~/.var/app/com.gitlab.davem.ClamTk/data/.clamtk/db$ ls
badmacro.ndb foxhole_filename.cdb junk.ndb porcupine.ndb securiteinfopdf.hdb winnow_extended_malware.hdb
blurl.ndb foxhole_generic.cdb jurlbl.ndb rfxn.ndb shelter.ldb winnow_extended_malware_links.ndb
bofhland_cracked_URL.ndb foxhole_js.cdb local.conf rogue.hdb sigwhitelist.ign2 winnow_malware.hdb
bofhland_malware_attach.hdb foxhole_js.ndb main.cvd sanesecurity.ftm spamattach.hdb winnow_malware_links.ndb
bofhland_malware_URL.ndb freshclam.dat malwarehash.hsb scam.ndb spamimg.hdb winnow_phish_complete_url.ndb
bofhland_phishing_URL.ndb freshclam.log MiscreantPunch099-Low.ldb securiteinfoascii.hdb twinclams.ldb winnow_spam_complete.ndb
bytecode.cvd hackingteam.hsb phish.ndb securiteinfo.hdb winnow.attachments.hdb
clamav.ldb indicator_rmm.ldb phishtank.ndb securiteinfohtml.hdb winnow_bad_cw.hdb
daily.cvd javascript.ndb porcupine.hsb securiteinfo.ign2 winnow.complex.patterns.ldb
My question: when I use the ClamTk flatpak to scan a file or directory, will all the downloaded signatures be used? Or will only the official ClamAV signatures be used?
Rationale for downloading extra signatures: From https://en.wikipedia.org/wiki/Clam_AntiVirus,
ClamAV was tested against other antivirus products on Shadowserver. In 2011, Shadowserver tested over 25 million samples against ClamAV and numerous other antivirus products. Out of the 25 million samples tested, ClamAV scored 76.60% ranking 12 out of 19, a higher rating than some much more established competitors. In the 2008 AV-TEST of antivirus tools, ClamAV scored poorly in on-demand detection, avoiding false positives, and rootkit detection. In a Shadowserver six-month test between June and December 2011, ClamAV detected over 75.45% of all viruses tested, putting it in fifth place behind AhnLab, Avira, BitDefender and Avast. AhnLab, the top antivirus, detected 80.28%. In 2022 Splunk conducted an efficacy study involving ~400,000 malware samples sourced from MalwareBazaar. The study concluded ClamAV is 59.94% effective overall at detecting commodity malware.
This shows that the ClamAV detection rate, using official signatures only, has been between ~60% and ~77% over the period 2011-2020.
Adding extra, unofficial signatures can put the detection range up to ~90%.
Waiting for your answers,
Regards,
MN
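A small check for the two problems raised in this thread (custom sources listed in freshclam.conf or local.conf that never show up in the database directory, and which of the downloaded files clamscan will actually load). This is an added example, not code from ClamTk or ClamAV; it assumes that freshclam stores a custom database under the last path component of its URL and uses an abbreviated set of database extensions, both labelled in the comments. The config and directory listing are constructed for the example.

```python
import os
from urllib.parse import urlparse

# Extensions ClamAV loads as databases from a directory (assumption:
# abbreviated list covering the file types seen in this thread).
DB_EXTENSIONS = {".cvd", ".cld", ".ndb", ".hdb", ".hsb", ".ldb",
                 ".cdb", ".wdb", ".ign2", ".ftm"}

def parse_custom_urls(conf_text):
    """Collect DatabaseCustomURL values; lines starting with '#' are comments."""
    urls = []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0] == "DatabaseCustomURL":
            urls.append(parts[1].strip().strip('"'))
    return urls

def expected_filename(url):
    """Assumption: freshclam saves a custom database as the URL's last path component."""
    return os.path.basename(urlparse(url).path)

def missing_databases(conf_text, present_files):
    """Custom-URL files that are configured but absent from the database directory."""
    present = set(present_files)
    return sorted(f for f in map(expected_filename, parse_custom_urls(conf_text))
                  if f not in present)

def loadable_databases(present_files):
    """Files clamscan will pick up from the directory, judged by extension."""
    return sorted(f for f in present_files
                  if os.path.splitext(f)[1] in DB_EXTENSIONS)

# Constructed sample: a local.conf with custom sources for three of the URL
# schemes shown above, and a partial database directory listing.
SAMPLE_CONF = """# Local config
DatabaseMirror database.clamav.net
LogSyslog no
DatabaseCustomURL https://myserver.example.com/mysigs.ndb
DatabaseCustomURL https://myserver.example.com:4567/allow_list.wdb
DatabaseCustomURL file:///mnt/nfs/local.hdb
"""
SAMPLE_DIR = ["main.cvd", "daily.cvd", "bytecode.cvd", "mysigs.ndb",
              "local.hdb", "local.conf", "freshclam.log", "freshclam.dat"]

if __name__ == "__main__":
    print("not downloaded:", missing_databases(SAMPLE_CONF, SAMPLE_DIR))
    print("will be loaded:", loadable_databases(SAMPLE_DIR))
```

Against the real flatpak directory, `clamscan --database=<dir>` prints the total number of signatures loaded, which can be compared with the per-file counts from `sigtool --info=<file.cvd>` to confirm the extra files are counted.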
Hi, using "clamav-unofficial-sigs" increases the ClamAV detection rate by adding extra signatures.
See https://github.com/extremeshok/clamav-unofficial-sigs.
The request is simple: add "clamav-unofficial-sigs" to ClamTk.
Regards,
MN