From dd2b219c9e925389f903edd7b3a6a1e8a1d6e8cf Mon Sep 17 00:00:00 2001 From: Dmitriy Alekseev <1865999+dragoangel@users.noreply.github.com> Date: Thu, 7 Apr 2022 21:50:01 +0300 Subject: [PATCH] Create u_e-clamav-additional_dbs.en.md --- .../ClamAV/u_e-clamav-additional_dbs.en.md | 68 +++++++++++++++++++ 1 file changed, 68 insertions(+) create mode 100644 docs/manual-guides/ClamAV/u_e-clamav-additional_dbs.en.md diff --git a/docs/manual-guides/ClamAV/u_e-clamav-additional_dbs.en.md b/docs/manual-guides/ClamAV/u_e-clamav-additional_dbs.en.md new file mode 100644 index 000000000..b6ff2c899 --- /dev/null +++ b/docs/manual-guides/ClamAV/u_e-clamav-additional_dbs.en.md 
@@ -0,0 +1,68 @@ +## Additional Databases for ClamAV + +Default ClamAV databases has not great detection level, but it could be enhanced with free or paid signature databases. + +### List of known free databases + +- [SecurityInfo](https://www.securiteinfo.com/) - free ClamAV DBs for testing purposes, required registration after which you can use them from 1 IP +- [InterServer](http://rbluri.interserver.net/) - free to use ClamAV DBs, but they do not fit well for email scanning + +### Enable SecuriteInfo databases + +1. Sign up for a free account at https://www.securiteinfo.com/clients/customers/signup +2. You will receive an email to activate your account and then a follow-up email with your login name +3. Login and navigate to your customer account: https://www.securiteinfo.com/clients/customers/account +4. Click on the Setup tab +5. You will need to get `your_id` from one of the download links, they are individual for every user +7. Add to `data/conf/clamav/freshclam.conf` with replaced `your_id` part: +``` +DatabaseCustomURL https://www.securiteinfo.com/get/signatures/your_id/securiteinfo.hdb +DatabaseCustomURL https://www.securiteinfo.com/get/signatures/your_id/securiteinfo.ign2 +DatabaseCustomURL https://www.securiteinfo.com/get/signatures/your_id/javascript.ndb +DatabaseCustomURL https://www.securiteinfo.com/get/signatures/your_id/spam_marketing.ndb +DatabaseCustomURL https://www.securiteinfo.com/get/signatures/your_id/securiteinfohtml.hdb +DatabaseCustomURL https://www.securiteinfo.com/get/signatures/your_id/securiteinfoascii.hdb +DatabaseCustomURL https://www.securiteinfo.com/get/signatures/your_id/securiteinfopdf.hdb +``` + +8. 
Adjust `data/conf/clamav/clamd.conf` to align with next settings: +``` +DetectPUA yes +ExcludePUA PUA.Win.Packer +ExcludePUA PUA.Win.Trojan.Packed +ExcludePUA PUA.Win.Trojan.Molebox +ExcludePUA PUA.Win.Packer.Upx +ExcludePUA PUA.Doc.Packed +MaxScanSize 150M +MaxFileSize 100M +MaxRecursion 40 +MaxEmbeddedPE 100M +MaxHTMLNormalize 50M +MaxScriptNormalize 50M +MaxZipTypeRcg 50M +``` +9. Restart ClamAV container: +```bash +docker-compose restart clamd-mailcow +``` + +Please note: + +- You can't use `ExcludePUA` and `IncludePUA` in `clamd.conf` simultaneously, so please comment any `IncludePUA` if you uncommented them before. +- List of databases provided in this example fit most use-cases, but SecuriteInfo also provides other databases. Please check SecuriteInfo FAQ for additional information. +- With the current DB set (including default DBs) ClamAV will consume about 1.3Gb of RAM on your server. +- If you modified `message_size_limit` in Postfix you need to adapt `MaxSize` settings in ClamAV as well. + +### Enable InterServer databases + +1. Add to `data/conf/clamav/freshclam.conf`: +``` +DatabaseCustomURL http://sigs.interserver.net/interserver256.hdb +DatabaseCustomURL http://sigs.interserver.net/interservertopline.db +DatabaseCustomURL http://sigs.interserver.net/shell.ldb +DatabaseCustomURL http://sigs.interserver.net/whitelist.fp +``` +2. Restart ClamAV container: +```bash +docker-compose restart clamd-mailcow +```
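Review bot: The numbered procedure under "Enable SecuriteInfo databases" skips from step 5 to step 7, so either a step 6 was dropped or the remaining steps need renumbering (7→6, 8→7, 9→8). In the same hunk, the "Please note" bullet refers to a `MaxSize` setting that does not appear in the `clamd.conf` block; it should name the actual directives the reader is told to change (`MaxScanSize` and `MaxFileSize`) so the Postfix `message_size_limit` advice is actionable. The provider is listed as "SecurityInfo" in the free-databases list but "SecuriteInfo" everywhere else; the list entry should match the site name. The InterServer `DatabaseCustomURL` entries are fetched over plain `http://`, which means freshclam has no transport integrity for those third-party signature files; the doc should use an `https://` URL if the provider offers one, or at least state that these are unauthenticated downloads. Minor wording: "Default ClamAV databases has not great detection level" reads better as "The default ClamAV databases have a limited detection rate", "align with next settings" as "match the following settings", and "1.3Gb" should be "1.3 GB".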