Codebase list clamav-unofficial-sigs / f644b10
Imported Upstream version 3.5.4 Paul Wise 14 years ago
10 changed file(s) with 417 addition(s) and 122 deletion(s).
11 written by Bill Landry (bill@inetmsg.com). The script provides a simple
22 way to download, test and run the third-party ClamAV signature databases
33 provided by Sanesecurity, MSRBL, SecuriteInfo, MalwarePatrol, and OITC.
4
5 Version 3.5.4 (updated 2009-06-25)
6 - Removed an unnecessary early database reload when a change was
7 detected by the script in the local.ign signature bypass file.
8 - The script was not properly handling exit status when configured
9 with full script output silence and database reloading was
10 disabled. Issue reported by Andreas Prieß.
11 - The script was not detecting bypass signature entry changes in
12 local.ign if the entry did not include the line number in the
13 bypass signature entry. Issue reported by Paul Enlund.
14 - Windows convention is to end each line of text with the carriage
15 return character followed by the newline character. In order to
16 work around this, the script now strips the CRLF from the end of
17 signature lines before testing for changes, modifications, or
18 removal of local.ign bypassed signature entries. Issue reported
19 by Paul Enlund.
20
21 Version 3.5.3 (updated 2009-06-04)
22 - Replaced 'sed -i' (in-place) 'replace/remove' code in the script
23 with similar perl code. It was determined that sed varies too
24 much between OS platforms. The differences between FBSD, Linux,
25 Sun, and HPUX was too problematic to rely on sed for 'in-place'
26 editing. Thanks to Larry Rosenman for testing the new perl code
27 sections on all 4 platforms listed above.
28
29 Version 3.5.2 (updated 2009-06-04)
30 - Renamed the cron and logrotate files, changing the "." to "-" due
31 the fact that some platform (such as Debian) have certain naming
32 restrictions on cron file names that does not allow for the use of
33 a "." in the file name. The documentation has also been updated.
34 Consider renaming your files. Issue reported by Yizhar Hurwitz.
35 - Added the sed "-e" (expression=script) flag to the 4 sed commands
36 that use the "-i" (edit in-place) in the script's "-b" (create
37 signature bypass) flag. Apparently without the sed "-e" flag,
38 FreeBSD intreprets part of the expanded variable as a command.
39 Issue reported by Larry Rosenman.
40 - Replaced a misplaced hard link with the appropriate variable in
41 the signature bypass section of the script. Issue reported by
42 Larry Rosenman.
43 - Added feedback in warning message regarding signature database name
44 misspelling as a possible issue when all rsync mirror sites fail.
45 - Improved the signature bypass code section that monitors hexadecimal
46 signature modifications and removals and keeps local.ign updated.
47
48 Version 3.5.1 (updated 2009-05-30)
49 - Fixed an issue with the script exiting with an error condition if
50 both "clamd_reload" is disabled and all script silence options are
51 enabled. Issue reported by Andreas Prieß.
52 - Fixed a /path/file statement that was pointing to a scan test file
53 that was used while testing the script and then inadvertently left
54 in the released script. Issue reported by Lukasz Czarnowski.
55 - Moved all third-party signature databases labeled as medium and high
56 risk (as defined at http://www.sanesecurity.com/clamav/databases.htm)
57 into comment sections in the configuration file with a pointer to the
58 above URL. This will require script users to consciously enable the
59 usage of these potentially high false-positive risk databases rather
60 than have them enabled by default. Requested by Steve Basford.
61
62 Version 3.5 (updated 2009-05-25)
63 - Added the '-m' flag that will make a hexadecimal signature database
64 file (*.ndb) from a clear text, ascii source file that contains one
65 data string entry per line that will then be converted into signature
66 lines in the new database file.
67 - Added the new INetMsg SpamDomains database to the config file.
68 - Updated the INSTALL, README and manual page.
69
70 Version 3.4 (updated 2009-05-22)
71 - Modified the '-b' (create signature bypass) flag so that the script
72 no longer deletes the local.ign file. The script now tracks changes
73 to any signature bypass entries it creates in local.ign and will
74 remove the signature bypass entry if either the original offending
75 third-party signature being bypassed has been modified or has been
76 removed from the third-party database.
77 - Updated the INSTALL, README and manual page.
478
579 Version 3.3 (updated 2009-05-19)
680 - Updated the MalwarePatrol URL to now use their new download link.
1892 - Repositioned a badly placed 'echo' command that was causing empty
1993 cron emails to be sent even if all silence variables were set in
2094 the config file and no error conditions existed. Issue reported
21 by Andreas PrieB.
95 by Andreas Prieß.
2296 - Added a '-b' switch that can be used to create a bypass signature
2397 for local.ign in order to temporarily resolve false-positive issues
2498 with a third-party signature. The local.ign file will automatically
6262 cp clamav-unofficial-sigs.sh /path/to/script_dir (usually something like /usr/local/bin)
6363 cp clamav-unofficial-sigs.conf /path/to/config_dir (/etc & usually something like /usr/local/etc)
6464 cp clamav-unofficial-sigs.8 /path/to/man/man8 (usually something like /usr/local/man/man8)
65 cp clamav-unofficial-sigs.cron /path/to/cron.d (usually something like /etc/cron.d)
66 cp clamav-unofficial-sigs.logrotate /path/to/logrotate.d (usually something like /etc/logrotate.d)
65 cp clamav-unofficial-sigs-cron /path/to/cron.d (usually something like /etc/cron.d)
66 cp clamav-unofficial-sigs-logrotate /path/to/logrotate.d (usually something like /etc/logrotate.d)
6767
6868 ==================
6969 USAGE INFORMATION:
7070 ==================
7171
72 To run at specific time intervals, edit crontab:
72 To run at specific time intervals, either use the include cron file or edit the user crontab:
7373 crontab -e
7474
7575 To run hourly, at 15 minute after the hour (for example), add the following to crontab:
109109 To output script configuration and system information:
110110 /path/to/clamav-unofficial-sigs.sh -i
111111
112 To make a hexadecimal signature database file (*.ndb) from a clear text ascii file:
113 /path/to/clamav-unofficial-sigs.sh -m
114
112115 To completely remove the script and all of its associated files, databases and work directories:
113116 /path/to/clamav-unofficial-sigs.sh -r
114117
2727
2828 7. clamav-unofficial-sigs.8 - This is the script's manual page.
2929
30 8. clamav-unofficial-sigs.cron - This is the script's cron file used to support automated
30 8. clamav-unofficial-sigs-cron - This is the script's cron file used to support automated
3131 script execution at specified time intervals.
3232
33 9. clamav-unofficial-sigs.logrotate - This is the script's logrotate file, used to rotate
33 9. clamav-unofficial-sigs-logrotate - This is the script's logrotate file, used to rotate
3434 and compress log files at a specified time-interval and to keep the log archives for a
3535 specified time-frame.
3636
5858 - Separate user configuration file, which will allow users to setup their configuration and not
5959 have to redo the configuration with each new script update.
6060 - The script can hexadecimal encode (for usage) and decode (for viewing) virus signatures.
61 - Ability to create a hexadecimal signature database file from a clear text ascii file.
62 - Script logging can be enabled/disabled in the configuration file.
63 - Includes cron, manual, and logrotate files.
6164
6265 The latest version of the script will always be named: clamav-unofficial-sigs.tar.gz
0 # ClamAV Unofficial Signature Databases Update Cron File
1 #
2 # Author: Bill Landry <bill@inetmsg.com>
3 #
4 # This cron file will execute the clamav-unofficial-sigs.sh script that
5 # currently supports updating third-party signature databases provided
6 # by Sanesecurity, MSRBL, SecuriteInfo, MalwarePatrol, and OITC.
7 #
8 # The script is set to run hourly, at 45 minutes past the hour, and the
9 # script itself is set to randomize the actual execution time between
10 # 60 - 600 seconds. Adjust the cron start time, user account to run the
11 # script under, and path information shown below to meet your own needs.
12
13 45 * * * * root /usr/local/bin/clamav-unofficial-sigs.sh -c /usr/local/etc/clamav-unofficial-sigs.conf
0 /var/log/clamav-unofficial-sigs.log {
1 weekly
2 rotate 4
3 missingok
4 notifempty
5 compress
6 create 0600 root root
7 }
00 .\" Manual page for clamav-unofficial-sigs.sh
1 .TH clamav-unofficial-sigs 8 "May 19, 2009" "Version 3.3" "SCRIPT COMMANDS"
1 .TH clamav-unofficial-sigs 8 "June 25, 2009" "Version 3.5.4" "SCRIPT COMMANDS"
22 .SH NAME
33 clamav-unofficial-sigs \- Download, test, and install third-party ClamAV signature databases.
44 .SH SYNOPSIS
1313 A summary of the options is shown below.
1414 .TP
1515 .B \-b
16 Add a bypass signature entry to local.ign in order to temporarily resolve a false-positive issue with
17 a third-party signature. The local.ign file will automatically be deleted and the databases reloaded
18 once the local.ign file's timestamp is 24 hours old.
16 Add a bypass signature entry to local.ign in order to temporarily resolve a false-positive issue with a
17 third-party signature. The script will monitor any entries it makes to local.ign and will automatically
18 remove bypass entries if either the original signature has been modified or removed from the database.
1919 .TP
2020 .B \-c FILE-NAME
2121 Source configuration information from a different file.
4242 .B \-i
4343 Print system and script configuration information.
4444 .TP
45 .B \-m
46 Make a hexadecimal signature database file (*.ndb) from a clear text ascii file. Provides support for
47 both full and formatted signatures. Additional information is provided when using the flag.
48 .TP
4549 .B -r
4650 Remove the clamav-unofficial-sigs script and all of its associated
4751 files, databases and work directories from the system.
3434 export PATH
3535
3636 # Set the appropriate ClamD user and group accounts for your system.
37 # If you do not what the script to set user and group permissions on
37 # If you do not want the script to set user and group permissions on
3838 # files and directories, comment the next two variables.
3939 clam_user="clamav"
4040 clam_group="clamav"
107107 # Sanesecurity Database(s)
108108 # ========================
109109 # Add or remove database file names between quote marks as needed. To
110 # disable any of the Sanesecurity database file downloads, remove the
111 # appropriate database file name lines below. To disable Sanesecurity
112 # database downloads, comment all of the following lines.
110 # disable usage of any of the Sanesecurity distributed database files
111 # shown, remove the database file name from the quoted section below.
112 # To disable usage of all Sanesecurity distributed databases, comment
113 # all of the quoted lines below. Only the following "low" risk define
114 # signature databases have been enabled by default (for additional
115 # information about the signature database ratings, see:
116 # http://www.sanesecurity.com/clamav/databases.htm). Finally, make
117 # sure that the database names are spelled correctly or you will
118 # experience issues when the script runs.
113119 ss_dbs="
114120 junk.ndb
115121 jurlbl.ndb
116 jurlbla.ndb
117 lott.ndb
118122 phish.ndb
119123 rogue.hdb
120124 sanesecurity.ftm
121125 scam.ndb
122 spam.ldb
123126 spamimg.hdb
124 spear.ndb
125127 winnow_malware.hdb
126128 winnow_malware_links.ndb
127 winnow_phish_complete.ndb
128 winnow_spam_complete.ndb
129 "
130 # By default the script is using "winnow_phish_complete.ndb" If you wish to
131 # be more conservative, change this to "winnow_phish_complete_url.ndb" above.
132 # Descriptions:
133 # - winnow_phish_complete.ndb - Signatures to detect phishing and other
134 # malicious URLs and compromised hosts. This collection of signatures
135 # are derived in a similar fashion to SURBL and URIBL. For example:
136 # example.com (aggressive).
137 # - winnow_phish_complete_url.ndb - Similar to winnow_phish_complete.ndb,
138 # except that the entire URL/Path is used to derive the signature. For
139 # example: example.com/path/file.html (conservative).
129 "
130 # Additional Sanesecruity distributed database that can be used and
131 # their associated potential fales-positive ratings:
132 #
133 # USE 'ONLY' ONE OF THE FOLLOWING TWO SIGNATURE DATABASES:
134 #
135 # INetMsg-SpamDomains-2w.ndb : HIGH false-positive rating
136 # INetMsg-SpamDomains-2m.ndb : HIGH false-positive rating
137 #
138 # ONE DATABASE CONTAINS THE LAST TWO WEEKS OF COLLECTED SPAM DOMAINS (2w), AND
139 # THE OTHER DATABASE CONTAINS THE LAST TWO MONTHS OF COLLECTED SPAM DOMAINS (2m).
140 #
141 # jurlbla.ndb : HIGH false-positive rating
142 # lott.ndb : MEDIUM false-positive rating
143 # spam.ldb : MEDIUM false-positive rating
144 # spear.ndb : MEDIUM false-positive rating
145 # winnow_spam_complete.ndb : HIGH false-positive rating
146 #
147 # USE 'ONLY' ONE OF THE FOLLOWING TWO SIGNATURE DATABASES:
148 #
149 # winnow_phish_complete.ndb : HIGH false-positive rating
150 # winnow_phish_complete_url.ndb : MEDIUM false-positive rating
151 #
152 # ONE CONTAINS THE COMPLETE URL PATH (MEDIUM RISK), AND THE OTHER
153 # CONTAINS ONLY THE URL, WITHOUT THE FULL PATH (HIGH RISK).
140154
141155 # =================
142156 # MSRBL Database(s)
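Review bot: Two typos in the added comment block at new lines 130-131, "Sanesecruity" and "fales-positive", and "risk define" at new line 113 reads as if a word was dropped; suggest "Sanesecurity", "false-positive" and "low-risk". This block is what tells the administrator which databases carry HIGH or MEDIUM false-positive ratings and which pairs are mutually exclusive, so the wording should be clean in the shipped default config.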
155169 # ========================
156170 # Add or remove database file names between quote marks as needed. To
157171 # disable any SecuriteInfo database downloads, remove the appropriate
158 # lines below. To disable SecuriteInfo database file downloads,
172 # lines below. To disable all SecuriteInfo database file downloads,
159173 # comment all of the following lines.
160174 si_dbs="
161 antispam.ndb
162175 honeynet.hdb
163176 securiteinfo.hdb
164177 vx.hdb
165178 "
179 # An additional SecuriteInfo database that can be used and its rating
180 # (for additional information about signature database ratings, see:
181 # http://www.sanesecurity.com/clamav/databases.htm):
182 # antispam.ndb : HIGH false-positive rating
166183
167184 # Since the SecuriteInfo databases are only updated a few time each
168185 # month, set a time interval to do database update checks.
+0
-14
clamav-unofficial-sigs.cron less more
0 # ClamAV Unofficial Signature Databases Update Cron File
1 #
2 # Author: Bill Landry <bill@inetmsg.com>
3 #
4 # This cron file will execute the clamav-unofficial-sigs.sh script that
5 # currently supports updating third-party signature databases provided
6 # by Sanesecurity, MSRBL, SecuriteInfo, MalwarePatrol, and OITC.
7 #
8 # The script is set to run hourly, at 45 minutes past the hour, and the
9 # script itself is set to randomize the actual execution time between
10 # 60 - 600 seconds. Adjust the cron start time, user account to run the
11 # script under, and path information shown below to meet your own needs.
12
13 45 * * * * root /usr/local/bin/clamav-unofficial-sigs.sh -c /usr/local/etc/clamav-unofficial-sigs.conf
+0
-8
clamav-unofficial-sigs.logrotate less more
0 /var/log/clamav-unofficial-sigs.log {
1 weekly
2 rotate 4
3 missingok
4 notifempty
5 compress
6 create 0600 root root
7 }
2020
2121 default_config="/etc/clamav-unofficial-sigs.conf"
2222
23 version="v3.3 (updated 2009-05-19)"
23 version="v3.5.4 (updated 2009-06-25)"
2424 output_ver="
2525 `basename $0` $version
2626 "
3030
3131 Usage: `basename $0` [OPTION] [PATH|FILE]
3232
33 -b Add a bypass signature entry to local.ign in order
34 to temporarily resolve a false-positive issue with
35 a third-party signature. The local.ign file will
36 automatically be deleted and the databases reloaded
37 once the local.ign file's timestamp is 24 hours old.
33 -b Add a bypass signature entry to local.ign in order to
34 temporarily resolve a false-positive issue with a specific
35 third-party signature. The script added local.ign entries
36 will automatically be removed if the original signature is
37 either modified or removed from the third-party database.
3838
3939 -c Direct script to use a specific configuration file
4040 e.g.: '-c /path/to/`basename "$default_config"`'
5858
5959 -i Output system and configuration information for
6060 viewing or possible debugging purposes
61
62 -m Make a signature database from an ascii file containing
63 data strings, with one data string per line. Additional
64 information is provided when using this flag.
6165
6266 -r Remove the clamav-unofficial-sigs script and all of
6367 its associated files and databases from the system.
9296 }
9397
9498 # Take input from the commandline and process.
95 while getopts 'bc:defg:hirs:v' option ; do
99 while getopts 'bc:defg:himrs:v' option ; do
96100 case $option in
97101 b) no_default_config
98102 echo "Input a third-party signature name that you wish to bypass due to false-positives"
99 echo "and press enter (do not include '.UNOFFICIAL' in the signature name nor add quote"
103 echo "and press enter (do not include '.UNOFFICIAL' in the signature name nor add quote"
100104 echo "marks to any input string):"
101105 echo ""
102106 read input
104108 then
105109 cd "$clam_dbs"
106110 input=`echo "$input" | tr -d "'" | tr -d '"'`
107 sig_ign=`grep -n "$input:" *.ndb | cut -d ":" -f-3`
111 file_sig=`grep -n "$input:" *.ndb`
112 sig_ign=`echo "$file_sig" | cut -d ":" -f-3`
108113 if [ -n "$sig_ign" ]
109114 then
110115 if ! grep "$sig_ign" local.ign > /dev/null 2>&1
111116 then
112 echo "$sig_ign" >> local.ign
113 perms chown $clam_user:$clam_group local.ign
114 chmod 0644 local.ign
115 $reload_opt
116 echo ""
117 echo "Signature '$input' has been added to local.ign and databases have been reloaded."
118 echo "The local.ign file will automatically be deleted once the file's timestamp is 24 hour old."
117 cp -f local.ign "$config_dir" 2>/dev/null
118 echo "$sig_ign" | tr -d "\r" >> "$config_dir/local.ign"
119 echo "$file_sig" | tr -d "\r" >> "$config_dir/monitor-ign.txt"
120 if clamscan --quiet -d $config_dir/local.ign $config_dir/scan-test.txt
121 then
122 if rsync -cqt $config_dir/local.ign $clam_dbs
123 then
124 perms chown $clam_user:$clam_group local.ign
125 chmod 0644 local.ign "$config_dir/monitor-ign.txt"
126 $reload_opt
127 echo ""
128 echo "Signature '$input' has been added to the local.ign signature bypass"
129 echo "file and databases have been reloaded. The script will track any changes to the"
130 echo "offending third-party signature and will automatically remove the signature bypass"
131 echo "entry if either the signature is modified or removed from the third-party database."
132 else
133 echo ""
134 echo "Failed to successfully update local.ign file - SKIPPING."
135 fi
136 else
137 echo ""
138 echo "Clamscan reports local.ign database integrity is bad - SKIPPING."
139 fi
119140 else
120141 echo ""
121142 echo "Signature '$input' already exists in local.ign - no action taken."
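Review bot: The new clamscan and rsync calls at lines 120 and 122 use $config_dir and $clam_dbs unquoted, while the cp and echo lines just above them (117-119) quote the same variables. A configured path containing whitespace or glob characters would be word-split, so the integrity test could run against the wrong file and rsync could copy to an unintended destination. Suggest quoting both, i.e. -d "$config_dir/local.ign" "$config_dir/scan-test.txt" and rsync -cqt "$config_dir/local.ign" "$clam_dbs". Separately, the duplicate check at line 115 passes "$sig_ign" to grep as a regular expression; grep -F would make that comparison literal.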
124145 echo ""
125146 echo "Signature '$input' could not be found."
126147 echo ""
127 echo "This script will only create a bypass entry in local.ign for ClamAV"
148 echo "This script will only create a bypass entry in local.ign for ClamAV."
128149 echo "'UNOFFICIAL' third-Party signatures as found in the *.ndb databases."
129150 fi
130151 else
258279 echo ""
259280 exit
260281 ;;
282 m) no_default_config
283 echo "
284 The '-m' script flag provides a way to create a ClamAV hexadecimal signature database (*.ndb) file
285 from a list of data strings stored in a clear-text ascii file, with one data string entry per line.
286
287 - Hexadecimal encoding can be either 'full' or 'formatted' on a per line basis:
288
289 Full line encoding should be used if there are no formatted spacing entries [{}, (), *]
290 included on the line. Prefix unformatted lines with: '-:' (no quote marks).
291
292 Example:
293
294 -:This signature contains no formatted spacing fields
295
296 Encodes to:
297
298 54686973207369676e617475726520636f6e7461696e73206e6f20666f726d61747465642073706163696e67206669656c6473
299
300 Formatted line encoding should be used if there are user added spacing entries [{}, (), *]
301 included on the line. Prefix formatted lines with '=:' (no quote marks).
302
303 Example:
304
305 =:This signature{-10}contains several(5|6|7)formatted spacing*fields
306
307 Encodes to:
308
309 54686973207369676e6174757265{-10}636f6e7461696e73207365766572616c(5|6|7)666f726d61747465642073706163696e67*6669656c6473
310
311 Use 'full' encoding if you want to encode everything on the line [including {}, (), *] and 'formatted'
312 encoding if you want to encode everything on the line except the formatted character spacing fields.
313
314 The prefixes ('-:' and '=:') will be stripped from the line before hexadecimal encoding is done.
315 If no prefix is found at the beginning of the line, full line encoding will be done (default).
316
317 - It is assumed that the signatures will be created for email scanning purposes, thus the '4'
318 target type is used and full file scanning is enabled (see ClamAV signatures.pdf for details).
319
320 - Line numbering will be done automatically by the script.
321 " | sed 's/^ //g'
322 echo -n "Do you wish to continue? (y/n): "
323 read reply
324 if [ "$reply" = "y" -o "$reply" = "Y" ]
325 then
326 echo ""
327 echo -n "Enter the source file as /path/filename: "
328 read source
329 if [ -s "$source" ]
330 then
331 source_file=`basename "$source"`
332 echo ""
333 echo "What signature prefix would you like to use? For example: 'Phish.Domains'"
334 echo "will create signatures that looks like: 'Phish.Domains.1:4:*:HexSigHere'"
335 echo ""
336 echo -n "Enter signature prefix: "
337 read prefix
338 path_file=`echo "$source" | cut -d "." -f-1 | sed 's/$/.ndb/'`
339 db_file=`basename $path_file`
340 rm -f "$path_file"
341 total=`wc -l "$source" | cut -d " " -f1`
342 line_num=1
343 echo ""
344 cat "$source" | while read line ; do
345 line_prefix=`echo "$line" | awk -F ':' '{print $1}'`
346 if [ "$line_prefix" = "-" ]
347 then
348 echo "$line" | cut -d ":" -f2- | perl -pe 's/(.)/sprintf("%02lx", ord $1)/eg' | sed "s/^/$prefix\.$line_num:4:\*:/" >> "$path_file"
349 elif [ "$line_prefix" = "=" ] ; then
350 echo "$line" | cut -d ":" -f2- | perl -pe 's/(\{[^}]*\}|\([^)]*\)|\*)|(.)/defined $1 ? $1 : sprintf("%02lx", ord $2)/eg' | sed "s/^/$prefix\.$line_num:4:\*:/" >> "$path_file"
351 else
352 echo "$line" | perl -pe 's/(.)/sprintf("%02lx", ord $1)/eg' | sed "s/^/$prefix\.$line_num:4:\*:/" >> "$path_file"
353 fi
354 echo -ne "Hexadecimal encoding $source_file line: $line_num of $total\r"
355 line_num=$(($line_num + 1))
356 done
357 else
358 echo ""
359 echo "Source file not found, exiting..."
360 echo ""
361 exit
362 fi
363 echo ""
364 echo ""
365 echo "Signature database file created at: $path_file"
366 if clamscan --quiet -d $path_file $config_dir/scan-test.txt 2>/dev/null
367 then
368 echo ""
369 echo "Clamscan reports database integrity tested good."
370 echo ""
371 echo -n "Would you like to move '$db_file' into '$clam_dbs' and reload databases? (y/n): "
372 read reply
373 if [ "$reply" = "y" -o "$reply" = "Y" ]
374 then
375 if ! cmp -s "$path_file" "$clam_dbs/$db_file"
376 then
377 if rsync -cqt "$path_file" "$clam_dbs"
378 then
379 perms chown $clam_user:$clam_group "$clam_dbs/$db_file"
380 chmod 0644 "$clam_dbs/$db_file"
381 $reload_opt
382 echo ""
383 echo "Signature database '$db_file' was successfully implemented and ClamD databases reloaded."
384 else
385 echo ""
386 echo "Failed to add/update '$db_file', ClamD database not reloaded."
387 fi
388 else
389 echo ""
390 echo "Database '$db_file' has not changed - skipping"
391 fi
392 else
393 echo ""
394 echo "No action taken."
395 fi
396 else
397 echo ""
398 echo "Clamscan reports that '$db_file' signature database integrity tested bad."
399 fi
400 fi
401 echo ""
402 exit
403 ;;
261404 r) no_default_config
262405 if [ -n "$pkg_mgr" -a -n "$pkg_rm" ]
263406 then
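Review bot: The output path at line 338 is built by cutting the whole source path at its first "." (cut -d "." -f-1), and line 340 then runs rm -f on the result. For a source such as ./strings.txt the path collapses to ".ndb", and for /srv/sigs.d/strings.txt it becomes /srv/sigs.ndb, so the script can delete and then overwrite a file the user never named. Suggest building the name from dirname and basename, stripping only the final extension of the file name, and asking before removing an existing file. Two smaller points in the same block: the reads at lines 328, 337 and 344 lack -r and leave IFS at its default, so backslashes and leading or trailing whitespace in a data string are altered before hex encoding (while IFS= read -r line avoids that); and the prefix read at line 337 is pasted unescaped into the sed expressions at lines 348-352, so a "/" or "&" in it breaks or changes the generated signature name. Validating the prefix against a conservative character set before use would cover that.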
278421 rm -f -- "$file"
279422 echo " Removed file: $file"
280423 done
281 cron_file=`find /etc/ -name clamav-unofficial-sigs.cron`
424 cron_file=`find /etc/ -name clamav-unofficial-sigs-cron`
282425 if [ -s "$cron_file" ] ; then
283426 rm -f "$cron_file"
284427 echo " Removed file: $cron_file"
285428 fi
286 log_rotate_file=`find /etc/ -name clamav-unofficial-sigs.logrotate`
429 log_rotate_file=`find /etc/ -name clamav-unofficial-sigs-logrotate`
287430 if [ -s "$log_rotate_file" ] ; then
288431 rm -f "$log_rotate_file"
289432 echo " Removed file: $log_rotate_file"
570713 # Create "purge.txt" file for package maintainers to support package uninstall.
571714 purge="$config_dir/purge.txt"
572715 cp -f "$current_dbs" "$purge"
573 echo "$config_dir/current-dbs.txt" >> $purge
574 echo "$config_dir/db-changes.txt" >> $purge
575 echo "$config_dir/last-mbl-update.txt" >> $purge
576 echo "$config_dir/last-si-update.txt" >> $purge
577 echo "$config_dir/msrbl-include-dbs.txt" >> $purge
578 echo "$config_dir/previous-dbs.txt" >> $purge
579 echo "$config_dir/scan-test.txt" >> $purge
580 echo "$config_dir/ss-include-dbs.txt" >> $purge
581 echo "$gpg_dir/publickey.gpg" >> $purge
582 echo "$gpg_dir/secring.gpg" >> $purge
583 echo "$gpg_dir/ss-keyring.gpg*" >> $purge
584 echo "$gpg_dir/trustdb.gpg" >> $purge
585 echo "$log_file_path/$log_file_name*" >> $purge
716 echo "$config_dir/current-dbs.txt" >> "$purge"
717 echo "$config_dir/db-changes.txt" >> "$purge"
718 echo "$config_dir/last-mbl-update.txt" >> "$purge"
719 echo "$config_dir/last-si-update.txt" >> "$purge"
720 echo "$config_dir/local.ign" >> "$purge"
721 echo "$config_dir/monitor-ign.txt" >> "$purge"
722 echo "$config_dir/msrbl-include-dbs.txt" >> "$purge"
723 echo "$config_dir/previous-dbs.txt" >> "$purge"
724 echo "$config_dir/scan-test.txt" >> "$purge"
725 echo "$config_dir/ss-include-dbs.txt" >> "$purge"
726 echo "$gpg_dir/publickey.gpg" >> "$purge"
727 echo "$gpg_dir/secring.gpg" >> "$purge"
728 echo "$gpg_dir/ss-keyring.gpg*" >> "$purge"
729 echo "$gpg_dir/trustdb.gpg" >> "$purge"
730 echo "$log_file_path/$log_file_name*" >> "$purge"
586731 echo "$purge" >> "$purge"
587732
588733 # Silence rsync output and only report errors - useful if script is run via cron.
738883 log "WARNING - Systems does not support calculating time since epoch, SecuriteInfo and MalwarePatrol updates bypassed"
739884 si_dbs=""
740885 mbl_dbs=""
741 fi
742
743 # Check to see if local.ign file exists and if it's timestamp is 24 hours old, delete the file.
744 if [ -e "$clam_dbs/local.ign" -a -n "$current_time" ] ; then
745 if [ -e "$clam_dbs/local.ign" -a -n "$current_time" ] ; then
746 file_time=`stat -c %Y "$clam_dbs/local.ign"`
747 file_time_plus=$(($file_time + 86400))
748 if [ "$current_time" -gt "$file_time_plus" ] ; then
749 rm -f "$clam_dbs/local.ign"
750 comment ""
751 comment "File 'local.ign' timestamp is older than 24 hours - file deleted"
752 log "INFO - File 'local.ign' timestamp is older than 24 hours - file deleted"
753 do_clamd_reload=3
754 fi
755 fi
756886 fi
757887
758888 ################################################################
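Review bot: With the 24-hour expiry at old lines 743-755 removed, nothing time-bounds a bypass any more, yet the -b usage text and the man page in this same patch still describe the entry as a way to "temporarily" resolve a false positive. A bypass now stays in local.ign for as long as the third-party signature is unchanged, and entries an administrator added by hand are not recorded in monitor-ign.txt, so the new monitoring loop never revisits them. Suggest either rewording the documentation to say the bypass persists until the signature is modified or removed, or recording the date each entry was added in monitor-ign.txt and logging entries older than a configurable age so stale bypasses get reviewed.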
834964 done
835965 if [ "$ss_rsync_success" != "1" ] ; then
836966 echo ""
837 echo "Access to all Sanesecurity mirror sites failed - Check for connectivity issues."
838 log "WARNING - Access to all Sanesecurity mirror sites failed - Check for connectivity issues."
967 echo "Access to all Sanesecurity mirror sites failed - Check for connectivity issues"
968 echo "or signature database name(s) misspelled in the script's configuration file."
969 log "WARNING - Access to all Sanesecurity mirror sites failed - Check for connectivity issues"
970 log "WARNING - or signature database name(s) misspelled in the script's configuration file."
839971 fi
840972 fi
841973
9021034 done
9031035 if [ "$msrbl_rsync_success" != "1" ] ; then
9041036 echo ""
905 echo "Access to all MSRBL mirror sites failed - Check for connectivity issues."
906 log "WARNING - Access to all MSRBL mirror sites failed - Check for connectivity issues."
1037 echo "Access to all MSRBL mirror sites failed - Check for connectivity issues or"
1038 echo "signature database name(s) misspelled in the script's configuration file."
1039 log "WARNING - Access to all MSRBL mirror sites failed - Check for connectivity issues or"
1040 log "WARNING - signature database name(s) misspelled in the script's configuration file."
9071041 fi
9081042 fi
9091043
11511285 fi
11521286 fi
11531287
1288 # Check to see if the local.ign file exists, and if it does, check to see if any of the script
1289 # added bypass entries can be removed due to offending signature modifications or removals.
1290 comment ""
1291 comment "======================================================================"
1292 if [ -s "$clam_dbs/local.ign" -a -s "$config_dir/monitor-ign.txt" ] ; then
1293 ign_updated=0
1294 cd "$clam_dbs"
1295 cp -f local.ign "$config_dir/local.ign"
1296 for entry in `cat "$config_dir/monitor-ign.txt" 2>/dev/null` ; do
1297 sig_file=`echo "$entry" | tr -d "\r" | awk -F ":" '{print $1}'`
1298 sig_hex=`echo "$entry" | awk -F ":" '{print $NF}'`
1299 sig_name_old=`echo "$entry" | tr -d "\r" | awk -F ":" '{print $3}'`
1300 sig_ign_old=`grep "$sig_name_old" "$config_dir/local.ign"`
1301 sig_old=`echo "$entry" | tr -d "\r" | cut -d ":" -f3-`
1302 sig_new=`grep -h "$sig_hex" "$sig_file" | tr -d "\r" 2>/dev/null`
1303 sig_mon_new=`grep -H -n "$sig_hex" "$sig_file"`
1304 if [ -n "$sig_new" ]
1305 then
1306 if [ "$sig_old" != "$sig_new" -o "$entry" != "$sig_mon_new" ] ; then
1307 sig_name_new=`echo "$sig_new" | tr -d "\r" | awk -F ":" '{print $1}'`
1308 sig_ign_new=`echo "$sig_mon_new" | cut -d ":" -f1-3`
1309 perl -i -ne "print unless /$sig_ign_old/" "$config_dir/monitor-ign.txt"
1310 echo "$sig_mon_new" >> "$config_dir/monitor-ign.txt"
1311 perl -p -i -e "s/$sig_ign_old/$sig_ign_new/" "$config_dir/local.ign"
1312 comment ""
1313 comment "$sig_name_old hexadecimal is signature unchanged, however signature name and/or line placement"
1314 comment "in $sig_file has change to $sig_name_new - updated local.ign to reflect this change."
1315 log "INFO - $sig_name_old hexadecimal is signature unchanged, however signature name and/or line placement"
1316 log "INFO - in $sig_file has change to $sig_name_new - updated local.ign to reflect this change."
1317 ign_updated=1
1318 fi
1319 else
1320 perl -i -ne "print unless /$sig_ign_old/" "$config_dir/monitor-ign.txt" "$config_dir/local.ign"
1321 comment ""
1322 comment "$sig_name_old signature has been removed from $sig_file, entry removed from local.ign."
1323 log "INFO - $sig_name_old signature has been removed from $sig_file, entry removed from local.ign."
1324 ign_updated=1
1325 fi
1326 done
1327 if [ "$ign_updated" = "1" ] ; then
1328 if clamscan --quiet -d $config_dir/local.ign $config_dir/scan-test.txt
1329 then
1330 if rsync -cqt $config_dir/local.ign $clam_dbs
1331 then
1332 perms chown $clam_user:$clam_group "$clam_dbs/local.ign"
1333 chmod 0644 "$clam_dbs/local.ign" "$config_dir/monitor-ign.txt"
1334 do_clamd_reload=3
1335 else
1336 echo "Failed to successfully update local.ign file - SKIPPING"
1337 log "WARNING - Failed to successfully update local.ign file - SKIPPING"
1338 fi
1339 else
1340 echo "Clamscan reports local.ign database integrity is bad - SKIPPING"
1341 log "WARNING - Clamscan reports local.ign database integrity is bad - SKIPPING"
1342 fi
1343 fi
1344 fi
1345
11541346 # Set appropriate directory and file access permissions
11551347 perms chown -R $clam_user:$clam_group "$clam_dbs"
11561348 if ! find "$clam_dbs" "$work_dir" -type f -exec chmod 0644 {} + 2>/dev/null ; then
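Review bot: Signature text is used as a regular expression throughout this block: grep "$sig_hex" at lines 1302-1303, grep "$sig_name_old" at line 1300, and the perl patterns built from $sig_ign_old at lines 1309, 1311 and 1320. Hex signatures can contain "*" (the -m help text in this patch shows one), and grep reads that as a repetition operator, so an unchanged signature containing "*" will not match itself and the else branch at line 1320 will drop the bypass as though the signature had been removed. The empty case is worse: if $sig_ign_old comes back empty (the entry was deleted by hand from local.ign but is still in monitor-ign.txt), the perl pattern becomes //, which matches every line, so "print unless //" empties both local.ign and monitor-ign.txt. Suggest grep -F for the lookups, skipping the entry when $sig_ign_old is empty, and passing the value to perl through the environment and matching it inside \Q...\E. The for loop over the output of cat at line 1296 also word-splits and glob-expands each entry; while IFS= read -r entry would be safer. The clamscan and rsync calls at lines 1328 and 1330 leave $config_dir and $clam_dbs unquoted as well.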
11721364 log "WARNING - Check the script's configuration file, 'reload_dbs' enabled but no 'reload_opt' selected"
11731365 elif [ "$reload_dbs" = "yes" -a "$do_clamd_reload" = "1" -a -n "$reload_opt" ] ; then
11741366 comment ""
1175 comment "=================================================="
1176 comment "= Update(s) detected, reloading ClamAV databases ="
1177 comment "=================================================="
1178 log "INFO - Update(s) detected, reloading ClamAV databases"
1367 comment "================================================="
1368 comment "= Update(s) detected, reloaded ClamAV databases ="
1369 comment "================================================="
1370 log "INFO - Update(s) detected, reloaded ClamAV databases"
11791371 $reload_opt
11801372 elif [ "$reload_dbs" = "yes" -a "$do_clamd_reload" = "2" -a -n "$reload_opt" ] ; then
11811373 comment ""
1182 comment "============================================================"
1183 comment "= Database removal(s) detected, reloading ClamAV databases ="
1184 comment "============================================================"
1185 log "INFO - Database removal(s) detected, reloading ClamAV databases"
1374 comment "==========================================================="
1375 comment "= Database removal(s) detected, reloaded ClamAV databases ="
1376 comment "==========================================================="
1377 log "INFO - Database removal(s) detected, reloaded ClamAV databases"
11861378 $reload_opt
11871379 elif [ "$reload_dbs" = "yes" -a "$do_clamd_reload" = "3" -a -n "$reload_opt" ] ; then
11881380 comment ""
1189 comment "============================================================"
1190 comment "= File 'local.ign' was deleted, reloading ClamAV databases ="
1191 comment "============================================================"
1192 log "INFO - File 'local.ign' was deleted, reloading ClamAV databases"
1381 comment "==========================================================="
1382 comment "= File 'local.ign' has changed, reloaded ClamAV databases ="
1383 comment "==========================================================="
1384 log "INFO - File 'local.ign' has changed, reloaded ClamAV databases"
11931385 $reload_opt
11941386 elif [ "$reload_dbs" = "yes" -a -z "$do_clamd_reload" ] ; then
11951387 comment ""
1196 comment "========================================================="
1197 comment "= No update(s) detected, NOT reloading ClamAV databases ="
1198 comment "========================================================="
1199 log "INFO - No update(s) detected, NOT reloading ClamAV databases"
1388 comment "============================================================="
1389 comment "= No update(s) detected, ClamAV databases were not reloaded ="
1390 comment "============================================================="
1391 log "INFO - No update(s) detected, ClamAV databases were not reloaded"
12001392 else
12011393 comment ""
12021394 comment "======================================================================"
1395 log "INFO - Database reloading has been disabled in the configuration file."
1396 true
12031397 fi
12041398
12051399 exit $?
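Review bot: The messages at lines 1367-1384 now say the databases were "reloaded", but each comment and log call still runs before $reload_opt, and the result of $reload_opt is never checked. If the reload command fails, the log records a reload that did not happen, which matters here because a reload is what activates or retires a local.ign bypass. Suggest running $reload_opt first and logging "reloaded" only on success, with a WARNING otherwise. Related: the true added at line 1396 sets the status only in the final else branch, so exit $? at line 1399 still returns whatever $reload_opt returned in the reload branches; if that is intended, a comment saying so would help.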