[clamav-users] Prioritise Custom signatures first when scanning
Steven Morgan
smorgan at sourcefire.com
Tue Jun 2 17:38:54 UTC 2015
Unfortunately ClamAV is not structured for this use case. Sounds like it
could be done, but would require writing a custom application using
multiple ClamAV scanning engines.
Steve
On Tue, Jun 2, 2015 at 10:03 AM, Adam Massey <laconizein at gmail.com> wrote:
> Hello,
> Is there any way to make clamav test custom virus signature files
> before it scans its main signature database?
> I know it's one of those "why would you want to do this?" questions.
>
> In this case I want to block certain macro viruses based on custom sigs;
> if nothing is found but macros are, I want the files to be labelled as
> containing macros via the heuristic scan engine.
> I'm then using a custom virus scan line in exim to label macro-
> containing documents, as not all of them are going to be malicious.
> I know of legitimate use of macro documents at my employer, so blocking
> them isn't an option in this case.
> That doesn't stop our customers opening the really dodgy ones though :(
>
> So the full logic I want is:
> 1) scan for specific custom viri; if found > Deny Message
> 2) a) if a virus is found from the main clamav signature database > Deny Message
>    b) if no custom viri and no main database match found but a macro is >
>       Accept but label message as containing macros (this works flawlessly)
>    c) if no virus found and no macro found > Accept Message
>
> I've debugged the exim config by setting it to only scan for my custom
> definition.
>
> I've checked the clamav logs and my test file was still being labelled
> as heuristicscontainsmacros.
> The only way I can get clamav to detect my custom definition is if I
> turn off heuristic macro detection, which destroys the belt and braces
> approach I want to achieve.
> I've also turned HeuristicScanPrecedence off and on to no avail.
>
> I am aware it makes perfect sense to scan using the main official
> virus database first, then custom definitions, but I do think that
> heuristic definitions should be third in the pecking order, behind
> definitions found in custom sig files.
>
> Any ideas?
> Thanks,
> Adam Massey
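Steve's suggestion of a custom application driving more than one ClamAV scan, as an added example that is not from the thread or from the ClamAV project: a two-pass wrapper that runs clamscan first against a directory holding only the custom signatures (with macro alerting off, so a custom name cannot be shadowed by the heuristic) and then against the official database with macro alerting on, producing the four verdicts in Adam's list. The database paths, the custom signature name, and the simulated clamscan output are assumptions constructed for the demonstration.

```python
import re
import subprocess

CUSTOM_DB = "/var/lib/clamav-custom"  # assumed: holds only your own .ldb/.ndb files
MAIN_DB = "/var/lib/clamav"           # assumed: the official main/daily databases
MACRO_HEURISTIC = "Heuristics.OLE2.ContainsMacros"
FOUND_RE = re.compile(r"^(?P<path>.+?): (?P<sig>\S+) FOUND$", re.M)


def run_clamscan(argv):
    """Run clamscan and return (exit status, stdout); 0 clean, 1 found, 2 error."""
    proc = subprocess.run(["clamscan", "--no-summary", *argv],
                          capture_output=True, text=True)
    return proc.returncode, proc.stdout


def first_hit(status, output):
    """Name on the first 'FOUND' line, or None when clamscan reported nothing."""
    if status == 2:
        raise RuntimeError("clamscan error: " + output.strip())
    match = FOUND_RE.search(output)
    return match.group("sig") if match else None


def classify(path, runner=run_clamscan):
    """Return (verdict, detail) in the priority order the thread asks for."""
    # Pass 1: custom signatures only; macro alerting stays off here.
    sig = first_hit(*runner(["-d", CUSTOM_DB, path]))
    if sig:
        return "DENY", sig
    # Pass 2: official database with macro alerting on
    # (releases before 0.103 spell this option --block-macros).
    sig = first_hit(*runner(["-d", MAIN_DB, "--alert-macros", path]))
    if sig is None:
        return "ACCEPT", None
    if sig == MACRO_HEURISTIC:
        return "ACCEPT_LABEL_MACROS", sig  # accept the mail, label it for exim
    return "DENY", sig


# Constructed stand-in for clamscan so the decision logic runs offline.
SIMULATED = {  # (database, file) -> what clamscan would print
    (CUSTOM_DB, "dropper.doc"): "dropper.doc: Custom.MacroDropper.A FOUND\n",
    (MAIN_DB, "invoice.doc"): "invoice.doc: Heuristics.OLE2.ContainsMacros FOUND\n",
    (MAIN_DB, "eicar.com"): "eicar.com: Win.Test.EICAR_HDB-1 FOUND\n",
}


def simulated_clamscan(argv):
    out = SIMULATED.get((argv[argv.index("-d") + 1], argv[-1]), argv[-1] + ": OK\n")
    return (1 if "FOUND" in out else 0), out


if __name__ == "__main__":
    for f in ("dropper.doc", "invoice.doc", "eicar.com", "report.doc"):
        print(f, classify(f, runner=simulated_clamscan))
```

Calling `classify(path)` without a runner invokes the real clamscan binary twice per file; a mail filter would map DENY to a reject and ACCEPT_LABEL_MACROS to the header exim already adds.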