[clamav-users] Use on linux operating systems
Henrik K
hege at hege.li
Tue Jun 13 19:04:07 UTC 2017
On Tue, Jun 13, 2017 at 09:37:36AM +0000, Paul Moreno wrote:
> Hi All,
>
> I'm in the process of providing a recommendation to a client on the use of
> ClamAV. From what I've read in various forums and online material, ClamAV
> appears to be better suited for mail systems, such as postfix, and Windows
> hosts. Can anyone comment on the reliability and accuracy of using it on
> a Linux operating system? I understand Linux "malware" would more or less
> be in the form of custom scripts, library exploits, and other
> vulnerabilities that lack signatures to detect against.
Consider these sigs in addition:

http://sanesecurity.com/usage/signatures/
- malwarehash.hsb hackingteam.hsb rogue.hdb winnow_malware.hdb
  winnow_extended_malware.hdb malware.expert.hdb porcupine.hsb sanesecurity.ftm

https://www.securiteinfo.com/services/anti-spam-anti-virus/improve-detection-rate-of-zero-day-malwares-for-clamav.shtml
- securiteinfo.hdb securiteinfoascii.hdb (we just use the basic free one)

malware detect sigpack http://cdn.rfxn.com/downloads/maldet-sigpack.tgz
- rfxn.hdb rfxn.ndb rfxn.yara

yara rules https://github.com/Yara-Rules/rules/archive/master.zip
- CVE_Rules Exploit-Kits Webshells

rootkit hunter
- rkhunter.ldb
That's what I've come up with for a bunch of Linux and Solaris boxes. Some
occasional FPs, java stuff etc that you might see on this list. But no
biggies, it's just a report to read through. Obviously we don't block or
use realtime scanning.

It's ok stuff for zero cost. Well it does use 1GB memory and 1 core all
night heh.. and requires doing all the scripts for sig updates and
repacking .cvd for local mirror, custom yum updated scan scripts for clients
that handle per-server exclude-lists etc..
If anyone has hints for more sigs feel free to chime in..
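As an added illustration of the kind of report-only nightly scan Henrik describes (third-party signature databases plus a per-server exclude list), here is a small POSIX sh script. It is not Henrik's script and not part of ClamAV; the paths in SIGDIR, EXCLUDE_FILE and REPORT are assumptions, and the exclude-list format (one path per line, trailing slash for a directory, `#` comments) is invented for this example. It uses only clamscan options that exist (`--database`, `--exclude`, `--exclude-dir`, `--recursive`, `--infected`, `--log`, `--cross-fs`) and never passes `--remove` or `--move`, so it only reports.

```shell
#!/bin/sh
# Nightly report-only ClamAV scan with third-party sigs and a per-server
# exclude list. Hypothetical example script, not from the list post.

SIGDIR="${SIGDIR:-/var/lib/clamav}"                 # assumption: main + 3rd-party dbs live here
EXCLUDE_FILE="${EXCLUDE_FILE:-/etc/clamav/exclude.$(uname -n).list}"  # assumption: one file per host
SCAN_ROOT="${SCAN_ROOT:-/}"
REPORT="${REPORT:-/var/log/clamav/nightly-$(date +%F).log}"

# Turn an exclude list (one path per line; '#' comments and blank lines are
# ignored) into clamscan options, one per line on stdout. A trailing slash
# means a directory. clamscan treats these as regexes, so anchor them and
# escape dots; otherwise "cache.db" would also match "cacheXdb".
exclude_args_from_file() {
    file="$1"
    [ -r "$file" ] || return 0
    grep -v '^[[:space:]]*#' "$file" | grep -v '^[[:space:]]*$' | while IFS= read -r path; do
        escaped=$(printf '%s' "$path" | sed 's/[.]/\\./g')
        case "$path" in
            */) printf -- '--exclude-dir=^%s\n' "$escaped" ;;
            *)  printf -- '--exclude=^%s$\n' "$escaped" ;;
        esac
    done
}

# Count the signature files clamscan will load from a directory. A broken
# mirror sync leaves the directory near-empty, and a "clean" run against
# almost no signatures is worse than no run, so the scan refuses to start.
count_sig_files() {
    dir="$1"
    find "$dir" -maxdepth 1 -type f \( -name '*.cvd' -o -name '*.cld' \
        -o -name '*.hdb' -o -name '*.hsb' -o -name '*.ndb' -o -name '*.ldb' \
        -o -name '*.yar' -o -name '*.yara' \) | wc -l | tr -d ' '
}

# Run the scan. Exit status follows clamscan: 0 clean, 1 something found,
# 2 error. No --remove/--move: the log is the deliverable, a human reads it.
run_nightly_scan() {
    n=$(count_sig_files "$SIGDIR")
    if [ "$n" -lt 1 ]; then
        echo "refusing to scan: no signature files in $SIGDIR" >&2
        return 2
    fi
    # Collect the exclude options into the positional parameters so paths
    # with spaces survive; the here-doc keeps the loop in this shell.
    set --
    while IFS= read -r arg; do
        [ -n "$arg" ] && set -- "$@" "$arg"
    done <<EOF
$(exclude_args_from_file "$EXCLUDE_FILE")
EOF
    clamscan --recursive --infected --cross-fs=no \
        --database="$SIGDIR" --log="$REPORT" "$@" "$SCAN_ROOT"
}

if [ "${1:-}" = "--run" ]; then
    run_nightly_scan
fi
```

Invoke it from cron as `nightly-clamscan.sh --run`; with `--database` pointing at a directory, clamscan loads every recognised database file in it, so the third-party .hdb/.hsb/.ndb/.ldb/.yara files only need to be dropped next to main.cvd.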