[clamav-users] Google safebrowsing types and usage questions
G.W. Haywood
clamav at jubileegroup.co.uk
Fri Oct 16 16:41:36 UTC 2020
Hi there,
On Fri, 16 Oct 2020, Alex via clamav-users wrote:
> ... I found out the hard way that having a percent sign in the
> password causes the clamav-safebrowsing script to fail.
Perhaps you just need to escape it.
> It appears to have loaded another 3M signatures. Where can I find more
> info about those signatures?
Ask the provider of the signatures?
Try using 'sigtool' on the signature database file?
> I'm especially interested in the types of attacks it is designed to
> stop.
Seems a bit cart-before-horse.
> I've located this URL that appears to describe four categories, but
> is there any more info available?
There may be people here who are more familiar than I am with Google's
safebrowsing and can answer your questions better, but I'm not sure
that you're asking in the right place.
> What is the purpose of the mysql database if the signatures are in a
> GDB file in /var/lib/clamav?
What mysql database is this?
> I'm assuming ...
There's a witticism about that around here somewhere.
> I'd like to replicate the database across all servers to save on
> bandwidth and just have the master be updated. Does this make sense?
Yes. There's a document about local mirrors on the ClamAV Website
which you should read:
https://www.clamav.net/documents/private-local-mirrors
> ... is it possible to just dump the database without also trying to
> update it?
I don't understand what you're trying to achieve. Do you mean dump as
in 'mysqldump'? The ClamAV database files are just flat files, ASCII
text, usually one line per signature. You can read them with a pager
or a text editor, pipe them through 'grep', and that kind of thing (I
do that quite a lot, mostly in response to questions on this list).
The file formats are documented on the ClamAV Website:
https://www.clamav.net/documents/creating-signatures-for-clamav
> I also still have the old safebrowsing.cld database from the end of
> 2019 (version: 49191, sigs: 2213119, f-level: 63, builder: google).
> Should I delete that?
If it were mine, and it was at risk of being overwritten, I'd move
it somewhere rather than deleting it.
> How much memory needs to be allocated for clamav to store/process 14M
> signatures?
Try running 'top'. Depends on the signatures of course, and there's
the cart-and-horse thing. With 11.3M signatures from a great variety
of sources, my own clamd server uses about 1.3GBytes for the clamd
daemon alone (and that's briefly doubled on database reload, but there
are ways around that). I don't use clamav-milter and the server does
very little else. It has 4G of RAM. My *rough* guess for 14M sigs is
about 1.5 GBytes apart from the reloading issue, but it's just a guess
because (a) you haven't said what ClamAV will be doing for you, and
(b) I know very little about your signatures profile.
--
73,
Ged.
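
An added example, not part of the message above: since the database files are flat text that can be piped through 'grep', a short awk tally shows how many records of each kind a .gdb file holds. It assumes colon-separated records of the form PREFIX:TYPE:VALUE[:FLEVEL] with prefixes S, S1, S2 and types P, F, W, as in the ClamAV phishing-signature documentation; the function names and sample values are constructed for illustration.

```shell
#!/bin/sh
# Tally the records in a ClamAV .gdb flat file by their two leading fields.
# Assumed record layout: PREFIX:TYPE:VALUE[:FLEVEL]
#   PREFIX is S, S1 or S2; TYPE is P (host prefix), F (full URL) or W.

# gdb_tally FILE
# Prints one "PREFIX:TYPE COUNT" line per kind seen, then "malformed N".
gdb_tally() {
    awk -F: '
        /^[ \t]*$/ { next }                       # ignore blank lines
        NF < 3 || $1 !~ /^S[12]?$/ || $2 !~ /^[PFW]$/ { bad++; next }
        { n[$1 ":" $2]++ }
        END {
            for (k in n) print k, n[k]
            print "malformed", bad + 0
        }
    ' "$1" | LC_ALL=C sort
}

# write_sample FILE
# Writes a small constructed database; the hash values are placeholders.
write_sample() {
    cat > "$1" <<'EOF'
S:P:0000000a
S:P:0000000b
S:F:00000000000000000000000000000000000000000000000000000000000000aa

S2:F:00000000000000000000000000000000000000000000000000000000000000bb
S1:F:00000000000000000000000000000000000000000000000000000000000000cc:99
S:W:00000000000000000000000000000000000000000000000000000000000000dd
not-a-record
EOF
}

# Demonstration on the constructed sample.
sample=$(mktemp)
write_sample "$sample"
gdb_tally "$sample"
rm -f "$sample"
```

A .cld or .cvd container has to be unpacked first (sigtool has an --unpack option) before the .gdb file inside it can be read this way.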