Adding Custom Virus Signatures manually in ClamAV


Troubleshooting
Product: ConnectXf
Version: All
Applies to: Administrators
Level: Advanced



ClamAV's official signature feed does not always cover a virus, trojan or worm that is circulating right now. Until it does, you can block the sample yourself by writing a custom signature for ClamAV. Follow the steps below carefully.

NOTE: The steps below were performed on CentOS 6; commands and paths will differ on other platforms (for example Windows).


1. Download or extract the attachment from the malicious email received.

(NOTE: Just save the attachment from the desktop client or the web client; do not open or run it, and handle it on a machine where accidental execution cannot do harm.)

What you now have is the file you want to block. If it is zipped, compressed or inside some other kind of container, unzip or extract it first and take the signature from the inner file. ClamAV can look inside such archives when it is configured to do so and the right tools are installed (for example unzip on Linux), so a signature for the extracted payload also catches it when it arrives packed, whereas a signature taken from the archive bytes stops matching as soon as the attacker repacks it.


2. Next, create a signature of the file using ClamAV's sigtool:

sigtool --hex-dump < FAX752095.scr | head -c 2048 > customsig.ndb

Here FAX752095.scr is the malicious file. sigtool --hex-dump writes the whole file as one hex string (two hex characters per byte), which for a real sample is far too long to use as a signature, so head -c 2048 keeps only the first 2048 hex characters, i.e. the first 1 KB of the file.

We have saved the generated signature in customsig.ndb. Ideally the signature should cover a portion of the file that is unique to this sample; it does not have to start at the beginning of the file and can be taken from any offset within it (for example by feeding a slice cut with dd into sigtool --hex-dump). Beware in particular that the first bytes of a Windows executable are the MZ/PE headers, which countless harmless programs share: a signature cut from there is likely to produce false positives, so test every candidate against a few known-clean files of the same type before deploying it.


3. Edit customsig.ndb and prefix the hex string with the Name, Type and Offset fields, separated by colons, in the following format:

Name:Type:Offset:HEX_OUTPUT

For example:

Trojan.Win32.Emold.A:1:*:4d5a80000100000004001000ffff000040010000000000004000000000000000000000000000000000000000

Where

  • Name is the virus name.
  • Type is the ClamAV target type, one of the following:
      0 = any file
      1 = Portable Executable (i.e. a Windows exe)
      2 = OLE2 component (e.g. a VBA script)
      3 = HTML (normalised)
      4 = Mail file
      5 = Graphics
      6 = ELF
      7 = ASCII text file (normalised)
  • Offset is where in the file the hex string must occur. Since we usually do not know that, we set it to *, meaning anywhere in the file. An absolute byte offset from the start of the file may be given instead when the signature was taken from a known position.

For most purposes a type of 0 (or 1 for a Windows exe) and an offset of * will suffice. Note that the example above begins with 4d5a, the "MZ" marker found at the start of every Windows executable; the bytes that follow must be distinctive enough not to match clean programs.


4. Give the virus/trojan/worm a suitable, recognisable name. You can look the sample up on www.virustotal.com to see what other vendors call it and follow their nomenclature.


5. Now test the signature against your suspect file:

clamscan -d customsig.ndb FAX752095.scr

The -d DATABASE option makes clamscan load only the given database (a file or a directory) instead of the default one, so this run exercises just your signature. If clamscan reports the file as infected under the name you chose, the signature matches; if the database fails to load, the format of the line is wrong. Also scan a few known-clean files of the same type with the same -d option: any hit there is a false positive and the signature needs a more specific byte range.

To use clamscan without the -d option, copy the .ndb file into the ClamAV database directory.

For us, it is /var/clamav/.


6. After copying the signature file, restart the clamav service on the system so that the running daemon, which the mail scanner uses, reloads its databases (clamscan itself reads the database directory afresh on every run). After the restart, run the command without the -d option:

clamscan FAX752095.scr


7. Append each further signature as a new line at the end of customsig.ndb.

Always test a new signature first from a standalone .ndb file (with -d as in step 5) so that you know it loads and matches as expected before it goes into the database directory, where a malformed line would disturb the operation of the main ClamAV installation.

Once the above steps are done, send a mail with the attachment to yourself and check the logs: the mail must have been quarantined.
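The procedure above, as an added example that is not part of the original page or of ClamAV/ConnectXf: a POSIX shell script that cuts the signature from a chosen byte range (so it need not start at the beginning of the file), validates the resulting .ndb line, and checks it against the sample and a few known-good files before clamscan ever sees it. It uses od instead of sigtool --hex-dump so it runs on any machine, and calls clamscan only if it is installed. The sample files, the 22-byte marker and the names Example.Header and Example.Payload are constructed for the example.

```shell
#!/bin/sh
# Added example (not ConnectXf or ClamAV code): build an .ndb signature line
# from a chosen byte range of a sample, then pre-check it for false positives
# against known-good files before handing it to clamscan. All sample files
# below are constructed; Example.Header / Example.Payload are made-up names.

# hex_range FILE SKIP LENGTH: lowercase hex of LENGTH bytes starting SKIP
# bytes into FILE (what "sigtool --hex-dump" gives, but for a sub-range).
hex_range() {
    od -An -v -tx1 -j "$2" -N "$3" "$1" | tr -d ' \n'
}

# make_ndb_sig NAME TYPE OFFSET FILE SKIP LENGTH: print one
# Name:Type:Offset:HEX line. OFFSET is ClamAV's offset field ('*' = anywhere,
# or an absolute file offset); SKIP/LENGTH select the bytes to fingerprint.
make_ndb_sig() {
    printf '%s:%s:%s:%s\n' "$1" "$2" "$3" "$(hex_range "$4" "$5" "$6")"
}

# ndb_line_ok LINE: succeed when LINE has the four fields, a numeric type,
# an offset of '*' or a number (the two forms used on this page), and a
# non-empty lowercase hex body with an even number of digits (hand-trimmed
# bodies often end up odd-length, which ClamAV rejects at load time).
ndb_line_ok() {
    printf '%s\n' "$1" | awk -F: '
        NF != 4                       { exit 1 }
        $2 !~ /^[0-9]+$/              { exit 1 }
        $3 !~ /^(\*|[0-9]+)$/         { exit 1 }
        $4 !~ /^([0-9a-f][0-9a-f])+$/ { exit 1 }
        { exit 0 }'
}

# sig_matches LINE FILE: succeed when the hex body of LINE occurs in FILE on a
# byte boundary. A plain substring check that stands in for clamscan when it
# is not installed; the real test is still "clamscan -d".
sig_matches() {
    sig=${1##*:}
    [ -n "$sig" ] || return 1
    od -An -v -tx1 "$2" | tr -d ' \n' | awk -v sig="$sig" '
        { s = $0; base = 0
          while ((p = index(s, sig)) > 0) {
              # an even nibble index means the match starts on a whole byte
              if ((base + p - 1) % 2 == 0) { found = 1; exit }
              s = substr(s, p + 1); base += p
          } }
        END { exit found ? 0 : 1 }'
}

# check_signature LINE SAMPLE CLEAN...: the signature must hit SAMPLE and none
# of the CLEAN files; a hit on a clean file is the false positive to avoid.
check_signature() {
    sig=$1; sample=$2; shift 2
    sig_matches "$sig" "$sample" || { echo "  no hit on $sample" >&2; return 1; }
    for clean in "$@"; do
        if sig_matches "$sig" "$clean"; then
            echo "  false positive on clean file $clean" >&2; return 1
        fi
    done
    return 0
}

# build_samples DIR: write constructed test files. Both "executables" share
# their first 8 bytes (the start of an MZ/DOS header); only sample.scr
# carries the 22-byte marker at offset 64.
build_samples() {
    { printf 'MZ\220\000\003\000\000\000'; printf '%056d' 0; printf 'EXAMPLE-PAYLOAD-MARKER'; } > "$1/sample.scr"
    { printf 'MZ\220\000\003\000\000\000'; printf 'harmless program body'; } > "$1/clean.exe"
    printf 'Quarterly report, nothing to see here.\n' > "$1/readme.txt"
}

# Worked run: a signature cut from the header is rejected because the clean
# executable shares those bytes; one cut from the payload passes.
workdir=$(mktemp -d)
build_samples "$workdir"
header_sig=$(make_ndb_sig Example.Header 1 0 "$workdir/sample.scr" 0 8)
payload_sig=$(make_ndb_sig Example.Payload 1 '*' "$workdir/sample.scr" 64 22)
for sig in "$header_sig" "$payload_sig"; do
    echo "$sig"
    if ndb_line_ok "$sig" && check_signature "$sig" "$workdir/sample.scr" "$workdir/clean.exe" "$workdir/readme.txt"; then
        echo "  ok: hits the sample only; try it with clamscan -d"
    else
        echo "  rejected"
    fi
done
# Only the vetted signature goes to ClamAV, and only if clamscan is installed.
if command -v clamscan >/dev/null 2>&1; then
    printf '%s\n' "$payload_sig" > "$workdir/customsig.ndb"
    clamscan --no-summary -d "$workdir/customsig.ndb" "$workdir/sample.scr" || :   # exit status 1 = flagged
fi
rm -rf "$workdir"
```

The substring check is deliberately conservative: it only tells you that the bytes exist in the file, not that ClamAV would classify the file as the chosen target type or honour the offset, so a signature that passes here still has to be confirmed with clamscan -d against both the sample and the clean corpus before it is copied into the database directory.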