Adding clamav-unofficial-sigs

April 12, 2025 by Roberto Puzzanghera 4 comments

  • More info here
  • Version: 7.2.5

The clamav-unofficial-sigs script provides a simple way to download, test, and update third-party signature databases provided by Sanesecurity, FOXHOLE, OITC, Scamnailer, BOFHLAND, CRDF, Porcupine, Securiteinfo, MalwarePatrol, Yara-Rules Project, urlhaus, etc. The script will also generate and install cron, logrotate, and man files.

Download the script and the config files

cd /usr/local/sbin/
wget https://raw.githubusercontent.com/extremeshok/clamav-unofficial-sigs/master/clamav-unofficial-sigs.sh
chmod 755 /usr/local/sbin/clamav-unofficial-sigs.sh
mkdir -p /etc/clamav-unofficial-sigs/

cd /etc/clamav-unofficial-sigs/
wget https://raw.githubusercontent.com/extremeshok/clamav-unofficial-sigs/master/config/master.conf
wget https://raw.githubusercontent.com/extremeshok/clamav-unofficial-sigs/master/config/user.conf

Select your operating system config from https://github.com/extremeshok/clamav-unofficial-sigs/tree/master/config/ (adjust os_conf to your needs)

os_conf="os.slackware.conf"
wget "https://raw.githubusercontent.com/extremeshok/clamav-unofficial-sigs/master/config/os/${os_conf}"
ln -s ${os_conf} os.conf

user.conf always overrides os.conf and master.conf, and os.conf overrides master.conf. Do not edit master.conf itself: it is replaced when the script upgrades, so any change made there would be lost. Put your overrides in user.conf.

Now disable the deprecated email/bank_rule.yar Yara rule by overriding the yararulesproject database list in user.conf:

cat >> user.conf << EOF

# ======================== 
# Yara Rules Project Database(s) 
# ======================== 
declare -a yararulesproject_dbs=( 
email/bank_rule.yar|DISABLED 
) #END yararulesproject DATABASES
EOF

Create the dbs-uh folder in /var/lib/clamav-unofficial-sigs/, which the script needs in order to download urlhaus.ndb but does not create on a fresh install (if a file named /var/lib/clamav-unofficial-sigs/urlhaus.ndb already exists, delete it first). This fixes the "Failed connection ... SKIPPED urlhaus urlhaus.ndb update" warning in the log (thanks to Shailendra Shukla for the advice):

mkdir -p /var/lib/clamav-unofficial-sigs/dbs-uh
chown clamav:clamav /var/lib/clamav-unofficial-sigs/dbs-uh

Check your os.*.conf file and add the following lines if they are not already present. Be aware that your clamdctl script must provide a restart function; if it does not, update it first, otherwise clamd will not reload the new databases.

clamd_restart_opt="/usr/local/bin/clamdctl restart"
clamscan_bin="/usr/local/bin/clamscan"

Now run the script as root

/usr/local/sbin/clamav-unofficial-sigs.sh --force

Install logrotate and man files

/usr/local/sbin/clamav-unofficial-sigs.sh --install-logrotate
/usr/local/sbin/clamav-unofficial-sigs.sh --install-man

Install the scheduler configuration. This is for those using cron:

/usr/local/sbin/clamav-unofficial-sigs.sh --install-cron

and this is for systemd users:

mkdir -p /etc/systemd/system/
wget https://raw.githubusercontent.com/extremeshok/clamav-unofficial-sigs/master/systemd/clamav-unofficial-sigs.service -O /etc/systemd/system/clamav-unofficial-sigs.service
wget https://raw.githubusercontent.com/extremeshok/clamav-unofficial-sigs/master/systemd/clamav-unofficial-sigs.timer -O /etc/systemd/system/clamav-unofficial-sigs.timer

systemctl enable clamav-unofficial-sigs.service
systemctl enable clamav-unofficial-sigs.timer
systemctl start clamav-unofficial-sigs.timer

Run the following command to display which signature databases ClamAV loads and to check for errors. If the list contains the new third-party databases, the installation went well.

clamscan --debug /dev/null 2>&1 | grep "loaded"
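The grep above only shows what clamd loaded; it does not tell you whether the updater itself silently skipped a database. The following health check is an added example, not part of the guide or of the clamav-unofficial-sigs project: it parses the updater's log for "SKIPPED" versus "Successfully updated" lines and verifies that the dbs-uh directory exists. The log path is an assumption (override it with SIGS_LOG), and the sample log embedded at the end is constructed from the line formats quoted in the comments below.

```shell
# Added example, not part of the guide or of clamav-unofficial-sigs itself:
# a post-install health check that reads the updater's log, lists databases
# whose update was SKIPPED after a failed connection versus those that were
# successfully updated, and checks that the dbs-uh directory exists.
# The default log path below is an assumption; override it with SIGS_LOG.
SIGS_LOG="${SIGS_LOG:-/var/log/clamav-unofficial-sigs/clamav-unofficial-sigs.log}"
SIGS_DBS="/var/lib/clamav-unofficial-sigs"

# Database files whose update was skipped (sorted, deduplicated), e.g. "urlhaus.ndb".
skipped_dbs() {
  sed -n 's/.*WARNING: Failed connection to .* - SKIPPED [^ ]* \([^ ]*\) update.*/\1/p' "$1" | sort -u
}

# Database files that were successfully installed into production.
updated_dbs() {
  sed -n 's/.*Successfully updated [^ ]* production database file: \([^ ]*\).*/\1/p' "$1" | sort -u
}

# 0 if the directory the urlhaus download needs exists under "$1", 1 otherwise.
urlhaus_dir_ok() {
  [ -d "$1/dbs-uh" ]
}

# Summarise a log: a database that was skipped but later updated is "recovered";
# one that never recovered makes the function return 1 so cron/systemd can alert.
sigs_health() {
  rc=0
  for db in $(skipped_dbs "$1"); do
    if updated_dbs "$1" | grep -qx "$db"; then
      echo "recovered: $db"
    else
      echo "STILL SKIPPED: $db"
      rc=1
    fi
  done
  updated_dbs "$1" | sed 's/^/updated: /'
  return $rc
}

# Constructed sample log (modelled on the lines quoted in the comments), so the
# check can be exercised offline; point SIGS_LOG at the real file instead.
SAMPLE_LOG="$(mktemp)"
cat > "$SAMPLE_LOG" <<'EOF'
Apr 12 10:32:42 WARNING: Failed connection to https://urlhaus.abuse.ch/downloads - SKIPPED urlhaus urlhaus.ndb update
Apr 12 14:30:08 Successfully updated urlhaus production database file: urlhaus.ndb
Apr 12 14:31:10 Successfully updated example production database file: example.ndb
EOF
sigs_health "$SAMPLE_LOG"
urlhaus_dir_ok "$SIGS_DBS" || echo "missing: $SIGS_DBS/dbs-uh"
```

On a real system run `SIGS_LOG=/path/to/log sigs_health "$SIGS_LOG"` from cron and alert on a non-zero exit status.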

Upgrade

Check your installed version:

# /usr/local/sbin/clamav-unofficial-sigs.sh --version 
################################################################################ 
eXtremeSHOK.com ClamAV Unofficial Signature Updater 
Version: v7.2.5 (2021-03-20) 
Required Configuration Version: v96 
Copyright (c) Adrian Jon Kriel :: admin@extremeshok.com 
################################################################################

Run the update:

# clamav-unofficial-sigs.sh --upgrade 
################################################################################ 
eXtremeSHOK.com ClamAV Unofficial Signature Updater 
Version: v7.2.5 (2021-03-20) 
Required Configuration Version: v96 
Copyright (c) Adrian Jon Kriel :: admin@extremeshok.com 
################################################################################ 
Loading config: /etc/clamav-unofficial-sigs/master.conf 
Loading config: /etc/clamav-unofficial-sigs/os.slackware.conf 
Loading config: /etc/clamav-unofficial-sigs/user.conf 
Checking for updates ...

Comments

clamav-unofficial-sigs config update

Hi Roberto, 

There are a few updates regarding the clamav-unofficial-sigs config files. Upon investigating the setup, a few points have come to notice:

1. The urlhaus.ndb file does not get downloaded on a fresh install; below are the log errors:

Apr 12 10:32:42 WARNING: Failed connection to https://urlhaus.abuse.ch/downloads - SKIPPED urlhaus urlhaus.ndb update
Apr 12 11:34:15 WARNING: Failed connection to https://urlhaus.abuse.ch/downloads - SKIPPED urlhaus urlhaus.ndb update

This is because the script does not create the necessary folder for the urlhaus.ndb file in /var/lib/clamav-unofficial-sigs/

For the update we need to manually create the folder in the above path, i.e. mkdir dbs-uh. Once this is done the file gets downloaded and updated; below is the log:

Apr 12 14:30:02 URLhaus Database File Updates
Apr 12 14:30:02 Checking for urlhaus updates...
Apr 12 14:30:02 Checking for updated urlhaus database file: urlhaus.ndb
Apr 12 14:30:08 Testing updated urlhaus database file: urlhaus.ndb
Apr 12 14:30:08 Clamscan reports urlhaus urlhaus.ndb database integrity tested good
Apr 12 14:30:08 Successfully updated urlhaus production database file: urlhaus.ndb

2. yararulesproject bank_rule.yar

This is deprecated/bank_rule.yar and no longer maintained. To overcome the error in the log we need to disable this rule in the master.conf file /etc/clamav-unofficial-sigs/master.conf around line 430; I have modified it as below:

# Identification of malicious e-mails.
email/bank_rule.yar|DISABLED
#deprecated/bank_rule.yar|MEDIUM

With this, all the warnings and errors in the clamav-unofficial-sigs log files disappear.

Though point no. 2 is just related to warnings, point no. 1 is important as it is related to malicious URLs tracked on URLhaus. Maybe you can cross-check my findings on a fresh install of clamav-unofficial-sigs.


clamav-unofficial-sigs config update

Thank you, updated. Let's override master.conf using user.conf, otherwise the correction won't be preserved on updates.


clamav-unofficial-sigs config update

Small typo in the guide above for urlhaus.ndb.

Current:

mkdir -p /var/lib/clamav-unofficial-sigs/urlhaus.ndb

Kindly change it as below:

mkdir -p /var/lib/clamav-unofficial-sigs/dbs-uh
chown clamav:clamav /var/lib/clamav-unofficial-sigs/dbs-uh

Cheers


clamav-unofficial-sigs config update

Thank you. Corrected.
