This How-To describes how you can drastically improve the detection rates of clamAV. It is written mainly for integration into an existing mail server setup, but the additional signatures benefit clamAV system-wide.
In my opinion virus scanners are snake oil, and they add another attack vector to a system where none has to be. Virus scanners can naturally only detect known threats.
Unfortunately, virus scanners are treated like a religion of their own, and as soon as a computer is infected the question of which virus scanner was running is not far off. If you still want to use a virus scanner (for known threats), the choice of open source software is very limited. The most widespread open source scanner, clamAV, is probably also the one with the worst detection rate of all known scanners. This is largely because clamAV ships with comparatively few virus signatures. Thanks to the work of eXtremeSHOK, it is particularly convenient to add several third-party signature sets and thus drastically improve the detection rates.
To begin with, we need a working mail server setup with rspamd, as described by Thomas Leistner. I haven’t seen a better how-to for setting up a mail server yet. My How-To refers to Debian Linux, but it should also work on other platforms like CentOS or Ubuntu.
Install clamAV:
apt install clamav clamav-daemon
Create /etc/rspamd/local.d/antivirus.conf. A quoted heredoc writes the file verbatim, so the double quotes around the values survive (nesting them inside a double-quoted echo string strips them):
cat > /etc/rspamd/local.d/antivirus.conf <<'EOF'
first {
  attachments_only = false;
  symbol = "CLAM_VIRUS";
  type = "clamav";
  action = "reject";
  log_clean = true;
  servers = "/var/run/clamav/clamd.ctl";
}
EOF
rspamd connects to clamd over that unix socket, so the rspamd worker needs permission to open it; if rspamd later logs permission errors for the socket, check LocalSocketGroup and LocalSocketMode in /etc/clamav/clamd.conf.
Clone the repository with git, or download a release with wget from https://github.com/extremeshok/clamav-unofficial-sigs/releases:
git clone https://github.com/extremeshok/clamav-unofficial-sigs.git
Copy the script to /usr/local/sbin and make it executable. It is run as root by the timer, so it must not be group-writable; mode 755 is sufficient:
cp clamav-unofficial-sigs.sh /usr/local/sbin/clamav-unofficial-sigs.sh
chmod 755 /usr/local/sbin/clamav-unofficial-sigs.sh
Create the config directory and copy the example config that matches your OS (replace YOUR_OS with the matching file name from the repository's config directory):
mkdir /etc/clamav-unofficial-sigs/
cp config/YOUR_OS.conf /etc/clamav-unofficial-sigs/os.conf
Copy the two remaining config files:
cp config/{master.conf,user.conf} /etc/clamav-unofficial-sigs/
Enable the clamav-unofficial-sigs script by marking the user configuration as complete (the script refuses to run until this line is uncommented):
sed -i 's/#user_configuration_complete="yes"/user_configuration_complete="yes"/g' /etc/clamav-unofficial-sigs/user.conf
Install the logrotate script, the man page and the systemd units. Unit files belong in /etc/systemd/system/, not /etc/systemd/, and systemd has to be told about them; without the timer the signatures would only ever be downloaded once:
clamav-unofficial-sigs.sh --install-logrotate
clamav-unofficial-sigs.sh --install-man
cp systemd/* /etc/systemd/system/
systemctl daemon-reload
systemctl enable --now clamav-unofficial-sigs.timer
The timer unit name is the one shipped in the repository's systemd/ directory; if you prefer cron, run clamav-unofficial-sigs.sh --install-cron instead of copying the units.
Run clamav-unofficial-sigs.sh for the first time to download the additional signatures (the first run takes a while):
clamav-unofficial-sigs.sh
Restart and enable services
systemctl enable clamav-daemon.service
systemctl restart clamav-daemon.service
systemctl enable clamav-freshclam.service
systemctl restart clamav-freshclam.service
systemctl restart rspamd.service
That’s it!
We can test the setup with a signature test by sending an e-mail with the EICAR test file as an attachment:
wget -O virus.test https://secure.eicar.org/eicar.com
Note that EICAR is detected by clamAV's official signatures as well, so a rejected test mail only proves that the mail-to-clamd path works, not that the unofficial signatures are loaded. For that, compare the signature count clamd logs when it reloads its database ("Database correctly reloaded (N signatures)") before and after the first run of clamav-unofficial-sigs.sh.
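As an added example (not part of the original How-To and not code from the clamav-unofficial-sigs project), the following script does the same check end to end on the mail host: it writes the EICAR test file, confirms clamd flags it over its socket, wraps it into a multipart mail and checks that rspamd's antivirus module fires the CLAM_VIRUS symbol and picks the reject action. It assumes the symbol name and action from the antivirus.conf above, and that clamdscan and rspamc are installed (rspamc talks to rspamd on its default local port); the mail addresses and the sample rspamc output in it are made up.

```shell
#!/bin/sh
# Added example for this How-To (not part of the original post or of the
# clamav-unofficial-sigs project): check the rspamd -> clamd path with an
# EICAR attachment. Assumed from the antivirus.conf above: symbol CLAM_VIRUS
# and action reject. Assumed tools on the mail host: clamdscan and rspamc
# (rspamc talks to rspamd on its default local port). Addresses and the
# sample rspamc output below are made up.
set -eu

# The 68-byte EICAR test string, split in two so that this script itself is
# not flagged when it sits on a scanned filesystem.
eicar_string() {
  printf '%s%s' 'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-' 'ANTIVIRUS-TEST-FILE!$H+H*'
}

# Minimal multipart mail carrying eicar.com as a base64 attachment.
# $1 = From address, $2 = To address
eicar_mail() {
  from="$1"; to="$2"
  payload="$(eicar_string | base64 | tr -d '\n')"
  cat <<EOF
From: ${from}
To: ${to}
Subject: antivirus pipeline test
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="eicar-test-boundary"

--eicar-test-boundary
Content-Type: text/plain; charset=us-ascii

This mail carries the EICAR test file as an attachment.

--eicar-test-boundary
Content-Type: application/octet-stream; name="eicar.com"
Content-Disposition: attachment; filename="eicar.com"
Content-Transfer-Encoding: base64

${payload}
--eicar-test-boundary--
EOF
}

# Succeeds only if the rspamc output lists the symbol AND the final action.
# $1 = rspamc output, $2 = symbol name, $3 = expected action
rspamc_hit() {
  out="$1"; symbol="$2"; action="$3"
  printf '%s\n' "$out" | grep -Eq "^Symbol: ${symbol}([ (]|\$)" &&
    printf '%s\n' "$out" | grep -q "^Action: ${action}\$"
}

# Live check, to be run on the mail host after the steps above.
live_check() {
  dir="$(mktemp -d)"
  eicar_string > "${dir}/eicar.com"

  # 1. clamd must flag the file over its socket. clamd runs as its own user
  #    and cannot read a 0700 temp dir, so pass the open descriptor (--fdpass).
  #    clamdscan exits 1 for "virus found", 0 for clean, 2 for errors.
  rc=0
  clamdscan --fdpass --no-summary "${dir}/eicar.com" >/dev/null 2>&1 || rc=$?
  if [ "$rc" -ne 1 ]; then
    echo "clamdscan exit code $rc (expected 1): fix clamd/socket first" >&2
    rm -rf "$dir"; return 1
  fi

  # 2. The same file as an attachment must trigger CLAM_VIRUS in rspamd.
  eicar_mail sender@example.com postmaster@example.com > "${dir}/eicar.eml"
  out="$(rspamc symbols "${dir}/eicar.eml")"
  printf '%s\n' "$out"
  rm -rf "$dir"
  rspamc_hit "$out" CLAM_VIRUS reject
}

# Constructed rspamc output (not captured from a real server) showing the two
# lines rspamc_hit looks for.
SAMPLE_RSPAMC_OUTPUT='Action: reject
Spam: true
Score: 15.00 / 15.00
Symbol: CLAM_VIRUS (0.00)[Win.Test.EICAR_HDB-1]
Symbol: MIME_GOOD (-0.10)[multipart/mixed, text/plain]'

if command -v clamdscan >/dev/null 2>&1 && command -v rspamc >/dev/null 2>&1; then
  live_check && echo "OK: CLAM_VIRUS fired and rspamd chose reject"
else
  echo "clamdscan/rspamc not installed here; run this on the mail host" >&2
fi
```

The clamdscan step is deliberately separate from the rspamc step: if clamd does not flag the file directly, the problem is clamd or its socket, not the rspamd configuration. rspamc_hit insists on the symbol followed by a space, a parenthesis or end of line, so CLAM_VIRUS_FAIL (set when the scanner could not be reached) is not mistaken for a detection.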