Hi! I set up a "perfect Ubuntu server with nginx". After getting a lot of spam I tried to tune the clamav detection. I loaded the newest unofficial signatures from sanesecurity.com. They were all placed in /var/lib/clamav. I then tuned the clamav user config in /etc/amavis/conf.d/50-user by adding:

    $bypass_decode_parts = 1;

and I also tried to add:

    @keep_decoded_original_maps = (new_RE(
        qr'^MAIL$',                 # retain full original message for virus checking
        qr'^MAIL-UNDECIPHERABLE$',  # recheck full mail if it contains undecipherables
        qr'^(ASCII(?! cpio)|text|uuencoded|xxencoded|binhex)'i,
    ));

Then I tried to test the new signatures: sanesecurity.com/support/signature-testing/ But this does not work: emails still arrive in the inbox, and the mail log shows an amavis entry which says the mail is "clean". I also tried restarting the server/services a lot of times, and amavis does detect the eicar test file, so the normal signatures work... I also tried adding this to /etc/amavis/conf.d/50-user:

    @virus_name_to_spam_score_maps = (new_RE(  # the order matters!
      [ qr'^Structured\.(SSN|CreditCardNumber)\b'                  => 0.1 ],
      [ qr'^(Heuristics\.)?Phishing\.'                             => 0.1 ],
      [ qr'^(Email|HTML)\.Phishing\.(?!.*Sanesecurity)'            => 0.1 ],
      [ qr'^Sanesecurity\.(Malware|Badmacro|Foxhole|Rogue|Trojan)\.' => undef ],  # keep as infected
      [ qr'^Sanesecurity\.'                                        => 0.1 ],
      [ qr'^Sanesecurity.TestSig_'                                 => 0 ],
      [ qr'^Email\.Spam\.Bounce(\.[^., ]*)*\.Sanesecurity\.'       => 0 ],
      [ qr'^BofhlandMW\.'                                          => undef ],  # keep as infected
      [ qr'^Bofhland\.Malware\.'                                   => undef ],  # keep as infected
      [ qr'^Bofhland\.'                                            => 0.1 ],
      [ qr'^winnow.malware\.'                                      => undef ],  # keep as infected
      [ qr'^winnow\_'                                              => 0.1 ],
      [ qr'^PhishTank\.Phishing\.'                                 => 0.1 ],
      [ qr'^Porcupine\.Malware\.'                                  => undef ],  # keep as infected
      [ qr'^Porcupine\.'                                           => 0.1 ],
      [ qr'^Email\.Spammail\b'                                     => 0.1 ],
      [ qr'^Safebrowsing\.'                                        => 0.1 ],
      [ qr'^winnow\.(phish|spam)\.'                                => 0.1 ],
      [ qr'^ScamNailer\.'                                          => 0.1 ],
    ));

But no luck yet. Any ideas how to get the signatures working? I get a lot of spam.
About 30-50 virus a day..
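As an added illustration of how the @virus_name_to_spam_score_maps list in the post is evaluated (this is example code written for this thread, not amavis's own implementation; the rule list is copied from the post in the same order, and the virus names fed to it are constructed), the script below applies first-match lookup the way amavis does and reports which later rules a name would also have matched but never reaches:

```python
import re

# Constructed for this example: the rules from the post, in the posted order.
# None stands for Perl's undef, i.e. "keep as infected".
RULES = [
    (r'^Structured\.(SSN|CreditCardNumber)\b', 0.1),
    (r'^(Heuristics\.)?Phishing\.', 0.1),
    (r'^(Email|HTML)\.Phishing\.(?!.*Sanesecurity)', 0.1),
    (r'^Sanesecurity\.(Malware|Badmacro|Foxhole|Rogue|Trojan)\.', None),
    (r'^Sanesecurity\.', 0.1),
    (r'^Sanesecurity.TestSig_', 0),
    (r'^Email\.Spam\.Bounce(\.[^., ]*)*\.Sanesecurity\.', 0),
    (r'^BofhlandMW\.', None),
    (r'^Bofhland\.Malware\.', None),
    (r'^Bofhland\.', 0.1),
    (r'^winnow.malware\.', None),
    (r'^winnow_', 0.1),
    (r'^PhishTank\.Phishing\.', 0.1),
    (r'^Porcupine\.Malware\.', None),
    (r'^Porcupine\.', 0.1),
    (r'^Email\.Spammail\b', 0.1),
    (r'^Safebrowsing\.', 0.1),
    (r'^winnow\.(phish|spam)\.', 0.1),
    (r'^ScamNailer\.', 0.1),
]
COMPILED = [(re.compile(p), s) for p, s in RULES]


def classify(virus_name):
    """Return (verdict, score, matched_pattern) for a scanner-reported name.

    First match wins, as in amavis. A numeric score (0 included) means the
    message is no longer treated as infected and the score goes to the spam
    score; None (undef) or no matching rule at all leaves it a virus hit.
    """
    for rx, score in COMPILED:
        if rx.search(virus_name):
            if score is None:
                return ("infected", None, rx.pattern)
            return ("spam-score", score, rx.pattern)
    return ("infected", None, None)


def shadowed_rules(virus_name):
    """Later rules that also match this name but never fire, because an
    earlier rule already decided it. Handy for spotting ordering mistakes."""
    hits = [(rx.pattern, s) for rx, s in COMPILED if rx.search(virus_name)]
    return hits[1:]


# Constructed sample names in the style scanners report them (not real hits).
SAMPLES = [
    "Sanesecurity.Junk.12345.UNOFFICIAL",
    "Sanesecurity.Malware.26842.UNOFFICIAL",
    "Sanesecurity.TestSig_Constructed.UNOFFICIAL",
    "Email.Spam.Bounce.Sanesecurity.Constructed",
    "Eicar-Test-Signature",
]

if __name__ == "__main__":
    for name in SAMPLES:
        verdict, score, rule = classify(name)
        print(f"{name:45} {verdict:10} score={score!s:5} rule={rule}")
        for pat, s in shadowed_rules(name):
            print(f"{'':45} shadowed: {pat} => {s}")
```

Running it shows that `Sanesecurity.TestSig_...` lands on `^Sanesecurity\.` with 0.1 and never reaches the `^Sanesecurity.TestSig_ => 0` entry placed after it; both values are far below any usual spam tag level, so the effect here is cosmetic, but it is the kind of ordering slip the "order matters" comment warns about. Note also that this map only governs what amavis does once clamav has reported a name: if clamav never loaded the unofficial databases, no Sanesecurity name is ever produced and the map is never consulted, which is the situation the rest of the thread is chasing.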
Have you checked your /var/log/clamav/ files? Tried enabling verbose logging in clamav? Did you enable PUA as well? Amavis just calls clamav, and if you feel the signature detection is not working, you might want to check whether amavis calls clamav and clamav is doing its job. Also keep in mind that the freshclam daemon might download new signatures and overwrite manually copied ones.
Hey ztk.me, thanks for your help. Since the Eicar test file gets detected by amavis (the mail log shows the detection), clamav should work fine. I double-checked that I activated the spam check in ispconfig, too, for that account. And also the "bypass options" in the amavis user config to detect virus and spam are enabled correctly. I think freshclam will only overwrite the official signatures? I see all the sanesecurity files in the signature folder, or do they have to get merged into the main files somehow? I thought putting them into the signature folder is enough and clamav will load all signatures from that folder automatically.
If you use different signature file names it should be fine, yes. Have you checked the clamav log for issues loading the additional files? The Eicar test should work with the base clamav signatures; this does not indicate that your 3rd-party signatures are in the correct directory or that clamav was able to load them. Apart from a missing reload of clamav / amavis, this is the only issue I could think of.
Yes, I did a restart of all the services, but I didn't check the clam log yet. I will do so and report. Also I didn't check if OfficialDatabaseOnly is false. Thank you!