On Tue, Jun 13, 2017 at 09:37:36AM +0000, Paul Moreno wrote:
> Hi All,
>
> I'm in the process of providing a recommendation to a client on the use of
> ClamAV. From what I've read in various forums and online material, ClamAV
> appears to be better suited for mail systems, such as postfix, and Windows
> hosts. Can anyone comment on the reliability and accuracy of using it on
> a Linux operating system? I understand Linux "malware" would more or less
> be in the form of custom scripts, library exploits, and other
> vulnerabilities that lack signatures to detect against.
Consider these sigs in addition:

http://sanesecurity.com/usage/signatures/
  - malwarehash.hsb
    hackingteam.hsb
    rogue.hdb
    winnow_malware.hdb
    winnow_extended_malware.hdb
    malware.expert.hdb
    porcupine.hsb
    sanesecurity.ftm

https://www.securiteinfo.com/services/anti-spam-anti-virus/improve-detection-rate-of-zero-day-malwares-for-clamav.shtml
  - securiteinfo.hdb
    securiteinfoascii.hdb
    (we just use the basic free one)

malware detect sigpack
http://cdn.rfxn.com/downloads/maldet-sigpack.tgz
  - rfxn.hdb
    rfxn.ndb
    rfxn.yara

yara rules
https://github.com/Yara-Rules/rules/archive/master.zip
  - CVE_Rules
    Exploit-Kits
    Webshells

rootkit hunter
  - rkhunter.ldb

That's what I've come up with for a bunch of Linux and Solaris boxes. Some
occasional FPs, java stuff etc. that you might see on this list. But no
biggies, it's just a report to read through. Obviously we don't block or use
realtime scanning.

It's ok stuff for zero cost. Well, it does use 1GB memory and 1 core all
night heh.. and requires doing all the scripts for sig updates and repacking
.cud for local mirror, custom yum updated scan scripts for clients that
handle per-server exclude-lists etc..

If anyone has hints for more sigs feel free to chime in..

_______________________________________________
clamav-users mailing list
clamav-users@lists.clamav.net
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users

Help us build a comprehensive ClamAV guide: https://github.com/vrtadmin/clamav-faq
http://www.clamav.net/contact.html#ml
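The reply above describes the workflow as nightly clamscan runs whose output is "just a report to read through", with per-server exclude-lists and a tolerable number of false positives from the third-party signature sets. The following Python script is an added example, not code from the post or from the ClamAV project: it parses the `<path>: <signature> FOUND` lines that clamscan emits, applies a per-server path exclude list and a list of signature names already judged to be false positives, and summarises what is left for a human to look at. The sample report, the signature names and the exclude lists are all constructed for the example; nothing here is a ClamAV feature.

```python
import re
from collections import Counter

# Constructed sample of clamscan output (not from a real scan). The line
# format "<path>: <signature> FOUND" and the trailing SCAN SUMMARY block
# follow clamscan's normal text output; the signature names are made up.
SAMPLE_REPORT = """\
/opt/app/lib/foo.jar: Example.Java.Generic-1 FOUND
/var/www/html/upload/x.php: Example.Php.Webshell-1 FOUND
/home/bob/test.txt: OK
/tmp/testfile.com: Example.Test.Signature-1 FOUND
/opt/app/lib/bar.jar: Example.Java.Generic-1 FOUND

----------- SCAN SUMMARY -----------
Known viruses: 123456
Scanned directories: 42
Scanned files: 1000
Infected files: 4
"""

# Matches only detection lines; "OK" lines and the summary block do not end
# in " FOUND" and are skipped.
FOUND_RE = re.compile(r"^(?P<path>.+): (?P<sig>\S+) FOUND$")


def parse_found_lines(report_text):
    """Return a list of (path, signature) tuples for every FOUND line."""
    hits = []
    for line in report_text.splitlines():
        m = FOUND_RE.match(line.rstrip())
        if m:
            hits.append((m.group("path"), m.group("sig")))
    return hits


def triage(hits, exclude_prefixes=(), known_fp_sigs=()):
    """Split hits into (actionable, suppressed).

    exclude_prefixes models the per-server exclude-list from the post as a
    tuple of path prefixes; known_fp_sigs is a hypothetical allow-list of
    signature names already reviewed and judged to be false positives
    (for example the "java stuff" the post mentions). Both are assumptions
    of this example, not ClamAV configuration.
    """
    actionable, suppressed = [], []
    for path, sig in hits:
        excluded = any(path.startswith(p) for p in exclude_prefixes)
        if excluded or sig in known_fp_sigs:
            suppressed.append((path, sig))
        else:
            actionable.append((path, sig))
    return actionable, suppressed


def summarize(actionable):
    """Count actionable hits per signature so repeat offenders stand out."""
    return Counter(sig for _, sig in actionable)


if __name__ == "__main__":
    hits = parse_found_lines(SAMPLE_REPORT)
    actionable, suppressed = triage(
        hits,
        exclude_prefixes=("/tmp/",),
        known_fp_sigs=("Example.Java.Generic-1",),
    )
    print(f"{len(hits)} detections, {len(suppressed)} suppressed, "
          f"{len(actionable)} to review")
    for sig, n in summarize(actionable).most_common():
        print(f"  {n:3d}  {sig}")
    for path, sig in actionable:
        print(f"  REVIEW {path} ({sig})")
```

Filtering after the scan keeps the raw clamscan log intact for audit while still producing a short list to read. For paths that should never be scanned at all, clamscan's own `--exclude-dir` option is the right place to put them; the post-scan allow-list here is for detections that a reviewer has already looked at and does not want to see again on every nightly report.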