Role that installs clamav end/or clamav-milter.

This commit is contained in:
Andrea Dell'Amico 2019-12-18 15:47:03 +01:00
parent f6dcee2182
commit 9d6370b776
8 changed files with 1446 additions and 0 deletions

View File

@ -0,0 +1,89 @@
---
#
# clamd wants a lot of RAM at startup time. Ensure to have at least 4GB of available memory
#
clamav_install: True
clamav_milter_install: False
clamav_unofficial_sigs_install: '{{ clamav_install }}'
clamav_rh_pkgs:
- clamd
- clamav-filesystem
- clamav
- clamav-data
- clamav-lib
- clamav-update
clamav_milter_rh_pkgs:
- clamav-milter
clamav_unofficial_sigs_rh_pkgs:
- clamav-unofficial-sigs
clamav_clamd_user: clamscan
clamav_clamd_conf_file: '/etc/clamd.d/scan.conf'
clamav_clamd_verbose_logging: 'yes'
clamav_clamd_extended_info: 'yes'
clamav_clamd_pidfile: '/run/clamd.scan/clamd.pid'
clamav_clamd_tmp: '/var/tmp'
clamav_clamd_official_db_only: 'no'
clamav_clamd_use_local_socket: True
clamav_clamd_local_socket: '/run/clamd.scan/clamd.sock'
clamav_clamd_use_net_socket: False
clamav_clamd_net_socket_port: 3310
clamav_clamd_net_main_socket_addr: '127.0.0.1'
clamav_clamd_net_socket_addrs:
- '{{ clamav_clamd_net_main_socket_addr }}'
# Set this to your MTA max message size. Expressed in MB (M)
clamav_clamd_stream_max_lenght: 25
clamav_clamd_detect_pua: True
clamav_clamd_heuristic_alert: 'yes'
clamav_clamd_heuristic_has_precedence: 'no'
clamav_clamd_additional_doc_scanning: True
clamav_clamd_email_scan: 'yes'
clamav_clamd_html_scan: 'yes'
clamav_clamd_archives_scan: 'yes'
clamav_clamd_max_scan_time: 120000
# Options: None, TrustSigned, Paranoid. Stick to the default
clamav_clamd_bytecode_security: 'TrustSigned'
clamav_additional_signatures_use_proxy: False
clamav_additional_signatures_use_proxy_auth: False
clamav_additional_signatures_proxy_host: ''
clamav_additional_signatures_proxy_port: 3128
clamav_additional_signatures_proxy_user: ''
clamav_additional_signatures_proxy_pwd: ''
# Freshclam
clamav_freshclam_check_frequency: 12
clamav_freshclam_use_proxy: False
clamav_freshclam_use_proxy_auth: False
clamav_freshclam_proxy_host: ''
clamav_freshclam_proxy_port: 3128
clamav_freshclam_proxy_user: ''
clamav_freshclam_proxy_pwd: ''
clamav_freshclam_reload_clamd: True
clamav_freshclam_enable_safebrowsing: 'no'
clamav_freshclam_enable_bytecode: 'yes'
#clamav_freshclam_additional_databases:
# - ''
# - ''
# tcp example: inet:7357@127.0.0.1
clamav_milter_socket: 'local:/run/clamav-milter/clamav-milter.socket'
clamav_milter_use_whitelist_file: False
clamav_milter_whitelist_file: '/etc/mail/clamav-whitelist'
clamav_milter_use_skip_authenticated_file: False
clamav_milter_skip_authenticated_file: '/etc/mail/clamav-skip-authenticated'
clamav_milter_onclean_action: 'Accept'
clamav_milter_oninfected_action: 'Reject'
clamav_milter_onfail_action: 'Defer'
clamav_milter_send_reject_msg: True
clamav_milter_reject_msg: 'Virus %v present, email rejected!'
clamav_milter_add_header: True
clamav_milter_add_header_action: 'Add'
clamav_milter_report_hostname: '{{ ansible_fqdn }}'
clamav_milter_clamd_net_socket_addrs:
- { addr: '{{ clamav_clamd_net_main_socket_addr }}', port: '{{ clamav_clamd_net_socket_port }}' }

View File

@ -0,0 +1,9 @@
---
- name: Reload clamd
service: name=clamd@scan state=reloaded enabled=yes
- name: Restart clamd
service: name=clamd@scan state=restarted enabled=yes
- name: Restart clamav-milter
service: name=clamav-milter state=restarted enabled=yes

View File

@ -0,0 +1,55 @@
---
- name: Install the clamav packages
block:
- name: Install the clamav packages on RH based systems
yum: pkg={{ clamav_rh_pkgs }} state=present
when: clamav_install | bool
- name: Install the clamav unofficial signature packages on RH based systems
yum: pkg={{ clamav_unofficial_sigs_rh_pkgs }} state=present
when: clamav_unofficial_sigs_install | bool
- name: Install the clamav milter packages on RH based systems
yum: pkg={{ clamav_milter_rh_pkgs}} state=present
when: clamav_milter_install | bool
when: ansible_distribution_file_variety == "RedHat"
tags: [ 'clamav', 'clamav_clamd' ]
- name: Configure freshclam and clamd
block:
- name: Install the clamd configuration
template: src=scan.conf.j2 dest={{ clamav_clamd_conf_file }} owner=root group=root mode=0444
notify: Reload clamd
- name: Install the freshclam configuration
template: src=freshclam.conf.j2 dest=/etc/freshclam.conf owner=root group=root mode=0400
- name: Ensure that the clamd service is running and enabled
service: name=clamd@scan state=started enabled=yes
when: clamav_install | bool
tags: [ 'clamav', 'clamav_clamd', 'clamav_config' ]
- name: Configure clamav unofficial sigs
block:
- name: Install the unofficial sigs configuration files
template: src={{ item }}.j2 dest=/etc/clamav-unofficial-sigs/{{ item }} owner=root group=root mode=0444
with_items:
- os.conf
- user.conf
when: clamav_unofficial_sigs_install | bool
tags: [ 'clamav', 'clamav_clamd', 'clamav_config' ]
- name: Configure clamav milter
block:
- name: Install the clamav milter configuration
template: src=clamav-milter.conf.j2 dest=/etc/mail/clamav-milter.conf owner=root group=root mode=0444
notify: Restart clamav-milter
- name: Ensure that clamav milter is running and enabled
service: name=clamav-milter state=started enabled=yes
when: clamav_milter_install | bool
tags: [ 'clamav', 'clamav_clamd', 'clamav_config' ]

View File

@ -0,0 +1,302 @@
##
## Example config file for clamav-milter
##
##
## Main options
##
# Define the interface through which we communicate with sendmail
# This option is mandatory! Possible formats are:
# [[unix|local]:]/path/to/file - to specify a unix domain socket
# inet:port@[hostname|ip-address] - to specify an ipv4 socket
# inet6:port@[hostname|ip-address] - to specify an ipv6 socket
#
# Default: no default
#MilterSocket local:/run/clamav-milter/clamav-milter.socket
MilterSocket {{ clamav_milter_socket }}
# Define the group ownership for the (unix) milter socket.
# Default: disabled (the primary group of the user running clamd)
#MilterSocketGroup virusgroup
# Sets the permissions on the (unix) milter socket to the specified mode.
# Default: disabled (obey umask)
MilterSocketMode 660
# Remove stale socket after unclean shutdown.
#
# Default: yes
FixStaleSocket yes
# Run as another user (clamav-milter must be started by root for this option
# to work)
#
# Default: unset (don't drop privileges)
User clamilt
# Waiting for data from clamd will timeout after this time (seconds).
# Value of 0 disables the timeout.
#
# Default: 120
#ReadTimeout 300
# Don't fork into background.
#
# Default: no
#Foreground yes
# Chroot to the specified directory.
# Chrooting is performed just after reading the config file and before
# dropping privileges.
#
# Default: unset (don't chroot)
#Chroot /newroot
# This option allows you to save a process identifier of the listening
# daemon (main thread).
#
# Default: disabled
PidFile /run/clamav-milter/clamav-milter.pid
# Optional path to the global temporary directory.
# Default: system specific (usually /tmp or /var/tmp).
#
TemporaryDirectory /var/tmp
##
## Clamd options
##
# Define the clamd socket to connect to for scanning.
# This option is mandatory! Syntax:
# ClamdSocket unix:path
# ClamdSocket tcp:host:port
# The first syntax specifies a local unix socket (needs an absolute path) e.g.:
# ClamdSocket unix:/var/run/clamd/clamd.socket
# The second syntax specifies a tcp local or remote tcp socket: the
# host can be a hostname or an ip address; the ":port" field is only required
# for IPv6 addresses, otherwise it defaults to 3310, e.g.:
# ClamdSocket tcp:192.168.0.1
#
# This option can be repeated several times with different sockets or even
# with the same socket: clamd servers will be selected in a round-robin
# fashion.
#
# Default: no default
{% if clamav_clamd_use_local_socket %}
ClamdSocket unix:{{ clamav_clamd_local_socket }}
{% elif clamav_clamd_use_net_socket %}
{% for clamsock in clamav_milter_clamd_net_socket_addrs %}
ClamdSocket tcp:{{ clamsock.addr }}:{{ clamsock.port }}
{% endfor %}
{% endif %}
##
## Exclusions
##
# Messages originating from these hosts/networks will not be scanned
# This option takes a host(name)/mask pair in CIRD notation and can be
# repeated several times. If "/mask" is omitted, a host is assumed.
# To specify a locally originated, non-smtp, email use the keyword "local"
#
# Default: unset (scan everything regardless of the origin)
#LocalNet local
#LocalNet 192.168.0.0/24
#LocalNet 1111:2222:3333::/48
# This option specifies a file which contains a list of basic POSIX regular
# expressions. Addresses (sent to or from - see below) matching these regexes
# will not be scanned. Optionally each line can start with the string "From:"
# or "To:" (note: no whitespace after the colon) indicating if it is,
# respectively, the sender or recipient that is to be whitelisted.
# If the field is missing, "To:" is assumed.
# Lines starting with #, : or ! are ignored.
#
# Default unset (no exclusion applied)
#Whitelist /etc/whitelisted_addresses
{% if clamav_milter_use_whitelist_file %}
Whitelist {{ clamav_milter_whitelist_file }}
{% endif %}
# Messages from authenticated SMTP users matching this extended POSIX
# regular expression (egrep-like) will not be scanned.
# As an alternative, a file containing a plain (not regex) list of names (one
# per line) can be specified using the prefix "file:".
# e.g. SkipAuthenticated file:/etc/good_guys
#
# Note: this is the AUTH login name!
#
# Default: unset (no whitelisting based on SMTP auth)
{% if clamav_milter_use_skip_authenticated_file %}
SkipAuthenticated file:{{ clamav_milter_skip_authenticated_file }}
{% endif %}
# Messages larger than this value won't be scanned.
# Make sure this value is lower or equal than StreamMaxLength in clamd.conf
#
# Default: 25M
MaxFileSize {{ clamav_clamd_stream_max_lenght }}M
##
## Actions
##
# The following group of options controls the delivery process under
# different circumstances.
# The following actions are available:
# - Accept
# The message is accepted for delivery
# - Reject
# Immediately refuse delivery (a 5xx error is returned to the peer)
# - Defer
# Return a temporary failure message (4xx) to the peer
# - Blackhole (not available for OnFail)
# Like Accept but the message is sent to oblivion
# - Quarantine (not available for OnFail)
# Like Accept but message is quarantined instead of being delivered
#
# NOTE: In Sendmail the quarantine queue can be examined via mailq -qQ
# For Postfix this causes the message to be placed on hold
#
# Action to be performed on clean messages (mostly useful for testing)
# Default: Accept
OnClean {{ clamav_milter_onclean_action }}
# Action to be performed on infected messages
# Default: Quarantine
#OnInfected Quarantine
OnInfected {{ clamav_milter_oninfected_action }}
# Action to be performed on error conditions (this includes failure to
# allocate data structures, no scanners available, network timeouts,
# unknown scanner replies and the like)
# Default: Defer
OnFail {{ clamav_milter_onfail_action }}
# This option allows to set a specific rejection reason for infected messages
# and it's therefore only useful together with "OnInfected Reject"
# The string "%v", if present, will be replaced with the virus name.
# Default: MTA specific
{% if clamav_milter_send_reject_msg %}
RejectMsg "{{ clamav_milter_reject_msg }}"
{% endif %}
{% if clamav_milter_add_header %}
# If this option is set to "Replace" (or "Yes"), an "X-Virus-Scanned" and an
# "X-Virus-Status" headers will be attached to each processed message, possibly
# replacing existing headers.
# If it is set to Add, the X-Virus headers are added possibly on top of the
# existing ones.
# Note that while "Replace" can potentially break DKIM signatures, "Add" may
# confuse procmail and similar filters.
# Default: no
AddHeader {{ clamav_milter_add_header_action }}
# When AddHeader is in use, this option allows to arbitrary set the reported
# hostname. This may be desirable in order to avoid leaking internal names.
# If unset the real machine name is used.
# Default: disabled
ReportHostname {{ clamav_milter_report_hostname }}
{% endif %}
# Execute a command (possibly searching PATH) when an infected message is
# found.
# The following parameters are passed to the invoked program in this order:
# virus name, queue id, sender, destination, subject, message id, message date.
# Note #1: this requires MTA macroes to be available (see LogInfected below)
# Note #2: the process is invoked in the context of clamav-milter
# Note #3: clamav-milter will wait for the process to exit. Be quick or fork to
# avoid unnecessary delays in email delivery
# Default: disabled
#VirusAction /usr/local/bin/my_infected_message_handler
##
## Logging options
##
# Uncomment this option to enable logging.
# LogFile must be writable for the user running daemon.
# A full path is required.
#
# Default: disabled
#LogFile /var/log/clamav-milter.log
# By default the log file is locked for writing - the lock protects against
# running clamav-milter multiple times.
# This option disables log file locking.
#
# Default: no
#LogFileUnlock yes
# Maximum size of the log file.
# Value of 0 disables the limit.
# You may use 'M' or 'm' for megabytes (1M = 1m = 1048576 bytes)
# and 'K' or 'k' for kilobytes (1K = 1k = 1024 bytes). To specify the size
# in bytes just don't use modifiers. If LogFileMaxSize is enabled, log
# rotation (the LogRotate option) will always be enabled.
#
# Default: 1M
#LogFileMaxSize 2M
# Log time with each message.
#
# Default: no
#LogTime yes
# Use system logger (can work together with LogFile).
#
# Default: no
LogSyslog yes
# Specify the type of syslog messages - please refer to 'man syslog'
# for facility names.
#
# Default: LOG_LOCAL6
#LogFacility LOG_MAIL
# Enable verbose logging.
#
# Default: no
LogVerbose yes
# Enable log rotation. Always enabled when LogFileMaxSize is enabled.
# Default: no
#LogRotate yes
# This option allows to tune what is logged when a message is infected.
# Possible values are Off (the default - nothing is logged),
# Basic (minimal info logged), Full (verbose info logged)
# Note:
# For this to work properly in sendmail, make sure the msg_id, mail_addr,
# rcpt_addr and i macroes are available in eom. In other words add a line like:
# Milter.macros.eom={msg_id}, {mail_addr}, {rcpt_addr}, i
# to your .cf file. Alternatively use the macro:
# define(`confMILTER_MACROS_EOM', `{msg_id}, {mail_addr}, {rcpt_addr}, i')
# Postfix should be working fine with the default settings.
#
# Default: disabled
LogInfected Basic
# This option allows to tune what is logged when no threat is found in
# a scanned message.
# See LogInfected for possible values and caveats.
# Useful in debugging but drastically increases the log size.
# Default: disabled
LogClean Basic
# This option affects the behaviour of LogInfected, LogClean and VirusAction
# when a message with multiple recipients is scanned:
# If SupportMultipleRecipients is off (the default)
# then one single log entry is generated for the message and, in case the
# message is determined to be malicious, the command indicated by VirusAction
# is executed just once. In both cases only the last recipient is reported.
# If SupportMultipleRecipients is on:
# then one line is logged for each recipient and the command indicated
# by VirusAction is also executed once for each recipient.
#
# Note: although it's probably a good idea to enable this option, the default
# value
# is currently set to off for legacy reasons.
# Default: no
SupportMultipleRecipients no

View File

@ -0,0 +1,193 @@
# Path to the database directory.
# WARNING: It must match clamd.conf's directive!
# Default: hardcoded (depends on installation options)
DatabaseDirectory /var/lib/clamav
# Path to the log file (make sure it has proper permissions)
# Default: disabled
#UpdateLogFile /var/log/freshclam.log
# Maximum size of the log file.
# Value of 0 disables the limit.
# You may use 'M' or 'm' for megabytes (1M = 1m = 1048576 bytes)
# and 'K' or 'k' for kilobytes (1K = 1k = 1024 bytes).
# in bytes just don't use modifiers. If LogFileMaxSize is enabled,
# log rotation (the LogRotate option) will always be enabled.
# Default: 1M
#LogFileMaxSize 2M
# Log time with each message.
# Default: no
#LogTime yes
# Enable verbose logging.
# Default: no
#LogVerbose yes
# Use system logger (can work together with UpdateLogFile).
# Default: no
LogSyslog yes
# Specify the type of syslog messages - please refer to 'man syslog'
# for facility names.
# Default: LOG_LOCAL6
#LogFacility LOG_MAIL
# Enable log rotation. Always enabled when LogFileMaxSize is enabled.
# Default: no
#LogRotate yes
# This option allows you to save the process identifier of the daemon
# Default: disabled
#PidFile /var/run/freshclam.pid
# By default when started freshclam drops privileges and switches to the
# "clamav" user. This directive allows you to change the database owner.
# Default: clamav (may depend on installation options)
#DatabaseOwner clamupdate
# Use DNS to verify virus database version. Freshclam uses DNS TXT records
# to verify database and software versions. With this directive you can change
# the database verification domain.
# WARNING: Do not touch it unless you're configuring freshclam to use your
# own database verification domain.
# Default: current.cvd.clamav.net
#DNSDatabaseInfo current.cvd.clamav.net
# database.clamav.net is now the primary domain name to be used world-wide.
# Now that CloudFlare is being used as our Content Delivery Network (CDN),
# this one domain name works world-wide to direct freshclam to the closest
# geographic endpoint.
DatabaseMirror database.clamav.net
# How many attempts to make before giving up.
# Default: 3 (per mirror)
#MaxAttempts 5
# With this option you can control scripted updates. It's highly recommended
# to keep it enabled.
# Default: yes
ScriptedUpdates yes
# By default freshclam will keep the local databases (.cld) uncompressed to
# make their handling faster. With this option you can enable the compression;
# the change will take effect with the next database update.
# Default: no
#CompressLocalDatabase no
# With this option you can provide custom sources (http:// or file://) for
# database files. This option can be used multiple times.
# Default: no custom URLs
#DatabaseCustomURL http://myserver.com/mysigs.ndb
#DatabaseCustomURL file:///mnt/nfs/local.hdb
# This option allows you to easily point freshclam to private mirrors.
# If PrivateMirror is set, freshclam does not attempt to use DNS
# to determine whether its databases are out-of-date, instead it will
# use the If-Modified-Since request or directly check the headers of the
# remote database files. For each database, freshclam first attempts
# to download the CLD file. If that fails, it tries to download the
# CVD file. This option overrides DatabaseMirror, DNSDatabaseInfo
# and ScriptedUpdates. It can be used multiple times to provide
# fall-back mirrors.
# Default: disabled
#PrivateMirror mirror1.mynetwork.com
#PrivateMirror mirror2.mynetwork.com
# Number of database checks per day.
# Default: 12 (every two hours)
Checks {{ clamav_freshclam_check_frequency }}
{% if clamav_freshclam_use_proxy %}
# Proxy settings
# Default: disabled
HTTPProxyServer {{ clamav_freshclam_proxy_host }}
HTTPProxyPort {{ clamav_freshclam_proxy_port }}
{% if clamav_freshclam_use_proxy_auth %}
HTTPProxyUsername {{ clamav_freshclam_proxy_user }}
HTTPProxyPassword {{ clamav_freshclam_proxy_pwd }}
{% endif %}
{% endif %}
# If your servers are behind a firewall/proxy which applies User-Agent
# filtering you can use this option to force the use of a different
# User-Agent header.
# Default: clamav/version_number
#HTTPUserAgent SomeUserAgentIdString
# Use aaa.bbb.ccc.ddd as client address for downloading databases. Useful for
# multi-homed systems.
# Default: Use OS'es default outgoing IP address.
#LocalIPAddress aaa.bbb.ccc.ddd
{% if clamav_freshclam_reload_clamd %}
# Send the RELOAD command to clamd.
# Default: no
NotifyClamd {{ clamav_clamd_conf_file }}
{% endif %}
# Run command after successful database update.
# Default: disabled
#OnUpdateExecute command
# Run command when database update process fails.
# Default: disabled
#OnErrorExecute command
# Run command when freshclam reports outdated version.
# In the command string %v will be replaced by the new version number.
# Default: disabled
#OnOutdatedExecute command
# Don't fork into background.
# Default: no
#Foreground yes
# Enable debug messages in libclamav.
# Default: no
#Debug yes
# Timeout in seconds when connecting to database server.
# Default: 30
#ConnectTimeout 60
# Timeout in seconds when reading from database server.
# Default: 30
#ReceiveTimeout 60
# With this option enabled, freshclam will attempt to load new
# databases into memory to make sure they are properly handled
# by libclamav before replacing the old ones.
# Default: yes
#TestDatabases yes
# This option enables support for Google Safe Browsing. When activated for
# the first time, freshclam will download a new database file
# (safebrowsing.cvd) which will be automatically loaded by clamd and
# clamscan during the next reload, provided that the heuristic phishing
# detection is turned on. This database includes information about websites
# that may be phishing sites or possible sources of malware. When using this
# option, it's mandatory to run freshclam at least every 30 minutes.
# Freshclam uses the ClamAV's mirror infrastructure to distribute the
# database and its updates but all the contents are provided under Google's
# terms of use. See https://www.google.com/transparencyreport/safebrowsing
# and https://www.clamav.net/documents/safebrowsing
# for more information.
# Default: disabled
SafeBrowsing {{ clamav_freshclam_enable_safebrowsing }}
# This option enables downloading of bytecode.cvd, which includes additional
# detection mechanisms and improvements to the ClamAV engine.
# Default: enabled
Bytecode {{ clamav_freshclam_enable_bytecode }}
{% if clamav_freshclam_additional_databases is defined %}
# Download an additional 3rd party signature database distributed through
# the ClamAV mirrors.
# This option can be used multiple times.
#ExtraDatabase dbname1
#ExtraDatabase dbname2
{% for clamdb in clamav_freshclam_additional_databases %}
ExtraDatabase {{ clamdb }}
{% endfor %}
{% endif %}

View File

@ -0,0 +1,41 @@
# This file contains os configuration settings for clamav-unofficial-sigs.sh
###################
# This is property of eXtremeSHOK.com
# You are free to use, modify and distribute, however you may not remove this notice.
# Copyright (c) Adrian Jon Kriel :: admin@extremeshok.com
# License: BSD (Berkeley Software Distribution)
##################
#
# Script updates can be found at: https://github.com/extremeshok/clamav-unofficial-sigs
#
##################
#
# NOT COMPATIBLE WITH VERSION 3.XX / 4.XX CONFIG
#
################################################################################
# SEE MASTER.CONF FOR CONFIG EXPLANATIONS
################################################################################
# Rename to os.conf to enable this file
################################################################################
# RHEL/CentOS 7, using ClamAV packages from EPEL
clam_user="{{ clamav_clamd_user }}"
clam_group="{{ clamav_clamd_user }}"
clam_dbs="/var/lib/clamav"
clamd_pid="{{ clamav_clamd_pidfile }}"
clamd_restart_opt="systemctl try-restart clamd@scan"
{% if clamav_clamd_use_local_socket %}
clamd_socket="{{ clamav_clamd_local_socket }}"
{% endif %}
clamd_reload_opt="clamdscan --config-file={{ clamav_clamd_conf_file }} --reload"
# By default clamupdate has no permissions to run service restarts
reload_dbs="no"
# https://eXtremeSHOK.com ######################################################

View File

@ -0,0 +1,688 @@
# Use system logger (can work together with LogFile).
# Default: no
LogSyslog yes
# Specify the type of syslog messages - please refer to 'man syslog'
# for facility names.
# Default: LOG_LOCAL6
#LogFacility LOG_MAIL
# Enable verbose logging.
# Default: no
LogVerbose {{ clamav_clamd_verbose_logging }}
# Log additional information about the infected file, such as its
# size and hash, together with the virus name.
ExtendedDetectionInfo {{ clamav_clamd_extended_info }}
# This option allows you to save a process identifier of the listening
# daemon (main thread).
# Default: disabled
PidFile {{ clamav_clamd_pidfile }}
# Optional path to the global temporary directory.
# Default: system specific (usually /tmp or /var/tmp).
TemporaryDirectory {{ clamav_clamd_tmp }}
# Path to the database directory.
# Default: hardcoded (depends on installation options)
DatabaseDirectory /var/lib/clamav
# Only load the official signatures published by the ClamAV project.
# Default: no
OfficialDatabaseOnly {{ clamav_clamd_official_db_only }}
# The daemon can work in local mode, network mode or both.
# Due to security reasons we recommend the local mode.
{% if clamav_clamd_use_local_socket %}
# Path to a local socket file the daemon will listen on.
# Default: disabled (must be specified by a user)
LocalSocket {{ clamav_clamd_local_socket }}
# Sets the group ownership on the unix socket.
# Default: disabled (the primary group of the user running clamd)
LocalSocketGroup virusgroup
# Sets the permissions on the unix socket to the specified mode.
# Default: disabled (socket is world accessible)
LocalSocketMode 660
# Remove stale socket after unclean shutdown.
# Default: yes
FixStaleSocket yes
{% endif %}
{% if clamav_clamd_use_net_socket %}
# TCP port address.
# Default: no
TCPSocket {{ clamav_clamd_net_socket_port }}
# TCP address.
# By default we bind to INADDR_ANY, probably not wise.
# Enable the following to provide some degree of protection
# from the outside world. This option can be specified multiple
# times if you want to listen on multiple IPs. IPv6 is now supported.
# Default: no
{% for ip in clamav_clamd_net_socket_addrs %}
TCPAddr {{ ip }}
{% endfor %}
# Maximum length the queue of pending connections may grow to.
# Default: 200
#MaxConnectionQueueLength 30
# Clamd uses FTP-like protocol to receive data from remote clients.
# If you are using clamav-milter to balance load between remote clamd daemons
# on firewall servers you may need to tune the options below.
# Close the connection when the data size limit is exceeded.
# The value should match your MTA's limit for a maximum attachment size.
# Default: 25M
StreamMaxLength {{ clamav_clamd_stream_max_lenght }}M
# Limit port range.
# Default: 1024
#StreamMinPort 30000
# Default: 2048
#StreamMaxPort 32000
{% endif %}
# Maximum number of threads running at the same time.
# Default: 10
#MaxThreads 20
# Waiting for data from a client socket will timeout after this time (seconds).
# Default: 120
#ReadTimeout 300
# This option specifies the time (in seconds) after which clamd should
# timeout if a client doesn't provide any initial command after connecting.
# Default: 30
#CommandReadTimeout 30
# This option specifies how long to wait (in milliseconds) if the send buffer
# is full.
# Keep this value low to prevent clamd hanging
#
# Default: 500
#SendBufTimeout 200
# Maximum number of queued items (including those being processed by
# MaxThreads threads)
# It is recommended to have this value at least twice MaxThreads if possible.
# WARNING: you shouldn't increase this too much to avoid running out of file
# descriptors,
# the following condition should hold:
# MaxThreads*MaxRecursion + (MaxQueue - MaxThreads) + 6< RLIMIT_NOFILE (usual
# max is 1024)
#
# Default: 100
#MaxQueue 200
# Waiting for a new job will timeout after this time (seconds).
# Default: 30
#IdleTimeout 60
# Don't scan files and directories matching regex
# This directive can be used multiple times
# Default: scan all
ExcludePath ^/proc/
ExcludePath ^/sys/
# Maximum depth directories are scanned at.
# Default: 15
#MaxDirectoryRecursion 20
# Follow directory symlinks.
# Default: no
#FollowDirectorySymlinks yes
# Follow regular file symlinks.
# Default: no
#FollowFileSymlinks yes
# Scan files and directories on other filesystems.
# Default: yes
#CrossFilesystems yes
# Perform a database check.
# Default: 600 (10 min)
#SelfCheck 600
# Execute a command when virus is found. In the command string %v will
# be replaced with the virus name.
# Default: no
#VirusEvent /usr/local/bin/send_sms 123456789 "VIRUS ALERT: %v"
# Run as another user (clamd must be started by root for this option to work)
# Default: don't drop privileges
User {{ clamav_clamd_user }}
# Stop daemon when libclamav reports out of memory condition.
ExitOnOOM yes
# Don't fork into background.
# Default: no
#Foreground yes
# Enable debug messages in libclamav.
# Default: no
#Debug yes
# Do not remove temporary files (for debug purposes).
# Default: no
#LeaveTemporaryFiles yes
# Permit use of the ALLMATCHSCAN command. If set to no, clamd will reject
# any ALLMATCHSCAN command as invalid.
# Default: yes
AllowAllMatchScan yes
{% if clamav_clamd_detect_pua %}
# Detect Possibly Unwanted Applications.
# Default: no
DetectPUA yes
# Exclude a specific PUA category. This directive can be used multiple times.
# See https://github.com/vrtadmin/clamav-faq/blob/master/faq/faq-pua.md for
# the complete list of PUA categories.
# Default: Load all categories (if DetectPUA is activated)
#ExcludePUA NetTool
#ExcludePUA PWTool
# Only include a specific PUA category. This directive can be used multiple
# times.
# Default: Load all categories (if DetectPUA is activated)
IncludePUA Spy
IncludePUA Scanner
IncludePUA RAT
{% endif %}
# This option causes memory or nested map scans to dump the content to disk.
# If you turn on this option, more data is written to disk and is available
# when the LeaveTemporaryFiles option is enabled.
#ForceToDisk yes
# This option allows you to disable the caching feature of the engine. By
# default, the engine will store an MD5 in a cache of any files that are
# not flagged as virus or that hit limits checks. Disabling the cache will
# have a negative performance impact on large scans.
# Default: no
DisableCache no
# In some cases (eg. complex malware, exploits in graphic files, and others),
# ClamAV uses special algorithms to detect abnormal patterns and behaviors that
# may be malicious. This option enables alerting on such heuristically
# detected potential threats.
# Default: yes
HeuristicAlerts {{ clamav_clamd_heuristic_alert }}
# Allow heuristic alerts to take precedence.
# When enabled, if a heuristic scan (such as phishingScan) detects
# a possible virus/phish it will stop scan immediately. Recommended, saves CPU
# scan-time.
# When disabled, virus/phish detected by heuristic scans will be reported only at
# the end of a scan. If an archive contains both a heuristically detected
# virus/phish, and a real malware, the real malware will be reported
#
# Keep this disabled if you intend to handle "*.Heuristics.*" viruses
# differently from "real" malware.
# If a non-heuristically-detected virus (signature-based) is found first,
# the scan is interrupted immediately, regardless of this config option.
#
# Default: no
HeuristicScanPrecedence {{ clamav_clamd_heuristic_has_precedence }}
##
## Heuristic Alerts
##
# With this option clamav will try to detect broken executables (both PE and
# ELF) and alert on them with the Broken.Executable heuristic signature.
# Default: no
#AlertBrokenExecutables yes
# Alert on encrypted archives _and_ documents with heuristic signature (encrypted .zip, .7zip, .rar, .pdf).
# Default: no
#AlertEncrypted yes
# Alert on encrypted archives with heuristic signature (encrypted .zip, .7zip, .rar).
# Default: no
#AlertEncryptedArchive yes
# Alert on encrypted archives with heuristic signature (encrypted .pdf).
# Default: no
#AlertEncryptedDoc yes
# With this option enabled OLE2 files containing VBA macros, which were not
# detected by signatures will be marked as "Heuristics.OLE2.ContainsMacros".
# Default: no
#AlertOLE2Macros yes
# Alert on SSL mismatches in URLs, even if the URL isn't in the database.
# This can lead to false positives.
# Default: no
#AlertPhishingSSLMismatch yes
# Alert on cloaked URLs, even if URL isn't in database.
# This can lead to false positives.
# Default: no
#AlertPhishingCloak yes
# Alert on raw DMG image files containing partition intersections
# Default: no
#AlertPartitionIntersection yes
##
## Executable files
##
# PE stands for Portable Executable - it's an executable file format used
# in all 32 and 64-bit versions of Windows operating systems. This option
# allows ClamAV to perform a deeper analysis of executable files and it's also
# required for decompression of popular executable packers such as UPX, FSG,
# and Petite. If you turn off this option, the original files will still be
# scanned, but without additional processing.
# Default: yes
#ScanPE yes
# Certain PE files contain an authenticode signature. By default, we check
# the signature chain in the PE file against a database of trusted and
# revoked certificates if the file being scanned is marked as a virus.
# If any certificate in the chain validates against any trusted root, but
# does not match any revoked certificate, the file is marked as whitelisted.
# If the file does match a revoked certificate, the file is marked as virus.
# The following setting completely turns off authenticode verification.
# Default: no
#DisableCertCheck yes
# Executable and Linking Format is a standard format for UN*X executables.
# This option allows you to control the scanning of ELF files.
# If you turn off this option, the original files will still be scanned, but
# without additional processing.
# Default: yes
#ScanELF yes
{% if clamav_clamd_additional_doc_scanning %}
##
## Documents
##
# This option enables scanning of OLE2 files, such as Microsoft Office
# documents and .msi files.
# If you turn off this option, the original files will still be scanned, but
# without additional processing.
# Default: yes
ScanOLE2 yes
# This option enables scanning within PDF files.
# If you turn off this option, the original files will still be scanned, but
# without decoding and additional processing.
# Default: yes
ScanPDF yes
# This option enables scanning within SWF files.
# If you turn off this option, the original files will still be scanned, but
# without decoding and additional processing.
# Default: yes
ScanSWF yes
# This option enables scanning xml-based document files supported by libclamav.
# If you turn off this option, the original files will still be scanned, but
# without additional processing.
# Default: yes
ScanXMLDOCS yes
# This option enables scanning of HWP3 files.
# If you turn off this option, the original files will still be scanned, but
# without additional processing.
# Default: yes
ScanHWP3 yes
{% endif %}
##
## Mail files
##
# Enable internal e-mail scanner.
# If you turn off this option, the original files will still be scanned, but
# without parsing individual messages/attachments.
# Default: yes
ScanMail {{ clamav_clamd_email_scan }}
# Scan RFC1341 messages split over many emails.
# You will need to periodically clean up $TemporaryDirectory/clamav-partial
# directory.
# WARNING: This option may open your system to a DoS attack.
# Never use it on loaded servers.
# Default: no
ScanPartialMessages yes
# With this option enabled ClamAV will try to detect phishing attempts by using
# HTML.Phishing and Email.Phishing NDB signatures.
# Default: yes
PhishingSignatures yes
# With this option enabled ClamAV will try to detect phishing attempts by
# analyzing URLs found in emails using WDB and PDB signature databases.
# Default: yes
PhishingScanURLs yes
##
## Data Loss Prevention (DLP)
##
# Enable the DLP module
# Default: No
#StructuredDataDetection yes
# This option sets the lowest number of Credit Card numbers found in a file
# to generate a detect.
# Default: 3
#StructuredMinCreditCardCount 5
# This option sets the lowest number of Social Security Numbers found
# in a file to generate a detect.
# Default: 3
#StructuredMinSSNCount 5
# With this option enabled the DLP module will search for valid
# SSNs formatted as xxx-yy-zzzz
# Default: yes
#StructuredSSNFormatNormal yes
# With this option enabled the DLP module will search for valid
# SSNs formatted as xxxyyzzzz
# Default: no
#StructuredSSNFormatStripped yes
##
## HTML
##
# Perform HTML normalisation and decryption of MS Script Encoder code.
# Default: yes
# If you turn off this option, the original files will still be scanned, but
# without additional processing.
ScanHTML {{ clamav_clamd_html_scan }}
##
## Archives
##
# ClamAV can scan within archives and compressed files.
# If you turn off this option, the original files will still be scanned, but
# without unpacking and additional processing.
# Default: yes
ScanArchive {{ clamav_clamd_archives_scan }}
##
## Limits
##
# The options below protect your system against Denial of Service attacks
# using archive bombs.
# This option sets the maximum amount of time to a scan may take.
# In this version, this field only affects the scan time of ZIP archives.
# Value of 0 disables the limit
# Note: disabling this limit or setting it too high may result allow scanning
# of certain files to lock up the scanning process/threads resulting in a Denial
# of Service.
# Time is in milliseconds.
# Default: 120000
MaxScanTime {{ clamav_clamd_max_scan_time }}
# This option sets the maximum amount of data to be scanned for each input
# file.
# Archives and other containers are recursively extracted and scanned up to
# this value.
# Value of 0 disables the limit
# Note: disabling this limit or setting it too high may result in severe damage
# to the system.
# Default: 100M
MaxScanSize {{ clamav_clamd_stream_max_lenght }}M
# Files larger than this limit won't be scanned. Affects the input file itself
# as well as files contained inside it (when the input file is an archive, a
# document or some other kind of container).
# Value of 0 disables the limit.
# Note: disabling this limit or setting it too high may result in severe damage
# to the system.
# Default: 25M
#MaxFileSize 30M
# Nested archives are scanned recursively, e.g. if a Zip archive contains a RAR
# file, all files within it will also be scanned. This options specifies how
# deeply the process should be continued.
# Note: setting this limit too high may result in severe damage to the system.
# Default: 16
MaxRecursion 10
# Number of files to be scanned within an archive, a document, or any other
# container file.
# Value of 0 disables the limit.
# Note: disabling this limit or setting it too high may result in severe damage
# to the system.
# Default: 10000
#MaxFiles 15000
# Maximum size of a file to check for embedded PE. Files larger than this value
# will skip the additional analysis step.
# Note: disabling this limit or setting it too high may result in severe damage
# to the system.
# Default: 10M
#MaxEmbeddedPE 10M
# Maximum size of a HTML file to normalize. HTML files larger than this value
# will not be normalized or scanned.
# Note: disabling this limit or setting it too high may result in severe damage
# to the system.
# Default: 10M
#MaxHTMLNormalize 10M
# Maximum size of a normalized HTML file to scan. HTML files larger than this
# value after normalization will not be scanned.
# Note: disabling this limit or setting it too high may result in severe damage
# to the system.
# Default: 2M
#MaxHTMLNoTags 2M
# Maximum size of a script file to normalize. Script content larger than this
# value will not be normalized or scanned.
# Note: disabling this limit or setting it too high may result in severe damage
# to the system.
# Default: 5M
#MaxScriptNormalize 5M
# Maximum size of a ZIP file to reanalyze type recognition. ZIP files larger
# than this value will skip the step to potentially reanalyze as PE.
# Note: disabling this limit or setting it too high may result in severe damage
# to the system.
# Default: 1M
#MaxZipTypeRcg 1M
# This option sets the maximum number of partitions of a raw disk image to be
# scanned.
# Raw disk images with more partitions than this value will have up to
# the value number partitions scanned. Negative values are not allowed.
# Note: setting this limit too high may result in severe damage or impact
# performance.
# Default: 50
#MaxPartitions 128
# This option sets the maximum number of icons within a PE to be scanned.
# PE files with more icons than this value will have up to the value number
# icons scanned.
# Negative values are not allowed.
# WARNING: setting this limit too high may result in severe damage or impact
# performance.
# Default: 100
#MaxIconsPE 200
# This option sets the maximum recursive calls for HWP3 parsing during
# scanning. HWP3 files using more than this limit will be terminated and
# alert the user.
# Scans will be unable to scan any HWP3 attachments if the recursive limit
# is reached.
# Negative values are not allowed.
# WARNING: setting this limit too high may result in severe damage or impact
# performance.
# Default: 16
#MaxRecHWP3 16
# This option sets the maximum calls to the PCRE match function during
# an instance of regex matching.
# Instances using more than this limit will be terminated and alert the user
# but the scan will continue.
# For more information on match_limit, see the PCRE documentation.
# Negative values are not allowed.
# WARNING: setting this limit too high may severely impact performance.
# Default: 100000
#PCREMatchLimit 20000
# This option sets the maximum recursive calls to the PCRE match function
# during an instance of regex matching.
# Instances using more than this limit will be terminated and alert the user
# but the scan will continue.
# For more information on match_limit_recursion, see the PCRE documentation.
# Negative values are not allowed and values > PCREMatchLimit are superfluous.
# WARNING: setting this limit too high may severely impact performance.
# Default: 2000
#PCRERecMatchLimit 10000
# This option sets the maximum filesize for which PCRE subsigs will be
# executed. Files exceeding this limit will not have PCRE subsigs executed
# unless a subsig is encompassed to a smaller buffer.
# Negative values are not allowed.
# Setting this value to zero disables the limit.
# WARNING: setting this limit too high or disabling it may severely impact
# performance.
# Default: 25M
#PCREMaxFileSize 100M
# When AlertExceedsMax is set, files exceeding the MaxFileSize, MaxScanSize, or
# MaxRecursion limit will be flagged with the virus
# "Heuristics.Limits.Exceeded".
# Default: no
AlertExceedsMax yes
##
## On-access Scan Settings
##
# Enable on-access scanning. Currently, this is supported via fanotify.
# Clamuko/Dazuko support has been deprecated.
# Default: no
#ScanOnAccess yes
# Set the mount point to be scanned. The mount point specified, or the mount
# point containing the specified directory will be watched. If any directories
# are specified, this option will preempt the DDD system. This will notify
# only. It can be used multiple times.
# (On-access scan only)
# Default: disabled
#OnAccessMountPath /
#OnAccessMountPath /home/user
# Don't scan files larger than OnAccessMaxFileSize
# Value of 0 disables the limit.
# Default: 5M
#OnAccessMaxFileSize 10M
# Set the include paths (all files inside them will be scanned). You can have
# multiple OnAccessIncludePath directives but each directory must be added
# in a separate line. (On-access scan only)
# Default: disabled
#OnAccessIncludePath /home
#OnAccessIncludePath /students
# Set the exclude paths. All subdirectories are also excluded.
# (On-access scan only)
# Default: disabled
#OnAccessExcludePath /home/bofh
# With this option you can whitelist the root UID (0). Processes run under
# root with be able to access all files without triggering scans or
# permission denied events.
# Note that if clamd cannot check the uid of the process that generated an
# on-access scan event (e.g., because OnAccessPrevention was not enabled, and
# the process already exited), clamd will perform a scan. Thus, setting
# OnAccessExcludeRootUID is not *guaranteed* to prevent every access by the
# root user from triggering a scan (unless OnAccessPrevention is enabled).
# Default: no
#OnAccessExcludeRootUID no
# With this option you can whitelist specific UIDs. Processes with these UIDs
# will be able to access all files without triggering scans or permission
# denied events.
# This option can be used multiple times (one per line).
# Using a value of 0 on any line will disable this option entirely.
# To whitelist the root UID (0) please enable the OnAccessExcludeRootUID
# option.
# Also note that if clamd cannot check the uid of the process that generated an
# on-access scan event (e.g., because OnAccessPrevention was not enabled, and
# the process already exited), clamd will perform a scan. Thus, setting
# OnAccessExcludeUID is not *guaranteed* to prevent every access by the
# specified uid from triggering a scan (unless OnAccessPrevention is enabled).
# Default: disabled
#OnAccessExcludeUID -1
# Toggles dynamic directory determination. Allows for recursively watching
# include paths.
# (On-access scan only)
# Default: no
#OnAccessDisableDDD yes
# Modifies fanotify blocking behaviour when handling permission events.
# If off, fanotify will only notify if the file scanned is a virus,
# and not perform any blocking.
# (On-access scan only)
# Default: no
#OnAccessPrevention yes
# Toggles extra scanning and notifications when a file or directory is
# created or moved.
# Requires the DDD system to kick-off extra scans.
# NOTE: This feature is disabled until a thread resource leak bug
# in the OnAccessExtraScanning code can be resolved.
# (On-access scan only)
# Default: no
#OnAccessExtraScanning yes
##
## Bytecode
##
# With this option enabled ClamAV will load bytecode from the database.
# It is highly recommended you keep this option on, otherwise you'll miss
# detections for many new viruses.
# Default: yes
Bytecode yes
# Set bytecode security level.
# Possible values:
# None - No security at all, meant for debugging.
# DO NOT USE THIS ON PRODUCTION SYSTEMS.
# This value is only available if clamav was built
# with --enable-debug!
# TrustSigned - Trust bytecode loaded from signed .c[lv]d files, insert
# runtime safety checks for bytecode loaded from other sources.
# Paranoid - Don't trust any bytecode, insert runtime checks for all.
# Recommended: TrustSigned, because bytecode in .cvd files already has these
# checks.
# Note that by default only signed bytecode is loaded, currently you can only
# load unsigned bytecode in --enable-debug mode.
#
# Default: TrustSigned
BytecodeSecurity {{ clamav_clamd_bytecode_security }}
# Set bytecode timeout in milliseconds.
#
# Default: 5000
# BytecodeTimeout 1000
##
## Statistics gathering and submitting
##

View File

@ -0,0 +1,69 @@
# This file contains user configuration settings for clamav-unofficial-sigs.sh
###################
# This is property of eXtremeSHOK.com
# You are free to use, modify and distribute, however you may not remove this notice.
# Copyright (c) Adrian Jon Kriel :: admin@extremeshok.com
# License: BSD (Berkeley Software Distribution)
##################
#
# Script updates can be found at: https://github.com/extremeshok/clamav-unofficial-sigs
#
##################
#
# NOT COMPATIBLE WITH VERSION 3.XX / 4.XX CONFIG
#
################################################################################
# SEE MASTER.CONF FOR CONFIG EXPLANATIONS
################################################################################
# Values in this file will always override those in the master.conf and os.conf files.
# This is useful to specify your authorisation/receipt codes and to always force certain options.
# Please note, it is your responsibility to manage the contents of this file.
# Values provided here are just examples, feel free to use any values from the main config file.
#malwarepatrol_receipt_code="YOUR-RECEIPT-NUMBER"
#malwarepatrol_product_code="8"
#malwarepatrol_list="clamav_basic" # clamav_basic or clamav_ext
#malwarepatrol_free="yes"
#securiteinfo_authorisation_signature="YOUR-SIGNATURE-NUMBER"
# Default dbs rating (Default: MEDIUM)
# valid rating: LOW, MEDIUM, HIGH
#default_dbs_rating="HIGH"
# Per Database
# These ratings will override the global rating for the specific database
# valid rating: LOW, MEDIUM, HIGH, DISABLE
#sanesecurity_dbs_rating="HIGH"
#securiteinfo_dbs_rating="HIGH"
#linuxmalwaredetect_dbs_rating="HIGH"
#yararulesproject_dbs_rating="HIGH"
# =========================
# Additional signature databases
# =========================
#declare -a additional_dbs=(
# ftp://ftp.example.net/pub/sigs.ndb
# http://www.example.org/sigs.ldb
#) #END ADDITIONAL DATABASES
# Uncomment the following line to enable the script
user_configuration_complete="yes"
{% if clamav_additional_signatures_use_proxy %}
# Proxy Support
# If necessary to proxy database downloads, define the rsync, curl, wget, dig, hosr proxy settings here.
#rsync_proxy="username:password@proxy_host:proxy_port"
{% if clamav_additional_signatures_use_proxy_auth %}
curl_proxy="--proxy http://{{ clamav_additional_signatures_proxy_user }}:{{ clamav_additional_signatures_proxy_pwd }}@{{ clamav_additional_signatures_proxy_host }}:{{ clamav_additional_signatures_proxy_port }}"
wget_proxy="-e http_proxy=http://{{ clamav_additional_signatures_proxy_user }}:{{ clamav_additional_signatures_proxy_pwd }}@{{ clamav_additional_signatures_proxy_host }}:{{ clamav_additional_signatures_proxy_port }} -e https_proxy=https://{{ clamav_additional_signatures_proxy_user }}:{{ clamav_additional_signatures_proxy_pwd }}@{{ clamav_additional_signatures_proxy_host }}:{{ clamav_additional_signatures_proxy_port }}"
{% else %}
curl_proxy="--proxy http://{{ clamav_additional_signatures_proxy_host }}:{{ clamav_additional_signatures_proxy_port }}"
wget_proxy="-e http_proxy=http://{{ clamav_additional_signatures_proxy_host }}:{{ clamav_additional_signatures_proxy_port }} -e https_proxy=https://{{ clamav_additional_signatures_proxy_host }}:{{ clamav_additional_signatures_proxy_port }}"
{% endif %}
#dig_proxy="@proxy_host -p proxy_host:proxy_port"
#host_proxy="@proxy_host" #does not support port
{% endif %}
# https://eXtremeSHOK.com ######################################################