October 2020 Archives
Thu Oct 8 15:19:50 +07 2020
ClamAV Unofficial and Malware Patrol
OK, so I think I have a better understanding of ClamAV Unofficial signatures. It is all based upon the shell script by eXtremeSHOK.com.
In the configuration file, it is clear that /var/db/clamav-unofficial-sigs is only a working directory; the signatures themselves end up in /var/db/clamav. Since it is just a working directory, there is no reason to run a second instance of ClamAV from it: the first and only instance of ClamAV that is needed will pick up the new unofficial signatures once they are installed in the signature directory.
So I killed the second instance of ClamAV (launched from /etc/rc.local). But I kept clamd-un.conf, just in case.
Now the problem with Malware Patrol: because malware is being distributed from the Google Drive root, they flag anything that contains the string https://drive.google.com. That cannot work for us, as it flags any email that mentions a document stored in Google Drive and disrupts our work.
The solution I have implemented is a Perl script (/usr/local/bin/clamav-unofficial-sigs-post.pl) that the ClamAV Unofficial script calls at the point where it would otherwise run clamdscan --reload. My Perl script removes the Google Drive signatures and then executes the reload.
My Perl script is a dirty hack, as I started developing it on the assumption that a ClamAV signature reload was triggered by a signal; the skeleton of that is still in the script. All locations and strings are hard-coded to fit my needs, and it can be modified if some future whitelisting must be applied.
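As an added illustration of the post-processing step described above (this is example code written for this page, not the author's actual script nor part of clamav-unofficial-sigs), the following Perl script filters the Google Drive entries out of the Malware Patrol signature files and then triggers the reload. The signature directory /var/db/clamav comes from the post; the file-name glob (malwarepatrol*), the matched host string and the exact signature formats are assumptions. The .ndb format stores the signature body as a hex string after the last colon, so the script decodes hex runs before matching; a signature whose hex body is broken up by wildcards around the host name would slip through, which is an accepted limitation of this example.

```perl
#!/usr/bin/perl
# Example post-processing hook for clamav-unofficial-sigs (illustrative, not the
# author's script): drop Malware Patrol signatures that match the Google Drive
# host, then ask clamd to reload its database.
use strict;
use warnings;
use File::Temp qw(tempfile);
use File::Basename qw(dirname);

# Assumptions: the signature directory is taken from the post; the file-name
# pattern for the Malware Patrol set is a guess and must be adapted locally.
my $sigdir   = '/var/db/clamav';
my @sigfiles = glob("$sigdir/malwarepatrol*.{ndb,ldb,hdb,db}");
my $needle   = 'drive.google.com';   # host the unwanted signatures look for

# True if a signature line references the host, either literally (plain-text
# formats) or inside a hex-encoded body (.ndb style: Name:Type:Offset:HEX).
sub mentions_host {
    my ($line) = @_;
    return 1 if index($line, $needle) >= 0;
    my $body = (split /:/, $line)[-1] // '';
    # Decode every contiguous hex run separately so wildcards such as ?? or {n}
    # between runs do not stop us from matching the plain text they surround.
    for my $run ($body =~ /([0-9a-fA-F]+)/g) {
        next if length($run) % 2;                       # not a whole byte run
        return 1 if index(pack('H*', $run), $needle) >= 0;
    }
    return 0;
}

# Rewrite one file without the offending lines. The new content goes to a
# temporary file in the same directory and is renamed into place, so clamd
# never sees a half-written database if it reloads in the middle of this.
sub filter_file {
    my ($path) = @_;
    open my $in, '<', $path or die "open $path: $!";
    my ($out, $tmp) = tempfile(DIR => dirname($path), UNLINK => 0);
    my $dropped = 0;
    while (my $line = <$in>) {
        if (mentions_host($line)) { $dropped++; next; }
        print {$out} $line;
    }
    close $in;
    close $out or die "write $tmp: $!";
    chmod 0644, $tmp;                                   # clamd must be able to read it
    rename $tmp, $path or die "rename $tmp -> $path: $!";
    return $dropped;
}

my $total = 0;
$total += filter_file($_) for @sigfiles;
print "removed $total Google Drive signature(s)\n";

# The unofficial-sigs script would normally run this itself; here it runs only
# after the unwanted signatures are gone, so clamd never loads them.
system('clamdscan', '--reload') == 0
    or die "clamdscan --reload failed (exit status $?)\n";
```

The script is meant to run as the same user that owns the signature directory (the one running clamav-unofficial-sigs), since the renamed temporary file inherits that user's ownership; if clamd runs as a different user, adjust the chmod or ownership to match your local setup.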