Atomic CLAMAV Signatures
About the Signatures
The signatures are only available to Real Time license holders.
Installation of the signatures assumes a certain level of comfort with configuring and installing clamav. If you are not comfortable with configuring and installing clamav yourself, you should contact someone who is, or use our Atomic Endpoint Defender product, which does this automatically for you and does not require you to configure or install anything.
The Real Time Atomic CLAMAV Signatures are licensed per server. For each license you can also run the rules on one Development and one QA server.
If you require additional licenses please log into the AtomiCorp License Manager. You can add additional systems there, you can control your payment methods and you can also sign up to become an affiliate.
What does each signature ruleset do?
The Atomicorp CLAMAV Signatures are broken into families - we recommend you load all the rule families. They work well together, and it's safe to use all the rules on a box. We run every signature on all our boxes, and have ever since we first started publishing them almost ten years ago.
- AED-blacklist.ldb - This ruleset contains currently known malicious domains detected by our honeypots.
- AED.hdb - Known malware signatures.
- AED-h.ndb - Heuristic signatures that look for known malware techniques.
- AED-honeypot.hdb - Automatically generated malware signatures from our honeypots.
- AED-honeypot-hex.ndb - Automatically generated heuristic signatures from our honeypots.
- AED.ldb - Advanced Rules using the clamav logic engine.
- AED-advanced.ldb - This includes advanced signatures for malicious sources and domains.
- policy.zmd - Contains policy rules to block certain types of suspicious archives. For example, this contains rules to block .zip files that contain a .exe.
Third Party Signatures
The signatures also include a tested and tuned subset of signatures from the following third parties with their permission:
Easy One Step Installation
- Install AED. This installs everything: clamav, the real time malware protection system, upload scanners, the signatures, the GUI, the rule/signature manager and all other AED components. It also includes the subscription to the real time signatures and will automatically keep the signatures up to date.
A manual installation is “Do it Yourself”. It's not possible to cover every possible clamav installation, so this installation guide assumes you already have clamav installed and working. If you require assistance with setting up, configuring and installing clamav, please purchase an AED license. Rules-only licenses do not include support for installing, configuring, and setting up clamav.
Step 1: Download Signatures
- If you have not already set up a subscription to the Real Time rules (only $14.95 a month, or $99.95 a year), you can do so here: https://www.atomicorp.com/acshop.html
- Once your account is set up, you can download the Real Time rules here: https://www.atomicorp.com/channels/rules/subscription/
Step 2: Install the signatures
Most OSes put the clamav signatures in either: /var/clamav OR /var/lib/clamav
Extract the rules into that directory by running the following commands:

    cd /var/clamav
    tar zxvf clamav-201011111138.tar.gz

If you do not have a /var/clamav or /var/lib/clamav directory, this means either 1) you do not have clamav installed, or 2) you are using a third-party build of clamav that does not store its signatures in the standard Linux locations. Please contact your OS vendor for assistance, or install AED.
Step 3: Ensure the signatures can be read
For most systems, this means “world readable”. Run the following command to configure this:

    chmod og+r AED*
Step 4: Reload Clamd
Run the following command to reload Clamd:

    /etc/init.d/clamd reload
You will need to do this each time you add new signatures to clamd.
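Steps 2 to 4 above, scripted as an added example (this is not Atomicorp's own installer). It assumes the tarball holds the signature files at its top level and that `/etc/init.d/clamd reload` is the reload command; `CLAMD_RELOAD` is an assumed override for systems with a different init command. It also applies the readability fix to every extracted file rather than only the `AED*` glob, so `policy.zmd` is covered as well.

```sh
#!/bin/sh
# Added example, not Atomicorp's installer: scripts Steps 2-4 of the manual
# install. Assumes signature files sit at the tarball's top level and that
# clamd reloads via /etc/init.d/clamd; file names with spaces are not expected.
set -eu

# Step 2 (part 1): pick the signature directory; fail if none exists, which
# is the guide's "clamav not installed / non-standard build" case.
find_sigdir() {
    for d in "$@"; do
        if [ -d "$d" ]; then printf '%s\n' "$d"; return 0; fi
    done
    echo "no clamav signature directory found" >&2
    return 1
}

# Steps 2-3: extract the tarball into the signature directory, then make each
# extracted file readable by group and other so clamd, which normally runs as
# an unprivileged user, can open it. The chmod walks the tarball's member
# list rather than the guide's AED* glob, so policy.zmd is covered as well.
install_sigs() {
    tarball=$1; sigdir=$2
    [ -f "$tarball" ] || { echo "missing tarball: $tarball" >&2; return 1; }
    members=$(tar tzf "$tarball") || return 1
    tar zxf "$tarball" -C "$sigdir" || return 1
    for f in $members; do
        case $f in */) continue ;; esac        # skip directory entries
        chmod og+r "$sigdir/$f" || return 1
        # Verify: the mode string must show 'r' for owner, group and other.
        case $(ls -ld "$sigdir/$f") in
            -???r??r??*) ;;
            *) echo "$f is still not world-readable" >&2; return 1 ;;
        esac
    done
}

# Step 4: clamd only reads signature files at start-up or on reload, so the
# new files stay invisible to it until this runs. CLAMD_RELOAD is an assumed
# override (not from the guide) for systems with a different init command.
reload_clamd() {
    ${CLAMD_RELOAD:-/etc/init.d/clamd reload}
}

main() {
    sigdir=$(find_sigdir /var/clamav /var/lib/clamav)
    install_sigs "$1" "$sigdir"
    reload_clamd
}

# Only act when given a tarball path, e.g.: sh install-aed.sh clamav-201011111138.tar.gz
[ $# -eq 0 ] || main "$@"
```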