Atomic CLAMAV Signatures

About the Signatures

  • The signatures are only available to Real Time license holders.

    Installation of the signatures assumes a certain level of comfort with configuring and installing clamav. If you are not comfortable with configuring and installing clamav yourself, you should contact someone that is, or use our Atomic Endpoint Defender product which does this automatically for you, and does not require you to configure or install anything.


Licensing

  • The Real Time Atomic CLAMAV Signatures are licensed by the server. For each license you can also run the rules on one Development and one QA server.

    If you require additional licenses please log into the AtomiCorp License Manager. You can add additional systems there, you can control your payment methods and you can also sign up to become an affiliate.


What does each signature ruleset do?

  • The Atomicorp CLAMAV Signatures are broken into families - we recommend you load all the rule families. They work well together, and its safe to use all the rules on a box. We run every signature on all our boxes and have been since we first started publishing them almost ten years ago.

    • AED-blacklist.ldb - This ruleset contains currently known malicious domains detected by our honeypots.
    • AED.hdb - Known malware signatures.
    • AED-h.ndb - Heuristic signatures that look for known malware techniques.
    • AED-honeypot.hdb - Automatically generate malware signatures from honeypots.
    • AED-honeypot-hex.ndb - Automatically generated heuristic signatures from our honeypots.
    • AED.ldb - Advanced Rules using the clamav logic engine.
    • AED-advanced.ldb - This includes advanced signatures for malicious sources and domains.
    • policy.zmd - Contains policy rules to block certain types of suspicious archives. For example, this contains rules to block .zip files that contain a .exe.

Third Party Signatures


Easy One Step Installation

  • Install AED. This installs everything: clamav, the real time malware protection system, upload scanners, the signatures, the GUI, rule/signature manager and all of AED components, plus it includes the subscription to the real time signatures and will automatically keep the signatures up to date.

Manual Installation

  • A manual installation is “Do it Yourself”. Its not possible to cover ever possible clamav installation, so this installation guide assumes you already have clamav installed and working. If you require assistance with setting up, configuring and installing clamav please purchase an AED license. Rules only licenses do not include support for installing, configuring, and setting up clamav.

    Step 1: Download Signatures

    Step 2: Install the signatures

    • Most OSes put the clamav signatures in either: /var/clamav OR /var/lib/clamav

    • Extract the rules into a directory by running the following commands:

      cd /var/clamav
      tar zxvf clamav-201011111138.tar.gz
      

    Note

    If you do not have a /var/clamav or /var/lib/clamav directory this means 1) you do not have clamav installed, 2) you are using a third party version of clamav that does not store its signatures in the standard locations for Linux. Please contact your OS vendor for assistance, or install AED.

    Step 3: Ensure the signatures can be read

    • For most systems, this means “world readable”. Run the following command to configure this:

      chmod og+r AED*
      

    Step 4: Reload Clamd

    • Run the following command to reload Clamd:

      /etc/init.d/clamd reload
      

    Note

    You will need to do this each time you add new signatures to clamd.


Frequently Asked Questions (FAQ)

  • Please visit the FAQ for more information.