If you have deployed ClamAVPlugin and now you want to get a different score based on threat type, you can replace your clamav.cf with the following version.

Security Warning

Note that, since ClamAV reports only one threat type for each email even if the email has more threats, if you assign different scores to different threats you could only get the lowest score of these threats, leading to email bypass! For example, if you set a score of 20.0 to virus and a score of 2.0 to MSRBL and an email has both, you could get only the 2.0 score!

Score should take in account ClamAV priorities:

  • phishing signatures have a higher priority than phishing heuristics;
  • TODO: find and add other priorities in ClamAV.

Code

clamav.cf:

loadplugin ClamAV clamav.pm
full CLAMAV eval:check_clamav()
describe CLAMAV Clam AntiVirus detected something...
score CLAMAV 0.001

# Run CLAMAV early so all the rules here will see the results
priority CLAMAV -10

# Look for specific types of ClamAV detections
header __CLAMAV_PHISH X-Spam-Virus =~ /Yes.{1,30}Phishing/i
header __CLAMAV_PHISH_HEUR X-Spam-Virus =~ /Yes.{1,30}Phishing\.Heuristics\.Email/
header __CLAMAV_SANE X-Spam-Virus =~ /Yes.{1,30}Sanesecurity/i
header __CLAMAV_MBL X-Spam-Virus =~ /Yes.{1,30}MBL/
header __CLAMAV_MSRBL X-Spam-Virus =~ /Yes.{1,30}MSRBL/
header __CLAMAV_VX X-Spam-Virus =~ /Yes.{1,30}VX\./

# Work out what ClamAV detected and score accordingly

# ClamAV general signatures
meta CLAMAV_VIRUS (CLAMAV && !__CLAMAV_PHISH && !__CLAMAV_SANE && !__CLAMAV_MBL && !__CLAMAV_MSRBL && !__CLAMAV_VX)
describe CLAMAV_VIRUS Virus found by ClamAV default signatures
score CLAMAV_VIRUS 20.0

# ClamAV phishing signatures
meta CLAMAV_PHISH (CLAMAV && __CLAMAV_PHISH && !__CLAMAV_SANE && !__CLAMAV_PHISH_HEUR)
describe CLAMAV_PHISH Phishing email found by ClamAV default signatures
score CLAMAV_PHISH 10.0

# ClamAV phishing with heuristic engine (not signatures based, may lead to false positives)
# Available since ClamAV 0.91
meta CLAMAV_PHISH_HEUR (CLAMAV && __CLAMAV_PHISH_HEUR)
describe CLAMAV_PHISH_HEUR Phishing email found by ClamAV heuristic engine
score CLAMAV_PHISH_HEUR 2.0

# ClamAV SaneSecurity signatures from http://www.sanesecurity.com/clamav/
meta CLAMAV_SANE (CLAMAV && __CLAMAV_SANE)
describe CLAMAV_SANE SPAM found by ClamAV SaneSecurity signatures
score CLAMAV_SANE 7.5

# ClamAV MBL signatures from http://www.malware.com.br/
meta CLAMAV_MBL (CLAMAV && __CLAMAV_MBL)
describe CLAMAV_MBL Malware found by ClamAV MBL signatures
score CLAMAV_MBL 7.5

# ClamAV MSRBL signatures from http://www.msrbl.com/
meta CLAMAV_MSRBL (CLAMAV && __CLAMAV_MSRBL)
describe CLAMAV_MSRBL SPAM found by ClamAV MSRBL signatures
score CLAMAV_MSRBL 2.0

# ClamAV SecuriteInfo.com VX malware signatures from
# http://www.securiteinfo.com/services/clamav_unofficial_malwares_signatures.shtml
meta CLAMAV_VX (CLAMAV && __CLAMAV_VX)
describe CLAMAV_VX Malware found by SecuriteInfo.com VX signatures
score CLAMAV_VX 5.0
  • No labels