Malware Expert publishes around 1545 PHP signatures for ClamAV. They are quite helpful for catching new infections, and the ones we might otherwise miss when cleaning up infected sites.

The setup is simple and the rules/signatures are updated regularly. They stack on top of the default ClamAV signatures, so they are good to have. This article explains the setup of the rules for users who are confused by it.

Install epel-release (the CentOS/RHEL repository that carries the ClamAV packages)

yum install epel-release

Install ClamAV

yum install clamav

Add the Malware Expert signatures – https://malware.expert/signatures/

vi /etc/freshclam.conf

Append the four sources at the end of /etc/freshclam.conf. Each file is a different ClamAV database type: .ndb holds body-based hex signatures, .hdb file-hash signatures, .ldb logical signatures, and .fp is a false-positive (whitelist) list that suppresses known bad matches from the other three.

DatabaseCustomURL http://cdn.malware.expert/malware.expert.ndb
DatabaseCustomURL http://cdn.malware.expert/malware.expert.hdb
DatabaseCustomURL http://cdn.malware.expert/malware.expert.ldb
DatabaseCustomURL http://cdn.malware.expert/malware.expert.fp

Keep in mind that, unlike the official main/daily/bytecode .cvd files, DatabaseCustomURL downloads are not signed by ClamAV, and these are fetched over plain HTTP, so freshclam loads whatever the mirror and the network path hand it.

Download the new signatures

sudo freshclam
ClamAV update process started at Sun Apr 14 14:41:12 2019
Downloading malware.expert.ndb [100%]
malware.expert.ndb updated (version: custom database, sigs: 941)
Downloading malware.expert.hdb [100%]
malware.expert.hdb updated (version: custom database, sigs: 413)
Downloading malware.expert.ldb [100%]
malware.expert.ldb updated (version: custom database, sigs: 142)
Downloading malware.expert.fp [100%]
malware.expert.fp updated (version: custom database, sigs: 47)
main.cvd is up to date (version: 58, sigs: 4566249, f-level: 60, builder: sigmgr)
daily.cvd is up to date (version: 25419, sigs: 1549194, f-level: 63, builder: raynman)
bytecode.cvd is up to date (version: 328, sigs: 94, f-level: 63, builder: neo)
Database updated (6117080 signatures) from database.clamav.net

The downloaded signatures are stored in /var/lib/clamav:

ls -lh /var/lib/clamav
total 152M
-rw-r--r--. 1 clamupdate clamupdate 196K Apr 14 14:21 bytecode.cvd
-rw-r--r--. 1 clamupdate clamupdate  39M Apr 14 14:21 daily.cvd
-rw-r--r--. 1 clamupdate clamupdate 113M Apr 14 14:20 main.cvd
-rw-r--r--. 1 clamupdate clamupdate 2.6K Apr 14 14:41 malware.expert.fp
-rw-r--r--. 1 clamupdate clamupdate  30K Apr 14 14:41 malware.expert.hdb
-rw-r--r--. 1 clamupdate clamupdate  21K Apr 14 14:41 malware.expert.ldb
-rw-r--r--. 1 clamupdate clamupdate 129K Apr 14 14:41 malware.expert.ndb
-rw-------. 1 clamupdate clamupdate   64 Apr 14 15:00 mirrors.dat

Let's test out the new signatures on a site directory (the scan below was run against /public_html):

clamscan -r -i /public_html

-r - recursive scan of all directories
-i - show only infected files

Hits from the custom databases carry the .UNOFFICIAL suffix, which is how ClamAV marks signatures that did not come from its own .cvd files:

/public_html/wp-content/uploads/fef42cds.php: {HEX}Malware.Expert.generic.malware.11.UNOFFICIAL FOUND
/public_html/wp-content/themes/twentyseventeen/header.php: {HEX}Malware.Expert.generic.malware.60.UNOFFICIAL FOUND
/public_html/index.php: {HEX}Malware.Expert.generic.malware.50.UNOFFICIAL FOUND
/public_html/wp-config.php: {HEX}Malware.Expert.generic.malware.57.UNOFFICIAL FOUND

Note that besides the dropped fef42cds.php, generic signatures matched core files (index.php, wp-config.php) and a theme file (header.php). Treat each hit as something to inspect rather than delete: open the flagged file and compare it with a clean copy of WordPress or the theme, since a generic pattern usually means code was injected into an otherwise legitimate file that needs to be restored, not removed.

----------- SCAN SUMMARY -----------
Known viruses: 6108547
Engine version: 0.101.2
Scanned directories: 1338
Scanned files: 8108
Infected files: 4
Data scanned: 390.79 MB
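The whole procedure above boils down to two things that are easy to get wrong when repeated across many hosts: appending the DatabaseCustomURL lines without duplicating them on every re-run, and pulling the flagged paths out of a clamscan -r -i report for follow-up. The script below is an added example, not code from the article or from Malware Expert; the freshclam.conf and scan report it runs against are constructed inline, so it runs offline, and the helpers are meant to be pointed at /etc/freshclam.conf and a real scan log in practice.

```shell
#!/bin/sh
# Added example (not from the original article or Malware Expert).
#   add_custom_urls CONF   - append the four DatabaseCustomURL lines to a
#                            freshclam.conf only if each is missing, so the
#                            setup can be re-run without duplicating entries
#   count_custom_urls CONF - number of DatabaseCustomURL lines in CONF
#   infected_paths REPORT  - just the flagged file paths from a
#                            `clamscan -r -i` report, one per line
#   count_infected REPORT  - number of flagged files in REPORT
# demo() builds a throwaway config and report under mktemp; those inputs are
# constructed here for illustration, not captured from a real host.

ME_BASE="http://cdn.malware.expert"
ME_DBS="malware.expert.ndb malware.expert.hdb malware.expert.ldb malware.expert.fp"

add_custom_urls() {
    conf="$1"
    for db in $ME_DBS; do
        line="DatabaseCustomURL $ME_BASE/$db"
        # -x matches the whole line, -F takes it literally; append only if absent
        grep -qxF "$line" "$conf" || printf '%s\n' "$line" >> "$conf"
    done
}

count_custom_urls() {
    # grep -c exits 1 when the count is 0; "|| true" keeps set -e callers alive
    grep -c '^DatabaseCustomURL ' "$1" || true
}

infected_paths() {
    # clamscan -i prints "<path>: <signature> FOUND" per hit; the summary
    # block never ends in " FOUND", so sed leaves it out
    sed -n 's/^\(.*\): .* FOUND$/\1/p' "$1"
}

count_infected() {
    infected_paths "$1" | wc -l | tr -d ' '
}

demo() {
    tmp=$(mktemp -d)
    conf="$tmp/freshclam.conf"
    report="$tmp/scan.log"

    # constructed minimal freshclam.conf
    printf '%s\n' 'DatabaseMirror database.clamav.net' \
                  'DatabaseDirectory /var/lib/clamav' > "$conf"
    add_custom_urls "$conf"
    add_custom_urls "$conf"            # second run must add nothing
    n_urls=$(count_custom_urls "$conf")

    # constructed clamscan -r -i report in the format the article shows
    cat > "$report" <<'EOF'
/public_html/wp-content/uploads/fef42cds.php: {HEX}Malware.Expert.generic.malware.11.UNOFFICIAL FOUND
/public_html/index.php: {HEX}Malware.Expert.generic.malware.50.UNOFFICIAL FOUND

----------- SCAN SUMMARY -----------
Known viruses: 6108547
Infected files: 2
EOF
    n_hits=$(count_infected "$report")

    echo "DatabaseCustomURL lines after two runs: $n_urls"
    echo "flagged files: $n_hits"
    infected_paths "$report"
    rm -rf "$tmp"
}

demo
```

On a real host, run add_custom_urls /etc/freshclam.conf as root, then sudo freshclam, and feed the output of clamscan -r -i /path/to/site to infected_paths to get a list you can walk through file by file instead of acting on the raw report.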

That’s all.
