Unfortunately ClamAV is not structured for this use case. Sounds like it could be done, but would require writing a custom application using multiple ClamAV scanning engines.
Steve

On Tue, Jun 2, 2015 at 10:03 AM, Adam Massey <[email protected]> wrote:
> hello
> Is there any way to make clamav test custom virus signature files
> before it scans its main signature database?
> I know it's one of those "why would you want to do this" questions
>
> In this case I want to block certain macro viruses based on custom sigs
> if stuff isn't found but macros are I want the files to be labelled as
> containing macros via the heuristic scan engine.
> I'm then using a custom virus scan line in exim to label macro
> containing documents as not all of them are going to be malicious.
> I know of legitimate use of macro documents at my employer so blocking
> them isn't an option in this case
> that doesn't stop our customers opening the really dodgy ones though :(
>
> so the full logic I want is ...
> 1) scan for specific custom viri if found
>    Deny Message
> 2) a) if a virus is found from main clamav signature database
>       Deny Message
>    b) if no custom viri and no main database match found but macro is
>       Accept but label message as containing macros (this works flawlessly)
>    c) If no virus found and no macro found
>       Accept Message
>
> I've debugged the exim config by setting it to only scan for my custom
> definition
>
> I've checked the clamav logs and my test file was still being labelled
> as heuristicscontainsmacros
> the only way I can get clamav to detect my custom definition is if I
> turn off heuristic macro detection which destroys the belt and braces
> approach I want to achieve.
> I've also turned heuristicscanpreference off and on to no avail.
>
> I am aware it makes perfect sense to scan using the main official
> virus database first then custom definitions but I do think that
> heuristics definitions should be third in the pecking order behind
> definitions found in custom sig files.
>
> any ideas?
> thanks
> Adam Massey
> _______________________________________________
> Help us build a comprehensive ClamAV guide:
> https://github.com/vrtadmin/clamav-faq
>
> http://www.clamav.net/contact.html#ml
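
Added example, not part of the original messages and not ClamAV project code: one way to get the ordering asked for above is a wrapper that runs separate `clamscan` passes, a simpler stand-in for the multi-engine application the reply mentions. The database paths, the `verdict`/`parse_found` names, the `defer` outcome and the exact spelling of the macro flag for a given release are assumptions.

```python
import subprocess
import sys

# Assumed locations and flag name; adjust to the installation.
CUSTOM_DB = "/etc/clamav-custom/custom.ndb"  # hypothetical path to the custom signatures
MAIN_DB = "/var/lib/clamav"                  # assumed official database directory
MACRO_FLAG = "--alert-macros=yes"            # older clamscan releases call this --block-macros

def parse_found(stdout):
    """Return the signature name from a 'path: Name FOUND' line, or None."""
    for line in stdout.splitlines():
        if line.endswith(" FOUND"):
            return line[: -len(" FOUND")].rsplit(": ", 1)[-1]
    return None

def clamscan(path, extra):
    """One clamscan pass. Exit code 0 = clean, 1 = match, anything else = error."""
    proc = subprocess.run(["clamscan", "--no-summary", *extra, path],
                          capture_output=True, text=True)
    return proc.returncode, parse_found(proc.stdout)

def verdict(path, scan=clamscan):
    """Apply the passes in the order the thread asks for; stop at the first hit."""
    passes = [
        ("deny", ["--database=" + CUSTOM_DB]),                    # 1) custom signatures
        ("deny", ["--database=" + MAIN_DB]),                      # 2a) official database
        ("label-macros", ["--database=" + MAIN_DB, MACRO_FLAG]),  # 2b) macro heuristic
    ]
    for action, extra in passes:
        rc, sig = scan(path, extra)
        if rc == 1:
            return action, sig
        if rc != 0:
            # Assumed policy: a scanner error never results in accepting unscanned mail.
            return "defer", None
    return "accept", None                                         # 2c) nothing matched

if __name__ == "__main__":
    print(*verdict(sys.argv[1]))
```

Each `clamscan` invocation reloads its database, so this shows the ordering rather than a fast per-message scanner.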
