Saturday, October 24, 2015

Power-Up Series 0x2 - ClamAV and Yara Integration

This release candidate requires PCRE (Perl Compatible Regular Expressions), which ClamAV uses for the regular expressions in Yara rules. Install the library and its headers on the host Ubuntu system before running configure: $ sudo apt-get install libpcre3 libpcre3-dev

Download & Install the Latest Release Code:
With the clamav-0.99-rc1.tar.gz tarball already downloaded into your home directory:
$ cd ~
$ tar zxvf clamav-0.99-rc1.tar.gz && cd clamav-0.99-rc1/
$ ./configure && make && sudo make install

$ sudo cp /usr/local/etc/freshclam.conf.sample /usr/local/etc/freshclam.conf
$ sudo vim /usr/local/etc/freshclam.conf
-----
Comment out the "Example" line (freshclam refuses to start while it is present)
-----
$ sudo cp /usr/local/etc/clamd.conf.sample /usr/local/etc/clamd.conf
$ sudo vim /usr/local/etc/clamd.conf
-----
Comment out the "Example" line here as well
-----
$ sudo mkdir -p /usr/local/share/clamav
$ sudo useradd clamav -r -s /usr/sbin/nologin
$ sudo chown -R clamav:clamav /usr/local/share/clamav/


Updating Clam Signatures:
$ sudo /usr/local/bin/freshclam

To verify that the downloaded databases are authentic, have sigtool print each database header. The last line of the output must read "Verification OK.", which means the header's digital signature checked out:
$ sigtool --info /usr/local/share/clamav/main.cvd
$ sigtool --info /usr/local/share/clamav/daily.cvd

The file-type extension ".cvd" stands for "ClamAV Virus Database"; main.cvd is the base database and daily.cvd holds the signatures added since main was built. Once freshclam has applied incremental updates it replaces daily.cvd with a locally assembled daily.cld, so check whichever of the two is present.

Run '$ sudo ldconfig' if freshclam or clamscan fails with an error while loading libclamav.so's shared libraries (the freshly installed library under /usr/local/lib is not yet in the loader cache).
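The two sigtool checks above are easy to automate. The following is an added example, not code from the original post: it parses "sigtool --info" output, accepts a database only when the "Verification OK." line is present, and also flags a database whose build time is older than a limit (a database that stops getting newer usually means freshclam is failing quietly). The sample headers are constructed placeholders, and CLAMAV_DB_DIR is assumed to be the install path used in this post.

```shell
#!/bin/sh
# Added example (not from the original post): parse "sigtool --info" output and
# accept a database only if its header signature verified and it is recent.
# CLAMAV_DB_DIR is assumed to be the install path used in this post.

CLAMAV_DB_DIR="${CLAMAV_DB_DIR:-/usr/local/share/clamav}"

# Constructed sample of a verified header. Values are placeholders, not a real CVD.
SAMPLE_OK='File: /usr/local/share/clamav/daily.cvd
Build time: 23 Oct 2015 09:28 -0400
Version: 20971
Signatures: 1470000
Functionality level: 63
Builder: neo
MD5: 00000000000000000000000000000000
Digital signature: (placeholder)
Verification OK.'

# Constructed sample of a header whose signature did not verify: the
# "Verification OK." line is absent (the exact failure text is not reproduced).
SAMPLE_BAD='File: /tmp/daily.cvd
Build time: 23 Oct 2015 09:28 -0400
Version: 20971
Signatures: 1470000
Functionality level: 63
Builder: neo
MD5: 00000000000000000000000000000000
Digital signature: (placeholder)'

# 0 when sigtool confirmed the header's digital signature.
cvd_verified() {              # $1 = sigtool --info output
    printf '%s\n' "$1" | grep -qxF 'Verification OK.'
}

# Print the value of one header field, e.g. cvd_field "$out" Version
cvd_field() {                 # $1 = sigtool --info output, $2 = field name
    printf '%s\n' "$1" | sed -n "s/^$2: *//p"
}

# 0 when the database was built no more than $2 days before $3 (epoch seconds,
# defaults to now). Needs GNU date for the "-d" parsing; returns 2 otherwise.
cvd_fresh() {                 # $1 = output, $2 = max age in days, $3 = reference time
    built=$(date -d "$(cvd_field "$1" 'Build time')" +%s 2>/dev/null) || return 2
    now=${3:-$(date +%s)}
    [ $(( (now - built) / 86400 )) -le "$2" ]
}

# Check every database freshclam may have written. A .cld is assembled locally
# from signed .cdiff patches and carries no signature of its own, so only its
# age is checked; a .cvd must verify as well.
check_clamav_db() {           # $1 = max age in days (default 7)
    max_age=${1:-7}; rc=0
    for f in main.cvd daily.cvd daily.cld bytecode.cvd bytecode.cld; do
        p="$CLAMAV_DB_DIR/$f"
        [ -f "$p" ] || continue
        if ! out=$(sigtool --info "$p" 2>&1); then
            echo "FAIL $p: $out"; rc=1; continue
        fi
        case $p in
            *.cvd) cvd_verified "$out" || { echo "FAIL $p: signature did not verify"; rc=1; continue; } ;;
        esac
        if cvd_fresh "$out" "$max_age"; then
            echo "OK   $p version $(cvd_field "$out" Version)"
        else
            echo "FAIL $p: older than $max_age days"; rc=1
        fi
    done
    return $rc
}
```

Source the file and run check_clamav_db from cron after freshclam; a non-zero exit means at least one database failed verification or has gone stale.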

Perform a Recursive Anti-Virus Scan against the File System:
$ sudo /usr/local/bin/clamscan -rio --bell /

(-r recurses into directories, -i prints only infected files and -o suppresses the "OK" lines.) When scanning from /, add --exclude-dir with a pattern covering /proc, /sys and /dev; those pseudo-filesystems hold nothing worth scanning and can stall the walk.

Download Yara Rules & Copy them into the ClamAV Database:
$ cd ~
$ sudo apt-get -y install git
$ git clone https://github.com/Yara-Rules/rules.git
$ cd rules/
$ sudo cp *.yar /usr/local/share/clamav

This copies only the rule files at the top of the repository; rules kept in subdirectories (e.g. malware/) have to be copied separately. Everything placed in the database directory is loaded on every scan, so only copy rule sets whose false-positive rate you have checked.

Alternatively, you can point clamscan at a specific Yara rules file with --database (-d); only that file is loaded then, instead of the default database directory: sudo /usr/local/bin/clamscan -rio --bell --remove=no --leave-temps / --database ~/rules/packer.yar

WARNING: Yara rule sets written for threat hunting match legitimate files too (a packer rule fires on any UPX-packed executable, malicious or not), so never combine them with --remove=yes or --move against /. clamscan only reports by default, but keeping "--remove=no" in the command makes that intent explicit, and "--leave-temps" preserves the temporary files extracted from archives so a suspicious match can be examined afterwards.
As a safeguard, create a command alias within the ".bashrc" file and set the Yara file location as its one and only argument.
$ vim ~/.bashrc 

-----
alias yarascan='sudo /usr/local/bin/clamscan -rio --bell --remove=no --leave-temps / --database '
-----

Note the trailing space after the "--database" parameter: an alias is plain text substitution, so whatever follows yarascan on the command line is appended as the database path. Simply run yarascan followed by the path to the desired Yara rules: $ yarascan ~/rules/malware/Zeus.yar
Run '$ source ~/.bashrc' (or open a new terminal session) for the alias to take effect. 
For additional functionality, integrate Talos' Bytecode Compiler:

$ git clone https://github.com/vrtadmin/clamav-bytecode-compiler
$ cd clamav-bytecode-compiler/
$ mkdir obj && cd obj/
$ ../llvm/configure --enable-optimized --enable-targets=host-only --disable-bindings --prefix=/usr/local/clamav
$ make clambc-only -j4
$ sudo make install-clambc
$ sudo vim /usr/local/etc/clamd.conf
-----
By default, ClamAV only executes bytecode signatures that carry a valid Talos signature; in this configuration those are the ones in bytecode.cvd under "/usr/local/share/clamav". In order to execute your own custom bytecode signatures (the .cbc files the compiler produces), add the line "BytecodeUnsigned yes" and uncomment "BytecodeTimeout 1000" in clamd.conf. These settings only apply to clamd: clamscan does not read clamd.conf, so pass --bytecode-unsigned=yes (and --bytecode-timeout=1000) on its command line instead. Unsigned bytecode runs inside the scanning engine with no signature check, so enable it only on hosts where you control every .cbc in the database directory.
-----

$ sudo clamscan --remove=no --leave-temps -rio --bytecode=yes --bytecode-unsigned=yes /
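The "yarascan" alias above and the unsigned-bytecode scan share the same shape, and both deserve the same guard rails. The following is an added example, not code from the original post: a shell function that replaces the alias, refuses a missing or unsupported database file, keeps --remove=no hard-wired, excludes the pseudo-filesystems, and turns on the unsigned-bytecode flags only when the database is a compiled .cbc. CLAMSCAN, SCAN_ROOT, EXCLUDE_DIRS and the DRY_RUN switch are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the original post): a shell function in place of the
# "yarascan" alias. It builds the clamscan argument list once so the same safety
# rules apply whether the database is a Yara rules file (.yar) or a compiled
# bytecode signature (.cbc). CLAMSCAN, SCAN_ROOT and EXCLUDE_DIRS are assumptions.

CLAMSCAN="${CLAMSCAN:-/usr/local/bin/clamscan}"   # install prefix used in the post
SCAN_ROOT="${SCAN_ROOT:-/}"
# Pseudo-filesystems hold nothing worth scanning and can stall a recursive walk of /.
EXCLUDE_DIRS='^/(proc|sys|dev|run)($|/)'

# Print the arguments clamscan should receive, one per line, for database $1.
# A .cbc database enables unsigned bytecode execution on the command line, which
# is the clamscan equivalent of "BytecodeUnsigned yes" in clamd.conf (clamscan
# does not read clamd.conf). --remove is hard-wired to "no".
scan_args() {
    case $1 in
        *.yar|*.yara) extra='' ;;
        *.cbc) extra='--bytecode=yes
--bytecode-unsigned=yes
--bytecode-timeout=1000' ;;
        *) echo "scan_args: unsupported database type: $1" >&2; return 2 ;;
    esac
    printf '%s\n' -r -i -o --bell --remove=no --leave-temps "--exclude-dir=$EXCLUDE_DIRS"
    if [ -n "$extra" ]; then printf '%s\n' "$extra"; fi
    printf '%s\n' "--database=$1" "$SCAN_ROOT"
}

# Run the scan. With DRY_RUN=1 the command line is printed instead of executed,
# so the arguments can be inspected (and tested) on a host without ClamAV.
run_scan() {
    db=$1
    if [ -z "$db" ] || [ ! -f "$db" ]; then
        echo "usage: run_scan /path/to/rules.yar (or signature.cbc)" >&2
        return 2
    fi
    args=$(scan_args "$db") || return $?
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s %s\n' "$CLAMSCAN" "$(printf '%s' "$args" | tr '\n' ' ')"
        return 0
    fi
    # Split the argument list on newlines only, with globbing off, so a rules
    # path containing spaces or "*" reaches clamscan unchanged.
    old_ifs=$IFS; IFS='
'
    set -f
    set -- $args
    IFS=$old_ifs; set +f
    sudo "$CLAMSCAN" "$@"
}

# Same name as the alias in the post; also accepts a .cbc file.
yarascan() { run_scan "$1"; }   # e.g. yarascan ~/rules/malware/Zeus.yar
```

Source the file from ~/.bashrc instead of defining the alias; DRY_RUN=1 yarascan ~/rules/packer.yar shows exactly what would be executed before anything touches the filesystem.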

References:
http://askubuntu.com/questions/140246/how-do-i-resolve-unmet-dependencies-after-adding-a-ppa
http://sublimerobots.com/2015/04/openappid-with-snort-2-9-7-x-on-ubuntu/
http://blog.clamav.net/2015/06/clamav-099b-meets-yara.html
https://www.clamxav.com/BB/viewtopic.php?f=1&t=2891
http://www.cyberciti.biz/faq/debian-ubuntu-linux-install-libpcre3-dev/
http://stackoverflow.com/questions/11466419/how-to-create-bash-alias-with-argument
http://blog.clamav.net/2014/11/brief-re-introduction-to-clamav.html
