Add unofficial signatures


ShellfishBustard

Seeing that Immunet uses ClamAV, I always wonder if it's possible to load unofficial signature databases into Immunet.

But right now, I solely rely on ClamAV itself whenever I run a full scan of my computer so that I can be sure to detect any other infected files, with those signatures loaded. My unofficial signatures come from providers like URLHaus, Securite, Malware Patrol and Sanesecurity.

If Immunet could have a feature to incorporate their databases, it would be a huge benefit for its users and the community.


1 month later...

I don't use Immunet much now, because it has proven too buggy recently, and I don't really use Windows anymore, but I have a couple of custom scripts that essentially do what you're asking for and certainly worked on previous Immunet versions within the last year.

I won't paste the entire code here as my scripts have evolved into a nasty kluge and they're messy and difficult to understand, so I'll just post the important bits here and you can construct your own to suit your needs.

Points to remember:

Immunet stores its ClamAV databases in the installation directory, in a subfolder of a subfolder (i.e. "clamav\[clamav-version]\"). So for instance, the databases will be in something like "C:\Program Files\Immunet\clamav\0.103.3".

While Immunet is running, it protects its installation directory and all subfolders. To copy files into the folder, you need to stop and restart Immunet.

Immunet's service, in the past, has included the version number and has changed between "Immunet", "ImmunetProtect", and other names. The only thing that's remained consistent is the fact it contains "Immunet" within its name. So a standard "net stop / net start" command with Immunet's exact service name will be unreliable and will be prone to breakage. You need to instead start or stop any service that contains the string "Immunet" in its name, which should account for these changes.

If you have installed Immunet a while ago and upgraded it many times, there will be multiple clamav-version subfolders (0.102, 0.103, etc) but only the latest one will be the active one that Immunet uses. This is very important because the database will only be read from that folder.

General idea of how it works:

My script uses rsync (Windows port) and/or curl (now part of Windows) as necessary to download the custom databases of SecuriteInfo, Sane Security and others.

The script then tries to deduce the ClamAV installation directory, with the assumption that Immunet itself is installed to its default location ("%ProgramFiles%\Immunet"). It makes the assumption that the last ClamAV directory to be installed will be the latest version.

REM List the subfolders of clamav\ only (/ad), newest first (/o-d), as full paths (/s /b);
REM the GOTO breaks out of the loop after the first (newest) entry.
FOR /F "delims=" %%A IN ('dir /s /b /ad /o-d "%ProgramFiles%\Immunet\clamav"') DO (
    SET "TEMPVAR=%%A"
    GOTO :GetClamDb
)

:GetClamDb
set "db=%TEMPVAR%"

I can't remember why I did it with two sections like that. I think I use the "GetClamDb" label as a way of breaking out of a loop or something elsewhere in the script. Either way, what it effectively does is look for the newest subfolder within the "clamav" folder, and sets the "db" variable to be the path of that folder. So now we know where ClamAV (and its database) are stored, and that value is in the variable %db%.

The script then stops Immunet, which removes protection from the installation directory to make it writeable:

REM Stop the Immunet service, without worrying whether it's called "ImmunetProtect", "Immunet 6.0.8", etc.
wmic service where "name like 'Immunet%%'" call stopservice
REM Now let's give a short delay to give the service chance to shut down.
echo Will hopefully be able to copy files now.
choice /t 10 /n /d y

(please note that if you type this in on the command line, you don't want two "%" symbols after the name "Immunet", just one. You need the two "%" symbols if running this from a batch file).

The script then copies the downloaded database-files to the ClamAV installation directory so they can be used:

rem copy db
xcopy /F /Y /D /G /H /R folder-i-downloaded-the-databases-to\*.* "%db%"
echo Will hopefully be able to restart Immunet now.
rem pause so you can see any error messages etc
choice /t 10 /n /d y

And then all that remains is to restart the Immunet service(s) in the same manner we initially stopped them:

rem restart immunet
rem The less robust way was this: net start "Immunet 6.0.8"
rem now we do the following
wmic service where "name like 'Immunet%%'" call startservice

Please note I've not put any error/failure handling into these snippets of code, it's just to get you started.

Also - you could theoretically use rsync or curl to download the custom databases straight into the ClamAV installation directory, but I prefer to download them to a temp folder somewhere, and then only stop Immunet to copy the changed databases across. That way, Immunet is stopped as little as possible, and you're not being left vulnerable the whole time it takes the custom databases to download. This is particularly important if you're not on a paid SecuriteInfo account, as their free databases appear to be rate-limited to ~384kbps download speed.

If it makes your code any easier to understand or more readable, you could just hard-code everything in, however if installation folders or service names change with software-updates, your code will be broken until you edit it.

I hope this helps.

When I tidy up my installation scripts, I'll post the full code. That said, I don't know when I'll manage it because despite how clunky and botched they are, they work for me. Plus nowadays I do almost all my work on GNU/Linux, and only really boot Windows up to apply updates then shut down again. I figure it should stay relatively up-to-date just in case I ever need to use it.

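As an added example (my own, not the poster's script and not anything shipped by Immunet), here is a batch file that chains the four steps from the post above with the error and failure handling the post leaves out: it refuses to run when nothing was downloaded, locates the newest clamav\ version folder, stops only the running services whose names contain "Immunet" and waits until they report STOPPED, copies the changed files, and restarts exactly the services it stopped. It assumes the default install path and the newest-folder-is-active rule from the post, expects the already-downloaded databases in a placeholder folder %TEMP%\clamav-unofficial, and swaps the post's wmic call for sc.exe plus findstr, since wmic is deprecated on current Windows. It has to run from an elevated prompt.

```batch
@echo off
REM Added example, not the poster's script or Immunet's code: refresh the active
REM Immunet/ClamAV database folder with unofficial signatures that were already
REM downloaded to %SRC%, stopping Immunet only for the copy step.
REM Assumptions: default install location; the newest clamav\ subfolder is the active one.
setlocal

REM Placeholder download folder (constructed for this example); use your own temp folder.
set "SRC=%TEMP%\clamav-unofficial"
set "CLAMROOT=%ProgramFiles%\Immunet\clamav"
set "WAS_RUNNING=%TEMP%\immunet-was-running.txt"

REM Refuse to touch Immunet when there is nothing to install (any non-directory file counts).
dir /b /a-d "%SRC%" 2>nul | findstr . >nul || (
    echo ERROR: no files in "%SRC%" - download the databases there first.
    exit /b 1
)
if not exist "%CLAMROOT%\" (
    echo ERROR: "%CLAMROOT%" not found - is Immunet installed in the default location?
    exit /b 1
)

REM 1. Locate the active database folder: directories only, newest first;
REM    GOTO leaves the loop after the first (newest) entry.
set "DB="
for /f "delims=" %%A in ('dir /b /ad /o-d "%CLAMROOT%"') do (
    set "DB=%CLAMROOT%\%%A"
    goto :gotdb
)
:gotdb
if not defined DB (
    echo ERROR: no version subfolder under "%CLAMROOT%".
    exit /b 1
)
echo Active ClamAV database folder: "%DB%"

REM 2. Stop every RUNNING service whose name contains "Immunet" ("ImmunetProtect",
REM    "Immunet 6.0.8", ...) and record which ones, so only those get restarted.
REM    "sc query" with no arguments lists active services only; sc.exe replaces the
REM    post's wmic call, which is deprecated on current Windows.
type nul > "%WAS_RUNNING%"
for /f "tokens=1,*" %%S in ('sc query ^| findstr /i /r "SERVICE_NAME:.*Immunet"') do (
    >>"%WAS_RUNNING%" echo %%T
    call :wait_state "%%T" stop STOPPED
)

REM 3. Copy only new or newer files (/D) into the now-unprotected folder.
xcopy /F /Y /D /H /R "%SRC%\*.*" "%DB%\"
if errorlevel 4 echo WARNING: xcopy failed with errorlevel %errorlevel% - check the output above.

REM 4. Restart exactly the services that were running before, then clean up.
for /f "usebackq delims=" %%S in ("%WAS_RUNNING%") do call :wait_state "%%S" start RUNNING
del "%WAS_RUNNING%" >nul 2>&1
exit /b 0

REM Subroutine: run "sc <action> <service>" and poll up to 30 s until the service's
REM STATE line contains <state>. sc returns immediately, so polling is required.
:wait_state
sc %~2 "%~1" >nul 2>&1
for /l %%I in (1,1,30) do (
    sc query "%~1" | findstr /i /c:"%~3" >nul && (
        echo %~1: %~3
        exit /b 0
    )
    REM ping sleeps about one second and, unlike timeout, works without a console.
    ping -n 2 127.0.0.1 >nul
)
echo WARNING: %~1 did not reach %~3 within 30 s.
exit /b 1
```

Because the stop and start steps poll the service state instead of sleeping a fixed ten seconds, Immunet is down only for as long as the copy itself takes, which is the point the post makes about downloading to a temp folder first. Stopping only the services that were running, and restarting only those, also avoids accidentally starting a disabled or manual-start component that happens to have "Immunet" in its name.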
