From aed4f9a06f2da6deb00733af70f25f9d13ec5e37 Mon Sep 17 00:00:00 2001
From: "eXtremeSHOK.com"
Date: Thu, 21 Jul 2016 12:19:10 +0200
Subject: [PATCH 1/3] Update yararules. bump config to version 69

---
 config/master.conf | 41 +++++++++++++++++++++++------------------
 1 file changed, 23 insertions(+), 18 deletions(-)

diff --git a/config/master.conf b/config/master.conf
index 23500761..b7616316 100644
--- a/config/master.conf
+++ b/config/master.conf
@@ -307,26 +307,31 @@ yararulesproject_dbs="
 # use subdir/file
 # LOW
 email/EMAIL_Cryptowall.yar|LOW # CryptoWall Resume phish
-antidebug_antivm.yar|LOW # anti debug and anti virtualization techniques used by malware
-Exploit-Kits/Angler_EK.yar|LOW # Angler Exploit Kit Redirector
-Exploit-Kits/Blackhole_EK.yar|LOW # BlackHole2 Exploit Kit Detection
-Exploit-Kits/BleedingLife_EK.yar|LOW # BleedingLife2 Exploit Kit Detection
-Exploit-Kits/Crimepack_EK.yar|LOW # CrimePack Exploit Kit Detection
-Exploit-Kits/Eleonore_EK.yar|LOW # Eleonore Exploit Kit Detection
-Exploit-Kits/Fragus_EK.yar|LOW # Fragus Exploit Kit Detection
-Exploit-Kits/Phoenix_EK.yar|LOW # Phoenix Exploit Kit Detection
-Exploit-Kits/Sakura_EK.yar|LOW # Sakura Exploit Kit Detection
-Exploit-Kits/ZeroAcces_EK.yar|LOW # ZeroAccess Exploit Kit Detection
-Exploit-Kits/Zerox88_EK.yar|LOW # 0x88 Exploit Kit Detection
-Exploit-Kits/Zeus_EK.yar|LOW # Zeus Exploit Kit Detection
+Antidebug_AntiVM/antidebug_antivm.yar|LOW # anti debug and anti virtualization techniques used by malware
+Exploit-Kits/EK_Angler.yar|LOW # Angler Exploit Kit Redirector
+Exploit-Kits/EK_Blackhole.yar|LOW # BlackHole2 Exploit Kit Detection
+Exploit-Kits/EK_BleedingLife.yar|LOW # BleedingLife2 Exploit Kit Detection
+Exploit-Kits/EK_Crimepack.yar|LOW # CrimePack Exploit Kit Detection
+Exploit-Kits/EK_Eleonore.yar|LOW # Eleonore Exploit Kit Detection
+Exploit-Kits/EK_Fragus.yar|LOW # Fragus Exploit Kit Detection
+Exploit-Kits/EK_Phoenix.yar|LOW # Phoenix Exploit Kit Detection
+Exploit-Kits/EK_Sakura.yar|LOW # Sakura Exploit Kit Detection
+Exploit-Kits/EK_ZeroAcces.yar|LOW # ZeroAccess Exploit Kit Detection
+Exploit-Kits/EK_Zerox88.yar|LOW # 0x88 Exploit Kit Detection
+Exploit-Kits/EK_Zeus.yar|LOW # Zeus Exploit Kit Detection
 # MEDIUM
-Exploit-Kits/Javascript_exploit_and_obfuscation.yar|MEDIUM # JavaScript Obfuscation Detection
-Malicious_Documents/malicious_document.yar|MEDIUM # documents with malicious code
-Malicious_Documents/DecodedPDF_CVE_2010_1297.yar|MEDIUM # PDF CVE 2010 1297
+Malicious_Documents/maldoc_somerules.yar|MEDIUM # documents with malicious code
 Malicious_Documents/Maldoc_Hidden_PE_file.yar|MEDIUM # Detect a hidden PE file inside a sequence of numbers (comma separated)
-packer.yar|MEDIUM # well-known sofware packers
+Packers/Javascript_exploit_and_obfuscation.yar|MEDIUM # JavaScript Obfuscation Detection
+Packers/packer.yar|MEDIUM # well-known sofware packers
+CVE_Rules/CVE-2010-0805.yar|MEDIUM # CVE 2010 0805
+CVE_Rules/CVE-2010-0887.yar|MEDIUM # CVE 2010 0887
+CVE_Rules/CVE-2010-1297.yar|MEDIUM # CVE 2010 1297
+CVE_Rules/CVE-2013-0074.yar|MEDIUM # CVE 2013 0074
+CVE_Rules/CVE-2013-0422.yar|MEDIUM # CVE 2013 0422
+CVE_Rules/CVE-2015-5119.yar|MEDIUM # CVE 2015 5119
 # HIGH
-crypto.yar|HIGH # detect the existence of cryptographic algoritms
+Crypto/crypto.yar|HIGH # detect the existence of cryptographic algoritms
 "
 #END yararulesproject DATABASES
 # =========================
@@ -514,6 +519,6 @@ yararulesproject_url="https://raw.githubusercontent.com/Yara-Rules/rules/master"
 # ========================
 # DO NOT EDIT !
-config_version="68"
+config_version="69"
 # https://eXtremeSHOK.com
 ######################################################

From 0168cb38853e0503e59a6c698047eed2876e8ab4 Mon Sep 17 00:00:00 2001
From: "eXtremeSHOK.com"
Date: Thu, 21 Jul 2016 14:10:28 +0200
Subject: [PATCH 2/3] do not allow installation when options pkg_mgr or pkg_rm are defined

---
 clamav-unofficial-sigs.sh | 68 ++++++++++++++++++++++++++++++++++++---
 1 file changed, 63 insertions(+), 5 deletions(-)

diff --git a/clamav-unofficial-sigs.sh b/clamav-unofficial-sigs.sh
index 73bcf5f4..f6b8e8b6 100644
--- a/clamav-unofficial-sigs.sh
+++ b/clamav-unofficial-sigs.sh
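Review bot: The new `Packers/packer.yar|MEDIUM # well-known sofware packers` line carries the `sofware` typo over from the line it replaces (`software`), and the `Crypto/crypto.yar` line likewise keeps `algoritms`. These paths mirror the upstream Yara-Rules directory layout at one point in time and are presumably fetched from the master branch named in `yararulesproject_url` (context of the next hunk), so the next rename upstream will break downloads until this list is edited again. A comment at the head of the list would make that dependency visible, e.g. `# paths follow the directory layout of the Yara-Rules/rules master branch; an upstream rename breaks the fetch until this list is updated`.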
@@ -244,7 +244,7 @@ function xshok_pretty_echo_and_log () { #"string" "repeating" "count" "type"
 }
 # function to check if the $2 value is not null and does not start with -
-function xshok_check_s2 () {
+function xshok_check_s2 () { #value1 #value2
 if [ "$1" ] ; then
 if [[ "$1" =~ ^-.* ]] ; then
 xshok_pretty_echo_and_log "ERROR: Missing value for option or value begins with -" "="
@@ -262,7 +262,7 @@ function xshok_check_s2 () {
 # array=("one" "two" "three")
 # xshok_array_count $array # 3
-function xshok_array_count () {
+function xshok_array_count () { #array
 k_array=( "$@" )
 if [ -n "${k_array[*]}" ] ; then
 i="0"
@@ -274,6 +274,45 @@ function xshok_array_count () {
 echo "0"
 fi
 }
+# function to auto update
+function xshok_auto_update() { #version
+ xshok_pretty_echo_and_log "Performing automatic update..."
+
+ # Download new version
+ echo -n "Downloading latest version..."
+ if ! wget --quiet --output-document="$0.tmp" $UPDATE_BASE/$SELF ; then
+ echo "Failed: Error while trying to wget new version!"
+ echo "File requested: $UPDATE_BASE/$SELF"
+ exit 1
+ fi
+ echo "Done."
+
+ # Copy over modes from old version
+ OCTAL_MODE=$(stat -c '%a' $SELF)
+ if ! chmod $OCTAL_MODE "$0.tmp" ; then
+ echo "Failed: Error while trying to set mode on $0.tmp."
+ exit 1
+ fi
+
+ # Generate the update script
+ cat > xshok_update_script.sh << EOF
+#!/bin/bash
+# Overwrite old file with new
+if mv "$0.tmp" "$0"; then
+ echo "Done. Update complete."
+ rm \$0
+else
+ echo "Failed! The update was not completed."
+fi
+EOF
+
+
+ echo -n "Inserting update process..."
+
+ #replaced with $0, so code will update and then call itself with the same parameters it had
+ #exec /bin/bash xshok_update_script.sh
+ exec "$0" "$@"
+}
 #function to handle list of database files
 function clamav_files () {
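Review bot: The downloaded file is never installed in `xshok_auto_update`: `xshok_update_script.sh` is written into the current directory but the line that would run it is commented out, so `exec "$0" "$@"` re-runs the old script and leaves both `$0.tmp` and the helper file behind. Nothing verifies what was fetched from `$UPDATE_BASE/$SELF` before it is meant to replace an executable script, both that URL and the `$SELF` passed to `stat -c` are unquoted, and `stat -c` is GNU-only, which matters if the Solaris targets the README lists run this path. Inside a function `"$@"` is the function's own argument list (`#version` per the signature comment), not the script's, so the re-exec drops the user's options unless the caller forwards them; `UPDATE_BASE` and `SELF` are defined outside the hunk. The rewrite below drops the generated helper, moves the file into place directly and marks where the integrity check belongs.
```shell
  # … unchanged: download to "$0.tmp" (quoted: "$UPDATE_BASE/$SELF") and copy the mode …
  # TODO(review): verify "$0.tmp" against a published digest or signature before it replaces "$0"
  # Install in place and re-run; the generated xshok_update_script.sh is no longer needed
  if ! mv -- "$0.tmp" "$0" ; then
    echo "Failed! The update was not completed."
    exit 1
  fi
  echo "Done. Update complete."
  # "$@" is this function's argument list; the call site must pass the script's arguments through
  exec "$0" "$@"
```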
@@ -347,6 +386,13 @@ function xshok_database () { #database #rating
 #generates a man config and installs it
 function install_man () {
+
+ if [ -n "$pkg_mgr" ] || [ -n "$pkg_rm" ] ; then
+ echo "This script (clamav-unofficial-sigs) was installed on the system via '$pkg_mgr'"
+ exit 1
+ fi
+
+
 echo ""
 echo "Generating man file for install...."
@@ -408,6 +454,12 @@ EOF
 #generates a logrotate config and installs it
 function install_logrotate () {
+
+ if [ -n "$pkg_mgr" ] || [ -n "$pkg_rm" ] ; then
+ echo "This script (clamav-unofficial-sigs) was installed on the system via '$pkg_mgr'"
+ exit 1
+ fi
+
 echo ""
 echo "Generating logrotate file for install...."
@@ -474,6 +526,12 @@ EOF
 #generates a cron config and installs it
 function install_cron () {
+
+ if [ -n "$pkg_mgr" ] || [ -n "$pkg_rm" ] ; then
+ echo "This script (clamav-unofficial-sigs) was installed on the system via '$pkg_mgr'"
+ exit 1
+ fi
+
 echo ""
 echo "Generating cron file for install...."
@@ -780,7 +838,7 @@ function make_signature_database_from_ascii_file () {
 #Remove the clamav-unofficial-sigs script
 function remove_script () {
 echo ""
-if [ -n "$pkg_mgr" ] && [ -n "$pkg_rm" ] ; then
+if [ -n "$pkg_mgr" ] || [ -n "$pkg_rm" ] ; then
 echo "This script (clamav-unofficial-sigs) was installed on the system via '$pkg_mgr'"
 echo "use '$pkg_rm' to remove the script and all of its associated files and databases from the system."
@@ -1172,8 +1230,8 @@ EOF
 ################################################################################
 #Script Info
-script_version="5.4"
-script_version_date="15 July 2016"
+script_version="5.4.1"
+script_version_date="20 July 2016"
 minimum_required_config_version="65"
 minimum_yara_clamav_version="0.99"

From f08bb6ce56f4e7450985faff1b8b984455101f51 Mon Sep 17 00:00:00 2001
From: "eXtremeSHOK.com"
Date: Thu, 21 Jul 2016 14:18:17 +0200
Subject: [PATCH 3/3] prepare 5.4.1

---
 README.md | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)
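Review bot: The guard added to `install_man` is pasted verbatim into `install_logrotate` and `install_cron` in the next two hunks, and in all three the message names only `'$pkg_mgr'`, so when just `pkg_rm` is set (the case the `||` now admits, as it does in `remove_script` further down) the user is told the script was installed via `''`. One helper called from the three install functions keeps the condition and wording in a single place and gives the message a value in either case; `remove_script` keeps its own copy because it also prints the `use '$pkg_rm'` hint. The bodies of the install functions continue outside these hunks.
```shell
# Refuse to install files that the OS package manager owns (pkg_mgr/pkg_rm are set by the packaged config)
function xshok_refuse_if_packaged () {
  if [ -n "$pkg_mgr" ] || [ -n "$pkg_rm" ] ; then
    echo "This script (clamav-unofficial-sigs) was installed on the system via '${pkg_mgr:-$pkg_rm}'"
    exit 1
  fi
}

function install_man () {
  xshok_refuse_if_packaged
  # … unchanged: man page generation …
```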
diff --git a/README.md b/README.md
index fdd98a77..3e21ade2 100644
--- a/README.md
+++ b/README.md
@@ -99,7 +99,14 @@ Usage of free Linux Malware Detect clamav signatures: https://www.rfxn.com/proje
 ## Change Log
-### Version 5.4 (updated 2016-06-15)
+### Version 5.4.1 (updated 2016-06-20)
+ - eXtremeSHOK.com Maintenance
+ - Disable installation when either pkg_mgr or pkg_rm is defined.
+ - Minor refactoring
+ - Update master.conf with the new Yara-rules project file names
+ - Incremented the config to version 69
+
+### Version 5.4
  - eXtremeSHOK.com Maintenance
  - Added Solaris 10 and 11 configs
  - When under Solaris we define our own which function