Identifying the exact nature of a signature, just from the name, is a major pain, especially when you throw in the third-party signatures. The location in the signature name of the authority it came from varies from group to group (and isn't present in the ClamAV signatures at all). Whether it's a virus/malware/trojan/worm or just a phishing/fraud or spam signature is handled differently by each authority. It's just a _MESS_, on the part of _ALL_ of the signature authorities, including ClamAV's official signatures.
I'd like to see better organization on this front. My suggestion is: a signature name is a dot-separated 4-tuple or 5-tuple, with the following fields:

- the first field is the signature source: ClamAV, Sanesecurity, MBL, MSRBL, etc.
- the second field is the signature category: Virus, Worm, Malware, Trojan, Exploit, Scam or Fraud or Phishing, Spam, Archive, etc.
- the third field is the platform/mechanism abused: Win32, MacOSX-x86, MacOSX-ppc, Linux-x86, Solaris-x86, Solaris-Sparc, FreeBSD-x86, NetBSD-x86, NetBSD-all, Image, PDF, MS-Macro, HTML, Zip, etc.
- the optional fourth field is a signature sub-category: Stock, Spyware, virus-family-name, etc.
- the last field is an exact signature ID

Further, the first 3 fields would need to be universally agreed upon (dictated by ClamAV, IMO).

So, this:

    Email.Stk.Gen588.Sanesecurity.07071604.pdf

becomes:

    Sanesecurity.Spam.PDF.Stock.Gen588-07071604

This:

    Worm.Mydoom.M

becomes:

    ClamAV.Worm.Win32.Mydoom.M

This:

    HTML.Phishing.Bank-3

becomes:

    ClamAV.Fraud.HTML.Bank.3

or:

    ClamAV.Phishing.HTML.Bank.3

This:

    Zip.ExceededFilesLimit

becomes:

    ClamAV.Archive.Zip.Exceeded.FilesLimit

(which might also mean there'd be

    ClamAV.Archive.Zip.Exceeded.Size
    ClamAV.Archive.Zip.Encrypted

or even

    ClamAV.Archive.Rar.NotAllowed

if all rar files are blocked)

This would make it a LOT easier to decide how to handle a given match in a programmatic manner.
For example, if I have a sendmail-milter and I want to reject viruses, worms, and malware, but I want to merely mark a header for things like Phishing/Fraud Scams or Spam, I could do something like:

    if ($virusname =~ /\.(Scam|Fraud|Spam)\./) {
        add_a_header_and_accept();
    } else {
        send_smtp_5xx_response();
    }

Or, perhaps I want to do it by signature authority, because I've heard some signature authorities might have false positives:

    if ($virusname =~ /^ClamAV\./) {
        send_smtp_5xx_response();
    } elsif ($virusname =~ /^Sanesecurity\./) {
        do_sanesecurity_action();
    } elsif ($virusname =~ /^MBL\./) {
        do_mbl_action();
    } elsif ($virusname =~ /^MSRBL\./) {    # closing slash was missing in the original
        do_msrbl_action();
    } else {
        # some new signature authority I haven't specifically handled yet
        add_a_header_and_accept();
    }

The point is, whether you go with my suggestion or some other idea, imposing _SOME_ kind of structure on the signature names is, IMO, necessary. It needs to be formalized, and required of all signature authorities. When someone wants to add a new possible value to the first 3 fields of the tuple, I'd suggest that it have to be blessed by some group (the clamav developers? a side-group with some of the clamav developers and some of the other authority members, whatever).

_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://lurker.clamav.net/list/clamav-users.html
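The post's two milter policies (by category, by authority) both depend on being able to split a name into its fields reliably, and on what to do with a name that does not follow the scheme. The following is an added example, not ClamAV code and not the poster's code: a parser for the proposed Source.Category.Platform[.SubCategory].ID form, plus a dispatch function that combines the two policies. The scheme is the poster's proposal rather than an existing ClamAV convention, so the vocabulary for the first three fields, the name `MBL.Trojan.Win32.Example`, and the choice to fail closed on names outside the scheme are all assumptions made for this example.

```python
"""Parsing and policy dispatch for the structured signature-name scheme
proposed in the post above: Source.Category.Platform[.SubCategory].ID

Added example, not ClamAV code and not the original poster's code. The
scheme is the poster's proposal, not an existing ClamAV convention, so
the field vocabulary below is assumed from the post.
"""
import re
from dataclasses import dataclass
from typing import FrozenSet, Optional

# Vocabulary lifted from the post. Anything outside it is treated as
# "does not follow the scheme" rather than guessed, since the post wants
# the first three fields to be a controlled, agreed-upon set.
KNOWN_SOURCES = frozenset({"ClamAV", "Sanesecurity", "MBL", "MSRBL"})
BLOCK_CATEGORIES = frozenset({"Virus", "Worm", "Malware", "Trojan", "Exploit"})
TAG_CATEGORIES = frozenset({"Scam", "Fraud", "Phishing", "Spam"})
ARCHIVE_CATEGORY = "Archive"

# One field: letters, digits, '-' or '_' (so "MacOSX-x86" and
# "Gen588-07071604" stay single fields); '.' is reserved as the separator.
_FIELD = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_-]*$")


@dataclass(frozen=True)
class SigName:
    source: str
    category: str
    platform: str
    subcategory: Optional[str]  # present only in the 5-tuple form
    sig_id: str


def parse_sig_name(name: str) -> Optional[SigName]:
    """Split a name into the proposed tuple.

    Returns None for anything that does not follow the scheme: wrong
    number of fields, a field with a stray character, or an unknown
    source. A legacy name such as "Worm.Mydoom.M" therefore comes back
    as None instead of being mis-read as Source=Worm, Category=Mydoom.
    """
    parts = name.split(".")
    if len(parts) not in (4, 5):
        return None
    if not all(_FIELD.match(p) for p in parts):
        return None
    if parts[0] not in KNOWN_SOURCES:
        return None
    subcategory = parts[3] if len(parts) == 5 else None
    return SigName(parts[0], parts[1], parts[2], subcategory, parts[-1])


def milter_action(name: str,
                  reliable_sources: FrozenSet[str] = frozenset({"ClamAV"})) -> str:
    """Decide what a milter should do with a match on `name`.

    Returns "reject" (send an SMTP 5xx) or "tag" (add a header, accept).
    Combines the post's two policies: by category (malware-class hits are
    rejected, scam/spam hits are tagged) and by source (a malware-class
    hit from a feed not in `reliable_sources` is only tagged, to absorb
    that feed's false positives). Names outside the scheme are rejected,
    i.e. the policy fails closed; that is this example's choice, not the
    post's.
    """
    sig = parse_sig_name(name)
    if sig is None:
        return "reject"
    if sig.category in TAG_CATEGORIES:
        return "tag"
    if sig.category == ARCHIVE_CATEGORY:
        # A scanner limit (e.g. Exceeded.FilesLimit), not a detection:
        # tag so a human can look, rather than bounce. Example's choice.
        return "tag"
    if sig.category in BLOCK_CATEGORIES:
        return "reject" if sig.source in reliable_sources else "tag"
    # Category not in the agreed vocabulary: fail closed.
    return "reject"


# Constructed sample names: the post's own rewritten examples, one
# hypothetical third-party malware hit (MBL.Trojan.Win32.Example), and two
# legacy-format names that the parser must refuse.
SAMPLE_NAMES = [
    "Sanesecurity.Spam.PDF.Stock.Gen588-07071604",
    "ClamAV.Worm.Win32.Mydoom.M",
    "ClamAV.Phishing.HTML.Bank.3",
    "ClamAV.Archive.Zip.Exceeded.FilesLimit",
    "MBL.Trojan.Win32.Example",
    "Worm.Mydoom.M",
    "Email.Stk.Gen588.Sanesecurity.07071604.pdf",
]

if __name__ == "__main__":
    for n in SAMPLE_NAMES:
        parsed = str(parse_sig_name(n) is not None)
        print(f"{n:45} parsed={parsed:5} action={milter_action(n)}")
```

The source check in `parse_sig_name` is what keeps the two policies from being fooled by a legacy four-field name: without it, something like `Trojan.Downloader.Foo.Bar` would parse as Source=Trojan and be routed by a category that is really a family name. Treating unparseable names as rejects is deliberately the opposite of the post's "unknown authority, add a header and accept" branch; if a site prefers that default, it is a one-line change in `milter_action`.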