Identifying the exact nature of a signature, just from the name, is a
major pain. Especially when you throw in the 3rd party signatures. The
location in the signature name of the authority it came from varies from
group to group (and isn't present in the ClamAV signatures at all).
Whether it's virus/malware/trojan/worm or just a phishing/fraud or spam
signature is handled differently by each authority. It's just a _MESS_,
on the part of _ALL_ of the signature authorities, including ClamAV's
official signatures.
I'd like to see better organization on this front. My suggestion is:
A signature name is a dot separated 4-tuple or 5-tuple, with the
following fields:
- the first field is the signature source:
    ClamAV, Sanesecurity, MBL, MSRBL, etc.
- the second field is the signature category:
    Virus, Worm, Malware, Trojan, Exploit, Scam or Fraud or Phishing,
    Spam, Archive, etc.
- the third field is the platform/mechanism abused:
    Win32, MacOSX-x86, MacOSX-ppc, Linux-x86, Solaris-x86,
    Solaris-Sparc, FreeBSD-x86, NetBSD-x86, NetBSD-all,
    Image, PDF, MS-Macro, HTML, Zip, etc.
- the optional fourth field is a signature sub-category:
    Stock, Spyware, virus-family-name, etc.
- the last field is an exact signature ID
Further, the first 3 fields would need to be universally agreed upon
(dictated by ClamAV, IMO).
So, this: Email.Stk.Gen588.Sanesecurity.07071604.pdf
becomes: Sanesecurity.Spam.PDF.Stock.Gen588-07071604
This: Worm.Mydoom.M
becomes: ClamAV.Worm.Win32.Mydoom.M
This: HTML.Phishing.Bank-3
becomes: ClamAV.Fraud.HTML.Bank.3
or: ClamAV.Phishing.HTML.Bank.3
This: Zip.ExceededFilesLimit
becomes: ClamAV.Archive.Zip.Exceeded.FilesLimit
(which might also mean there'd be ClamAV.Archive.Zip.Exceeded.Size
ClamAV.Archive.Zip.Encrypted or even ClamAV.Archive.Rar.NotAllowed, if
all rar files are blocked)
This would make it a LOT easier to decide how to handle a given match in
a programmatic manner. For example, if I have a sendmail-milter and I
want to reject viruses, worms, and malware, but I want to merely mark a
header for things like Phishing/Fraud Scams or Spam, I could do
something like:
    # match on the category field (second field of the tuple)
    if ($virusname =~ /\.(Scam|Fraud|Spam)\./) {
        add_a_header_and_accept();
    }
    else {
        send_smtp_5xx_response();
    }
Or, perhaps I want to do it by signature authority, because I've heard
some signature authorities might have false positives:
    # match on the source field (first field of the tuple)
    if ($virusname =~ /^ClamAV\./) {
        send_smtp_5xx_response();
    }
    elsif ($virusname =~ /^Sanesecurity\./) {
        do_sanesecurity_action();
    }
    elsif ($virusname =~ /^MBL\./) {
        do_mbl_action();
    }
    elsif ($virusname =~ /^MSRBL\./) {
        do_msrbl_action();
    }
    else { # some new signature authority I haven't specifically handled yet
        add_a_header_and_accept();
    }
The point is, whether you go with my suggestion or some other idea,
imposing _SOME_ kind of structure on the signature names is, IMO,
necessary. It needs to be formalized, and required of all signature
authorities. When someone wants to add a new possible value to the
first 3 fields of the tuple, I'd suggest that it have to be blessed by
some group (the clamav developers? a side-group with some of the clamav
developers and some of the other authority members, whatever).
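As an added illustration (not code from the post, and written in Python rather than the post's Perl), here is a parser for the proposed Source.Category.Platform[.Sub].ID layout and a dispatch routine that combines the two policies above: hard-reject only for malware categories from ClamAV's own signatures, tag-and-accept for fraud/spam categories and for third-party hits, and a conservative tag-and-accept for any name that does not follow the scheme. The category and source sets are assumed from the proposal, not from any agreed list.

```python
from typing import NamedTuple, Optional

# Assumed from the proposal in the post; a real deployment would take these
# from whatever list the signature authorities eventually agree on.
KNOWN_SOURCES = {"ClamAV", "Sanesecurity", "MBL", "MSRBL"}
REJECT_CATEGORIES = {"Virus", "Worm", "Malware", "Trojan", "Exploit"}
HEADER_CATEGORIES = {"Scam", "Fraud", "Phishing", "Spam"}


class SigName(NamedTuple):
    source: str
    category: str
    platform: str
    subcategory: Optional[str]   # absent in the 4-tuple form
    sig_id: str


def parse_signature(name: str) -> Optional[SigName]:
    """Split a name in the proposed Source.Category.Platform[.Sub].ID form.

    Returns None for names that do not follow the scheme (a legacy name such
    as 'Worm.Mydoom.M', or an unknown authority), so the caller can fall back
    to a conservative default instead of guessing at the fields."""
    fields = name.split(".")
    if len(fields) == 4:
        src, cat, plat, sig_id = fields
        sub = None
    elif len(fields) == 5:
        src, cat, plat, sub, sig_id = fields
    else:
        return None
    if src not in KNOWN_SOURCES or not all(fields):
        return None
    return SigName(src, cat, plat, sub, sig_id)


def milter_action(name: str) -> str:
    """Return 'reject' or 'header' for one scanner hit.

    Policy (assumed for this example): fraud/spam categories are only tagged;
    malware categories are rejected when ClamAV's own signature matched, but
    merely tagged for third-party authorities because of false-positive risk;
    anything unparseable is tagged, never rejected on a guess."""
    sig = parse_signature(name)
    if sig is None:
        return "header"
    if sig.category in HEADER_CATEGORIES:
        return "header"
    if sig.category in REJECT_CATEGORIES and sig.source == "ClamAV":
        return "reject"
    return "header"   # third-party malware hits, Archive limits, new categories
```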
_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://lurker.clamav.net/list/clamav-users.html