Even in its unsegmented form, clamav detects much more than virus/malware payloads. In fact here the "other" is the majority that ends up in quarantine. Further, they are all treated as if they are really malware payloads and not spam/phish/fraud/mules/etc. email. With the addition of "unofficial" and/or local signatures, this ratio just increases. Additionally, many of these samples in quarantine should be used when rebuilding the spam.db.
I feel that current processing is too simplistic and is inappropriate to the sophistication that the rest of assp has become. I propose that assp apply rules to the clamd result to determine what should be done. This would be similar to the current way that DNSBLs are handled. I envision:

test=>what,weight

where test is a regex; what is VIRUS for quarantine, SPAM for phishing, spam, etc., OK is an OK file (future clamd functionality), WHITELIST identifies a signature that needs to be ignored; and weight is a score modifier.

Examples could be:

MBL_=>VIRUS,1.00
MSRBL-SPAM=>SPAM,1.00
Phish.*heuristic=>SPAM,0.80
Sanesecurity\.Junk\.9851=>WHITELIST,0
netCDF=>OK,0

Just my thoughts. Sorry I am not too proficient in Perl to help in any other way than ideas at this time.

Tom

_______________________________________________
Assp-test mailing list
https://lists.sourceforge.net/lists/listinfo/assp-test
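As an added illustration of the proposed test=>what,weight scheme (this is example code written for this page, not ASSP's own code or anything Tom posted), the following Python parses the rule lines quoted above, extracts the signature name from a clamd reply, and applies the first matching rule. Assumed, not from the post: the clamd reply format ("target: NAME FOUND" / "target: OK", as clamd's INSTREAM/SCAN commands return it), the sample signature names, which are constructed for the demo, and the choice that a signature matched by no rule keeps today's behaviour (quarantined as VIRUS with weight 1.0).

```python
import re
from typing import List, NamedTuple, Optional, Tuple

# Actions named in the proposal: VIRUS (quarantine), SPAM (score as spam),
# OK (treat as clean), WHITELIST (ignore this signature entirely).
ACTIONS = {"VIRUS", "SPAM", "OK", "WHITELIST"}


class Rule(NamedTuple):
    pattern: "re.Pattern[str]"   # the 'test' regex
    action: str                  # the 'what'
    weight: float                # the score modifier


# The example rules from the post, one test=>what,weight per line.
# Raw string so the \. in the Sanesecurity rule reaches the regex intact.
RULE_TEXT = r"""
MBL_=>VIRUS,1.00
MSRBL-SPAM=>SPAM,1.00
Phish.*heuristic=>SPAM,0.80
Sanesecurity\.Junk\.9851=>WHITELIST,0
netCDF=>OK,0
"""

RULE_LINE = re.compile(r"^(?P<test>.+?)=>(?P<what>[A-Z]+),(?P<weight>[0-9]*\.?[0-9]+)$")

# clamd reply shapes (protocol fact): "<target>: <signature> FOUND" or "<target>: OK".
CLAMD_FOUND = re.compile(r"^(?P<target>[^:]+): (?P<sig>.+) FOUND$")
CLAMD_OK = re.compile(r"^(?P<target>[^:]+): OK$")

# Assumption: an unmatched signature is handled as ASSP does today (quarantine).
DEFAULT_VERDICT = ("VIRUS", 1.0)


def parse_rules(text: str) -> List[Rule]:
    """Parse test=>what,weight lines; blank lines and '#' comments are skipped."""
    rules: List[Rule] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_LINE.match(line)
        if not m or m["what"] not in ACTIONS:
            raise ValueError(f"bad rule on line {lineno}: {raw!r}")
        rules.append(Rule(re.compile(m["test"]), m["what"], float(m["weight"])))
    return rules


def parse_clamd_reply(reply: str) -> Optional[str]:
    """Return the signature name from a clamd reply, or None when clamd said OK."""
    reply = reply.rstrip("\0\n")          # zINSTREAM replies end in NUL, nINSTREAM in newline
    if CLAMD_OK.match(reply):
        return None
    m = CLAMD_FOUND.match(reply)
    if m:
        return m["sig"]
    raise ValueError(f"unexpected clamd reply: {reply!r}")   # e.g. "... ERROR"


def classify(signature: str, rules: List[Rule],
             default: Tuple[str, float] = DEFAULT_VERDICT) -> Tuple[str, float]:
    """First rule whose regex matches the signature wins, so rule order matters."""
    for rule in rules:
        if rule.pattern.search(signature):
            return rule.action, rule.weight
    return default


def decide(reply: str, rules: List[Rule]) -> Tuple[str, float]:
    """Full path: clamd reply -> signature -> (action, weight)."""
    sig = parse_clamd_reply(reply)
    if sig is None:
        return ("OK", 0.0)
    return classify(sig, rules)


RULES = parse_rules(RULE_TEXT)

# Constructed sample replies for the demo (not real scan output).
SAMPLE_REPLIES = [
    "stream: MBL_NA.12345.UNOFFICIAL FOUND",
    "stream: Sanesecurity.Junk.9851.UNOFFICIAL FOUND",
    "stream: Phish.Example.heuristic.UNOFFICIAL FOUND",
    "stream: netCDF.Example FOUND",
    "stream: Eicar-Test-Signature FOUND",   # matches no rule -> default verdict
    "stream: OK",
]

if __name__ == "__main__":
    for reply in SAMPLE_REPLIES:
        action, weight = decide(reply, RULES)
        print(f"{reply:50s} -> {action:9s} weight={weight}")
```

A WHITELIST verdict is returned to the caller rather than silently dropped so that the caller can still log the ignored signature; the default verdict is deliberately a parameter of classify() so an installation can choose whether unmatched signatures fall through to quarantine or to a spam score.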
