I just performed a test sending test messages which should be detected by
the Sane signatures as outlined here:
http://sanesecurity.com/support/signature-testing/

Test 1 (HTML Body) is caught by ClamAV.

I, as the administrator, get a notification sent to EmailVirusReportTo.

It looks good, but the email itself is missing the TO and SUBJECT line.  It
appears with a blank subject and no from address in Outlook.  It shows the
full message, including the body bit that was caught by ClamAV/Sane.

Also, the option says:
       If set an email containing the Message ID, Remote IP, Message
Subject, Sender email address, Recipient email address, and the virus
detected will be sent to this address. For example: ad...@domain.com
However, it's also sending the BODY of the email.  I've got
EmailVirusReportsHeader selected, but I didn't expect to see the body
because of that.  Bug?  Maybe I'm just not understanding the option?

The recipient gets the message, but the body is stripped out (GREAT) but
replaced with:
Attachment 'FILENAME' has been removed from this message.  Potential virus
detected.
That's what I have for ASSP_AFCReplViriPartsText.  It actually says
"FILENAME"; I guess there's no file name to replace since it's inline.  Can
the AFC plugin be changed to only say what file was removed if there was
actually a file removed?

And last, if I use the Sane signatures to help detect UCE / phishing, will
the alert be sent to the admin every time something's caught?  I was hoping
to only get an alert if an actual virus was detected.  AND, if Sane catches
UCE/phishing, does the recipient get the AFCReplViriPartsText or not?  Hope
not.

Looking for basic best practices.

Thanks
_______________________________________________
Assp-test mailing list
Assp-test@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/assp-test