I use the Sane signatures in 'SuspiciousVirus':

assp-do-not-optimize-regex # Worm65=>2 eicar=>1.5 Sanesecurity\.SpamImg\.14=>1.5 winnow\.malware\.37=>3 Sanesecurity\.Lott\.34=>1 Sanesecurity\.Junk\.20=>35 Sanesecurity\.Junk\.\d+=>10 UNOFFICIAL=>51

No reports are sent for 'SuspiciousVirus'. My PenaltyBox high watermark is 50. 'vsValencePB' is set to 25.

Thomas

From: K Post <nntp.p...@gmail.com>
To: ASSP development mailing list <assp-test@lists.sourceforge.net>
Date: 29.04.2015 21:30
Subject: [Assp-test] ClamAV best practices with Sane Sigs

I just performed a test sending test messages which should be detected by the Sane signatures as outlined here: http://sanesecurity.com/support/signature-testing/

Test 1 (HTML Body) is caught by ClamAV. I, as the administrator, get a notification sent to EmailVirusReportTo. It looks good, but the email itself is missing the TO and SUBJECT line. It appears with a blank subject and no from address in Outlook. It shows the full message, including the body bit that was caught by ClamAV/Sane.

Also, the option says: "If set an email containing the Message ID, Remote IP, Message Subject, Sender email address, Recipient email address, and the virus detected will be sent to this address. For example: ad...@domain.com". However, it's also sending the BODY of the email. I've got EmailVirusReportsHeader selected, but I didn't expect to see the body because of that. Bug? Maybe I'm just not understanding the option?

The recipient gets the message, but the body is stripped out (GREAT) but replaced with: "Attachment 'FILENAME' has been removed from this message. Potential virus detected." That's what I have for ASSP_AFCReplViriPartsText. It actually says "FILENAME"; I guess there's no file name to replace since it's inline. Can the AFC plugin be changed to only say what file was removed if there was actually a file removed?

And last, if I use the Sane signatures to help detect UCE / phishing, will the alert be sent to the admin every time something's caught? I was hoping to only get an alert if an actual virus was detected. AND, if Sane catches UCE/phishing, does the recipient get the AFCReplViriPartsText or not? Hope not.

Looking for basic best practices.
Thanks

_______________________________________________
Assp-test mailing list
Assp-test@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/assp-test