We use this script to download and use multiple ClamAV definitions: https://github.com/extremeshok/clamav-unofficial-sigs
-----Original Message-----
From: K Post [mailto:nntp.p...@gmail.com]
Sent: 27 September 2016 15:51
To: For Users of ASSP
Subject: Re: [Assp-user] get more protection from ransomeware

I concur with this great tip. I've been using foxhole js and file for a while now with great success. I'm afraid of foxhole_all.cdb, as they say there's a high likelihood of false positives. Has that not been your experience?

I don't quite understand the point of your own signatures. Doesn't ASSP_AFC take care of this? Are these signatures better or preferred? I guess I'm uncertain how they work, why you have them (or need / want them), and what the difference between zmd and md files is besides one seeming to work on zip when the other is for rar. And what are they looking for? A zip with a jpg in it is flagged as bad by this?

On Tue, Sep 27, 2016 at 10:23 AM, Thomas Eckardt <thomas.ecka...@thockar.com> wrote:
> Hi all,
>
> Whoever uses ClamAV with assp should have a look into the sanesecurity signatures.
>
> http://www.sanesecurity.co.uk/databases.htm
>
> Whoever still uses these signatures should have a look into the ClamSup.ini file.
> There are several lines excluded from the download - what I mean are:
>
> #
> # Foxhole double-extension, filename and dangerous attachment blocking sigs are disabled by default
> # see http://sanesecurity.com/foxhole-databases/ for more details about their use
> #
> # SaneSecurity foxhole_generic.cdb - Foxhole_Generic sigs [MEDIUM FP RISK]
> -rsync://rsync.sanesecurity.net/sanesecurity;foxhole_generic.cdb;N;Y;Y;N;N
> # SaneSecurity foxhole_filename.cdb - Foxhole_filename sigs [MEDIUM FP RISK]
> -rsync://rsync.sanesecurity.net/sanesecurity;foxhole_filename.cdb;N;Y;Y;N;N
> # SaneSecurity foxhole_all.cdb - Foxhole_all sigs [HIGH FP RISK]
> -rsync://rsync.sanesecurity.net/sanesecurity;foxhole_all.cdb;N;Y;Y;N;N
>
> I recommend using these signatures - simply remove the (-) in front of 'rsync'.
>
> I also created my own small signature files 'bad_extenson.zmd' and 'bad_extenson.rmd' - with the following content:
>
> bad_extenson.zmd:
>
> Sanesecurity.Blocked.Zip.xxx.exe:0:(?i)\.(docx?|xlsx?|ppdx?|wpd|txt|jpg|jpeg|htm|html|pdf|pif|scr)\.exe$:*:*:*:*:*:*
> Sanesecurity.Blocked.Zip.xxx.js:0:(?i)\.(docx?|xlsx?|ppdx?|wpd|txt|jpg|jpeg|htm|html|pdf|pif|scr)\.js$:*:*:*:*:*:*
> Sanesecurity.Blocked.Zip.xxx.wsh:0:(?i)\.(docx?|xlsx?|ppdx?|wpd|txt|jpg|jpeg|htm|html|pdf|pif|scr)\.wsh$:*:*:*:*:*:*
> Sanesecurity.Blocked.Zip.xxx.ps1:0:(?i)\.(docx?|xlsx?|ppdx?|wpd|txt|jpg|jpeg|htm|html|pdf|pif|scr)\.ps1$:*:*:*:*:*:*
>
> bad_extenson.rmd:
>
> Sanesecurity.Blocked.Rar.xxx.exe:0:(?i)\.(docx?|xlsx?|ppdx?|wpd|txt|jpg|jpeg|htm|html|pdf|pif|scr)\.exe$:*:*:*:*:*:*
> Sanesecurity.Blocked.Rar.xxx.js:0:(?i)\.(docx?|xlsx?|ppdx?|wpd|txt|jpg|jpeg|htm|html|pdf|pif|scr)\.js$:*:*:*:*:*:*
> Sanesecurity.Blocked.Rar.xxx.wsh:0:(?i)\.(docx?|xlsx?|ppdx?|wpd|txt|jpg|jpeg|htm|html|pdf|pif|scr)\.wsh$:*:*:*:*:*:*
> Sanesecurity.Blocked.Rar.xxx.ps1:0:(?i)\.(docx?|xlsx?|ppdx?|wpd|txt|jpg|jpeg|htm|html|pdf|pif|scr)\.ps1$:*:*:*:*:*:*
>
> Both are old style files and can be used with older ClamAV versions.
> If you want to create your own signature files, have a look into the Foxhole signatures - it is very easy.
>
> Thomas
>
>
> DISCLAIMER:
> *******************************************************
> This email and any files transmitted with it may be confidential, legally privileged and protected in law and are intended solely for the use of the individual to whom it is addressed.
> This email was multiple times scanned for viruses. There should be no known virus in this email!
> *******************************************************
>
> ------------------------------------------------------------------------------
>
> _______________________________________________
> Assp-user mailing list
> Assp-user@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/assp-user
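To make concrete what these metadata signatures actually look at (the member's file name inside the archive, not its bytes, which is why a zip holding a plain jpg is not hit but "something.pdf.exe" is), here is an added Python check that is not code from the thread or from ClamAV. It parses the bad_extenson.zmd lines, reflowed onto one line each, assuming the field layout Name:EncryptedFlag:FileNameRegex followed by six wildcard fields as used in the thread's files, and applies the regexes to the names in a constructed in-memory zip.

```python
import io
import re
import zipfile

# The thread's .zmd lines, rewrapped onto one line each (the mail client had folded them).
BAD_EXTENSION_ZMD = r"""
Sanesecurity.Blocked.Zip.xxx.exe:0:(?i)\.(docx?|xlsx?|ppdx?|wpd|txt|jpg|jpeg|htm|html|pdf|pif|scr)\.exe$:*:*:*:*:*:*
Sanesecurity.Blocked.Zip.xxx.js:0:(?i)\.(docx?|xlsx?|ppdx?|wpd|txt|jpg|jpeg|htm|html|pdf|pif|scr)\.js$:*:*:*:*:*:*
Sanesecurity.Blocked.Zip.xxx.wsh:0:(?i)\.(docx?|xlsx?|ppdx?|wpd|txt|jpg|jpeg|htm|html|pdf|pif|scr)\.wsh$:*:*:*:*:*:*
Sanesecurity.Blocked.Zip.xxx.ps1:0:(?i)\.(docx?|xlsx?|ppdx?|wpd|txt|jpg|jpeg|htm|html|pdf|pif|scr)\.ps1$:*:*:*:*:*:*
"""


def parse_zmd(text):
    """Parse old-style ClamAV .zmd/.rmd lines into (name, encrypted_flag, compiled_regex).

    Assumed layout: Name:EncryptedFlag:FileNameRegex:<six wildcard fields>.
    The six trailing fields are peeled off from the right so a ':' inside the
    regex would not break the split.
    """
    sigs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        head, *tail = line.rsplit(":", 6)
        if len(tail) != 6:
            raise ValueError("unexpected field count: " + line)
        name, enc_flag, pattern = head.split(":", 2)
        sigs.append((name, enc_flag, re.compile(pattern)))
    return sigs


def scan_zip_names(zip_bytes, sigs):
    """Return {member_name: signature_name} for members whose name matches a signature.

    Only archive metadata (the stored file names) is inspected, mirroring what
    a .zmd signature does; member contents are never read.
    """
    hits = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            for name, _enc_flag, rx in sigs:
                if rx.search(info.filename):
                    hits[info.filename] = name
                    break
    return hits


def build_sample_zip():
    """Constructed test archive: one double-extension lure plus two benign members."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Invoice_2016.PDF.exe", b"MZ placeholder")  # constructed, not a real binary
        zf.writestr("holiday.jpg", b"\xff\xd8\xff")              # a lone jpg is not matched
        zf.writestr("notes.txt", b"plain text")
    return buf.getvalue()
```

Running `scan_zip_names(build_sample_zip(), parse_zmd(BAD_EXTENSION_ZMD))` reports only the `.PDF.exe` member; the `(?i)` prefix is what makes the upper-case `.PDF` still match.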