On Windows, we use ClamWin/ClamAV Sigupdate 0.8 beta from
http://sanesecurity.com/usage/windows-scripts/
It works perfectly for those sigs from Sane.



On Tue, Sep 27, 2016 at 11:38 AM, Michael Seward <michaelsew...@tengroup.com> wrote:

> We use this script to download and use multiple ClamAV definitions:
>
> https://github.com/extremeshok/clamav-unofficial-sigs
>
> -----Original Message-----
> From: K Post [mailto:nntp.p...@gmail.com]
> Sent: 27 September 2016 15:51
> To: For Users of ASSP
> Subject: Re: [Assp-user] get more protection from ransomware
>
> I concur with this great tip.
>
> I've been using foxhole js and file for a while now with great success.
> I'm afraid of foxhole_all.cdb, as they say there's a high likelihood of
> false positives.  Has that not been your experience?
>
> I don't quite understand the point of your own signatures.  Doesn't
> ASSP_AFC take care of this?  Are these signatures better or preferred?  I
> guess I'm uncertain how they work, why you have them (or need / want them)
> and what the difference between zmd and md files are besides one seeming to
> work on zip when the other is for rar.  And what are they looking for?  A
> zip with a jpg in it is flagged as bad by this?
>
>
>
>
>
>
>
> On Tue, Sep 27, 2016 at 10:23 AM, Thomas Eckardt <thomas.ecka...@thockar.com> wrote:
>
> > Hi all,
> >
> > Whoever uses ClamAV with ASSP should have a look into the
> > SaneSecurity signatures.
> >
> > http://www.sanesecurity.co.uk/databases.htm
> >
> > Whoever still uses these signatures should have a look into the
> > ClamSup.ini file.
> > There are several lines excluded from the download - what I mean are:
> >
> > #
> > # Foxhole double-extension, filename and dangerous attachment blocking sigs are disabled by default
> > # see http://sanesecurity.com/foxhole-databases/ for more details about their use
> > #
> > # SaneSecurity foxhole_generic.cdb - Foxhole_Generic sigs [MEDIUM FP RISK]
> > -rsync://rsync.sanesecurity.net/sanesecurity;foxhole_generic.cdb;N;Y;Y;N;N
> > # SaneSecurity foxhole_filename.cdb - Foxhole_filename sigs [MEDIUM FP RISK]
> > -rsync://rsync.sanesecurity.net/sanesecurity;foxhole_filename.cdb;N;Y;Y;N;N
> > # SaneSecurity foxhole_all.cdb - Foxhole_all sigs [HIGH FP RISK]
> > -rsync://rsync.sanesecurity.net/sanesecurity;foxhole_all.cdb;N;Y;Y;N;N
> >
> > I recommend using these signatures - simply remove the (-) in front of
> > 'rsync'.
> >
> > I also created my own small signature files 'bad_extenson.zmd' and
> > 'bad_extenson.rmd' - with the following content:
> >
> > bad_extenson.zmd:
> >
> > Sanesecurity.Blocked.Zip.xxx.exe:0:(?i)\.(docx?|xlsx?|ppdx?|wpd|txt|jpg|jpeg|htm|html|pdf|pif|scr)\.exe$:*:*:*:*:*:*
> > Sanesecurity.Blocked.Zip.xxx.js:0:(?i)\.(docx?|xlsx?|ppdx?|wpd|txt|jpg|jpeg|htm|html|pdf|pif|scr)\.js$:*:*:*:*:*:*
> > Sanesecurity.Blocked.Zip.xxx.wsh:0:(?i)\.(docx?|xlsx?|ppdx?|wpd|txt|jpg|jpeg|htm|html|pdf|pif|scr)\.wsh$:*:*:*:*:*:*
> > Sanesecurity.Blocked.Zip.xxx.ps1:0:(?i)\.(docx?|xlsx?|ppdx?|wpd|txt|jpg|jpeg|htm|html|pdf|pif|scr)\.ps1$:*:*:*:*:*:*
> >
> > bad_extenson.rmd:
> >
> > Sanesecurity.Blocked.Rar.xxx.exe:0:(?i)\.(docx?|xlsx?|ppdx?|wpd|txt|jpg|jpeg|htm|html|pdf|pif|scr)\.exe$:*:*:*:*:*:*
> > Sanesecurity.Blocked.Rar.xxx.js:0:(?i)\.(docx?|xlsx?|ppdx?|wpd|txt|jpg|jpeg|htm|html|pdf|pif|scr)\.js$:*:*:*:*:*:*
> > Sanesecurity.Blocked.Rar.xxx.wsh:0:(?i)\.(docx?|xlsx?|ppdx?|wpd|txt|jpg|jpeg|htm|html|pdf|pif|scr)\.wsh$:*:*:*:*:*:*
> > Sanesecurity.Blocked.Rar.xxx.ps1:0:(?i)\.(docx?|xlsx?|ppdx?|wpd|txt|jpg|jpeg|htm|html|pdf|pif|scr)\.ps1$:*:*:*:*:*:*
> >
> > Both are old-style files and can be used with older ClamAV versions.
> > If you want to create your own signature files, have a look into the
> > Foxhole signatures - it is very easy.
> >
> > Thomas
> >
> >
> > DISCLAIMER:
> > *******************************************************
> > This email and any files transmitted with it may be confidential,
> > legally privileged and protected in law and are intended solely for
> > the use of the individual to whom it is addressed.
> > This email was multiple times scanned for viruses. There should be no
> > known virus in this email!
> > *******************************************************
> >
> >
> > ------------------------------------------------------------------------------
> >
> > _______________________________________________
> > Assp-user mailing list
> > Assp-user@lists.sourceforge.net
> > https://lists.sourceforge.net/lists/listinfo/assp-user
> >
> >
>