[Clamav-users] third party signatures are given preference ?
I use the official clamav databases plus third party signatures from sanesecurity to scan email for viruses - when an email would potentially hit two signatures, it seems to prefer the third party over the official clamav sigs. Is this intentional or am I missing something?

A recent example is Email.Trojan.GZC aka Sanesecurity.Malware.8825.

/Per Jessen, Zürich

___
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml
Re: [Clamav-users] third party signatures are given preference ?
On 2009-10-22 10:25, Per Jessen wrote:
> I use the official clamav databases plus third party signatures from sanesecurity to scan email for viruses - when an email would potentially hit two signatures, it seems to prefer the third party over the official clamav sigs. Is this intentional or am I missing something?
>
> A recent example is Email.Trojan.GZC aka Sanesecurity.Malware.8825.

When one signature matches on a file, the scan stops and the virus name for the matched signature is reported. If the Sanesecurity signature matches first, then that one is reported.

This is the sanesecurity signature:

    Sanesecurity.Malware.8825:4:*:556e666f7274756e6174656c792077652077657265206e6f742061626c6520746f2064656c6976657220706f7374616c207061636b61676520796f752073656e74206f6e*506c65617365207072696e74206f75742074686520696e766f69636520636f707920617474616368656420616e6420636f6c6c65637420746865207061636b616765206174206f7572

This is the Email.Trojan.GZC signature:

    Email.Trojan.GZC:4:*:506c65617365207072696e74206f75742074686520696e766f69636520636f707920617474616368656420616e6420636f6c6c65637420746865207061636b616765206174206f7572206f696365

The Sanesecurity signature's second part is a prefix of the Email.Trojan.GZC signature, so Email.Trojan.GZC will never match with sanesecurity signatures loaded.

Best regards,
--Edwin
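To make the overlap Edwin describes visible, here is an added Python example (not ClamAV's code and not from this thread) that decodes both .ndb lines exactly as copied from his reply, matches them with a toy implementation of the `*` wildcard, and reports which names hit a constructed sample body. It assumes the .ndb layout Name:TargetType:Offset:HexPattern with a floating offset `*`; the sample body and the date in it are constructed.

```python
# Added example: toy .ndb body-signature matcher (not ClamAV code). Assumes
# Name:TargetType:Offset:HexPattern, '*' = any bytes, offset '*' only.
import binascii

# Both lines copied from Edwin's reply above, split only for line length.
SANE_SIG = ("Sanesecurity.Malware.8825:4:*:"
            "556e666f7274756e6174656c792077652077657265206e6f74"
            "2061626c6520746f2064656c6976657220706f7374616c20"
            "7061636b61676520796f752073656e74206f6e*"
            "506c65617365207072696e74206f75742074686520696e766f696365"
            "20636f707920617474616368656420616e6420636f6c6c65637420"
            "746865207061636b616765206174206f7572")
GZC_SIG = ("Email.Trojan.GZC:4:*:"
           "506c65617365207072696e74206f75742074686520696e766f696365"
           "20636f707920617474616368656420616e6420636f6c6c65637420"
           "746865207061636b616765206174206f7572206f696365")

def parse_ndb(line):
    """Return (name, target_type, offset, [byte parts between '*'])."""
    name, target, offset, hexpat = line.strip().split(":", 3)
    parts = [binascii.unhexlify(p) for p in hexpat.split("*")]
    return name, int(target), offset, parts

def decoded_parts(sig):
    """Human-readable view of the hex parts (plain ASCII here)."""
    return [p.decode("ascii") for p in parse_ndb(sig)[3]]

def matches(sig, data):
    """True when every part occurs in order, with any bytes between parts."""
    pos = 0
    for part in parse_ndb(sig)[3]:
        pos = data.find(part, pos)
        if pos < 0:
            return False
        pos += len(part)
    return True

def hits(sigs, data):
    """Names of all signatures matching data; clamd reports one and stops."""
    return [parse_ndb(s)[0] for s in sigs if matches(s, data)]

def prefix_overlap(broad, narrow):
    """True if a part of `broad` is a prefix of a part of `narrow`."""
    return any(n.startswith(b)
               for b in parse_ndb(broad)[3] for n in parse_ndb(narrow)[3])

# Constructed sample body: both decoded phrases joined by a made-up date.
SAMPLE = (parse_ndb(SANE_SIG)[3][0] + b" 20 Oct 2009.\r\n\r\n"
          + parse_ndb(GZC_SIG)[3][0])
```

Run `hits([SANE_SIG, GZC_SIG], SAMPLE)` to see both names fire on the same body; which of them clamd reports depends on its matcher, not on this list order.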
[Clamav-users] APER
Hope I haven't missed this one being discussed... but ...

APER is a project hosted at Google Code (Anti-Phishing Email Reply) that tracks From, Reply-to, and Body URLs that match known phishing attacks. There are a few examples for how to use it ... but I was wondering:

Has anyone turned this into a regularly updated set of ClamAV signatures?

I've been tasked with implementing it, and I'd love to be able to just plug it into my existing regimen of ClamAV signatures (I currently use MBL, MSRBL, and some (but not all) of the signatures hosted at Sane Security).
Re: [Clamav-users] APER
> Hope I haven't missed this one being discussed... but ...
> Has anyone turned this into a regularly updated set of ClamAV signatures?

Hi,

Firstly, spear.ndb is generated from the APER feed and has been for a while now:
http://sanesecurity.co.uk/databases.htm

Secondly, I've two more databases coming online soon based on their feeds... watch this space, as they say ;)

Cheers,
Steve Sanesecurity
Re: [Clamav-users] APER
At 7:02 AM -0700 10/22/09, John Rudd wrote:
> Hope I haven't missed this one being discussed... but ...
>
> APER is a project hosted at Google Code (Anti-Phishing Email Reply) that tracks From, Reply-to, and Body URLs that match known phishing attacks. There are a few examples for how to use it ... but I was wondering:
>
> Has anyone turned this into a regularly updated set of ClamAV signatures?
>
> I've been tasked with implementing it, and I'd love to be able to just plug it into my existing regimen of ClamAV signatures (I currently use MBL, MSRBL, and some (but not all) of the signatures hosted at Sane Security).

John

Steve (sane security) was in the process of implementing at least a subset.

I have to ask however. You mentioned it contains phish urls as well. I have not been able to find that. However, we track phish urls/domains in winnow_phish_complete.ndb

Tom
Re: [Clamav-users] APER
Check out Julian Field's ScamNailer: http://www.scamnailer.info/

18/10/2009 - New scamnailer.ndb ClamAV signature database is now available from http://www.mailscanner.eu/scamnailer.ndb. This is updated very frequently. Do not download it more than once per hour!

Cheers,

Phil
--
Phil Randal | Networks Engineer
NHS Herefordshire
Herefordshire Council | Deputy Chief Executive's Office | I.C.T. Services Division
Thorn Office Centre, Rotherwas, Hereford, HR2 6JT
Tel: 01432 260160
email: pran...@herefordshire.gov.uk
Re: [Clamav-users] APER
> Check out Julian Field's ScamNailer: http://www.scamnailer.info/
>
> 18/10/2009 - New scamnailer.ndb ClamAV signature database is now available from http://www.mailscanner.eu/scamnailer.ndb. This is updated very frequently. Do not download it more than once per hour!
>
> Cheers,
> Phil

While I have a lot of respect for Julian's work (I used to use mailscanner), and it's great to see more anti-phishing resources ... I don't see anything in the descriptions that says it's based on APER.
Re: [Clamav-users] APER
> I have to ask however. You mentioned it contains phish urls as well. I have not been able to find that. However, we track phish urls/domains in winnow_phish_complete.ndb
>
> Tom

When you download their distribution, you get 4 files:

    phishing_cleared_addresses
    phishing_from_addresses
    phishing_links
    phishing_reply_addresses

The file phishing_links is what I was referring to.
Re: [Clamav-users] APER
> Firstly, spear.ndb is generated from the APER feed and has been for a while now:
> http://sanesecurity.co.uk/databases.htm

I didn't realize spear.ndb includes APER. That's great news (as we already use spear.ndb) ... looks like implementing APER is pretty straightforward (and low effort) for me :-)

Is spear using all 3 parts (from, reply, and links)? Just want to be sure, when our director asks.

> Secondly, I've two more databases coming online soon based on their feeds... watch this space, as they say ;)

Great! I look forward to hearing more :-)

> Cheers,
> Steve Sanesecurity

Thanks!
Re: [Clamav-users] APER
> Check out Julian Field's ScamNailer: http://www.scamnailer.info/
>
> 18/10/2009 - New scamnailer.ndb ClamAV signature database is now available from http://www.mailscanner.eu/scamnailer.ndb. This is updated very frequently. Do not download it more than once per hour!

Ok, that's the database that I'm in the process of distributing, after discussions with Julian/Tony Finch regarding the .ndb format.

I'm also sorting out the phishing_links feed too; it'll no doubt be called spearl.ndb at a guess but again, not ready yet. A few bits to sort out yet; once done you'll be able to sync from the Sanesecurity mirrors.

Cheers,
Steve Sanesecurity
[Clamav-users] ExcludePath rears its ugly head again
I thought I'd gotten a handle on this, but it seems to be a moving target:

I'm running ClamAV 0.95.2/9926/Thu Oct 22 05:10:50 2009

In /etc/clamd.conf I have the following line:

    ExcludePath ^/data/fxa/

When I type:

    [r...@am2-nhdr fxa]# clamdscan /data/fxa/temp.txt

I get:

    /data/fxa/temp.txt: OK

Since there's been a bug on this on whether there needs to be a leading slash, I tried changing /etc/clamd.conf so it contained the following:

    ExcludePath ^//data/fxa/

did the same thing:

    [r...@am2-nhdr fxa]# clamdscan /data/fxa/temp.txt
    /data/fxa/temp.txt: OK

    --- SCAN SUMMARY ---
    Infected files: 0
    Time: 0.033 sec (0 m 0 s)

Has anyone gotten ExcludePath to work in a /etc/clamd.conf file with version 0.95.2/9926?

Scott

Scott Mohnkern
[Clamav-users] GPLv2 clamdscan mail frontend named scandalo
Sorry if this is OT for clamav-users, but maybe someone will consider this useful.

I wrote a simple GPLv2 clamdscan frontend (in C, for linux) that can be mail piped from an external MTA or MUA to create a very fast and efficient mail virus filtering solution.

It's a fast, simple and sysadmin friendly mailfilter that pipes your incoming mail to clamdscan, uses the clamd daemon to check your mail for viruses and adds mail headers that you can check (for example with maildrop) to see if the mail contains a virus (or phishing signatures).

You can download scandalo 1.0 stable from here:
http://www.tuxweb.it/?section=progetti/scandalouser_lang=en

Install automake, then:

    # ./configure
    # make
    # make install

Now let's give it a try. Feed it with a virus...

    # cat test/test_virus.eml | /usr/local/bin/scandalo
    From: d...@test.com
    To: d...@test.com
    Subject: Test
    X-VirScanBy: scandalo 1.0 Stable
    X-Virus-Ret: 1
    X-Virus-stream: Eicar-Test-Signature FOUND

    x5o...@ap[4\pzx54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

Now, feed it with a normal email:

    # cat test/test_novirus.eml | /usr/local/bin/scandalo
    From: d...@test.com
    To: d...@test.com
    Subject: Test
    X-VirScanBy: scandalo 1.0 Stable
    X-Virus-Ret: 0
    X-Virus-stream: OK

    This is not a virus mail.

Please let me know if it can be useful to someone. Sorry for the OT, hope this helps.

This is an example of maildrop rules I use:

    VIRUSDIR='Virus'

    # Scan the mail message for viruses
    xfilter "/usr/bin/scandalo"
    if ((/^X-Virus-Ret: 1/) && (/^X-Virus-stream: !.*/))
    {
        echo "Virus found: $MATCH2."
        `test -d ./Maildir/.$VIRUSDIR`      # make sure .Virus folder exists
        if ( $RETURNCODE == 1 )
        {
            echo "Virus maildir does not exist"
            echo "Creating Maildir/.$VIRUSDIR"
            # This is used to create the virus maildir if it does not exist.
            DIRMAKE=`/opt/courier/bin/maildirmake -f $VIRUSDIR ./Maildir`
            `echo INBOX.$VIRUSDIR >> ./Maildir/courierimapsubscribed`
        }
        to ./Maildir/.$VIRUSDIR/.
    }

Ciao,
Dino.
-
TuxWeb S.r.l. - InfoServices EveryWhere - http://www.tuxweb.it
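The same scan-and-stamp flow as an added Python example (not scandalo's code): it reads a message on stdin, talks to clamd directly over its INSTREAM command instead of running clamdscan, and writes the message back with the three headers Dino's tool adds, so the maildrop rules above work unchanged. The clamd socket path is an assumption; the header-insertion logic keeps the message's own line ending and handles a message with no body.

```python
# Added example, not scandalo's code: read a message on stdin, scan it via
# clamd's INSTREAM command, write it back with scandalo-style headers.
import socket, struct, sys

CLAMD_SOCKET = "/var/run/clamav/clamd.ctl"  # assumed path; adjust for your install

def instream_request(data, chunk=8192):
    """zINSTREAM framing: 4-byte big-endian length + chunk, then a 0 length."""
    frames = [b"zINSTREAM\0"]
    for i in range(0, len(data), chunk):
        piece = data[i:i + chunk]
        frames.append(struct.pack(">I", len(piece)) + piece)
    return b"".join(frames) + struct.pack(">I", 0)

def parse_reply(reply):
    """'stream: X FOUND' -> (1, 'X FOUND'); 'stream: OK' -> (0, 'OK'); else (2, text)."""
    text = reply.decode("ascii", "replace").strip("\0\r\n ")
    verdict = text[len("stream: "):] if text.startswith("stream: ") else text
    if verdict.endswith(" FOUND"):
        return 1, verdict
    return (0, verdict) if verdict == "OK" else (2, verdict)

def stamp(message, ret, verdict):
    """Add the headers before the blank line ending the header block, keeping
    the message's own line ending; a message with no body gets them appended."""
    nl = b"\r\n" if b"\r\n" in message else b"\n"
    head, sep, body = message.partition(nl + nl)
    extra = nl.join([b"X-VirScanBy: clamd-stamp (added example)",
                     b"X-Virus-Ret: %d" % ret,
                     b"X-Virus-stream: " + verdict.encode("ascii", "replace")])
    if not sep:
        return head.rstrip(b"\r\n") + nl + extra + nl
    return head + nl + extra + sep + body

def scan_with_clamd(data, sock_path=CLAMD_SOCKET):
    """Send data to clamd over its Unix socket and return parse_reply() of it."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(sock_path)
        s.sendall(instream_request(data))
        reply = b""
        while not reply.endswith(b"\0"):
            chunk = s.recv(4096)
            if not chunk:
                break
            reply += chunk
    return parse_reply(reply)

if __name__ == "__main__":
    mail = sys.stdin.buffer.read()
    code, text = scan_with_clamd(mail)
    sys.stdout.buffer.write(stamp(mail, code, text))
```

A non-zero X-Virus-Ret of 2 marks a clamd error (for example an exceeded stream size limit), which the maildrop rule above would not file as a virus; decide separately whether such mail should be held.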
Re: [Clamav-users] ExcludePath rears its ugly head again
Ignore, after further exploration I realized that the ExcludePath still goes through the files, it just doesn't actually scan them.

Scott Mohnkern
[Clamav-users] Sorry to back and forth on ExcludePath
But it's definitely not working in .95.2

What I have in /etc/clamd.conf:

    ExcludePath ^/fs/shared/

when I run clamdscan / it still scans the directory.

Scott Mohnkern