RE: [Clamav-users] ClamAV should not try to detect phishing and other social engineering attacks
How do I get clamav to not cc the intended user with the virus notification message?

Thanks
Mark Penkower

At 01:51 PM 11/15/2004, you wrote:
> Brian Morrison [EMAIL PROTECTED] wrote:
>> 2) It takes extra work for someone to make the decision, create the separate databases etc.
>
> Diego d'Ambra [EMAIL PROTECTED] wrote:
>> Julian Mehnle wrote:
>>> The definition of what _I_ would like ClamAV to detect is: anything that poses a technical threat, no matter whether it also poses a social/fraud threat or not. That's a clear enough criterion, isn't it?
>>
>> Creating such a system has a dramatic impact on the work needed to classify a suspicious sample. These samples often contain weird Java, HTML etc. that must be decoded and tested with different software versions to ensure no exploit is being triggered and/or harmful content installed.
>
> I can't see why discriminating technical attacks from social engineering attacks would be extra work. After all, when drafting a signature for a new attack, a name for the attack has to be chosen. If you know you're going to file it as HTML.Phishing.Bank-12, you have already distinguished between a technical attack and a social engineering one.
>
> If your point is that classifying new attacks can be a difficult task, well, tough luck, that's how it is. In order to find a good name for the attack, you have to do the classifying properly anyway. So where's the extra work? And don't tell me creating the database files from the signatures isn't already a largely automated process. ;-)

NOTICE TO RECIPIENT: This e-mail is meant only for the intended recipient(s) of the transmission, and contains confidential information which is proprietary to Royce Associates, LLC. Any unauthorized use, copying, distribution, or dissemination is strictly prohibited. All rights to this information are reserved by Royce Associates, LLC. If you are not the intended recipient, please contact the sender by reply e-mail and please delete this e-mail from your system and destroy any copies.

___ http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
Re: [Clamav-users] ClamAV should not try to detect phishing and other social engineering attacks
On Mon, 29 Nov 2004 13:50:40 -0500 in [EMAIL PROTECTED] Mark Penkower [EMAIL PROTECTED] wrote:
> How do I get clamav to not cc the intended user with the virus notification message?

ClamAV doesn't do that, it is your MTA that does it.

--
Brian Morrison
bdm at fenrir dot org dot uk
GnuPG key ID DE32E5C5 - http://wwwkeys.uk.pgp.net/pgpnet/wwwkeys.html
RE: [Clamav-users] ClamAV should not try to detect phishing and other social engineering attacks
Give the --postmaster-only option to clamav-milter.

-Nigel

On Mon, 2004-11-29 at 18:50, Mark Penkower wrote:
> How do I get clamav to not cc the intended user with the virus notification message?
>
> Thanks
> Mark Penkower
>
> At 01:51 PM 11/15/2004, you wrote:
> [...]
Re: [Clamav-users] ClamAV should not try to detect phishing and other social engineering attacks
On Tue, 16 Nov 2004 01:31:22 +0100 in [EMAIL PROTECTED] Julian Mehnle [EMAIL PROTECTED] wrote:
> If people require machines as desperately as that to prevent themselves from falling for fraud attempts, humanity is truly doomed.

It always has been. Never mind the quality, feel the *width*.

--
Brian Morrison
bdm at fenrir dot org dot uk
GnuPG key ID DE32E5C5 - http://wwwkeys.uk.pgp.net/pgpnet/wwwkeys.html
Re: [Clamav-users] ClamAV should not try to detect phishing and other social engineering attacks
On Tue, 16 Nov 2004 at 1:31:22 +0100, Julian Mehnle wrote:
> If people require machines as desperately as that to prevent themselves from falling for fraud attempts, humanity is truly doomed.

It already is ;-) . Anybody who doubts it can have a look:
http://www.manbottle.com/humor/Further_proof_that_the_human_race_is_doomed.htm
http://www.doheth.co.uk/funny/doomed.php

--
Tomasz Papszun   SysAdm @ TP S.A. Lodz, Poland   | And it's only
[EMAIL PROTECTED]   http://www.lodz.tpsa.pl/iso/  | ones and zeros.
[EMAIL PROTECTED]   http://www.ClamAV.net/   A GPL virus scanner
RE: [Clamav-users] ClamAV should not try to detect phishing and other social engineering attacks
On Tue, 16 Nov 2004, Julian Mehnle wrote:
> If people require machines as desperately as that to prevent themselves from falling for fraud attempts...

...then they're pretty much behaving in the manner humanity always has and always will.

> To those of you who argue that ClamAV should detect phishing attacks even though tools like SpamAssassin are designed and inherently better suited for doing that, I'd like to say that you will never really be able to abandon SpamAssassin Co. anyway.

Again, I don't think that's what the ClamAV team is trying to accomplish here. They're just going after the most active phishing threats out there, not trying to completely prevent your system from any sort of unwanted e-mail (or even every possible phishing attack).

I understand that you want your users to have the right to screw themselves, which I understand from a philosophical standpoint, despite the fact that I think it's terribly silly. But, you aren't demanding that everyone else be terribly silly, so I don't see any problem with your request. Given the way things have happened in the past, I wouldn't be surprised if this functionality were quietly added in the next CVS release while everyone keeps arguing about how many clicks it takes to make something a virus.

The argument I DON'T think much of is the slippery slope argument, mostly for this reason...interspersed between all the discussion in this thread are tons of confirmation messages in my inbox, letting me know that ClamAV has nailed tons of phishing messages that wouldn't have otherwise been caught. Job well done. There are dozens (hundreds?) of new viruses and trojans added to the database every week that most of our systems will never see, but no one complains about the resource hit those are making, because we all know that on the off-chance we ever get one of these rare beasts, we'd be very happy ClamAV was there to stop it.

The argument that phishing attacks are a bunch of one-offs that you'll never see again is not backed up by my data. The very first anti-phishing signature added to the database nabbed a few specimens just today. Maybe in a month they'll be gone forever, but such is the way of worm flare-ups these days as well. Despite all the hyperbole, what's really happened here is that a small amount of work (ie, a few signatures) has been done that will save a disproportionately huge amount of headaches in the sys admin community. There's no point in claiming the sky is falling, just yet, anyway.

I think this is a worthwhile discussion to have, and philosophical ideals are important, but we should also take a peek at the real world from time to time as well. We should be watchful of any drastic turns in ClamAV development, but we haven't seen any of those yet.

Jeffrey Moskot
System Administrator
[EMAIL PROTECTED]
RE: [Clamav-users] ClamAV should not try to detect phishing and other social engineering attacks
> On Tue, 16 Nov 2004, Julian Mehnle wrote:
>> If people require machines as desperately as that to prevent themselves from falling for fraud attempts...
>
> ...then they're pretty much behaving in the manner humanity always has and always will.
>
>> To those of you who argue that ClamAV should detect phishing attacks even though tools like SpamAssassin are designed and inherently better suited for doing that, I'd like to say that you will never really be able to abandon SpamAssassin Co. anyway.

Announcing a NEW phishing threat ... this is an excerpt from winXP news ... how to disable the Windows Scripting Host (WSH) to prevent an insidious new phishing technique that uses a script to redirect you to a fraudulent Web site when you log on to do online banking.

So some of the phishing attacks now use scripts

--
Ken Jones
[EMAIL PROTECTED]
RE: [Clamav-users] ClamAV should not try to detect phishing and other social engineering attacks
Matt [EMAIL PROTECTED] wrote:
> Trog wrote:
>> I'm not trying to scare you away, I really don't care what you do. I've told you how you can easily do what you want, using ClamAV.
>
> As Trog has already mentioned, you can simply remove the phishing signatures from the database. This is not trying to scare you away. It is a simple workaround to your specific needs at this moment. Or, as Tomasz and I have both mentioned, you can easily bypass this in your filtering software. This discussion is not a vendetta against the idea, but everyone is entitled to their own opinion, so it is of no use getting touchy when someone offers alternative advice, or a personal opinion.

Pardon me, Trog offered me two options, of which "use another product" was the first. If that isn't scaring me away for you, then I don't know what is.

I just explained why Tomasz' suggestion is suboptimal in another message of mine.

I might be able to remove the signatures I don't want, but I would still have to know if there is an authoritative hierarchy of signature names from which I can see what hierarchy branches ('HTML.Phishing.*', etc.) I would have to remove. Is there one?

But I think this is overly complicated. Maybe it would be better for the official ClamAV signature databases to be modular, i.e. have one for technical attacks and one for social engineering attacks. That way people who only use one of them wouldn't have to download both.
Re: [Clamav-users] ClamAV should not try to detect phishing and other social engineering attacks
Julian Mehnle wrote:
> Pardon me, Trog offered me two options, of which "use another product" was the first. If that isn't scaring me away for you, then I don't know what is.

That was just another alternative :)

> I might be able to remove the signatures I don't want, but I would still have to know if there is an authoritative hierarchy of signature names from which I can see what hierarchy branches ('HTML.Phishing.*', etc.) I would have to remove. Is there one?

sigtool -l | egrep '\.Phishing\.'

That will show you all the phishing signatures in the database.

Matt
Re: [Clamav-users] ClamAV should not try to detect phishing and other social engineering attacks
On Mon, 15 Nov 2004 16:02:03 +0100 Julian Mehnle [EMAIL PROTECTED] wrote:
> Matt [EMAIL PROTECTED] wrote:
>> Julian Mehnle wrote:
>>> I might be able to remove the signatures I don't want, but I would still have to know if there is an authoritative hierarchy of signature names from which I can see what hierarchy branches ('HTML.Phishing.*', etc.) I would have to remove. Is there one?
>>
>> sigtool -l | egrep '\.Phishing\.'
>>
>> That will show you all the phishing signatures in the database.
>
> Thanks, but the point of my question was that I wanted to know whether there are more social engineering signatures in the database than just phishing ones.

Yes, there are. E.g. HTML.Mydoom.email-gen-1 and others...

--
Tomasz Kojm [EMAIL PROTECTED]
http://www.ClamAV.net/gpg/tkojm.gpg
0DCA5A08407D5288279DB43454822DC8985A444B
Mon Nov 15 16:05:05 CET 2004
RE: [Clamav-users] ClamAV should not try to detect phishing and other social engineering attacks
Tomasz Kojm [EMAIL PROTECTED] wrote:
> Julian Mehnle [EMAIL PROTECTED] wrote:
>> Thanks, but the point of my question was that I wanted to know whether there are more social engineering signatures in the database than just phishing ones.
>
> Yes, there are. E.g. HTML.Mydoom.email-gen-1 and others...

Just why is it that I can't get rid of the feeling that I'm not wanted here... Of course I meant signatures for pure social engineering with no technical threat component.
Re: [Clamav-users] ClamAV should not try to detect phishing and other social engineering attacks
Julian Mehnle wrote:
>>> Thanks, but the point of my question was that I wanted to know whether there are more social engineering signatures in the database than just phishing ones.

Apologies. I misinterpreted that question.

>> Yes, there are. E.g. HTML.Mydoom.email-gen-1 and others...
>
> Just why is it that I can't get rid of the feeling that I'm not wanted here... Of course I meant signatures for pure social engineering with no technical threat component.

Glad to know I'm not the only paranoid on the list :)

The problem is that, as yourself and others have mentioned, the distinction between the different categories is dependent upon personal interpretation. What one classes as social engineering, someone else may class as, for example, malware. Even though they can technically be the same thing, perceptions vary, thereby making it a nigh on impossible question to answer.

Matt
Re: [Clamav-users] ClamAV should not try to detect phishing and other social engineering attacks
Julian Mehnle wrote:
> Dennis Skinner [EMAIL PROTECTED] wrote:
>> Julian Mehnle wrote:
>>> Besides, if mail servers started using SPF (or similar authentication techniques) to verify envelope sender addresses, whoever publishes SPF records for his domains would be
>>
>> Not to start another flame war, but I find it interesting that you take such a hard-nosed approach to what is and is not technically a virus,
>
> Am I? I'm just saying that I think that a distinction between technical attacks and social engineering attacks is possible and meaningful (even if not everyone would make use of that distinction). That has nothing to do with being hard-nosed, has it?

I hate to butt into a discussion, but I would have to agree. I use SpamAssassin and ClamAV, I don't need or want them doing the same job. I've seen this same discussion on the SpamAssassin list where users wanted rules to stop Viruses with SA, and the general response was "No, SA is a spam filter, get ClamAV if you want to stop Viruses".

DAve

--
Systems Administrator
http://www.tls.net
Get rid of Unwanted Emails...get TLS Spam Blocker!
RE: [Clamav-users] ClamAV should not try to detect phishing and other social engineering attacks
Matt [EMAIL PROTECTED] wrote:
> The problem is that, as yourself and others have mentioned, the distinction between the different categories is dependent upon personal interpretation. What one classes as social engineering, someone else may class as, for example, malware. Even though they can technically be the same thing, perceptions vary, thereby making it a nigh on impossible question to answer.

Following that logic, any distinction between spam and malware would be artificial, too. Sorry, but I don't subscribe to this sort of nihilism. ;-)

I have not tried to make a distinction between social engineering and malware. Those are orthogonal concepts. But there definitely is a distinction between technical attacks and social engineering attacks, even though they're somewhat overlapping.
Re: [Clamav-users] ClamAV should not try to detect phishing and other social engineering attacks
On Mon, 15 Nov 2004 17:48:35 +0100 in [EMAIL PROTECTED] Julian Mehnle [EMAIL PROTECTED] wrote:
> But there definitely is a distinction between technical attacks and social engineering attacks, even though they're somewhat overlapping.

I can't see logically how things that are distinct can also be overlapping. Is that really the description you want to use?

--
Brian Morrison
bdm at fenrir dot org dot uk
GnuPG key ID DE32E5C5 - http://wwwkeys.uk.pgp.net/pgpnet/wwwkeys.html
Re: [Clamav-users] ClamAV should not try to detect phishing and other social engineering attacks
On Mon, 15 Nov 2004 17:53:31 +0100 in [EMAIL PROTECTED] Julian Mehnle [EMAIL PROTECTED] wrote:
> Trog [EMAIL PROTECTED] wrote:
>> Please give a full definition of Spam and Malware/Viruses that do not intersect, and will never intersect for all future Spam and Malware such that we can be sure we know what you are requesting.
>
> The definition of what _I_ would like ClamAV to detect is: anything that poses a technical threat, no matter whether it also poses a social/fraud threat or not. That's a clear enough criterion, isn't it?

That depends on your definition of 'technical' doesn't it?

--
Brian Morrison
bdm at fenrir dot org dot uk
GnuPG key ID DE32E5C5 - http://wwwkeys.uk.pgp.net/pgpnet/wwwkeys.html
RE: [Clamav-users] ClamAV should not try to detect phishing and other social engineering attacks
On Mon, 2004-11-15 at 16:53, Julian Mehnle wrote:
> Trog [EMAIL PROTECTED] wrote:
>> Please give a full definition of Spam and Malware/Viruses that do not intersect, and will never intersect for all future Spam and Malware such that we can be sure we know what you are requesting.
>
> The definition of what _I_ would like ClamAV to detect is: anything that poses a technical threat, no matter whether it also poses a social/fraud threat or not. That's a clear enough criterion, isn't it?

And that's fine. It's not what I asked for, but that's ok too. So, you can now go and put the effort in to achieving your requirements. Let us know how you get on.

-trog
RE: [Clamav-users] ClamAV should not try to detect phishing and other social engineering attacks
Brian Morrison [EMAIL PROTECTED] wrote:
> What I am suggesting is that, because you appear to have a requirement that is significantly different from nearly everyone else that has responded in this thread,

(I don't think you're judging the proportions correctly.)

> you are in the best position to roll your own solution rather than suggesting that ClamAV is changed to accommodate your requirement. [...] I find it really hard to understand why you want to do it as well, I find that ClamAV kills the obvious signature-based phishing attacks and SA spots those that ClamAV doesn't. Two lines of defence is fine by me.

What I don't understand is that no one seems to be willing to discuss my proposal of making the signature database modular, i.e. offer social engineering attack signatures separately from technical attack ones for download and installation. That would solve my and others' problem nicely, and would take _nothing_ away from those who don't care what ClamAV detects.
Re: [Clamav-users] ClamAV should not try to detect phishing and other social engineering attacks
On Nov 15, 2004, at 11:48 AM, Julian Mehnle wrote:
> Matt [EMAIL PROTECTED] wrote:
>> The problem is that, as yourself and others have mentioned, the distinction between the different categories is dependent upon personal interpretation. What one classes as social engineering, someone else may class as, for example, malware. Even though they can technically be the same thing, perceptions vary, thereby making it a nigh on impossible question to answer.
>
> Following that logic, any distinction between spam and malware would be artificial, too. Sorry, but I don't subscribe to this sort of nihilism. ;-)

Because there is still a difference...commonly accepted definitions are watering them down though :-)

Malware...bad software with bad intentions. I think the line is pretty easy to find between viruses/worms and trojans and spam/UCE/UBE and social engineering attacks. The lines blur as they start using each other to their own advantage (viruses spreading spam from infected machines, for example) but it's clear enough that the actual virus or worm is the executable code or script, while the "click here for amazing rates!" is simply spam, and the techniques for fighting spam can be quite different from those used to stop an infectious file attachment.

> I have not tried to make a distinction between social engineering and malware. Those are orthogonal concepts. But there definitely is a distinction between technical attacks and social engineering attacks, even though they're somewhat overlapping.

Very correct. There's a difference between me taking your wallet and me telling you about a wonderful investment opportunity where you can double...no...triple your money in two weeks!

If it takes advantage of a bug in the OS or contains executable code or scripts that carry the intention of infecting...spreading/running without the user's knowledge...then I would think it's Clam's job to stop it. If it's someone trying to triple my money or beg for a place to hide a billion dollars while the sender's government falls, it's SA's job to stop it.

If I wanted overlap, I'd install multiple spam filters and multiple virus filters, I don't need multiple spirus filters to try to diagnose and maintain :-)

-Bart
Re: [Clamav-users] ClamAV should not try to detect phishing and other social engineering attacks
On Nov 15, 2004, at 11:48 AM, Trog wrote:
> Not one of the Clam developers have proposed adding general spam detection to ClamAV.

You're right. This was an idea being proposed, I thought...a suggestion. Isn't this something worth going over on a users list as discussion? Sorry if not... :-/

-Bart
RE: [Clamav-users] ClamAV should not try to detect phishing and other social engineering attacks
Trog [EMAIL PROTECTED] wrote:
> What you don't seem to understand is that the distinction between technical attacks and social engineering attacks is irrelevant, because that's not what *any* anti-virus product has as a requirement.

So now you're declaring _my_ requirements irrelevant. I'm not surprised.

> If you want to impose your own requirements, then *you* will have to put in the work to fulfil them.

So where do you take it from that I would not be willing to do so? I am just trying to find a solution that can be incorporated in the official ClamAV distribution so that not just me (and it's not just me who has that requirement, read some other postings) can benefit from it.

> The rest of us don't much care.

Speak only for yourself. :-)
Re: [Clamav-users] ClamAV should not try to detect phishing and other social engineering attacks
On Nov 15, 2004, at 11:54 AM, Brian Morrison wrote:
> On Mon, 15 Nov 2004 17:48:35 +0100 in [EMAIL PROTECTED] Julian Mehnle [EMAIL PROTECTED] wrote:
>> But there definitely is a distinction between technical attacks and social engineering attacks, even though they're somewhat overlapping.
>
> I can't see logically how things that are distinct can also be overlapping. Is that really the description you want to use?

You get a mail...

If it has an attachment that will run in the background on your computer for the express reason of propagating itself, it's for clam.
If it has an attachment that will spread to other computers to cause harm, it's for clam.
If it was sent to you by a worm with itself as a payload, it's for clam.
If viewing the message takes advantage of an OS bug to alter the computer without your knowledge, it's for clam.

If it's a bunch of flashy graphics telling you to visit a website for fantastic deals on hiding money from third world countries while getting fantastic mortgage rates on your pen1s enlargement ointment, it's for a spam filter.
If it only does harm if you follow a link and then consciously give your account information, be it ebay or bank or paypal, to a third party site, it's for the spam filter.

howzat? :-)

-Bart
RE: [Clamav-users] ClamAV should not try to detect phishing and other social engineering attacks
Brian Morrison [EMAIL PROTECTED] wrote:
> Julian Mehnle [EMAIL PROTECTED] wrote:
>> Trog [EMAIL PROTECTED] wrote:
>>> Please give a full definition of Spam and Malware/Viruses that do not intersect, and will never intersect for all future Spam and Malware such that we can be sure we know what you are requesting.
>>
>> The definition of what _I_ would like ClamAV to detect is: anything that poses a technical threat, no matter whether it also poses a social/fraud threat or not. That's a clear enough criterion, isn't it?
>
> That depends on your definition of 'technical' doesn't it?

technical := affecting the technical systems involved in storing and transporting the data items subject to being scanned by ClamAV.

technical threat := (go figure...)
Re: [Clamav-users] ClamAV should not try to detect phishing and other social engineering attacks
On Mon, 2004-11-15 at 12:12 -0500, Bart Silverstrim wrote:
> If it's a bunch of flashy graphics telling you to visit a website for fantastic deals on hiding money from third world countries while getting fantastic mortgage rates on your pen1s enlargement ointment, it's for a spam filter.
> If it only does harm if you follow a link and then consciously give your account information, be it ebay or bank or paypal, to a third party site, it's for the spam filter.
>
> howzat? :-)

How about an e-mail that contains a link that takes one to a webpage that exploits the web browser to install a program that will intercept the account information the next time the actual site is visited?
RE: [Clamav-users] ClamAV should not try to detect phishing and other social engineering attacks
On Mon, 2004-11-15 at 18:00 +0100, Julian Mehnle wrote:
> Brian Morrison [EMAIL PROTECTED] wrote:
>> What I am suggesting is that, because you appear to have a requirement that is significantly different from nearly everyone else that has responded in this thread,
>
> What I don't understand is that no one seems to be willing to discuss my proposal of making the signature database modular, i.e. offer social engineering attack signatures separately from technical attack ones for download and installation. That would solve my and others' problem nicely, and would take _nothing_ away from those who don't care what ClamAV detects.

Ah, then we would have all manner of classifications - is it social? Is it Adware? Is it a trojan? Does it promulgate via IRC? or ...?

But then the signature writers would have to tag all of the viruses, and decide which of the 47 classes (or multiple, semi-overlapping classes) to split them all into, instead of slamming out a sig to catch the latest mail worm that just killed your network. And, that would require a new format for the signatures - starting off by classifying all 28K legacy signatures, creating a new format that allows people to select the classes they want, going through a 2-month beta period and probably a one-year upgrade period where they have to maintain two distinct formats...

And the reason for this effort? So you can report e-mail as spam? Because you have sophisticated users who like poking fun at phishers? Doesn't sound like a useful or simple solution to me. And don't you think there are other people with unprotected boxes who will get the phishes and report them? Or are you the key to the spamcop network, and without your input the system will collapse?

clamav kills bad things - that's good, and I'd like it to be able to continue to kill bad things in the same expedient manner that it has in the past.

--
Daniel J McDonald, CCIE # 2495, CNX
Austin Energy
[EMAIL PROTECTED]
Re: [Clamav-users] ClamAV should not try to detect phishing and other social engineering attacks
Julian Mehnle wrote:
> technical := affecting the technical systems involved in storing and transporting the data items subject to being scanned by ClamAV.
>
> technical threat := (go figure...)

Would that include viruses that require action on the part of the recipient? Included in password protected zips? What is the difference between tricking a person into opening a password protected zip (which is not dangerous in its delivered form) and tricking a user into clicking a link that takes them to the virus? How little user interaction is required before it is considered technical enough? Require the user to open the attachment? Require the user to pop their mail?

Technically, most viruses these days are social engineered in some way. Unlike the boot sector viruses that seem to have gone the way of the floppy disc. Given the new push for integration between the internet and local computers, limiting an AV scanner to only protecting against viruses physically included in an email is a bit short-sighted in my opinion. It's getting to the point where users are unable to distinguish between what is remote and local content.

--
Dennis Skinner
Systems Administrator
BlueFrog Internet
http://www.bluefrog.com

She calls it stick season, this slow disrobing of summer, leaf by leaf, till the bores of tall trees rattle and scrape in the wind. - Eric Pinder
Re: [Clamav-users] ClamAV should not try to detect phishing and other social engineering attacks
On Nov 15, 2004, at 12:25 PM, Chris Meadors wrote:
> On Mon, 2004-11-15 at 12:12 -0500, Bart Silverstrim wrote:
>> If it's a bunch of flashy graphics telling you to visit a website for fantastic deals on hiding money from third world countries while getting fantastic mortgage rates on your pen1s enlargement ointment, it's for a spam filter.
>> If it only does harm if you follow a link and then consciously give your account information, be it ebay or bank or paypal, to a third party site, it's for the spam filter.
>>
>> howzat? :-)
>
> How about an e-mail that contains a link that takes one to a webpage that exploits the web browser to install a program that will intercept the account information the next time the actual site is visited?

Hmm...if it is scripted so no user intervention is necessary for it to run, it's an executable script, so it's clam. If it is something like "click here to see Anna Kournakova NUDE!" and is just a plain URL, no exploit, then it's spam.

Otherwise, you're talking about something that makes just as much sense to integrate Clam into Squid to scan all traffic streaming through the web proxy...keep users from being able to view this site, it contains harmful code for their computer! Actually if this is a threat, maybe more work should be put into making the file-access-scanner daemon more stable and keeping definitions on the users Windows machine updated for their Windows AV scanner.

The actual harm to the computer in your example still came from the user doing something beyond reasonable safety...being duped into going to a website. The mail itself was harmless. The bug should be patched in the browser so it shouldn't happen. The program getting on the system is no different from any other spyware vector installation.
Re: [Clamav-users] ClamAV should not try to detect phishing and other social engineering attacks
On Nov 15, 2004, at 12:29 PM, Daniel J McDonald wrote:
> clamav kills bad things - that's good, and I'd like it to be able to continue to kill bad things in the same expedient manner that it has in the past.

That's not entirely true. There are people who installed it on Windows and Windows still booted afterwards. :-)

-Bart
RE: [Clamav-users] ClamAV should not try to detect phishing and other social engineering attacks
Chris Meadors [EMAIL PROTECTED] wrote:
> How about an e-mail that contains a link that takes one to a webpage that exploits the web browser to install a program that will intercept the account information the next time the actual site is visited?

That's social engineering. I know some of you would like that to be detected, but still it is not directly a technical threat but simply social engineering. But I'm not even saying ClamAV shouldn't have the capacity to detect that, I'm just saying I would like to have some option to disable it for my setup.
Re: [Clamav-users] ClamAV should not try to detect phishing and other social engineering attacks
Julian Mehnle wrote:
> The definition of what _I_ would like ClamAV to detect is: anything that poses a technical threat, no matter whether it also poses a social/fraud threat or not. That's a clear enough criterion, isn't it?

Again, that can be interpreted in different ways :) What is a technical threat?

1) Something which causes damage on the destination machine?
2) Something which pops up an annoying, but otherwise harmless message?
3) Something which replicates and just uses some of your bandwidth to propagate?
4) Something which prompts a luser to click on a weblink, and download a programme which, theoretically, has then bypassed segments of your filtering?

This is not meant as tardiness, but just to point out that the distinction is so blurry. Add to that personal and differing technical concepts and opinions, and the definition again changes. At the end of the day, the developers design it as they see fit. (Thanks for the software, chaps).

If the standard database was segregated, some people would inevitably cock up their configs and run with partial protection. This can cause problems not only for themselves, but others, in the case of propagation. There is also the fact, and I am sure that I am not alone, in being very draconian. You control the machines, the users get what they are given :)

A better proposition to your predicament would probably be to write an external programme/script which can remove user defined criterion from the database, thereby allowing for personal customisation. This would allow the standard database to cover everything as it does already. The benefit being that someone who does know enough about their requirements to then remove specific portions would not then be shooting themselves in the foot.

Matt
Re: [Clamav-users] ClamAV should not try to detect phishing and other social engineering attacks
On Nov 15, 2004, at 12:32 PM, Dennis Skinner wrote:
> How little user interaction is required before it is considered technical enough? Require the user to open the attachment? Require the user to pop their mail? Technically, most viruses these days are social engineered in some way. Unlike the boot sector viruses that seem to have gone the way of the floppy disc.
>
> Given the new push for integration between the internet and local computers, limiting an AV scanner to only protecting against viruses physically included in an email is a bit short-sighted in my opinion. It's getting to the point where users are unable to distinguish between what is remote and local content.

Well...how about this counterproposal...

Let's make ClamAV into a filter that takes ALL mail, strips HTML, converts it into plain text, and strips all scripting out of the message whatsoever, as well as attachments? It could move them to a configured mail website where you click a link that Clam inserts into the mail message (plain old URL) if you're interested in getting it, and you can browse whatever graphics or attachments were meant for that message and were instead stripped? Of course this would mean setting up a web server and database server, but those tools exist already.

This way it doesn't matter what new threat comes out, your mail is already defanged, demangled, demimed and sanitized for the user's protection! It could protect from click traps, malware attachments, script exploits...users just lose their dancing icons and pretty pretty backgrounds. It could also make previously hidden text visible from spam.

On one hand, it's sarcastic as heck. On the other, it might not be a bad idea.

-Bart
Re: [Clamav-users] ClamAV should not try to detect phishing and other social engineering attacks
On Nov 15, 2004, at 12:43 PM, Matt wrote:
> If the standard database was segregated, some people would inevitably cock up their configs and run with partial protection. This can cause problems not only for themselves, but others, in the case of propagation.

Whitelist all traffic you want to allow! Mail servers, web sites...there must be a way. After reading how Lexmark is apparently having their *drivers* phone home, and the number of emails from spammers that may link to pages where users happily click away their life savings and...there's just getting to be too much. It is getting utterly hopeless to have some kind of order arise from the UBE/UCE/Spam/Spim/trojan/virus/worm/scammer/ad content/spyware/etc. muck and mire we're currently dealing with. I need a new career :-(

> There is also the fact, and I am sure that I am not alone, in being very draconian. You control the machines, the users get what they are given :)

This is why UNIX had the modular black box model, as I recall...take the app, make it focus on its task, and if you need other functionality, it was done in another app. Chain together. Repeat as necessary.

Some...many...ISPs would want a scoring system for spam so users can have an opportunity to filter themselves or decide their tolerance and training levels. Others, like my school, need to make decisions FOR everyone because there's too many users that just don't take the time to learn how to use it. We have too much user turnover and it's impractical with our human resources to keep people up to speed when they really don't give a hoot about such things. Some people don't like their messages being filtered at all...they prefer it done by themselves at the desktop. Some people combine it, some at the server, some at the desktop.

The modular model makes all these possible with ClamAV without ClamAV being twisted or bent to fit. It plugs in and does its job, nothing more nothing less.
RE: [Clamav-users] ClamAV should not try to detect phishing and other social engineering attacks
Dennis Skinner [EMAIL PROTECTED] wrote:
> Julian Mehnle wrote:
>> technical := affecting the technical systems involved in storing and transporting the data items subject to being scanned by ClamAV.
>> technical threat := (go figure...)
>
> Would that include viruses that require action on the part of the recipient? Included in password protected zips? What is the difference between tricking a person into opening a password protected zip (which is not dangerous in its delivered form) and tricking a user into clicking a link that takes them to the virus?

Counter question: What do the following have in common:

1. tricking a user into clicking a link that takes him to a virus, and
2. tricking a user into clicking a link that takes him to a web page that tricks him into clicking on a link that takes him to the virus?

Answer: It's not ClamAV's responsibility to protect the user from immediate threats that are outside of its sphere of action.

This problem shouldn't be decided from an end-user's point of view. If _that_ were the criterion, ClamAV should also prevent the wrong device drivers from being installed on my PC. ClamAV could block a lot of stuff that somehow could put the user in danger, but that would be an endless undertaking. Besides, the more indirect the threat gets, the more people will disagree on its dangerousness.

ClamAV should be responsible for detecting objects that are immediately dangerous to the user (executables, JPEG exploits, etc.). The user's web browser is responsible not to allow untrusted objects from web pages to be executed. Those objects don't go through ClamAV as an e-mail scanner, and thus ClamAV as an e-mail scanner should not deploy measures to keep the user from getting in those objects' vicinity.
RE: [Clamav-users] ClamAV should not try to detect phishing and other social engineering attacks
Hanford, Seth [EMAIL PROTECTED] wrote:
> I agree with Julian that Clam does not seem the logical solution to Spam messages.

Please note that I have never talked about ClamAV unwantedly detecting _spam_. I just talked about social engineering in general and about phishing in particular.
Re: [Clamav-users] ClamAV should not try to detect phishing and other social engineering attacks
Julian Mehnle wrote:
> Counter question: What do the following have in common:
> 1. tricking a user into clicking a link that takes him to a virus, and
> 2. tricking a user into clicking a link that takes him to a web page that tricks him into clicking on a link that takes him to the virus?
> Answer: It's not ClamAV's responsibility to protect the user from immediate threats that are outside of its sphere of action.

And a password protected zipped virus could be considered outside ClamAV's sphere too. We should not block those because it would be the job of the unzip program to protect the user, right?

Oh wait! Don't catch doc macro viruses because that is MSWord's job to protect the user.

I think your slope is just as slippery as mine :)

-- 
Dennis Skinner
Systems Administrator
BlueFrog Internet
http://www.bluefrog.com

Fall is my favorite season in Los Angeles, watching the birds change color and fall from the trees. - David Letterman
RE: [Clamav-users] ClamAV should not try to detect phishing and other social engineering attacks
Dennis Skinner [EMAIL PROTECTED] wrote:
> Julian Mehnle wrote:
>> Counter question: What do the following have in common:
>> 1. tricking a user into clicking a link that takes him to a virus, and
>> 2. tricking a user into clicking a link that takes him to a web page that tricks him into clicking on a link that takes him to the virus?
>> Answer: It's not ClamAV's responsibility to protect the user from immediate threats that are outside of its sphere of action.
>
> And a password protected zipped virus could be considered outside ClamAV's sphere too. We should not block those because it would be the job of the unzip program to protect the user, right?

No, because the unzip program can't ever be expected to provide reasonable protection, plus it is just acting as a component of ClamAV, plus the user never operates the unzip program directly. E-Mail virus scanners can reasonably be expected to scan e-mails for malware, web browsers can reasonably be expected to prevent users from executing code from unknown websites. What those two have in common is that they are responsible for not letting dangerous objects onto the user's system.

> Oh wait! Don't catch doc macro viruses because that is MSWord's job to protect the user.

No, because then, the dangerous object already _is_ on the user's system. Current versions of Microsoft Word do warn the user before executing untrusted macros, but it is still not really Word's responsibility. Microsoft probably decided to build protection against untrusted macros into Word for the same reason some ClamAV fans want to have phishing protection in ClamAV: because they want to accommodate ignorant users and are willing to do nearly all they can to protect them from possible dangers.

One could consider this a good thing, but it leads to a world where every software tries to do everything security-wise, and even if someone wanted to disable a certain security measure, he can't because ten other programs will take over the job and offer their protection instead. Good software needs to have a somewhat clear definition of what it is responsible to do and what not, so the "I take every protection I can get" argument doesn't hold.

> I think your slope is just as slippery as mine :)

I don't think so. :-)
Re: [Clamav-users] ClamAV should not try to detect phishing and other social engineering attacks
Trog wrote:
> On Mon, 2004-11-15 at 16:39, Dave Goodrich wrote:
>> Julian Mehnle wrote:
>>> Am I? I'm just saying that I think that a distinction between technical attacks and social engineering attacks is possible and meaningful (even if not everyone would make use of that distinction). That has nothing to do with being hard-nosed, has it?
>>
>> I hate to butt into a discussion, but I would have to agree. I use SpamAssassin and ClamAV, I don't need or want them doing the same job. I've seen this same discussion on the SpamAssassin list where users wanted rules to stop Viruses with SA, and the general response was "No, SA is a spam filter, get ClamAV if you want to stop Viruses"
>
> Please give a full definition of Spam and Malware/Viruses that do not intersect, and will never intersect for all future Spam and Malware such that we can be sure we know what you are requesting.

<rant>
I cannot protect my users from spam or viruses. I do not think any sysadmin can realistically protect the user. I am only interested in protecting my own network. After three years of dealing with spam and viruses I truly believe that the average user would climb a ladder, swing on a rope, drop from a helicopter, all to touch the stovetop and see if it was hot.
</rant>

I believe a virus is a file capable of performing a task not implicitly requested by the user of the destination machine. Whether the user clicks or not is irrelevant, thanks to MS this is taken care of for them. A spam is any email message not requested or desired by the user of the destination machine.

So my point was this, a Virus is a file, in hand, it is here, I have it, I want to know if I should let the destination machine have it. ClamAV scans a file in its possession against a known signature db. Does it match? YES or NO. ClamAV does this very well.

Spam is an email message, it might not be a message the destination machine wants to receive, it might provide access to a payload, it might not. But I don't have the proposed/suspected/feared payload. Should I let the destination machine have the message or not? SA scans a message for known traits, and finding enough known traits, scores the message as spam (in the _opinion_ of the person who weighted those traits). SpamAssassin does this very well.

I believe that is specific enough. YMMV.

> Not one of the Clam developers have proposed adding general spam detection to ClamAV.

I never said the developers were. I only agreed that a distinction between social and technical attacks was meaningful and relevant. My comment on the discussions I have seen on the SA list was simply an example as to the fact that the SA developers see a distinction. Please don't associate me with a group, I don't choose sides. If we (my company, the user) determine that ClamAV needs to gain/lose a feature, we will either offer to pay the developers to implement it, or implement it ourselves and give the code back. We would not argue with developers. I believed the thread was a discussion, I joined the discussion and offered an opinion. That is all.

DAve

-- 
Systems Administrator
http://www.tls.net
Get rid of Unwanted Emails...get TLS Spam Blocker!
Re: [Clamav-users] ClamAV should not try to detect phishing and other social engineering attacks
Bart Silverstrim wrote:
> I find it interesting though that I've yet to hear from anyone commenting on my proposal to create a filter that will extract and convert all emails into pure text, or reformat it so only certain things can get through as an attachment with a pure text message so it would be defanged of scripts, web content, potential scripting exploits, etc...I'm honestly beginning to wonder how hard that would be to make and whether it may be of use for some sites. Draconian, yet it would be extremely handy in stopping the maliciousness of viruses or spam tricks...dynamically rewriting all email to a standard format.

I believe you can do this with Can-It Pro. http://www.roaringpenguin.com/

They're the authors of MIMEDefang. Can-It is their commercial product, and a much more thorough solution.

-- 
Kelson Vibber
SpeedGate Communications
www.speed.net
Re: [Clamav-users] ClamAV should not try to detect phishing and other social engineering attacks
> Thanks, but the point of my question was that I wanted to know whether there are more social engineering signatures in the database than just phishing ones.

Getting back to the somewhat original question, if you download the signatures.pdf from the Clam website, that gives you a general listing of the different classes of various virii/malware naming conventions. That should give you an idea of which parts of the database you may wish to remove.

Matt
RE: [Clamav-users] ClamAV should not try to detect phishing and other social engineering attacks
Ken Jones [EMAIL PROTECTED] wrote:
> Knowing two friends that have responded to phishing emails and what it took afterwards to correct the problem. They would beg you to remove the possibility of this threat.

Bit Fuzzy [EMAIL PROTECTED] wrote:
> I'm sorry, but I personally know 7 people who fell prey to this practice, and I've gotten emails from users thanking us for the addition. Set it up as an option if needed, but as a network administrator, I'd rather be on the safe side and allow them to view the email held if they desire, than to find out that because it got through and put a hard working family into financial turmoil.

If people require machines as desperately as that to prevent themselves from falling for fraud attempts, humanity is truly doomed.

To those of you who argue that ClamAV should detect phishing attacks even though tools like SpamAssassin are designed and inherently better suited for doing that, I'd like to say that you will never really be able to abandon SpamAssassin & Co. anyway. ClamAV will never be able to replace SpamAssassin without becoming SpamAssassin.

Bit Fuzzy [EMAIL PROTECTED] wrote:
> I can't believe this one subject can create such a mess.

I absolutely concur. Considering that exactly _no one_ here demanded that ClamAV abandon its capacity for detecting phishing attacks, little yellow rubber ducks in PNG images, or whatever else, the uproar is truly ludicrous. What was actually requested is that there be an _option_ not to scan for certain classes of malware. No one would be disadvantaged by that.

Oh well, I can only hope that the ClamAV developers won't let themselves be deceived by specious counter-arguments such as "configurability is bad because admins might goof up their config and then be insecure", and will consider adding configurability for what to detect, or making the sig database modular.

Everything else on the topic has been said, I think.
RE: [Clamav-users] ClamAV should not try to detect phishing and other social engineering attacks
Matt [EMAIL PROTECTED] wrote:
>> Thanks, but the point of my question was that I wanted to know whether there are more social engineering signatures in the database than just phishing ones.
>
> Getting back to the somewhat original question, if you download the signatures.pdf from the Clam website, that gives you a general listing of the different classes of various virii/malware naming conventions. That should give you an idea of which parts of the database you may wish to remove.

Thanks for your constructive reply. If you mean section 3.5, unfortunately there is no mention of the Phishing prefix, so obviously this list is not complete. The fact that a Joke prefix (for hoaxes) is also listed there makes me worry how many more supposed malware categories are unconditionally detected by ClamAV which I would not want to be detected as malware...

Also please keep in mind that a modular sig db would relieve ClamAV users from downloading signatures they don't plan on using. Having to remove unwanted sigs yourself requires you to download all existing sigs.
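The "external script that removes user-defined categories from the database" that Matt proposed earlier in the thread, and the question of which name prefixes the database actually contains, as an added example that is not part of the thread and not ClamAV's own code. It assumes the three line formats ClamAV documents for its signature files: `.db` (MalwareName=HexSignature), `.ndb` (MalwareName:TargetType:Offset:HexSignature) and `.hdb` (MD5:FileSize:MalwareName). The sample database lines, their names and their hex bodies are constructed for illustration.

```python
from collections import Counter

# Line formats of the three ClamAV database file types handled here,
# keyed by file extension.  Comment lines start with '#'.
#   db  : MalwareName=HexSignature
#   ndb : MalwareName:TargetType:Offset:HexSignature
#   hdb : MD5:FileSize:MalwareName
def signature_name(line, fmt):
    """Return the malware name carried by one signature line."""
    if fmt == "db":
        return line.split("=", 1)[0]
    if fmt == "ndb":
        return line.split(":", 1)[0]
    if fmt == "hdb":
        return line.split(":", 2)[2]
    raise ValueError("unsupported database format: %r" % fmt)


def category(name):
    """Top-level category of a name: 'HTML' for HTML.Phishing.Bank-12,
    'Joke' for Joke.Example."""
    return name.split(".", 1)[0]


def matches_prefix(name, prefix):
    """True if `prefix` is the name itself or a leading run of its
    dot-separated components, so 'HTML.Phishing' covers
    HTML.Phishing.Bank-12 but not HTML.PhishingLookalike."""
    return name == prefix or name.startswith(prefix + ".")


def census(lines, fmt):
    """Count signatures per top-level category, which answers the
    question of what else besides Phishing sits in the database."""
    counts = Counter()
    for line in lines:
        line = line.rstrip("\n")
        if line and not line.startswith("#"):
            counts[category(signature_name(line, fmt))] += 1
    return counts


def filter_database(lines, fmt, drop_prefixes):
    """Return (kept_lines, dropped_names).  Every signature whose name
    falls under one of drop_prefixes is removed; everything else,
    including comments and blank lines, is kept unchanged."""
    kept, dropped = [], []
    for raw in lines:
        line = raw.rstrip("\n")
        if not line or line.startswith("#"):
            kept.append(line)
            continue
        name = signature_name(line, fmt)
        if any(matches_prefix(name, p) for p in drop_prefixes):
            dropped.append(name)
        else:
            kept.append(line)
    return kept, dropped


# Constructed sample in .ndb format (target type 3 = HTML, 1 = PE,
# 0 = any).  Names and hex bodies are made up for illustration and are
# not copied from a real ClamAV database.
SAMPLE_NDB = [
    "# constructed sample, not a real database",
    "HTML.Phishing.Bank-12:3:*:68747470733a2f2f",
    "Worm.Example.A:1:*:4d5a90000300",
    "Joke.Example:0:*:6a6f6b65",
    "HTML.Exploit.Example:3:*:3c6f626a656374",
]

if __name__ == "__main__":
    print("categories:", dict(census(SAMPLE_NDB, "ndb")))
    kept, dropped = filter_database(SAMPLE_NDB, "ndb", ["HTML.Phishing", "Joke"])
    print("dropped:", dropped)
    for line in kept:
        print(line)
```

The filtered copy has to be regenerated after every freshclam update, and, as the message above points out, you still download the full database to do it. Later ClamAV releases added an ignore list (`.ign2` files, one signature name per line) that skips named signatures at load time, which removes the need for the rewrite step but not the download.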
[Clamav-users] ClamAV should not try to detect phishing and other social engineering attacks
Hi all,

since ClamAV reached v0.80, I am using it to scan and reject e-mail messages. Today I noticed that ClamAV also detects phishing attacks. Phishing is pure social engineering and poses no threat whatsoever in a technical sense. How can I configure ClamAV not to try to detect phishing and other social engineering attacks?
Re: [Clamav-users] ClamAV should not try to detect phishing and other social engineering attacks
Julian Mehnle wrote:
> How can I configure ClamAV not to try to detect phishing and other social engineering attacks?

Why? Your prerogative, obviously, but I am just curious.

Matt
Re: [Clamav-users] ClamAV should not try to detect phishing and other social engineering attacks
On Sun, 14 Nov 2004 13:58:53 +0100 Julian Mehnle [EMAIL PROTECTED] wrote:
> Hi all, since ClamAV reached v0.80, I am using it to scan and reject e-mail messages. Today I noticed that ClamAV also detects phishing attacks. Phishing is pure social engineering and poses no threat whatsoever in a technical sense. How can I configure ClamAV not to try to detect phishing and other social engineering attacks?

Modify your mail scanner to pass HTML.Phishing.* through.

-- 
Tomasz Kojm [EMAIL PROTECTED]
http://www.ClamAV.net/gpg/tkojm.gpg
0DCA5A08407D5288279DB43454822DC8985A444B
Sun Nov 14 14:26:03 CET 2004
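The pass-through Tomasz describes, as an added example that is not part of the thread and not code from ClamAV or from any mail scanner: a small Python policy function that the glue between the MTA and clamd would apply to clamd's one-line result (`stream: OK`, `stream: <name> FOUND`, `stream: <message> ERROR`; clamscan prints the same shape with a path in place of `stream`). The `HTML.Phishing.*` pattern is the one from the reply; the pass-through list, the verdict names and the sample result lines are this example's own assumptions.

```python
import fnmatch
import re

# Detections to let through instead of rejecting the message.  Glob
# patterns over ClamAV signature names; the pattern is the one from the
# reply above, the list itself is this example's own configuration.
PASSTHROUGH = ("HTML.Phishing.*",)

# clamd answers a SCAN or INSTREAM request with a single line:
#   <object>: OK
#   <object>: <signature name> FOUND
#   <object>: <message> ERROR
# clamscan prints the same shape with the file path as <object>.
_RESULT_RE = re.compile(
    r"^(?P<obj>.*?): (?:(?P<detail>.+) )?(?P<status>OK|FOUND|ERROR)$")


def parse_result(line):
    """Split one result line into (status, detail); detail is the
    signature name for FOUND, the error text for ERROR, None for OK."""
    m = _RESULT_RE.match(line.strip())
    if not m:
        raise ValueError("unrecognised scanner result: %r" % line)
    return m.group("status"), m.group("detail")


def is_passthrough(name, patterns=PASSTHROUGH):
    """Case-sensitive glob match; '.' is literal in fnmatch, so
    'HTML.Phishing.*' does not match 'HTMLxPhishing.Foo'."""
    return any(fnmatch.fnmatchcase(name, p) for p in patterns)


def verdict(line, patterns=PASSTHROUGH):
    """Map a result line to 'accept', 'reject' or 'tempfail'.

    A detection whose name matches a pass-through pattern is accepted:
    the mail continues to the spam filter, which is where the thread
    argues social engineering belongs.  A scanner ERROR is a temporary
    failure, never a silent accept, so a broken scanner cannot turn
    into an open door.
    """
    status, detail = parse_result(line)
    if status == "OK":
        return "accept"
    if status == "ERROR":
        return "tempfail"
    if is_passthrough(detail, patterns):
        return "accept"
    return "reject"


# Constructed result lines in clamd's format; the signature names are
# illustrative and not taken from a real database.
SAMPLE_RESULTS = [
    "stream: OK",
    "stream: HTML.Phishing.Bank-12 FOUND",
    "stream: Worm.Example.A FOUND",
    "stream: Size limit exceeded ERROR",
]

if __name__ == "__main__":
    for line in SAMPLE_RESULTS:
        print("%-40s -> %s" % (line, verdict(line)))
```

The decision lives in the glue (a milter, amavisd, MIMEDefang or similar), not in clamd, so the signature database stays complete and the HTML.Phishing.* hit can still be handed to SpamAssassin as a scoring input rather than discarded. Keeping ERROR as a temporary failure matters more than the pass-through itself: an oversized or malformed message must not slip past because the scanner could not look at it.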
RE: [Clamav-users] ClamAV should not try to detect phishing and other social engineering attacks
BitFuzzy [EMAIL PROTECTED] wrote:
> So blocking [social engineering attacks] can only be seen as a good thing.

I disagree, and I already explained why. I don't even request that ClamAV completely stop detecting such stuff, I just request that I have the option of disabling it.
Re: [Clamav-users] ClamAV should not try to detect phishing and other social engineering attacks
This is a "me too". I am ABSOLUTELY in love with ClamAV due to the fact it has gone beyond what most commercial AV players are doing, and is incorporating scanning for phishing and spyware.

If you follow the industry, you will see that most AV vendors are bringing out *separate* products to detect spyware - i.e. they want us the consumers to pay TWICE to gain full protection. I think it's a crock - and I'm glad to see the ClamAV developers do too.

Viruses/trojans/phishing/spyware - it's all rubbish I would rather was not in my end-users' mailboxes.

-- 
Cheers
Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1