RE: [Clamav-users] ClamAV should not try to detect phishing and other social engineering attacks

2004-11-29 Thread Mark Penkower
How do I get clamav to not cc the intended user with the virus notification 
message?

Thanks
Mark Penkower
At 01:51 PM 11/15/2004, you wrote:
Brian Morrison [EMAIL PROTECTED] wrote:
 2) It takes extra work for someone to make the decision, create the
 separate databases etc.
Diego d'Ambra [EMAIL PROTECTED] wrote:
 Julian Mehnle wrote:
  The definition of what _I_ would like ClamAV to detect is:  anything
  that poses a technical threat, no matter whether it also poses a
  social/fraud threat or not.  That's a clear enough criterion, isn't
  it?

 Creating such a system has a dramatic impact on the work needed to
 classify a suspicious sample. These samples often contain weird Java,
 HTML etc. that must be decoded and tested with different software
 versions to ensure no exploit is being triggered and/or harmful content
 installed.
I can't see why discriminating technical attacks from social engineering
attacks would be extra work.  After all, when drafting a signature for a
new attack, a name for the attack has to be chosen.  If you know you're
going to file it as HTML.Phishing.Bank-12, you have already
distinguished between a technical attack and a social engineering one.
If your point is that classifying new attacks can be a difficult task,
well, tough luck, that's how it is.  In order to find a good name for the
attack, you have to do the classifying properly anyway.
So where's the extra work?
And don't tell me creating the database files from the signatures isn't
already a largely automated process. ;-)

NOTICE TO RECIPIENT: This e-mail is meant only for the intended recipient(s) of the transmission, and contains confidential information which is proprietary to Royce & Associates, LLC. Any unauthorized use, copying, distribution, or dissemination is strictly prohibited. All rights to this information are reserved by Royce & Associates, LLC. If you are not the intended recipient, please contact the sender by reply e-mail and please delete this e-mail from your system and destroy any copies.
___
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users


Re: [Clamav-users] ClamAV should not try to detect phishing and other social engineering attacks

2004-11-29 Thread Brian Morrison
On Mon, 29 Nov 2004 13:50:40 -0500 in
[EMAIL PROTECTED] Mark Penkower
[EMAIL PROTECTED] wrote:

  How do I get clamav to not cc the intended user with the virus
  notification message?

ClamAV doesn't do that, it is your MTA that does it.

-- 

Brian Morrison

bdm at fenrir dot org dot uk

GnuPG key ID DE32E5C5 - http://wwwkeys.uk.pgp.net/pgpnet/wwwkeys.html


RE: [Clamav-users] ClamAV should not try to detect phishing and other social engineering attacks

2004-11-29 Thread Nigel Horne
Give the --postmaster-only option to clamav-milter.


-Nigel

On Mon, 2004-11-29 at 18:50, Mark Penkower wrote:
 How do I get clamav to not cc the intended user with the virus notification 
 message?
 
 Thanks
 
 
 Mark Penkower
 
 
 At 01:51 PM 11/15/2004, you wrote:
 Brian Morrison [EMAIL PROTECTED] wrote:
   2) It takes extra work for someone to make the decision, create the
   separate databases etc.
 
 Diego d'Ambra [EMAIL PROTECTED] wrote:
   Julian Mehnle wrote:
The definition of what _I_ would like ClamAV to detect is:  anything
that poses a technical threat, no matter whether it also poses a
social/fraud threat or not.  That's a clear enough criterion, isn't
it?
  
   Creating such a system has a dramatic impact on the work needed to
   classify a suspicious sample. These samples often contain weird Java,
   HTML etc. that must be decoded and tested with different software
   versions to ensure no exploit is being triggered and/or harmful content
   installed.
 
 I can't see why discriminating technical attacks from social engineering
 attacks would be extra work.  After all, when drafting a signature for a
 new attack, a name for the attack has to be chosen.  If you know you're
 going to file it as HTML.Phishing.Bank-12, you have already
 distinguished between a technical attack and a social engineering one.
 
 If your point is that classifying new attacks can be a difficult task,
 well, tough luck, that's how it is.  In order to find a good name for the
 attack, you have to do the classifying properly anyway.
 
 So where's the extra work?
 
 And don't tell me creating the database files from the signatures isn't
 already a largely automated process. ;-)
 
 
 
 



Re: [Clamav-users] ClamAV should not try to detect phishing and other social engineering attacks

2004-11-16 Thread Brian Morrison
On Tue, 16 Nov 2004 01:31:22 +0100 in
[EMAIL PROTECTED] Julian Mehnle
[EMAIL PROTECTED] wrote:

  If people require machines as desperately as that to prevent
  themselves from falling for fraud attempts, humanity is truly doomed.

It always has been. Never mind the quality, feel the *width*.

-- 

Brian Morrison

bdm at fenrir dot org dot uk

GnuPG key ID DE32E5C5 - http://wwwkeys.uk.pgp.net/pgpnet/wwwkeys.html


Re: [Clamav-users] ClamAV should not try to detect phishing and other social engineering attacks

2004-11-16 Thread Tomasz Papszun
On Tue, 16 Nov 2004 at  1:31:22 +0100, Julian Mehnle wrote:
 
 If people require machines as desperately as that to prevent themselves
 from falling for fraud attempts, humanity is truly doomed.
 

It already is ;-) .
Anybody who doubts it can have a look:

http://www.manbottle.com/humor/Further_proof_that_the_human_race_is_doomed.htm

http://www.doheth.co.uk/funny/doomed.php

-- 
 Tomasz Papszun   SysAdm @ TP S.A. Lodz, Poland  | And it's only
 [EMAIL PROTECTED] http://www.lodz.tpsa.pl/iso/ | ones and zeros.
 [EMAIL PROTECTED]   http://www.ClamAV.net/   A GPL virus scanner


RE: [Clamav-users] ClamAV should not try to detect phishing and other social engineering attacks

2004-11-16 Thread jef moskot
On Tue, 16 Nov 2004, Julian Mehnle wrote:
 If people require machines as desperately as that to prevent themselves
 from falling for fraud attempts...

...then they're pretty much behaving in the manner humanity always has and
always will.

 To those of you who argue that ClamAV should detect phishing attacks
 even though tools like SpamAssassin are designed and inherently better
 suited for doing that, I'd like to say that you will never really be
 able to abandon SpamAssassin & Co. anyway.

Again, I don't think that's what the ClamAV team is trying to accomplish
here.  They're just going after the most active phishing threats out
there, not trying to completely prevent your system from any sort of
unwanted e-mail (or even every possible phishing attack).

I understand that you want your users to have the right to screw
themselves, which I understand from a philosophical standpoint, despite
the fact that I think it's terribly silly.  But, you aren't demanding that
everyone else be terribly silly, so I don't see any problem with your
request.  Given the way things have happened in the past, I wouldn't be
surprised if this functionality were quietly added in the next CVS release
while everyone keeps arguing about how many clicks it takes to make
something a virus.

The argument I DON'T think much of is the slippery slope argument,
mostly for this reason...interspersed between all the discussion in this
thread are tons of confirmation messages in my inbox, letting me know that
ClamAV has nailed tons of phishing messages that wouldn't have otherwise
been caught.  Job well done.

There are dozens (hundreds?) of new viruses and trojans added to the
database every week that most of our systems will never see, but no one
complains about the resource hit those are making, because we all know
that on the off-chance we ever get one of these rare beasts, we'd be very
happy ClamAV was there to stop it.

The argument that phishing attacks are a bunch of one-offs that you'll
never see again is not backed up by my data.  The very first anti-phishing
signature added to the database nabbed a few specimens just today.
Maybe in a month they'll be gone forever, but such is the way of worm
flare-ups these days as well.

Despite all the hyperbole, what's really happened here is that a small
amount of work (i.e., a few signatures) has been done that will save a
disproportionately huge amount of headaches in the sys admin community.
There's no point in claiming the sky is falling, just yet, anyway.

I think this is a worthwhile discussion to have, and philosophical ideals
are important, but we should also take a peek at the real world from time
to time as well.

We should be watchful of any drastic turns in ClamAV development, but we
haven't seen any of those yet.

Jeffrey Moskot
System Administrator
[EMAIL PROTECTED]


RE: [Clamav-users] ClamAV should not try to detect phishing and other social engineering attacks

2004-11-16 Thread Ken Jones

 On Tue, 16 Nov 2004, Julian Mehnle wrote:
 If people require machines as desperately as that to prevent themselves
 from falling for fraud attempts...

 ...then they're pretty much behaving in the manner humanity always has and
 always will.

 To those of you who argue that ClamAV should detect phishing attacks
 even though tools like SpamAssassin are designed and inherently better
 suited for doing that, I'd like to say that you will never really be
 able to abandon SpamAssassin & Co. anyway.


Announcing a NEW phishing threat ... this is an excerpt from winXP news ...

how to disable the Windows Scripting Host (WSH) to prevent an insidious
new phishing technique that uses a script to redirect you to a
fraudulent Web site when you log on to do online banking.

So some of the phishing attacks now use scripts 


--
Ken Jones
[EMAIL PROTECTED]




RE: [Clamav-users] ClamAV should not try to detect phishing and other social engineering attacks

2004-11-15 Thread Julian Mehnle
Matt [EMAIL PROTECTED] wrote:
 Trog wrote:
  I'm not trying to scare you away, I really don't care what you do.
 
  I've told you how you can easily do what you want, using ClamAV.

  As Trog has already mentioned, you can simply remove the phishing
 signatures from the database. This is not trying to scare you away. It
 is a simple workaround to your specific needs at this moment.

  Or, as Tomasz and I have both mentioned, you can easily bypass this in
 your filtering software.

  This discussion is not a vendetta against the idea, but everyone is
 entitled to their own opinion, so it is of no use getting touchy when
 someone offers alternative advice, or a personal opinion.

Pardon me, Trog offered me two options, of which "use another product"
was the first.  If that isn't scaring me away for you, then I don't know
what is.

I just explained why Tomasz' suggestion is suboptimal in another message
of mine.

I might be able to remove the signatures I don't want, but I would still
have to know if there is an authoritative hierarchy of signature names
from which I can see what hierarchy branches ('HTML.Phishing.*', etc.) I
would have to remove.  Is there one?

But I think this is overly complicated.  Maybe it would be better for the
official ClamAV signature databases to be modular, i.e. have one for
technical attacks and one for social engineering attacks.  That way people
who only use one of them wouldn't have to download both.



Re: [Clamav-users] ClamAV should not try to detect phishing and other social engineering attacks

2004-11-15 Thread Matt
Julian Mehnle wrote:

 Pardon me, Trog offered me two options, of which "use another product"
 was the first.  If that isn't scaring me away for you, then I don't know
 what is.

 That was just another alternative :)

 I might be able to remove the signatures I don't want, but I would still
 have to know if there is an authoritative hierarchy of signature names
 from which I can see what hierarchy branches ('HTML.Phishing.*', etc.)
 I would have to remove.  Is there one?

sigtool -l | egrep '\.Phishing\.'

 That will show you all the phishing signatures in the database.

Matt


Re: [Clamav-users] ClamAV should not try to detect phishing and other social engineering attacks

2004-11-15 Thread Tomasz Kojm
On Mon, 15 Nov 2004 16:02:03 +0100
Julian Mehnle [EMAIL PROTECTED] wrote:

 Matt [EMAIL PROTECTED] wrote:
  Julian Mehnle wrote:
   I might be able to remove the signatures I don't want, but I would
   still have to know if there is an authoritative hierarchy of
   signature names from which I can see what hierarchy branches
   ('HTML.Phishing.*', etc.) I would have to remove.  Is there one?
 
  sigtool -l | egrep '\.Phishing\.'
 
  That will show you all the phishing signatures in the database.
 
 Thanks, but the point of my question was that I wanted to know whether
 there are more social engineering signatures in the database than
 just phishing ones.

Yes, there are. E.g. HTML.Mydoom.email-gen-1 and others...

-- 
   oo. Tomasz Kojm [EMAIL PROTECTED]
  (\/)\. http://www.ClamAV.net/gpg/tkojm.gpg
 \..._ 0DCA5A08407D5288279DB43454822DC8985A444B
   //\   /\  Mon Nov 15 16:05:05 CET 2004




RE: [Clamav-users] ClamAV should not try to detect phishing and other social engineering attacks

2004-11-15 Thread Julian Mehnle
Tomasz Kojm [EMAIL PROTECTED] wrote:
 Julian Mehnle [EMAIL PROTECTED] wrote:
  Thanks, but the point of my question was that I wanted to know whether
  there are more social engineering signatures in the database than
  just phishing ones.

 Yes, there are. E.g. HTML.Mydoom.email-gen-1 and others...

Just why is it that I can't get rid of the feeling that I'm not wanted
here...  Of course I meant signatures for pure social engineering with no
technical threat component.



Re: [Clamav-users] ClamAV should not try to detect phishing and other social engineering attacks

2004-11-15 Thread Matt
Julian Mehnle wrote:

   Thanks, but the point of my question was that I wanted to know
   whether there are more social engineering signatures in the
   database than just phishing ones.

 Apologies. I misinterpreted that question.

  Yes, there are. E.g. HTML.Mydoom.email-gen-1 and others...
 
 Just why is it that I can't get rid of the feeling that I'm not wanted
 here...  Of course I meant signatures for pure social engineering with
 no technical threat component.


 Glad to know I'm not the only paranoid on the list :)

 The problem is that, as yourself and others have mentioned, the
distinction between the different categories is dependent upon personal
interpretation. What one classes as social engineering, someone else may
class as, for example, malware. Even though they can technically be the
same thing, perceptions vary, thereby making it a nigh on impossible
question to answer.

Matt


Re: [Clamav-users] ClamAV should not try to detect phishing and other social engineering attacks

2004-11-15 Thread Dave Goodrich
Julian Mehnle wrote:
Dennis Skinner [EMAIL PROTECTED] wrote:
Julian Mehnle wrote:
Besides, if mail servers started using SPF (or similar authentication
techniques) to verify envelope sender addresses, whoever publishes SPF
records for his domains would be
Not to start another flame war, but I find it interesting that you take
such a hard-nosed approach to what is and is not technically a virus,

Am I?  I'm just saying that I think that a distinction between technical
attacks and social engineering attacks is possible and meaningful (even if
not everyone would make use of that distinction).  That has nothing to do
with being hard-nosed, has it?
I hate to butt into a discussion, but I would have to agree. I use
SpamAssassin and ClamAV, I don't need or want them doing the same job.
I've seen this same discussion on the SpamAssassin list where users
wanted rules to stop Viruses with SA, and the general response was "No,
SA is a spam filter, get ClamAV if you want to stop Viruses".

DAve

--
Systems Administrator
http://www.tls.net
Get rid of Unwanted Emails...get TLS Spam Blocker!


RE: [Clamav-users] ClamAV should not try to detect phishing and other social engineering attacks

2004-11-15 Thread Julian Mehnle
Matt [EMAIL PROTECTED] wrote:
 The problem is that, as yourself and others have mentioned, the
 distinction between the different categories is dependent upon personal
 interpretation. What one classes as social engineering, someone else may
 class as, for example, malware. Even though they can technically be the
 same thing, perceptions vary, thereby making it a nigh on impossible
 question to answer.

Following that logic, any distinction between spam and malware would be
artificial, too.  Sorry, but I don't subscribe to this sort of nihilism.
;-)

I have not tried to make a distinction between social engineering and
malware.  Those are orthogonal concepts.  But there definitely is a
distinction between technical attacks and social engineering attacks, even
though they're somewhat overlapping.



Re: [Clamav-users] ClamAV should not try to detect phishing and other social engineering attacks

2004-11-15 Thread Brian Morrison
On Mon, 15 Nov 2004 17:48:35 +0100 in
[EMAIL PROTECTED] Julian Mehnle
[EMAIL PROTECTED] wrote:

  But there definitely is a distinction between technical attacks and
  social engineering attacks, even though they're somewhat overlapping.

I can't see logically how things that are distinct can also be
overlapping. Is that really the description you want to use?

-- 

Brian Morrison

bdm at fenrir dot org dot uk

GnuPG key ID DE32E5C5 - http://wwwkeys.uk.pgp.net/pgpnet/wwwkeys.html


Re: [Clamav-users] ClamAV should not try to detect phishing and other social engineering attacks

2004-11-15 Thread Brian Morrison
On Mon, 15 Nov 2004 17:53:31 +0100 in
[EMAIL PROTECTED] Julian Mehnle
[EMAIL PROTECTED] wrote:

 Trog [EMAIL PROTECTED] wrote:
  Please give a full definition of Spam and Malware/Viruses that do
  not intersect, and will never intersect for all future Spam and
  Malware such that we can be sure we know what you are requesting.
 
 The definition of what _I_ would like ClamAV to detect is:  anything
 that poses a technical threat, no matter whether it also poses a
 social/fraud threat or not.  That's a clear enough criterion, isn't
 it?

That depends on your definition of 'technical' doesn't it?

-- 

Brian Morrison

bdm at fenrir dot org dot uk

GnuPG key ID DE32E5C5 - http://wwwkeys.uk.pgp.net/pgpnet/wwwkeys.html


RE: [Clamav-users] ClamAV should not try to detect phishing and other social engineering attacks

2004-11-15 Thread Trog
On Mon, 2004-11-15 at 16:53, Julian Mehnle wrote:
 Trog [EMAIL PROTECTED] wrote:
  Please give a full definition of Spam and Malware/Viruses that do not
  intersect, and will never intersect for all future Spam and Malware such
  that we can be sure we know what you are requesting.
 
 The definition of what _I_ would like ClamAV to detect is:  anything that
 poses a technical threat, no matter whether it also poses a social/fraud
 threat or not.  That's a clear enough criterion, isn't it?

And that's fine. It's not what I asked for, but that's ok too.

So, you can now go and put the effort in to achieving your
requirements. Let us know how you get on.

-trog





RE: [Clamav-users] ClamAV should not try to detect phishing and other social engineering attacks

2004-11-15 Thread Julian Mehnle
Brian Morrison [EMAIL PROTECTED] wrote:
 What I am suggesting is that, because you appear to have a requirement
 that is significantly different from nearly everyone else that has
 responded in this thread,

(I don't think you're judging the proportions correctly.)

 you are in the best position to roll your own solution rather than
 suggesting that ClamAV is changed to accommodate your requirement.
 [...]
 I find it really hard to understand why you want to do it as well, I
 find that ClamAV kills the obvious signature-based phishing attacks and
 SA spots those that ClamAV doesn't. Two lines of defence is fine by me.

What I don't understand is that no one seems to be willing to discuss my
proposal of making the signature database modular, i.e. offer social
engineering attack signatures separately from technical attack ones for
download and installation.  That would solve my and others' problem
nicely, and would take _nothing_ away from those who don't care what
ClamAV detects.



Re: [Clamav-users] ClamAV should not try to detect phishing and other social engineering attacks

2004-11-15 Thread Bart Silverstrim
On Nov 15, 2004, at 11:48 AM, Julian Mehnle wrote:
 Matt [EMAIL PROTECTED] wrote:
  The problem is that, as yourself and others have mentioned, the
  distinction between the different categories is dependent upon personal
  interpretation. What one classes as social engineering, someone else may
  class as, for example, malware. Even though they can technically be the
  same thing, perceptions vary, thereby making it a nigh on impossible
  question to answer.

 Following that logic, any distinction between spam and malware would be
 artificial, too.  Sorry, but I don't subscribe to this sort of nihilism.
 ;-)

Because there is still a difference...commonly accepted definitions are
watering them down though :-)

Malware...bad software with bad intentions.
I think the line is pretty easy to find between viruses/worms and
trojans and spam/UCE/UBE and social engineering attacks.  The lines
blur as they start using each other to their own advantage (viruses
spreading spam from infected machines, for example) but it's clear
enough that the actual virus or worm is the executable code or script,
while the "click here for amazing rates!" is simply spam, and the
techniques for fighting spam can be quite different from those used to
stop an infectious file attachment.

 I have not tried to make a distinction between social engineering and
 malware.  Those are orthogonal concepts.  But there definitely is a
 distinction between technical attacks and social engineering attacks,
 even though they're somewhat overlapping.

Very correct.  There's a difference between me taking your wallet and me
telling you about a wonderful investment opportunity where you can
double...no...triple your money in two weeks!

If it takes advantage of a bug in the OS or contains executable code or
scripts that carry the intention of infecting...spreading/running without
the user's knowledge...then I would think it's Clam's job to stop it.  If
it's someone trying to triple my money or beg for a place to hide a
billion dollars while the sender's government falls, it's SA's job to
stop it.  If I wanted overlap, I'd install multiple spam filters and
multiple virus filters, I don't need multiple spirus filters to try to
diagnose and maintain :-)

-Bart


Re: [Clamav-users] ClamAV should not try to detect phishing and other social engineering attacks

2004-11-15 Thread Bart Silverstrim
On Nov 15, 2004, at 11:48 AM, Trog wrote:
 Not one of the Clam developers have proposed adding general spam
 detection to ClamAV.

You're right.  This was an idea being proposed, I thought...a suggestion.
Isn't this something worth going over on a users list as discussion?

Sorry if not... :-/
-Bart


RE: [Clamav-users] ClamAV should not try to detect phishing and other social engineering attacks

2004-11-15 Thread Julian Mehnle
Trog [EMAIL PROTECTED] wrote:
 What you don't seem to understand is that the distinction between
 technical attacks and social engineering attacks is irrelevant, because
 thats not what *any* anti-virus product has as a requirement.

So now you're declaring _my_ requirements irrelevant.  I'm not surprised.

 If you want to impose your own requirements, then *you* will have to put
 in the work to fulfil them.

So where do you take it from that I would not be willing to do so?  I am
just trying to find a solution that can be incorporated in the official
ClamAV distribution so that not just me (and it's not just me who has that
requirement, read some other postings) can benefit from it.

 The rest of us don't much care.

Speak only for yourself. :-)



Re: [Clamav-users] ClamAV should not try to detect phishing and other social engineering attacks

2004-11-15 Thread Bart Silverstrim
On Nov 15, 2004, at 11:54 AM, Brian Morrison wrote:
 On Mon, 15 Nov 2004 17:48:35 +0100 in
 [EMAIL PROTECTED] Julian Mehnle
 [EMAIL PROTECTED] wrote:
  But there definitely is a distinction between technical attacks and
  social engineering attacks, even though they're somewhat overlapping.
 I can't see logically how things that are distinct can also be
 overlapping. Is that really the description you want to use?

You get a mail...

If it has an attachment that will run in the background on your computer
for the express reason of propagating itself, it's for clam.

If it has an attachment that will spread to other computers to cause
harm, it's for clam.

If it was sent to you by a worm with itself as a payload, it's for clam.

If viewing the message takes advantage of an OS bug to alter the
computer without your knowledge, it's for clam.

If it's a bunch of flashy graphics telling you to visit a website for
fantastic deals on hiding money from third world countries while getting
fantastic mortgage rates on your pen1s enlargement ointment, it's for a
spam filter.

If it only does harm if you follow a link and then consciously give your
account information, be it ebay or bank or paypal, to a third party
site, it's for the spam filter.

howzat? :-)
-Bart


RE: [Clamav-users] ClamAV should not try to detect phishing and other social engineering attacks

2004-11-15 Thread Julian Mehnle
Brian Morrison [EMAIL PROTECTED] wrote:
 Julian Mehnle [EMAIL PROTECTED] wrote:
  Trog [EMAIL PROTECTED] wrote:
   Please give a full definition of Spam and Malware/Viruses that do
   not intersect, and will never intersect for all future Spam and
   Malware such that we can be sure we know what you are requesting.
 
  The definition of what _I_ would like ClamAV to detect is:  anything
  that poses a technical threat, no matter whether it also poses a
  social/fraud threat or not.  That's a clear enough criterion, isn't
  it?

 That depends on your definition of 'technical' doesn't it?

technical := affecting the technical systems involved in storing and
transporting the data items subject to being scanned by ClamAV.

technical threat := (go figure...)



Re: [Clamav-users] ClamAV should not try to detect phishing and other social engineering attacks

2004-11-15 Thread Chris Meadors
On Mon, 2004-11-15 at 12:12 -0500, Bart Silverstrim wrote:

 If it's a bunch of flashy graphics telling you to visit a website for 
 fantastic deals on hiding money from third world countries while 
 getting fantastic mortgage rates on your pen1s enlargement ointment, 
 it's for a spam filter.
 
 If it only does harm if you follow a link and then consciously give 
 your account information, be it ebay or bank or paypal, to a third 
 party site, it's for the spam filter.
 
 howzat? :-)

How about an e-mail that contains a link that takes one to a webpage
that exploits the web browser to install a program that will intercept
the account information the next time the actual site is visited?



RE: [Clamav-users] ClamAV should not try to detect phishing and other social engineering attacks

2004-11-15 Thread Daniel J McDonald
On Mon, 2004-11-15 at 18:00 +0100, Julian Mehnle wrote: 
 Brian Morrison [EMAIL PROTECTED] wrote:
  What I am suggesting is that, because you appear to have a requirement
  that is significantly different from nearly everyone else that has
  responded in this thread,

 What I don't understand is that no one seems to be willing to discuss my
 proposal of making the signature database modular, i.e. offer social
 engineering attack signatures separately from technical attack ones for
 download and installation.  That would solve my and others' problem
 nicely, and would take _nothing_ away from those who don't care what
 ClamAV detects.

Ah, then we would have all manner of classifications - is it social?  Is
it Adware?  Is it a trojan?  Does it promulgate via IRC?  or ...?

But then the signature writers would have to tag all of the viruses, and
decide which of the 47 classes (or multiple, semi-overlapping classes)
to split them all into, instead of slamming out a sig to catch the
latest mail worm that just killed your network.

And, that would require a new format for the signatures - starting off
by classifying all 28K legacy signatures, creating a new format that
allows people to select the classes they want, going through a 2-month
beta period and probably a one-year upgrade period where they have to
maintain two distinct formats...

And the reason for this effort?  So you can report e-mail as spam?
Because you have sophisticated users who like poking fun at phishers?
Doesn't sound like a useful or simple solution to me.  And don't you
think there are other people with unprotected boxes who will get the
phishes and report them?  Or are you the key to the spamcop network, and
without your input the system will collapse?

clamav kills bad things - that's good, and I'd like it to be able to
continue to kill bad things in the same expedient manner that it has in
the past.

-- 
Daniel J McDonald, CCIE # 2495, CNX
Austin Energy

[EMAIL PROTECTED]



Re: [Clamav-users] ClamAV should not try to detect phishing and other social engineering attacks

2004-11-15 Thread Dennis Skinner
Julian Mehnle wrote:
technical := affecting the technical systems involved in storing and
transporting the data items subject to being scanned by ClamAV.
technical threat := (go figure...)
Would that include viruses that require action on the part of the 
recipient?  Included in password protected zips?  What is the difference 
between tricking a person into opening a password protected zip (which 
is not dangerous in its delivered form) and tricking a user into 
clicking a link that takes them to the virus?

How little user interaction is required before it is considered 
technical enough?  Require the user to open the attachment?  Require 
the user to pop their mail?

Technically, most viruses these days are social engineered in some way. 
 Unlike the boot sector viruses that seem to have gone the way of 
the floppy disc.

Given the new push for integration between the internet and local 
computers, limiting an AV scanner to only protecting against viruses 
physically included in an email is a bit short-sighted in my opinion. 
It's getting to the point where users are unable to distinguish between 
what is remote and local content.

--
Dennis Skinner
Systems Administrator
BlueFrog Internet
http://www.bluefrog.com
She calls it stick season, this slow disrobing of summer, leaf by 
leaf, till the bores of tall trees rattle and scrape in the wind.  - 
Eric Pinder


Re: [Clamav-users] ClamAV should not try to detect phishing and other social engineering attacks

2004-11-15 Thread Bart Silverstrim
On Nov 15, 2004, at 12:25 PM, Chris Meadors wrote:
On Mon, 2004-11-15 at 12:12 -0500, Bart Silverstrim wrote:
If it's a bunch of flashy graphics telling you to visit a website for
fantastic deals on hiding money from third world countries while
getting fantastic mortgage rates on your pen1s enlargement ointment,
it's for a spam filter.
If it only does harm if you follow a link and then consciously give
your account information, be it ebay or bank or paypal, to a third
party site, it's for the spam filter.
howzat? :-)
How about an e-mail that contains a link that takes one to a webpage
that exploits the web browser to install a program that will intercept
the account information the next time the actual site is visited?
Hmm...if it is scripted so no user intervention is necessary for it to 
run, it's an executable script, so it's clam.

If it is something like "click here to see Anna Kournakova NUDE!" and 
is just a plain URL, no exploit, then it's spam.

Otherwise, you're talking about something that makes just as much sense 
to integrate Clam into Squid to scan all traffic streaming through the 
web proxy...keep users from being able to view this site, it contains 
harmful code for their computer!  Actually if this is a threat, maybe 
more work should be put into making the file-access-scanner daemon more 
stable and keeping definitions on the users Windows machine updated for 
their Windows AV scanner.

The actual harm to the computer in your example still came from the 
user doing something beyond reasonable safety...being duped into going 
to a website.  The mail itself was harmless.  The bug should be patched 
in the browser so it shouldn't happen.  The program getting on the 
system is no different from any other spyware vector installation.



Re: [Clamav-users] ClamAV should not try to detect phishing and other social engineering attacks

2004-11-15 Thread Bart Silverstrim
On Nov 15, 2004, at 12:29 PM, Daniel J McDonald wrote:
clamav kills bad things - that's good, and I'd like it to be able to
continue to kill bad things in the same expedient manner that it has in
the past.
That's not entirely true.  There are people who installed it on Windows 
and Windows still booted afterwards.

:-)
-Bart


RE: [Clamav-users] ClamAV should not try to detect phishing and other social engineering attacks

2004-11-15 Thread Julian Mehnle
Chris Meadors [EMAIL PROTECTED] wrote:
 How about an e-mail that contains a link that takes one to a webpage
 that exploits the web browser to install a program that will intercept
 the account information the next time the actual site is visited?

That's social engineering.

I know some of you would like that to be detected, but still it is not
directly a technical threat but simply social engineering.

But I'm not even saying ClamAV shouldn't have the capacity to detect that,
I'm just saying I would like to have some option to disable it for my
setup.



Re: [Clamav-users] ClamAV should not try to detect phishing and other social engineering attacks

2004-11-15 Thread Matt
Julian Mehnle wrote:

 The definition of what _I_ would like ClamAV to detect is:  anything
 that poses a technical thread, no matter whether it also poses a
 social/fraud threat or not.  That's a clear enough criterion, isn't it?


 Again, that can be interpreted in different ways :) What is a technical
threat?

1) Something which causes damage on the destination machine?

2) Something which pops up an annoying, but otherwise harmless message?

3) Something which replicates and just uses some of your bandwidth to
   propagate?

4) Something which prompts a luser to click on a weblink, and download a
   programme which, theoretically, has then bypassed segments of your
   filtering?

 This not meant as tardiness, but just to point out that the distinction
is so blurry. Add to that personal and differing technical concepts and
opinions, and the definition again changes. At the end of the day, the
developers design it as they see fit. (Thanks for the software, chaps).

 If the standard database was segregated, some people would inevitably
cock up their configs and run with partial protection. This can cause
problems not only for themselves, but others, in the case of propagation.

 There is also the fact, and I am sure that I am not alone, in being very
draconian. You control the machines, the users get what they are given :)


 A better proposition to your predicament would probably be to write an
external programme/script which can remove user defined criterion from the
database, thereby allowing for personal customisation. This would allow
the standard database to cover everything as it does already. The benefit
being that someone who does know enough about their requirements to then
remove specific portions would not then be shooting themselves in the
foot.

Matt





Re: [Clamav-users] ClamAV should not try to detect phishing and other social engineering attacks

2004-11-15 Thread Bart Silverstrim
On Nov 15, 2004, at 12:32 PM, Dennis Skinner wrote:
How little user interaction is required before it is considered 
technical enough?  Require the user to open the attachment?  Require 
the user to pop their mail?

Technically, most viruses these days are social engineered in some 
way.  Unlike the boot sector viruses that seem to have gone the 
way of the floppy disc.

Given the new push for integration between the internet and local 
computers, limiting an AV scanner to only protecting against viruses 
physically included in an email is a bit short-sighted in my opinion. 
It's getting to the point where users are unable to distinguish 
between what is remote and local content.
Well...how about this counterproposal...
Let's make ClamAV into a filter that takes ALL mail, strips HTML, 
converts it into plain text, and strips all scripting out of the 
message whatsoever, as well as attachments?  It could move them to a 
configured mail website where you click a link that Clam inserts into 
the mail message (plain old URL) if you're interested in getting it, 
and you can browse whatever graphics or attachments were meant for that 
message and were instead stripped?  Of course this would mean setting 
up a web server and database server, but those tools exist already.  
This way it doesn't matter what new threat comes out, your mail is 
already defanged, demangled, demimed and sanitized for the user's 
protection!  It could protect from click traps, malware attachments, 
script exploits...users just lose their dancing icons and pretty pretty 
backgrounds.  It could also make previously hidden text visible from 
spam.

On one hand, it's sarcastic as heck.  On the other, it might not be a 
bad idea.

-Bart


Re: [Clamav-users] ClamAV should not try to detect phishing and other social engineering attacks

2004-11-15 Thread Bart Silverstrim
On Nov 15, 2004, at 12:43 PM, Matt wrote:
 If the standard database was segregated, some people would inevitably
cock up their configs and run with partial protection. This can cause
problems not only for themselves, but others, in the case of propagation.
Whitelist all traffic you want to allow! Mail servers, web 
sites...there must be a way.  After reading how Lexmark is apparently 
having their *drivers* phone home, and the number of emails from 
spammers that may link to pages where users happily click away their 
life savings and...there's just getting to be too much.  It is 
getting utterly hopeless to have some kind of order arise from the 
UBE/UCE/Spam/Spim/trojan/virus/worm/scammer/ad content/spyware/etc. 
muck and mire we're currently dealing with.

I need a new career :-(
 There is also the fact, and I am sure that I am not alone, in being very
draconian. You control the machines, the users get what they are given :)
This is why UNIX had the modular black box model, as I recall...take 
the app, make it focus on its task, and if you need other 
functionality, it was done in another app.  Chain together.  Repeat as 
necessary.

Some...many...ISPs would want a scoring system for spam so users can 
have an opportunity to filter themselves or decide their tolerance and 
training levels.

Others, like my school, need to make decisions FOR everyone because 
there's too many users that just don't take the time to learn how to 
use it.  We have too much user turnover and it's impractical with our 
human resources to keep people up to speed when they really don't give 
a hoot about such things.

Some people don't like their messages being filtered at all...they 
prefer it done by themselves at the desktop.  Some people combine it, 
some at the server, some at the desktop.

The modular model makes all these possible with ClamAV without ClamAV 
being twisted or bent to fit.  It plugs in and does its job, nothing 
more nothing less.



RE: [Clamav-users] ClamAV should not try to detect phishing and other social engineering attacks

2004-11-15 Thread Julian Mehnle
Dennis Skinner [EMAIL PROTECTED] wrote:
 Julian Mehnle wrote:
  technical := affecting the technical systems involved in storing
  and transporting the data items subject to being scanned by ClamAV.
 
  technical threat := (go figure...)

 Would that include viruses that require action on the part of the
 recipient?  Included in password protected zips?  What is the difference
 between tricking a person into opening a password protected zip (which
 is not dangerous in its delivered form) and tricking a user into
 clicking a link that takes them to the virus?

Counter question:  What do the following have in common: 1. tricking a
user into clicking a link that takes him to a virus, and 2. tricking a
user into clicking a link that takes him to a web page that tricks him
into clicking on a link that takes him to the virus?

Answer:  It's not ClamAV's responsibility to protect the user from
immediate threats that are outside of its sphere of action.

This problem shouldn't be decided from an end-user's point of view.  If
_that_ were the criterion, ClamAV should also prevent the wrong device
drivers from being installed on my PC.

ClamAV could block a lot of stuff that somehow could put the user in
danger, but that would be an endless undertaking.  Besides, the more
indirect the threat gets, the more people will disagree on its
dangerousness.

ClamAV should be responsible for detecting objects that are immediately
dangerous to the user (executables, JPEG exploits, etc.).  The user's web
browser is responsible not to allow untrusted objects from web pages to be
executed.  Those objects don't go through ClamAV as an e-mail scanner, and
thus ClamAV as an e-mail scanner should not deploy measures to keep the
user from getting in those objects' vicinity.



RE: [Clamav-users] ClamAV should not try to detect phishing and other social engineering attacks

2004-11-15 Thread Julian Mehnle
Hanford, Seth [EMAIL PROTECTED] wrote:
 I agree with Julian that Clam does not seem the logical solution to Spam
 messages.

Please note that I have never talked about ClamAV unwantedly detecting
_spam_.  I just talked about social engineering in general and about
phishing in particular.



Re: [Clamav-users] ClamAV should not try to detect phishing and other social engineering attacks

2004-11-15 Thread Dennis Skinner
Julian Mehnle wrote:
Counter question:  What do the following have in common: 1. tricking a
user into clicking a link that takes him to a virus, and 2. tricking a
user into clicking a link that takes him to a web page that tricks him
into clicking on a link that takes him to the virus?
Answer:  It's not ClamAV's responsibility to protect the user from
immediate threats that are outside of its sphere of action.
And a password protected zipped virus could be considered outside 
ClamAV's sphere too.  We should not block those because it would be the 
job of the unzip program to protect the user, right?

Oh wait!  Don't catch doc macro viruses because that is MSWord's job to 
protect the user.

I think your slope is just as slippery as mine :)
--
Dennis Skinner
Systems Administrator
BlueFrog Internet
http://www.bluefrog.com
Fall is my favorite season in Los Angeles, watching the birds change 
color and fall from the trees.  - David Letterman


RE: [Clamav-users] ClamAV should not try to detect phishing and other social engineering attacks

2004-11-15 Thread Julian Mehnle
Dennis Skinner [EMAIL PROTECTED] wrote:
 Julian Mehnle wrote:
  Counter question:  What do the following have in common: 1. tricking a
  user into clicking a link that takes him to a virus, and 2. tricking a
  user into clicking a link that takes him to a web page that tricks him
  into clicking on a link that takes him to the virus?
 
  Answer:  It's not ClamAV's responsibility to protect the user from
  immediate threats that are outside of its sphere of action.

 And a password protected zipped virus could be considered outside
 ClamAV's sphere too.  We should not block those because it would be the
 job of the unzip program to protect the user, right?

No, because the unzip program can't ever be expected to provide reasonable
protection, plus it is just acting as a component of ClamAV, plus the user
never operates the unzip program directly.

E-Mail virus scanners can reasonably be expected to scan e-mails for
malware, web browsers can reasonably be expected to prevent users from
executing code from unknown websites.  What those two have in common is
that they are responsible for not letting dangerous objects onto the
user's system.

 Oh wait!  Don't catch doc macro viruses because that is MSWord's job to
 protect the user.

No, because then, the dangerous object already _is_ on the user's system.
Current versions of Microsoft Word do warn the user before executing
untrusted macros, but it is still not really Word's responsibility.

Microsoft probably decided to build protection against untrusted macros
into Word for the same reason some ClamAV fans want to have phishing
protection in ClamAV: because they want to accommodate ignorant users and
are willing to do nearly all they can to protect them from possible
dangers.

One could consider this a good thing, but it leads to a world where every
software tries to do everything security-wise, and even if someone wanted
to disable a certain security measure, he can't because ten other programs
will take over the job and offer their protection instead.

Good software needs to have a somewhat clear definition of what it is
responsible to do and what not, so the "I take every protection I can get"
argument doesn't hold.

 I think your slope is just as slippery as mine :)

I don't think so. :-)



Re: [Clamav-users] ClamAV should not try to detect phishing and other social engineering attacks

2004-11-15 Thread Dave Goodrich
Trog wrote:
On Mon, 2004-11-15 at 16:39, Dave Goodrich wrote:
Julian Mehnle wrote:
Am I?  I'm just saying that I think that a distinction between technical
attacks and social engineering attacks is possible and meaningful (even if
not everyone would make use of that distinction).  That has nothing to do
with being hard-nosed, has it?
I hate to butt into a discussion, but I would have to agree. I use 
SpamAssassin and ClamAV, I don't need or want them doing the same job. 
I've seen this same discussion on the SpamAssassin list where users 
wanted rules to stop Viruses with SA, and the general response was "No, 
SA is a spam filter, get ClamAV if you want to stop Viruses"

Please give a full definition of Spam and Malware/Viruses that do not
intersect, and will never intersect for all future Spam and Malware such
that we can be sure we know what you are requesting.
<rant>
I cannot protect my users from spam or viruses. I do not think any 
sysadmin can realistically protect the user. I am only interested in 
protecting my own network. After three years of dealing with spam and 
viruses I truly believe that the average user would climb a ladder, 
swing on a rope, drop from a helicopter, all to touch the stovetop and 
see if it was hot.
</rant>

I believe a virus is a file capable of performing a task not implicitly 
requested by the user of the destination machine. Whether the user 
clicks or not is irrelevant, thanks to MS this is taken care of for them.

A spam is any email message not requested or desired by the user of the 
destination machine.

So my point was this, a Virus is a file, in hand, it is here, I have it, 
I want to know if I should let the destination machine have it. ClamAV 
scans a file in its possession against a known signature db. Does it 
match? YES or NO. ClamAV does this very well.

Spam is an email message, it might not be a message the destination 
machine wants to receive, it might provide access to a payload, it might 
not. But I don't have the proposed/suspected/feared payload. Should I 
let the destination machine have the message or not? SA scans a message 
for known traits, and finding enough known traits, scores the message as 
spam (in the _opinion_ of the person who weighted those traits). 
SpamAssassin does this very well.

I believe that is specific enough. YMMV.
Not one of the Clam developers have proposed adding general spam
detection to ClamAV.
I never said the developers were. I only agreed that a distinction 
between social and technical attacks was meaningful and relevant. My 
comment on the discussions I have seen on the SA list were simply an 
example as to the fact that the SA developers see a distinction.

Please don't associate me with a group, I don't choose sides. If we (my 
company, the user) determine that ClamAV needs to gain/lose a feature, 
we will either offer to pay the developers to implement it, or implement 
it ourselves and give the code back. We would not argue with developers.

I believed the thread was a discussion, I joined the discussion and 
offered an opinion. That is all.

DAve
--
Systems Administrator
http://www.tls.net
Get rid of Unwanted Emails...get TLS Spam Blocker!


Re: [Clamav-users] ClamAV should not try to detect phishing and other social engineering attacks

2004-11-15 Thread Kelson
Bart Silverstrim wrote:
I find it interesting though that I've yet to hear from anyone 
commenting on my proposal to create a filter that will extract and 
convert all emails into pure text, or reformat it so only certain things 
can get through as an attachment with a pure text message so it would be 
defanged of scripts, web content, potential scripting exploits, 
etc...I'm honestly beginning to wonder how hard that would be to make 
and whether it may be of use for some sites.  Draconian, yet it would be 
extremely handy in stopping the maliciousness of viruses or spam 
tricks...dynamically rewriting all email to a standard format.
I believe you can do this with Can-It Pro. http://www.roaringpenguin.com/
They're the authors of MIMEDefang.  Can-It is their commercial product, 
and a much more thorough solution.

--
Kelson Vibber
SpeedGate Communications www.speed.net


Re: [Clamav-users] ClamAV should not try to detect phishing and other social engineering attacks

2004-11-15 Thread Matt

Thanks, but the point of my question was that I wanted to know
whether there are more social engineering signatures in the
database than just phishing ones.


 Getting back to the somewhat original question, if you download the
signatures.pdf from the Clam website, that gives you a general listing of
the different classes of various virii/malware naming conventions. That
should give you an idea of which parts of the database you may wish to
remove.

Matt


RE: [Clamav-users] ClamAV should not try to detect phishing and other social engineering attacks

2004-11-15 Thread Julian Mehnle
Ken Jones [EMAIL PROTECTED] wrote:
 Knowing two friends that have responded to phishing emails and what it
 took afterwards to correct the problem... they would beg you to
 remove the possibility of this threat.

Bit Fuzzy [EMAIL PROTECTED] wrote:
 I'm sorry, but I personally know 7 people who fell prey to this
 practice, and I've gotten emails from users thanking us for the
 addition.

 Set it up as an option if needed, but as a network administrator, I'd
 rather be on the safe side and allow them to view the email held if they
 desire, than to find out that because it got through and put a hard
 working family into financial turmoil.

If people require machines as desperately as that to prevent themselves
from falling for fraud attempts, humanity is truly doomed.

To those of you who argue that ClamAV should detect phishing attacks even
though tools like SpamAssassin are designed and inherently better suited
for doing that, I'd like to say that you will never really be able to
abandon SpamAssassin & Co. anyway.  ClamAV will never be able to replace
SpamAssassin without becoming SpamAssassin.

Bit Fuzzy [EMAIL PROTECTED] wrote:
 I can't believe this one subject can create such a mess.

I absolutely concur.  Considering that exactly _no one_ here demanded that
ClamAV abandon its capacity for detecting phishing attacks, little yellow
rubber ducks in PNG images, or whatever else, the uproar is truly
ludicrous.  What was actually requested is that there be an _option_ not
to scan for certain classes of malware.  No one would be disadvantaged by
that.

Oh well, I can only hope that the ClamAV developers won't let themselves
be deceived by specious counter-arguments such as "configurability is bad
because admins might goof up their config and then be insecure", and will
consider adding configurability for what to detect, or making the sig
database modular.

Everything else on the topic has been said, I think.



RE: [Clamav-users] ClamAV should not try to detect phishing and other social engineering attacks

2004-11-15 Thread Julian Mehnle
Matt [EMAIL PROTECTED] wrote:
 Thanks, but the point of my question was that I wanted to know
 whether there are more social engineering signatures in the
 database than just phishing ones.

 Getting back to the somewhat original question, if you download the
 signatures.pdf from the Clam website, that gives you a general listing
 of the different classes of various virii/malware naming conventions.
 That should give you an idea of which parts of the database you may
 wish to remove.

Thanks for your constructive reply.

If you mean section 3.5, unfortunately there is no mention of the
Phishing prefix, so obviously this list is not complete.  The fact that
a Joke prefix (for hoaxes) is also listed there makes me worry how many
more supposed malware categories are unconditionally detected by ClamAV
which I would not want to be detected as malware...

Also please keep in mind that a modular sig db would relieve ClamAV users
from downloading signatures they don't plan on using.  Having to remove
unwanted sigs yourself requires you to download all existing sigs.



[Clamav-users] ClamAV should not try to detect phishing and other social engineering attacks

2004-11-14 Thread Julian Mehnle
Hi all,

since ClamAV reached v0.80, I am using it to scan and reject e-mail
messages.  Today I noticed that ClamAV also detects phishing attacks.
Phishing is pure social engineering and poses no threat whatsoever in a
technical sense.

How can I configure ClamAV not to try to detect phishing and other social
engineering attacks?



Re: [Clamav-users] ClamAV should not try to detect phishing and other social engineering attacks

2004-11-14 Thread Matt
Julian Mehnle wrote:

 How can I configure ClamAV not to try to detect phishing and other
 social engineering attacks?


 Why? Your prerogative, obviously, but I am just curious.

Matt


Re: [Clamav-users] ClamAV should not try to detect phishing and other social engineering attacks

2004-11-14 Thread Tomasz Kojm
On Sun, 14 Nov 2004 13:58:53 +0100
Julian Mehnle [EMAIL PROTECTED] wrote:

 Hi all,
 
 since ClamAV reached v0.80, I am using it to scan and reject e-mail
 messages.  Today I noticed that ClamAV also detects phishing attacks.
 Phishing is pure social engineering and poses no threat whatsoever in
 a technical sense.
 
 How can I configure ClamAV not to try to detect phishing and other
 social engineering attacks?

Modify your mail scanner to pass HTML.Phishing.* through.

-- 
   oo. Tomasz Kojm [EMAIL PROTECTED]
  (\/)\. http://www.ClamAV.net/gpg/tkojm.gpg
 \..._ 0DCA5A08407D5288279DB43454822DC8985A444B
   //\   /\  Sun Nov 14 14:26:03 CET 2004


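One way to realise both site-side approaches raised in this thread (Matt's suggestion of an external script that removes unwanted classes from the signature database, and Tomasz Kojm's advice to have the mail scanner pass HTML.Phishing.* through), as an added example that is not code from the list or from the ClamAV project. It assumes the plain-text signature line layouts Name=Hex (.db), Name:Target:Offset:Hex (.ndb) and MD5:Size:Name (.hdb) and scanner result lines of the form "path: Name FOUND" or "path: OK"; all sample signatures and verdicts below are constructed.

```python
"""Keep ClamAV's technical-threat detection but ignore whole malware classes.

Added example (not code from the thread or the ClamAV project) for two ideas
raised in the discussion: strip unwanted classes out of the signature file
with an external script, or let the mail scanner pass HTML.Phishing.* hits
through.  Assumed line layouts: 'Name=Hex' (.db), 'Name:Target:Offset:Hex'
(.ndb), 'MD5:Size:Name' (.hdb); scanner output 'path: Name FOUND'/'path: OK'.
"""
import re
from collections import Counter
from typing import Dict, Iterable, List, Sequence, Tuple

# Classes this site chooses not to act on (the thread names the Phishing
# and Joke prefixes); every other class is still blocked.
IGNORED_PREFIXES: Tuple[str, ...] = ("HTML.Phishing.", "Joke.")

def is_ignored(name: str, prefixes: Sequence[str] = IGNORED_PREFIXES) -> bool:
    """True if a signature name belongs to one of the ignored classes."""
    return name.startswith(tuple(prefixes))

def signature_name(line: str, fmt: str) -> str:
    """Return the malware name field of one signature line (assumed layouts)."""
    if fmt == "db":    # Name=HexSignature (legacy layout)
        return line.split("=", 1)[0]
    if fmt == "ndb":   # Name:TargetType:Offset:HexSignature[...]
        return line.split(":", 1)[0]
    if fmt == "hdb":   # MD5:Size:Name
        return line.split(":", 2)[2]
    raise ValueError(f"unknown signature format: {fmt}")

def filter_signature_db(lines: Iterable[str], fmt: str,
                        prefixes: Sequence[str] = IGNORED_PREFIXES
                        ) -> Tuple[List[str], List[str]]:
    """Split signature lines into (kept, dropped); blank lines are kept."""
    kept, dropped = [], []
    for raw in lines:
        line = raw.rstrip("\n")
        if line and is_ignored(signature_name(line, fmt), prefixes):
            dropped.append(line)
        else:
            kept.append(line)
    return kept, dropped

# 'path: Name FOUND' or 'path: OK'; the path itself may contain spaces.
VERDICT_RE = re.compile(r"^(?P<path>.+?): (?:(?P<name>\S+) FOUND|OK)$")

def classify_verdict(line: str,
                     prefixes: Sequence[str] = IGNORED_PREFIXES
                     ) -> Tuple[str, str, str]:
    """Map one scanner result line to (path, action, name), where action is
    'clean' (no hit), 'pass' (hit in an ignored class, deliver anyway) or
    'reject' (hit in any other class)."""
    m = VERDICT_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised scanner output: {line!r}")
    path, name = m.group("path"), m.group("name")
    if name is None:
        return path, "clean", ""
    return path, ("pass" if is_ignored(name, prefixes) else "reject"), name

def summarize(verdicts: Iterable[str]) -> Dict[str, int]:
    """Count actions over a batch of scanner result lines."""
    return dict(Counter(classify_verdict(v)[1] for v in verdicts))

# Constructed sample data; none of these are real signatures or scan results.
SAMPLE_NDB = ["Worm.Example-1:0:*:deadbeef",
              "HTML.Phishing.Bank.Example-2:3:*:cafebabe",
              "Joke.Example-3:1:*:0102"]
SAMPLE_HDB = ["00000000000000000000000000000001:1024:Trojan.Example-4",
              "00000000000000000000000000000002:2048:HTML.Phishing.Example-5"]
SAMPLE_VERDICTS = ["/var/spool/mail/msg1: OK",
                   "/var/spool/mail/msg2: HTML.Phishing.Bank.Example-2 FOUND",
                   "/var/spool/mail/msg3: Worm.Example-1 FOUND"]

if __name__ == "__main__":
    print(filter_signature_db(SAMPLE_NDB, "ndb"))
    for v in SAMPLE_VERDICTS:
        print(classify_verdict(v))
    print(summarize(SAMPLE_VERDICTS))
```

Note that the two mechanisms differ in what is downloaded: the verdict filter still needs the full database on disk, whereas the database filter only trims what is loaded, which is the distinction Julian draws later in the thread.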


RE: [Clamav-users] ClamAV should not try to detect phishing and other social engineering attacks

2004-11-14 Thread Julian Mehnle
BitFuzzy [EMAIL PROTECTED] wrote:
 So blocking [social engineering attacks] can only be seen as a good
 thing.

I disagree, and I already explained why.

I don't even request that ClamAV completely stop detecting such stuff, I
just request that I have the option of disabling it.



Re: [Clamav-users] ClamAV should not try to detect phishing and other social engineering attacks

2004-11-14 Thread Jason Haar
This is a me too. I am ABSOLUTELY in love with ClamAV due to the fact 
it has gone beyond what most commercial AV players are doing, and is 
incorporating scanning for phishing and spyware.

If you follow the industry, you will see that most AV vendors are 
bringing out *separate* products to detect spyware - i.e. they want us 
the consumers to pay TWICE to gain full protection.

I think it's a crock - and I'm glad to see the ClamAV developers do too. 
Viruses/trojans/phishing/spyware - it's all rubbish I would rather was 
not in my end-users' mailboxes.

--
Cheers
Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1