Kenneth Porter wrote:
On 11/7/2018 1:24 PM, Kris Deugau wrote:
I use a combination of adding local signatures (mainly hashes for
"random-executable-inna-archive") and selected signatures from a
number of third parties to the stock set in a "primary" Clam instance
that's an absolute yes/no check, and using only things like the
Heuristics.Spoofdomain test and a selection of riskier local and
third-party signatures in a second instance called from SA and scored
according to the signature (or signature group).
I call ClamAV from MIMEDefang before invoking SA.
*nod* That's the other good way to apply more fine-grained behaviours
to different Clam hits; for a while I was using this on our outbound
cluster to mitigate the nuisance from Heuristics.SpoofDomain hits on
legitimate mail.
I use the "unofficial
sigs" package (available as an RPM via yum for Red Hat systems) for much
better detection.
https://sourceforge.net/projects/unofficial-sigs/
It's been in Debian for a while too. That upstream link is an old
version; it was forked or taken over (not sure which) by
extremeshok.com at https://github.com/extremeshok/clamav-unofficial-sigs.
I'm also using a stripped-down extract of the older version to
distribute signatures locally; there are a few subsets of various
third-party signature groups and files that I consider too high-risk for
absolute blocking, so the main download script just pulls files to a
local workspace instead of straight into the Clam DB directory, then a
local script filters/sorts them and the live servers pull from that space.
-kgd
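As an added example, not code from this thread and not part of clamav-unofficial-sigs, here is a small POSIX shell script that does the workspace split described above: third-party signature files are pulled into a local workspace, and a sorting step copies each file into either a "block" tree (loaded by the primary clamd that gives an absolute yes/no) or a "score" tree (loaded only by the second instance that SpamAssassin queries and scores per signature). Which files count as too risky for absolute blocking is read from a one-name-per-line list; files with zero signatures (a truncated or failed download) are held back rather than published. The file names, the risky list and the sample signature lines are constructed for the demo, and the block/score directory layout is an assumption.

```shell
#!/bin/sh
# Sort a ClamAV signature workspace into "block" and "score" trees.
# Constructed example; directory layout and file names are assumptions.
set -e

# Count signature lines in a ClamAV database file, treating blank lines
# and lines beginning with '#' as comments. Prints the count (0 if none).
count_sigs() {
    grep -v -c -e '^#' -e '^[[:space:]]*$' "$1" || true
}

# sort_sigs WORKSPACE BLOCK_DIR SCORE_DIR RISKY_LIST
#   WORKSPACE  : directory the download script fills (never the live DB dir)
#   BLOCK_DIR  : tree the primary, absolute yes/no clamd loads
#   SCORE_DIR  : tree the second, SA-scored clamd loads
#   RISKY_LIST : file with one signature file name per line to route to SCORE_DIR
sort_sigs() {
    workspace="$1"; block="$2"; score="$3"; risky_list="$4"
    mkdir -p "$block" "$score"
    for f in "$workspace"/*; do
        [ -f "$f" ] || continue
        name=$(basename "$f")
        # Only publish recognised ClamAV database formats; anything else
        # in the workspace (README, checksums, stray files) is skipped.
        case "$name" in
            *.hdb|*.hsb|*.ndb|*.ldb|*.cdb|*.yar|*.yara) ;;
            *) echo "skip: $name (not a signature file)" >&2; continue ;;
        esac
        # A database with no signatures usually means a broken download;
        # do not push an empty file to the live servers.
        if [ "$(count_sigs "$f")" -eq 0 ]; then
            echo "hold: $name (no signatures found)" >&2
            continue
        fi
        if [ -n "$risky_list" ] && [ -f "$risky_list" ] \
            && grep -qxF "$name" "$risky_list"; then
            cp "$f" "$score/$name"
            echo "score: $name" >&2
        else
            cp "$f" "$block/$name"
            echo "block: $name" >&2
        fi
    done
}

# Stand-alone demo on a constructed workspace in a temporary directory.
demo_dir=$(mktemp -d)
mkdir "$demo_dir/ws"
# Constructed sample signature lines (not real detections).
printf 'aaaa:123:Example.Hash.1:73\n' > "$demo_dir/ws/example-hashes.hsb"
printf 'Example.Risky.1:0:*:deadbeef\n' > "$demo_dir/ws/example-risky.ndb"
printf '# only a comment, no signatures\n' > "$demo_dir/ws/example-empty.ndb"
printf 'just notes\n' > "$demo_dir/ws/notes.txt"
printf 'example-risky.ndb\n' > "$demo_dir/risky.list"
sort_sigs "$demo_dir/ws" "$demo_dir/block" "$demo_dir/score" "$demo_dir/risky.list"
ls -R "$demo_dir/block" "$demo_dir/score"
rm -rf "$demo_dir"
```

In practice the live servers would rsync the two trees into the DB directories of their respective clamd instances, and the risky list is the only thing that needs editing when a third-party group starts producing too many false positives for absolute blocking.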