ClamAV unofficial rules?

Forum for getting help with Project Gamera, Spamassassin, Clamav, qmail-scanner and other anti-spam tools.
faris
Long Time Forum Regular
Posts: 2321
Joined: Thu Dec 09, 2004 11:19 am

I've noticed that the number of bad messages (spam/phishing rather than actually badware) that clamav detects and drops has ...errr...dropped significantly recently.

Going through my clamav logs, I'm not seeing anything with "UNOFFICIAL" listed.

Previously I'd see loads of these, which were from the http://sanesecurity.com/clamav/ ruleset.

I notice from the above page that there were some issues with a DoS, and that the rules have instead now been mirrored (but with some false positives - out of date rules).

Scott, what's your take on this? Those rules were obviously doing a lot of good in the past, though mostly they were picking up spam.

Faris.
--------------------------------
<advert>
If you want to rent a UK-based VPS that comes with friendly advice and support from a fellow ART fan, please get in touch.
</advert>
mikeshinn
Atomicorp Staff - Site Admin
Posts: 4149
Joined: Thu Feb 07, 2008 7:49 pm
Location: Chantilly, VA

Looks like the SaneSecurity project is on a temporary break. We have an archive of the last good set of signatures and will make them available, but you can see the author isn't supporting them right now.

If he decides to drop the project we may fork the sigs (copyright and licensing issues still to be explored by the lawyers) and start maintaining them ourselves as they are really good sigs - and stop a lot of spam and phishing. We've seen them do a better job than the commercial services out there in fact.
faris
Long Time Forum Regular
Posts: 2321
Joined: Thu Dec 09, 2004 11:19 am

I'd definitely like to make use of the last known good set. They were working very well for us.

If you do make them available please can you be sure to let us know where they are supposed to go (i.e. which folder)?

Faris.
Griffith
Forum User
Posts: 95
Joined: Tue Dec 07, 2004 1:32 pm

Any news on this? Maybe a link where we can download a copy of the signatures? :)
scott
Atomicorp Staff - Site Admin
Posts: 8355
Joined: Wed Dec 31, 1969 8:00 pm
Location: earth

We've been maintaining our own mirror with the Atomic version of clamav since last year actually. The updater is /usr/bin/clamav_updater.sh, take a look in there if you want to see how it works.
Griffith
Forum User
Posts: 95
Joined: Tue Dec 07, 2004 1:32 pm

I actually did :)

I noticed that when I tried to download the scam.ndb, the filesize is 0kb. That means we will have to pay to get access to it?
faris
Long Time Forum Regular
Posts: 2321
Joined: Thu Dec 09, 2004 11:19 am

I was going to ask about that -- if the updater is meant to download the known good rules mirror then something is up - because it doesn't seem to be doing so.

If the filesize is 0kb then that would explain it :-)

Faris.
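The failure discussed in the posts above (the updater fetching a 0-byte scam.ndb) is something an update script can catch before it replaces the installed signatures. This is an added example, not part of the thread and not the contents of clamav_updater.sh; the function names and file paths are hypothetical, and it checks only the basic .ndb line layout (Name:TargetType:Offset:HexSignature).

```shell
#!/bin/sh
# Added example: vet a downloaded ClamAV .ndb file before installing it.
# Function names and paths are hypothetical; this is not clamav_updater.sh.

# ndb_is_sane FILE
# Returns 0 only if FILE is non-empty and every signature line has the
# basic .ndb layout: Name:TargetType:Offset:HexSignature[:MinFL[:MaxFL]]
ndb_is_sane() {
    f=$1
    # A 0-byte download (upstream outage, rate limiting) is rejected outright.
    [ -s "$f" ] || return 1
    # An HTML error page saved under the .ndb name fails the field checks below.
    awk -F: '
        { sub(/\r$/, "") }                 # tolerate CRLF line endings
        /^#/ || /^$/ { next }              # skip comment and blank lines
        { n++ }                            # count signature lines
        NF < 4 || $1 == "" { bad = 1 }     # need at least four fields and a name
        $2 !~ /^[0-9]+$/ { bad = 1 }       # target type is a number
        $4 !~ /[0-9A-Fa-f][0-9A-Fa-f]/ { bad = 1 }  # body holds at least one hex byte
        END { if (bad || !n) exit 1; exit 0 }
    ' "$f"
}

# install_ndb NEW DEST
# Replaces DEST only when NEW passes the check; otherwise the last good
# copy stays in place and the function returns 1.
install_ndb() {
    new=$1
    dest=$2
    if ndb_is_sane "$new"; then
        # Copy next to the destination, then rename, so the scanner never
        # loads a half-written database.
        cp "$new" "$dest.tmp.$$" && mv -f "$dest.tmp.$$" "$dest"
    else
        echo "rejecting $new: empty or malformed, keeping $dest" >&2
        return 1
    fi
}
```

A stricter final gate is to have ClamAV itself load the candidate file before the rename, since this check does not validate the signature bodies.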
scott
Atomicorp Staff - Site Admin
Posts: 8355
Joined: Wed Dec 31, 1969 8:00 pm
Location: earth

It's an upstream problem, SANE is taking a break/was being DoS'd.
Griffith
Forum User
Posts: 95
Joined: Tue Dec 07, 2004 1:32 pm

We've noticed that :)

Mike said:
Looks like the SaneSecurity project is on a temporary break. We have an archive of the last good set of signatures and will make them available, but you can see the author isn't supporting them right now.
Could we get a copy of that?? :)
Griffith
Forum User
Posts: 95
Joined: Tue Dec 07, 2004 1:32 pm

Scott: have you considered updating clamav_updater.sh with some of this:
http://www200.pair.com/mecham/spam/Upda ... ity.sh.txt

and include it in gamera?
scott
Atomicorp Staff - Site Admin
Posts: 8355
Joined: Wed Dec 31, 1969 8:00 pm
Location: earth

Sure, it would go into the clamav-db package. Fortunately almost all of that is already in there.
faris
Long Time Forum Regular
Posts: 2321
Joined: Thu Dec 09, 2004 11:19 am

Well, it looks like the sanesecurity site came up, then went back down (as far as the rules are concerned).

Maybe you should sponsor him as well if you have anything left after grsec?

All he needs is a server capable of handling the huge number of requests really.

And his rules rock.

Faris.
Griffith
Forum User
Posts: 95
Joined: Tue Dec 07, 2004 1:32 pm

Sanesec rules are back now :)
faris
Long Time Forum Regular
Posts: 2321
Joined: Thu Dec 09, 2004 11:19 am

yay!
faris
Long Time Forum Regular
Posts: 2321
Joined: Thu Dec 09, 2004 11:19 am

ok, so the download method/location has changed.

I presume ASL clamav users don't need to worry about this?