ClamAV unofficial rules?
I've noticed that the number of bad messages (spam/phishing rather than actually badware) that clamav detects and drops has ...errr...dropped significantly recently.
Going through my clamav logs, I'm not seeing anything with "UNOFFICIAL" listed.
Previously I'd see loads of these, which were from the http://sanesecurity.com/clamav/ ruleset.
I notice from the above page that there were some issues with a DoS, and that the rules have instead now been mirrored (but with some false positives - out of date rules).
Scott, what's your take on this? Those rules were obviously doing a lot of good in the past, though mostly they were picking up spam.
Faris.
--------------------------------
<advert>
If you want to rent a UK-based VPS that comes with friendly advice and support from a fellow ART fan, please get in touch.
</advert>
- mikeshinn
- Atomicorp Staff - Site Admin
Looks like the SaneSecurity project is on a temporary break. We have an archive of the last good set of signatures and will make them available, but you can see the author isn't supporting them right now.
If he decides to drop the project we may fork the sigs (copyright and licensing issues still being explored by the lawyers) and start maintaining them ourselves as they are really good sigs - and stop a lot of spam and phishing. We've seen them do a better job than the commercial services out there in fact.
Michael Shinn
Atomicorp - Security For Everyone
I'd definitely like to make use of the last known good set. They were working very well for us.
If you do make them available please can you be sure to let us know where they are supposed to go (i.e. which folder)?
Faris.
--------------------------------
I was going to ask about that -- if the updater is meant to download the known good rules mirror then something is up - because it doesn't seem to be doing so.
If the filesize is 0kb then that would explain it
Faris.
--------------------------------
Scott: have you considered updating clamav_updater.sh with some of this:
http://www200.pair.com/mecham/spam/Upda ... ity.sh.txt
and include it in gamera?
Well, it looks like the sanesecurity site came up, then went back down (as far as the rules are concerned).
Maybe you should sponsor him as well if you have anything left after grsec?
All he needs is a server capable of handling the huge number of requests really.
And his rules rock.
Faris.
--------------------------------