Atomic Secure Linux

All times are UTC - 5 hours [ DST ]

 Post subject: Using additional signatures
Posted: Thu Feb 25, 2016 8:45 am
Long Time Forum Regular

Joined: Thu Dec 09, 2004 11:19 am
Posts: 2321
I realise that the additional signatures that ASL adds to the normal clamav set offer a better level of protection against the kind of nasties that could compromise the security of a server.

But they don't seem to help much with booby-trapped attachments, and we are seeing an alarming number of these being missed.

The scammers are getting more sophisticated in their social engineering, and your typical consumer is undoubtedly going to fall for one eventually. If their own PC's anti-virus is not good, or not up to date, they are going to get clobbered.

So, on our PG boxes, I've set up https://github.com/extremeshok/clamav-unofficial-sigs to automatically download and use some additional signatures.

In all, the script allows you to automatically download the Sanesecurity, SecuriteInfo, rfx, FOXHOLE, MalwarePatrol and a few other signature sets. You can then decide on subsets of these signatures, based on their false positive level and suchlike. I was very impressed.

securesite and MalwarePatrol require you to set up fee or premium accounts, and MalwarePatrol prohibits commercial use of any kind.

I've not been running them long enough to make any significant observations other than seeing sanesecurity rules block these nasty attachments very frequently, which I've found encouraging.

Has anyone else had any luck with additional signatures? Does anyone have any recommendations? Any to avoid?

_________________
--------------------------------
<advert>
If you want to rent a UK-based VPS that comes with friendly advice and support from a fellow ART fan, please get in touch.
</advert>
 Post subject: Re: Using additional signatures
Posted: Mon Feb 29, 2016 6:34 pm
Atomicorp Staff - Site Admin

Joined: Thu Feb 07, 2008 7:49 pm
Posts: 4087
Location: Chantilly, VA
Quote:
> But they don't seem to help much with booby-trapped attachments, and we are seeing an alarming number of these being missed.

That's on purpose. Those signatures work great for email, but they cause a lot of false positives for web sites that serve up zip files with js, exes, etc. So we purposefully do not include them, as clamav has no way of distinguishing whether the context is email or web. So while I agree those signatures are useful for some email users, keep in mind that clamav may be scanning more than just email on your system and this can cause false positives.

_________________
Michael Shinn
Atomicorp - Security For Everyone

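Both posts above come down to the same operational question: which signature set fired, and on what kind of file (mail attachment versus web content)? The following script is an added example, not part of the thread or of clamav-unofficial-sigs; it parses clamscan-style output, attributes each hit to its source (third-party sets carry the .UNOFFICIAL suffix), and lists third-party hits on web document roots as candidates for the false-positive review the staff reply describes. The scan lines, signature names and directory layout are constructed assumptions.

```python
import re
from collections import Counter

# Constructed sample of clamscan output (not from the thread); the
# signature names and paths are illustrative, not real detections.
SAMPLE_SCAN_OUTPUT = """\
/var/spool/mail/quarantine/msg001.zip: Sanesecurity.Foxhole.Zip_exe.UNOFFICIAL FOUND
/var/spool/mail/quarantine/msg002.doc: Sanesecurity.Malware.12345.Doc.UNOFFICIAL FOUND
/var/spool/mail/quarantine/msg003.txt: OK
/var/www/vhosts/example.com/httpdocs/tools.zip: Sanesecurity.Foxhole.Zip_js.UNOFFICIAL FOUND
/var/www/vhosts/example.com/httpdocs/index.html: OK
/var/www/vhosts/example.com/httpdocs/old.exe: Win.Trojan.Agent-1234567-0 FOUND
/var/spool/mail/quarantine/msg004.js: SecuriteInfo.com.JS.Dropper.1.UNOFFICIAL FOUND
"""

# clamscan reports infected files as "<path>: <signature> FOUND"
LINE_RE = re.compile(r"^(?P<path>.+?): (?P<sig>\S+) FOUND$")

def signature_source(sig):
    """Official ClamAV signature vs. third-party set (those end in .UNOFFICIAL)."""
    if sig.endswith(".UNOFFICIAL"):
        return sig.split(".", 1)[0]   # e.g. "Sanesecurity", "SecuriteInfo"
    return "official"

def path_context(path):
    """Assumed layout: mail spool vs. web document roots (adjust to your hosts)."""
    if path.startswith("/var/spool/mail/"):
        return "mail"
    if path.startswith("/var/www/"):
        return "web"
    return "other"

def summarise(scan_output):
    """Count hits per (source, context) and collect third-party hits on web content."""
    counts = Counter()
    review = []
    for line in scan_output.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue            # "OK" lines and anything unparsable are skipped
        src = signature_source(m["sig"])
        ctx = path_context(m["path"])
        counts[(src, ctx)] += 1
        if src != "official" and ctx == "web":
            review.append((m["path"], m["sig"]))
    return counts, review

if __name__ == "__main__":
    counts, review = summarise(SAMPLE_SCAN_OUTPUT)
    for (src, ctx), n in sorted(counts.items()):
        print(f"{src:14s} {ctx:5s} {n}")
    for path, sig in review:
        print(f"review for possible false positive: {sig} on {path}")
```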
 Post subject: Re: Using additional signatures
Posted: Mon Feb 29, 2016 9:49 pm
Long Time Forum Regular

Joined: Thu Dec 09, 2004 11:19 am
Posts: 2321
All the more reason, I suppose, to scan mail on a dedicated mailscanner node.
