ClamAV unofficial rules?
Posted: Sun Dec 21, 2008 6:22 pm
by faris
I've noticed that the number of bad messages (spam/phishing rather than actual badware) that clamav detects and drops has ...errr...dropped significantly recently.
Going through my clamav logs, I'm not seeing anything with "UNOFFICIAL" listed.
Previously I'd see loads of these, which were from the
http://sanesecurity.com/clamav/ ruleset.
I notice from the above page that there were some issues with a DoS, and that the rules have instead now been mirrored (but with some false positives - out of date rules).
Scott, what's your take on this? Those rules were obviously doing a lot of good in the past, though mostly they were picking up spam.
Faris.
Posted: Sun Dec 21, 2008 7:05 pm
by mikeshinn
Looks like the SaneSecurity project is on a temporary break. We have an archive of the last good set of signatures and will make them available, but you can see the author isn't supporting them right now.
If he decides to drop the project we may fork the sigs (copyright and licensing issues still being explored by the lawyers) and start maintaining them ourselves as they are really good sigs - and stop a lot of spam and phishing. We've seen them do a better job than the commercial services out there in fact.
Posted: Sun Dec 21, 2008 8:04 pm
by faris
I'd definitely like to make use of the last known good set. They were working very well for us.
If you do make them available please can you be sure to let us know where they are supposed to go (i.e. which folder)?
Faris.
Posted: Mon Dec 29, 2008 11:05 am
by Griffith
Any news on this? Maybe a link where we can download a copy of the signatures?

Posted: Mon Dec 29, 2008 12:33 pm
by scott
We've been maintaining our own mirror with the Atomic version of clamav since last year actually. The updater is /usr/bin/clamav_updater.sh, take a look in there if you want to see how it works.
Posted: Tue Dec 30, 2008 5:08 am
by Griffith
I actually did.
I noticed that when I tried to download the scam.ndb, the filesize is 0kb. Does that mean we will have to pay to get access to it?
Posted: Tue Dec 30, 2008 7:45 am
by faris
I was going to ask about that -- if the updater is meant to download the known good rules mirror then something is up - because it doesn't seem to be doing so.
If the filesize is 0kb then that would explain it.
Faris.
Posted: Tue Dec 30, 2008 10:40 am
by scott
It's an upstream problem, SANE is taking a break/was being DoS'd.
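The failure mode in this thread (an upstream outage leaving a 0 KB scam.ndb in the mirror, which then silently replaces a working database) is easy to guard against in an updater. As an added example, not ASL's own clamav_updater.sh and not the SaneSecurity script, here is a small POSIX shell helper that stages a fetched .ndb file and only installs it when it is non-empty and every line has the ndb shape; the URL, paths and function names are assumed.

```shell
#!/bin/sh
# Hypothetical helper (added example, not the ASL or SaneSecurity updater).
# A .ndb line has the shape  Name:TargetType:Offset:HexSignature ; comment
# lines start with '#'. This is a cheap shape check so that an empty or
# truncated download never replaces a good database. A stricter check is
# 'clamscan --database=FILE /dev/null', which fails on a malformed file.

# Returns 0 if $1 looks like a usable .ndb, non-zero otherwise.
ndb_is_valid() {
    f="$1"
    [ -s "$f" ] || return 1      # missing or 0-byte file (the scam.ndb case)
    # Fail if any non-comment, non-blank line does not match name:type:offset:hex.
    # The hex field may also carry ClamAV wildcards: ?? * {n-m} (aa|bb) [n-m] !
    ! grep -Ev '^(#|$)' "$f" \
        | grep -qvE '^[^:]+:[0-9]+:[^:]+:[][0-9A-Fa-f?*{}()|!-]+$'
}

# Replace $2 with $1 only when $1 validates; the live database is left
# untouched on failure, so a bad upstream fetch never removes working sigs.
install_ndb() {
    src="$1"; dest="$2"
    if ndb_is_valid "$src"; then
        mv -f "$src" "$dest" && return 0
    fi
    echo "refusing to install $src: empty or malformed signature file" >&2
    rm -f "$src"
    return 1
}

# Fetch to a staging file first, then hand it to install_ndb.
# URL and destination are placeholders; the real values live in the updater.
update_ndb() {
    url="$1"; dest="$2"
    tmp=$(mktemp) || return 1
    curl -fsSL "$url" -o "$tmp" || { rm -f "$tmp"; return 1; }
    install_ndb "$tmp" "$dest"
}
# Example (not run here): update_ndb "$SIG_URL/scam.ndb" /var/lib/clamav/scam.ndb
```

After a successful install the daemon still has to pick up the new file (clamd reloads on SIGUSR2 or via `clamdscan --reload`), which is a separate step this helper does not perform.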
Posted: Tue Dec 30, 2008 1:07 pm
by Griffith
We've noticed that :)
Mike said:
Looks like the SaneSecurity project is on a temporary break. We have an archive of the last good set of signatures and will make them available, but you can see the author isn't supporting them right now.
Could we get a copy of that?

Posted: Sat Jan 10, 2009 9:59 am
by Griffith
Scott: have you considered updating clamav_updater.sh with some of this:
http://www200.pair.com/mecham/spam/Upda ... ity.sh.txt
and include it in gamera?
Posted: Sat Jan 10, 2009 11:46 am
by scott
Sure, it would go into the clamav-db package. Fortunately almost all of that is already in there.
Posted: Mon Jan 12, 2009 1:58 pm
by faris
Well, it looks like the sanesecurity site came up, then went back down (as far as the rules are concerned).
Maybe you should sponsor him as well if you have anything left after grsec?
All he needs is a server capable of handling the huge number of requests really.
And his rules rock.
Faris.
Posted: Tue Jan 20, 2009 5:58 pm
by Griffith
Sanesec rules are back now.

Posted: Tue Jan 20, 2009 6:15 pm
by faris
yay!
Posted: Tue Jan 20, 2009 6:17 pm
by faris
OK, so the download method/location has changed.
I presume ASL clamav users don't need to worry about this?