Using additional signatures
Posted: Thu Feb 25, 2016 8:45 am
I realise that the additional signatures that ASL adds to the normal clamav set offers a better level of protection against the kind of nasties that could compromise the security of a server.
But they don't seem to help much with booby-trapped attachments, and we are seeing an alarming number of these being missed.
The scammers are getting more sophisticated in their social engineering, and your typical consumer is undoubtedly going to fall for one eventually. If their own PC's anti-virus is not good, or not up to date, they are going to get clobbered.
So, on our PG boxes, I've set up https://github.com/extremeshok/clamav-unofficial-sigs to automatically download and use some additional signatures.
In all, the script allows you to automatically download Sanesecurity, SecuriteInfo, rfx, FOXHOLE, MalwarePatrol and a few other signature sets. You can then decide on subsets of these signatures, based on their false positive level and suchlike. I was very impressed.
securesite and MalwarePatrol require you to set up fee or premium accounts, and MalwarePatrol prohibits commercial use of any kind.
I've not been running them long enough to make any significant observations other than seeing sanesecurity rules block these nasty attachments very frequently, which I've found encouraging.
Has anyone else had any luck with additional signatures? Does anyone have any recommendations? Any to avoid?
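One way to turn "seeing sanesecurity rules block these nasty attachments very frequently" into numbers is to tally clamd/clamscan detections by the signature set that fired. The script below is an added example, not part of the original post and not from the clamav-unofficial-sigs project. It relies on two conventions: clamd and clamscan report a hit as `<path>: <signature> FOUND`, and ClamAV appends `.UNOFFICIAL` to signatures loaded from databases outside its official set. The source prefixes (`Sanesecurity.`, `SecuriteInfo.com.`, `MalwarePatrol.`) and the log lines in `SAMPLE_LOG` are constructed for illustration; signature names in the sample are invented and do not refer to real detections.

```python
import re
from collections import Counter

# clamscan prints "<path>: <signature> FOUND"; clamd's log prefixes that with a
# timestamp and " -> ".  Lines for clean files end in "OK" and are ignored.
FOUND_RE = re.compile(r"^(?P<path>.*?): (?P<sig>\S+) FOUND\s*$")

# Prefixes assumed here to identify the third-party set a signature came from.
SOURCE_PREFIXES = {
    "Sanesecurity.": "Sanesecurity",
    "SecuriteInfo.com.": "SecuriteInfo",
    "MalwarePatrol.": "MalwarePatrol",
}

# Constructed sample clamd log excerpt (paths and signature names are invented).
SAMPLE_LOG = """\
Thu Feb 25 08:45:01 2016 -> /var/spool/mail/tmp/invoice_4821.zip: Sanesecurity.Foxhole.Zip_js.UNOFFICIAL FOUND
Thu Feb 25 08:46:12 2016 -> /var/spool/mail/tmp/scan0042.doc: SecuriteInfo.com.Doc.Dropper.Example.UNOFFICIAL FOUND
Thu Feb 25 08:47:30 2016 -> /var/spool/mail/tmp/newsletter.html: OK
Thu Feb 25 08:48:05 2016 -> /var/spool/mail/tmp/setup.exe: Win.Trojan.Example-1 FOUND
Thu Feb 25 08:49:44 2016 -> /var/spool/mail/tmp/order.zip: Sanesecurity.Foxhole.Zip_js.UNOFFICIAL FOUND
Thu Feb 25 08:50:00 2016 -> /var/spool/mail/tmp/update.js: Example.Other.UNOFFICIAL FOUND
"""


def parse_found(line):
    """Return (path, signature) for a FOUND line, or None for anything else."""
    m = FOUND_RE.match(line.rstrip("\n"))
    if not m:
        return None
    # Drop clamd's "<timestamp> -> " prefix when present; clamscan has none.
    path = m.group("path").split(" -> ", 1)[-1]
    return path, m.group("sig")


def signature_source(sig):
    """Map a signature name to the database set it most likely came from."""
    for prefix, name in SOURCE_PREFIXES.items():
        if sig.startswith(prefix):
            return name
    # ClamAV marks every signature from a non-official database this way.
    if sig.endswith(".UNOFFICIAL"):
        return "other-unofficial"
    return "official"


def tally(lines):
    """Count detections per signature source over an iterable of log lines."""
    counts = Counter()
    for line in lines:
        hit = parse_found(line)
        if hit is None:
            continue
        counts[signature_source(hit[1])] += 1
    return counts


def unofficial_share(counts):
    """Fraction of all hits that came from non-official databases (0.0 if none)."""
    total = sum(counts.values())
    if total == 0:
        return 0.0
    return (total - counts.get("official", 0)) / total


if __name__ == "__main__":
    counts = tally(SAMPLE_LOG.splitlines())
    for source, n in counts.most_common():
        print(f"{source:18s} {n}")
    print(f"unofficial share: {unofficial_share(counts):.0%}")
```

Feed it the real clamd log (`tally(open("/var/log/clamav/clamd.log"))`, path assumed) and the breakdown shows which of the downloaded sets are actually catching attachments on your mail flow. A high share from one set is also the place to look first when chasing false positives, since the unofficial databases are the ones whose rating subsets you chose.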