Let me start with a statement that I am NOT a Perl programmer, so the code suggestions below should be taken as an attempt to communicate my suggestion in "pidgin Perl" and not as a direct replacement.
Background. ClamAV has a lot of options and detection types, and I assume whatever people are using for file AV is similar. ClamAV now has Google Safe Browsing signatures, heuristic detection, as well as PUA detection and "unofficial" signatures. ClamAV has become more than just a "virus" detection engine; it is an engine used to detect malware as well as malware vectors like phishing, etc. As such there can be a higher probability of false positives, as well as a need to have certain detections processed further so that the scam can be entered into the Bayesian database.

Thus I propose a slight change in SuspiciousVirus handling. Rules would be written as "re => weight", similar to DNSBLs. Thus, you might have:

    /Phishing/i => 1.25
    /Heuristic/ => 0.75
    /Something that is FP to me/ => 0

So my code suggestion is to do something like this to read SuspiciousVirus or the file that contains the SuspiciousVirus rules:

    # Read suspicious virus signatures and weights
    # SuspiciousVirusList: [RE][weight]
    my @SuspiciousVirusList;
    while (my $line = <>) {
        chomp $line;
        next if $line =~ /^\s*(#|$)/;                 # skip comments and blank lines
        my ($re, $weight) = split /\s*=>\s*/, $line, 2;
        # strip the surrounding /.../flags so qr// does not match the slashes literally
        my ($pat, $flags) = $re =~ m{^/(.*)/([a-z]*)$} ? ($1, $2) : ($re, '');
        my $compiled = length $flags ? qr/(?$flags)$pat/ : qr/$pat/;
        push @SuspiciousVirusList, [ $compiled, $weight ];
    }

where SuspiciousVirusList is a 2-dimensional array containing [RE][weight].

Now replace the current SuspiciousVirusRE test with something like:

    } elsif ( my ($sig, $weight) = checkAVSignature($virus) ) {
        if ($weight) {
            $score = $vsValencePB * $weight;
            $this->{messagereason} = "SuspiciousVirus: $virus '$sig'";
            pbAdd( $fh, $this->{ip}, $score, "$virus", 1 );
            $this->{prepend} = "[VIRUS][scoring]";
            mlog( $fh, "'$virus' passing because of '$sig' weighted as $score" );
        } else {
            mlog( $fh, "'$virus' whitelisted because of '$sig'" );
        }
        return 1;

The function, checkAVSignature, checks the value returned by clamd against the array of [RE][weight] pairs and returns 0 (false) if not found or 1 (true) if found, along with returning the sig identifier (this could be better) and the associated weight.
    sub checkAVSignature {
        my ($virus) = @_;
        # Returns the empty list (false) if no rule matches; otherwise
        # returns the matching signature RE and its weight.
        for my $element (@SuspiciousVirusList) {
            my ($re, $weight) = @$element;
            if ( $virus =~ $re ) {
                return ( $re, $weight );
            }
        }
        return;
    }

I am sure that my Perl is terrible, but it is my attempt to help. This capability will provide for much better flexibility in handling clamd responses, as well as the ability to fine-tune scoring and deal with local detection issues.

Tom

_______________________________________________
Assp-test mailing list
Assp-test@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/assp-test
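The rule parsing, first-match lookup and weighted scoring proposed in the post above, as a stand-alone Perl script. This is an added example, not code from the post or from ASSP itself: the rule lines, the clamd "FOUND" names and the valence value 40 are constructed for the example, and loadRules/scoreVirus are hypothetical names. It also shows the one thing the post's first-match loop implies but does not spell out: a weight-0 exemption for a specific signature has to be listed before the generic rule it overrides.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed rules in the proposed "re => weight" form. Order matters:
# the first matching rule wins, so a specific exemption (weight 0) has to
# come before the generic rule it is meant to override.
my $rules_text = <<'RULES';
# signature regex => weight (0 = whitelist, no score)
/Heuristics\.Phishing\.Email\.SpoofedDomain/ => 0
/Phishing/i => 1.25
/Heuristic/ => 0.75
/PUA\./ => 0.25
RULES

# Parse rule lines into [compiled RE, weight] pairs (hypothetical helper).
sub loadRules {
    my ($text) = @_;
    my @list;
    for my $line (split /\n/, $text) {
        $line =~ s/\s+$//;
        next if $line =~ /^\s*(#|$)/;               # comments and blank lines
        my ($re, $weight) = split /\s*=>\s*/, $line, 2;
        die "bad weight in rule: $line\n"
            unless defined $weight && $weight =~ /^\d+(?:\.\d+)?$/;
        my ($pat, $flags) = $re =~ m{^\s*/(.*)/([a-z]*)$}
            or die "rule is not /re/flags: $line\n";
        # apply the trailing flags as inline modifiers, e.g. /x/i -> (?i)x
        my $compiled = length $flags ? qr/(?$flags)$pat/ : qr/$pat/;
        push @list, [ $compiled, $weight + 0 ];
    }
    return @list;
}

# Score a clamd verdict (hypothetical helper). Returns () when no rule
# matches, so the caller falls through to the normal virus handling;
# otherwise returns (matching RE, weight, score = valence * weight).
# A score of 0 means the hit is whitelisted.
sub scoreVirus {
    my ($virus, $valence, @rules) = @_;
    for my $rule (@rules) {
        my ($re, $weight) = @$rule;
        return ($re, $weight, $valence * $weight) if $virus =~ $re;
    }
    return;
}

my @rules       = loadRules($rules_text);
my $vsValencePB = 40;   # assumed penalty-box valence for this example

# Constructed clamd "FOUND" names, chosen to exercise each branch.
for my $virus (
    'Heuristics.Phishing.Email.SpoofedDomain',   # specific exemption, weight 0
    'Heuristics.Phishing.Email.SSL-Spoof',       # /Phishing/i wins over /Heuristic/
    'Heuristics.Broken.Executable',              # /Heuristic/ only
    'PUA.Win.Packer.Upx-1',                      # PUA rule
    'Win.Trojan.Agent-12345',                    # no rule: ordinary virus hit
) {
    my ($re, $weight, $score) = scoreVirus($virus, $vsValencePB, @rules);
    if (!defined $re) {
        printf "%-42s no rule matched, handle as a normal virus hit\n", $virus;
    } elsif ($weight == 0) {
        printf "%-42s whitelisted by %s\n", $virus, $re;
    } else {
        printf "%-42s score %.2f (weight %.2f) via %s\n", $virus, $score, $weight, $re;
    }
}
```

Swapping the first two rules would make the SpoofedDomain verdict score 50 instead of being whitelisted, which is why a rules file in this form should be read as an ordered list rather than a set; the same applies to any generic /Heuristic/ rule placed ahead of a more specific /Phishing/i one.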