This will be implemented in the next version (ClamAV and FileScan)!

Thomas




Tom Shaw <ts...@oitc.com>
12.04.2009 22:54
Please reply to
ASSP development mailing list <assp-test@lists.sourceforge.net>

To
ASSP development mailing list <assp-test@lists.sourceforge.net>
Cc

Subject
[Assp-test] SuspiciousVirus suggestion

Let me start with a statement that I am NOT a perl programmer so the 
below code suggestions should be taken as an attempt to communicate 
my suggestion in "pidgin perl" and not a direct replacement.

Background. ClamAV has a lot of options and detection types and I 
assume whatever people are using for file AV are similar.  ClamAV now 
has Google Safe Browsing signatures, heuristic detection, as well as 
PUA detection and "unofficial" signatures.  ClamAV has become more 
than just a "virus" detection engine but an engine used to detect 
malware as well as malware vectors like phishing, etc.

As such there can be a higher probability of false positives as well 
as a need to have certain detections processed further so that the 
scam can be entered into the bayesian database.

Thus I propose a slight change in SuspiciousVirus handling.  Rules 
would be written as:

re => weight

similar to DNSBLs. Thus, you might have:

/Phishing/i => 1.25
/Heuristic/ => 0.75
/Something that is FP to me/ => 0

So my code suggestion is to do something like this to read 
SuspiciousVirus or the file that contains the SuspiciousVirus rules:


    # Read suspicious virus signatures and weights
    #  SuspiciousVirusList [RE][weight], one "/pattern/flags => weight" per line
    our @SuspiciousVirusList;
    while (<>) {
        chomp;
        next if /^\s*(?:#|$)/;                 # skip blank lines and comments
        my ( $re, $weight ) = split /\s*=>\s*/, $_, 2;
        # strip the /.../flags delimiters so qr// only sees the pattern
        my ( $pat, $flags ) =
            $re =~ m{^\s*/(.*)/([a-z]*)\s*$} ? ( $1, $2 ) : ( $re, '' );
        my $qr = $flags ? qr/(?$flags)$pat/ : qr/$pat/;
        push @SuspiciousVirusList, [ $qr, $weight ];
    }

where SuspiciousVirusList is a 2 dimensional array containing 
[RE][weight].  Now replace current SuspiciousVirusRE test with 
something like:

    } elsif ( checkAVSignature( $virus, \my $sig, \my $weight ) ) {
        # $sig and $weight are filled in by checkAVSignature on a hit
        if ($weight) {
            $score = $vsValencePB * $weight;
            $this->{messagereason} = "SuspiciousVirus: $virus '$sig'";
            pbAdd( $fh, $this->{ip}, $score, "$virus", 1 );
            $this->{prepend} = "[VIRUS][scoring]";
            mlog( $fh, "'$virus' passing because of '$sig' weighted as $score" );
        } else {
            # a weight of 0 means the detection is whitelisted locally
            mlog( $fh, "'$virus' whitelisted because of '$sig'" );
        }
        return 1;


The function, checkAVSignature, checks the value returned by clamd 
against the array of [RE][weight] pairs and returns 0 (false) if not 
found or 1 (true) if found along with returning the sig identifier 
(this could be better) and the associated weight.

# Match the clamd result against the [RE][weight] list.  Returns 1 and
# fills in the sig identifier and weight through the references, else 0.
sub checkAVSignature {
    my ( $virus, $sig_ref, $weight_ref ) = @_;
    for my $element (@SuspiciousVirusList) {
        my ( $re, $weight ) = @$element;
        if ( $virus =~ $re ) {
            $$sig_ref    = "$re";      # stringified qr// serves as the identifier
            $$weight_ref = $weight;
            return 1;
        }
    }
    return 0;
}

I am sure that my perl is terrible but it is my attempt to help. 
This capability will provide for much better flexibility in handling 
clamd responses as well as the ability to fine tune scoring and deal 
with local detection issues.

Tom
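As an added worked example (not Tom's code and not part of ASSP), the whole proposal as one stand-alone Perl script: it parses a constructed rule list in the "re => weight" form, runs constructed clamd result names against it through the same out-parameter checkAVSignature interface, and multiplies the weight into a base penalty. The rule values, the result names and the $vsValencePB value of 20 are assumptions; ASSP would take them from its configuration and from clamd. It also shows that the first matching rule wins, so a weight-0 whitelist entry has to come before a broader rule that would otherwise swallow it.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed rule list in the proposed "re => weight" form (hypothetical values).
# Order matters: the first matching rule wins, so the specific weight-0 entry
# precedes the broader /Heuristic/ rule that would otherwise shadow it.
my $rules = <<'END';
# weight > 1 raises the penalty, < 1 lowers it, 0 whitelists the detection
/Phishing/i              => 1.25
/Heuristics\.Broken/     => 0
/Heuristic/              => 0.75
END

# Parse "/pattern/flags => weight" lines into [qr//, weight] pairs.
sub parse_rules {
    my ($text) = @_;
    my @list;
    for my $line ( split /\n/, $text ) {
        next if $line =~ /^\s*(?:#|$)/;                  # comments and blanks
        my ( $re, $weight ) = split /\s*=>\s*/, $line, 2;
        die "bad rule: $line\n"
            unless defined $weight && $weight =~ /^\d+(?:\.\d+)?$/;
        my ( $pat, $flags ) =
            $re =~ m{^\s*/(.*)/([a-z]*)\s*$} ? ( $1, $2 ) : ( $re, '' );
        my $qr = $flags ? qr/(?$flags)$pat/ : qr/$pat/;
        push @list, [ $qr, $weight ];
    }
    return \@list;
}

# Same interface as the proposal: returns 1 and fills in $$sig_ref and
# $$weight_ref for the first matching rule, or 0 when nothing matches.
sub checkAVSignature {
    my ( $virus, $list, $sig_ref, $weight_ref ) = @_;
    for my $rule (@$list) {
        my ( $re, $weight ) = @$rule;
        if ( $virus =~ $re ) {
            $$sig_ref    = "$re";
            $$weight_ref = $weight;
            return 1;
        }
    }
    return 0;
}

# Constructed clamd result names (not real ClamAV signature names).
my @results = (
    'Email.Phishing.Example-1',
    'Heuristics.Broken.Executable',
    'Heuristics.Something.Else',
    'Win.Trojan.Example-2',
);
my $vsValencePB = 20;    # assumed base penalty for a suspicious virus hit
my $list        = parse_rules($rules);

for my $virus (@results) {
    my ( $sig, $weight );
    if ( !checkAVSignature( $virus, $list, \$sig, \$weight ) ) {
        print "$virus: no SuspiciousVirus rule matched, handle as a real virus\n";
    }
    elsif ($weight) {
        my $score = $vsValencePB * $weight;
        print "$virus: passing because of '$sig', weighted as $score\n";
    }
    else {
        print "$virus: whitelisted because of '$sig'\n";
    }
}
```

Run it as a plain script; the phishing name scores 25, the "Heuristics.Something.Else" name scores 15, the "Heuristics.Broken" name is whitelisted by the weight-0 rule, and the trojan name falls through to normal virus handling. Swapping the two Heuristic rules would make the whitelist entry unreachable, which is the ordering caveat worth keeping in mind when editing the list.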



------------------------------------------------------------------------------
This SF.net email is sponsored by:
High Quality Requirements in a Collaborative Environment.
Download a free trial of Rational Requirements Composer Now!
http://p.sf.net/sfu/www-ibm-com
_______________________________________________
Assp-test mailing list
Assp-test@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/assp-test



