Hi James,

I've looked at the code, and what you want to do should be possible with the current code. The only thing you need to know is the returned string from ClamAV. Since 2.0.0_16.... the 'SuspiciousVirus' is a 'weighted' regex (signed by the two ** in GUI).

-----------------
Fields marked with an additional asterisk (**) accept a second weight value separated by => from the regular expression. For example: spammer=>1.45 . The multiplication result of the weight and the penaltybox valence value will be used for scoring, if the absolute value of weight is less or equal 6. Otherwise the value of weight is used for scoring.
-----------------

Set 'SuspiciousVirus' to your needs. For example:

Worm65=>2|eicar=>0|Sanesecurity\.SpamImg\.14=>1.5|winnow\.malware\.37=>3|Sanesecurity\.Lott\.34=>1|Sanesecurity\.Junk\.20=>35|Sanesecurity\.Junk\.\d+=>10

ASSP is processing the matches from left to right. Use the exact matches first and those with wildcards after (see Sanesecurity\.Junk\.20=>35|Sanesecurity\.Junk\.\d+=>10).

Do not forget to escape dots (.)!

Thomas

James Brown <[email protected]>
29.05.2009 01:26
Please reply to: ASSP development mailing list <[email protected]>
To: ASSP development mailing list <[email protected]>
Cc:
Subject: [Assp-test] ClamAV - set scoring/reject based on virus database FP risk

I use ASSP v2 with ClamAV and the additional virus/phish/spam databases on the SaneSecurity web site. Some of these third party databases have higher risk of False Positives than others.

It would be good if ASSP's behaviour on detecting such a 'virus' was able to be based on the database's risk factor. This risk factor is listed on: Sanesecurity's ClamAV - Phishing and Scam/Spam Signatures

For example, I would like to be able to block any message that matches a pattern from a database with Low FP risk, and give different Penalty Box scores if it matches any of the Med or High risk databases.

These third party databases greatly reduce the amount of spam that has to be processed, but the fear of FPs makes me nervous about using them in a blocking mode.

Thanks,
James.

_______________________________________________
Assp-test mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/assp-test
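The weighting rule quoted in the reply above, worked through as an added example (not part of the original messages and not ASSP's own code). It assumes the first matching alternative from the left decides the score, that matching is a case-insensitive unanchored search, and that an entry without => has weight 1; the valence value of 25 and the ClamAV signature names are constructed sample input.

```python
import re

# The 'SuspiciousVirus' value from the message above.
SPEC = (r"Worm65=>2|eicar=>0|Sanesecurity\.SpamImg\.14=>1.5|winnow\.malware\.37=>3|"
        r"Sanesecurity\.Lott\.34=>1|Sanesecurity\.Junk\.20=>35|Sanesecurity\.Junk\.\d+=>10")

def split_top_level(spec):
    """Split on '|' only outside groups, leaving escaped characters untouched."""
    parts, buf, depth, i = [], [], 0, 0
    while i < len(spec):
        ch = spec[i]
        if ch == "\\" and i + 1 < len(spec):   # keep the escape pair together
            buf.append(spec[i:i + 2])
            i += 2
            continue
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
        if ch == "|" and depth == 0:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf))
    return parts

def parse_weighted(spec, default_weight=1.0):
    """Return ordered (compiled regex, weight) pairs; order matters for scoring."""
    rules = []
    for alt in split_top_level(spec):
        pattern, sep, weight = alt.rpartition("=>")
        if not sep:                            # no weight given (assumed weight 1)
            pattern, weight = alt, default_weight
        rules.append((re.compile(pattern, re.IGNORECASE), float(weight)))
    return rules

def score(virus_name, rules, valence):
    """Score of the first rule matching the ClamAV result, or None if none match."""
    for rx, weight in rules:
        if rx.search(virus_name):
            # |weight| <= 6: multiplier on the valence; otherwise an absolute score.
            return weight * valence if abs(weight) <= 6 else weight
    return None

if __name__ == "__main__":
    rules = parse_weighted(SPEC)
    for name in ("Sanesecurity.Junk.20", "Sanesecurity.Junk.1234",
                 "Sanesecurity.SpamImg.14", "Eicar-Test-Signature"):
        print(name, "->", score(name, rules, valence=25))
```

Swapping the last two alternatives makes the wildcard rule shadow the exact one, so Sanesecurity.Junk.20 scores 10 instead of 35, which is why the exact matches go first.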
