The name of the virus is

'Sanesecurity.Jurlbl.Auto.16581.UNOFFICIAL'

but there is no matching regex:

Sanesecurity\.Jurlbl\.Auto\.x=>1.6
Sanesecurity\.Jurlbl\.x=>2.6

The trailing 'x' will prevent the regex from matching
(and a trailing 'i' is in
(Email|HTML|Sanesecurity)\.(Phishing|Spear|(Spam|Scam)[a-z0-9]?)\.i=>4.6 )
???

I think the regexes should be:

Sanesecurity\.Jurlbl\.Auto\.=>1.6
Sanesecurity\.Jurlbl\.=>2.6
(Email|HTML|Sanesecurity)\.(Phishing|Spear|(Spam|Scam)[a-z0-9]?)\.=>4.6

But your regex would not work in the current versions, because there are
'|' inside the regexes.
The complete regex will work to find a 'SuspiciousVirus', but to get the
weight, we need to separate the regex into its parts. Currently this is done
by looking for '|' - but this will not work with your regex, as you can
see.

        while ($new =~ s/([^\|]+)?\s*\=\>\s*(-{0,1}\d+\.*\d*)\s*/$1/) {

You should see this in the log while starting:

...
Info: SuspiciousVirus : regex Sanesecurity\.Jurlbl\.Auto\.x - weight set to 2.6
...

Some of your definitions should be not listed or wrongly listed.

I think the following part is hard to find:
(Email|HTML|Sanesecurity)\.(Phishing|Spear|(Spam|Scam)[a-z0-9]?)\.i=>4.6
and if someone wants to do it, the regex parts could be very complex -
much more than this one.
I hope I've found a way to separate weighted regexes: a weighted regex
has to begin and end with a '~', followed by '=>' and the weight value:

~(Email|HTML|Sanesecurity)\.(Phishing|Spear|(Spam|Scam)[a-z0-9]?)\.i~=>4.6

and

        while ($new =~ s/\~([^\~]+)?\~\s*\=\>\s*(-{0,1}\d+\.*\d*)\s*/$1/) {

hoping a '~' will never be searched for in a weighted regex.

I'll implement it this way in 2.0.1_RC0.2.08 .

Fields marked with an additional asterisk (**) accept a second weight
value. Every weighted regex has to begin and end with a '~', followed by
'=>' and the weight value. For example: ~spammer~=>1.45 or
~(Email|HTML|Sanesecurity)\.(Phishing|Spear|(Spam|Scam)[a-z0-9]?)\.i~=>4.6 .
The character '~' must never be used inside a weighted regular
expression. The multiplication result of the weight and the penaltybox
valence value will be used for scoring, if the absolute value of the weight is
less than or equal to 6. Otherwise the value of the weight is used for scoring.


Thomas
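A model of the two parsing rules discussed in this thread, written as an added Python example (it is not ASSP's Perl code): the current '|'-split loop against the proposed '~regex~=>weight' form, plus the scoring rule from the field description (weight times the penaltybox valence when |weight| <= 6, the bare weight otherwise). The regexes, the ClamAV name and vdValencePB=45 are taken from the messages here; the function names and the 'Sanesecurity.Phishing.12' sample name are my own.

```python
import re

# Constructed SuspiciousVirus values (not from ASSP). The regexes are the ones
# discussed above, with and without the trailing 'x'; the last uses the '~...~=>' form.
TRAILING_X = r"Sanesecurity\.Jurlbl\.Auto\.x=>1.6|Sanesecurity\.Jurlbl\.x=>2.6"
OLD_STYLE = (r"Sanesecurity\.Jurlbl\.Auto\.=>1.6|Sanesecurity\.Jurlbl\.=>2.6|"
             r"(Email|HTML|Sanesecurity)\.(Phishing|Spear|(Spam|Scam)[a-z0-9]?)\.=>4.6")
NEW_STYLE = (r"~Sanesecurity\.Jurlbl\.Auto\.~=>1.6|~Sanesecurity\.Jurlbl\.~=>2.6|"
             r"~(Email|HTML|Sanesecurity)\.(Phishing|Spear|(Spam|Scam)[a-z0-9]?)\.~=>4.6")

WEIGHT = r"\s*=>\s*(-?\d+\.?\d*)\s*"  # the '=>weight' tail, as in the Perl loop above


def parse_old(config):
    """Model of the '|'-split loop: the regex part is the run of non-'|' characters
    directly before '=>', so alternation inside a regex is cut into fragments."""
    return [(r, float(w)) for r, w in re.findall(r"([^|]*?)" + WEIGHT, config)]


def parse_new(config):
    """Proposed form: the regex is delimited by '~', so a '|' inside it is left alone."""
    return [(r, float(w)) for r, w in re.findall(r"~([^~]+)~" + WEIGHT, config)]


def score(virus_name, pairs, valence_pb):
    """Left to right, first match wins. |weight| <= 6 multiplies the penaltybox
    valence; a larger weight is used as-is. Returns (regex, points) or None."""
    for regex, weight in pairs:
        try:
            hit = re.search(regex, virus_name)
        except re.error:  # a fragment such as 'Scam)[a-z0-9]?)\.' is not even a valid regex
            continue
        if hit:
            return regex, (weight * valence_pb if abs(weight) <= 6 else weight)
    return None


VIRUS = "Sanesecurity.Jurlbl.Auto.16581.UNOFFICIAL"  # ClamAV name from James's log
VD_VALENCE_PB = 45

if __name__ == "__main__":
    print(score(VIRUS, parse_old(TRAILING_X), VD_VALENCE_PB))  # None: the 'x' never matches '1'
    print(score(VIRUS, parse_old(OLD_STYLE), VD_VALENCE_PB))   # Auto regex, 1.6 * 45 points
    print(parse_old(OLD_STYLE)[2])                             # broken fragment carrying 4.6
    print(parse_new(NEW_STYLE)[2])                             # whole alternation regex, 4.6
    print(score("Sanesecurity.Phishing.12", parse_new(NEW_STYLE), VD_VALENCE_PB))
```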



James Brown <[email protected]>
05.06.2009 16:13
Please reply to
ASSP development mailing list <[email protected]>


To
ASSP development mailing list <[email protected]>
Cc

Subject
Re: [Assp-test] Reply: ClamAV - set scoring/reject based on virus database FP risk






Thomas,

I tried:

Phishing\.=>4.6|Email.Spam\d{1,4}-SecuriteInfo=>4.1|(Email|HTML|Sanesecurity)\.(Phishing|Spear|(Spam|Scam)[a-z0-9]?)\.i=>4.6|Sanesecurity\.(Hdr|Img|ImgO|Junk|Doc|Casino)\.x=>6.1|Sanesecurity\.(Lott|Fake|SpamImg|Job|Stk)\.x=>6.1|Sanesecurity\.(Loan|Porn|Bou|Dipl|Cred)\.x=>6.1|Sanesecurity\.Jurlbl\.Auto\.x=>1.6|Sanesecurity\.Jurlbl\.x=>2.6|winnow\.phish\.x=>6.1|winnow\.spam\.x=>2.1|INetMsg\.SpamDomain-2w\.=>2.0|INetMsg\.=>1.0|(MSRBL-Images\.)=>2.1|(MSRBL-SPAM\.)=>5.1|Safebrowsing=>1.25|Heuristics=>1.25

Log says:

...
Info: SuspiciousVirus : regex Sanesecurity\.Jurlbl\.Auto\.x - weight set to 2.6
...


But when a virus comes in it says:

Jun-5-09 23:14:00 [Worker_1] Connected: 192.168.1.2:63921 -> 192.168.1.9:25 -> 127.0.0.1:10026
Jun-5-09 23:14:01 id-07640-00619 [Worker_1] 192.168.1.2 <[email protected]> to: [email protected] Message-Score: total for this message is 45, added 45 for virus detected: 'Sanesecurity.Jurlbl.Auto.16581.UNOFFICIAL'
Jun-5-09 23:14:01 id-07640-00619 [Worker_1] [VIRUS] 192.168.1.2 <[email protected]> to: [email protected] [spam found] (virus detected: 'Sanesecurity.Jurlbl.Auto.16581.UNOFFICIAL') [A unique way out of debt] -> /applications/assp/discarded/07640.eml;
Jun-5-09 23:14:01 [Worker_1] Disconnected: 192.168.1.2

Is it saying that it was 45 and it added another 45 to the score, or
that the score was 45 after adding the vdValencePB? I'm pretty sure it
is the latter, but wouldn't it make more sense to log it the other
way? I.e. "Added 45 for Virus Detected, total for this message is 45"

vdValencePB is 45
vsValencePB is 25 (have since changed it to 10)

PenaltyMessageLimit is 50

Is there something wrong with the regex that it is not picking it up?

Thanks,

James.

PS. Running 2.0.1 (RC 0.2.06)


On 30/05/2009, at 7:35 PM, Thomas Eckardt/eck wrote:

> Hi James,
>
> I've looked at the code, and what you want to do, should be possible
> with the current code. The only thing you need to know, is the returned
> string from ClamAV.
> Since 2.0.0_16....  the 'SuspiciousVirus' is a 'weighted' regex
> (signed by the two ** in GUI).
>
> -----------------
> Fields marked with an additional asterisk (**) accept a second weight
> value separated by => from the regular expression. For example:
> spammer=>1.45 . The multiplication result of the weight and the
> penaltybox valence value will be used for scoring, if the absolute
> value of the weight is less than or equal to 6. Otherwise the value of
> the weight is used for scoring.
> -----------------
>
> Set  'SuspiciousVirus' to your needs. For example:
>
> Worm65=>2|eicar=>0|Sanesecurity\.SpamImg\.14=>1.5|winnow\.malware\.37=>3|Sanesecurity\.Lott\.34=>1|Sanesecurity\.Junk\.20=>35|Sanesecurity\.Junk\.\d+=>10
>
> ASSP is processing the matches from left to right. Use the exact
> matches first and those with wildcards after (see
> Sanesecurity\.Junk\.20=>35|Sanesecurity\.Junk\.\d+=>10)
>
> Do not forget to escape dots (.) !
>
>
> Thomas
>
>
>
>
> James Brown <[email protected]>
> 29.05.2009 01:26
> Please reply to
> ASSP development mailing list <[email protected]>
>
>
> To
> ASSP development mailing list <[email protected]>
> Cc
>
> Subject
> [Assp-test] ClamAV - set scoring/reject based on virus database FP
> risk
>
>
>
>
>
>
> I use ASSP v2 with ClamAV and the additional virus/phish/spam
> databases on the SaneSecurity web site.
>
> Some of these third party databases have higher risk of False
> Positives than others.
>
> It would be good if ASSP's behaviour on detecting such a 'virus' was
> able to be based on the database's risk factor. This risk factor is
> listed on:
>
> Sanesecurity's ClamAV - Phishing and Scam/Spam Signatures
>
> For example, I would like to be able to block any message that matches
> a pattern from a database with Low FP risk, and give different Penalty
> Box scores if it matches any of the Med or High risk databases.
>
> These third party databases greatly reduce the amount of spam that has
> to be processed, but the fear of FPs makes me nervous about using them
> in a blocking mode.
>
> Thanks,
>
> James.
> 
> _______________________________________________
> Assp-test mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/assp-test
