On 06/06/2009, at 2:16 PM, Thomas Eckardt/eck wrote:
> James your regex is wrong and does not work (score 45 -> should be score
> 45 * 2.6 = 117)
>
> ~Phishing\.~=>4.6~Email.Spam\d{1,4}-SecuriteInfo~=>4.1~(Email|HTML|Sanesecurity)\.(Phishing|Spear|(Spam|Scam)[a-z0-9]?)\.~=>4.6~Sanesecurity\.(Hdr|Img|ImgO|Junk|Doc|Casino)\.~=>6.1~Sanesecurity\.(Lott|Fake|SpamImg|Job|Stk)\.~=>6.1~Sanesecurity\.(Loan|Porn|Bou|Dipl|Cred)\.~=>6.1~Sanesecurity\.Jurlbl\.Auto\.~=>2.6~Sanesecurity\.Jurlbl\.~=>2.6~winnow\.phish\.~=>6.1~winnow\.spam\.~=>2.1~INetMsg\.SpamDomain-2w\.~=>2.0~INetMsg\.~=>1.0~(MSRBL-Images\.)~=>2.1~(MSRBL-SPAM\.)~=>5.1~Safebrowsing~=>1.25~Heuristics~=>1.25
>
> The regex parts (like before the code changes) have to be separated with
> '|' !
>
Ah, I thought the problem was that it was getting confused between the
pipes in the regex and the pipe to separate the whole weighted regexes.
Have added them back in:
~Phishing\.~=>4.6|~Email.Spam\d{1,4}-SecuriteInfo~=>4.1|~(Email|HTML|Sanesecurity)\.(Phishing|Spear|(Spam|Scam)[a-z0-9]?)\.~=>4.6|~Sanesecurity\.(Hdr|Img|ImgO|Junk|Doc|Casino)\.~=>6.1|~Sanesecurity\.(Lott|Fake|SpamImg|Job|Stk)\.~=>6.1|~Sanesecurity\.(Loan|Porn|Bou|Dipl|Cred)\.~=>6.1|~Sanesecurity\.Jurlbl\.Auto\.~=>2.6|~Sanesecurity\.Jurlbl\.~=>2.6|~winnow\.phish\.~=>6.1|~winnow\.spam\.~=>2.1|~INetMsg\.SpamDomain-2w\.~=>2.0|~INetMsg\.~=>1.0|~(MSRBL-Images\.)~=>2.1|~(MSRBL-SPAM\.)~=>5.1|~Safebrowsing~=>1.25|~Heuristics~=>1.25
But still they get through!
Jun-6-09 15:25:02 id-65900-01208 [Worker_1] 192.168.1.2 <[email protected]> to: [email protected] Message-Score: added 45 for virus detected: 'Sanesecurity.Jurlbl.Auto.21657.UNOFFICIAL', total score for this message is 45
Jun-6-09 15:25:02 id-65900-01208 [Worker_1] [VIRUS] 192.168.1.2 <[email protected]> to: [email protected] [spam found] (virus detected: 'Sanesecurity.Jurlbl.Auto.21657.UNOFFICIAL') [Compare auto insurance rates] -> /applications/assp/discarded/65900.eml;
>
> Set 'MaintenanceLog' to verbose and you should see at startup a log line
> with the regex and weight for every weighted regex.
> If not, something is wrong!
>
> info: $name : regex $reg - weight set to $k"
> ....
> ....
> Regex $name: $count weighted regular expression defined
Startup gives:
Jun-6-09 15:28:07 [startup] Info: no valid recipient replacement rule found
Jun-6-09 15:28:07 [startup] Info: SuspiciousVirus : regex Phishing\. - weight set to 4.6
Jun-6-09 15:28:07 [startup] Info: SuspiciousVirus : regex Email.Spam\d{1,4}-SecuriteInfo - weight set to 4.1
Jun-6-09 15:28:07 [startup] Info: SuspiciousVirus : regex (Email|HTML|Sanesecurity)\.(Phishing|Spear|(Spam|Scam)[a-z0-9]?)\. - weight set to 4.6
Jun-6-09 15:28:07 [startup] Info: SuspiciousVirus : regex Sanesecurity\.(Hdr|Img|ImgO|Junk|Doc|Casino)\. - weight set to 6.1
Jun-6-09 15:28:07 [startup] Info: SuspiciousVirus : regex Sanesecurity\.(Lott|Fake|SpamImg|Job|Stk)\. - weight set to 6.1
Jun-6-09 15:28:07 [startup] Info: SuspiciousVirus : regex Sanesecurity\.(Loan|Porn|Bou|Dipl|Cred)\. - weight set to 6.1
Jun-6-09 15:28:07 [startup] Info: SuspiciousVirus : regex Sanesecurity\.Jurlbl\.Auto\. - weight set to 2.6
Jun-6-09 15:28:07 [startup] Info: SuspiciousVirus : regex Sanesecurity\.Jurlbl\. - weight set to 2.6
Jun-6-09 15:28:07 [startup] Info: SuspiciousVirus : regex winnow\.phish\. - weight set to 6.1
Jun-6-09 15:28:07 [startup] Info: SuspiciousVirus : regex winnow\.spam\. - weight set to 2.1
Jun-6-09 15:28:07 [startup] Info: SuspiciousVirus : regex INetMsg\.SpamDomain-2w\. - weight set to 2.0
Jun-6-09 15:28:07 [startup] Info: SuspiciousVirus : regex INetMsg\. - weight set to 1.0
Jun-6-09 15:28:07 [startup] Info: SuspiciousVirus : regex (MSRBL-Images\.) - weight set to 2.1
Jun-6-09 15:28:07 [startup] Info: SuspiciousVirus : regex (MSRBL-SPAM\.) - weight set to 5.1
Jun-6-09 15:28:07 [startup] Info: SuspiciousVirus : regex Safebrowsing - weight set to 1.25
Jun-6-09 15:28:07 [startup] Info: SuspiciousVirus : regex Heuristics - weight set to 1.25
Jun-6-09 15:28:07 [startup] Info: Regex SuspiciousVirus: 16 weighted regular expression defined
Thanks,
James.
_______________________________________________
Assp-test mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/assp-test
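
An added example, not part of the original thread and not ASSP's own code: an offline check of the SuspiciousVirus value from the message above, which splits the `~regex~=>weight` entries on the separating '|' only, rejects the run-together form without separators, and applies the weight to the logged signature. The function names are hypothetical, and taking the first matching entry in list order is an assumption about how the weight is chosen.

```python
import re
from decimal import Decimal

# SuspiciousVirus value copied from the message above (pipe-separated form).
PIPED = (
    r"~Phishing\.~=>4.6|~Email.Spam\d{1,4}-SecuriteInfo~=>4.1|"
    r"~(Email|HTML|Sanesecurity)\.(Phishing|Spear|(Spam|Scam)[a-z0-9]?)\.~=>4.6|"
    r"~Sanesecurity\.(Hdr|Img|ImgO|Junk|Doc|Casino)\.~=>6.1|"
    r"~Sanesecurity\.(Lott|Fake|SpamImg|Job|Stk)\.~=>6.1|"
    r"~Sanesecurity\.(Loan|Porn|Bou|Dipl|Cred)\.~=>6.1|"
    r"~Sanesecurity\.Jurlbl\.Auto\.~=>2.6|~Sanesecurity\.Jurlbl\.~=>2.6|"
    r"~winnow\.phish\.~=>6.1|~winnow\.spam\.~=>2.1|"
    r"~INetMsg\.SpamDomain-2w\.~=>2.0|~INetMsg\.~=>1.0|"
    r"~(MSRBL-Images\.)~=>2.1|~(MSRBL-SPAM\.)~=>5.1|"
    r"~Safebrowsing~=>1.25|~Heuristics~=>1.25"
)
# The earlier form from the thread: same entries with the '|' separators dropped.
UNPIPED = PIPED.replace("|~", "~")

ENTRY = re.compile(r"~(?P<regex>.+)~=>(?P<weight>\d+(?:\.\d+)?)")


def parse_weighted(value):
    """Split on '|' only where a new '~regex~=>weight' entry starts."""
    rules = []
    for chunk in re.split(r"\|(?=~)", value):
        m = ENTRY.fullmatch(chunk)
        if m is None:
            raise ValueError(f"not a ~regex~=>weight entry: {chunk!r}")
        if "~=>" in m["regex"]:
            # Two entries ran together: the '|' between them is missing.
            raise ValueError(f"missing '|' between entries: {chunk[:40]!r}...")
        rules.append((re.compile(m["regex"]), Decimal(m["weight"])))
    return rules


def weighted_score(rules, signature, base):
    """Assumption: the first matching entry, in list order, sets the weight."""
    for rx, weight in rules:
        if rx.search(signature):
            return base * weight
    return Decimal(base)  # no entry matched: score stays unweighted


if __name__ == "__main__":
    rules = parse_weighted(PIPED)
    sig = "Sanesecurity.Jurlbl.Auto.21657.UNOFFICIAL"
    print(len(rules), weighted_score(rules, sig, 45))
```

The pipes inside a group such as `(Email|HTML|Sanesecurity)` are never followed by `~`, which is why splitting on `|` only before `~` keeps each regex intact.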