Hi all,

whoever uses ClamAV with assp should have a look into the sanesecurity signatures.

http://www.sanesecurity.co.uk/databases.htm

Whoever still uses these signatures should have a look into the ClamSup.ini file. There are several lines excluded from the download - what I mean are:

#
# Foxhole double-extension, filename and dangerous attachment blocking sigs are disabled by default
# see http://sanesecurity.com/foxhole-databases/ for more details about their use
#
# SaneSecurity foxhole_generic.cdb - Foxhole_Generic sigs [MEDIUM FP RISK]
-rsync://rsync.sanesecurity.net/sanesecurity;foxhole_generic.cdb;N;Y;Y;N;N
# SaneSecurity foxhole_filename.cdb - Foxhole_filename sigs [MEDIUM FP RISK]
-rsync://rsync.sanesecurity.net/sanesecurity;foxhole_filename.cdb;N;Y;Y;N;N
# SaneSecurity foxhole_all.cdb - Foxhole_all sigs [HIGH FP RISK]
-rsync://rsync.sanesecurity.net/sanesecurity;foxhole_all.cdb;N;Y;Y;N;N

I recommend using these signatures - simply remove the (-) in front of 'rsync'.

I also created my own small signature files 'bad_extenson.zmd' and 'bad_extenson.rmd' - with the following content:

bad_extenson.zmd:
Sanesecurity.Blocked.Zip.xxx.exe:0:(?i)\.(docx?|xlsx?|ppdx?|wpd|txt|jpg|jpeg|htm|html|pdf|pif|scr)\.exe$:*:*:*:*:*:*
Sanesecurity.Blocked.Zip.xxx.js:0:(?i)\.(docx?|xlsx?|ppdx?|wpd|txt|jpg|jpeg|htm|html|pdf|pif|scr)\.js$:*:*:*:*:*:*
Sanesecurity.Blocked.Zip.xxx.wsh:0:(?i)\.(docx?|xlsx?|ppdx?|wpd|txt|jpg|jpeg|htm|html|pdf|pif|scr)\.wsh$:*:*:*:*:*:*
Sanesecurity.Blocked.Zip.xxx.ps1:0:(?i)\.(docx?|xlsx?|ppdx?|wpd|txt|jpg|jpeg|htm|html|pdf|pif|scr)\.ps1$:*:*:*:*:*:*

bad_extenson.rmd:
Sanesecurity.Blocked.Rar.xxx.exe:0:(?i)\.(docx?|xlsx?|ppdx?|wpd|txt|jpg|jpeg|htm|html|pdf|pif|scr)\.exe$:*:*:*:*:*:*
Sanesecurity.Blocked.Rar.xxx.js:0:(?i)\.(docx?|xlsx?|ppdx?|wpd|txt|jpg|jpeg|htm|html|pdf|pif|scr)\.js$:*:*:*:*:*:*
Sanesecurity.Blocked.Rar.xxx.wsh:0:(?i)\.(docx?|xlsx?|ppdx?|wpd|txt|jpg|jpeg|htm|html|pdf|pif|scr)\.wsh$:*:*:*:*:*:*
Sanesecurity.Blocked.Rar.xxx.ps1:0:(?i)\.(docx?|xlsx?|ppdx?|wpd|txt|jpg|jpeg|htm|html|pdf|pif|scr)\.ps1$:*:*:*:*:*:*

Both are old style files and can be used with older ClamAV versions. If you want to create your own signature files, have a look into the Foxhole signatures - it is very easy.

Thomas
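An added example, not part of Thomas's message: a Python check that parses the nine-field .zmd/.rmd lines quoted above and runs their filename regex against constructed archive member names, so a rule set can be checked for hits and false positives before it goes live. Python's `re` module stands in for ClamAV's own regex engine, the field layout is assumed from ClamAV's legacy archive-metadata signature format, and the helper names are hypothetical.

```python
import re
from typing import List, NamedTuple, Optional

# Two signature lines copied from the bad_extenson.zmd content in the message.
ZMD_TEXT = r"""
Sanesecurity.Blocked.Zip.xxx.exe:0:(?i)\.(docx?|xlsx?|ppdx?|wpd|txt|jpg|jpeg|htm|html|pdf|pif|scr)\.exe$:*:*:*:*:*:*
Sanesecurity.Blocked.Zip.xxx.js:0:(?i)\.(docx?|xlsx?|ppdx?|wpd|txt|jpg|jpeg|htm|html|pdf|pif|scr)\.js$:*:*:*:*:*:*
"""

class MetaSig(NamedTuple):
    name: str
    encrypted: str          # "0" in every line of the message
    filename_re: re.Pattern

def parse_line(line: str) -> MetaSig:
    # Assumed layout: name:encrypted:filename:size:csize:crc32:cmethod:fileno:maxdepth
    # A filename regex may itself contain ':', so peel fields off both ends.
    name, encrypted, rest = line.split(":", 2)
    parts = rest.rsplit(":", 6)
    if len(parts) != 7:
        raise ValueError(f"expected 9 colon-separated fields: {line!r}")
    return MetaSig(name, encrypted, re.compile(parts[0]))

def load(text: str) -> List[MetaSig]:
    return [parse_line(l.strip()) for l in text.splitlines() if l.strip()]

def first_match(sigs: List[MetaSig], member_name: str) -> Optional[str]:
    # Unanchored search; the '$' in the pattern pins the match to the name's end.
    for sig in sigs:
        if sig.filename_re.search(member_name):
            return sig.name
    return None

SIGS = load(ZMD_TEXT)

if __name__ == "__main__":
    # Constructed archive member names, not taken from real mail.
    samples = [
        "invoice.pdf.exe",    # double extension, flagged
        "Invoice.PDF.EXE",    # flagged as well because of (?i)
        "photo.jpg.js",       # flagged by the .js rule
        "setup.exe",          # single extension, passes
        "notes.txt.exe.bak",  # .exe is not the final extension, passes
        "slides.pptx.exe",    # passes: pptx is not in the extension list
    ]
    for name in samples:
        print(f"{name:20} -> {first_match(SIGS, name) or 'no match'}")
```
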
