Tilman Schmidt wrote:
> Dennis Peterson schrieb:
>> James E. Pratt wrote:
>>
>>>>>> I can confirm too that Trojan.Downloader.JS.Agent-2 (and 1) hit a
>>>>>> load of legitimate sites.
>>>
>>> Hello. I ran into this "Trojan.Downloader.JS.Agent-2" issue yesterday
>>> on our web server. When notified, the webmaster replied with "these are
>>> coming from compressed js files using Dean Edwards' javascript "packer"
>>> [http://dean.edwards.name/packer/], which compresses js and usually
>>> reduces the file size by 30-40 percent."
>>
>> If the principal users of this service are spammers trying to
>> obfuscate their content then I see no reason not to use a tool to
>> block that content. A lesson that has been hard to teach is that when
>> legitimate users create content that is indistinguishable from common
>> spam it will be blocked. That takes into consideration the source:
>> sales and marketing types in any corporation have a particular problem,
>> as almost all of what they create could be considered spam by someone.
>> Best effort rules apply. I've never had a manager reverse me on this.
>
> Sorry, but that's completely beside the point.
>
> a) We are not talking about spam filtering here, but about classification
> as malware.
>
> b) Applying spam blocking rules to web content is quite inappropriate, as
> websites are actively requested, as opposed to spam, which is forced on
> the recipient through her mailbox slot.
>
> c) Whether "the principal users" of Dean Edwards' JavaScript packer are
> spammers is open to debate, although IMHO it doesn't even matter in the
> light of a) and b).
>
> Generally speaking, I am quite wary of the increasing tendency of ClamAV
> to try and detect spam in addition to malware. These two categories need
> to be treated quite differently for many reasons, among them legal ones.
> Mixing them up like this makes my life and work more difficult. Please
> don't do it.
>
> Thanks,
> T.
We don't disagree on much, here. The last point you make is why I suggested some kind of scoring system. I've not examined the return codes from clamd, but I suspect it is the same for every kind of match. Code Red would return the same thing as an eBay scam, and if so, then that right there is the problem. It leaves us with no means to evaluate the message further if ClamAV is to be a go/no-go tool.

A work-around is to not use ClamAV as a go/no-go tool and to evaluate every message further regardless of the presence of a virus. I'd prefer not to do that. I would like to evaluate certain image and scam messages further, though, and of course the way to do that is to disable that kind of filtering in ClamAV. And I'd prefer not to do that, too. I'd like all the tools to contribute to the score of a message and make the go/no-go decision on that score.

If you read Tomasz' interview by the SANS Tech Institute, you'll learn that this business of going beyond malware is going to expand. I'm not real crazy about that.

dp

_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://lurker.clamav.net/list/clamav-users.html
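The scoring arrangement Dennis describes, where a clamd match is evidence that is weighted by signature family and combined with other scanners' scores before a single go/no-go decision, is sketched below as an added example. It is not ClamAV's code and not code from anyone in the thread. The clamd reply format ("<path>: <signature> FOUND" / "<path>: OK") is the real one; the signature-prefix weights, the "spamassassin" score, the threshold and the sample reply lines are assumptions constructed for the example.

```python
"""Score-based go/no-go on top of clamd replies (added example).

Assumptions, not ClamAV behaviour: the per-family weights, the threshold,
and the other-scanner scores are illustrative values only.
"""
import re
from typing import Dict, List, Optional, Tuple

# clamd answers a SCAN/INSTREAM request with one of
#   "<path>: <signature> FOUND"   or   "<path>: OK"
# (anything else, e.g. "... ERROR", is treated as unparseable below).
_FOUND = re.compile(r"^(?P<path>.*?): (?P<sig>\S+) FOUND$")
_OK = re.compile(r"^(?P<path>.*?): OK$")


def parse_clamd_reply(line: str) -> Optional[str]:
    """Return the matched signature name, or None when clamd says OK.

    Raises ValueError for any reply we do not understand, so that a scanner
    error is never silently treated as a clean result.
    """
    line = line.strip().rstrip("\0")  # clamd terminates replies with \n or \0
    m = _FOUND.match(line)
    if m:
        return m.group("sig")
    if _OK.match(line):
        return None
    raise ValueError(f"unexpected clamd reply: {line!r}")


# Assumed weights per signature family (longest matching prefix wins).
# Unknown families fall through to DEFAULT_WEIGHT, which alone crosses the
# threshold: a plain malware hit still blocks on its own, while the
# contested packed-JS family and phishing families only contribute evidence.
SIGNATURE_WEIGHTS: List[Tuple[str, float]] = [
    ("Trojan.Downloader.JS.Agent", 3.0),  # the signature discussed in the thread
    ("Email.Phishing.", 4.0),
    ("HTML.Phishing.", 4.0),
]
DEFAULT_WEIGHT = 10.0   # assumption: unrecognised family = real malware
THRESHOLD = 10.0        # assumption


def signature_weight(sig: str) -> float:
    """Weight for a signature name by longest matching prefix."""
    best: Optional[Tuple[str, float]] = None
    for prefix, weight in SIGNATURE_WEIGHTS:
        if sig.startswith(prefix) and (best is None or len(prefix) > len(best[0])):
            best = (prefix, weight)
    return best[1] if best else DEFAULT_WEIGHT


def score_message(clamd_lines: List[str], other_scores: Dict[str, float]):
    """Sum clamd evidence and other scanners' scores; return (total, evidence)."""
    total = 0.0
    evidence: List[Tuple[str, float]] = []
    for line in clamd_lines:
        sig = parse_clamd_reply(line)  # raises on ERROR replies
        if sig is not None:
            weight = signature_weight(sig)
            total += weight
            evidence.append((sig, weight))
    for name, score in other_scores.items():
        total += score
        evidence.append((name, score))
    return total, evidence


def decide(clamd_lines: List[str], other_scores: Dict[str, float],
           threshold: float = THRESHOLD) -> Tuple[str, float, list]:
    """Single go/no-go decision on the combined score."""
    total, evidence = score_message(clamd_lines, other_scores)
    verdict = "reject" if total >= threshold else "accept"
    return verdict, total, evidence


if __name__ == "__main__":
    # Constructed sample replies, not captured from a real clamd.
    packed_js = ["stream: Trojan.Downloader.JS.Agent-2 FOUND"]
    print(decide(packed_js, {}))                       # packed JS alone: accept
    print(decide(packed_js, {"spamassassin": 7.5}))    # plus spammy content: reject
    print(decide(["stream: Eicar-Test-Signature FOUND"], {}))  # real hit: reject
    print(decide(["stream: OK"], {"spamassassin": 3.0}))       # clean: accept
```

The point of the longest-prefix table is that the decision no longer depends on clamd's uniform "FOUND": the contested packed-JS signature can be downweighted without disabling it, and a family the table does not know about still fails closed.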