On Thu, 2014-03-20 at 15:04 -0400, David F. Skoll wrote: > Post-Cisco, ClamAV seems to have greatly declined in usefulness. > It catches hardly anything anymore... anyone else experiencing this?
Are you using clamav-unofficial-signatures? We are. I have no idea how much we should be catching. But here's a dump of what we're doing, in case it's helpful to anyone. If I'm doing something stupid or not doing something smart, I welcome feedback. We outright reject files with these extensions: my $bad_exts = '(ade|adp|app|asd|bas|bat|chm|cmd|com|cpl|crt|exe|fxp| hlp|hta|hto|inf|ini|ins|isp|jse?|lib|lnk|mde|mim|msc|msp|mst|ocx|pcd| pif|prg|scr|sct|shb|shs|sys|vb|vbe|vbs|vxd|wmd|wms|wsc|wsf|wsh|\{[^ \}]+\})'; my $bad_filename_regex = '\.' . $bad_exts . '\.*$'; We outright reject encrypted zip files. We ignore official or unofficial signatures with virus names that match: /^(AAPL|Application|PUA|SPR)\./ We handle the phishing and spam signatures differently, and exempt mail going to our helpdesk or a variety of phishing-reporting addresses (at banks, etc.): /^((email)?(abuse|fraud|phish(ing)?|(report_)?spam|spoof)\@.*|.*\@(abuse \.net|spam\.spamcop\.net)|aollegal\@aol\.com|askvisa(usa)?\@visa\.com| enforcement\@sec\.gov|fraud_help\@usbank\.com|mail-spoof\@cc\.yahoo-inc \.com|phishing-report\@us-cert\.gov|reports\@habeas\.com|stop-spoofing \@amazon\.com|reportphish\@wellsfargo\.com)$/ I'm skeptical that reporting phishing scams to major banks actually does any good, but some of our customers want to be able to do so. We ignore the Heuristics.Phishing.Email.SpoofedDomain test because of false positives. Maybe we could score it, but we don't currently. Viruses from the Internet are silently discarded to avoid generating backscatter. Viruses from our customers are rejected (so they get an error in their mail client if there's a false positive). Phishing/spam mail detected by clamav is rejected on the spot; unlike SpamAssassin, we apply this regardless of user settings and whitelisting does not apply. In other words, the false positive rate is very, very low. The encrypted zip and filename extensions are separate error messages from each other and separate from spam and virus messages. We special-case .lnk blocking with an error message that says they should mail the file itself, not the shortcut to it. -- Richard
signature.asc
Description: This is a digitally signed message part
_______________________________________________ NOTE: If there is a disclaimer or other legal boilerplate in the above message, it is NULL AND VOID. You may ignore it. Visit http://www.mimedefang.org and http://www.roaringpenguin.com MIMEDefang mailing list MIMEDefang@lists.roaringpenguin.com http://lists.roaringpenguin.com/mailman/listinfo/mimedefang