On Thu, 2014-03-20 at 15:04 -0400, David F. Skoll wrote: > Post-Cisco, ClamAV seems to have greatly declined in usefulness. > It catches hardly anything anymore... anyone else experiencing this?
Are you using clamav-unofficial-signatures? We are.
I have no idea how much we should be catching. But here's a dump of what
we're doing, in case it's helpful to anyone. If I'm doing something
stupid or not doing something smart, I welcome feedback.
We outright reject files with these extensions:
my $bad_exts = '(ade|adp|app|asd|bas|bat|chm|cmd|com|cpl|crt|exe|fxp|
hlp|hta|hto|inf|ini|ins|isp|jse?|lib|lnk|mde|mim|msc|msp|mst|ocx|pcd|
pif|prg|scr|sct|shb|shs|sys|vb|vbe|vbs|vxd|wmd|wms|wsc|wsf|wsh|\{[^
\}]+\})';
my $bad_filename_regex = '\.' . $bad_exts . '\.*$';
We outright reject encrypted zip files.
We ignore official or unofficial signatures with virus names that
match: /^(AAPL|Application|PUA|SPR)\./
We handle the phishing and spam signatures differently, and exempt mail
going to our helpdesk or a variety of phishing-reporting addresses (at
banks, etc.):
/^((email)?(abuse|fraud|phish(ing)?|(report_)?spam|spoof)\@.*|.*\@(abuse
\.net|spam\.spamcop\.net)|aollegal\@aol\.com|askvisa(usa)?\@visa\.com|
enforcement\@sec\.gov|fraud_help\@usbank\.com|mail-spoof\@cc\.yahoo-inc
\.com|phishing-report\@us-cert\.gov|reports\@habeas\.com|stop-spoofing
\@amazon\.com|reportphish\@wellsfargo\.com)$/
I'm skeptical that reporting phishing scams to major banks actually does
any good, but some of our customers want to be able to do so. We ignore
the Heuristics.Phishing.Email.SpoofedDomain test because of false
positives. Maybe we could score it, but we don't currently.
Viruses from the Internet are silently discarded to avoid generating
backscatter. Viruses from our customers are rejected (so they get an
error in their mail client if there's a false positive). Phishing/spam
mail detected by clamav is rejected on the spot; unlike SpamAssassin, we
apply this regardless of user settings and whitelisting does not apply.
In other words, the false positive rate is very, very low.
The encrypted zip and filename extensions are separate error messages
from each other and separate from spam and virus messages. We
special-case .lnk blocking with an error message that says they should
mail the file itself, not the shortcut to it.
--
Richard
signature.asc
Description: This is a digitally signed message part
_______________________________________________ NOTE: If there is a disclaimer or other legal boilerplate in the above message, it is NULL AND VOID. You may ignore it. Visit http://www.mimedefang.org and http://www.roaringpenguin.com MIMEDefang mailing list MIMEDefang@lists.roaringpenguin.com http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
