Re: [Mimedefang] clamav-unofficial-sigs and pyzor
Am Montag, den 19.09.2016, 08:36 -0400 schrieb Dianne Skoll: > On Mon, 19 Sep 2016 07:46:11 +0200 > Marcus Schopen wrote: > > > my be a little bit off topic, but are there any experience with the > > efficiency of pyzor and clamav-unofficial-sigs [1]. > > No comment on pyzor because I don't use it, but some of the > clamav-unofficial-sigs are useful. We use the following data sets: > >phish.ndb >rogue.hdb >sanesecurity.ftm >winnow_malware.hdb >winnow_malware_links.ndb > > We find the others have unacceptably-high false-positive rates, and > even the ones above occasionally get a bad signature that produces annoying > false-positives. Dianne and Richard, thanks for your feedback! I will get those a try. Ciao Marcus ___ NOTE: If there is a disclaimer or other legal boilerplate in the above message, it is NULL AND VOID. You may ignore it. Visit http://www.mimedefang.org and http://www.roaringpenguin.com MIMEDefang mailing list MIMEDefang@lists.roaringpenguin.com http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
Re: [Mimedefang] clamav-unofficial-sigs and pyzor
On Mon, 19 Sep 2016 07:46:11 +0200 Marcus Schopen wrote: > my be a little bit off topic, but are there any experience with the > efficiency of pyzor and clamav-unofficial-sigs [1]. No comment on pyzor because I don't use it, but some of the clamav-unofficial-sigs are useful. We use the following data sets: phish.ndb rogue.hdb sanesecurity.ftm winnow_malware.hdb winnow_malware_links.ndb We find the others have unacceptably-high false-positive rates, and even the ones above occasionally get a bad signature that produces annoying false-positives. Regards, Dianne. ___ NOTE: If there is a disclaimer or other legal boilerplate in the above message, it is NULL AND VOID. You may ignore it. Visit http://www.mimedefang.org and http://www.roaringpenguin.com MIMEDefang mailing list MIMEDefang@lists.roaringpenguin.com http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
Re: [Mimedefang] clamav-unofficial-sigs and pyzor
On 09/19/2016 01:48 AM, Marcus Schopen wrote: > Did you activate all signatures > or just e.g. sanesecurity sigs? I read activating all signatures turns > clamav into an evil memory monster, while only activating sanesecurity > sigs catches most and doesn't need that much resources. I don't adjust the defaults. I don't use anything that requires signing up. I just looked into those, but they're for non-commercial use, which is why they require a sign-up. > What about pyzor or razor integration? Do they help or just burn > performance? I think I tried Pyzor a long time ago and found it worthless, but I have no idea what it's like now. We have Razor enabled. Historically, that's been very effective, though I haven't actually double-checked recently. -- Richard ___ NOTE: If there is a disclaimer or other legal boilerplate in the above message, it is NULL AND VOID. You may ignore it. Visit http://www.mimedefang.org and http://www.roaringpenguin.com MIMEDefang mailing list MIMEDefang@lists.roaringpenguin.com http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
Re: [Mimedefang] clamav-unofficial-sigs and pyzor
Hi Richard, Am Montag, den 19.09.2016, 01:23 -0500 schrieb Richard Laager: > On 09/19/2016 12:46 AM, Marcus Schopen wrote: > > my be a little bit off topic, but are there any experience with the > > efficiency of pyzor and clamav-unofficial-sigs > > We use clamav-unofficial-sigs. If clamd triggers, it's a hard fail for > us, regardless of whether it was a virus or spam rule. We do > differentiate them for logging and SMTP rejection messages. > > I can't say how much spam would have been blocked anyway by later > processing (e.g. SpamAssassin), but we have very few (but non-zero over > the years) false positives. And in our filter, whitelisting does not > bypass this test; maybe it should, but that's the current setup. Thank you for your interesting feedback. Did you activate all signatures or just e.g. sanesecurity sigs? I read activating all signatures turns clamav into an evil memory monster, while only activating sanesecurity sigs catches most and doesn't need that much resources. What about pyzor or razor integration? Do they help or just burn performance? Ciao Marcus ___ NOTE: If there is a disclaimer or other legal boilerplate in the above message, it is NULL AND VOID. You may ignore it. Visit http://www.mimedefang.org and http://www.roaringpenguin.com MIMEDefang mailing list MIMEDefang@lists.roaringpenguin.com http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
Re: [Mimedefang] clamav-unofficial-sigs and pyzor
On 09/19/2016 12:46 AM, Marcus Schopen wrote: > my be a little bit off topic, but are there any experience with the > efficiency of pyzor and clamav-unofficial-sigs We use clamav-unofficial-sigs. If clamd triggers, it's a hard fail for us, regardless of whether it was a virus or spam rule. We do differentiate them for logging and SMTP rejection messages. I can't say how much spam would have been blocked anyway by later processing (e.g. SpamAssassin), but we have very few (but non-zero over the years) false positives. And in our filter, whitelisting does not bypass this test; maybe it should, but that's the current setup. -- Richard ___ NOTE: If there is a disclaimer or other legal boilerplate in the above message, it is NULL AND VOID. You may ignore it. Visit http://www.mimedefang.org and http://www.roaringpenguin.com MIMEDefang mailing list MIMEDefang@lists.roaringpenguin.com http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
[Mimedefang] clamav-unofficial-sigs and pyzor
Hi, my be a little bit off topic, but are there any experience with the efficiency of pyzor and clamav-unofficial-sigs [1]. I used pyzor years ago and didn't follow it since then. And a lot of locky mails passed my filter, therefore I tought clamav-unofficial-sigs with turning on sanesecurity sigs might help here. Ciao Marcus [1] https://github.com/extremeshok/clamav-unofficial-sigs ___ NOTE: If there is a disclaimer or other legal boilerplate in the above message, it is NULL AND VOID. You may ignore it. Visit http://www.mimedefang.org and http://www.roaringpenguin.com MIMEDefang mailing list MIMEDefang@lists.roaringpenguin.com http://lists.roaringpenguin.com/mailman/listinfo/mimedefang