On 2015-01-11 at 04:49, Reindl Harald wrote:
> 
> On 10.01.2015 at 22:07, Marcin Mirosław wrote:
>> On 2015-01-10 at 15:27, Reindl Harald wrote:
>>>
>>> On 10.01.2015 at 15:19, David Flanigan wrote:
>>>> Is anyone using the Malware Patrol 3rd party Spamassassin Rules
>>>> (https://www.malwarepatrol.net/index.shtml)?
>>>>
>>>> I have downloaded and looked them over and, in concept, they look
>>>> pretty
>>>> good.
>>>>
>>>> However the cf file is over 8.5megs (yes megs) in size. By far the
>>>> biggest ruleset I have. I cannot think this would do good things for
>>>> performance.
>>>>
>>>> Any experience, comments, etc?
>>>
>>> 8.5 MB SA rules is crazy
>>>
>>> that really belongs to clamav directly after SA because SA eats more
>>> http://sanesecurity.com/usage/signatures/
>>
>> Imho clamav needs less CPU power than SA (and needs less time to scan
>> email) so I think it's better to use clamav before SA
> 
> that is true *but* after a few months it turned out that ClamAV doesn't
> catch that much mail which was killed by the SA milter after it and so
> 90% of all messages need to pass both - for the overall system so it
> makes more sense to have SA in front

I forgot about one important thing: I'm using unofficial rules for
ClamAV. My stats, counted since 2014-12, are:
$ grep -r "X-ACL-Warn: Virus found" 201412* 201501*|wc -l
18314
$ find 201412* 2015* -type f|wc -l
33170
$ grep -hr "X-ACL-Warn: Virus found" 201412* 201501*|grep -c UNOFFICIAL
18288
$ grep -hr "X-ACL-Warn: Virus found" 201412* 201501*|grep -vc UNOFFICIAL
26
$ grep -hr "X-ACL-Warn: Virus found" 201412* 201501*|grep -v UNOFFICIAL|sort|uniq
X-ACL-Warn: Virus found / znaleziono wirusa :Heuristics.Phishing.Email.SpoofedDomain
X-ACL-Warn: Virus found / znaleziono wirusa :Heuristics.Safebrowsing.Suspected-malware_safebrowsing.clamav.net
X-ACL-Warn: Virus found / znaleziono wirusa :Heuristics.Safebrowsing.Suspected-phishing_safebrowsing.clamav.net
X-ACL-Warn: Virus found / znaleziono wirusa :Zip.Suspect.ExecutablePhoto-zippwd-2
$ grep -hr "X-ACL-Warn: Virus found" 201412* 201501*|grep UNOFFICIAL|grep -viE "(Junk|url|Spam)"|sort|uniq -c
      1 X-ACL-Warn: Virus found / znaleziono wirusa :BofhlandMWFile1302.UNOFFICIAL
      1 X-ACL-Warn: Virus found / znaleziono wirusa :BofhlandMWFile1306.UNOFFICIAL
      7 X-ACL-Warn: Virus found / znaleziono wirusa :BofhlandMWFile1356.UNOFFICIAL
      1 X-ACL-Warn: Virus found / znaleziono wirusa :Porcupine.Malware.29046.UNOFFICIAL
      1 X-ACL-Warn: Virus found / znaleziono wirusa :Porcupine.Malware.29327.UNOFFICIAL
      2 X-ACL-Warn: Virus found / znaleziono wirusa :Porcupine.Phishing.20003.UNOFFICIAL
    724 X-ACL-Warn: Virus found / znaleziono wirusa :Sanesecurity.Foxhole.Zip_doc.UNOFFICIAL
    715 X-ACL-Warn: Virus found / znaleziono wirusa :Sanesecurity.Foxhole.Zip_docx.UNOFFICIAL
     94 X-ACL-Warn: Virus found / znaleziono wirusa :Sanesecurity.Foxhole.Zip_jpeg.UNOFFICIAL
    970 X-ACL-Warn: Virus found / znaleziono wirusa :Sanesecurity.Foxhole.Zip_pdf.UNOFFICIAL
     80 X-ACL-Warn: Virus found / znaleziono wirusa :Sanesecurity.Foxhole.Zip_xml.UNOFFICIAL
      1 X-ACL-Warn: Virus found / znaleziono wirusa :Sanesecurity.Malware.19736.UNOFFICIAL
      4 X-ACL-Warn: Virus found / znaleziono wirusa :Sanesecurity.Malware.21933.ZipHeur.UNOFFICIAL
      1 X-ACL-Warn: Virus found / znaleziono wirusa :Sanesecurity.Malware.24212.ZipHeur.UNOFFICIAL
      9 X-ACL-Warn: Virus found / znaleziono wirusa :Sanesecurity.Malware.24273.ZipHeur.UNOFFICIAL
      2 X-ACL-Warn: Virus found / znaleziono wirusa :Sanesecurity.Malware.24306.UNOFFICIAL
      1 X-ACL-Warn: Virus found / znaleziono wirusa :Sanesecurity.Malware.24423.ZipHeur.UNOFFICIAL
      2 X-ACL-Warn: Virus found / znaleziono wirusa :Sanesecurity.Malware.24488.UNOFFICIAL
      9 X-ACL-Warn: Virus found / znaleziono wirusa :Sanesecurity.Malware.24594.ZipHeur.UNOFFICIAL
     15 X-ACL-Warn: Virus found / znaleziono wirusa :Sanesecurity.Malware.24595.ZipHeur.UNOFFICIAL
     13 X-ACL-Warn: Virus found / znaleziono wirusa :Sanesecurity.Malware.24639.ZipHeur.UNOFFICIAL
      2 X-ACL-Warn: Virus found / znaleziono wirusa :Sanesecurity.Malware.24646.DocHeur.UNOFFICIAL
      9 X-ACL-Warn: Virus found / znaleziono wirusa :Sanesecurity.Malware.24647.ZipHeur.UNOFFICIAL
      8 X-ACL-Warn: Virus found / znaleziono wirusa :Sanesecurity.Malware.24648.ZipHeur.UNOFFICIAL
      5 X-ACL-Warn: Virus found / znaleziono wirusa :Sanesecurity.Malware.24675.XlsHeur.UNOFFICIAL
      1 X-ACL-Warn: Virus found / znaleziono wirusa :Sanesecurity.Rogue.0hr.20141201-1850.UNOFFICIAL
     11 X-ACL-Warn: Virus found / znaleziono wirusa :Sanesecurity.Rogue.0hr.20141202-0850.UNOFFICIAL
      5 X-ACL-Warn: Virus found / znaleziono wirusa :Sanesecurity.Rogue.0hr.20141203-0953.UNOFFICIAL
     11 X-ACL-Warn: Virus found / znaleziono wirusa :Sanesecurity.Rogue.0hr.20141208-0651.UNOFFICIAL
      3 X-ACL-Warn: Virus found / znaleziono wirusa :Sanesecurity.Rogue.0hr.20141210-0848.UNOFFICIAL
     26 X-ACL-Warn: Virus found / znaleziono wirusa :Sanesecurity.Rogue.0hr.20141212-1249.UNOFFICIAL
      6 X-ACL-Warn: Virus found / znaleziono wirusa :Sanesecurity.Rogue.0hr.20141217-0648.UNOFFICIAL
      4 X-ACL-Warn: Virus found / znaleziono wirusa :Sanesecurity.Rogue.0hr.20141217-0949.UNOFFICIAL
      6 X-ACL-Warn: Virus found / znaleziono wirusa :Sanesecurity.Rogue.0hr.20141218-0648.UNOFFICIAL
     10 X-ACL-Warn: Virus found / znaleziono wirusa :Sanesecurity.Rogue.0hr.20141219-1047.UNOFFICIAL
      1 X-ACL-Warn: Virus found / znaleziono wirusa :Sanesecurity.Scam4.1386.UNOFFICIAL
      1 X-ACL-Warn: Virus found / znaleziono wirusa :Sanesecurity.Scam4.1880.UNOFFICIAL
      1 X-ACL-Warn: Virus found / znaleziono wirusa :Sanesecurity.Scam4.939.UNOFFICIAL
      1 X-ACL-Warn: Virus found / znaleziono wirusa :Sanesecurity.ScamL.273.UNOFFICIAL


and the number of mails delivered to users was ~7000.
My conclusion is that using unofficial rules for ClamAV can bring a
higher number of detected viruses of any kind and also spam. It can give
performance benefits due to catching spam before SA takes the email. And I
think that official rules are updated too slowly to detect new malware.
P.S. Due to having spamtraps on this mail server I'm scanning (using
ClamAV and SA) and saving all emails delivered to the MTA, no matter if
they are spam or ham.
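A small parser that reproduces the per-signature breakdown from saved messages, splitting official from UNOFFICIAL hits and setting aside the Junk/url/Spam signatures the way the grep pipeline above does, while also handling RFC 5322 folded headers that a line-based grep would split. This is an added example, not code from the thread; the header format "X-ACL-Warn: Virus found / znaleziono wirusa :<signature>" is taken from the output above, and the sample messages (including the Sanesecurity.Junk signature number) are constructed.

```python
import re
from collections import Counter
from email import message_from_string, policy

# Header format as seen in the thread's output; the signature name follows
# the last ':' of the header value.
SIG_RE = re.compile(r"Virus found.*:\s*(?P<sig>\S+)\s*$")
# Same "spam-like" filter the thread's grep pipeline uses (Junk|url|Spam).
SPAMLIKE_RE = re.compile(r"Junk|url|Spam", re.IGNORECASE)

# Constructed sample messages, not real traffic. Signature numbers are made
# up; the third message carries a folded header that grep would split.
SAMPLE_MAILS = [
    "From: a@example.invalid\nSubject: invoice\n"
    "X-ACL-Warn: Virus found / znaleziono wirusa"
    " :Sanesecurity.Foxhole.Zip_doc.UNOFFICIAL\n\nbody\n",
    "From: b@example.invalid\nSubject: offer\n"
    "X-ACL-Warn: Virus found / znaleziono wirusa"
    " :Sanesecurity.Junk.99999.UNOFFICIAL\n\nbody\n",
    "From: c@example.invalid\nSubject: account\n"
    "X-ACL-Warn: Virus found / znaleziono wirusa\n"
    " :Heuristics.Phishing.Email.SpoofedDomain\n\nbody\n",
    "From: d@example.invalid\nSubject: clean\n\nbody\n",
]


def hit_signatures(raw_message):
    """Return the ClamAV signature names recorded in X-ACL-Warn headers."""
    msg = message_from_string(raw_message, policy=policy.default)
    sigs = []
    for value in msg.get_all("X-ACL-Warn", []):
        match = SIG_RE.search(str(value))  # str() yields the unfolded value
        if match:
            sigs.append(match.group("sig"))
    return sigs


def summarise(raw_messages):
    """Count hits per signature: official vs UNOFFICIAL, spam-like vs other."""
    stats = {"messages": 0, "hit_messages": 0, "unofficial_spamlike": 0,
             "official": Counter(), "unofficial": Counter()}
    for raw in raw_messages:
        stats["messages"] += 1
        sigs = hit_signatures(raw)
        stats["hit_messages"] += bool(sigs)
        for sig in sigs:
            bucket = "unofficial" if sig.endswith(".UNOFFICIAL") else "official"
            stats[bucket][sig] += 1
            if bucket == "unofficial" and SPAMLIKE_RE.search(sig):
                stats["unofficial_spamlike"] += 1
    return stats
```

Point `summarise` at the messages read from the per-month directories and the resulting Counters give the same ranking as `sort|uniq -c` above, with the spam-like unofficial hits counted separately.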

