[sanesecurity] Re: Q. about stdout "keywords" to distinguish between data sources

  • From: "Steve Basford" <steveb_clamav@xxxxxxxxxxxxxxxx>
  • To: sanesecurity@xxxxxxxxxxxxx
  • Date: Tue, 14 Feb 2012 08:21:19 -0000

> PS - Here is a follow-up question... is there a way to get ClamAv to
> search SOME signature DBs before others? That way, "low risk" could be
> put head of "medium risk" ones. That way, if a low risk one has a hit,
> its score wouldn't be watered down by a "high risk" rule hitting it
> first and then watering down the score, using the system described above.

Hi Rob,

Nope... external scoring isn't the whole answer but might help,

eg:

# @av_scanners = ();
# @av_scanners_backup = ();
# $first_infected_stops_scan = undef;

# $viruses_that_fake_sender_re = undef;
# @viruses_that_fake_sender_maps = (\$viruses_that_fake_sender_re, 1);
# @virus_name_to_spam_score_maps =
#   (new_RE(  # the order matters!
#     [ qr'^Structured\.(SSN|CreditCardNumber)\b'                   => 0.1 ],
#     [ qr'^(Heuristics\.)?Phishing\.'                              => 0.1 ],
#     [ qr'^(Email|HTML)\.Phishing\.(?!.*Sanesecurity)'             => 0.1 ],
#     [ qr'^Sanesecurity\.(Malware|Rogue|Trojan)\.' => undef ],# keep infected
#     [ qr'^Sanesecurity\.'                                         => 0.1 ],
#     [ qr'^Sanesecurity_PhishBar_'                                 => 0   ],
#     [ qr'^Sanesecurity.TestSig_'                                  => 0   ],
#     [ qr'^Email\.Spam\.Bounce(\.[^., ]*)*\.Sanesecurity\.'        => 0   ],
#     [ qr'^Email\.Spammail\b'                                      => 0.1 ],
#     [ qr'^MSRBL-(Images|SPAM)\b'                                  => 0.1 ],
#     [ qr'^VX\.Honeypot-SecuriteInfo\.com\.Joke'                   => 0.1 ],
#     [ qr'^VX\.not-virus_(Hoax|Joke)\..*-SecuriteInfo\.com(\.|\z)' => 0.1 ],
#     [ qr'^Email\.Spam.*-SecuriteInfo\.com(\.|\z)'                 => 0.1 ],
#     [ qr'^Safebrowsing\.'                                         => 0.1 ],
#     [ qr'^winnow\.(phish|spam)\.'                                 => 0.1 ],
#     [ qr'^INetMsg\.SpamDomain'                                    => 0.1 ],
#     [ qr'^Doppelstern\.(Scam4|Phishing)'                          => 0.1 ],
#     [ qr'^ScamNailer\.'                                           => 0.1 ],
#     [ qr'^HTML/Bankish'                                     => 0.1 ],  # F-Prot
#     [ qr'-SecuriteInfo\.com(\.|\z)'         => undef ],  # keep as infected
#     [ qr'^MBL_NA\.UNOFFICIAL'               => 0.1 ],    # false positives
#     [ qr'^MBL_'                             => undef ],  # keep as infected
#   ));

Cheers,

Steve
Sanesecurity
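The map Steve quotes is walked top to bottom and the first matching entry decides, which is why its ordering, not the order in which ClamAV loads signature databases, is what determines the verdict. As an added example that is not part of this thread or of amavisd-new, the following Python re-implements that lookup over a subset of the quoted entries and runs it against constructed ClamAV-style detection names. It assumes the semantics the config comments imply (first match wins; undef keeps the name as an infection; a name no rule matches also stays infected). The policy for a message carrying several names (any kept-infected name wins, otherwise the highest score) is this example's own choice, not amavisd's documented behaviour.

```python
import re
from typing import List, Optional, Sequence, Tuple

# Perl undef in the amavisd map is represented as None: "keep as infected".
KEEP_INFECTED = None

# Ordered subset of the @virus_name_to_spam_score_maps entries quoted in the
# thread. Python's re syntax covers the Perl qr'' patterns used here
# (\b, (?!...), and \z becomes \Z).
VIRUS_NAME_TO_SPAM_SCORE: Sequence[Tuple[re.Pattern, Optional[float]]] = [
    (re.compile(r'^Structured\.(SSN|CreditCardNumber)\b'),            0.1),
    (re.compile(r'^(Heuristics\.)?Phishing\.'),                       0.1),
    (re.compile(r'^(Email|HTML)\.Phishing\.(?!.*Sanesecurity)'),      0.1),
    (re.compile(r'^Sanesecurity\.(Malware|Rogue|Trojan)\.'),          KEEP_INFECTED),
    (re.compile(r'^Sanesecurity\.'),                                  0.1),
    (re.compile(r'^Sanesecurity_PhishBar_'),                          0),
    (re.compile(r'^Sanesecurity.TestSig_'),                           0),
    (re.compile(r'^Email\.Spam\.Bounce(\.[^., ]*)*\.Sanesecurity\.'), 0),
    (re.compile(r'^Email\.Spammail\b'),                               0.1),
    (re.compile(r'-SecuriteInfo\.com(\.|\Z)'),                        KEEP_INFECTED),
    (re.compile(r'^MBL_NA\.UNOFFICIAL'),                              0.1),
    (re.compile(r'^MBL_'),                                            KEEP_INFECTED),
]


def score_for_name(name: str, table=VIRUS_NAME_TO_SPAM_SCORE):
    """Walk the table top to bottom; the first matching entry decides.

    Returns (pattern_text, value). value is a spam score contribution, or
    None (undef) to keep the name as an infection. If nothing matches,
    pattern_text is None and the name is also kept as an infection.
    """
    for pattern, value in table:
        if pattern.search(name):
            return pattern.pattern, value
    return None, KEEP_INFECTED


def classify_message(names: List[str], table=VIRUS_NAME_TO_SPAM_SCORE):
    """Combine the verdicts for every name a scanner reported on one message.

    Policy chosen for this example (an assumption, not amavisd's own):
    any name that stays infected makes the whole message infected; otherwise
    the highest mapped score is the spam contribution; no names means clean.
    """
    if not names:
        return "clean", 0
    scores = []
    for name in names:
        _, value = score_for_name(name, table)
        if value is KEEP_INFECTED:
            return "infected", None
        scores.append(value)
    return "spam-score", max(scores)


if __name__ == "__main__":
    # Constructed detection names in the style ClamAV prints for these DBs.
    samples = [
        "Sanesecurity.Junk.12345.UNOFFICIAL",     # generic Sanesecurity rule
        "Sanesecurity.Malware.99.UNOFFICIAL",     # kept infected by the earlier rule
        "Sanesecurity.TestSig_Eicar.UNOFFICIAL",  # shadowed by ^Sanesecurity\.
        "Sanesecurity_PhishBar_1234.UNOFFICIAL",  # underscore, so PhishBar rule
        "MBL_NA.UNOFFICIAL",                      # specific rule before ^MBL_
        "MBL_12345.UNOFFICIAL",                   # generic ^MBL_ keeps infected
        "Eicar-Test-Signature",                   # no rule at all: stays infected
    ]
    for s in samples:
        rule, value = score_for_name(s)
        print(f"{s:42} rule={rule!r:60} value={value!r}")
    print(classify_message(["Sanesecurity.Junk.1.UNOFFICIAL", "MBL_NA.UNOFFICIAL"]))
    print(classify_message(["Sanesecurity.Junk.1.UNOFFICIAL", "MBL_1.UNOFFICIAL"]))
```

Two ordering effects stand out when this runs: a `Sanesecurity.Malware.` name is kept as an infection because its specific entry sits above the generic `^Sanesecurity\.` one, which is exactly the "specific before general" placement Rob is asking for, and under first-match semantics the later `Sanesecurity.TestSig_` entry is never reached for names that the generic `^Sanesecurity\.` rule already matches, so its 0 is shadowed by that rule's 0.1.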

