clamav-users January 2008 archive

Re: [Clamav-users] Failure to detect first time

From: Dennis Peterson <dennispe_at_nospam>
Date: Thu Jan 03 2008 - 14:21:37 GMT
To: ClamAV users ML <clamav-users@lists.clamav.net>


Phil Chambers wrote:

>
> I was not aware that there was any way to get clamd to do anything other than
> check the content of messages. The Sanesecurity signatures are just a set of
> phishing and scam signatures for ClamAV which are used in addition to the
> standard ClamAV ones.
>
> Given that ClamAV reports finding "Email.Spam.Sanesecurity.Url_269", for
> example, how do I look up the signature that clamd is using for that?
>

Grep that string from the Sane Security patterns. This one is in scam.ndb and produces this:

Email.Spam.Sanesecurity.Url_269:4:*:4E6F206D6F72652070616964207365782C20776974682061203920696E636820636F636B20776F6D656E2077696C6C2077616E7420796F75206576657279206461792E

Copy the hex string beginning with 4E to the end and paste it into the right hand window at this location:

http://nickciske.com/tools/hex.php

Then click decode. You must do this because if I paste in the solution here many mail systems will reject this post. While the name suggests it is a URL sig it is not. It is a simple regex pattern of clearly objectionable content. It is not the kind of thing ClamAV should miss the first time through unless there is a MIME decode error or other policy that prevents scanning messages from the particular source to a particular recipient.

dp
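
The lookup and decode steps described in the message above can also be done offline. The following is an added example, not part of the original post and not ClamAV or Sanesecurity code: it parses a .ndb line (Name:TargetType:Offset:HexSignature) and renders the hex body as text while keeping wildcards visible. The signature names and sample lines are constructed for illustration.

```python
import re

# Target type numbers as listed in the ClamAV signature documentation.
TARGET_TYPES = {0: "any file", 1: "PE", 2: "OLE2", 3: "HTML (normalised)",
                4: "mail file", 5: "graphics", 6: "ELF", 7: "ASCII text (normalised)"}

# One token of an .ndb body: wildcard forms first, then a hex byte (or ?? / nibble wildcard).
TOKEN = re.compile(r"\*|\{[0-9-]+\}|!?\([0-9A-Fa-f|?]+\)|[0-9A-Fa-f?]{2}")

def render_body(hex_sig):
    """Turn an .ndb hex body into readable text, keeping wildcards visible."""
    out, pos = [], 0
    while pos < len(hex_sig):
        m = TOKEN.match(hex_sig, pos)
        if m is None:
            raise ValueError(f"unparseable signature body at offset {pos}")
        tok, pos = m.group(0), m.end()
        if len(tok) == 2 and "?" not in tok:
            byte = int(tok, 16)
            # Printable ASCII is shown as-is, everything else as an escape.
            out.append(chr(byte) if 0x20 <= byte < 0x7F else f"\\x{byte:02x}")
        else:
            out.append(f"<{tok}>")  # wildcard, gap or alternation: show unchanged
    return "".join(out)

def parse_ndb_line(line):
    """Split Name:TargetType:Offset:HexSignature (optional trailing fields ignored)."""
    fields = line.strip().split(":")
    if len(fields) < 4:
        raise ValueError("not an .ndb signature line")
    name, target, offset, body = fields[:4]
    return {"name": name, "target": TARGET_TYPES.get(int(target), f"type {target}"),
            "offset": offset, "pattern": render_body(body)}

def lookup(name, lines):
    """Equivalent of grepping the reported name out of a .ndb file."""
    for line in lines:
        if line.startswith(name + ":"):
            return parse_ndb_line(line)
    return None

# Constructed sample lines, not taken from any real signature database.
SAMPLE_NDB = [
    "Example.Test.Sig_1:4:*:436C69636B2068657265*746F2077696E",
    "Example.Test.Sig_2:0:0:4D5A{2-4}50??0A",
]

if __name__ == "__main__":
    for sig in SAMPLE_NDB:
        print(parse_ndb_line(sig))
```

To use it on a real database, pass the open .ndb file as `lines` and the name that clamd reported as `name`.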


