[AMaViS-user] SaneSecurity malware signatures are not being
Bill Landry
2007-05-18 18:28:49 UTC
I have been exchanging e-mails with Steve Basford of SaneSecurity
regarding malware e-mails that are not detected and quarantined by
amavisd-new, yet are detected fine when scanned directly by clamdscan.
Here are my amavisd.conf entries for SaneSecurity and MSRBL signature
detection:

@virus_name_to_spam_score_maps =
(new_RE( [ qr'^(Email|HTML)\.(Phishing|Spam|Scam[a-z0-9]?)\.'i => 0.1 ],
[ qr'^(Email|Html)\.Malware\.Sanesecurity\.' => undef ],
[ qr'^(Email|Html)(\.[^., ]*)*\.Sanesecurity\.' => 0.1 ],
[ qr'^(MSRBL-Images/|MSRBL-SPAM\.)' => 0.1 ],
));

However, it does not seem to detect and quarantine any signature that
starts with "Email", even though clamdscan correctly detects and reports
the malware signature:

clamdscan test.msg
test.msg: Email.Malware.Sanesecurity.07051800 FOUND

The entries in amavisd.conf look correct, but for some reason, malware
signatures beginning with "Email" do not get detected and quarantined by
amavisd-new. Thoughts?

Thanks,

Bill


-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/
_______________________________________________
AMaViS-user mailing list
AMaViS-***@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/amavis-user
AMaViS-FAQ:http://www.amavis.org/amavis-faq.php3
AMaViS-HowTos:http://www.amavis.org/howto/
Mark.Martinec+ (Mark Martinec)
2007-05-18 18:54:57 UTC
Bill,
Bill Landry wrote:
> [ qr'^(Email|HTML)\.(Phishing|Spam|Scam[a-z0-9]?)\.'i => 0.1 ],
> [ qr'^(Email|Html)\.Malware\.Sanesecurity\.' => undef],
> [ qr'^(Email|Html)(\.[^., ]*)*\.Sanesecurity\.' => 0.1 ],
> [ qr'^(MSRBL-Images/|MSRBL-SPAM\.)' => 0.1 ],
> However, it does not seem to detect and quarantine any signature that
> starts with "Email", even though clamdscan correctly detects and reports
> test.msg: Email.Malware.Sanesecurity.07051800 FOUND
> The entries in amavisd.conf look correct, but for some reason, malware
> signatures beginning with "Email" do not get detected and quarantined by
> amavisd-new. Thoughts?

Why do you have the second entry (... => undef) ???
If matched, it terminates the search and reports that a lookup
did not find anything. You probably intended to just remove the line.

Mark

Bill Landry
2007-05-22 02:57:43 UTC
Mark Martinec wrote:
> Bill,
> I've noticed that when multiple message parts match different clamav
> signatures, *all* the signature names must be listed in
> @virus_name_to_spam_score_maps for it to be considered spam.
> [...] When a virus scanner returns
> names of viruses, and all provided names are matched by the
> @virus_name_to_spam_score_maps, and no other virus scanner has
> anything more sinister to report, then a message is _not_ flagged
> as a virus, but a corresponding spam score is contributed to other
> spam results [...]
> This is a key issue here.
> Your test example after enabling /^MAIL$/ (which requests that
> a full message is passed to virus scanners, besides each decoded
> part), clamd starts to report _two_ malware names.

Mark, can you tell me why the Email.Malware are still not detected
without enabling /^MAIL$/? I would like to keep virus scan processing
to a minimum, but if I disable /^MAIL$/, then Email.Malware messages are
not detected.

> list, such mail did not fulfill the requirement that _all_ reported
> names must be in the list for the result to be turned into spam,
> so you ended up with a quarantined 'virus'.

Thanks for the explanation, and thanks to Noel for his assistance in
figuring this out off-list over the weekend.

Bill

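To make the two lookup rules from Mark's replies concrete (first match wins, so a `=> undef` entry ends the search as "not found"; and every name a scanner reports must be in the map before the hit is turned into a spam score, otherwise the message stays a quarantined virus), here is an added Python simulation. It is not amavisd code: the regexes are copied from Bill's config, the second constructed name and the max-score aggregation are assumptions.

```python
import re

# Constructed stand-in for Bill's @virus_name_to_spam_score_maps: an ordered
# list of (regex, score) pairs. None plays the role of Perl's undef. The
# patterns are copied from the thread; only the first carries the 'i' flag.
MAP_WITH_UNDEF = [
    (re.compile(r'^(Email|HTML)\.(Phishing|Spam|Scam[a-z0-9]?)\.', re.I), 0.1),
    (re.compile(r'^(Email|Html)\.Malware\.Sanesecurity\.'), None),  # "=> undef"
    (re.compile(r'^(Email|Html)(\.[^., ]*)*\.Sanesecurity\.'), 0.1),
    (re.compile(r'^(MSRBL-Images/|MSRBL-SPAM\.)'), 0.1),
]
# The same map with the undef entry removed, as Mark suggests.
MAP_FIXED = [entry for entry in MAP_WITH_UNDEF if entry[1] is not None]


def lookup(name, maps):
    """First match wins: return the value of the first matching entry.
    A None value therefore ends the search and reads as 'not found'."""
    for regex, score in maps:
        if regex.search(name):
            return score
    return None


def classify(names, maps):
    """Apply the rule quoted in the thread: only if every reported name is
    found in the map is the hit turned into a spam score; otherwise the
    message stays a virus and is quarantined. Assumption (not stated in the
    thread): when several names match, the largest score is contributed."""
    if not names:
        return ("clean", None)
    scores = [lookup(n, maps) for n in names]
    if any(s is None for s in scores):
        return ("virus", None)
    return ("spam", max(scores))


if __name__ == "__main__":
    hit = "Email.Malware.Sanesecurity.07051800"    # from Bill's clamdscan run
    other = "Worm.Example.Constructed"              # constructed, not in the map
    print(lookup(hit, MAP_WITH_UNDEF))              # None: undef entry ends search
    print(classify([hit], MAP_WITH_UNDEF))          # ('virus', None)
    print(classify([hit], MAP_FIXED))               # ('spam', 0.1)
    print(classify([hit, other], MAP_FIXED))        # ('virus', None): 2nd name unmatched
```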
Noel Jones
2007-05-22 04:35:48 UTC
Bill Landry wrote:
> Mark, can you tell me why the Email.Malware are still not detected
> without enabling /^MAIL$/? I would like to keep virus scan processing
> to a minimum, but if I disable /^MAIL$/, then Email.Malware messages are
> not detected.

Most of the Email.Malware signatures are "email" type
signatures. Clamav must be presented with a file recognizable as an
email (Received: headers and other clues) for these signatures to even
be checked.

You must always present clamav with raw email files to use all the
published signatures. In addition to the SaneSecurity add-on
signatures, most of the "official" clam Phish signatures are "email"
type, along with several official trojan & worm signatures.

If you don't set amavisd-new to scan the full email message, you
effectively disable all signatures requiring an email message.
--
Noel Jones


Bill Landry
2007-05-22 05:15:03 UTC
Noel Jones wrote:
> Bill Landry wrote:
>> Mark, can you tell me why the Email.Malware are still not detected
>> without enabling /^MAIL$/? I would like to keep virus scan processing
>> to a minimum, but if I disable /^MAIL$/, then Email.Malware messages are
>> not detected.
> Most of the Email.Malware signatures are "email" type
> signatures. Clamav must be presented with a file recognizable as an
> email (Received: headers and other clues) for these signatures to even
> be checked.
> You must always present clamav with raw email files to use all the
> published signatures. In addition to the SaneSecurity add-on
> signatures, most of the "official" clam Phish signatures are "email"
> type, along with several official trojan & worm signatures.
> If you don't set amavisd-new to scan the full email message, you
> effectively disable all signatures requiring an email message.

Okay, then is there any reason to have amavisd-new break e-mail messages
up for individual parts scanning? Would it make sense to disable parts
scanning and just have amavisd-new only pass the entire raw message to
clamd for scanning?

Bill


Mark.Martinec+ (Mark Martinec)
2007-05-22 17:08:26 UTC
Bill,
Bill Landry wrote:
> Okay, then is there any reason to have amavisd-new break e-mail messages
> up for individual parts scanning?

Several virus scanners are not able to decode a MIME structure,
or do a poor job at it, or can not decode certain types of
archives or encodings. Carefully decoding by amavisd can also
protect virus scanners from mail bombs, e.g. recursive archives.

MIME and archive decoding also provides information about
mail structure and its components to banning rules (file names,
file types, mime types), and to a bad MIME-header check.

Bill Landry wrote:
> Would it make sense to disable parts scanning and just have
> amavisd-new only pass the entire raw message to clamd for scanning?

If you trust your virus scanner, and don't need extra
information for banning rules, then sure, you may disable
decodings by amavisd.

Either disable decoders/dearchivers individually by
adjusting the @decoders list, or turn them off altogether
by setting $bypass_decode_parts=1;

Now with 2.5.1-pre1, the $bypass_decode_parts=1 also
disables MIME decoding by MIME::Parser, and implicitly
enables passing of a complete mail to virus scanners,
which is what you are asking for.

Mark
