Question about scoring with sanesecurity signatures
Nikolaos Milas
nmilas at noa.gr
Sat Oct 13 16:04:45 CEST 2012
On 11/10/2012 12:11 AM, Noel Jones wrote:
> In the case of doppelstern, you would need to be careful of the
> virus names used. A quick look at the files suggests this might be
> possible, but you'll need to check the virus names more carefully.
Thanks Noel,
How can I get a list of virus names used in each file (e.g. in
"doppelstern.ndb" and in "doppelstern.hdb")?
If I browse the file "doppelstern.ndb" with a text editor, I see
entries of the form:
...
Doppelstern.Hoax.3:4:*:53686f636b696e6720696e666f2061626f7574206e6577204a455355532066696c6d202d20506c6561736520667764
Doppelstern.Lott.37:4:*:46726f6d3a20224555524f204d494c4c494f4e
Doppelstern.Loan.14:4:*:4c6f616e204f666665722047756172616e74656564
Doppelstern.Lott.39:7:0:77652061726520706c6561736520746f20616e6e6f756e636520746f20796f75207468617420796f757220656d61696c206164647265737320656d657267656420616c6f6e6720736964652034206f746865727320617320612063617465676f727920322077696e6e6572
Doppelstern.Scam4.160:7:0:6d757475616c2062656e65666974
...
So, does this mean we can specify (in order to force scoring for these
signatures):
@virus_name_to_spam_score_maps =
  (new_RE( # the order matters!
    [ qr'^Doppelstern\.Hoax\.'  => 5.0 ],
    [ qr'^Doppelstern\.Lott\.'  => 5.0 ],
    [ qr'^Doppelstern\.Loan\.'  => 5.0 ],
    [ qr'^Doppelstern\.Scam4\.' => 5.0 ],
    ...
  ));
and the like, for other "Medium"-rated databases?
Also, would you deem a value of "5.0" as a sensible *initial* value
(based on experience) to avoid FPs? I have not used these rules again in
the past, and I would appreciate some advice before migrating our
production systems (i.e. our mail gateways) to the
Postfix/Amavis/ClamAV/SpamAssassin platform.
Thanks,
Nick
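Added example (not from this thread, and not amavis or ClamAV code): a small Python script that answers the first question by parsing the two Sanesecurity file formats quoted above, the body-based `.ndb` layout (`Name:TargetType:Offset:HexSig`) and the hash-based `.hdb` layout (`MD5:FileSize:Name`), grouping the signature names into families and emitting `@virus_name_to_spam_score_maps` entries in the same shape as the snippet in the message. The `.ndb` sample lines are the ones quoted in the post; the `.hdb` line is a constructed placeholder with an all-zero hash, not a real signature. Two things are assumptions rather than anything the thread states: that a family is the name with its trailing numeric serial removed (as the quoted names suggest), and that the score lookup is first-match over an ordered list, which is how the `new_RE` table's "order matters" comment is read here.

```python
import re
from collections import Counter

# Constructed sample input. The .ndb lines are the ones quoted in the post;
# the .hdb line is a made-up placeholder (all-zero MD5), not a real signature.
SAMPLE_NDB = """\
Doppelstern.Hoax.3:4:*:53686f636b696e6720696e666f2061626f7574206e6577204a455355532066696c6d202d20506c6561736520667764
Doppelstern.Lott.37:4:*:46726f6d3a20224555524f204d494c4c494f4e
Doppelstern.Loan.14:4:*:4c6f616e204f666665722047756172616e74656564
Doppelstern.Lott.39:7:0:77652061726520706c6561736520746f20616e6e6f756e636520746f20796f75207468617420796f757220656d61696c206164647265737320656d657267656420616c6f6e6720736964652034206f746865727320617320612063617465676f727920322077696e6e6572
Doppelstern.Scam4.160:7:0:6d757475616c2062656e65666974
"""
SAMPLE_HDB = "00000000000000000000000000000000:1234:Doppelstern.Phish.1\n"


def parse_ndb(text):
    """Parse ClamAV .ndb lines: Name:TargetType:Offset:HexSig[:MinFL[:MaxFL]]."""
    sigs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 4:
            raise ValueError("malformed .ndb line: %r" % line)
        sigs.append({"name": fields[0], "target": int(fields[1]),
                     "offset": fields[2], "hexsig": fields[3]})
    return sigs


def parse_hdb(text):
    """Parse ClamAV .hdb lines: MD5:FileSize:Name[:MinFL]."""
    sigs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 3:
            raise ValueError("malformed .hdb line: %r" % line)
        sigs.append({"md5": fields[0], "size": fields[1], "name": fields[2]})
    return sigs


def family(name):
    """'Doppelstern.Scam4.160' -> 'Doppelstern.Scam4' (assumed convention:
    the trailing number is a per-family serial, not part of the family)."""
    return re.sub(r"\.\d+$", "", name)


def families(sigs):
    """Count how many signatures each family contributes."""
    return Counter(family(s["name"]) for s in sigs)


def decode_hexsig(hexsig):
    """Return the literal bytes of a plain-hex body signature, or None when the
    signature uses ClamAV wildcards (??, *, {n}, (a|b), ...) and is not literal."""
    if re.fullmatch(r"(?:[0-9a-fA-F]{2})+", hexsig) is None:
        return None
    return bytes.fromhex(hexsig)


def perl_map_entries(fams, score):
    """Emit amavisd.conf lines in the shape of the @virus_name_to_spam_score_maps
    snippet: one anchored regex per family, all given the same score."""
    return ["[ qr'^%s\\.' => %.1f ]," % (re.escape(f), score) for f in sorted(fams)]


# Ordered lookup table mirroring the quoted new_RE list (assumed first-match).
SCORE_MAP = [(re.compile(r"^Doppelstern\.Hoax\."), 5.0),
             (re.compile(r"^Doppelstern\.Lott\."), 5.0),
             (re.compile(r"^Doppelstern\.Loan\."), 5.0),
             (re.compile(r"^Doppelstern\.Scam4\."), 5.0)]


def score_for(virus_name, score_map=SCORE_MAP):
    """First matching pattern wins; None means the name is not in the table
    (amavis would then fall back to its default virus handling)."""
    for pattern, score in score_map:
        if pattern.search(virus_name):
            return score
    return None


if __name__ == "__main__":
    ndb = parse_ndb(SAMPLE_NDB)
    for fam, n in sorted(families(ndb).items()):
        print("%-20s %d signature(s)" % (fam, n))
    for s in ndb:
        lit = decode_hexsig(s["hexsig"])
        print(s["name"], "->", lit.decode("latin-1") if lit else "<wildcard pattern>")
    print("\n".join(perl_map_entries(families(ndb), 5.0)))
    print(parse_hdb(SAMPLE_HDB)[0]["name"], "->", score_for("Doppelstern.Phish.1"))
```

Running the script against a real `doppelstern.ndb` (read the file instead of `SAMPLE_NDB`) lists every family present, which is the check to do before writing the regexes: a family that only appears in the file as, say, `Doppelstern.Phish` would otherwise fall through the table and keep ClamAV's default virus treatment rather than the intended spam score. Decoding the literal hex also shows what each body signature actually matches on, which helps judge how aggressive a given family is before assigning it a score.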