Question about scoring with sanesecurity signatures
njones at megan.vbhcs.org
Wed Sep 5 19:57:24 CEST 2012
On 9/5/2012 12:29 PM, francis picabia wrote:
> Many of the signatures available with sanesecurity are rated to produce
> false positives at a "medium" rate. Their page:
> suggests to score the detections rather than block.
> How can I prevent amavis from blocking (flagging as INFECTED)
> for specific clamav databases?
> For example, I'd like to treat scamnailer.ndb as a DB I would
> not block based on its match.
See the "@virus_name_to_spam_score_maps" section in amavisd.conf, or
create such a section if it doesn't exist. There should be a
commented example in amavisd.conf-default and/or in the RELEASE_NOTES.
Basically you match (part of) the virus name you're interested in
scoring. If there are multiple matches, the first match wins, so
put more specific matches earlier in the file, general matches
later. Names not matched, or matched and scored as undef are
treated as infected.
(new_RE( # the order matters!
[ qr'^ScamNailer\.Phish' => 5.0 ], # phish scored at 5.
[ qr'^ScamNailer\.' => 4.0 ], # others scored at 4.
-- Noel Jones
More information about the amavis-users