Question about scoring with sanesecurity signatures
francis picabia
fpicabia at gmail.com
Wed Sep 5 20:55:36 CEST 2012
On Wed, Sep 5, 2012 at 2:57 PM, Noel Jones <njones at megan.vbhcs.org> wrote:
> On 9/5/2012 12:29 PM, francis picabia wrote:
>> Many of the signatures available with sanesecurity are rated to produce
>> false positives at a "medium" rate. Their page:
>>
>> http://sanesecurity.co.uk/databases.htm
>>
>> suggests to score the detections rather than block.
>>
>> How can I prevent amavis from blocking (flagging as INFECTED)
>> for specific clamav databases?
>>
>> For example, I'd like to treat scamnailer.ndb as a DB I would
>> not block based on its match.
>>
>
>
> See the "@virus_name_to_spam_score_maps" section in amavisd.conf, or
> create such a section if it doesn't exist. There should be a
> commented example in amavisd.conf-default and/or in the RELEASE_NOTES.
>
> Basically you match (part of) the virus name you're interested in
> scoring. If there are multiple matches, the first match wins, so
> put more specific matches earlier in the file, general matches
> later. Names not matched, or matched and scored as undef are
> treated as infected.
>
> @virus_name_to_spam_score_maps =
> (new_RE( # the order matters!
> [ qr'^ScamNailer\.Phish' => 5.0 ], # phish scored at 5.
> [ qr'^ScamNailer\.' => 4.0 ], # others scored at 4.
> ));
>
> -- Noel Jones
That's cool. I've seen references to this before but it was never explained
why people were setting up such clauses. I get it now.
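To make the first-match-wins and "undef means infected" rules concrete, here is a standalone Perl script added as an illustration (it is not amavisd's code and not part of the thread): it emulates how a list shaped like the @virus_name_to_spam_score_maps entries above is consulted. The new_RE() wrapper is omitted, the ScamNailer.Malware entry is hypothetical, and the sample detection names are constructed.

```perl
#!/usr/bin/perl
# Added example: a stand-alone emulation of the lookup amavisd performs
# against @virus_name_to_spam_score_maps. It is not amavisd's own code.
use strict;
use warnings;

# Same shape as the amavisd.conf entries: [ qr'regexp' => score ].
# Order matters: the first entry whose regexp matches decides.
my @virus_name_to_spam_score = (
  [ qr'^ScamNailer\.Malware' => undef ],  # hypothetical: keep this family blocked
  [ qr'^ScamNailer\.Phish'   => 5.0 ],    # specific rule before the general one
  [ qr'^ScamNailer\.'        => 4.0 ],    # everything else from ScamNailer
);

# Returns the spam score for a detected virus name, or undef when the
# name matches nothing or matches an entry scored undef; undef means
# "treat as infected" (blocked), exactly as described in the reply above.
sub score_for {
  my ($name) = @_;
  for my $entry (@virus_name_to_spam_score) {
    my ($re, $score) = @$entry;
    return $score if $name =~ $re;
  }
  return undef;
}

# Constructed sample detections; signature names are illustrative only.
for my $name ('ScamNailer.Phish.1234', 'ScamNailer.Spam.77',
              'ScamNailer.Malware.9', 'Eicar-Test-Signature') {
  my $s = score_for($name);
  printf "%-24s -> %s\n", $name,
    defined $s ? "add $s to spam score" : "INFECTED (blocked)";
}
```

Swapping the two ScamNailer rules makes the general `^ScamNailer\.` entry win for phish names too, which is why the more specific pattern must come first.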