Mailing List Archive

elf signature for clamav
# cat local_elf.ndb from /var/lib/clamav (databasedir in clamd)
Sanesecurity.ELF.1:6:0:7F454C46

took me 5 mins to make :)

Thanks to KAM on this, it's very simple. I like feedback from mimedefang
and amavisd users.
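The signature above is one line of ClamAV's .ndb format, MalwareName:TargetType:Offset:HexSignature: target type 6 is ELF, offset 0, and 7F454C46 is the four-byte ELF magic "\x7fELF". The following is an added example, not code from the post or from ClamAV: a toy matcher in Python that parses that line, applies it to constructed sample attachments (a truncated ELF header, a truncated MZ header and a text note) inside a constructed MIME message, and reports which attachment the signature hits. It only handles a plain decimal offset and a literal hex body; the startswith() check stands in for ClamAV's own file-type classification.

```python
import binascii
import email
from email import policy
from email.message import EmailMessage

# The signature line from the post, in ClamAV's .ndb layout:
#   MalwareName:TargetType:Offset:HexSignature
# TargetType 6 is ELF in ClamAV's target numbering; 7F454C46 is the
# four-byte ELF magic "\x7fELF" at offset 0.
NDB_LINE = "Sanesecurity.ELF.1:6:0:7F454C46"
ELF_TARGET = 6


def parse_ndb(line):
    """Parse one .ndb line into (name, target_type, offset, signature_bytes).

    Only a plain decimal offset and a literal hex body are handled here; the
    wildcard bodies and '*' / 'EOF-n' offsets that real .ndb files may carry
    are out of scope for this example.
    """
    name, target, offset, hexsig = line.strip().split(":", 3)
    return name, int(target), int(offset), binascii.unhexlify(hexsig)


def matches(sig, data):
    """Toy matcher: does the signature body appear at its offset in data?

    ClamAV applies a target-typed signature only to files its own type
    detection classifies as that target; the startswith() check below stands
    in for that classification for the ELF case.
    """
    _name, target, offset, body = sig
    if target == ELF_TARGET and not data.startswith(b"\x7fELF"):
        return False
    return data[offset:offset + len(body)] == body


def scan_message(raw, sigs):
    """Return [(filename, signature_name)] for every attachment a signature hits."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True) or b""
        for sig in sigs:
            if matches(sig, payload):
                hits.append((part.get_filename(), sig[0]))
    return hits


# Constructed sample attachments (not real files): a truncated ELF64 header,
# a truncated PE/MZ header and a text note.
ELF_SAMPLE = b"\x7fELF\x02\x01\x01" + b"\x00" * 9 + b"\x02\x00\x3e\x00"
PE_SAMPLE = b"MZ\x90\x00" + b"\x00" * 60
TEXT_SAMPLE = "just a note\n"


def build_sample_message():
    """Build a constructed multipart message carrying the three samples."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "postmaster@example.invalid"
    msg["Subject"] = "constructed sample for the ndb matcher"
    msg.set_content("See attachments.")
    msg.add_attachment(ELF_SAMPLE, maintype="application",
                       subtype="octet-stream", filename="tool")
    msg.add_attachment(PE_SAMPLE, maintype="application",
                       subtype="octet-stream", filename="tool.exe")
    msg.add_attachment(TEXT_SAMPLE, filename="notes.txt")
    return msg.as_bytes()


if __name__ == "__main__":
    sigs = [parse_ndb(NDB_LINE)]
    for filename, name in scan_message(build_sample_message(), sigs):
        print(f"{filename}: {name}")
```

Run as-is it reports only the attachment named "tool"; the MZ sample fails the ELF classification and the text note has no matching bytes at offset 0. Because the signature is nothing more than the ELF magic, it flags every ELF attachment, benign or not, which is why it belongs in the low-score, meta-with-other-rules role rather than in an outright-block milter.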
Re: elf signature for clamav
On Sun, 26 Sep 2021, Benny Pedersen wrote:

>
> # cat local_elf.ndb from /var/lib/clamav (databasedir in clamd)
> Sanesecurity.ELF.1:6:0:7F454C46
>
> took me 5 mins to make :)
>
> Thanks to KAM on this, it's very simple. I like feedback from mimedefang and
> amavisd users.

If you use the "ClamAV" SA plugin (
http://wiki.apache.org/spamassassin/ClamAVPlugin ) then you can use the full
power of ClamAV scanning/detection in SA without the need for external
connectors like mimedefang or amavisd.

This has the advantage of being open to SA users and makes it possible to write
special meta rules combining the results of ClamAV scans with other SA filtering
such as welcome_auth-validated trusted sources.

I run two copies of the ClamAV engine:
1) standard ClamAV with standard rules called from milters in my front line MX
servers to outright block known malware.
2) a customized ClamAV with full bells-&-whistles such as Heuristics and lots of
custom add-in signatures (e.g.
https://github.com/extremeshok/clamav-unofficial-sigs).
These can have a moderate FP risk, but, run from within SA, I can use other rules
such as welcome_auth to control their risk, or use them at a low score but meta
with other things such as Bayes to jack up the score.

--
Dave Funk University of Iowa
<dbfunk (at) engineering.uiowa.edu> College of Engineering
319/335-5751 FAX: 319/384-0549 1256 Seamans Center, 103 S Capitol St.
Sys_admin/Postmaster/cell_admin Iowa City, IA 52242-1527
#include <std_disclaimer.h>
Better is not better, 'standard' is better. B{