--On 11 September 2008 13:22:25 +0100 Steve Basford <[EMAIL PROTECTED]> wrote:
>> Could anyone knowledgeable comment?
>
> I've knocked something quickly together, it won't be 100% accurate and is
> very vague, but it might give you a few pointers:

Thanks Steve. That's very helpful. I've put the list up on the wiki at:

<https://wiki.clamav.net/Main/ConfigurationTips>

BTW, any chance that we could get a link to Configuration Tips from the main
wiki page, please? An essential part of getting ClamAV running on a live mail
service is getting the configuration right.

Now, having done that, I'm thinking PUA could be VERY useful. In fact, I've
been considering banning outright the passing of executable files in
archives - too many bits of malware are slipping through the net at the
moment. It would be nice if ClamAV were to have that option - perhaps "all
executables" could constitute a class of PUA, perhaps? Probably that would
need to be explicitly enabled...

Anyway, can anyone think of a reason why anyone on a University Campus would
(a) have a need to transfer files in any category below, and (b) not have
access to alternative means like sftp?

> Vague Outline
> -------------
>
> PUA is a potentially unwanted application
>
> Sub-Type: RAT is Remote Access Trojans
> Description: tools used to remotely access systems but can be used by
> system admins, for example VNC or RAdmin
>
> Example: PUA.RAT.RAdmin-16 could be RAdmin
> Example: PUA.RAT.VNC-7 would be VNC
>
> Windows Example: Scanning a *genuine* UltraVnc gives this:
> C:\Program Files\UltraVNC\vnchooks.dll: PUA.RAT.VNC-21 FOUND
>
> Sub-Type: PwTool is Password Tool
> Description: Tools used to recover/find passwords. Can be useful for
> system admins.
>
> Example: PUA.PwTool.DialupPass-8
>
> Sub-Type: NetTool
> Description: General network LAN/WAN tools, for example IP scanning, port
> scanners, Netcat etc.
> Example: PUA.NetTool.Angryscan-2
>
> Sub-Type: Tool
> Description: General system tools, process killers/finders
> Example: PUA.Tool.PsKill-2
>
> Sub-Type: Spy
> Description: Keyloggers, spying tools
> Example: PUA.Spy.DigitalX
>
> Sub-Type: Server
> Description: Server based "badware"
> Example: PUA.Server.DistributedNet
>
> Sub-Type: Script
> Description: Known "problem" scripts (Javascript/ActiveX etc.)
> Example: PUA.Script.Packed-1
>
> Sub-Type: Packed
> Description: Known "bad" packers/tools which can be used to hide malware or
> make debugging difficult
> Example: PUA.Packed.NPack-3
>
> Sub-Type: IRC
> Description: IRC server based programs/malware
> Example: PUA.IRC.Mechbot
>
> Hope that helps,
>
> Cheers,
>
> Steve
> Sanesecurity
>
> _______________________________________________
> Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
> http://www.clamav.net/support/ml

-- 
Ian Eiloart
IT Services, University of Sussex
x3148
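As an added example (not from this thread, and not ClamAV's own code), the following Python parses clamscan "FOUND" lines, splits the PUA.SubType.Name-N signature names Steve outlines into their sub-type, and applies a per-sub-type gateway policy of the kind Ian is weighing for a campus mail service. The policy table, the actions and every sample line other than the quoted UltraVNC one are constructed assumptions.

```python
import re
from typing import List, NamedTuple, Optional, Tuple

# Constructed site policy keyed on the PUA sub-types in Steve's outline;
# the actions are hypothetical, not anything ClamAV itself defines.
POLICY = {
    "RAT": "block", "PwTool": "block", "Spy": "block", "IRC": "block",
    "Packed": "quarantine", "Script": "quarantine", "Server": "quarantine",
    "NetTool": "flag", "Tool": "flag",
}
# clamscan prints one "<path>: <signature> FOUND" line per detection.
FOUND_RE = re.compile(r"^(?P<path>.+?): (?P<sig>\S+) FOUND$")
# Naming scheme from the outline: PUA.<SubType>.<Name>[-<revision>]
PUA_RE = re.compile(r"^PUA\.(?P<subtype>[A-Za-z]+)\.(?P<name>.+?)(?:-(?P<rev>\d+))?$")

class Hit(NamedTuple):
    path: str
    signature: str
    subtype: Optional[str]  # None when the signature is not a PUA
    action: str

def classify(signature: str) -> Tuple[Optional[str], str]:
    # Returns (PUA sub-type or None, policy action) for one signature name
    m = PUA_RE.match(signature)
    if not m:
        return None, "block"  # not a PUA: ordinary malware, always block
    subtype = m.group("subtype")
    return subtype, POLICY.get(subtype, "flag")  # unknown sub-type: review

def parse_scan_output(text: str) -> List[Hit]:
    # Keeps only FOUND lines from clamscan output and attaches an action
    hits = []
    for line in text.splitlines():
        m = FOUND_RE.match(line.strip())
        if not m:
            continue  # "OK" lines and the scan summary carry no detection
        subtype, action = classify(m.group("sig"))
        hits.append(Hit(m.group("path"), m.group("sig"), subtype, action))
    return hits

# Constructed sample output: the UltraVNC line is the one quoted in the
# thread; the other paths and the EICAR test hit are made up here.
SAMPLE = """C:\\Program Files\\UltraVNC\\vnchooks.dll: PUA.RAT.VNC-21 FOUND
/var/spool/scan/msg42/nc.exe: PUA.NetTool.Angryscan-2 FOUND
/var/spool/scan/msg43/setup.exe: PUA.Packed.NPack-3 FOUND
/var/spool/scan/msg44/report.pdf: OK
/var/spool/scan/msg45/eicar.com: Eicar-Test-Signature FOUND
----------- SCAN SUMMARY -----------"""

if __name__ == "__main__":
    for h in parse_scan_output(SAMPLE):
        print(f"{h.action:<10} {h.subtype or '-':<8} {h.path}")
```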