On 8/5/2010 3:42 PM, Noel Jones wrote:

Creating "banned word" signatures is pretty straightforward. Convert the names to hex, add the clamav stuff and save it in a foo.ndb file in the clamav directory. A sig for "John Doe" would look something like (completely untested):
Client.Data.John.Doe:0:*:4a6f686e20446f65

You would need a separate sig for "Doe, John", but clam matches are very fast. There is unlikely to be much difference in scanning speed with 70,000 vs. 140,000 body sigs.



I don't know of any "secret code" bypass mechanism in either amavisd-new or clamav. Such a feature would give the security folks nightmares. It is possible to whitelist a specific recipient.

But it would be easy enough to bypass by changing the cASE of the name or using J. Doe etc. (you might be able to use wildcards to ignore case in the sig).



But just because this might partially work doesn't mean it's a good idea. The main problem I see is that it gives a false sense of security because there are too many ways to intentionally or accidentally bypass it. This isn't something to bet the farm on working 100%, because it can't.

Thanks. I know it isn't a great idea. It seems to be one of those "show we are making an effort" as opposed to "this is really a great idea" things. I guess I could just tell them to put the 'safe code' after the first letter of the person's name. Thanks for the reference. I will experiment with the wildcard settings as well.
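
The signature format from the quoted message, as an added example that is not part of either poster's mail: it builds the "John Doe" and "Doe, John" lines for a foo.ndb file and checks them against sample text to show which spellings an exact-byte signature catches. The function names and the sample bodies are constructed for illustration, and `hits` is a simplified stand-in for the scanner that only handles plain hex signatures.

```python
import re

PREFIX = "Client.Data"  # signature-name prefix, taken from the example in the post


def ndb_signature(text: str) -> str:
    """Build one .ndb line: Name:TargetType:Offset:HexSignature.

    Target type 0 and offset * are copied from the post's example line.
    """
    label = re.sub(r"[^A-Za-z0-9]+", ".", text).strip(".")
    return f"{PREFIX}.{label}:0:*:{text.encode('utf-8').hex()}"


def signatures_for(first: str, last: str) -> list[str]:
    """One signature per name order; the post notes each order needs its own sig."""
    return [ndb_signature(f"{first} {last}"), ndb_signature(f"{last}, {first}")]


def hits(sig_lines: list[str], body: bytes) -> list[str]:
    """Simplified stand-in for the scanner: exact byte search, plain hex only.

    Returns the names of the signatures whose byte string occurs in body.
    """
    found = []
    for line in sig_lines:
        name, _target, _offset, hexsig = line.split(":")
        if bytes.fromhex(hexsig) in body:
            found.append(name)
    return found


# Constructed sample message bodies (not real data).
SAMPLES = {
    "exact": b"Please send the file for John Doe today.",
    "reversed": b"Patient: Doe, John (room 4)",
    "lowercase": b"please send the file for john doe today.",
    "initial": b"Please send the file for J. Doe today.",
}

if __name__ == "__main__":
    sigs = signatures_for("John", "Doe")
    print("\n".join(sigs))  # lines to save in foo.ndb
    for label, body in SAMPLES.items():
        print(f"{label:10} -> {hits(sigs, body) or 'MISSED'}")
```

Running the same coverage check against your own list of name variants before deployment shows how much of the "show we are making an effort" filter actually fires.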