On 7/24/07, OliverScott <[EMAIL PROTECTED]> wrote:
You need to set a high priority for the meta rules as otherwise they are
evaluated BEFORE the ClamAV plugin is used (I think?). I am not an expert
in
how SA works, but I eventually came up with the following solution (for
using several different 3rd party clamav signatures):
This is my clamav.cf file:
loadplugin ClamAV clamav.pm
full CLAMAV eval:check_clamav()
describe CLAMAV Clam AntiVirus detected something...
score CLAMAV 0.001
# Look for specific types of ClamAV detections
header __CLAMAV_PHISH X-Spam-Virus =~ /Yes.{1,20}Phishing/i
header __CLAMAV_SANE X-Spam-Virus =~ /Yes.{1,20}Sanesecurity/i
header __CLAMAV_MBL X-Spam-Virus =~ /Yes.{1,20}MBL/
header __CLAMAV_MSRBL X-Spam-Virus =~ /Yes.{1,20}MSRBL/
[snip]
While playing with this, I found that I needed to change my rules a little.
Some of the Sane security sigs were being picked up as viruses, due to the
"Sanesecurity" string being 22 (or so) characters away from the Yes at the
start of the X-Spam-Virus header.
header __CLAMAV_PHISH X-Spam-Virus =~ /Yes.{1,30}Phishing/i
header __CLAMAV_SANE X-Spam-Virus =~ /Yes.{1,30}Sanesecurity/i
header __CLAMAV_MBL X-Spam-Virus =~ /Yes.{1,30}MBL/
header __CLAMAV_MSRBL X-Spam-Virus =~ /Yes.{1,30}MSRBL/
Thanks for your work on this, and hopefully this reduces false positives for
some folks.
