On 19.02.2015 at 16:13, Matteo Dessalvi wrote:
I am just curious, since I am using SaneSecurity signatures too. According to: http://sanesecurity.com/usage/signatures/ some of the lists you mentioned have been classified with 'medium' to 'high' risk of false positives:

foxhole_*
spear / spearl

Did you not get into trouble with those ones?
No, ClamAV doesn't see much mail at all because clamav-milter is running after spamass-milter and the filters in front are killing 99% at the envelope stage.

Blocked: 204540
SpamAssassin: 3292
Virus: 68

The foxhole ones are classified with 'high' because they don't care if it is a virus at all; they unpack the archive and reject unconditionally if there is a file with a blocked extension.
On 19.02.2015 15:46, Reindl Harald wrote:
On 19.02.2015 at 15:43, David F. Skoll wrote:
On Thu, 19 Feb 2015 09:34:28 -0500 Alex Regan <mysqlstud...@gmail.com> wrote:

[David Skoll]
spreadsheet with a macro virus in it. ClamAV is essentially useless at detecting viruses, so it's a real problem... any ideas?

Useless? Are you using the third-party patterns?

No, because when I tried some of them, there were an unacceptably high number of FPs. I tried tweaking various sets of Sane Security signatures and they didn't work well for me.

Looks like you are using the wrong ones; no problems with these ones:

blurl.ndb
bofhland_cracked_URL.ndb
bofhland_malware_attach.hdb
bofhland_malware_URL.ndb
bofhland_phishing_URL.ndb
crdfam.clamav.hdb
foxhole_all.cdb
foxhole_filename.cdb
foxhole_generic.cdb
malwarehash.hsb
phish.ndb
phishtank.ndb
rogue.hdb
sanesecurity.ftm
scamnailer.ndb
scam.ndb
sigwhitelist.ign2
spearl.ndb
spear.ndb
winnow.attachments.hdb
winnow_bad_cw.hdb
winnow_extended_malware.hdb
winnow_malware.hdb
winnow_malware_links.ndb
winnow_phish_complete_url.ndb
winnow_spam_complete.ndb
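Added example, not part of the original thread and not Sane Security's or ClamAV's code: a sketch of the filename-only policy described for the foxhole lists, showing why it rejects harmless archives as readily as malicious ones. The extension list, the size cap and all function names are assumptions made for illustration.

```python
import io
import zipfile

# Assumed block list for illustration; the real foxhole databases define their own.
BLOCKED_EXTENSIONS = {".exe", ".scr", ".pif", ".js", ".vbs"}
MAX_NESTED_BYTES = 1_000_000  # assumed cap so nested archives cannot exhaust memory


def blocked_members(zip_bytes, depth=0, max_depth=2):
    """Return archive member names whose extension is blocked.

    Member content is never scanned: the decision rests on the name alone.
    """
    hits = []
    try:
        archive = zipfile.ZipFile(io.BytesIO(zip_bytes))
    except zipfile.BadZipFile:
        return hits  # not a ZIP, so this policy has nothing to judge
    with archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            name = info.filename.lower()
            ext = "." + name.rsplit(".", 1)[-1] if "." in name else ""
            if ext in BLOCKED_EXTENSIONS:
                hits.append(info.filename)
            elif (ext == ".zip" and depth < max_depth
                  and info.file_size <= MAX_NESTED_BYTES):
                nested = blocked_members(archive.read(info), depth + 1, max_depth)
                hits.extend(f"{info.filename}/{n}" for n in nested)
    return hits


def verdict(zip_bytes):
    """Reject unconditionally as soon as any member has a blocked extension."""
    return "reject" if blocked_members(zip_bytes) else "accept"


def make_zip(members):
    """Build a constructed sample archive in memory from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed samples; none of them contains malware.
HARMLESS_TOOL = make_zip({"setup.exe": b"legitimate installer bytes"})
DOUBLE_EXT = make_zip({"invoice.pdf.exe": b"placeholder"})
DOCS_ONLY = make_zip({"report.pdf": b"%PDF-1.4", "notes.txt": b"hello"})
NESTED = make_zip({"inner.zip": HARMLESS_TOOL})
```

The harmless installer and the double-extension file get the same verdict, which is the false-positive behaviour behind the 'high' rating.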