################# 3rd Party ClamAV signatures ################

Last updated: 15.09.2015

WARNING
=======

Please use the provided download scripts where possible, and make sure
that you double-check the cron job scheduling, as neither myself nor the
mirrors will appreciate signatures being downloaded every second.

The mirrors reserve the right to block your IP address if you are
downloading too many times per hour or are abusing their
servers/bandwidth in any way.

If the download service is abused, the public rsync mirrors will be moved
to a password-only service, with only people who have donated receiving
the password to let them access the mirrors.

Information
===========

· Signatures are now signed using GnuPG, ensuring the integrity of the
  signatures. The public key for these signatures will be available from
  here: http://sanesecurity.co.uk/publickey.gpg

  For example, here's a good verify:

    gpg --verify junk.ndb.sig
    gpg: Signature made 01/09/09 09:55:48 using DSA key ID 31EA4D9E
    gpg: Good signature from "Sanesecurity (Sanesecurity Signatures)"

  Here's a bad verify:

    gpg --verify junk.ndb.sig
    gpg: Signature made 01/09/09 09:55:48 using DSA key ID 31EA4D9E
    gpg: BAD signature from "Sanesecurity (Sanesecurity Signatures)"

· A round-robin DNS system, to help spread the load over multiple rsync
  servers. This has been set up using the editdns.net DNS service, in
  order to manage the multiple A records. As this is currently a free
  account, the TTL (time to live) for each server is set to 300
  (5 minutes). If I receive enough donations, I'll update the account.

· A donation page, using PayPal, will now also accept credit cards, and
  hopefully we will be able to provide an invoice for people who want one.
  Anyone who donates will be given a non-public download URL, using only
  the fastest mirrors, and in addition will be notified of any important
  changes.

· A mailing list, which signature users are recommended to subscribe to,
  so that any future problems can be reported directly to you. Sign up to
  the Sanesecurity mailing list by sending an email with a Subject of
  "subscribe" to: sanesecurity-request@freelists.org

  Note: There is an archive, so you can read previous messages here:
  http://www.freelists.org/archive/sanesecurity

Details
=======

Current signature names
=======================

The following databases are distributed and produced by Sanesecurity

Database Name                      Description                                              FP Risk
junk.ndb                           General high hitting junk, containing                    Low
                                   spam/phishing/lottery/jobs/419s etc.
jurlbl.ndb                         Junk URL based                                           Low
jurlbla.ndb                        Junk URL based, autogenerated from various feeds         Med
lott.ndb                           Lottery                                                  Med
phish.ndb                          Phishing                                                 Low
rogue.hdb                          Malware, rogue anti-virus software and fake codecs etc.  Low
scam.ndb                           Spam/scams                                               Low
spam.ldb                           Spam detected using the new Logical Signature type       Med
spamimg.hdb                        Spammed images                                           Low
spamattach.hdb                     Spammed attachments such as pdf's/docs/rtf/zips          Low
spear.ndb                          Spear phishing email addresses (autogenerated from       Med
                                   data here)
spearl.ndb                         Spear phishing URLs (autogenerated from data here)       Med

The following databases are distributed by Sanesecurity, but produced by OITC

Database Name                      Description                                              FP Risk
winnow_malware.hdb                 Current virus, trojan and other malware not yet          Low
                                   detected by ClamAV. Undetected virus samples can be
                                   sent to virus_samples@oitc.com
winnow_malware_links.ndb           Links to malware                                         Low
winnow_spam_complete.ndb           Signatures to detect fraud and other malicious spam      Med
winnow_phish_complete.ndb          Phishing and other malicious URLs and compromised hosts  High
winnow_phish_complete_url.ndb      Similar to winnow_phish_complete.ndb except that         Med
                                   entire URLs are used
winnow.complex.patterns.ldb        Hand generated signatures for malware and some           Med
                                   egregious fraud
winnow_extended_malware.hdb        Hand generated signatures for malware                    Low
winnow_extended_malware_links.ndb  Hand generated signatures for malware links              Med
winnow.attachments.hdb             Spammed attachments such as pdf's/docs/rtf/zips          Low

Note: Only use ONE of the above databases, winnow_phish_complete.ndb or
winnow_phish_complete_url.ndb

The following databases are distributed by Sanesecurity, but produced by Julian Field

Database Name                      Description                                              FP Risk
scamnailer.ndb                     Spear phishing and other phishing emails                 Med

The following databases are distributed by Sanesecurity, but produced by Andrew Lewis

Database Name                      Description                                              FP Risk
doppelstern.ndb                    Phishing, scams and other junk                           Med
doppelstern.hdb                    Hashes of spam documents and images                      Low

The following databases are distributed by Sanesecurity, but produced by CRDF

Database Name                      Description                                              FP Risk
crdfam.clamav.hdb                  List of new threats detected by CRDF Anti Malware.       Low

Other files
===========

sanesecurity.ftm        Message file types. REQUIRED for best performance.
sigwhitelist.ign2       Fast update file to whitelist any problem signature.
                        REQUIRED 0.96rc1+
(databasename).sig      All signature files are GPG signed for extra
                        security/integrity (e.g. phish.ndb.sig)

Donations
=========

Sanesecurity signatures are the culmination of hard work and a commitment
to providing third-party signatures of professional quality to the web
community. We are not a company, and the signatures and support for the
signatures are carried out in my spare time.
If you feel that you would like to give a donation for your use of these
signatures, or just because you want to support us, please consider
making a donation via this page (we ask that you donate at least $5 to
cover PayPal processing fees): http://sanesecurity.com/donate/

Rsync Mirrors
=============

If you wish to mirror the Sanesecurity signature files and be added to
the DNS round-robin system, please contact me
(steveb_clamav AT sanesecurity.com). The mirror needs are basic: I need
rsync access to a directory, and you'll need to set up iptables to block
IPs which may try to hammer the server. More details will be given later.

Thanks
======

Malcolm Scott at Retrosnub Internet Services (http://www.retrosnub.co.uk)
for providing a mirror, download script and for his knowledge in helping
to set up the new download system.

Malcolm Scott at Retrosnub, Doc Schneider at FSL (http://fsl.com), Steve
Freegard at FSL (http://fsl.com), Steve Swaney at FSL (http://fsl.com),
Laurent CARON, Joerg Traeger, Panagiotis Christias, Roland Pelzer,
Patrick Ben Koetter and Matt at mxuptime for their invaluable help in
mirroring the signatures and providing assistance.

False Positives
===============

Please go to this page and report any false positives you find:
http://sanesecurity.com/support/false-positives/

If you need to decode the signatures to help pinpoint false positives,
please use the decoder here:
http://sanesecurity.com/support/signature-decoding/

While you wait for the faulty signature to be fixed, the following two
examples show you how to create a local.ign file to skip signatures which
are causing you a problem.

Example 1:
----------

If you have a false positive for Sanesecurity.Phishing.Rdi.5.UNOFFICIAL
(which is in the phish.ndb database), all you have to do is create a
local.ign file containing a line like this:

  phish.ndb:5:Sanesecurity.Phishing.Rdi.5

And that signature will then be ignored.
Note: make sure you leave off the .UNOFFICIAL from the signature name in
the .ign file, otherwise it won't work.

Example 2:
----------

If you have a false positive for Sanesecurity.Stk.3440.UNOFFICIAL (which
is in the scam.ndb database), all you have to do is create a local.ign
file containing a line like this:

  scam.ndb:3440:Sanesecurity.Stk.3440

And that signature will then be ignored.

Note: make sure you leave off the .UNOFFICIAL from the signature name in
the .ign file, otherwise it won't work.

Commercial use: You can use the Sanesecurity signatures in commercial
products. However, it would be appreciated if you make a reasonable
donation and send an email with information about the name of the company
and what product the signatures are being used in. If you are using the
signatures for an anti-spam/virus product and wish to mirror the
signatures for your own users to download directly, then please contact
me (steveb_clamav AT sanesecurity.com).

Disclaimer:
===========

Whilst every effort has been made by Sanesecurity to ensure that the
signatures don't lead to false positives, we make no warranty that the
signatures will meet your requirements, or be uninterrupted, complete,
timely, secure or error free. You must therefore use them at your own
risk.

Terms of use:

Commercial use: You can use the Sanesecurity signatures free of charge in
commercial products. However, it would be appreciated if you would make a
donation, as well as send an email with the name of the company and what
product the signatures are being used in.

No signature copying, duplication or reproduction is permitted without
the permission of Sanesecurity.

ClamAV is a registered trademark of Sourcefire, Inc.

Trademarks
==========

Signatures © sanesecurity.org.uk. All Rights Reserved.

ClamAV is a registered trademark of Cisco Systems. (C)2015 Cisco
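Returning to the local.ign examples in the False Positives section: the following added shell script (not part of the Sanesecurity README) builds such a line from the name ClamAV reports, stripping the .UNOFFICIAL suffix and looking up the signature's line number in the database file instead of guessing it from the name. The sample phish.ndb it writes is constructed; the function name make_ign_line and the hex bodies are assumptions of this example.

```shell
#!/bin/sh
# Added example, not Sanesecurity's own code.
# ClamAV's legacy .ign format is   database:linenumber:signaturename
# and the name must be given WITHOUT the .UNOFFICIAL suffix that ClamAV
# appends to third-party databases at scan time.

# make_ign_line DBFILE REPORTED_NAME  -> prints "db:line:name", or fails
# with a message on stderr when the signature is not in that database.
make_ign_line() {
    db="$1"
    name="${2%.UNOFFICIAL}"                     # strip the scan-time suffix
    # .ndb/.hdb/.ldb lines all begin with the signature name and a colon;
    # escape the dots so the grep is a literal match, not "any character".
    pattern="^$(printf '%s' "$name" | sed 's/\./\\./g'):"
    line=$(grep -n -m 1 "$pattern" "$db" | cut -d: -f1)
    if [ -z "$line" ]; then
        echo "signature $name not found in $db" >&2
        return 1
    fi
    printf '%s:%s:%s\n' "$(basename "$db")" "$line" "$name"
}

# Constructed stand-in for phish.ndb: five .ndb records (name:target:
# offset:hex) with the README's Example 1 signature on line 5. The hex
# bodies are placeholders, not real Sanesecurity signatures.
tmp=$(mktemp -d)
cat > "$tmp/phish.ndb" <<'EOF'
Sanesecurity.Phishing.Rdi.1:4:*:7468697320697320612074657374
Sanesecurity.Phishing.Rdi.2:4:*:6e6f7420612072656164207369676e6174757265
Sanesecurity.Phishing.Rdi.3:4:*:706c616365686f6c646572
Sanesecurity.Phishing.Rdi.4:4:*:73616d706c65
Sanesecurity.Phishing.Rdi.5:4:*:66616b65
EOF

# Append the ignore line for the name exactly as ClamAV reported it.
make_ign_line "$tmp/phish.ndb" Sanesecurity.Phishing.Rdi.5.UNOFFICIAL \
    >> "$tmp/local.ign"
cat "$tmp/local.ign"        # phish.ndb:5:Sanesecurity.Phishing.Rdi.5
```

Copy the resulting local.ign into the ClamAV database directory next to phish.ndb and reload the databases; the line number field is why the entry must be regenerated if the database is later rebuilt with the signature on a different line.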