[Mimedefang] What AV scanners do you use? (was Re: Any Sophie users out there?)

Richard Laager rlaager at wiktel.com
Thu Mar 20 16:00:50 EDT 2014


On Thu, 2014-03-20 at 15:04 -0400, David F. Skoll wrote:
> Post-Cisco, ClamAV seems to have greatly declined in usefulness.
> It catches hardly anything anymore... anyone else experiencing this?

Are you using clamav-unofficial-signatures? We are.

I have no idea how much we should be catching. But here's a dump of what
we're doing, in case it's helpful to anyone. If I'm doing something
stupid or not doing something smart, I welcome feedback.

We outright reject files with these extensions:
my $bad_exts = qr/(
    ade|adp|app|asd|bas|bat|chm|cmd|com|cpl|crt|exe|fxp|
    hlp|hta|hto|inf|ini|ins|isp|jse?|lib|lnk|mde|mim|msc|msp|mst|ocx|pcd|
    pif|prg|scr|sct|shb|shs|sys|vb|vbe|vbs|vxd|wmd|wms|wsc|wsf|wsh|\{[^\}]+\}
)/x;
my $bad_filename_regex = '\.' . $bad_exts . '\.*$';

We outright reject encrypted zip files.

We ignore official or unofficial signatures with virus names that
match: /^(AAPL|Application|PUA|SPR)\./

We handle the phishing and spam signatures differently, and exempt mail
going to our helpdesk or a variety of phishing-reporting addresses (at
banks, etc.):

qr/^(
    (email)?(abuse|fraud|phish(ing)?|(report_)?spam|spoof)\@.*
  | .*\@(abuse\.net|spam\.spamcop\.net)
  | aollegal\@aol\.com
  | askvisa(usa)?\@visa\.com
  | enforcement\@sec\.gov
  | fraud_help\@usbank\.com
  | mail-spoof\@cc\.yahoo-inc\.com
  | phishing-report\@us-cert\.gov
  | reports\@habeas\.com
  | stop-spoofing\@amazon\.com
  | reportphish\@wellsfargo\.com
)$/x

I'm skeptical that reporting phishing scams to major banks actually does
any good, but some of our customers want to be able to do so. We ignore
the Heuristics.Phishing.Email.SpoofedDomain test because of false
positives. Maybe we could score it, but we don't currently.

Viruses from the Internet are silently discarded to avoid generating
backscatter. Viruses from our customers are rejected (so they get an
error in their mail client if there's a false positive). Phishing/spam
mail detected by clamav is rejected on the spot; unlike SpamAssassin, we
apply this regardless of user settings and whitelisting does not apply.
In other words, the false positive rate is very, very low.

The encrypted zip and filename extensions are separate error messages
from each other and separate from spam and virus messages. We
special-case .lnk blocking with an error message that says they should
mail the file itself, not the shortcut to it.

-- 
Richard
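The policy Richard describes above, written out as a MIMEDefang-style Perl decision function. This is an added example, not Richard's filter and not MIMEDefang's own code. The extension list, the ignored signature prefixes, the SpoofedDomain exemption and the reporting-address regex are taken from the post; the case-insensitive filename match, the `$phish_spam_re` pattern used to tell phishing/spam signatures from malware, the "every recipient must be a reporting address" rule, the action labels and all sample signature names and addresses are my assumptions.

```perl
#!/usr/bin/perl
# Added example: a MIMEDefang-style decision function for the policy in
# the post. Not Richard's filter and not MIMEDefang's stock code.
use strict;
use warnings;

# Extension list and filename test from the post. The /i is my addition:
# the check should not depend on case (INVOICE.EXE, Readme.Scr).
my $bad_exts = qr/(?:
    ade|adp|app|asd|bas|bat|chm|cmd|com|cpl|crt|exe|fxp|
    hlp|hta|hto|inf|ini|ins|isp|jse?|lib|lnk|mde|mim|msc|msp|mst|ocx|pcd|
    pif|prg|scr|sct|shb|shs|sys|vb|vbe|vbs|vxd|wmd|wms|wsc|wsf|wsh|\{[^\}]+\}
)/xi;
my $bad_filename_re = qr/\.${bad_exts}\.*$/;   # trailing dots still match

sub is_bad_filename {
    my ($name) = @_;
    return ($name =~ $bad_filename_re) ? 1 : 0;
}

# Signature-name prefixes the post ignores (adware/application/PUA hits).
my $ignored_sig_re = qr/^(?:AAPL|Application|PUA|SPR)\./;

# Single heuristic the post ignores because of false positives.
my $spoofed_domain_sig = 'Heuristics.Phishing.Email.SpoofedDomain';

# Assumption: how to tell a phishing/spam signature from a malware one.
# ClamAV's own heuristics are named Heuristics.Phishing.*; the unofficial
# Sanesecurity sets carry Phish/Spam/Scam in the name.
my $phish_spam_re = qr/Phish|Spam|Scam/i;

# Recipients exempt from phishing/spam rejection (regex from the post;
# lowercasing the address before matching is my addition).
my $report_addr_re = qr/^(?:
    (?:email)?(?:abuse|fraud|phish(?:ing)?|(?:report_)?spam|spoof)\@.*
  | .*\@(?:abuse\.net|spam\.spamcop\.net)
  | aollegal\@aol\.com
  | askvisa(?:usa)?\@visa\.com
  | enforcement\@sec\.gov
  | fraud_help\@usbank\.com
  | mail-spoof\@cc\.yahoo-inc\.com
  | phishing-report\@us-cert\.gov
  | reports\@habeas\.com
  | stop-spoofing\@amazon\.com
  | reportphish\@wellsfargo\.com
)$/x;

# Decide what to do with one ClamAV hit.
#   $sig     - virus name reported by clamd
#   $inbound - true if the message came in from the Internet, false if
#              it was submitted by one of our customers
#   @rcpts   - envelope recipient addresses
# Returns 'ignore', 'accept', 'reject' or 'discard' (labels are mine).
sub action_for_hit {
    my ($sig, $inbound, @rcpts) = @_;

    return 'ignore' if $sig =~ $ignored_sig_re;
    return 'ignore' if $sig eq $spoofed_domain_sig;

    if ($sig =~ $phish_spam_re) {
        # Phishing/spam: deliver only when every recipient is a reporting
        # address (my reading of the exemption); otherwise reject on the
        # spot, with no user settings or whitelist consulted.
        my @others = grep { lc($_) !~ $report_addr_re } @rcpts;
        return @others ? 'reject' : 'accept';
    }

    # Malware: discard inbound to avoid backscatter, reject outbound so
    # the customer's client shows an error on a false positive.
    return $inbound ? 'discard' : 'reject';
}

# Constructed checks (sample names and addresses are made up for this example).
die 'ext'   unless is_bad_filename('invoice.pdf.exe');
die 'case'  unless is_bad_filename('INVOICE.EXE.');
die 'clsid' unless is_bad_filename('notes.txt.{3050F4D8-98B5-11CF-BB82-00AA00BDCE0B}');
die 'pdf'   if     is_bad_filename('quarterly-report.pdf');
die 'exe.'  if     is_bad_filename('exe.pdf');

die 'in'    unless action_for_hit('Win.Trojan.Agent-123', 1, 'alice@example.com') eq 'discard';
die 'out'   unless action_for_hit('Win.Trojan.Agent-123', 0, 'alice@example.com') eq 'reject';
die 'pua'   unless action_for_hit('PUA.Win.Packer.Upx-1', 1, 'alice@example.com') eq 'ignore';
die 'spoof' unless action_for_hit($spoofed_domain_sig, 1, 'alice@example.com') eq 'ignore';
die 'phish' unless action_for_hit('Heuristics.Phishing.Email.SSL-Spoof', 1, 'alice@example.com') eq 'reject';
die 'rpt'   unless action_for_hit('Heuristics.Phishing.Email.SSL-Spoof', 1, 'Phishing-Report@us-cert.gov') eq 'accept';
die 'mixed' unless action_for_hit('Sanesecurity.Phishing.Cur.1.UNOFFICIAL', 1, 'abuse@example.net', 'bob@example.com') eq 'reject';
print "all checks passed\n";
```

In a real filter the three pieces of context come from MIMEDefang itself: the filename from each entity in filter(), the direction from the relay address or the authenticated sender, and the recipient list from @Recipients. The checks at the bottom exercise the edge cases the extension regex is meant to catch: a double extension, a trailing dot, mixed case, and the CLSID-style extension that the `\{[^\}]+\}` alternative exists for.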