[Mimedefang] ClamAV + SaneSecurity signatures
Richard Laager
rlaager at wiktel.com
Thu Sep 18 15:33:41 EDT 2014
We use Sanesecurity signatures, as well as everything else from
clamav-unofficial-sigs. The code below is from filter_begin(), after we
run clamav.
We disable these signatures entirely, site-wide (i.e. not just for our
spam scanning boxes), though the spam scanning boxes were not the cause
of the initial complaints:
MBL_311364
MBL_400944
Sanesecurity.Malware.20847.ZipHeur
winnow.spam.ts.stock.4
This doesn't affect the spam scanning boxes in our deployment, but we
have had false positives on these as well, so maybe they should be
excluded on the spam scanning boxes too:
Tool.PassSteel.945.4 #ProduKey.exe
W32.Damaged_File.B.gen.238 #WindowsInstaller-KB893803-v2-x86.exe
Win.Trojan.Jadtre-17 #KillBox.exe
Win.Trojan.Swrort-4659 #PsInfo.exe
All but the WindowsInstaller-KB893803-v2-x86.exe (which is obviously
some sort of Microsoft patch, which in our case ships as part of another
product's installer) are tools used by our IT guys.
We block Encrypted.Zip in filter_end() subject to an exception based on
the filename of the attachment, which we get in filter(). Specifically,
we allow them if the filename ends in .csd, because of a customer
complaint about a Windows application named Ultra Tax.
$local_relay is:

    my $local_relay = &is_local_sender($RelayAddr);
    # Authenticated (SMTP AUTH) submissions count as local even when the
    # connecting IP is not in the local list.
    if ($local_relay == 0 &&
        exists($SendmailMacros{"auth_authen"}))
    {
        $local_relay = 1;
    }
where
is_local_sender() checks the IP against a list it obtained from our
database at slave startup.
    $first_recipient = &normalize_address($Recipients[0]);

where

    # Strip the surrounding angle brackets and lowercase the address.
    sub normalize_address($) # address
    {
        my $address = $_[0];
        $address =~ s/^<(.*)>$/$1/;
        return lc($address);
    }
&log_mail_event() is just a wrapper around md_graphdefang_log().
    if ($category eq "virus" &&
        $VirusName ne "Encrypted.Zip" &&
        $VirusName ne "Oversized.Zip" &&
        $VirusName ne "Zip.ExceededFileSize")
    {
        # Spam-type signatures: Sanesecurity (except the Rogue set, which is
        # real malware), winnow.spam and any *.Phishing name.
        if (($VirusName =~ /^Sanesecurity\./ &&
             $VirusName !~ /^Sanesecurity\.Rogue/) ||
            $VirusName =~ /winnow\.spam/ ||
            $VirusName =~ /\.Phishing/)
        {
            # Heuristics.Phishing.Email.SpoofedDomain is excluded as it
            # matches too much legitimate mail.
            #
            # Allow local users to send "spam" to the Helpdesk. This way, we
            # can ask them to forward us a copy in false positive cases.
            #
            # Likewise, we allow them to send mail to certain spam reporting
            # destinations. NOTE: We have a copy of this list in filter_end.
            #
            # The exception only applies when there is exactly one recipient
            # ($#Recipients == 0).
            unless ($VirusName eq 'Heuristics.Phishing.Email.SpoofedDomain' ||
                    ($local_sender_address == 1 &&
                     $#Recipients == 0 &&
                     ($first_recipient eq $DaemonAddress ||
                      $first_recipient =~ /^(
                          (email)?(abuse|fraud|phish(ing)?|(report_)?spam|spoof)\@.*
                        | .*\@(abuse\.net|spam\.spamcop\.net)
                        | aollegal\@aol\.com
                        | askvisa(usa)?\@visa\.com
                        | enforcement\@sec\.gov
                        | fraud_help\@usbank\.com
                        | mail-spoof\@cc\.yahoo-inc\.com
                        | phishing-report\@us-cert\.gov
                        | reports\@habeas\.com
                        | stop-spoofing\@amazon\.com
                        | reportphish\@wellsfargo\.com
                      )$/x)))
            {
                &log_mail_event('clamav_spam', $VirusName);
                action_bounce(
                    "Spam not allowed. Contact $DaemonAddress for " .
                    "assistance. ($MsgID)",
                    554, "5.7.1");
            }
        }
        elsif ($VirusName =~ /^(AAPL|Application|PUA|SPR)\./)
        {
            # This list came from Arnaud Jacques <webmaster at securiteinfo.com>,
            # who responded to an inquiry about false positives for SPR.*
            # signatures.
            #
            # We just log this for our information.
            &log_mail_event('clamav_pua', $VirusName);
        }
        else
        {
            &log_mail_event('virus', $VirusName);
            if ($local_relay)
            {
                # Viruses from our users are rejected, so they know their
                # message did not go through.
                action_bounce(
                    "Virus detected: $VirusName. Contact $DaemonAddress for " .
                    "assistance. ($MsgID)",
                    554, "5.7.1");
            }
            else
            {
                # Viruses from the Internet are discarded to avoid generating
                # backscatter.
                action_discard();
            }
        }
    }
--
Richard
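The decision tree in the post above, as a stand-alone Perl script that can be exercised without a running MIMEDefang. This is an added example, not Richard's code and not part of MIMEDefang: the function names (classify_scan_result, encrypted_zip_allowed), the helpdesk address and the sample signature names and recipients are assumptions made here. The post's $local_sender_address (used for the helpdesk exception, not shown in the excerpt) and $local_relay (used for the virus bounce) are kept as two separate inputs, since the excerpt treats them as different things.

```perl
#!/usr/bin/perl
# Added example (not from the original post or from MIMEDefang): the
# filter_begin() decision tree above as a pure function, plus the
# Encrypted.Zip filename exception the post describes for filter_end().
use strict;
use warnings;

# Strip angle brackets and lowercase, as the post's normalize_address() does.
sub normalize_address {
    my ($address) = @_;
    $address =~ s/^<(.*)>$/$1/;
    return lc $address;
}

# Destinations a local user may send a flagged message to (the post's list).
my $REPORTING_DEST = qr/^(
    (email)?(abuse|fraud|phish(ing)?|(report_)?spam|spoof)\@.*
  | .*\@(abuse\.net|spam\.spamcop\.net)
  | aollegal\@aol\.com
  | askvisa(usa)?\@visa\.com
  | enforcement\@sec\.gov
  | fraud_help\@usbank\.com
  | mail-spoof\@cc\.yahoo-inc\.com
  | phishing-report\@us-cert\.gov
  | reports\@habeas\.com
  | stop-spoofing\@amazon\.com
  | reportphish\@wellsfargo\.com
)$/x;

# Returns one of: pass, spam_reject, pua_log, virus_reject, virus_discard.
sub classify_scan_result {
    my (%a) = @_;
    my $name = $a{virus_name};

    # Not a virus hit, or an archive-policy name that filter_end() handles.
    return 'pass' if $a{category} ne 'virus';
    return 'pass' if grep { $name eq $_ }
        qw(Encrypted.Zip Oversized.Zip Zip.ExceededFileSize);

    # Spam-type signatures: Sanesecurity (minus Rogue), winnow.spam, *.Phishing.
    if (($name =~ /^Sanesecurity\./ && $name !~ /^Sanesecurity\.Rogue/)
        || $name =~ /winnow\.spam/ || $name =~ /\.Phishing/) {
        # SpoofedDomain matches /\.Phishing/ and is then exempted, so it is
        # neither logged nor rejected.
        return 'pass' if $name eq 'Heuristics.Phishing.Email.SpoofedDomain';
        my @rcpts = @{ $a{recipients} };
        if ($a{local_sender} && @rcpts == 1) {      # $#Recipients == 0
            my $first = normalize_address($rcpts[0]);
            return 'pass' if $first eq lc($a{helpdesk})
                          || $first =~ $REPORTING_DEST;
        }
        return 'spam_reject';
    }

    # Potentially unwanted applications: logged only.
    return 'pua_log' if $name =~ /^(AAPL|Application|PUA|SPR)\./;

    # Real malware: reject for local relays, discard (no backscatter) otherwise.
    return $a{local_relay} ? 'virus_reject' : 'virus_discard';
}

# filter_end() rule from the post: Encrypted.Zip is blocked unless the
# attachment name ends in .csd. The sender chooses the filename, so this is
# a usability exception for one application, not a security control.
sub encrypted_zip_allowed {
    my ($filename) = @_;
    return $filename =~ /\.csd$/ ? 1 : 0;
}

# Constructed cases (signature names other than the post's are made up);
# the last column is what the post's filter would do.
my @cases = (
    [ 'Sanesecurity.Junk.12345',   0, 0, ['<bob@example.net>'],     'spam_reject'   ],
    [ 'Sanesecurity.Rogue.1',      0, 0, ['<bob@example.net>'],     'virus_discard' ],
    [ 'winnow.spam.ts.stock.4',    1, 1, ['<ABUSE@example.com>'],   'pass'          ],
    [ 'winnow.spam.ts.stock.4',    1, 1, ['<abuse@example.com>', '<x@example.com>'],
                                                                    'spam_reject'   ],
    [ 'Heuristics.Phishing.Email.SpoofedDomain',
                                   0, 0, ['<bob@example.net>'],     'pass'          ],
    [ 'PUA.Win.Packer.Example-1',  0, 0, ['<bob@example.net>'],     'pua_log'       ],
    [ 'Win.Trojan.Swrort-4659',    1, 1, ['<bob@example.net>'],     'virus_reject'  ],
    [ 'Win.Trojan.Swrort-4659',    0, 0, ['<bob@example.net>'],     'virus_discard' ],
    [ 'Encrypted.Zip',             0, 0, ['<bob@example.net>'],     'pass'          ],
);
for my $c (@cases) {
    my ($name, $local_sender, $local_relay, $rcpts, $want) = @$c;
    my $got = classify_scan_result(
        category => 'virus', virus_name => $name,
        local_sender => $local_sender, local_relay => $local_relay,
        recipients => $rcpts, helpdesk => 'helpdesk@example.com',
    );
    printf "%-42s -> %-13s %s\n", $name, $got,
        $got eq $want ? 'ok' : "MISMATCH (want $want)";
}
printf "Encrypted.Zip as %-12s -> %s\n", $_,
    encrypted_zip_allowed($_) ? 'allowed' : 'blocked' for qw(return.csd payload.zip);
```

Two things the table makes visible that the prose does not: a Sanesecurity.Rogue.* hit is deliberately pushed out of the spam branch and treated as malware (discarded from the Internet, bounced from local relays), and the helpdesk/reporting exception is only reached when the sender is local and the message has a single recipient, so a report CC'd to anyone else is still rejected. The site-wide disabling of the four signatures listed at the top of the post happens outside this code; the post does not say how, and one standard way is a local .ign2 file in the ClamAV database directory listing one signature name per line.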