Fwd: Clamav suggestions post

Fabio Pedretti pedretti at eco.unibs.it
Mon May 21 15:11:34 IST 2007


Forwarding Steve Basford comment to the list.

----- Forwarded message from steveb_clamav at sanesecurity.com -----
     Date: Mon, 21 May 2007 14:04:58 +0100 (BST)
     From: Steve Basford <steveb_clamav at sanesecurity.com>
 Reply-To: Steve Basford <steveb_clamav at sanesecurity.com>
  Subject: Clamav suggestions post
       To: pedretti at eco.unibs.it

Hi,

> No, in fact the string I have posted was taken from clamav signatures
> and not sanesecurity signatures.
> The problem is for all signatures that uses the "signature format #4"
> (the signature for checking mail), as specified in signatures.pdf in
> clamav source.

Thanks, correct!  ALL type 4 sigs will not match unless there are some headers
present in the file that is passed to Clamd for scanning:

Look at the code:
http://svn.clamav.net/websvn/filedetails.php?repname=clamav-devel&path=%2Ftrunk%2Flibclamav%2Ffiletypes.c&rev=0&sc=0

If any of the following are there... ClamAV knows it's a type 4 file being
scanned:

     /* Mail */

     {0,  "From ",			 5, "MBox",		  CL_TYPE_MAIL},
     {0,  "Received: ",			10, "Raw mail",		  CL_TYPE_MAIL},
     {0,  "Return-Path: ",		13, "Maildir",		  CL_TYPE_MAIL},
     {0,  "Return-path: ",		13, "Maildir",		  CL_TYPE_MAIL},
     {0,  "Delivered-To: ",		14, "Mail",		  CL_TYPE_MAIL},
     {0,  "X-UIDL: ",			 8, "Mail",		  CL_TYPE_MAIL},
     {0,  "X-Apparently-To: ",		17, "Mail",		  CL_TYPE_MAIL},
     {0,  "X-Envelope-From: ",		17, "Mail",		  CL_TYPE_MAIL},
     {0,  "X-Original-To: ",		15, "Mail",		  CL_TYPE_MAIL},
     {0,  "X-Symantec-",			11, "Symantec",		  CL_TYPE_MAIL},
     {0,  "X-EVS",			 5, "EVS mail",		  CL_TYPE_MAIL},
     {0,  "X-Real-To: ",			11, "Mail",		  CL_TYPE_MAIL},
     {0,  "X-Sieve: ",			 9, "Mail",		  CL_TYPE_MAIL},
     {0,  ">From ",			 6, "Mail",		  CL_TYPE_MAIL},
     {0,  "Date: ",			 6, "Mail",		  CL_TYPE_MAIL},
     {0,  "Message-Id: ",		12, "Mail",		  CL_TYPE_MAIL},
     {0,  "Message-ID: ",		12, "Mail",		  CL_TYPE_MAIL},
     {0,  "Envelope-to: ",		13, "Mail",		  CL_TYPE_MAIL},
     {0,  "Delivery-date: ",		15, "Mail",		  CL_TYPE_MAIL},
     {0,  "To: ",			 4, "Mail",		  CL_TYPE_MAIL},
     {0,  "Subject: ",			 9, "Mail",		  CL_TYPE_MAIL},
     {0,  "For: ",			 5, "Eserv mail",	  CL_TYPE_MAIL},
     {0,  "From: ",			 6, "Exim mail",	  CL_TYPE_MAIL},
     {0,  "v:\015\012Received: ",	14, "VPOP3 Mail (DOS)",	  CL_TYPE_MAIL},
     {0,  "v:\012Received: ",		13, "VPOP3 Mail (UNIX)",  CL_TYPE_MAIL},
     {0,  "Hi. This is the qmail-send",  26, "Qmail bounce",	  CL_TYPE_MAIL},

If you changed all the type 4 signatures to a type 0 (ALL files) you would
get detection... but... in ALL files including word documents, jpgs, etc,
etc. which isn't what you want.

So, I would think for the best detection rates from the official ClamAV
sigs and certainly from my Sanesecurity sigs... you HAVE to scan the whole
email, including headers.

Most of my image spam sigs will not work... UNLESS you have headers too :(

Hope it helps,

Steve
Sanesecurity.com


----- End of forwarded message -----
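The following is an added example, not code from the thread or from ClamAV: a simplified re-implementation of the CL_TYPE_MAIL rows of the filetypes.c table Steve quotes, used to check whether a buffer handed to clamd would be typed as mail (and so be eligible for type 4 signatures) at all. It assumes each row is a plain byte-prefix compare at offset 0, as the table's first column suggests; the sample message is constructed.

```python
from typing import Optional

# Added example, not ClamAV's code: the CL_TYPE_MAIL prefixes from the
# filetypes.c table above, assumed to be plain byte compares at offset 0.
# The C lengths equal len(prefix); \015\012 is CRLF and \012 is LF.
MAIL_MAGIC = (
    (b"From ", "MBox"), (b"Received: ", "Raw mail"),
    (b"Return-Path: ", "Maildir"), (b"Return-path: ", "Maildir"),
    (b"Delivered-To: ", "Mail"), (b"X-UIDL: ", "Mail"),
    (b"X-Apparently-To: ", "Mail"), (b"X-Envelope-From: ", "Mail"),
    (b"X-Original-To: ", "Mail"), (b"X-Symantec-", "Symantec"),
    (b"X-EVS", "EVS mail"), (b"X-Real-To: ", "Mail"),
    (b"X-Sieve: ", "Mail"), (b">From ", "Mail"),
    (b"Date: ", "Mail"), (b"Message-Id: ", "Mail"),
    (b"Message-ID: ", "Mail"), (b"Envelope-to: ", "Mail"),
    (b"Delivery-date: ", "Mail"), (b"To: ", "Mail"),
    (b"Subject: ", "Mail"), (b"For: ", "Eserv mail"),
    (b"From: ", "Exim mail"),
    (b"v:\r\nReceived: ", "VPOP3 Mail (DOS)"),
    (b"v:\nReceived: ", "VPOP3 Mail (UNIX)"),
    (b"Hi. This is the qmail-send", "Qmail bounce"),
)


def detect_mail_type(data: bytes) -> Optional[str]:
    """Description of the first matching prefix, or None if not typed as mail."""
    for prefix, description in MAIL_MAGIC:
        if data.startswith(prefix):
            return description
    return None


def type4_signatures_apply(data: bytes) -> bool:
    """Type 4 (mail) signatures are only consulted on buffers typed as mail."""
    return detect_mail_type(data) is not None


# Constructed sample: one message passed whole, and the same message with
# its headers stripped, as a scanner that hands clamd only the body would.
FULL_MESSAGE = (
    b"Received: from mx.example.invalid (constructed sample)\r\n"
    b"Subject: hello\r\n"
    b"\r\n"
    b"body text that a type 4 signature might match\r\n"
)
BODY_ONLY = FULL_MESSAGE.split(b"\r\n\r\n", 1)[1]

if __name__ == "__main__":
    for label, buf in (("whole message", FULL_MESSAGE), ("body only", BODY_ONLY)):
        print(f"{label}: type={detect_mail_type(buf)!r} "
              f"type4_apply={type4_signatures_apply(buf)}")
```

Run against a real message file to see whether what your scanner passes to clamd still begins with one of these headers; if it does not, type 4 sigs never fire on it.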



More information about the MailScanner mailing list