Sanesecurity signatures are no longer being updated or distributed
Steve Basford
steveb_clamav at sanesecurity.com
Tue Dec 16 21:05:43 GMT 2008
Greg Matthews wrote:
> Anyone know if Sane Security are submitting signatures direct to
> ClamAV? I understand that many of their signatures would make their
> way into the official Clam updates.
Sanesecurity signatures aren't being added into the ClamAV official
signatures... they are totally third-party sigs.
> Sounds like a P2P distribution mech may have helped here.
>
Well, I've just managed to find a little time to do a little log
checking, now that the round-robin php script was turned off.. Checking
the log for today:
Position: IP: number of hits for today
In other words, if people downloaded the sigs every hour, each ip should
only have 24 hits....as you can see, the above ips are WAY over that.
Checking the log in detail... it seems people are setting the download
scripts to download every second.... all adding up to: 45,554 hits an hour,
add the fact that 45,554 hits would run a php script... guess that's why
the cpu usage was so high on a shared server and then got suspended.
Signature Note:
People have decided to mirror the last version of the public signatures:
1. The signatures were removed and a placeholder signature added, so
that hopefully people would quickly notice that their scripts needed to
be changed... as the server is still getting hammered by wget/curl
requests (approx 45,554 hits per hour)
2. NO SUPPORT will be given on these unofficially mirrored signatures,
in fact these mirrored signatures are already out of date, some false
positives have already been corrected and new signatures have already
been added to my private version of the signatures.
Hope that helps,
Steve
Sanesecurity
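
The per-IP check described in the message above (hourly downloads mean at most 24 hits per IP per day), as an added example that is not part of the original post. It assumes Apache/NCSA common log format, which the post does not specify; the function names, sample addresses and request path are constructed for illustration.

```python
import re
from collections import Counter
from datetime import datetime

# Assumption: Apache/NCSA common log format; the post does not name the format.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "')
DAILY_BUDGET = 24  # one download per hour, the figure given in the post


def heavy_clients(lines, budget=DAILY_BUDGET):
    """Return (ip, day, hits, shortest_gap_seconds) for clients over budget."""
    hits, last_seen, min_gap = Counter(), {}, {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the report
        ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
        key = (m.group(1), ts.date().isoformat())
        hits[key] += 1
        if key in last_seen:
            gap = abs((ts - last_seen[key]).total_seconds())
            min_gap[key] = min(gap, min_gap.get(key, gap))
        last_seen[key] = ts
    report = [(ip, day, n, min_gap.get((ip, day)))
              for (ip, day), n in hits.items() if n > budget]
    return sorted(report, key=lambda r: r[2], reverse=True)


def sample_log():
    """Constructed log: documentation-range IPs and a made-up path."""
    req = '"GET /sigs/example.ndb.gz HTTP/1.0" 200 512'
    lines = [f'192.0.2.10 - - [16/Dec/2008:10:00:{s:02d} +0000] {req}'
             for s in range(40)]            # polls every second
    lines += [f'198.51.100.7 - - [16/Dec/2008:{h:02d}:30:00 +0000] {req}'
              for h in range(24)]           # polls hourly, within budget
    lines.append("truncated line")          # malformed entry
    return lines


if __name__ == "__main__":
    for ip, day, n, gap in heavy_clients(sample_log()):
        print(f"{day} {ip} {n} hits, shortest gap {gap:.0f}s")
```

The shortest-gap column separates a client polling every second from one that merely runs its cron job a few times too often.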