Sanesecurity ClamAV sigs are back. Yay!

Rick Cooper rcooper at
Fri Jan 23 23:13:03 GMT 2009


 > -----Original Message-----
 > From: mailscanner-bounces at 
 > [mailto:mailscanner-bounces at] On 
 > Behalf Of Alex Broens
 > Sent: Friday, January 23, 2009 5:04 PM
 > To: MailScanner discussion
 > Subject: Re: Sanesecurity ClamAV sigs are back. Yay!
 > On 1/23/2009 10:35 PM, Julian Field wrote:
 > > 
 > > 
 > > On 23/1/09 15:38, Alex Broens wrote:
 > >> On 1/23/2009 4:22 PM, Jonas Akrouh Larsen wrote:
 > >>> I've not used sanesecurity so far, because it messes up 
 > statistics and
 > >>> generally make it less transparent why a mail was blocked.
 > >>>
 > >>> My problem is I don't want my system to list a mail as a 
 > virus if its 

 > The SaneSecurity sigs have developed in a direction where 
 > they have very 
 > little to do with pure AV but act more like several well 
 > known digests 
 > designed for spam detection and imo, should be treated as such.

Actually if you look at pretty much all the third party signatures they
revolve around spam, phishing, etc and not actual viruses. Viruses are
submitted to the clam team and added to their sigs. I believe this was part
of the reason the clamav team started the practice of outputting the fact
that the signature that was hit is a third party sig so parsers could easily
tell that the sig was likely not an actual virus. I think the sanesecurity
sigs do an overall better job than a lot of the various digests and
spamassassin for that matter. I cannot rememeber ever seeing a FP from them.
Maybe, somewhere down the road the clam section of MS can be reworked to
recognize "UNOFFICIAL" I n the virus name. For that matter SaneSecurity
actually has .Spam, .Malware, .Scamx in the virus name as well. If it's not
too hard to rewrite the clam section to add non virus hits to spam/scam
instead of viruses it might be worth doing. 

Maybe add a X-SaneSecurity header that can be scored by SpamAssassin? I
guess not, now that I think about it spam scanning comes before virus
scanning doesn't it? Too bad that can't easily be changed as it's a shame to
scan a message for spam only to find it contains a virus/malware and
wouldn't be delivered anyway

 > Alex
 > PS: I wouldn't underestimate the power of pretty graphs... :-)
 > --
 > MailScanner mailing list
 > mailscanner at
 > Before posting, read
 > Support MailScanner development - buy the book off the website!

This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

More information about the MailScanner mailing list