ClamWin Free Antivirus Forum Index
ClamWin Free Antivirus
Support and Discussion Forums
Reply to topic
Sane Security Phishing & Scam Signatures for Clam/ClamWi
GuitarBob


Joined: 09 Jul 2006
Posts: 4335
Location: USA
Reply with quote
I just ran across a page on the Web offering downloadable phishing and scam signatures for ClamAV and ClamWin. The Web page is offered by SaneSecurity. Location: http://sanesecurity.com/clamav/downloads.htm.

They offer download scripts, and there are separate signature databases for phishing and scams. It evidently is a small project with limited bandwith. They claim that downloading 4 times a day will provide you with good coverage.

Does anyone know anything about this? Could this be used to provide additional functionality for ClamWin? Perhaps someone from the ClamWin team should look into this and check it out.

Regards,
View user's profileSend private message
sherpya


Joined: 22 Mar 2006
Posts: 898
Location: Italy
Reply with quote
you can put signatures in db directory, but not all .cvd packages so they use an .ndb signature list, you can safely try it with clamwin
View user's profileSend private message
drgoa.r


Joined: 20 Nov 2006
Posts: 66
Location: Bulgaria
Reply with quote
Quote:
31.01.07

Woah... has it been that long... okay... quick news rundown... I'm now doing phishing sigs for the ClamAV team.... whoo!

Firstly, my sigs are still going to be around... as the ClamAV team and myself work to slightly different methods when it comes to phishing and how to produce signatures but basically, everyone will benifit and that's the main thing Smile

Secondly... the scam sigs are doing really well, which I'm really pleased about Smile

http://www.sanesecurity.com/clamav/news.htm
If I understand it corectly - the guy works now with ClamAV team, so sooner his phishing database will be merged with ClamAV's one.
View user's profileSend private message
Phishing and Scam Signatures
GuitarBob


Joined: 09 Jul 2006
Posts: 4335
Location: USA
Reply with quote
You wrote:

"If I understand it corectly - the guy works now with ClamAV team, so sooner his phishing database will be merged with ClamAV's one. "

That's good. I understand that Clam has a phishing heuristic that was developed under the Google Summer of Code project. Perhaps this will be incorporated in version 0.090. I hope ClamWin can take advantage of it.

Regards,
View user's profileSend private message
sanesecurity


Joined: 09 Feb 2007
Posts: 7
Reply with quote
[quote="drgoa.r"]
Quote:
If I understand it corectly - the guy works now with ClamAV team, so sooner his phishing database will be merged with ClamAV's one.


Hi All,

I'm the guy that does the Sanesecurity phishing and scam signatures. Hopefully, you are
finding the installers are working fine for ClamWin.

Just to point out something regarding the ClamAV team.

Firstly, there are no plans to merge my phishing signatures into the main ClamAV database. While it would be nice to do, it's not going to happen, as the ClamAV team have pretty "strict" methods of producing signatures.. which my signatures don't all adhere too.

Secondly, the scam database (which helps with some image spam/stock spams/419s etc) won't ever be added, as ClamAV team only officially deals with Viruses/Trojans/Phishing.

I have produced some signatures already for ClamAV.

Any more questions... just yell Smile

Cheers,

Steve
SaneSecurity.com
View user's profileSend private message
Phishing/Scam Database
GuitarBob


Joined: 09 Jul 2006
Posts: 4335
Location: USA
Reply with quote
For a long time the antivirus programmers/programs refused to think about spyware. Now many of them are expanding their signatures/other detection methods to incorporate spyware also. To me this seems like a good idea--even though it increases their workload. They shouldn't be in the position of deciding what is malware--if code is placed on a computer without the owner's knowledge/consent, then it's malware, no matter what it is called, and they are in the position of stopping malware.

It appears that ClamAV is going to depend a lot upon heuristics to detect phishing. Note the tester mentions the Sane Security signatures are more up-to-date than Clam's. Follow the link below.

http://www.mail-archive.com/clamav-devel@lists.clamav.net/msg02552.html

Thanks for your efforts, Steve.

Regards,
View user's profileSend private message
galileo


Joined: 01 Nov 2006
Posts: 19
Location: Charlotte, NC USA
Reply with quote
What are the mechanics of installing/enabling/including this in Clamwin? What about the updating aspect - manual or automatic? From an email perspective this sounds at first blush to be a desirable addition.
View user's profileSend private message
Sane Security
GuitarBob


Joined: 09 Jul 2006
Posts: 4335
Location: USA
Reply with quote
I don't know much about it--haven't downloaded/used the signatures. I found a reference to ClamAV and phishing on the Web. The download page is at http://www.sanesecurity.com/clamav/usage.htm. There is a script for downloading. Make sure you get the ClamWin version. Looks like you download the signatures and put them in your ClamWin db directory with the regular signatures. Let us know how it works if you use them.

Regards,
View user's profileSend private message
drgoa.r


Joined: 20 Nov 2006
Posts: 66
Location: Bulgaria
Reply with quote
I am using them.
Took ClamWin versions, they come with installer (which I don't like, not only these ones, ALL installers Twisted Evil)
So, installers are configured to place signature files in default database folder for ClamWin, BUT the good thing is that you can change the location manually (if you are not using the default folder).
The strange thing is that (in addition to new signatures) you will end up with few new empty folders (in your DB folder), which probably you will never need...
I test the signatures using text files provided on the site for this purpose, and they works.
It will be good if the developer provides signature files without installer.
But if he don't - you can use ClamAV files, removing .gz at the end, and placing renamed files in your ClamWin database folder manually.
View user's profileSend private message
Phishing Signatures
GuitarBob


Joined: 09 Jul 2006
Posts: 4335
Location: USA
Reply with quote
Good. The ClamWin developers have mentioned the possibility of separate signatures for ClamWin. Perhaps Steve could work with the ClamWin team to make the update process smoother and increase the functionality of ClamWin--providing it could be done at low cost/effort.

Regards,
View user's profileSend private message
sanesecurity


Joined: 09 Feb 2007
Posts: 7
Reply with quote
drgoa.r wrote:

The strange thing is that (in addition to new signatures) you will end up with few new empty folders (in your DB folder), which probably you will never need....


Hmmm... I'll take a look at that later, when I get a minute.

drgoa.r wrote:

I test the signatures using text files provided on the site for this purpose, and they works.
It will be good if the developer provides signature files without installer.
But if he don't - you can use ClamAV files, removing .gz at the end, and placing renamed files in your ClamWin database folder manually.


If you don't want to use the installer than manually download the .gz files and then use a program such as IZarc or 7-Zip to un-tar the contents. You should then end up with phish.ndb and scam.ndb, which you place in your ClamWin DB folder.

All I ask that is that you don't hit the server every hour (I don't have unlimited bandwidth)

Cheers,

Steve
View user's profileSend private message
Re: Phishing Signatures
sanesecurity


Joined: 09 Feb 2007
Posts: 7
Reply with quote
GuitarBob wrote:
Good. The ClamWin developers have mentioned the possibility of separate signatures for ClamWin. Perhaps Steve could work with the ClamWin team to make the update process smoother and increase the functionality of ClamWin--providing it could be done at low cost/effort.

Regards,


Interesting... I wonder if the SourceForge site could be use to mirror my phish and scam signatures and have two new options in ClamWin:

Use SaneSecurity Phishing Sigs [Y/N] {default: No}
Use SaneSecurity Scam Sigs [Y/N} {default: No}

Something like that... in that way, ClamWin could download the needed sigs from sourceforge and untar them... and place in the right DB directory.

It might just work Wink

Cheers,

Steve
View user's profileSend private message
Sane Security
GuitarBob


Joined: 09 Jul 2006
Posts: 4335
Location: USA
Reply with quote
Let's see what Alch and the other developers say. This might be something they would consider for Version 1.0 when it comes out--I don't know if they want to do much more with the present version.

Regards,
View user's profileSend private message
Re: Sane Security
sanesecurity


Joined: 09 Feb 2007
Posts: 7
Reply with quote
GuitarBob wrote:
Let's see what Alch and the other developers say. This might be something they would consider for Version 1.0 when it comes out--I don't know if they want to do much more with the present version.

Regards,


No problem.. I've dropped them a "hello" and pointed them to this thread Smile

By the way all, I've just updated the phish and scam installers... so, should catch a few more stuff!

Cheers,

Steve
View user's profileSend private message
Sane Security Phishing & Scam Signatures for Clam/ClamWi
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
All times are GMT  
Page 1 of 1  

  
  
 Reply to topic