Sane Security Phishing & Scam Signatures for Clam/ClamWi
GuitarBob
Joined: 09 Jul 2006
Posts: 9
Location: USA
Posted: Tue Feb 06, 2007 9:41 pm
I just ran across a page on the Web offering downloadable phishing and scam signatures for ClamAV and ClamWin. The Web page is offered by SaneSecurity. Location: https://sanesecurity.com/clamav/downloads.htm.
They offer download scripts, and there are separate signature databases for phishing and scams. It evidently is a small project with limited bandwidth. They claim that downloading 4 times a day will provide you with good coverage.
Does anyone know anything about this? Could this be used to provide additional functionality for ClamWin? Perhaps someone from the ClamWin team should look into this and check it out.
Regards,

sherpya
Joined: 22 Mar 2006
Posts: 0
Location: Italy
Posted: Wed Feb 07, 2007 6:11 am
You can put signatures in the db directory, but not all .cvd packages, so they use an .ndb signature list; you can safely try it with ClamWin.

Phishing and Scam Signatures
GuitarBob
Joined: 09 Jul 2006
Posts: 9
Location: USA
Posted: Wed Feb 07, 2007 2:55 pm
You wrote:
"If I understand it correctly - the guy works now with ClamAV team, so sooner his phishing database will be merged with ClamAV's one."
That's good. I understand that Clam has a phishing heuristic that was developed under the Google Summer of Code project. Perhaps this will be incorporated in version 0.090. I hope ClamWin can take advantage of it.
Regards,

sanesecurity
Joined: 09 Feb 2007
Posts: 0
Posted: Fri Feb 09, 2007 12:39 pm
drgoa.r wrote:
"If I understand it correctly - the guy works now with ClamAV team, so sooner his phishing database will be merged with ClamAV's one."
Hi All,
I'm the guy that does the Sanesecurity phishing and scam signatures. Hopefully, you are finding the installers are working fine for ClamWin.
Just to point out something regarding the ClamAV team.
Firstly, there are no plans to merge my phishing signatures into the main ClamAV database. While it would be nice to do, it's not going to happen, as the ClamAV team have pretty "strict" methods of producing signatures... which my signatures don't all adhere to.
Secondly, the scam database (which helps with some image spam/stock spams/419s etc) won't ever be added, as ClamAV team only officially deals with Viruses/Trojans/Phishing.
I have produced some signatures already for ClamAV.
Any more questions... just yell
Cheers,
Steve
SaneSecurity.com

Phishing/Scam Database
GuitarBob
Joined: 09 Jul 2006
Posts: 9
Location: USA
Posted: Fri Feb 09, 2007 2:21 pm
For a long time the antivirus programmers/programs refused to think about spyware. Now many of them are expanding their signatures/other detection methods to incorporate spyware also. To me this seems like a good idea--even though it increases their workload. They shouldn't be in the position of deciding what is malware--if code is placed on a computer without the owner's knowledge/consent, then it's malware, no matter what it is called, and they are in the position of stopping malware.
It appears that ClamAV is going to depend a lot upon heuristics to detect phishing. Note the tester mentions the Sane Security signatures are more up-to-date than Clam's. Follow the link below.
https://www.mail-archive.com/clamav-devel@lists.clamav.net/msg02552.html
Thanks for your efforts, Steve.
Regards,

galileo
Joined: 01 Nov 2006
Posts: 0
Location: Charlotte, NC USA
Posted: Fri Feb 09, 2007 3:31 pm
What are the mechanics of installing/enabling/including this in Clamwin? What about the updating aspect - manual or automatic? From an email perspective this sounds at first blush to be a desirable addition.

Sane Security
GuitarBob
Joined: 09 Jul 2006
Posts: 9
Location: USA
Posted: Fri Feb 09, 2007 4:09 pm
I don't know much about it--haven't downloaded/used the signatures. I found a reference to ClamAV and phishing on the Web. The download page is at https://www.sanesecurity.com/clamav/usage.htm. There is a script for downloading. Make sure you get the ClamWin version. Looks like you download the signatures and put them in your ClamWin db directory with the regular signatures. Let us know how it works if you use them.
Regards,

drgoa.r
Joined: 20 Nov 2006
Posts: 0
Location: Bulgaria
Posted: Fri Feb 09, 2007 4:44 pm
I am using them.
Took ClamWin versions, they come with installer (which I don't like, not only these ones, ALL installers)
So, installers are configured to place signature files in default database folder for ClamWin, BUT the good thing is that you can change the location manually (if you are not using the default folder).
The strange thing is that (in addition to new signatures) you will end up with a few new empty folders (in your DB folder), which probably you will never need...
I test the signatures using text files provided on the site for this purpose, and they work.
It will be good if the developer provides signature files without installer.
But if he doesn't - you can use ClamAV files, removing .gz at the end, and placing renamed files in your ClamWin database folder manually.

Phishing Signatures
GuitarBob
Joined: 09 Jul 2006
Posts: 9
Location: USA
Posted: Fri Feb 09, 2007 4:52 pm
Good. The ClamWin developers have mentioned the possibility of separate signatures for ClamWin. Perhaps Steve could work with the ClamWin team to make the update process smoother and increase the functionality of ClamWin--providing it could be done at low cost/effort.
Regards,

sanesecurity
Joined: 09 Feb 2007
Posts: 0
Posted: Fri Feb 09, 2007 7:29 pm
drgoa.r wrote:
"The strange thing is that (in addition to new signatures) you will end up with a few new empty folders (in your DB folder), which probably you will never need...."
Hmmm... I'll take a look at that later, when I get a minute.
drgoa.r wrote:
"I test the signatures using text files provided on the site for this purpose, and they work.
It will be good if the developer provides signature files without installer.
But if he doesn't - you can use ClamAV files, removing .gz at the end, and placing renamed files in your ClamWin database folder manually."
If you don't want to use the installer then manually download the .gz files and then use a program such as IZarc or 7-Zip to un-tar the contents. You should then end up with phish.ndb and scam.ndb, which you place in your ClamWin DB folder.
All I ask is that you don't hit the server every hour (I don't have unlimited bandwidth).
Cheers,
Steve
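
The manual install described in the post above, as an added example that is not part of the original thread and is not SaneSecurity's or ClamWin's own script: it checks a downloaded archive before anything is written into the DB folder. It assumes a gzip-compressed tar whose members are exactly phish.ndb and/or scam.ndb at the archive root; the function names are hypothetical, the line pattern is a simplified check rather than ClamAV's parser, and the download step is left out because the thread gives no file URL.

```python
import io, os, re, tarfile, tempfile

ALLOWED = {"phish.ndb", "scam.ndb"}  # file names given in the post above
# Simplified shape check (assumption): Name:TargetType:Offset:HexSig[:MinFL[:MaxFL]]
NDB_LINE = re.compile(r"^[^:\s]+:\d+:[^:\s]+:[0-9A-Fa-f?*{}()|!\[\]-]+(:\d+){0,2}$")

def check_ndb(data: bytes) -> int:
    """Return the number of signatures; raise ValueError on any malformed line."""
    lines = data.decode("ascii").splitlines()
    for lineno, line in enumerate(lines, 1):
        if not NDB_LINE.match(line):
            raise ValueError(f"line {lineno} is not an .ndb signature")
    if not lines:
        raise ValueError("signature file is empty")
    return len(lines)

def install_signatures(archive: bytes, db_dir: str) -> dict:
    """Validate every member of a .tar.gz in memory, then place it in db_dir."""
    checked = {}
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:gz") as tar:
        for member in tar:
            # Reject links, directories, path tricks and unexpected names.
            if not member.isfile() or member.name not in ALLOWED:
                raise ValueError(f"unexpected archive member {member.name!r}")
            data = tar.extractfile(member).read()
            checked[member.name] = (data, check_ndb(data))
    counts = {}
    for name, (data, count) in checked.items():
        # Write to a temp file and rename, so a scan never sees a partial file.
        fd, tmp = tempfile.mkstemp(dir=db_dir, suffix=".tmp")
        with os.fdopen(fd, "wb") as fh:
            fh.write(data)
        os.replace(tmp, os.path.join(db_dir, name))
        counts[name] = count
    return counts

def build_archive(files: dict) -> bytes:
    """Build a constructed .tar.gz in memory, used here as sample input."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

# Constructed signature line; the hex is the ASCII of "http://example.invalid".
SAMPLE = b"Constructed.Phish.Test-1:4:*:687474703a2f2f6578616d706c652e696e76616c6964\n"
```

Nothing is written unless every member passes, so a rejected archive leaves the existing signature files in place.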

Re: Phishing Signatures
sanesecurity
Joined: 09 Feb 2007
Posts: 0
Posted: Fri Feb 09, 2007 7:34 pm
GuitarBob wrote:
"Good. The ClamWin developers have mentioned the possibility of separate signatures for ClamWin. Perhaps Steve could work with the ClamWin team to make the update process smoother and increase the functionality of ClamWin--providing it could be done at low cost/effort.
Regards,"
Interesting... I wonder if the SourceForge site could be used to mirror my phish and scam signatures and have two new options in ClamWin:
Use SaneSecurity Phishing Sigs [Y/N] {default: No}
Use SaneSecurity Scam Sigs [Y/N] {default: No}
Something like that... in that way, ClamWin could download the needed sigs from SourceForge and untar them... and place them in the right DB directory.
It might just work
Cheers,
Steve

Sane Security
GuitarBob
Joined: 09 Jul 2006
Posts: 9
Location: USA
Posted: Fri Feb 09, 2007 7:41 pm
Let's see what Alch and the other developers say. This might be something they would consider for Version 1.0 when it comes out--I don't know if they want to do much more with the present version.
Regards,

Re: Sane Security
sanesecurity
Joined: 09 Feb 2007
Posts: 0
Posted: Fri Feb 09, 2007 7:54 pm
GuitarBob wrote:
"Let's see what Alch and the other developers say. This might be something they would consider for Version 1.0 when it comes out--I don't know if they want to do much more with the present version.
Regards,"
No problem.. I've dropped them a "hello" and pointed them to this thread
By the way all, I've just updated the phish and scam installers... so, should catch a few more stuff!
Cheers,
Steve