SaneSecurity :: winnow Exploit Detection Signatures

Printable View

03-31-2009, 08:25 AM
uxbod

SaneSecurity :: winnow Exploit Detection Signatures
Steve from Sanesecurity would like to to announce the launch of Winnow ClamAV Exploit Detection Signatures.

Winnow signatures offer the following feature sets:
- Malware received but not currently detected by official ClamAV signatures, including: Phishing, including financial, gaming, email, networking, social, trading, retail, government, file sharing
- Fraud, including: fake banks, escrows, shippers, 419s, jobs, mules, money laundering
- Hacked and exploited hosts
- Rogue domains harboring malware/spam/etc.
The three databases distributed at the moment are:
- winnow_malware.hdb - Current virus, trojan and other malware not yet detected by ClamAV.
- winnow_phish_complete.ndb - Signatures to detect phishing and other malicious url's and compromised hosts - derived in a similar fashion as SURBL but with special processing to remove the possibility of false positives. (Recommended)
- winnow_phish_complete_url.ndb - Similar to winnow_phish_complete.ndb except that entire urls's are used to derive the signatures rather than carefully selected hosts. (Conservative)
For more details: winnow ClamAV Threat Detection Signatures

Download scripts will be available shortly for these signatures on the new mirrors.
04-01-2009, 04:04 AM
babyporch

Thanks uxbod, but testing the new script (after the configuration) i receive this message:

Code:

Testing updated SaneSecurity database file: junk.ndb SaneSecurity GPG Signature tested good on junk.ndb database Clamscan reports SaneSecurity junk.ndb database integrity tested BAD - SKIPPING Testing updated SaneSecurity database file: phish.ndb SaneSecurity GPG Signature tested good on phish.ndb database Clamscan reports SaneSecurity phish.ndb database integrity tested BAD - SKIPPING Testing updated SaneSecurity database file: rogue.hdb SaneSecurity GPG Signature tested good on rogue.hdb database Clamscan reports SaneSecurity rogue.hdb database integrity tested BAD - SKIPPING Testing updated SaneSecurity database file: sanesecurity.ftm SaneSecurity GPG Signature tested good on sanesecurity.ftm database Clamscan reports SaneSecurity sanesecurity.ftm database integrity tested BAD - SKIPPING Testing updated SaneSecurity database file: spear.ndb SaneSecurity GPG Signature tested good on spear.ndb database Clamscan reports SaneSecurity spear.ndb database integrity tested BAD - SKIPPING Testing updated SaneSecurity database file: winnow_malware.hdb SaneSecurity GPG Signature tested good on winnow_malware.hdb database Clamscan reports SaneSecurity winnow_malware.hdb database integrity tested BAD - SKIPPING Testing updated SaneSecurity database file: winnow_phish_complete.ndb SaneSecurity GPG Signature tested good on winnow_phish_complete.ndb database Clamscan reports SaneSecurity winnow_phish_complete.ndb database integrity tested BAD - SKIPPING

The old script (v 1.8) works great.
04-01-2009, 04:18 AM
uxbod

Make sure the PATH in the script also includes /opt/zimbra/clamav/bin. I had this issue when I upgraded last night; but have not had time to fix it yet. Another job for this evening :)
04-01-2009, 04:25 AM
babyporch

Thanks, ok now