Zimbra offers Open Source email server software and shared calendar for Linux and the Mac
#1
03-31-2009, 08:25 AM
Moderator
Posts: 7,928
SaneSecurity :: winnow Exploit Detection Signatures

Steve from Sanesecurity would like to announce the launch of Winnow ClamAV Exploit Detection Signatures.

Winnow signatures offer the following feature sets:
  • Malware received but not currently detected by official ClamAV signatures
  • Phishing, including: financial, gaming, email, networking, social, trading, retail, government, file sharing
  • Fraud, including: fake banks, escrows, shippers, 419s, jobs, mules, money laundering
  • Hacked and exploited hosts
  • Rogue domains harboring malware/spam/etc.
The three databases distributed at the moment are:
  • winnow_malware.hdb - Current virus, trojan and other malware not yet detected by ClamAV.
  • winnow_phish_complete.ndb - Signatures to detect phishing and other malicious URLs and compromised hosts - derived in a similar fashion as SURBL but with special processing to remove the possibility of false positives. (Recommended)
  • winnow_phish_complete_url.ndb - Similar to winnow_phish_complete.ndb except that entire URLs are used to derive the signatures rather than carefully selected hosts. (Conservative)
For more details: winnow ClamAV Threat Detection Signatures

Download scripts will be available shortly for these signatures on the new mirrors.
__________________

Last edited by mmorse; 03-31-2009 at 10:21 AM. Reason: links and formatting
#2
04-01-2009, 04:04 AM
Intermediate Member
Posts: 20

Thanks uxbod, but testing the new script (after the configuration) I receive this message:

Code:
Testing updated SaneSecurity database file: junk.ndb
SaneSecurity GPG Signature tested good on junk.ndb database
Clamscan reports SaneSecurity junk.ndb database integrity tested BAD - SKIPPING

Testing updated SaneSecurity database file: phish.ndb
SaneSecurity GPG Signature tested good on phish.ndb database
Clamscan reports SaneSecurity phish.ndb database integrity tested BAD - SKIPPING

Testing updated SaneSecurity database file: rogue.hdb
SaneSecurity GPG Signature tested good on rogue.hdb database
Clamscan reports SaneSecurity rogue.hdb database integrity tested BAD - SKIPPING

Testing updated SaneSecurity database file: sanesecurity.ftm
SaneSecurity GPG Signature tested good on sanesecurity.ftm database
Clamscan reports SaneSecurity sanesecurity.ftm database integrity tested BAD - SKIPPING

Testing updated SaneSecurity database file: spear.ndb
SaneSecurity GPG Signature tested good on spear.ndb database
Clamscan reports SaneSecurity spear.ndb database integrity tested BAD - SKIPPING

Testing updated SaneSecurity database file: winnow_malware.hdb
SaneSecurity GPG Signature tested good on winnow_malware.hdb database
Clamscan reports SaneSecurity winnow_malware.hdb database integrity tested BAD - SKIPPING

Testing updated SaneSecurity database file: winnow_phish_complete.ndb
SaneSecurity GPG Signature tested good on winnow_phish_complete.ndb database
Clamscan reports SaneSecurity winnow_phish_complete.ndb database integrity tested BAD - SKIPPING

The old script (v 1.8) works great.
__________________
Intel Xeon Quad 4x 2.83+ GHz 12 MB L2 - FSB 1333 3Ware RAID1 2x750 GB SATA2 8 GB DDR2
Minimal Centos 5.3 64 bit - About 1000 users
#3
04-01-2009, 04:18 AM
Moderator
Posts: 7,928

Make sure the PATH in the script also includes /opt/zimbra/clamav/bin. I had this issue when I upgraded last night; but have not had time to fix it yet. Another job for this evening.
__________________
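
The failure in this thread, as an added example that is not part of the original posts or of the SaneSecurity script: with clamscan missing from the script's PATH, a pass/fail integrity test marks every database BAD even though the GPG signatures tested good. The sketch below reports "scanner not found" separately from "database rejected"; the function names and return codes are assumptions of this example, and it relies on clamscan's exit codes (0 clean, 1 match, 2 error).

```shell
#!/bin/sh
# Added example, not the SaneSecurity update script.
# Return codes are this example's own convention:
#   0 = database loads, 1 = clamscan rejected it, 3 = clamscan not runnable.

# Directory named in the thread; appended to the search path by default.
ZIMBRA_CLAMAV_BIN=/opt/zimbra/clamav/bin

# find_clamscan SEARCH_PATH: print the clamscan found on a PATH-style list.
find_clamscan() {
    ( PATH=$1; command -v clamscan ) 2>/dev/null
}

# check_db DBFILE [SEARCH_PATH]: load one signature file with clamscan.
check_db() {
    db=$1
    search=${2:-$PATH:$ZIMBRA_CLAMAV_BIN}
    scanner=$(find_clamscan "$search") || {
        echo "clamscan not found in $search; $db was NOT tested" >&2
        return 3
    }
    probe=$(mktemp) || return 3
    echo "harmless probe text" > "$probe"
    rc=0
    # -d loads only this database; the probe gives clamscan a file to scan.
    "$scanner" --quiet -d "$db" "$probe" >/dev/null 2>&1 || rc=$?
    rm -f "$probe"
    case $rc in
        0|1) echo "$db: loaded by $scanner"; return 0 ;;   # 1 = probe matched
        126|127) echo "$scanner could not be executed" >&2; return 3 ;;
        *) echo "$db: rejected by clamscan (exit $rc)" >&2; return 1 ;;
    esac
}
```

Called as `check_db winnow_malware.hdb`, it searches the current PATH followed by /opt/zimbra/clamav/bin, so a missing scanner shows up as return code 3 instead of a BAD database.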
#4
04-01-2009, 04:25 AM
Intermediate Member
Posts: 20

Thanks, ok now
__________________
Intel Xeon Quad 4x 2.83+ GHz 12 MB L2 - FSB 1333 3Ware RAID1 2x750 GB SATA2 8 GB DDR2
Minimal Centos 5.3 64 bit - About 1000 users