1 (edited by RajeshM 2019-11-18 09:29:15)

Topic: foxhole_all not being called by amavis

hi,

using iredpro on debian

while sending outgoing test emails via sogo webmail, i attached a file with exe extension which was zipped up using winzip.

the file was was not detected by foxhole_all.cdb which was in placed in /var/lib/clamav directory along with clam signature databases

eicar test signatures where correctly detected though.

extract from /etc/amavis/conf.d/50-user file is given below

need help in figuring out what further settings needs to be done to detect banned attachments (such as exe, bat, com, etc) which are archived within zip, tar , etc


# Mark Spam/Virus with third-party clamav signatures: SaneSecurity.
#   *) The order matters, first match wins. Set to 'undef' to keep as infected
#   *) Anything declared as undefined will be marked as a virus
@virus_name_to_spam_score_maps =(new_RE(
    # SaneSecurity + Foxhole
    [ qr'^Sanesecurity\.(Malware|Badmacro|Foxhole|Rogue|Trojan)\.' => undef ],
    [ qr'^Sanesecurity\.MalwareHash\.'    => undef ],
    [ qr'^Sanesecurity.TestSig_'          => undef ],
    [ qr'^Sanesecurity\.'                 => 0.1 ],

    # winnow
    [ qr'^winnow\.(Exploit|Trojan|malware)\.'     => undef ],
    [ qr'^winnow\.(botnet|compromised|trojan)'    => undef ],
    [ qr'^winnow\.(exe|ms|JS)\.'                  => undef ],
    [ qr'^winnow\.phish\.'                        => 3.0 ],
    [ qr'^winnow\.'                               => 0.1 ],

    # bofhland
    [ qr'^Bofhland\.Malware\.'                    => undef ],
    [ qr'^BofhlandMWFile'                         => undef ],
    [ qr'^Bofhland\.Phishing\.'                   => 3.0 ],
    [ qr'^Bofhland\.'                             => 0.1 ],

    # porcupine.ndb
[ qr'^Porcupine\.(Malware|Trojan)\.'          => undef ],
    [ qr'^Porcupine\.(Junk|Spammer)\.'            => 3.0 ],
    [ qr'^Porcupine\.Phishing\.'                  => 3.0 ],
    [ qr'^Porcupine\.'                            => 0.01 ],

    # phishtank.ndb
    [ qr'^PhishTank\.Phishing\.'                  => 3.0 ],

    # SecuriteInfo
    [ qr'^SecuriteInfo\.com\.Spammer\.'           => 3.0 ],

     # Others
    [ qr'^Structured\.(SSN|CreditCardNumber)\b'            => 0.1 ],
    [ qr'^(Heuristics\.)?Phishing\.'                       => 0.1 ],
    [ qr'^(Email|HTML)\.Phishing\.(?!.*Sanesecurity)'      => 0.1 ],
    [ qr'^Email\.Spam\.Bounce(\.[^., ]*)*\.Sanesecurity\.' => 0   ],
    [ qr'^Email\.Spammail\b'                               => 0.1 ],
    [ qr'^MSRBL-(Images|SPAM)\b'                           => 0.1 ],
    [ qr'^VX\.Honeypot-SecuriteInfo\.com\.Joke'            => 0.1 ],
    [ qr'^VX\.not-virus_(Hoax|Joke)\..*-SecuriteInfo\.com(\.|\z)' => 0.1 ],
    [ qr'^Email\.Spam.*-SecuriteInfo\.com(\.|\z)'          => 0.1 ],
    [ qr'^Safebrowsing\.'                                  => 0.1 ],
    [ qr'^INetMsg\.SpamDomain'                             => 0.1 ],
    [ qr'^Doppelstern\.(Spam|Scam|Phishing|Junk|Lott|Loan)'=> 0.1 ],
    [ qr'^ScamNailer\.'                                    => 0.1 ],
    [ qr'^HTML/Bankish'                                    => 0.1 ],
    [ qr'(-)?SecuriteInfo\.com(\.|\z)'                     => undef ],
    [ qr'^MBL_NA\.UNOFFICIAL'                              => 0.1 ],
    [ qr'^MBL_'                                            => undef ],
));


thanks,
rajesh

2

Re: foxhole_all not being called by amavis

RESOLVED

@keep_decoded_original_maps = (new_RE(
    # let virus scanner (clamav) see full original message (can be slow)
    # this setting is required if we're going to use third-party clamav
    # signatures. for example, Sanesecurity signatures.
    # FYI: http://sanesecurity.com/support/signature-testing/

################# UNCOMMENT LINE BELOW TO ALLOW UNOFFICAL SIGNATURES
qr'^MAIL$',
#qr'^MAIL$',

    qr'^MAIL-UNDECIPHERABLE$', # same as ^MAIL$ if mail is undecipherable
    qr'^(ASCII(?! cpio)|text|uuencoded|xxencoded|binhex)'i,
    #qr'^Zip archive data',     # don't trust Archive::Zip
));


and below that

I use only BADMACRO and FOXHOLE and therefore commented the rest

# Mark Spam/Virus with third-party clamav signatures: SaneSecurity.
#   *) The order matters, first match wins. Set to 'undef' to keep as infected
#   *) Anything declared as undefined will be marked as a virus
@virus_name_to_spam_score_maps =(new_RE(
    # SaneSecurity + Foxhole


   [ qr'^Sanesecurity\.(Badmacro|Foxhole)\.' => undef ],

#   [ qr'^Sanesecurity\.(Malware|Badmacro|Foxhole|Rogue|Trojan)\.' => undef ],
#    [ qr'^Sanesecurity\.MalwareHash\.'    => undef ],
#   [ qr'^Sanesecurity.TestSig_'          => undef ],
#    [ qr'^Sanesecurity\.'                 => 0.1 ],

    # winnow
#    [ qr'^winnow\.(Exploit|Trojan|malware)\.'     => undef ],
#    [ qr'^winnow\.(botnet|compromised|trojan)'    => undef ],
#    [ qr'^winnow\.(exe|ms|JS)\.'                  => undef ],
#    [ qr'^winnow\.phish\.'                        => 3.0 ],
#    [ qr'^winnow\.'                               => 0.1 ],

    # bofhland
#    [ qr'^Bofhland\.Malware\.'                    => undef ],
#    [ qr'^BofhlandMWFile'                         => undef ],
#    [ qr'^Bofhland\.Phishing\.'                   => 3.0 ],
#    [ qr'^Bofhland\.'                             => 0.1 ],

    # porcupine.ndb
#   [ qr'^Porcupine\.(Malware|Trojan)\.'          => undef ],
#    [ qr'^Porcupine\.(Junk|Spammer)\.'            => 3.0 ],
#    [ qr'^Porcupine\.Phishing\.'                  => 3.0 ],
#    [ qr'^Porcupine\.'                            => 0.01 ],

    # phishtank.ndb
#    [ qr'^PhishTank\.Phishing\.'                  => 3.0 ],

    # SecuriteInfo
#    [ qr'^SecuriteInfo\.com\.Spammer\.'           => 3.0 ],

     # Others
#    [ qr'^Structured\.(SSN|CreditCardNumber)\b'            => 0.1 ],
#    [ qr'^(Heuristics\.)?Phishing\.'                       => 0.1 ],
#    [ qr'^(Email|HTML)\.Phishing\.(?!.*Sanesecurity)'      => 0.1 ],
#    [ qr'^Email\.Spam\.Bounce(\.[^., ]*)*\.Sanesecurity\.' => 0   ],
#    [ qr'^Email\.Spammail\b'                               => 0.1 ],
#    [ qr'^MSRBL-(Images|SPAM)\b'                           => 0.1 ],
#    [ qr'^VX\.Honeypot-SecuriteInfo\.com\.Joke'            => 0.1 ],
#    [ qr'^VX\.not-virus_(Hoax|Joke)\..*-SecuriteInfo\.com(\.|\z)' => 0.1 ],
#    [ qr'^Email\.Spam.*-SecuriteInfo\.com(\.|\z)'          => 0.1 ],
#    [ qr'^Safebrowsing\.'                                  => 0.1 ],
#    [ qr'^INetMsg\.SpamDomain'                             => 0.1 ],
#    [ qr'^Doppelstern\.(Spam|Scam|Phishing|Junk|Lott|Loan)'=> 0.1 ],
#    [ qr'^ScamNailer\.'                                    => 0.1 ],
#    [ qr'^HTML/Bankish'                                    => 0.1 ],
    [ qr'(-)?SecuriteInfo\.com(\.|\z)'                     => undef ],
#    [ qr'^MBL_NA\.UNOFFICIAL'                              => 0.1 ],
#    [ qr'^MBL_'                                            => undef ],
));