Home / clamav / sanesecurity
File Name
README.md
/ ___| (_) |
\ `--. __ _ _ __ ___ ___ ___ ___ _ _ _ __ _| |_ _ _
`--. \/ _` | '_ \ / _ \/ __|/ _ \/ __| | | | '__| | __| | | |
/\__/ / (_| | | | | __/\__ \ __/ (__| |_| | | | | |_| |_| |
\____/ \__,_|_| |_|\___||___/\___|\___|\__,_|_| |_|\__|\__, |
__/ |
|___/
################# 3rd Party ClamAV signatures ################

Last updated: 15.09.2015

WARNING
=======

Please use the provided download scripts where possible... and make sure that you double-check the
cron job scheduling, as neither myself or the mirrors will appreciate signatures being downloaded, every second.

The mirrors reserve the right to block your IP address, if you are downloading too many times per hour or are
abusing their servers/bandwidth in any way.

If the download service is abused, the public rsync mirrors will be moved to a password only service, with only
people that have donated receiving the password to let them access the mirrors.

Information
===========

� Signatures are now signed using GnuPG, ensuring integrity of the signatures. The public key for these signature will
be available from here (http://sanesecurity.co.uk/publickey.gpg)

For example, here's a good verify:
gpg --verify junk.ndb.sig
gpg: Signature made 01/09/09 09:55:48 using DSA key ID 31EA4D9E
gpg: Good signature from "Sanesecurity (Sanesecurity Signatures)"
Here's a bad verify:
gpg --verify junk.ndb.sig
gpg: Signature made 01/09/09 09:55:48 using DSA key ID 31EA4D9E
gpg: BAD signature from "Sanesecurity (Sanesecurity Signatures)"

� A round-robin dns system, to help spread the load over multiple rsync servers. This has been setup using editdns.net
dns service, in order to manage the multiple A records. As this is currently a free account, the TTL (time to live)
for each server is set to 300 (5 minutes). If I receive enough donations, I'll update the account.

� A donation page, using PayPal will now also accept credit cards and hopefully we will be able to provide an invoice
for people who want one. Anyone who donates will be given a non-public download url, using only the fastest mirrors
and in addition, be notified of any important changes.

� A Mailing list which is recommended that signature users subscribe to, so that any future problems
can be reported directly to you. Signup to the Sanesecurity mailing list, by sending a Subject of subscribe to:

sanesecurity-request@freelists.org

Note: There is an archive, so you can read previous messages here: http://www.freelists.org/archive/sanesecurity


Details
=======

Current signature names
=======================

The following databases are distributed and produced by Sanesecurity

Database Name Description FP Risk

junk.ndb General high hitting junk, containing spam/phishing/lottery/jobs/419s etc. Low
jurlbl.ndb Junk Url based Low
jurlbla.ndb Junk Url based autogenerated from various feeds Med
lott.ndb Lottery Med
phish.ndb Phishing Low
rogue.hdb Malware, Rogue anti-virus software and Fake codecs etc. Low
scam.ndb Spam/scams Low
spam.ldb Spam detected using the new Logical Signature type Med
spamimg.hdb Spammed images Low
spamattach.hdb Spammed attachments such as pdf's/docs/rtf/zips Low
spear.ndb Spear phishing email addresses (autogenerated from data here) Med
spearl.ndb Spear phishing urls (autogenerated from data here) Med


The following databases are distributed by Sanecurity, but produced by OITC

Database Name Description FP Risk

winnow_malware.hdb Current virus, trojan and other malware not yet detected by ClamAV. Low
Undetected virus samples can be sent to virus_samples@oitc.com
winnow_malware_links.ndb Links to malware Low
winnow_spam_complete.ndb Signatures to detect fraud and other malicious spam Med
winnow_phish_complete.ndb Phishing and other malicious url's and compromised hosts High
winnow_phish_complete_url.ndb Similar to winnow_phish_complete.ndb except that entire urls's are used Med
winnow.complex.patterns.ldb contains hand generated signatures for malware and some egregious fraud Med
winnow_extended_malware.hdb contains hand generated signatures for malware. Low
winnow_extended_malware_links.ndb contain hand generated signatures for malware links. Med
winnow.attachments.hdb Spammed attachments such as pdf's/docs/rtf/zips Low

Note: Only use ONE of the above databases, winnow_phish_complete.ndb or winnow_phish_complete_url.ndb

The following databases are distributed by Sanecurity, but produced by Julian Field

Database Name Description FP Risk

scamnailer.ndb Spear phishing and other phishing emails Med

The following databases are distributed by Sanecurity, but produced by Andrew Lewis

Database Name Description FP Risk

doppelstern.ndb phishing, scams and other junk Med
doppelstern.hdb hashes of spam documents and images Low

The following databases are distributed by Sanesecurity, but produced by CRDF

Database Name Description FP Risk

crdfam.clamav.hdb List of new threats detected by CRDF Anti Malware. Low


Other files
===========

sanesecurity.ftm Message file types REQUIRED for best performance
sigwhitelist.ign2 Fast update file to whitelist any problem signature REQUIRED 0.96rc1+

(databasename).sig All signatures files are gpg signed for extra security
/integrity (eg. phish.ndb.sig)

Donations
=========

SaneSecurity signatures are a culmination of hard work and commitment to providing Third-Party signatures to the
web community that are of professional quality. We are not a company and the signatures and support for the signatures
are carried out in my spare time.

If you feel that you would like to give a donation for your use of these signatures, or just because you want to support
us, please consider making a donation via this page (we ask that you at least donate $5 to cover PayPal
processing fee's):

http://sanesecurity.com/donate/

Rsync Mirrors
=============

If you wish to mirror the Sanesecurity signature files and be added to the dns round-robin system, please contact me
(steveb_clamav AT sanesecurity.com)

The mirror needs are basic...I need rsync access to a directory and also you'll need to setup IPTables to block IP's
which may try to hammer the server.. more details will be given later.

Thanks
======

Malcolm Scott at Retrosnub Internet Services (http://www.retrosnub.co.uk) for providing a mirror, download script and
for his knowledge in helping to setup the new download system.

Malcolm Scott at Retrosnub, Doc Schneider at FSL (http://fsl.com), Steve Freegard at FSL (http://fsl.com),
Steve Swaney at FSL (http://fsl.com), Laurent CARON, Joerg.Traeger, Panagiotis Christias, Roland Pelzer,
Patrick Ben Koetter and Matt at mxuptime for their invaluable help in mirroring the signatures and providing assistance.

False Positives
===============

Please go to this page and report any false positives you find.

http://sanesecurity.com/support/false-positives/

If you need to decoder the signatures to help pinpoint False Positives, please use the decoder here:

http://sanesecurity.com/support/signature-decoding/

While you wait for the faulty signature to be fixed, the following two examples show you how to create a
local.ign file, to skip signatures, which are causing you a problem.

Example 1:
----------

If you have a false positive for Sanesecurity.Phishing.Rdi.5.UNOFFICIAL (which is in the phish.ndb database),
all you have to do it create a local.ign file containing a line like this:

phish.ndb:5:Sanesecurity.Phishing.Rdi.5

And that signature will then be ignored.

Note: make sure you leave off the .UNOFFICIAL from the signature
name in the .ign file, otherwise it won't work.

Example 2:
----------

If you have a false positive for Sanesecurity.Stk.3440.UNOFFICIAL (which is in the scam.ndb database),
all you have to do it create a local.ign file containing a line like this:

scam.ndb:3440:Sanesecurity.Stk.3440

And that signature will then be ignored.

Note: make sure you leave off the .UNOFFICIAL from the signature
name in the .ign file, otherwise it won't work.


Commercial use: You can use the Sanesecurity signatures in commercial products. However, if would be appreciated
if you if you make a reasonable donation and send an email, with information about the name of company and what
product the signatures are being used in.

If you are using the signatures for a anti-spam/virus product and wish to mirror the signatures for your own users
to download directly then please contact me, (steveb_clamav AT sanesecurity.com).

Disclaimer:
===========

Whilst every effort has been made by Sanesecurity to ensure that the signatures don't lead to false positives,
we make no warranty that the signatures will meet your requirements, be uninterrupted, complete, timely, secure or error free.
You must therefore use them at your own risk.

Terms of use:

Commercial use: You can use the SaneSecurity signatures free of charge in commercial products. However, if would be appreciated
if you would make a donation, as well as an email with the name of company and what product the signatures are being used in.

No Signature copying, duplication or reproduction is permitted without the permission of Sanesecurity.

ClamAV is a registered trademark of Sourcefire, Inc.


Trademarks
==========

Signatures � sanesecurity.org.uk. All Rights Reserved.
ClamAV is a registered trademark of Cisco Systems. (C)2015 Cisco

0010100001100011001010010010000001010011011101000110010101110110011001010010000001000010011000010111001101100110011011110111001001100100