Discussion:
[Mimedefang] clamav-unofficial-sigs and pyzor
Marcus Schopen
2016-09-19 05:46:11 UTC
Hi,

This may be a little bit off topic, but is there any experience with the
efficiency of pyzor and clamav-unofficial-sigs [1]? I used pyzor years
ago and haven't followed it since then. A lot of Locky mails passed my
filter, so I thought clamav-unofficial-sigs with the sanesecurity sigs
turned on might help here.

Ciao
Marcus

[1] https://github.com/extremeshok/clamav-unofficial-sigs


_______________________________________________
NOTE: If there is a disclaimer or other legal boilerplate in the above
message, it is NULL AND VOID. You may ignore it.

Visit http://www.mimedefang.org and http://www.roaringpenguin.com
MIMEDefang mailing list ***@lists.roaringpenguin.com
http://lists.roaringpenguin.com/mailman/listinfo/mimed
Richard Laager
2016-09-19 06:23:25 UTC
Post by Marcus Schopen
This may be a little bit off topic, but is there any experience with the
efficiency of pyzor and clamav-unofficial-sigs?
We use clamav-unofficial-sigs. If clamd triggers, it's a hard fail for
us, regardless of whether it was a virus or spam rule. We do
differentiate them for logging and SMTP rejection messages.

I can't say how much spam would have been blocked anyway by later
processing (e.g. SpamAssassin), but we have very few (but non-zero over
the years) false positives. And in our filter, whitelisting does not
bypass this test; maybe it should, but that's the current setup.
--
Richard
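The setup Richard describes above (every clamd hit is a hard fail, but virus and spam signatures are told apart for the log line and the SMTP rejection text) comes down to classifying the signature name clamd returns. The following is an added example written for this page, not Richard's filter and not MIMEDefang's own code (MIMEDefang filters are Perl; this is a stand-alone Python illustration of the decision logic). It relies on one real ClamAV convention, the ".UNOFFICIAL" suffix that clamd appends to hits from third-party databases, while the `SPAM_PREFIXES` list, the sample verdict lines and the signature names in them are assumptions constructed for the example and should be adjusted to the databases actually enabled.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample replies in the "<target>: <signature> FOUND" shape that
# clamdscan / clamd's INSTREAM command produce. The signature names are made up
# for this example; only the ".UNOFFICIAL" suffix and the vendor-style prefixes
# follow real naming conventions.
SAMPLE_VERDICTS = [
    "stream: Win.Trojan.Agent-1234567-0 FOUND",
    "stream: Sanesecurity.Phishing.Bank.23456.UNOFFICIAL FOUND",
    "stream: winnow.malware.gen.12.UNOFFICIAL FOUND",
    "stream: Sanesecurity.Junk.45678.UNOFFICIAL FOUND",
    "stream: OK",
]

# Assumption: signature-name prefixes whose hits mean spam/phishing rather than
# malware. Anything not matched here is treated as malware.
SPAM_PREFIXES = (
    "Sanesecurity.Junk",
    "Sanesecurity.Spam",
    "Sanesecurity.Phishing",
    "Sanesecurity.Scam",
)

_UNOFFICIAL = ".UNOFFICIAL"
_VERDICT_RE = re.compile(r"^(?P<target>[^:]+): (?P<sig>\S+) FOUND$")


@dataclass(frozen=True)
class Verdict:
    target: str
    signature: str
    category: str      # "spam" or "malware"
    unofficial: bool   # True when the hit came from a non-official database


def classify_signature(sig: str) -> str:
    """Map a clamd signature name to the spam/malware category."""
    base = sig[:-len(_UNOFFICIAL)] if sig.endswith(_UNOFFICIAL) else sig
    if any(base.startswith(p) for p in SPAM_PREFIXES):
        return "spam"
    return "malware"


def parse_verdict(line: str) -> Optional[Verdict]:
    """Parse one clamd reply line; None means clean, ValueError means garbage."""
    line = line.strip()
    if line.endswith(": OK"):
        return None
    m = _VERDICT_RE.match(line)
    if not m:
        raise ValueError(f"unrecognised clamd reply: {line!r}")
    sig = m.group("sig")
    return Verdict(m.group("target"), sig, classify_signature(sig),
                   sig.endswith(_UNOFFICIAL))


def smtp_rejection(v: Verdict) -> str:
    """Both categories are a hard 550; only the human-readable text differs."""
    if v.category == "spam":
        return f"550 5.7.1 Message rejected as spam/phishing ({v.signature})"
    return f"550 5.7.1 Message rejected: malware detected ({v.signature})"


def log_entry(v: Verdict, queue_id: str) -> str:
    db = "unofficial" if v.unofficial else "official"
    return (f"{queue_id}: clamd {v.category} hit sig={v.signature} "
            f"db={db} target={v.target}")


def decide(line: str, queue_id: str) -> dict:
    """Turn one clamd reply into the action, SMTP reply and log line to emit."""
    v = parse_verdict(line)
    if v is None:
        return {"action": "accept", "log": f"{queue_id}: clamd clean"}
    return {"action": "reject", "smtp": smtp_rejection(v),
            "log": log_entry(v, queue_id)}


if __name__ == "__main__":
    for i, verdict_line in enumerate(SAMPLE_VERDICTS):
        print(decide(verdict_line, f"MSG{i}"))
```

Keeping the reject decision separate from the category makes it easy to later exempt whitelisted senders from the spam-signature rejections only, while still hard-failing malware hits.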
Marcus Schopen
2016-09-19 06:48:59 UTC
Hi Richard,
Post by Richard Laager
Post by Marcus Schopen
This may be a little bit off topic, but is there any experience with the
efficiency of pyzor and clamav-unofficial-sigs?
We use clamav-unofficial-sigs. If clamd triggers, it's a hard fail for
us, regardless of whether it was a virus or spam rule. We do
differentiate them for logging and SMTP rejection messages.
I can't say how much spam would have been blocked anyway by later
processing (e.g. SpamAssassin), but we have very few (but non-zero over
the years) false positives. And in our filter, whitelisting does not
bypass this test; maybe it should, but that's the current setup.
Thank you for your interesting feedback. Did you activate all signatures
or just, e.g., the sanesecurity sigs? I read that activating all signatures turns
clamav into an evil memory monster, while activating only the sanesecurity
sigs catches most and doesn't need that many resources.

What about pyzor or razor integration? Do they help or just burn
performance?

Ciao
Marcus



Richard Laager
2016-09-19 07:43:56 UTC
Post by Marcus Schopen
Did you activate all signatures
or just, e.g., the sanesecurity sigs? I read that activating all signatures turns
clamav into an evil memory monster, while activating only the sanesecurity
sigs catches most and doesn't need that many resources.
I don't adjust the defaults. I don't use anything that requires signing
up. I just looked into those, but they're for non-commercial use, which
is why they require a sign-up.
Post by Marcus Schopen
What about pyzor or razor integration? Do they help or just burn
performance?
I think I tried Pyzor a long time ago and found it worthless, but I have
no idea what it's like now.

We have Razor enabled. Historically, that's been very effective, though
I haven't actually double-checked recently.
--
Richard
Dianne Skoll
2016-09-19 12:36:06 UTC
On Mon, 19 Sep 2016 07:46:11 +0200
Post by Marcus Schopen
This may be a little bit off topic, but is there any experience with the
efficiency of pyzor and clamav-unofficial-sigs [1]?
No comment on pyzor because I don't use it, but some of the
clamav-unofficial-sigs are useful. We use the following data sets:

phish.ndb
rogue.hdb
sanesecurity.ftm
winnow_malware.hdb
winnow_malware_links.ndb

We find the others have unacceptably high false-positive rates, and
even the ones above occasionally get a bad signature that produces annoying
false positives.

Regards,

Dianne.
Marcus Schopen
2016-09-19 12:49:42 UTC
Post by Dianne Skoll
On Mon, 19 Sep 2016 07:46:11 +0200
Post by Marcus Schopen
This may be a little bit off topic, but is there any experience with the
efficiency of pyzor and clamav-unofficial-sigs [1]?
No comment on pyzor because I don't use it, but some of the
phish.ndb
rogue.hdb
sanesecurity.ftm
winnow_malware.hdb
winnow_malware_links.ndb
We find the others have unacceptably high false-positive rates, and
even the ones above occasionally get a bad signature that produces annoying
false positives.
Dianne and Richard, thanks for your feedback! I will give those a try.

Ciao
Marcus

