
Thread: SaneSecurity :: winnow Exploit Detection Signatures

  1. #1
    Join Date
    Nov 2006
    Location
    UK
    Posts
    8,017
    Rep Power
    25

    Default SaneSecurity :: winnow Exploit Detection Signatures

    Steve from Sanesecurity would like to announce the launch of Winnow ClamAV Exploit Detection Signatures.

    Winnow signatures offer the following feature sets:
    • Malware received but not currently detected by official ClamAV signatures
    • Phishing, including: financial, gaming, email, networking, social, trading, retail, government, file sharing
    • Fraud, including: fake banks, escrows, shippers, 419s, jobs, mules, money laundering
    • Hacked and exploited hosts
    • Rogue domains harboring malware/spam/etc.
    The three databases distributed at the moment are:
    • winnow_malware.hdb - Current virus, trojan and other malware not yet detected by ClamAV.
    • winnow_phish_complete.ndb - Signatures to detect phishing and other malicious URLs and compromised hosts - derived in a similar fashion to SURBL but with special processing to remove the possibility of false positives. (Recommended)
    • winnow_phish_complete_url.ndb - Similar to winnow_phish_complete.ndb except that entire URLs are used to derive the signatures rather than carefully selected hosts. (Conservative)
    For more details: winnow ClamAV Threat Detection Signatures

    Download scripts will be available shortly for these signatures on the new mirrors.
    Last edited by mmorse; 03-31-2009 at 11:21 AM. Reason: links and formatting

  2. #2
    Join Date
    Jan 2009
    Location
    Palermo
    Posts
    43
    Rep Power
    6

    Default

    Thanks uxbod, but testing the new script (after the configuration) I receive this message:

    Code:
    Testing updated SaneSecurity database file: junk.ndb
    SaneSecurity GPG Signature tested good on junk.ndb database
    Clamscan reports SaneSecurity junk.ndb database integrity tested BAD - SKIPPING
    
    Testing updated SaneSecurity database file: phish.ndb
    SaneSecurity GPG Signature tested good on phish.ndb database
    Clamscan reports SaneSecurity phish.ndb database integrity tested BAD - SKIPPING
    
    Testing updated SaneSecurity database file: rogue.hdb
    SaneSecurity GPG Signature tested good on rogue.hdb database
    Clamscan reports SaneSecurity rogue.hdb database integrity tested BAD - SKIPPING
    
    Testing updated SaneSecurity database file: sanesecurity.ftm
    SaneSecurity GPG Signature tested good on sanesecurity.ftm database
    Clamscan reports SaneSecurity sanesecurity.ftm database integrity tested BAD - SKIPPING
    
    Testing updated SaneSecurity database file: spear.ndb
    SaneSecurity GPG Signature tested good on spear.ndb database
    Clamscan reports SaneSecurity spear.ndb database integrity tested BAD - SKIPPING
    
    Testing updated SaneSecurity database file: winnow_malware.hdb
    SaneSecurity GPG Signature tested good on winnow_malware.hdb database
    Clamscan reports SaneSecurity winnow_malware.hdb database integrity tested BAD - SKIPPING
    
    Testing updated SaneSecurity database file: winnow_phish_complete.ndb
    SaneSecurity GPG Signature tested good on winnow_phish_complete.ndb database
    Clamscan reports SaneSecurity winnow_phish_complete.ndb database integrity tested BAD - SKIPPING
    The old script (v 1.8) works great.

  3. #3
    Join Date
    Nov 2006
    Location
    UK
    Posts
    8,017
    Rep Power
    25

    Default

    Make sure the PATH in the script also includes /opt/zimbra/clamav/bin. I had this issue when I upgraded last night, but have not had time to fix it yet. Another job for this evening.

  4. #4
    Join Date
    Jan 2009
    Location
    Palermo
    Posts
    43
    Rep Power
    6

    Default

    Thanks, ok now
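
In the thread above, every database passed its GPG check but was reported BAD until /opt/zimbra/clamav/bin was added to the script's PATH. The following is an added example, not part of the thread and not the SaneSecurity download script: a load test that reports a missing clamscan separately from a database that clamscan rejects. The function names and the CLAMAV_BIN variable are hypothetical; only the clamscan options --quiet and -d are relied on.

```shell
#!/bin/sh
# Added example: keep "clamscan not found" apart from "database rejected".
# CLAMAV_BIN defaults to the directory named in reply #3 (hypothetical variable).
CLAMAV_BIN="${CLAMAV_BIN:-/opt/zimbra/clamav/bin}"

# find_clamscan: print the path of clamscan, looking on PATH first and then in
# CLAMAV_BIN. Returns 1 when no executable is found in either place.
find_clamscan() {
    if command -v clamscan >/dev/null 2>&1; then
        command -v clamscan
    elif [ -x "$CLAMAV_BIN/clamscan" ]; then
        printf '%s\n' "$CLAMAV_BIN/clamscan"
    else
        return 1
    fi
}

# test_db FILE: load FILE as the only signature database and scan a scratch file.
# Prints GOOD (returns 0), BAD (returns 1) or NO_SCANNER (returns 2).
test_db() {
    db=$1
    scanner=$(find_clamscan) || { echo NO_SCANNER; return 2; }
    probe=$(mktemp) || return 2
    echo "constructed probe file" > "$probe"
    rc=0
    "$scanner" --quiet -d "$db" "$probe" >/dev/null 2>&1 || rc=$?
    rm -f "$probe"
    # clamscan exits 0 (clean) or 1 (match) once the database has loaded;
    # any other status is an error, such as a malformed database.
    case $rc in
        0|1) echo GOOD; return 0 ;;
        *)   echo BAD;  return 1 ;;
    esac
}
```

Called as `test_db winnow_malware.hdb`, a NO_SCANNER result points at the PATH problem from reply #3 rather than at the downloaded file.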
