Feature #2897
Support Sanesecurity Foxhole
| Status: | CLOSED | Start date: | |
|---|---|---|---|
| Priority: | Normal | Due date: | |
| Assignee: | - | % Done: | 100% |
| Category: | nethserver-antivirus | | |
| Target version: | v6.5 | | |
| Resolution: | | NEEDINFO: | Yes |
Description
I'd like to have support for the new Foxhole clamav sigs (http://sanesecurity.com/foxhole-databases/).
Two steps required:
1. add dbs to /etc/e-smith/templates/etc/clamav-unofficial-sigs/clamav-unofficial-sigs.conf/20dbs
2. tell amavisd to treat foxhole as viruses
1:
@@ -149,6 +149,8 @@ crdfam.clamav.hdb phishtank.ndb porcupine.ndb + foxhole_generic.cdb + foxhole_filename.cdb "
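Review bot: the hunk ends with a stray `"` after `foxhole_filename.cdb`; if that quote is really part of the 20dbs template fragment it will be emitted into the generated database list, so confirm the template fragment ends cleanly with the two `.cdb` names and nothing else. The hunk only covers the signature list, so the amavisd mapping named as step 2 still has to be reviewed separately.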
2:
```
# cat /etc/e-smith/templates-custom/etc/amavisd.conf/96block_all_virus
@virus_name_to_spam_score_maps = ();
```
Clearing virus2spam scores seems aggressive, but I couldn't find a suitable regexp.
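As an added illustration (not NethServer's or amavisd-new's own code), the Perl below emulates the first-match lookup that amavisd applies to `@virus_name_to_spam_score_maps` and compares three settings side by side: a constructed broad map that matches every Sanesecurity name (so Foxhole hits become low-score spam instead of blocked viruses), the cleared map chosen above (every AV hit is a virus), and a narrowed map that uses a negative lookahead so only Foxhole names fall through to virus handling. The map entries and the detection names are constructed for the demo and are not the amavisd defaults; the real lookup goes through amavisd's `lookup()` over entries built with `new_RE()`, which this script simplifies to a plain regexp loop.

```perl
#!/usr/bin/perl
# Added illustration, not code from the NethServer project or amavisd-new.
# Emulates the first-match lookup over @virus_name_to_spam_score_maps so the
# effect of clearing the map versus narrowing it can be compared offline.
use strict;
use warnings;

# Constructed map entries for the demo; NOT the amavisd defaults.
# Each entry is [ regexp => spam score ]: a virus name matching the regexp is
# handed to the spam path with that score instead of being treated as infected.
my @map_broad = (
    [ qr/^Sanesecurity\./           => 0.1 ],   # broad: matches Foxhole too
    [ qr/^(Email|HTML)\.Phishing\./ => 0.1 ],
);

# Narrowed alternative (an assumption for this demo, not the issue's setting):
# a negative lookahead keeps the other Sanesecurity mappings but lets every
# Sanesecurity.Foxhole* result fall through to virus handling.
my @map_narrowed = (
    [ qr/^Sanesecurity\.(?!Foxhole)/ => 0.1 ],
    [ qr/^(Email|HTML)\.Phishing\./  => 0.1 ],
);

# The setting from the description: an empty map, every AV hit is a virus.
my @map_cleared = ();

# Return the spam score of the first matching entry, or undef when the name
# matches nothing and amavisd would handle it as a virus (first match wins).
sub lookup_score {
    my ($name, @map) = @_;
    for my $entry (@map) {
        my ($re, $score) = @$entry;
        return $score if $name =~ $re;
    }
    return undef;
}

# One human-readable verdict line for a given map and detection name.
sub describe {
    my ($label, $name, @map) = @_;
    my $score = lookup_score($name, @map);
    return sprintf "%-9s %-42s => %s", $label, $name,
        defined $score ? "SPAM (score $score)" : "VIRUS (blocked)";
}

# Constructed sample detection names, in the style of unofficial-sig hits.
my @names = (
    'Sanesecurity.Foxhole.Zip_fs155.UNOFFICIAL',   # constructed Foxhole name
    'Sanesecurity.Junk.12345.UNOFFICIAL',          # constructed junk-sig name
    'Eicar-Test-Signature',
);

for my $n (@names) {
    print describe('broad',    $n, @map_broad),    "\n";
    print describe('narrowed', $n, @map_narrowed), "\n";
    print describe('cleared',  $n, @map_cleared),  "\n\n";
}
```

Run with `perl virus_map_demo.pl`: under the broad map the Foxhole hit is scored as spam, under both the narrowed and the cleared map it is blocked as a virus, and the Junk hit shows the difference between the two (still spam when narrowed, a virus when cleared). Whether the narrowed form is acceptable depends on which other unofficial signatures the deployment wants to keep on the spam path.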
Related issues
Associated revisions
Enabled Sanesecurity Foxhole DB. Refs #2897
amavisd.conf: remove default virus mappings to spam score. Refs #2897
The default amavis configuration maps some AV results to SPAM. This
setting considers such results as viruses.
History
#1 Updated by Davide Principi over 6 years ago
- Status changed from NEW to TRIAGED
- Target version set to v6.5
- % Done changed from 0 to 20
#2 Updated by Davide Principi over 6 years ago
- Related to Enhancement #2924: Fetchmail support for AD users added
#3 Updated by Davide Principi over 6 years ago
- Status changed from TRIAGED to ON_DEV
- Assignee set to Davide Principi
- % Done changed from 20 to 30
#4 Updated by Davide Principi over 6 years ago
- File amavisd-virus-score.txt added
This is the content of @virus_name_to_spam_score_maps after appending Sanesecurity.Foxhole (see attached file).
#5 Updated by Davide Principi over 6 years ago
- Status changed from ON_DEV to MODIFIED
- Assignee deleted (Davide Principi)
- % Done changed from 30 to 60
Test case
#6 Updated by Davide Principi over 6 years ago
- Status changed from MODIFIED to ON_QA
- % Done changed from 60 to 70
In nethserver-testing:
nethserver-mail-filter-1.2.0-1.0git1904950e.ns6
nethserver-antivirus-1.1.0-1.0gitf33b848b.ns6
#7 Updated by Stefano Fancello over 6 years ago
- Assignee set to Stefano Fancello
#8 Updated by Stefano Fancello over 6 years ago
- Status changed from ON_QA to VERIFIED
- Assignee changed from Stefano Fancello to Filippo Carletti
- % Done changed from 70 to 90
- NEEDINFO changed from No to Yes
I've tried this [[http://sanesecurity.com/foxhole-databases/]], foxhole_generic, sending a mail with an attached zip file containing a .pif filled with random data. The mail server responded: 5.7.0 Reject, id=14999-03 - BANNED: CLASS Exec:.dat,test.pif.
```
==> /var/log/maillog <==
Dec 3 11:51:50 makako submission/smtpd[21302]: connect from pc-stefano.nethesis.it[192.168.5.14]
Dec 3 11:51:55 makako submission/smtpd[21302]: NOQUEUE: client=pc-stefano.nethesis.it[192.168.5.14], sasl_method=PLAIN, sasl_username=test1
Dec 3 11:52:04 makako amavis[14999]: (14999-03) Blocked BANNED (CLASS Exec:.dat,test.pif) {RejectedInternal,Quarantined}, SUBMISSION/MYNETS LOCAL [192.168.X.X]:41280 [192.168.X.X] <test1@menghesis.it> -> <test1@menghesis.it>, Message-ID: <547EEB44.8050806@menghesis.it>, mail_id: mEe_wZlThO-Q, Hits: -, size: 1373, 10379 ms
Dec 3 11:52:04 makako submission/smtpd[21302]: proxy-reject: END-OF-MESSAGE: 554 5.7.0 Reject, id=14999-03 - BANNED: CLASS Exec:.dat,test.pif; from=<test1@menghesis.it> to=<test1@menghesis.it> proto=ESMTP helo=<pc-stefano.nethesis.it>
Dec 3 11:52:47 makako submission/smtpd[21302]: disconnect from pc-stefano.nethesis.it[192.168.X.X]
```
So I think that this could be considered VERIFIED, but I'm not sure, because the other test that I've tried (following the test case described here [[http://sanesecurity.com/support/signature-testing/]]) fails under certain circumstances:
Test 1, HTML-formatted mail with the signature in the body, is PASSED: the mail is blocked
554 5.7.0 Reject, id=14999-01 - INFECTED: Sanesecurity.TestSig_Type3_Bdy.4.UNOFFICIAL;
Test 2, with the signature in the email subject, fails, and the email is delivered
Test 3 fails if the email is sent normally using Thunderbird (by the same account on the same server) and passes (the email is blocked) if sent by smtptest
5.7.0 Reject, id=14998-04 - INFECTED: Sanesecurity.TestSig_Type4_Bdy.3.UNOFFICIAL
#9 Updated by Giacomo Sanchietti over 6 years ago
- Assignee deleted (Filippo Carletti)
#10 Updated by Giacomo Sanchietti over 6 years ago
- Status changed from VERIFIED to CLOSED
- % Done changed from 90 to 100
- nethserver-mail-filter-1.2.1-1.ns6.noarch.rpm
- nethserver-antivirus-1.1.1-1.ns6.noarch.rpm