Grepular

Detecting Bad ClamAV Signatures by Scanning Ham

Written 15 years ago by Mike Cardwell

I use Clam Antivirus on my personal email as well as at work. I’ve been using some third party generated signatures from SaneSecurity for quite some time now and they’ve been very effective at stopping spam. Recently, some bad signatures have found their way into the SaneSecurity signature files. Yesterday in the jurlbl signatures they listed “com” as a bad domain, and a couple of months back they listed “acebook.com” which caused facebook email to get blocked.

So I’ve created a quick early warning system to alert me to when a really bad signature gets added such as the “com” one. I figured that if I scan the read email in my Inbox with ClamAV and it starts flagging any of them up as spam, then there is a problem. I created a cron job to do the scan once every 20 minutes. Here it is:

13-53/20 * * * * if [ `/usr/bin/clamscan /var/CommuniGate/Domains/grepular.com/m.sub/i.sub/mike.macnt/INBOX.mdir/*-S* 2>/dev/null|/bin/egrep '^Infected files: [0-9]+$’|/usr/bin/awk {'print $3'}` -gt 0 ]; then echo "ClamAV is identifying some ham as spam"; fi 2>/dev/null

If you were using Maildir format, you might scan something like “/home/user/Maildir/cur” rather than “/var/CommuniGate/Domains/grepular.com/m.sub/i.sub/mike.macnt/INBOX.mdir/-S“

Ideally the script which downloads the signatures would perform this test before rolling them out, but the one I’m currently using is written as a shell script and I’m not too hot on shell scripting. I may write a Perl version at some point.

UPDATE:

Literally an hour after I wrote this blog post, Steve from SaneSecurity had implemented his own HAM scanning solution on the server side, so signatures should be tested against a collection of HAM before being rolled out now. Kudos.

Want to leave a tip?BitcoinMoneroZcashPaypalYou can follow this Blog using RSS or Mastodon. To read more, visit my blog index.