A lot of time has passed, so maybe it's time to re-review the current clamav settings and signatures. This is not intended to force making a change, just to review and discuss them.
Phishing Settings
Currently we do have the following features in clamav disabled (mailcow-dockerized/data/conf/clamav/clamd.conf, lines 35 to 36 in bd9f4ba):

```
# With this option enabled ClamAV will try to detect phishing attempts by using
# HTML.Phishing and Email.Phishing NDB signatures.
# Default: yes
#PhishingSignatures no
# With this option enabled ClamAV will try to detect phishing attempts by
# analyzing URLs found in emails using WDB and PDB signature databases.
# Default: yes
#PhishingScanURLs no
```

The default clamav config however is enabling both: https://github.com/Cisco-Talos/clamav/blob/main/etc/clamd.conf.sample#L485-L493

Do these bring any advantages for mailcow? I suppose most things are being detected by rspamd and are not needed for clamav?
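Whether a setting like this is really off depends on whether the line is active or commented out: clamd ignores a `#`-prefixed line and falls back to its built-in default, which clamd.conf.sample documents as `yes` for both phishing options. The following is an added example (not mailcow's or ClamAV's own code) that parses a clamd.conf and reports the effective value of the two options together with where that value came from. The two sample configs are constructed inline; the function names are this example's own.

```python
"""Report the effective value of ClamAV's phishing options from a clamd.conf.

Added example, not part of mailcow or ClamAV. A commented-out line such as
"#PhishingSignatures no" does not disable anything: clamd then uses its
compiled-in default, which clamd.conf.sample states is "yes" for both options.
"""
from __future__ import annotations

# Defaults as documented in clamd.conf.sample ("# Default: yes").
PHISHING_DEFAULTS = {
    "PhishingSignatures": "yes",
    "PhishingScanURLs": "yes",
}


def parse_clamd_conf(text: str) -> dict[str, str]:
    """Return option -> value for every active (uncommented) 'Option value' line."""
    settings: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank or comment: contributes nothing to the config
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue  # bare keyword without a value, ignore here
        key, value = parts
        settings[key] = value.strip()
    return settings


def effective_phishing_settings(text: str) -> dict[str, tuple[str, str]]:
    """Map each phishing option to (effective_value, source).

    source is "config" when the option is set on an active line and
    "default" when clamd would fall back to the documented default.
    """
    active = parse_clamd_conf(text)
    result: dict[str, tuple[str, str]] = {}
    for key, default in PHISHING_DEFAULTS.items():
        if key in active:
            result[key] = (active[key].lower(), "config")
        else:
            result[key] = (default, "default")
    return result


# Constructed sample 1: the two options commented out, as in the snippet above.
COMMENTED_SAMPLE = """
# Default: yes
#PhishingSignatures no
# Default: yes
#PhishingScanURLs no
"""

# Constructed sample 2: the same options actually set on active lines.
ACTIVE_SAMPLE = """
PhishingSignatures no
PhishingScanURLs no
"""

if __name__ == "__main__":
    for name, sample in (("commented", COMMENTED_SAMPLE), ("active", ACTIVE_SAMPLE)):
        print(f"{name} config:")
        for key, (value, source) in effective_phishing_settings(sample).items():
            print(f"  {key} = {value} ({source})")
```

Run it against the real file with `effective_phishing_settings(open("data/conf/clamav/clamd.conf").read())` from the mailcow-dockerized checkout; a result tagged `default` means the option is on, even though a `no` appears in the file.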
Signatures
Currently the following signatures from sanesecurity are enabled by default in mailcow (mailcow-dockerized/data/Dockerfiles/clamd/clamd.sh, lines 65 to 77 in bd9f4ba).

However sanesecurity provides more files; a full list is here: https://sanesecurity.com/usage/signatures/

I have built a convenient list of signatures which could be beneficial to include. I only picked low/med as false-positive chance and any which were updated in the last weeks or so.
Table of suggested signatures (as of 2024-11-18):

| Name | Description | Last Modification | Size | False-Positive |
|---|---|---|---|---|
| foxhole_filename.cdb | This database will block certain commonly known malware filenames within Zip, Rar, 7z, Arj and Cab archives. | Nov 6 17:34 | 307K | Low |
| porcupine.hsb | Sha256 hashes of VBS and JSE malware, kept for 7 days | Nov 18 13:30 | 17K | Low |
| badmacro.ndb | Blocks dangerous macros embedded in Word/Excel/Xml/RTF/JS documents | Oct 31 17:49 | 112K | Med |
| shelter.ldb | Phishing and Malware | Sep 13 11:36 | 9.9K | Med |
| MiscreantPunch099-Low.ldb | Ruleset contains comprehensive rules for detecting malicious or abnormal Macros, JS, HTA, HTML, XAP, JAR, SWF, and more. | Nov 18 13:33 | 586K | Med |
Might any of them be of interest or beneficial?
Motivation
See if there is any optimization potential for clamav settings and/or available signatures.
Additional context
No response