[clamav-users] Trouble with foxhole

Gene Heskett gheskett at wdtv.com
Wed Oct 14 08:45:53 UTC 2015


On Wednesday 14 October 2015 04:27:08 Rajesh M wrote:

> steve
>
> i am writing this on the basis of the experience of over 18500
> corporate users -- and they have no complaints at all.
>
> basically people sending all these different file exe, jar and other
> forbidden extensions directly or within zip rar etc are 99.999 percent
> spammers / botnet
>
> the only people who mentioned the issue are software developers who
> happened to send exe or jar etc with their emails.
>
> however once i explained to them and provided them ftp accounts
> for transmitting such files they were happy.
>
> also genuine senders are intimated correctly that their email has not
> been sent so there is no loss of communications.
>
> the internet is getting to be an extremely dangerous place -- and i
> have seen several incidences of people opening these exe or scr files
> within zip files and having their entire pc locked up / companies
> losing millions because their employees' pcs were hacked.
>
> antivirus is only as good as the signature -- many many many many
> times clam fails -- even now word / excel macro virus documents are
> not detected.
>
> badfile names --- very very difficult to keep updating those.
>
> i would rather block the root cause (though a few people may complain)
> than have the pcs of a huge number of people at risk.
>
> rajesh

I am with rajesh on this. clamav's hit rate, and I run every incoming 
mail past it, is disgustingly poor at detecting this stuff. I have fed 
500 or more of these *^%$ .zip or .doc attachments to sa-learn spam, 
probably poisoning its database since the last actual hit by clamav, 
which was on Sept 8th.  I'll see if this improves the hit rate, because 
it has never been even acceptably accurate and has become very poor 
these days.

> ----- Original Message -----
> From: Steve Basford [mailto:steveb_clamav at sanesecurity.com]
> To: clamav-users at lists.clamav.net
> Sent: Wed, 14 Oct 2015 08:19:32 +0100
> Subject: Re: [clamav-users] Trouble with foxhole
>
> On Wed, October 14, 2015 7:37 am, Rajesh M wrote:
> > Sanesecurity.Foxhole.7z:CL_TYPE_7Z
> > Sanesecurity.Foxhole.Rar:CL_TYPE_RAR
>
> etc..
>
> Hi rajesh,
>
> Yep, the above will work... but could cause high FP's for some people
> which they might find unacceptable, depending on their setup.
>
> If anyone has a nice malware zip/7z/rar etc. collection it might be
> nice to create a "database" of their "common" bad filenames, which I
> can add into foxhole_filename.cdb.
>
> I've made a start on the above and will shortly be adding these into
> foxhole_filename.cdb
>
> Cheers,
>
> Steve
> Web : sanesecurity.com
> Blog: sanesecurity.blogspot.com
>
> _______________________________________________
> Help us build a comprehensive ClamAV guide:
> https://github.com/vrtadmin/clamav-faq
>
> http://www.clamav.net/contact.html#ml


Cheers, Gene Heskett
-- 
"There are four boxes to be used in defense of liberty:
 soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
Genes Web page <http://geneslinuxbox.net:6309/gene>
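As an added illustration of the filename-based blocking Steve describes (example code written for this page, not code from the thread, ClamAV or Sanesecurity): a small Python script that checks zip member names against a constructed set of foxhole-style patterns and renders each pattern as a ClamAV .cdb container-metadata line, using the ten-field layout documented in the ClamAV signature manual. The pattern list and the signature names are assumptions made up here, not the contents of the real foxhole_filename.cdb.

```python
import io
import re
import zipfile

# Filename patterns modelled on the foxhole idea: flag archive members whose
# names end in an extension that is almost always malicious when mailed.
# Signature names and patterns are constructed for this example only.
# The double-extension rule is listed first so it wins over the plain .exe rule.
BAD_NAME_PATTERNS = {
    "Example.Foxhole.Zip_dblext": r"(?i)\.(pdf|doc|xls|txt)\.(exe|scr|com|pif)$",
    "Example.Foxhole.Zip_exe": r"(?i)\.exe$",
    "Example.Foxhole.Zip_scr": r"(?i)\.scr$",
    "Example.Foxhole.Zip_jar": r"(?i)\.jar$",
}

def cdb_line(name: str, regex: str, container: str = "CL_TYPE_ZIP") -> str:
    """Render one ClamAV container-metadata (.cdb) signature line.
    Field order as in the ClamAV signature manual:
    VirusName:ContainerType:ContainerSize:FileNameREGEX:FileSizeInContainer:
    FileSizeReal:IsEncrypted:FilePos:Res1:Res2  ('*' means any value)."""
    return f"{name}:{container}:*:{regex}:*:*:*:*:*:*"

def scan_zip_names(data: bytes) -> list[tuple[str, str]]:
    """Return (member_name, signature_name) for each member whose name matches
    a bad-name pattern. Only the central directory is read; nothing is extracted."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for member in zf.namelist():
            for sig, regex in BAD_NAME_PATTERNS.items():
                if re.search(regex, member):
                    hits.append((member, sig))
                    break  # first matching signature is reported, as a scanner would
    return hits

def build_sample_zip() -> bytes:
    """Constructed test archive: one benign file and two lookalike executables."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "hello")
        zf.writestr("Invoice_2015.pdf.exe", "MZ not really")
        zf.writestr("holiday_photo.SCR", "MZ not really")
    return buf.getvalue()

if __name__ == "__main__":
    for member, sig in scan_zip_names(build_sample_zip()):
        print(f"{sig}: {member}")
    for sig, regex in BAD_NAME_PATTERNS.items():
        print(cdb_line(sig, regex))
```

The same name check against a mail-gateway log of attachment listings would show how often a plain extension rule fires compared with the double-extension rule, which is the kind of FP trade-off Steve mentions.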