[clamav-users] SaneSecurity SpearL signatures

Ian Eiloart iane at sussex.ac.uk
Tue Jan 26 11:21:46 EST 2016


I had a spate of reports about an FP in the SaneSecurity SpearL list. It included a URL that’s attached by MessageLabs when it scans outbound mail from the University of Brighton (which is just over the road from us).

However, the reports that came in referred variously to Sanesecurity.SpearL.448.UNOFFICIAL and Sanesecurity.SpearL.447.UNOFFICIAL.
I went to http://sane.mxuptime.com/s.aspx?id=Sanesecurity.SpearL.448.UNOFFICIAL to identify the offending string, but when I go there now, I see a different string. That makes it very difficult to track down FPs that have been reported a few days after the fact. Also, it means that whitelisting a pattern by name doesn’t work properly.

Some questions arise:

1. Am I seeing codes re-used as the source for the signatures changes?
2. Does this happen with other types of signature?
3. If 'yes' to either, is it possible to prevent this in order to make it easier to investigate problems?
4. Otherwise, what am I doing wrong?

BTW: note to self, decode patterns in spearl.hdb with 

for n in $(cut -d: -f4 spearl.ndb); do echo "$n" | xxd -r -p; echo; done

Ian Eiloart
Postmaster, University of Sussex
+44 (0) 1273 87-3148
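An added example, not part of the original post and not SaneSecurity's or ClamAV's own tooling, for the investigation described above: it parses .ndb lines (Name:TargetType:Offset:HexSignature), decodes the hex body into readable text while keeping wildcards such as {n-m}, *, (aa|bb) and ?? visible, looks a pattern up by signature name, reverse-searches for the signature that contains a reported string, and compares two copies of the file to list names whose hex body changed between them, which is the check that tells you whether a name was re-used for a different pattern. The signature names and hex bodies below are constructed for illustration and are not real SaneSecurity signatures.

```python
# Added example (not from the original post): decode ClamAV .ndb signatures and
# detect signature names whose body has changed between two copies of a file.
import hashlib
import re

# .ndb line layout: Name:TargetType:Offset:HexSignature[:MinFL[:MaxFL]]
# Tokens inside the hex body: {n-m} gaps, * (any bytes), (aa|bb) alternatives,
# and two-character byte values in which '?' is a nibble wildcard.
TOKEN = re.compile(r'\{[^}]*\}|\*|\([0-9a-fA-F|]+\)|[0-9a-fA-F?]{2}')

# Constructed sample databases; names and bodies are invented for this example.
SAMPLE_NDB = """\
# constructed sample, not real signatures
Example.SpearL.1.UNOFFICIAL:3:*:687474703a2f2f6578616d706c652e6f72672f7363616e
Example.SpearL.2.UNOFFICIAL:3:*:46726f6d3a20{1-20}40696e76616c69642e6578616d706c65
"""

# A later copy in which the body behind Example.SpearL.1 has been replaced.
SAMPLE_NDB_LATER = """\
Example.SpearL.1.UNOFFICIAL:3:*:687474703a2f2f6578616d706c652e6e65742f78
Example.SpearL.2.UNOFFICIAL:3:*:46726f6d3a20{1-20}40696e76616c69642e6578616d706c65
"""


def decode_hex_sig(hexsig):
    """Render a hex body as text; wildcard tokens are kept as <...> markers."""
    out = []
    pos = 0
    while pos < len(hexsig):
        m = TOKEN.match(hexsig, pos)
        if m is None:
            raise ValueError('unparseable hex body at offset %d: %r'
                             % (pos, hexsig[pos:pos + 8]))
        tok = m.group(0)
        pos = m.end()
        if tok[0] in '{*(' or '?' in tok:
            out.append('<%s>' % tok)
        else:
            b = int(tok, 16)
            out.append(chr(b) if 32 <= b < 127 else '\\x%02x' % b)
    return ''.join(out)


def parse_ndb(text):
    """Split .ndb text into dicts; blank lines and '#' comments are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        parts = line.split(':')
        if len(parts) < 4:
            raise ValueError('malformed .ndb line: %r' % line)
        entries.append({'name': parts[0], 'target': parts[1],
                        'offset': parts[2], 'hexsig': parts[3]})
    return entries


def find_by_name(entries, name):
    """Decoded pattern for a reported signature name, or None if absent."""
    for e in entries:
        if e['name'] == name:
            return decode_hex_sig(e['hexsig'])
    return None


def find_matching(entries, needle):
    """Names of signatures whose decoded body contains the reported string."""
    return [e['name'] for e in entries if needle in decode_hex_sig(e['hexsig'])]


def changed_bodies(old_entries, new_entries):
    """Names present in both copies whose hex body differs (a re-used name)."""
    def digests(entries):
        return {e['name']: hashlib.sha256(e['hexsig'].encode()).hexdigest()
                for e in entries}
    old, new = digests(old_entries), digests(new_entries)
    return sorted(n for n in old if n in new and old[n] != new[n])


if __name__ == '__main__':
    today = parse_ndb(SAMPLE_NDB)
    later = parse_ndb(SAMPLE_NDB_LATER)
    print(find_by_name(today, 'Example.SpearL.2.UNOFFICIAL'))
    print(find_matching(today, 'example.org/scan'))
    print(changed_bodies(today, later))
```

Keeping a dated copy of the signature file alongside each FP report, and running the comparison against the current file, shows directly whether the name you were given still points at the pattern that fired.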
