[clamav-users] ClamAV reputation rating
G.W. Haywood
clamav at jubileegroup.co.uk
Fri Jun 28 16:49:23 UTC 2019
Hi there,

On Fri, 28 Jun 2019, Al Varnell wrote:

> On Thu, Jun 27, 2019 at 07:51 AM, Joel Esler (jesler) via clamav-users wrote:
>>> On Jun 26, 2019, at 7:25 PM, Epicon Elysium via clamav-users <clamav-users at lists.clamav.net> wrote:
>>>
>>> We're building a PaaS where everything runs on Linux. As part of
>>> the security requirements, we have to deploy Antivirus as well. We
>>> chose ClamAV in this case. One of the requirements in terms of
>>> Antivirus is that we should enable reputation rating. ...
>>
>> The short answer is "No". ClamAV does not do reputation ratings,
>> unless you are talking about a scale of not malicious, heuristic,
>> PUA, and full on malicious.
>>
>> But there is not a reputation system, no.
>
> The OP is going to have to explain more fully, but I took the
> question as does ClamXAV consider any reputation ratings that are
> made by the e-mail systems through which a message transits which
> are often expressed as spam or malware scores in the header
> information.

Seems to me that the OP doesn't know what he wants, but he has some
kind of requirements specification which was written by somebody who
doesn't know either, and he's doing his best to comply with that.

Anti-virus and reputation are pretty much orthogonal concepts.

My take on reputation is: If it comes from something somehow listed in
one of my blacklists, it has a bad reputation and I don't want it (to
the point of automatically adding a firewall TARPIT rule if it tries
to send me anything).

mail6:/etc/mail/x-milter# >>> wc -l *blacklist
  140 x-milter_ASN_blacklist
  324 x-milter_connect_blacklist
   57 x-milter_country_blacklist (*)
  166 x-milter_envfrom_blacklist
  104 x-milter_header_blacklist
  107 x-milter_helo_blacklist
   18 x-milter_rcpt_blacklist
   14 x-milter_RP_blacklist
    6 x-milter_SPF_blacklist
    9 x-milter_whois_blacklist
  945 total

(*) The line count is rather misleading for this file, there are at the
moment 165 ISO 3166-1 country codes in it:

https://en.wikipedia.org/wiki/ISO_3166-1_alpha-2

If anyone wants to see any of this stuff I'm happy to publish it.

Of course this is a Sendmail milter which scans mail. If you're
shaving yaks, things are very different. I just hope that there's
something here that might stimulate.

--
73,
Ged.