ClamAV reputation rating
Hi,

Hoping someone could help with the info I'm looking for.

Does ClamAV support enabling reputation rating? I couldn't seem to
find any info when searching for it. There's nothing mentioned in the
config file either.

Thanks,
Ray
Re: ClamAV reputation rating
I'm guessing you are talking about e-mail headers here?

I can't say definitively, but I have never seen a signature that was looking at them. Perhaps there are unofficial signatures that do.

I've always been under the impression that such headers were designed to be used by Mail clients & servers.

Sent from my iPad

-Al-

On Jun 23, 2019, at 20:58, Epicon Elysium via clamav-users <clamav-users@lists.clamav.net> wrote:
> Hi,
>
> Hoping someone could help with the info I'm looking for.
>
> Does ClamAV support in enabling the reputation rating? Seems I couldn't find any info when searching for it. There's nothing mentioned in the config file as well.
>
> Thanks,
> Ray


_______________________________________________

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
Re: ClamAV reputation rating
No.

But can you share an example? And what you’d like to do?

Sent from my iPhone

> On Jun 23, 2019, at 23:59, Epicon Elysium via clamav-users <clamav-users@lists.clamav.net> wrote:
>
> Hi,
>
> Hoping someone could help with the info I'm looking for.
>
> Does ClamAV support in enabling the reputation rating? Seems I couldn't find any info when searching for it. There's nothing mentioned in the config file as well.
>
> Thanks,
> Ray
>
Re: ClamAV reputation rating
Epicon Elysium via clamav-users <epicon.elysium@gmail.com> wrote:

> Does ClamAV support in enabling the reputation rating? Seems I couldn't find any info when searching for it. There's nothing mentioned in the config file as well.

AIUI no, it doesn't have anything for that.
However, a very common setup is to use AMaViS to scan mail, with ClamAV as just one of the tools it uses - the other tools can include things like reputation rating (eg sender real-time blacklists and so on).
You might also want to have a look at PolicyD (aka Cluebringer) which brings other tools to the party - such as greylisting and quotas.


Re: ClamAV reputation rating
Thank you all for your response.

We're building a PaaS where everything runs on Linux. As part of the
security requirements, we have to deploy Antivirus as well. We chose ClamAV
in this case. One of the requirements in terms of Antivirus is that we
should enable reputation rating. The environment itself is pretty static
once deployed. There's no email traffic in/out. It's just application
traffic through WAF/ModSecurity. The files themselves on the OS level are
pretty static. So ClamAV is used to scan the filesystem. So basically,
I think it's just reputation rating on the files, if any.

If it doesn't have it, is there any plugins/tools that can be used to
achieve that? I haven't checked that PolicyD yet.

Many thanks,
Ray




On Mon, Jun 24, 2019 at 11:21 PM Simon Hobson <linux@thehobsons.co.uk>
wrote:

> Epicon Elysium via clamav-users <epicon.elysium@gmail.com> wrote:
>
> > Does ClamAV support in enabling the reputation rating? Seems I couldn't
> find any info when searching for it. There's nothing mentioned in the
> config file as well.
>
> AIUI no, it doesn't have anything for that.
> However, a very common setup is use AMaViS to scan mail, with ClamAV as
> just one of the tools it uses - the other tools can include things like
> reputation rating (eg sender real-time blacklists and so on).
> You might also want to have a look at PolicyD (aka Cluebringer) which
> brings other tools to the party - such as greylisting and quotas.
>
>
Re: ClamAV reputation rating
Epicon Elysium <epicon.elysium@gmail.com> wrote:

> There's no email traffic in/out. It's just application traffic through WAF/ModSecurity. The files itself on the OS level are pretty static. So the ClamAV is used to scan the filesystem. So basically, I think it's just reputation rating on the files if any.

I'm struggling to understand what you mean by reputation rating in this context - a file is a file, and short of taking a blanket "anything ending in '.exe' fails" sort of approach, I can't see how you can apply any sort of reputation rating.
If you were to try and apply a ".gif is potentially dangerous" approach, then what next?
You scan it and find it matches a malware signature - no different to just scanning it.
You scan it and find that it doesn't match anything - now what? It's scanned clean, but now you are wanting to say that it could still be harmful (just because it's a ".gif"), or it could be clean.

> I haven't checked that PolicyD yet.

That's for email anyway.


Re: ClamAV reputation rating
The short answer is "No". ClamAV does not do reputation ratings, unless you are talking about a scale of not malicious, heuristic, PUA, and full on malicious.

But there is not a reputation system, no.

> On Jun 26, 2019, at 7:25 PM, Epicon Elysium via clamav-users <clamav-users@lists.clamav.net> wrote:
>
> Thank you all for your response.
>
> We're building a PaaS where everything runs on Linux. As part of the security requirements, we have to deploy Antivirus as well. We chose ClamAV in this case. One of the requirement in terms of Antivirus is that we should enable reputation rating. The environment itself is pretty static once deployed. There's no email traffic in/out. It's just application traffic through WAF/ModSecurity. The files itself on the OS level are pretty static. So the ClamAV is used to scan the filesystem. So basically, I think it's just reputation rating on the files if any.
>
> If it doesn't have it, is there any plugins/tools that can be used to achieve that? I haven't checked that PolicyD yet.
>
> Many thanks,
> Ray
>
>
>
>
> On Mon, Jun 24, 2019 at 11:21 PM Simon Hobson <linux@thehobsons.co.uk <mailto:linux@thehobsons.co.uk>> wrote:
> Epicon Elysium via clamav-users <epicon.elysium@gmail.com <mailto:epicon.elysium@gmail.com>> wrote:
>
> > Does ClamAV support in enabling the reputation rating? Seems I couldn't find any info when searching for it. There's nothing mentioned in the config file as well.
>
> AIUI no, it doesn't have anything for that.
> However, a very common setup is use AMaViS to scan mail, with ClamAV as just one of the tools it uses - the other tools can include things like reputation rating (eg sender real-time blacklists and so on).
> You might also want to have a look at PolicyD (aka Cluebringer) which brings other tools to the party - such as greylisting and quotas.
>
>
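As an added example (not code from ClamAV or from anyone in this thread): a small Python parser that sorts clamscan's per-file output into the coarse scale Joel describes (clean, heuristic, PUA, malicious), which is about the closest thing to a "rating" a filesystem scan like Ray's can produce. It relies on clamscan's "<path>: <signature> FOUND" / "<path>: OK" line format and on ClamAV's "Heuristics." and "PUA." signature-name prefixes; the sample output below is constructed.

```python
"""Classify clamscan output into clean / heuristic / PUA / malicious.

Added example, not ClamAV code. Parsing relies on clamscan printing one
"<path>: OK" or "<path>: <signature> FOUND" line per scanned file.
"""
import re
from collections import Counter

# Greedy path group so a path containing ": " still parses; signature
# names never contain whitespace.
_LINE = re.compile(r"^(?P<path>.+): (?:(?P<sig>\S+) FOUND|OK)$")


def classify(signature):
    """Map a ClamAV signature name onto the thread's coarse scale.

    ClamAV prefixes heuristic detections with "Heuristics." and potentially
    unwanted applications with "PUA."; anything else is a plain malware
    signature. None means the file line said OK."""
    if signature is None:
        return "clean"
    if signature.startswith("Heuristics."):
        return "heuristic"
    if signature.startswith("PUA."):
        return "pua"
    return "malicious"


def parse_scan(output):
    """Return {path: category} for every per-file line in clamscan output.
    Summary lines such as "Infected files: 3" carry no OK/FOUND and are skipped."""
    results = {}
    for line in output.splitlines():
        m = _LINE.match(line.strip())
        if m:
            results[m.group("path")] = classify(m.group("sig"))
    return results


def summarize(results):
    """Count files per category: the per-scan 'rating' a static filesystem gets."""
    return dict(Counter(results.values()))


# Constructed sample of clamscan output; signature names are illustrative.
SAMPLE = """\
/srv/app/bin/start.sh: OK
/srv/app/vendor/tool.exe: PUA.Win.Packer.Upx-1 FOUND
/srv/app/uploads/x.bin: Heuristics.Broken.Executable FOUND
/srv/app/uploads/eicar.com: Win.Test.EICAR_HDB-1 FOUND

----------- SCAN SUMMARY -----------
Infected files: 3
"""

if __name__ == "__main__":
    for path, cat in parse_scan(SAMPLE).items():
        print(f"{cat:10} {path}")
    print(summarize(parse_scan(SAMPLE)))
```

Feed it `clamscan -r --no-summary /path` output (or keep the summary; it is ignored) to get a per-category count instead of a single pass/fail.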
Re: ClamAV reputation rating
The OP is going to have to explain more fully, but I took the question as does ClamXAV consider any reputation ratings that are made by the e-mail systems through which a message transits which are often expressed as spam or malware scores in the header information.

As I said earlier, I believe that consideration of such information is normally accomplished by the user's e-mail reader client or the e-mail ISP's server.

-Al-

On Thu, Jun 27, 2019 at 07:51 AM, Joel Esler (jesler) via clamav-users wrote:
> The short answer is "No". ClamAV does not do reputation ratings, unless you are talking about a scale of not malicious, heuristic, PUA, and full on malicious.
>
> But there is not a reputation system, no.
>
>> On Jun 26, 2019, at 7:25 PM, Epicon Elysium via clamav-users <clamav-users@lists.clamav.net <mailto:clamav-users@lists.clamav.net>> wrote:
>>
>> Thank you all for your response.
>>
>> We're building a PaaS where everything runs on Linux. As part of the security requirements, we have to deploy Antivirus as well. We chose ClamAV in this case. One of the requirement in terms of Antivirus is that we should enable reputation rating. The environment itself is pretty static once deployed. There's no email traffic in/out. It's just application traffic through WAF/ModSecurity. The files itself on the OS level are pretty static. So the ClamAV is used to scan the filesystem. So basically, I think it's just reputation rating on the files if any.
>>
>> If it doesn't have it, is there any plugins/tools that can be used to achieve that? I haven't checked that PolicyD yet.
>>
>> Many thanks,
>> Ray
>>
>> On Mon, Jun 24, 2019 at 11:21 PM Simon Hobson <linux@thehobsons.co.uk <mailto:linux@thehobsons.co.uk>> wrote:
>> Epicon Elysium via clamav-users <epicon.elysium@gmail.com <mailto:epicon.elysium@gmail.com>> wrote:
>>
>> > Does ClamAV support in enabling the reputation rating? Seems I couldn't find any info when searching for it. There's nothing mentioned in the config file as well.
>>
>> AIUI no, it doesn't have anything for that.
>> However, a very common setup is use AMaViS to scan mail, with ClamAV as just one of the tools it uses - the other tools can include things like reputation rating (eg sender real-time blacklists and so on).
>> You might also want to have a look at PolicyD (aka Cluebringer) which brings other tools to the party - such as greylisting and quotas.
Re: ClamAV reputation rating
Hi there,

On Fri, 28 Jun 2019, Al Varnell wrote:
> On Thu, Jun 27, 2019 at 07:51 AM, Joel Esler (jesler) via clamav-users wrote:
>>> On Jun 26, 2019, at 7:25 PM, Epicon Elysium via clamav-users <clamav-users@lists.clamav.net <mailto:clamav-users@lists.clamav.net>> wrote:
>>>
>>> We're building a PaaS where everything runs on Linux. As part of
>>> the security requirements, we have to deploy Antivirus as well. We
>>> chose ClamAV in this case. One of the requirement in terms of
>>> Antivirus is that we should enable reputation rating. ...
>>
>> The short answer is "No". ClamAV does not do reputation ratings,
>> unless you are talking about a scale of not malicious, heuristic,
>> PUA, and full on malicious.
>>
>> But there is not a reputation system, no.
>
> The OP is going to have to explain more fully, but I took the
> question as does ClamXAV consider any reputation ratings that are
> made by the e-mail systems through which a message transits which
> are often expressed as spam or malware scores in the header
> information.

Seems to me that the OP doesn't know what he wants, but he has some
kind of requirements specification which was written by somebody who
doesn't know either, and he's doing his best to comply with that.

Anti-virus and reputation are pretty much orthogonal concepts.

My take on reputation is: If it comes from something somehow listed in
one of my blacklists, it has a bad reputation and I don't want it (to
the point of automatically adding a firewall TARPIT rule if it tries
to send me anything).

mail6:/etc/mail/x-milter# >>> wc -l *blacklist
140 x-milter_ASN_blacklist
324 x-milter_connect_blacklist
57 x-milter_country_blacklist (*)
166 x-milter_envfrom_blacklist
104 x-milter_header_blacklist
107 x-milter_helo_blacklist
18 x-milter_rcpt_blacklist
14 x-milter_RP_blacklist
6 x-milter_SPF_blacklist
9 x-milter_whois_blacklist
945 total

(*) The line count is rather misleading for this file, there are at the
moment 165 ISO 3166-1 country codes in it:
https://en.wikipedia.org/wiki/ISO_3166-1_alpha-2

If anyone wants to see any of this stuff I'm happy to publish it.

Of course this is a Sendmail milter which scans mail. If you're
shaving yaks, things are very different. I just hope that there's
something here that might stimulate.

--

73,
Ged.
