These signatures are installed by default in Mailborder v5 and greatly enhance the Clam Antivirus package by adding checks, including zero-day virus detection. The signatures are a collection distributed by SaneSecurity and are updated several times per day. When added to your Master or Child server’s freshclam.conf, database updates are performed automatically with the server’s antivirus update package.
Several of the low false positive databases are included with Mailborder servers by default. The list below describes each database, including additional databases that are available for use. To use a set of signatures, add the associated URL to freshclam.conf like this:
```
Checks 6
# Required
DatabaseCustomURL http://sigs.mailborder.com/sanesecurity.ftm
DatabaseCustomURL http://sigs.mailborder.com/sigwhitelist.ign2
# Optional
DatabaseCustomURL http://sigs.mailborder.com/junk.ndb
DatabaseCustomURL http://sigs.mailborder.com/jurlbl.ndb
DatabaseCustomURL http://sigs.mailborder.com/scam.ndb
```
The freshclam.conf should be configured to update once every 4 to 6 hours using the configuration parameter “Checks 6” or “Checks 4” (the value is the number of update checks per day). Please do not use a frequency higher than this, as your server may be throttled due to excessive bandwidth use.
The signatures are a collection produced by: SaneSecurity | OITC | bofhland | Rook Security | CRDF Malware | Porcupine | Phishtank
Database | Description | freshclam.conf |
---|---|---|
sanesecurity.ftm | Database file definitions for ClamAV | http://sigs.mailborder.com/sanesecurity.ftm |
sigwhitelist.ign2 | Fast update file to whitelist problem signatures | http://sigs.mailborder.com/sigwhitelist.ign2 |
Database | Description | freshclam.conf |
---|---|---|
junk.ndb | General high hitting junk containing spam/phishing/lottery/jobs/419s | http://sigs.mailborder.com/junk.ndb |
jurlbl.ndb | Junk Url based | http://sigs.mailborder.com/jurlbl.ndb |
phish.ndb | Phishing | http://sigs.mailborder.com/phish.ndb |
rogue.hdb | Malware, Rogue anti-virus software and Fake codecs etc. Updated hourly to cover the latest malware threats. | http://sigs.mailborder.com/rogue.hdb |
scam.ndb | Scams | http://sigs.mailborder.com/scam.ndb |
spamimg.hdb | Spam images | http://sigs.mailborder.com/spamimg.hdb |
spamattach.hdb | Spammed attachments such as pdf/doc/rtf/zip | http://sigs.mailborder.com/spamattach.hdb |
blurl.ndb | Blacklisted full urls over the last 7 days covering malware/spam/phishing. | http://sigs.mailborder.com/blurl.ndb |
foxhole_generic.cdb | This database will block double extensions of certain dangerous file types that are contained within Zip, Rar, 7Zip, Arj and Cab files. These files will be detected only if they end in dangerous file types such as: pif, scr, exe, com, bat, cmd, vbs, lnk, cpl and vb. | http://sigs.mailborder.com/foxhole_generic.cdb |
foxhole_filename.cdb | This database will block certain commonly known malware filenames within Zip, Rar, 7z, Arj and Cab archives. | http://sigs.mailborder.com/foxhole_filename.cdb |
malwarehash.hsb | Malware hashes without known Size | http://sigs.mailborder.com/malwarehash.hsb |
hackingteam.hsb | Hacking Team hashes converted to ClamAV format | http://sigs.mailborder.com/hackingteam.hsb |
winnow_malware.hdb | Current virus, trojan and other malware not yet detected by ClamAV | http://sigs.mailborder.com/winnow_malware.hdb |
winnow_malware_links.ndb | Links to malware | http://sigs.mailborder.com/winnow_malware_links.ndb |
winnow_extended_malware.hdb | Hand generated malware signatures | http://sigs.mailborder.com/winnow_extended_malware.hdb |
winnow.attachments.hdb | Spam attachments such as pdf/docs/rtf/zips | http://sigs.mailborder.com/winnow.attachments.hdb |
winnow_bad_cw.hdb | MD5 hashes of malware attachments acquired directly from a group of botnets | http://sigs.mailborder.com/winnow_bad_cw.hdb |
bofhland_cracked_URL.ndb | Spam URLs | http://sigs.mailborder.com/bofhland_cracked_URL.ndb |
bofhland_malware_URL.ndb | Malware URLs | http://sigs.mailborder.com/bofhland_malware_URL.ndb |
bofhland_phishing_URL.ndb | Phishing URLs | http://sigs.mailborder.com/bofhland_phishing_URL.ndb |
bofhland_malware_attach.hdb | Malware hashes | http://sigs.mailborder.com/bofhland_malware_attach.hdb |
crdfam.clamav.hdb | List of real time malware threats | http://sigs.mailborder.com/crdfam.clamav.hdb |
porcupine.ndb | Brazilian email phishing and malware signatures | http://sigs.mailborder.com/porcupine.ndb |
phishtank.ndb | Online and valid phishing urls from phishtank.com data feed | http://sigs.mailborder.com/phishtank.ndb |
porcupine.hsb | SHA256 hashes of VBS and JSE malware, kept for 7 days | http://sigs.mailborder.com/porcupine.hsb |
Database | Description | freshclam.conf |
---|---|---|
jurlbla.ndb | Junk Url based autogenerated from various feeds | http://sigs.mailborder.com/jurlbla.ndb |
lott.ndb | Lottery | http://sigs.mailborder.com/lott.ndb |
spam.ldb | Spam detected using the new Logical Signature type | http://sigs.mailborder.com/spam.ldb |
spear.ndb | Spear phishing email addresses | http://sigs.mailborder.com/spear.ndb |
spearl.ndb | Spear phishing urls | http://sigs.mailborder.com/spearl.ndb |
foxhole_js.cdb | This database will block most JavaScript (.js) files within Zip and Rar files. The current #locky #javascript #malware is using rapidly changing JavaScript files and this database is aimed at blocking these. To help minimise false positives, this database will only scan small sized Zip and Rar files. | http://sigs.mailborder.com/foxhole_js.cdb |
badmacro.ndb | Blocks dangerous macros embedded in Word/Excel/Xml/RTF/JS documents | http://sigs.mailborder.com/badmacro.ndb |
winnow_spam_complete.ndb | Signatures to detect fraud and other malicious spam | http://sigs.mailborder.com/winnow_spam_complete.ndb |
winnow_phish_complete_url.ndb | Similar to winnow_phish_complete.ndb except that entire URLs are used | http://sigs.mailborder.com/winnow_phish_complete_url.ndb |
winnow.complex.patterns.ldb | Contains hand generated signatures for malware and some egregious fraud | http://sigs.mailborder.com/winnow.complex.patterns.ldb |
winnow_extended_malware_links.ndb | Contains hand generated signatures for malware links | http://sigs.mailborder.com/winnow_extended_malware_links.ndb |
Database | Description | freshclam.conf |
---|---|---|
foxhole_all.cdb | This database will block all files (single and double extensions) within Zip, Rar and 7z archives that contain dangerous file types such as: ade, adp, bat, chm, cmd, com, cpl, exe, hta, ins, isp, jse, lib, mde, msd, msp, mst, pif, scr, sct, shb, sys, vb, vbe, vbs, vxd, wsc, wsf and wsh. This will be the most effective database of the three but also has the highest risk of false positives, unless you are using scoring. Currently only Zip, Rar, 7z and Arj archives are used, however this can be extended to Cab and Tar files. | http://sigs.mailborder.com/foxhole_all.cdb |
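
A quick way to check a server's freshclam.conf against the guidance on this page (required databases present, no more than 6 checks per day, foxhole_all.cdb flagged for its false-positive risk). This is an added example, not Mailborder or SaneSecurity code; the function name `audit_freshclam` and the sample configuration are assumptions constructed for illustration.

```python
# Added example: audit freshclam.conf contents against this page's guidance.
REQUIRED = {"sanesecurity.ftm", "sigwhitelist.ign2"}  # the page's "# Required" entries
MAX_CHECKS = 6        # page: use "Checks 6" or "Checks 4", nothing more frequent
DEFAULT_CHECKS = 12   # freshclam's built-in default when no Checks line is set
HIGH_FP = {"foxhole_all.cdb"}  # page: highest false-positive risk without scoring


def audit_freshclam(conf_text):
    """Return a list of findings for the given freshclam.conf contents."""
    checks, seen, findings = DEFAULT_CHECKS, [], []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue  # option without a value; not relevant here
        key, value = parts[0], parts[1].strip()
        if key == "Checks" and value.isdigit():
            checks = int(value)
        elif key == "DatabaseCustomURL":
            seen.append(value.rsplit("/", 1)[-1])  # database file name
    if checks > MAX_CHECKS:
        findings.append(f"Checks {checks} exceeds {MAX_CHECKS} per day; mirror may throttle")
    for name in sorted(REQUIRED - set(seen)):
        findings.append(f"missing required database {name}")
    for name in sorted({n for n in seen if seen.count(n) > 1}):
        findings.append(f"duplicate DatabaseCustomURL for {name}")
    for name in sorted(HIGH_FP & set(seen)):
        findings.append(f"{name} enabled: high false-positive risk without scoring")
    return findings


# Constructed sample configuration with four deliberate problems.
SAMPLE_CONF = """\
# constructed sample
Checks 24
DatabaseCustomURL http://sigs.mailborder.com/sanesecurity.ftm
DatabaseCustomURL http://sigs.mailborder.com/junk.ndb
DatabaseCustomURL http://sigs.mailborder.com/junk.ndb
DatabaseCustomURL http://sigs.mailborder.com/foxhole_all.cdb
"""

if __name__ == "__main__":
    for finding in audit_freshclam(SAMPLE_CONF):
        print(finding)
```

To audit a live server, pass the contents of its freshclam.conf to `audit_freshclam`; an empty list means the file matches the guidance above.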