SaneSecurity signatures are a culmination of hard work and commitment to providing Third-Party signatures to the web community that are of professional quality.

If you feel that you would like to give a donation for your use of these signatures, or just because you want to support us, please consider making a donation.

Please could Linux flavoured users try to use the provided scripts where possible, and make sure that you double-check the cron job scheduling, as neither I nor the mirrors will appreciate signatures being downloaded every second.

If you are using your own scripts, please could users also:
* download signatures only when there have been changes
* download the signatures no more frequently than hourly
* only download from the following main round-robin urls:
  http://www.sanesecurity.com/clamav/phishsigs/phish.ndb.gz
  http://www.sanesecurity.com/clamav/scamsigs/scam.ndb.gz
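
The three requests above (fetch only on change, no more than hourly, main URLs only), sketched as an added example that is not one of the SaneSecurity scripts. The directories, the stamp file and the `--run` switch are assumptions.

```sh
#!/bin/sh
# Added example, not one of the SaneSecurity scripts. Directories, stamp file
# and the --run switch are assumptions; the two URLs are the ones listed above.
DB_DIR="${DB_DIR:-/var/lib/clamav}"
WORK_DIR="${WORK_DIR:-/var/tmp/sanesecurity}"
MIN_INTERVAL="${MIN_INTERVAL:-3600}"   # seconds: never poll more than hourly

# due STAMP: true if STAMP is missing, unreadable, or older than MIN_INTERVAL.
due() {
    [ -f "$1" ] || return 0
    last=$(cat "$1")
    case "$last" in ''|*[!0-9]*) return 0 ;; esac
    [ $(( $(date +%s) - last )) -ge "$MIN_INTERVAL" ]
}

# fetch_if_changed URL FILE: conditional GET. "curl -z FILE" sends
# If-Modified-Since from FILE's mtime, so an unchanged database is a 304.
fetch_if_changed() {
    if [ -f "$2" ]; then
        curl -sS -f -R -z "$2" -o "$2.new" "$1" || return 1
    else
        curl -sS -f -R -o "$2.new" "$1" || return 1
    fi
    [ -s "$2.new" ] || { rm -f "$2.new"; return 2; }   # nothing new
    mv "$2.new" "$2"
}

# install_db GZ NAME: test the archive, unpack to a temporary name, then
# rename, so ClamAV never loads a truncated or half-written database.
install_db() {
    gzip -t "$1" 2>/dev/null || return 1
    tmp="$DB_DIR/.$2.$$"
    gzip -dc "$1" > "$tmp" && [ -s "$tmp" ] || { rm -f "$tmp"; return 1; }
    mv "$tmp" "$DB_DIR/$2"
}

update() {
    mkdir -p "$WORK_DIR" || return 1
    due "$WORK_DIR/last_check" || return 0
    date +%s > "$WORK_DIR/last_check"
    for url in http://www.sanesecurity.com/clamav/phishsigs/phish.ndb.gz \
               http://www.sanesecurity.com/clamav/scamsigs/scam.ndb.gz; do
        gz="$WORK_DIR/${url##*/}"
        fetch_if_changed "$url" "$gz" && install_db "$gz" "$(basename "$gz" .gz)"
    done
    return 0
}
# cron, once an hour at an arbitrary minute:  17 * * * * /path/to/this.sh --run
if [ "${1:-}" = "--run" ]; then update; fi
```

The `gzip -t` check only catches truncated or corrupted downloads; it says nothing about who produced the file.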

Linux (aka non-Windows) Download Scripts (rename to .sh)

| Download | Author/Details | Last Updated |
|---|---|---|
|  | Author: Norbert Buchmuller: downloads the Phish and Scam databases. Also downloads the Third Party MSRBL databases via Rsync (based on download script 1b). Note: this script will sleep for 30secs-10minutes in order to reduce strain on the server | 22.12.07 |
|  | Author: Rick Cooper: downloads the Phish and Scam databases. Also downloads the Third Party MSRBL databases via Rsync. Note: this script will sleep for 30secs-10minutes in order to reduce strain on the server | 14.08.07 |
|  |  | 25.09.07 |
|  | Author: Gerard Seibert: downloads the Phish and Scam databases. Also downloads the Third Party MSRBL databases (via Rsync) and SecuriteInfo's Unofficial malware database | 10.12.07 |
|  | Author: Dan Larsson: downloads the Phish and Scam databases. Also downloads the Third Party MSRBL databases (via Rsync) and SecuriteInfo's Unofficial malware database | 25.08.07 |

Windows Download Scripts

| Download | Author/Details | Last Updated |
|---|---|---|
|  | Author: tBB: downloads the Phish and Scam databases. Also downloads the Third Party MSRBL databases via Rsync. Note: For Win2k(3) and XP systems only | 17.05.07 |

The unzipped databases are placed in the normal ClamAV database directories, for example:
Linux: /var/lib/clamav/
Linux: /usr/local/share/clamav/
Tbb Builds: C:\clamav\data
w32 ClamAV Build: C:\Program Files\clamAV\data
ClamWin Build: C:\Documents and Settings\All Users\.clamwin\db\

Signature Problems

Note: Some of the download scripts also download other Third-Party signatures and are therefore not under the control of SaneSecurity.
If you have problems with a signature, please check the signature names:
Sanesecurity: contact Sanesecurity
MSRBL-Images or MSRBL-SPAM: contact MSRBL
MBL: contact Malware Block List
-SecuriteInfo.com: contact SecuriteInfo

Signature Testing

In order to make sure you are getting the best out of the Sanesecurity signatures, you should run the following three email tests and make sure that your email setup passes all three:

TEST 1: Html.Sanesecurity.TestSig_Type3_Bdy
Send an HTML-formatted email to yourself with this text in the BODY of the email:
body_rrg63uhj2ucyeccrux7d83a4qd5ua5vnlgwjp6b6fmpzpobzjabftehuhraxfbyzzzzz

TEST 2: Email.Sanesecurity.TestSig_Type4_Hdr
Send an email to yourself with this text in the SUBJECT of the email:
rrg63Uhj2UCyECcruX7D83A4qd5UA5vnlgwJp6b6fmPZpObZJAbftehuhRAXFby

TEST 3: Email.Sanesecurity.TestSig_Type4_Bdy
Send an email to yourself with this text in the BODY of the email:
body_rrg63Uhj2UCyECcruX7D83A4qd5UA5vnlgwJp6b6fmPZ0ajdjkwjnSSDfsdfsdfnwerd

Results
TEST 1: Html.Sanesecurity.TestSig_Type3_Bdy FOUND
TEST 2: Email.Sanesecurity.TestSig_Type4_Hdr FOUND
TEST 3: Email.Sanesecurity.TestSig_Type4_Bdy FOUND

TEST 2 is an important one to pass, as a lot of the newer signatures use the message headers of an email. If you fail this test, it's usually due to your email system not passing the complete RAW/Whole message to be scanned by ClamAV.

For example, in amavisd-new settings:
Use key 'MAIL' in @keep_decoded_original_maps, e.g.:

@keep_decoded_original_maps = (new_RE(
  qr'^MAIL$', # retain full original message for virus checking
  qr'^MAIL-UNDECIPHERABLE$', # recheck full mail if it contains undecipherables
  qr'^(ASCII(?! cpio)|text|uuencoded|xxencoded|binhex)'i,
));

You may find that you already have a '^MAIL$' token in there, but commented out by default. Uncomment it, restart amavisd-maia, and the full, undecoded body of the email will be scanned in addition to the attachments.
For more information on the above, see this thread

Disclaimer:
Whilst every effort has been made by Sanesecurity to ensure that the signatures
don't lead to false positives, we make no warranty that the signatures will meet
your requirements, be uninterrupted, complete, timely, secure or error free.
You must therefore use them at your own risk.