Mailborder Antivirus Signatures

These signatures are installed by default in Mailborder v5 and greatly enhance the Clam Antivirus package by adding additional checks including zero-day virus detection. The signatures are a collection distributed by SaneSecurity and are updated several times per day. When added to your Master or Child server’s freshclam.conf, database updates are performed automatically with the server’s antivirus update package.

Several of the low false positive risk databases are included with Mailborder servers by default. The lists below describe each database, including the additional databases that are available for use. To use a set of signatures, add the associated URL to freshclam.conf like this:

# Frequency of checks per day
Checks 6

# Required
DatabaseCustomURL http://sigs.mailborder.com/sanesecurity.ftm
DatabaseCustomURL http://sigs.mailborder.com/sigwhitelist.ign2

# Optional
DatabaseCustomURL http://sigs.mailborder.com/junk.ndb
DatabaseCustomURL http://sigs.mailborder.com/jurlbl.ndb
DatabaseCustomURL http://sigs.mailborder.com/scam.ndb

The freshclam.conf should be configured to update once every 4 to 6 hours using the configuration parameter “Checks 6” or “Checks 4”. Please do not use a frequency higher than this as your server may be throttled due to excessive bandwidth.
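As an added example (not part of the Mailborder documentation or any Mailborder tool), the following Python script parses a freshclam.conf, checks the two rules given above (the two required databases must be present and Checks should stay between 4 and 6) and groups the enabled sigs.mailborder.com databases by the false positive risk tier listed on this page. The function names, the tier table (a subset of the page's lists) and the sample config are my own constructions.

```python
SIG_HOST = "http://sigs.mailborder.com/"
REQUIRED = ("sanesecurity.ftm", "sigwhitelist.ign2")
# False positive risk tier per database, from this page's tables (a subset, to stay short).
TIER = {"sanesecurity.ftm": "required", "sigwhitelist.ign2": "required",
        "junk.ndb": "low", "jurlbl.ndb": "low", "phish.ndb": "low", "rogue.hdb": "low",
        "scam.ndb": "low", "foxhole_generic.cdb": "low", "lott.ndb": "medium",
        "spam.ldb": "medium", "foxhole_js.cdb": "medium", "badmacro.ndb": "medium",
        "foxhole_all.cdb": "high"}

def parse_freshclam(text):
    """Return (Checks value or None, list of sigs.mailborder.com database names)."""
    checks, dbs = None, []
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split(None, 1)   # strip comments, split key/value
        if len(parts) != 2:
            continue
        key, value = parts
        if key == "Checks" and value.isdigit():
            checks = int(value)
        elif key == "DatabaseCustomURL" and value.startswith(SIG_HOST):
            dbs.append(value[len(SIG_HOST):])
    return checks, dbs

def audit_freshclam(text):
    """Flag settings that contradict this page's guidance; group databases by risk tier."""
    checks, dbs = parse_freshclam(text)
    warnings = []
    if checks is None or not 4 <= checks <= 6:
        warnings.append("Checks should be 4 to 6 (found %s); higher may be throttled" % checks)
    missing = [d for d in REQUIRED if d not in dbs]
    if missing:
        warnings.append("missing required database(s): " + ", ".join(missing))
    tiers = {t: [] for t in ("required", "low", "medium", "high", "unknown")}
    for d in dbs:
        tiers[TIER.get(d, "unknown")].append(d)
    if tiers["high"]:
        warnings.append("high false positive risk enabled: " + ", ".join(tiers["high"]))
    return {"checks": checks, "missing_required": missing, "tiers": tiers, "warnings": warnings}

# Constructed sample config (not from the page) with deliberate problems.
SAMPLE_CONF = """\
# Frequency of checks per day
Checks 12
DatabaseCustomURL http://sigs.mailborder.com/sanesecurity.ftm
DatabaseCustomURL http://sigs.mailborder.com/junk.ndb
DatabaseCustomURL http://sigs.mailborder.com/foxhole_all.cdb
"""
if __name__ == "__main__":
    for warning in audit_freshclam(SAMPLE_CONF)["warnings"]:
        print("WARNING:", warning)
```

Run it against a real file with `audit_freshclam(open("/etc/clamav/freshclam.conf").read())`; an empty warnings list means the file follows the guidance above.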

Available Signatures

The signatures are a collection produced by: SaneSecurity | OITC | bofhland | Rook Security | CRDF Malware | Porcupine | Phishtank


Required

Database | Description | freshclam.conf
sanesecurity.ftm | Database file definitions for ClamAV | http://sigs.mailborder.com/sanesecurity.ftm
sigwhitelist.ign2 | Fast update file to whitelist problem signatures | http://sigs.mailborder.com/sigwhitelist.ign2

Low False Positive Risk

Database | Description | freshclam.conf
junk.ndb | General high hitting junk containing spam/phishing/lottery/jobs/419s | http://sigs.mailborder.com/junk.ndb
jurlbl.ndb | Junk URL based | http://sigs.mailborder.com/jurlbl.ndb
phish.ndb | Phishing | http://sigs.mailborder.com/phish.ndb
rogue.hdb | Malware, rogue anti-virus software, fake codecs etc. Updated hourly to cover the latest malware threats. | http://sigs.mailborder.com/rogue.hdb
scam.ndb | Scams | http://sigs.mailborder.com/scam.ndb
spamimg.hdb | Spam images | http://sigs.mailborder.com/spamimg.hdb
spamattach.hdb | Spammed attachments such as pdf/doc/rtf/zip | http://sigs.mailborder.com/spamattach.hdb
blurl.ndb | Blacklisted full URLs over the last 7 days covering malware/spam/phishing. | http://sigs.mailborder.com/blurl.ndb
foxhole_generic.cdb | Blocks double extensions of certain dangerous filetypes contained within Zip, Rar, 7Zip, Arj and Cab files. These files are detected only if they end in dangerous filetypes such as: pif, scr, exe, com, bat, cmd, vbs, lnk, cpl and vb. | http://sigs.mailborder.com/foxhole_generic.cdb
foxhole_filename.cdb | Blocks certain commonly known malware filenames within Zip, Rar, 7z, Arj and Cab archives. | http://sigs.mailborder.com/foxhole_filename.cdb
malwarehash.hsb | Malware hashes without known size | http://sigs.mailborder.com/malwarehash.hsb
hackingteam.hsb | Hacking Team hashes converted to ClamAV format | http://sigs.mailborder.com/hackingteam.hsb
winnow_malware.hdb | Current viruses, trojans and other malware not yet detected by ClamAV | http://sigs.mailborder.com/winnow_malware.hdb
winnow_malware_links.ndb | Links to malware | http://sigs.mailborder.com/winnow_malware_links.ndb
winnow_extended_malware.hdb | Hand generated malware signatures | http://sigs.mailborder.com/winnow_extended_malware.hdb
winnow.attachments.hdb | Spam attachments such as pdf/docs/rtf/zips | http://sigs.mailborder.com/winnow.attachments.hdb
winnow_bad_cw.hdb | MD5 hashes of malware attachments acquired directly from a group of botnets | http://sigs.mailborder.com/winnow_bad_cw.hdb
bofhland_cracked_URL.ndb | Spam URLs | http://sigs.mailborder.com/bofhland_cracked_URL.ndb
bofhland_malware_URL.ndb | Malware URLs | http://sigs.mailborder.com/bofhland_malware_URL.ndb
bofhland_phishing_URL.ndb | Phishing URLs | http://sigs.mailborder.com/bofhland_phishing_URL.ndb
bofhland_malware_attach.hdb | Malware hashes | http://sigs.mailborder.com/bofhland_malware_attach.hdb
crdfam.clamav.hdb | List of real time malware threats | http://sigs.mailborder.com/crdfam.clamav.hdb
porcupine.ndb | Brazilian email phishing and malware signatures | http://sigs.mailborder.com/porcupine.ndb
phishtank.ndb | Online and valid phishing URLs from the phishtank.com data feed | http://sigs.mailborder.com/phishtank.ndb
porcupine.hsb | SHA256 hashes of VBS and JSE malware, kept for 7 days | http://sigs.mailborder.com/porcupine.hsb
Medium False Positive Risk

Database | Description | freshclam.conf
jurlbla.ndb | Junk URL based, autogenerated from various feeds | http://sigs.mailborder.com/jurlbla.ndb
lott.ndb | Lottery | http://sigs.mailborder.com/lott.ndb
spam.ldb | Spam detected using the new Logical Signature type | http://sigs.mailborder.com/spam.ldb
spear.ndb | Spear phishing email addresses | http://sigs.mailborder.com/spear.ndb
spearl.ndb | Spear phishing URLs | http://sigs.mailborder.com/spearl.ndb
foxhole_js.cdb | Blocks most JavaScript (.js) files within Zip and Rar files. The current #locky #javascript #malware uses rapidly changing JavaScript files and this database is aimed at blocking them. To help minimise false positives, this database only scans small Zip and Rar files. | http://sigs.mailborder.com/foxhole_js.cdb
badmacro.ndb | Blocks dangerous macros embedded in Word/Excel/Xml/RTF/JS documents | http://sigs.mailborder.com/badmacro.ndb
winnow_spam_complete.ndb | Signatures to detect fraud and other malicious spam | http://sigs.mailborder.com/winnow_spam_complete.ndb
winnow_phish_complete_url.ndb | Similar to winnow_phish_complete.ndb except that entire URLs are used | http://sigs.mailborder.com/winnow_phish_complete_url.ndb
winnow.complex.patterns.ldb | Hand generated signatures for malware and some egregious fraud | http://sigs.mailborder.com/winnow.complex.patterns.ldb
winnow_extended_malware_links.ndb | Hand generated signatures for malware links | http://sigs.mailborder.com/winnow_extended_malware_links.ndb
High False Positive Risk

Database | Description | freshclam.conf
foxhole_all.cdb | Blocks all files (single and double extensions) within Zip, Rar and 7z archives that contain dangerous filetypes such as: ade, adp, bat, chm, cmd, com, cpl, exe, hta, ins, isp, jse, lib, mde, msd, msp, mst, pif, scr, sct, shb, sys, vb, vbe, vbs, vxd, wsc, wsf and wsh. This is the most effective of the three foxhole databases but also carries the highest risk of false positives, unless you are using scoring. Currently only Zip, Rar, 7z and Arj archives are covered; this can be extended to Cab and Tar files. | http://sigs.mailborder.com/foxhole_all.cdb