block attachment in zip

Use this forum if you want to suggest a new feature to hMailServer. Before posting, please search the forum to confirm that it has not already been suggested.
katip
Senior user
Posts: 732
Joined: 2006-12-22 07:58
Location: Istanbul

Re: block attachment in zip

Post by katip » 2015-11-11 16:01

jimimaseye wrote: how about this for Zero-Hour response? What do you think?
Yep, congrats. Seen here too as blocked spam, but scanned manually with clam just to test and detected!!

BTW, this evil below is a zipped jar, and it's been 4 hours... clam didn't detect it (hourly sigupdate) 5 minutes ago.
[Attachment: download (1).png]
Katip
--
HMS 5.7.0 x64, MariaDB 10.4.10 x64, SA 3.4.2, ClamAV 0.101.2 + SaneS

jimimaseye
Moderator
Posts: 8309
Joined: 2011-09-08 17:48

Re: block attachment in zip

Post by jimimaseye » 2015-11-11 16:51

Perhaps you can submit it to sane for adding to its definitions. (on their website)
5.7 on test.
SpamassassinForWindows 3.4.0 spamd service
AV: Clamwin + Clamd service + sanesecurity defs : https://www.hmailserver.com/forum/viewtopic.php?f=21&t=26829

katip
Senior user
Posts: 732
Joined: 2006-12-22 07:58
Location: Istanbul

Re: block attachment in zip

Post by katip » 2015-11-11 17:17

jimimaseye wrote: Perhaps you can submit it to sane for adding to its definitions. (on their website)
done :wink:

tochi
Senior user
Posts: 278
Joined: 2015-07-28 22:55

Re: block attachment in zip

Post by tochi » 2015-11-11 19:23

jimimaseye wrote: Tochi/Katip, how about this for Zero-Hour response? What do you think?
[Attachment: ZeroHour.png]
Whilst 16 minutes later it's only being detected by 4 other companies:
[Attachment: ZeroHour.png]
Looks really good for me.
Yes. That's nice. ClamAV+SaneSecurity is the best among all products I've tested.

But SaneSecurity updates virus definitions hourly and we pull those definitions hourly. Which means the longest possible delay for new definitions is more than 1 hour and spammers could send thousands of emails in 1 hour. That's why I want to have an option to block all potentially harmful files.

With SaneSecurity I have even more flexible options. With BadMacro and 3 types of foxhole databases, I can choose my desired protection level up to 100% (virus link excluded though). Thank you SaneSecurity team.
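The filename-based blocking requested above closes the gap between a new sample appearing and its signature arriving. The sketch below is an added example, not code from this thread or from hMailServer: it lists the members of a zip attachment and reports any with a blocked extension, descending into nested zips. The extension list, the limits and the function names are assumptions; the samples are constructed in memory.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Assumed policy: the thread names only .jar; the other extensions are illustrative.
BLOCKED_EXTENSIONS = {".jar", ".exe", ".scr", ".js", ".vbs", ".bat", ".cmd", ".pif"}
MAX_DEPTH = 3                    # nested-archive levels that will be opened
MAX_NESTED_BYTES = 10 * 2**20    # largest nested archive that will be unpacked

def blocked_members(data, depth=0, prefix=""):
    """Return the member paths inside zip `data` that the policy rejects."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return []                # not a zip: nothing for this check to say
    hits = []
    with zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            path = prefix + info.filename
            # Windows drops trailing dots/spaces, so "a.jar." still opens as a jar.
            ext = PurePosixPath(info.filename.lower().rstrip(". ")).suffix
            if ext in BLOCKED_EXTENSIONS:
                hits.append(path)
            elif ext == ".zip":
                # Fail closed on anything that cannot be inspected safely.
                unscannable = (depth + 1 >= MAX_DEPTH or info.flag_bits & 0x1  # bit 0 = encrypted
                               or info.file_size > MAX_NESTED_BYTES)
                try:
                    inner = None if unscannable else zf.read(info)
                except (zipfile.BadZipFile, RuntimeError, NotImplementedError):
                    inner = None
                if inner is None:
                    hits.append(path + " (nested archive not inspected)")
                else:
                    hits.extend(blocked_members(inner, depth + 1, path + "!"))
    return hits

def build_zip(members):
    """Build a constructed sample zip in memory from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()

if __name__ == "__main__":
    nested = build_zip({"setup.scr": b"constructed"})
    print(blocked_members(build_zip({"Invoice.PDF.jar": b"x", "docs/inner.zip": nested})))
```

The check reads only member names from the zip directory, so it does not depend on any signature database being current.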

jimimaseye
Moderator
Moderator
Posts: 8309
Joined: 2011-09-08 17:48

Re: block attachment in zip

Post by jimimaseye » 2015-11-11 20:16

tochi wrote: But SaneSecurity updates virus definitions hourly and we pull those definitions hourly. Which means the longest possible delay for new definitions is more than 1 hour
I think I have noticed that they update as soon as they have them (can be more than once per hour). How do I know? Because in my test/evaluation environment this last week I have the 'sigupdate' run every 30 minutes. (Don't tell anyone. Sssshhh....!!! :wink: )

(Might be wrong though. Now I am properly going to monitor it).

sanesecurity
New user
Posts: 16
Joined: 2011-11-02 17:20

Re: block attachment in zip

Post by sanesecurity » 2015-11-11 22:00

katip wrote: BTW, this evil below is a zipped jar, and it's been 4 hours... clam didn't detect it (hourly sigupdate) 5 minutes ago
Thanks for the sample, sigs added to foxhole_filename.cdb, phish.ndb.
