https://sanesecurity.com/support/documentation/
This way you control what scores higher or lower (negative scores are allowed too) for each individual test.
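# ClamAV integration for SpamAssassin.
# The plugin scans the message with ClamAV; the rules below turn the name of
# the signature it reports into a score, so each detection family can be
# weighted independently instead of every hit counting the same.
loadplugin ClamAV ClamAV.pm
ifplugin ClamAV

# CLAMAV fires whenever the plugin's check_clamav() reports a detection.
# Its own score is (almost) zero: it is listed in the tests/report for
# visibility only, and the meta rules at the end carry the actual weight.
full CLAMAV eval:check_clamav()
describe CLAMAV Clam AntiVirus detected something...
score CLAMAV 0.001
# Emit the detection result as X-Spam-Virus on every message (spam and ham),
# so the header rules below and any downstream filter can read it.
add_header all Virus _CLAMAVRESULT_

# Look for specific types of ClamAV detections.
# These are sub-rules (leading "__") and score nothing on their own; they only
# feed the meta rules further down. The dots inside the signature names are
# escaped, as already done for the Heuristics rule, so "." matches a literal
# dot rather than any character.
header __CLAMAV_PHISH X-Spam-Virus =~ /Yes.{1,8}Phishing/i
header __CLAMAV_HEUR_PHISH X-Spam-Virus =~ /Yes.{1,30}Heuristics\.Phishing\.Email/i
header __CLAMAV_SANE X-Spam-Virus =~ /Yes.{1,30}Sanesecurity/i
header __CLAMAV_SANE_FOXHOLE X-Spam-Virus =~ /Yes.{1,30}Sanesecurity\.FoxHole/i
header __CLAMAV_SANE_JUNK X-Spam-Virus =~ /Yes.{1,30}Sanesecurity\.Junk/i
header __CLAMAV_SANE_BLURL X-Spam-Virus =~ /Yes.{1,30}Sanesecurity\.Blurl/i
header __CLAMAV_SANE_PHISHING X-Spam-Virus =~ /Yes.{1,30}Sanesecurity\.Phishing/i
header __CLAMAV_SANE_JURLBL X-Spam-Virus =~ /Yes.{1,30}Sanesecurity\.Jurlbl/i

# Give the above rules a very late priority so that they run after the CLAMAV
# eval rule has produced the X-Spam-Virus result; evaluated earlier, they
# would never see it and would never match. Any priority later than the eval
# rule's should do - 500 is simply a value that is known to work.
priority __CLAMAV_PHISH 500
priority __CLAMAV_HEUR_PHISH 500
priority __CLAMAV_SANE 500
priority __CLAMAV_SANE_FOXHOLE 500
priority __CLAMAV_SANE_JUNK 500
priority __CLAMAV_SANE_BLURL 500
priority __CLAMAV_SANE_PHISHING 500
priority __CLAMAV_SANE_JURLBL 500

# Work out what ClamAV detected and score accordingly.
# Every meta below requires CLAMAV (the eval result itself), not just the
# header match: a header rule also sees an X-Spam-Virus header that arrived
# with the incoming message, so without the CLAMAV guard a sender could
# pick their own score simply by adding that header. Keep the guard.
# ClamAV general signatures: anything that is neither phishing nor SaneSecurity
meta CLAMAV_VIRUS (CLAMAV && !__CLAMAV_PHISH && !__CLAMAV_HEUR_PHISH && !__CLAMAV_SANE)
describe CLAMAV_VIRUS Virus found by ClamAV default signatures
score CLAMAV_VIRUS 20.0
# ClamAV phishing signatures
meta CLAMAV_PHISH (CLAMAV && __CLAMAV_PHISH && !__CLAMAV_SANE && !__CLAMAV_HEUR_PHISH)
describe CLAMAV_PHISH Phishing email found by ClamAV default signatures
score CLAMAV_PHISH 10.0
# ClamAV phishing with heuristic engine (not signature based, may lead to
# false positives - hence the lower score). Available since ClamAV 0.91.
meta CLAMAV_PHISH_HEUR (CLAMAV && __CLAMAV_HEUR_PHISH && !__CLAMAV_SANE)
describe CLAMAV_PHISH_HEUR Phishing email found by ClamAV heuristic engine
score CLAMAV_PHISH_HEUR 5.0
# ClamAV SaneSecurity signatures from http://www.sanesecurity.com/clamav/
# CLAMAV_SANE fires for every SaneSecurity hit; the family-specific rules
# below fire IN ADDITION to it, so the effective score is the sum
# (e.g. a Foxhole hit scores 7.5 + 7.5, a Junk hit 7.5 + 2.5).
meta CLAMAV_SANE (CLAMAV && __CLAMAV_SANE)
describe CLAMAV_SANE SPAM found by ClamAV SaneSecurity signatures
score CLAMAV_SANE 7.5
# SaneSecurity Foxhole (attachment based) signatures
meta CLAMAV_SANE_FOXHOLE (CLAMAV && __CLAMAV_SANE && __CLAMAV_SANE_FOXHOLE)
describe CLAMAV_SANE_FOXHOLE SPAM found by ClamAV SaneSecurity Foxhole signatures
score CLAMAV_SANE_FOXHOLE 7.5
# SaneSecurity Junk signatures
meta CLAMAV_SANE_JUNK (CLAMAV && __CLAMAV_SANE && __CLAMAV_SANE_JUNK)
describe CLAMAV_SANE_JUNK SPAM found by ClamAV SaneSecurity Junk signatures
score CLAMAV_SANE_JUNK 2.5
# SaneSecurity Blurl signatures
meta CLAMAV_SANE_BLURL (CLAMAV && __CLAMAV_SANE && __CLAMAV_SANE_BLURL)
describe CLAMAV_SANE_BLURL SPAM found by ClamAV SaneSecurity Blurl signatures
score CLAMAV_SANE_BLURL 2.5
# SaneSecurity Phishing signatures
meta CLAMAV_SANE_PHISHING (CLAMAV && __CLAMAV_SANE && __CLAMAV_SANE_PHISHING)
describe CLAMAV_SANE_PHISHING SPAM found by ClamAV SaneSecurity Phishing signatures
score CLAMAV_SANE_PHISHING 5.0
# SaneSecurity Jurlbl signatures
meta CLAMAV_SANE_JURLBL (CLAMAV && __CLAMAV_SANE && __CLAMAV_SANE_JURLBL)
describe CLAMAV_SANE_JURLBL SPAM found by ClamAV SaneSecurity Jurlbl signatures
score CLAMAV_SANE_JURLBL 2.5
endif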