| Some
of download scripts, as well as downloading the Sanesecurity
signatures can also download other Third-Party databases.
The following tables contains a brief list of all Third-Party
databases, their brief description and also my opinion on their
appoximate false positive risk, but your milage may vary.
It's also recommended, especially on the high risk groups,
to score the detections, instead of an outright block
and it's down to each signature user, to determine their detection
rate vs false positive rate for each group.
Any false positives will normally be fixed by each signature
producer.
The
following databases are distributed and produced by Sanesecurity
Database Name |
Description |
FP
Risk |
| junk.ndb |
General
high hitting junk, containing spam/phishing/lottery/jobs/419s
etc. |
Low |
| jurlbl.ndb |
Junk
Url based |
Low |
| jurlbla.ndb |
Junk
Url based autogenerated from various feeds |
Med |
| lott.ndb |
Lottery |
Med |
| phish.ndb |
Phishing |
Low |
| rogue.hdb |
Malware,
Rogue anti-virus software and Fake codecs etc.
Please send
any Undetected virus samples to
|
Low |
| sanesecurity.ftm |
Message
file types (REQUIRED for best performance) |
- |
| sigwhitelist.ign2 |
Fast
update file to whitelist any problem signatures (REQUIRED 0.96rc1+) |
- |
| scam.ndb |
Spam/scams |
Low |
| spam.ldb |
Spam
detected using the new Logical Signature type |
Med |
| spamimg.hdb |
Spam
images |
Low |
| spamattach.hdb |
Spam
Spammed attachments such as pdf's/docs/rtf/zips |
Low |
| spear.ndb |
Spear
phishing email addresses (autogenerated from data here) |
Med |
| spearl.ndb |
Spear
phishing urls (autogenerated from data here) |
Med |
The
following databases are distributed by Sanesecurity, but produced by Bill
Landry (InetMsg)
Database
Name
|
Description
|
FP
Risk
|
| INetMsg-SpamDomains-2w.ndb |
last
2 'weeks' of spam domains found
|
<Med |
| INetMsg-SpamDomains-2m.ndb |
last
2 'months' of spam domains found |
Med |
| Note:
Only use ONE of the above databases, SpamDomains-2w.ndb
or SpamDomains-2m.ndb |
The following databases are distributed by Sanesecurity, but produced by OITC
Database
Name
|
Description
|
FP
Risk |
| winnow_malware.hdb |
Current
virus, trojan and other malware not yet detected by ClamAV. Undetected
virus samples can be sent to virus_samples@oitc.com |
Low |
| winnow_malware_links.ndb |
Links
to malware |
Low |
| winnow_spam_complete.ndb |
Signatures to detect fraud and other malicious spam |
Med |
| winnow_phish_complete.ndb |
Phishing
and other malicious url's and compromised hosts |
High |
| winnow_phish_complete_url.ndb |
Similar
to winnow_phish_complete.ndb except that entire urls's are
used |
Med |
| winnow.complex.patterns.ldb |
contain hand generated signatures for malware and some egregious fraud |
Med |
| winnow_extended_malware.hdb |
contain hand generated signatures for malware. |
Low |
| winnow_extended_malware_links.ndb |
contain hand generated signatures for malware links. |
Med |
| winnow.attachments.hdb |
Spammed attachments such as pdf's/docs/rtf/zips |
Low |
| Note:
Only use ONE of the above databases, winnow_phish_complete.ndb
or winnow_phish_complete_url.ndb |
The following
databases are distributed by Sanesecurity, but produced
by Julian Field
Database
Name
|
Description
|
FP
Risk
|
| scamnailer.ndb |
Spear
phishing and other phishing emails |
Med
|
The
following databases are distributed by Sanesecurity,
but produced by Doppelstern
Antispam
Database
Name
|
Description
|
FP
Risk
|
| doppelstern.ndb |
phishing, scams and other junk |
Med |
| doppelstern.hdb |
hashes of spam documents and images |
Low |
The
following databases are distributed by Sanesecurity,
but produced by CRDF
Database
Name
|
Description
|
FP
Risk
|
| crdfam.clamav.hdb |
List of new threats detected by CRDF Anti Malware. |
Low |
The
following databases are produced and distributed by SecuriteInfo
Database
Name
|
Description
|
FP
Risk
|
| honeynet.hdb |
Old
malwares not detected |
Low |
| securiteinfoelf.hdb |
Malwares
ELF (Linux executables) |
Low |
| securiteinfosh.hdb |
Malwares SHELL (Linux) |
Low |
| securiteinfopdf.hdb |
Malwares
PDF |
Low |
| securiteinfooffice.hdb |
Malwares
Macros Office |
Low |
| securiteinfohtml.hdb |
Malwares
HTML |
Low |
| securiteinfodos.hdb |
Malwares
MS-DOS |
Low |
| securiteinfobat.hdb |
Malwares
BAT |
Low |
| securiteinfo.hdb |
Malwares
in the Wild |
Low |
The
following databases are produced and distributed by MalwarePatrol
Database
Name
|
Description
|
FP
Risk
|
| mbl.ndb |
URLs
containing of Viruses, Trojans, Worms, or Malware |
Low |
The
following databases are produced and distributed by MSRBL
Note:
the MSRBL database haven't
been updated in quite some time so
may not be beneficial at the moment
Database
Name
|
Description
|
FP
Risk
|
| MSRBL-SPAM.ndb |
created
from spam emails (URLs or other content) that looks static |
Low
|
| MSRBL-Images.hdb |
created
from images contained within spam emails |
Low
|
Disclaimer:
Whilst every effort has been made by Sanesecurity to ensure that the signatures
don't lead to false positives, we make no warranty that the signatures will
meet your requirements, be uninterrupted, complete, timely, secure or error
free.
You must therefore use them at your own risk.
|
