News

News: 09.03.2017:

Database: foxhole_mail.cdb
Description: block any mail that contains a possible dangerous attachments such as: js, jse, exe, bat, com, scr, uue, ace, pif, jar, gz, lnk, lzh.
FP Risk: High

The following databases are distributed by Sanesecurity, but produced by malware.expert

General Description: Signatures Detect malware from PHP files. Signatures are generated for real life PHP malware from live Web Hosting Servers

malware.expert.fp:
Description: found to be false positive malware
FP Risk: Med

Database: malware.expert.hdb
Description: statics MD5 pattern for files
FP Risk: Low

Database: malware.expert.ldb
Database: foxhole_mail.cdb
Description: which use multi-words search for malware in files.
FP Risk: Med

Database: malware.expert.ndb
Description: Generic Hex pattern PHP malware, which can cause false positive alarms
FP Risk: Med

News: 26.01.2017

2 New distributed databases:

Name: MiscreantPunch099-Low.ldb
False positive risk: Medium
Description: ruleset contains comprehensive rules for detecting malicious or abnormal Macros,
JS, HTA, HTML, XAP, JAR, SWF, and more

Name: MiscreantPunch099-INFO-Low.ldb
False positive risk: High
Description: ruleset contains a small collection of signatures that can provide context to various files.
Info and Suspicious level signatures may inform analysts of potentially interesting conditions that exist
within a document.

[SO NOT FOR EVERYDAY SCANNING]

Database removal:

The following obsolete databases will shortly be removed from the mirrors and will therefore need to be
removed from your config files:

doppelstern-phishtank.ndb
doppelstern.hdb
doppelstern.ndb

Other News:

Tip: when and how to synchronise, using Rsync:
http://sanesec.jessen.ch/rsynctiming

Stats from one Mirror:
http://sanesec.jessen.ch/statistics

23.11.16: Three new databases added

Name: shelter.ldb
False positive risk: Medium
Description: Mainly covers phishing and malware. Needed to catch the tricky ones that are hard to detect with phish.ndb only.

Two new foxhole databases (pretty much the same setup as their .ldb counterparts but focusing on GZip and Ace archives:

Name: foxhole_js.ndb
False positive risk: Medium/High
Description: This database will block ALL JavaScript (.js) files within GZip and Ace archives.

Name: foxhole_all.ndb
False positive risk: Medium/High
Description: This database will block all files (single and double extensions) within GZip and Ace archives that contain dangerous filestypes such as: ade, adp, bat, chm, cmd, com, cpl, exe, hta, ins, isp, jse, lib, mde, msd, msp, mst, pif, scr, sct, shb, sys, vb, vbe, vbs, vxd, wsc, wsf and wsh

12.08.15:Four new databases added, two of which are in Yara format and need ClamAV 0.99 to work

badmacro.ndb (detect dangerous macros)
hackingteam.hsb (hacking team hashes)
Sanesecurity_sigtest.yara (Yara format: Sanesecurity test signatures)
Sanesecurity_spam.yara (Yara format: detect spam)

11.05.2015: Thanks to Adrian at extremeshok.com we now have a new fork of
Bill Landry’s download script.

14.01.2015: For the latest 0 hour malware, phishing and scam news, our blog is updated daily: http://sanesecurity.blogspot.co.uk/

18.04.2013:

a) Three new Sanesecurity databases

foxhole_all.cdb
foxhole_filename.cdb
foxhole_generic.cdb

Detailed usage here:

http://sanesecurity.co.uk/foxhole-databases/

Updated signature information:

http://sanesecurity.co.uk/usage/signatures/

b) Windows users:

Updated ClamSup.ini file and dropbox mirror of Tbb (Nico’s) programs:

Windows Scripts

c) New website:

HOME

10.04.2013: bofhland_malware_attach.hdb is now live on the mirrors.

19.03.2013: Welcome to the new look Sanesecurity website. Parts of the site are a little bit work-in-progress so please mind your head as you look around.

Permanent link to this article: http://sanesecurity.com/news/