Some of the download scripts, in addition to fetching the Sanesecurity signatures, can also download other third-party databases.
The following tables give a brief list of all third-party databases, a short description of each, and my opinion of their approximate false-positive risk; your mileage may vary.
It is also recommended, especially for the high-risk groups, to score detections rather than block outright. It is down to each signature user to measure the detection rate versus the false-positive rate for each group on their own mail.
Any false positives will normally be fixed by the signature producer concerned.
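One way to put that recommendation into practice, as an added example that is not Sanesecurity's own tooling: scan a corpus of known-good and known-bad mail with one database file at a time (clamscan's `-d` option restricts the scan to that file), record each database's detection and false-positive rates, and then weight hits by the FP-risk tier from the tables below instead of rejecting on any hit. The tier weights, the reject/quarantine thresholds, the `ham/` and `spam/` directory layout, the sample clamscan output in the comments and the requirement that `clamscan` is on PATH are all assumptions of this example.

```python
"""Evaluate third-party ClamAV databases one at a time against a ham and a spam
corpus, then score messages by the FP-risk tier of the databases that flagged them.

Added example, not Sanesecurity's tooling. Assumptions: `clamscan` is on PATH,
`ham/` holds known-good mail and `spam/` known-bad mail (one message per file),
and the tier->weight mapping and thresholds are illustrative policy values.
"""
import re
import subprocess
import sys
from pathlib import Path

# FP-risk tiers as given in the tables on this page (subset; extend as needed).
FP_RISK = {
    "junk.ndb": "Low",
    "jurlbla.ndb": "Med",
    "spam.ldb": "Med",
    "foxhole_all.cdb": "High",
    "winnow_malware.hdb": "Low",
    "winnow_phish_complete.ndb": "High",
    "MiscreantPunch099-INFO-Low.ldb": "High",
}
# Assumed policy: a Low-risk hit is enough to reject on its own; Med and High
# hits only add weight, so several must agree before a message is rejected.
WEIGHT = {"Low": 10.0, "Med": 4.0, "High": 1.5}
REJECT_AT, QUARANTINE_AT = 10.0, 5.0

# clamscan prints one line per file: "<path>: <signature> FOUND" or "<path>: OK".
# Signatures loaded from non-official databases carry the ".UNOFFICIAL" suffix,
# e.g. (constructed) "ham/b.eml: Sanesecurity.Junk.1234.UNOFFICIAL FOUND".
FOUND_RE = re.compile(r"^(?P<path>.+?): (?P<sig>\S+) FOUND$")


def parse_clamscan(output: str) -> dict[str, str]:
    """Return {path: signature} for every FOUND line; OK and error lines are ignored."""
    hits = {}
    for line in output.splitlines():
        m = FOUND_RE.match(line.rstrip())
        if m:
            hits[m.group("path")] = m.group("sig")
    return hits


def scan_with(db: Path, corpus: Path) -> dict[str, str]:
    """Scan `corpus` using only the single database file `db` (no official sigs)."""
    proc = subprocess.run(
        ["clamscan", "-r", "--no-summary", "-d", str(db), str(corpus)],
        capture_output=True, text=True,
    )
    if proc.returncode == 2:  # 0 = clean, 1 = something found, 2 = error
        raise RuntimeError(f"clamscan failed on {db}: {proc.stderr.strip()}")
    return parse_clamscan(proc.stdout)


def rates(ham_hits: dict, ham_total: int, spam_hits: dict, spam_total: int) -> dict:
    """Detection rate (spam caught) and FP rate (ham flagged) for one database."""
    return {
        "detection": len(spam_hits) / spam_total if spam_total else 0.0,
        "fp_rate": len(ham_hits) / ham_total if ham_total else 0.0,
    }


def message_score(flagging_dbs: list[str]) -> float:
    """Sum the weight of every database that flagged the message. A database not
    in FP_RISK is treated as High risk, so an unlisted one never rejects outright."""
    return sum(WEIGHT[FP_RISK.get(db, "High")] for db in flagging_dbs)


def verdict(score: float) -> str:
    if score >= REJECT_AT:
        return "reject"
    if score >= QUARANTINE_AT:
        return "quarantine"
    return "tag" if score > 0 else "pass"


if __name__ == "__main__":
    if len(sys.argv) != 4:
        sys.exit("usage: eval_dbs.py <db-dir> <ham-dir> <spam-dir>")
    dbdir, ham, spam = (Path(a) for a in sys.argv[1:4])
    ham_n = sum(1 for p in ham.rglob("*") if p.is_file())
    spam_n = sum(1 for p in spam.rglob("*") if p.is_file())
    for db in sorted(dbdir.iterdir()):
        if db.suffix not in {".ndb", ".hdb", ".ldb", ".cdb", ".hsb"}:
            continue
        r = rates(scan_with(db, ham), ham_n, scan_with(db, spam), spam_n)
        print(f"{db.name:32} risk={FP_RISK.get(db.name, '?'):4} "
              f"detect={r['detection']:.1%} fp={r['fp_rate']:.2%}")
```

Because `-d` loads only the named file, the official main/daily databases, the `sanesecurity.ftm` file-type definitions and the `sigwhitelist.ign2` whitelist are not applied during this measurement, so the false-positive count for a database can be slightly higher than you would see in a full production scan; treat the numbers as an upper bound and re-check any surprising group with the complete database set loaded.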
The following databases are distributed and produced by Sanesecurity:

| Database name | Description | FP risk |
|---|---|---|
| junk.ndb | General high-hitting junk, containing spam/phishing/lottery/jobs/419s etc. | Low |
| jurlbl.ndb | Junk URL based | Low |
| jurlbla.ndb | Junk URL based, autogenerated from various feeds | Med |
| lott.ndb | Lottery | Med |
| phish.ndb | Phishing and malware | Low |
| rogue.hdb | Malware, rogue anti-virus software and fake codecs etc. Updated hourly to cover the latest malware threats. Please send any undetected virus samples to | Low |
| sanesecurity.ftm | Message file types (REQUIRED for best performance) | – |
| sigwhitelist.ign2 | Fast update file to whitelist any problem signatures (REQUIRED for ClamAV 0.96rc1+) | – |
| scam.ndb | Spam/scams | Low |
| spam.ldb | Spam detected using the new logical signature type | Med |
| spamimg.hdb | Spam images | Low |
| spamattach.hdb | Spammed attachments such as PDFs/DOCs/RTFs/ZIPs | Low |
| spear.ndb | Spear-phishing email addresses (autogenerated from data here) | Med |
| spearl.ndb | Spear-phishing URLs (autogenerated from data here) | Med |
| blurl.ndb | Blocklisted full URLs over the last 7 days, covering malware/spam/phishing. URLs are added only when the main signatures have failed to detect but the URL is known to be bad. | Low |
| foxhole_generic.cdb | See Foxhole page for more details | Low |
| foxhole_filename.cdb | See Foxhole page for more details | Low |
| foxhole_js.cdb | See Foxhole page for more details | Med |
| foxhole_js.ndb | See Foxhole page for more details | Med |
| foxhole_all.cdb | See Foxhole page for more details | High |
| foxhole_all.ndb | See Foxhole page for more details | High |
| foxhole_mail.cdb | See Foxhole page for more details | High |
| malwarehash.hsb | Malware hashes without known size | Low |
| hackingteam.hsb | Hacking Team hashes converted to ClamAV format (based on work by rooksecurity.com) | Low |
| badmacro.ndb | Blocks dangerous macros embedded in Word/Excel/XML/RTF/JS documents | Med |
| shelter.ldb | Phishing and malware | Med |
| Sanesecurity_sigtest.yara | YARA format: signature test | Low |
| Sanesecurity_spam.yara | YARA format: detects spam emails | Low |
The following databases are distributed by Sanesecurity but produced by OITC:

| Database name | Description | FP risk |
|---|---|---|
| winnow_malware.hdb | Current viruses, trojans and other malware not yet detected by ClamAV. Undetected virus samples can be sent to virus_samples@oitc.com | Low |
| winnow_malware_links.ndb | Links to malware | Low |
| winnow_spam_complete.ndb | Signatures to detect fraud and other malicious spam | Med |
| winnow_phish_complete.ndb | Phishing and other malicious URLs and compromised hosts | High |
| winnow_phish_complete_url.ndb | Similar to winnow_phish_complete.ndb, except that entire URLs are used | Med |
| winnow.complex.patterns.ldb | Hand-generated signatures for malware and some egregious fraud | Med |
| winnow_extended_malware.hdb | Hand-generated signatures for malware | Low |
| winnow_extended_malware_links.ndb | Hand-generated signatures for malware links | Med |
| winnow.attachments.hdb | Spammed attachments such as PDFs/DOCs/RTFs/ZIPs | Low |
| winnow_bad_cw.hdb | MD5 hashes of malware attachments acquired directly from a group of botnets | Low |

Note: the two databases winnow_phish_complete.ndb and winnow_phish_complete_url.ndb should not be used together.
The following databases are distributed by Sanesecurity but produced by MiscreantPunch:

| Database name | Description | FP risk |
|---|---|---|
| MiscreantPunch099-Low.ldb | Ruleset containing comprehensive rules for detecting malicious or abnormal macros, JS, HTA, HTML, XAP, JAR, SWF, and more. | Med |
| MiscreantPunch099-INFO-Low.ldb | Ruleset providing context for various files. Info- and Suspicious-level signatures may inform analysts of potentially interesting conditions that exist within a document. | High |
The following databases are distributed by Sanesecurity but produced by bofhland:

| Database name | Description | FP risk |
|---|---|---|
| bofhland_cracked_URL.ndb | Spam URLs | Low |
| bofhland_malware_URL.ndb | Malware URLs | Low |
| bofhland_phishing_URL.ndb | Phishing URLs | Low |
| bofhland_malware_attach.hdb | Malware hashes | Low |
The following databases are distributed by Sanesecurity but produced by Porcupine Signatures:

| Database name | Description | FP risk |
|---|---|---|
| porcupine.ndb | Brazilian e-mail phishing and malware signatures. | Low |
| phishtank.ndb | Online and valid phishing URLs from the phishtank.com data feed. | Low |
| porcupine.hsb | SHA-256 hashes of VBS and JSE malware, kept for 7 days | Low |
|
Disclaimer:
Whilst every effort has been made by Sanesecurity to ensure that the signatures do not lead to false positives, we make no warranty that the signatures will meet your requirements or be uninterrupted, complete, timely, secure or error-free. You must therefore use them at your own risk.