All signatures are checked against the current ClamAV signatures, both official and unofficial, using the --phishing-scan-urls=no option. This is done so as not to duplicate mainstream signatures, yet still provide detection of confirmed phish and malware urls that would normally not be found by systems where heuristic or safe-browsing scanning is disabled. Spam signatures are also checked against the host names of Fortune 2000 companies, TRUSTe, CSA, Verisign, ISIPP, JunkEmailFilter, uribl, mailpolice and the SwiNOG whitelists to ensure clean and reliable signatures. The signatures are then packaged and made available for distribution several times per day.
Phish and exploit signatures are derived from phish and exploit attempts detected on our servers, honeypots, and from data feeds that we have created and that we participate in. Each url derived signature has been verified to be currently active in malicious activity or indicating that the host is currently compromised.
Files provided are:
winnow_malware.hdb - Current virus, trojan and other malware not yet detected by ClamAV. You can view names (if there are any at present) of the malware detected here.
winnow_malware_links.ndb - Signatures to detect links to malware in winnow_malware.hdb and links to other malicious malware. (Scoring is not required on these signatures)
winnow_phish_complete.ndb - Signatures to detect phishing and other malicious urls and compromised hosts. This collection of signatures is derived by checking many data feeds (see below), coupled with special processing to remove the possibility of false positives. (Recommended to be used with scoring)
winnow_phish_complete_url.ndb - Similar to winnow_phish_complete.ndb except that entire urls are used to derive the signatures rather than carefully selected hosts. Be advised that because these signatures match complete urls, fast flux phishing sites, phishing sites that use obfuscated urls, and those that insert trash in urls to confuse anti-malware systems may not be reliably detected by some of these signatures. (Conservative and can be used without scoring)
winnow_spam_complete.ndb - Signatures to detect fraud and other malicious spam. This collection of signatures is derived using special processing on data sent to spam traps and honeypots. (Scoring of these signatures is recommended)
Signature naming conventions for malware are winnow.malware.ref_number, where ref_number is an internal reference number.
The rest of the signatures are identified as winnow.sigtype.source.type.ref_number, where:
sigtype - phish, trojan or spam signature.
source - source from which the signature was derived. Note: Many of these signatures are derived from multiple sources. The first source that detected the scam is listed here.
aa - Originally detected by Artists Against 419 and independently confirmed.
br - Originally detected by Broadband Reports and independently confirmed.
cc - Originally detected by the now defunct CastleCops feed but still active.
cl - Originally detected by one of our honeypots.
cm - Originally detected by Clean MX and independently confirmed.
ff - Domains currently being used by fast flux botnets and tracked by Fast Flux Tracker.
go - On version 1 of the Google safebrowsing database and independently confirmed.
mdl - Originally detected by Malware Domain List and independently confirmed.
ms - Originally detected by APWG and independently confirmed.
pt - Originally detected by PhishTank and independently confirmed.
sfa - Originally reported in various fraud/scam forums and independently confirmed.
ts - Originally detected by one of our fraud traps.
zu - Domains currently being tracked by ZeuS Tracker.
type - indicates the type of scam/fraud, such as paypal, bankofamerica, irs, classmates.com, moneylaunder, rogue, url, drugs, etc.
ref_number - an internal reference number.
Test signatures are also available:
winnow.malware.test.eicar.com - contained in winnow_malware.hdb and will be identified when the eicar.com file is detected.
winnow.trojan.ts.test.test - contained in winnow_malware_links.ndb and will be identified when you place testpointstart->winnow trojan url test point type 4<-testpointend in an email.
winnow.phish.ts.test.test - contained in winnow_phish_complete.ndb and winnow_phish_complete_url.ndb and will be identified when you place testpointstart->winnow phish test point type 4<-testpointend in an email.
winnow.spam.ts.test.test - contained in winnow_spam_complete.ndb and will be identified when you place testpointstart->winnow spam test point type 4<-testpointend in an email.
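As an added example (not part of the winnow project), the following Python decodes winnow signature names as they appear in clamscan "FOUND" lines into the fields of the naming convention above, using the documented source codes; the sample scan output and its reference numbers are constructed.

```python
import re
# Source codes as documented above. Added example, not winnow project code.
SOURCES = {
    "aa": "Artists Against 419", "br": "Broadband Reports",
    "cc": "CastleCops feed (defunct)", "cl": "winnow honeypot",
    "cm": "Clean MX", "ff": "Fast Flux Tracker",
    "go": "Google Safe Browsing v1", "mdl": "Malware Domain List",
    "ms": "APWG", "pt": "PhishTank", "sfa": "fraud/scam forums",
    "ts": "winnow fraud trap", "zu": "ZeuS Tracker",
}
SIGTYPES = {"phish", "trojan", "spam"}
# clamscan reports a hit as "<path>: <signature name> FOUND"
FOUND_RE = re.compile(r"^(?P<path>.+?): (?P<sig>\S+) FOUND$")

def parse_winnow_name(name):
    """Split a winnow name into fields: winnow.malware.ref_number, or
    winnow.sigtype.source.type.ref_number ('type' may contain dots, e.g.
    classmates.com, so ref_number is the last component). None if not winnow."""
    parts = name.split(".")
    if parts[0] != "winnow" or len(parts) < 3:
        return None
    if parts[1] == "malware":
        return {"sigtype": "malware", "source": None, "type": None,
                "ref": ".".join(parts[2:])}
    if parts[1] in SIGTYPES and len(parts) >= 5:
        return {"sigtype": parts[1], "source": parts[2],
                "type": ".".join(parts[3:-1]), "ref": parts[-1]}
    return None

def parse_found_lines(lines):
    """[(path, fields)] per winnow FOUND line; source_name None if undocumented."""
    hits = []
    for line in lines:
        m = FOUND_RE.match(line.strip())
        fields = parse_winnow_name(m.group("sig")) if m else None
        if fields is None:
            continue  # not a hit, or a mainstream (non-winnow) signature
        fields["source_name"] = SOURCES.get(fields["source"])
        hits.append((m.group("path"), fields))
    return hits

# Constructed sample clamscan output; the reference numbers are made up.
SAMPLE_OUTPUT = """\
/var/mail/a.eml: winnow.phish.pt.paypal.123456 FOUND
/var/mail/c.eml: winnow.malware.test.eicar.com FOUND
/var/mail/d.eml: Eicar-Test-Signature FOUND
/var/mail/e.eml: winnow.phish.xx.classmates.com.7 FOUND
/var/mail/f.eml: OK
"""
```

A source code that is not in the documented list (like the constructed "xx" above) comes back with source_name None, which is a quick way to spot signature names that do not follow the convention in a scan log.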
winnow signatures have been created to work with and augment the existing, professional-quality third-party signatures. winnow signatures are distributed via SaneSecurity's rsync mirrors (thank you, Steve) and associated download scripts (thank you, Bill and Garrett).
Donations are highly appreciated as this effort is carried out without support. Commercial and government users can certainly give us and SaneSecurity a reasonable donation to help us all continue our third party signature efforts.
The use of winnow signatures in commercial products requires formal acknowledgement, in your product's documentation and about boxes, of 1) your use of winnow signatures and 2) our copyright of those signatures. And, again, consideration of a donation is highly appreciated.
Support and reports of any problems should be directed to
Virus samples can be forwarded to us for analysis and incorporation into winnow signatures. Just send the malware (or forward the received malware mail envelope and contents) to Note that all samples submitted will be forwarded to the ClamAV Signature Team for analysis as well as to others in the AV community.