News: 09.03.2017

Database: foxhole_mail.cdb
Description: Blocks any mail that contains possibly dangerous attachments such as: js, jse, exe, bat, com, scr, uue, ace, pif, jar, gz, lnk, lzh.
FP Risk: High

The following databases are distributed by Sanesecurity, but produced by

General Description: Signatures detect malware in PHP files. Signatures are generated for real-life PHP malware from live web hosting servers.
Description: found to be false positive malware
FP Risk: Med

Description: static MD5 patterns for files
FP Risk: Low

Database: foxhole_mail.cdb
Description: which use multi-word search for malware in files.
FP Risk: Med

Description: Generic Hex pattern PHP malware, which can cause false positive alarms
FP Risk: Med

News: 26.01.2017

2 New distributed databases:

Name: MiscreantPunch099-Low.ldb
False positive risk: Medium
Description: ruleset contains comprehensive rules for detecting malicious or abnormal Macros, JS, HTA, HTML, XAP, JAR, SWF, and more.

Name: MiscreantPunch099-INFO-Low.ldb
False positive risk: High
Description: ruleset contains a small collection of signatures that can provide context to various files. Info and Suspicious level signatures may inform analysts of potentially interesting conditions that exist within a document.


Database removal:

The following obsolete databases will shortly be removed from the mirrors and will therefore need to be
removed from your config files:


Other News:

Tip: when and how to synchronise, using Rsync:

Stats from one Mirror:

23.11.16: Three new databases added

Name: shelter.ldb
False positive risk: Medium
Description: Mainly covers phishing and malware. Needed to catch the tricky ones that are hard to detect with phish.ndb only.

Two new foxhole databases (pretty much the same setup as their .ldb counterparts, but focusing on GZip and Ace archives):

Name: foxhole_js.ndb
False positive risk: Medium/High
Description: This database will block ALL JavaScript (.js) files within GZip and Ace archives.

Name: foxhole_all.ndb
False positive risk: Medium/High
Description: This database will block all files (single and double extensions) within GZip and Ace archives that contain dangerous file types such as: ade, adp, bat, chm, cmd, com, cpl, exe, hta, ins, isp, jse, lib, mde, msd, msp, mst, pif, scr, sct, shb, sys, vb, vbe, vbs, vxd, wsc, wsf and wsh.

12.08.15: Four new databases added, two of which are in Yara format and need ClamAV 0.99 to work:

badmacro.ndb (detect dangerous macros)
hackingteam.hsb (hacking team hashes)
Sanesecurity_sigtest.yara (Yara format: Sanesecurity test signatures)
Sanesecurity_spam.yara (Yara format: detect spam)

11.05.2015: Thanks to Adrian at we now have a new fork of
Bill Landry’s download script.

14.01.2015: For the latest 0 hour malware, phishing and scam news, our blog is updated daily:


a) Three new Sanesecurity databases


Detailed usage here:

Updated signature information:

b) Windows users:

Updated ClamSup.ini file and dropbox mirror of Tbb (Nico’s) programs:

c) New website:


10.04.2013: bofhland_malware_attach.hdb is now live on the mirrors.

19.03.2013: Welcome to the new look Sanesecurity website. Parts of the site are a little bit work-in-progress so please mind your head as you look around.
