[Clamav-devel] [clamav-users] Question about Heuristic Scanning and Signature Based Scanning

crazy thinker crazythinker91 at gmail.com
Wed May 10 06:41:10 EDT 2017


@Al Varnell
Yes, I have plans to rewrite it from scratch... Are you willing to join me? :)

On 9 May 2017 at 13:08, Al Varnell <alvarnell at mac.com> wrote:

> On Tue, May 09, 2017 at 12:29 AM, crazy thinker wrote:
> >
> > Thanks for the reply. How many heuristic scan engines is ClamAV using now?
>
> I only know of one.
>
> All the other heuristic approaches use the primary scanner along with
> signatures designed to detect suspicious patterns in file names or coding.
>
> > What are the extensions of the DB files used by the ClamAV heuristic engine?
>
> As I told you on Friday...
> > There's a heuristics engine that uses data from the .pdb and .sfp
> > sections of the database to detect messages from selected financial
> > institutions that appear to be phishing attempts.
>
> > Can I increase the heuristic scan engine count?
>
> I suspect you would have to write your own.
>
> -Al-
>
> > On 9 May 2017 at 12:21, Al Varnell wrote:
> >
> >> I already answered most of these questions before and after reading "My
> >> Understanding", which is totally wrong; it's obvious you have not read the
> >> signature.pdf documentation closely enough to understand any of this.
> >>
> >> The way you have chosen to classify signatures is completely wrong, which
> >> means the questions you've asked don't make any sense. All signatures in
> >> the database are static in that they only change when replaced by a more
> >> accurate signature. There is nothing dynamic about any of them.
> >>
> >> The signature-based scanner uses both fixed and variable-length signatures.
> >>
> >> As I told you before, the heuristics-based scanner only checks a limited
> >> list of financial institutions for phishing attempts. That only represents
> >> a tiny fraction of what could be considered behavior-based malware
> >> detection. And the database is used to define what financial institutions
> >> are included, as well as the ability to whitelist certain behaviors that are
> >> known to not be a threat.
> >>
> >> On Mon, May 08, 2017 at 10:49 PM, crazy thinker wrote:
> >>>
> >>> Hi ClamAV Developers and Users,
> >>>
> >>> As per my understanding, virus signatures are classified into two types:
> >>>
> >>> 1. Static virus signatures (short/fixed-length virus signatures)
> >>> 2. Dynamic virus signatures (long-length signatures with regular
> >>> expressions)
> >>>
> >>> So I guess ClamAV performs both signature-based scanning and
> >>> heuristic-based scanning for the malware detection process.
> >>>
> >>> Please find below the questions that are in my mind:
> >>>
> >>> 1. Does the signature-based scanner use only static signatures (not dynamic
> >>> signatures)?
> >>> 2. Does the heuristic scanner use only dynamic signatures for malware
> >>> detection?
> >>> 3. If the heuristic scanner uses a behaviour-based approach, why does the
> >>> heuristic scanner need a virus database?
> >>> 4. To implement an efficient AV scanner, can I go with the heuristic scanning
> >>> approach and exclude the signature-based scanning approach?
> >>>
> >>> I would like to get help/suggestions from you guys...
> >>>
> >>>
> >>> Kindly waiting for your reply!!!!
> >>>
> >>>
> >>> Thanks,
> >>> Crazy Thinker, Inc
>

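The distinction Al draws above, fixed-length versus variable-length body signatures that are both just static entries in the database, is easiest to see in code. The following is an added illustration written for this thread, not ClamAV's own matcher: a toy that parses `.ndb`-style lines (`MalwareName:TargetType:Offset:HexSignature`) and supports only the `??`, `*`, `{n}` and `{n-m}` wildcards plus `*` or a decimal absolute offset. The sample database lines and the sample byte strings are constructed for the example (the signature names are hypothetical); the real engine uses optimised pattern matchers rather than regexes and accepts many more offset forms, so treat this purely as a model of the signature semantics.

```python
"""
Toy .ndb-style body-signature matcher (added example, not ClamAV code).

Implements only a subset of the hex signature syntax: '??' (one arbitrary
byte), '*' (any number of bytes), '{n}', '{n-m}', '{n-}', '{-m}' (bounded
gaps), and only '*' or a decimal absolute offset. TargetType and the
optional MinFL/MaxFL fields are parsed but ignored.
"""
import re
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class NdbSignature:
    name: str
    target_type: int   # 0 = any file type in ClamAV; ignored by this toy
    offset: str        # "*" (anywhere) or a decimal absolute offset
    hex_sig: str       # hex body, optionally containing wildcards


def parse_ndb_line(line: str) -> NdbSignature:
    """Parse 'MalwareName:TargetType:Offset:HexSignature[:MinFL:MaxFL]'."""
    parts = line.strip().split(":")
    if len(parts) < 4:
        raise ValueError(f"malformed .ndb line: {line!r}")
    name, target_type, offset, hex_sig = parts[0], int(parts[1]), parts[2], parts[3]
    if offset != "*" and not offset.isdigit():
        raise ValueError(f"offset form {offset!r} is not supported by this toy")
    return NdbSignature(name, target_type, offset, hex_sig)


# One token per: '??' | '*' | '{n}' / '{n-m}' / '{n-}' / '{-m}' | one hex byte
_TOKEN = re.compile(r"\?\?|\*|\{(\d*)(-?)(\d*)\}|[0-9a-fA-F]{2}")


def hex_sig_to_regex(hex_sig: str) -> "re.Pattern[bytes]":
    """Translate a hex body into a bytes regex. A body with no wildcards is a
    fixed-length literal; every wildcard makes the match variable-length."""
    pieces: List[bytes] = []
    pos = 0
    for m in _TOKEN.finditer(hex_sig):
        if m.start() != pos:
            raise ValueError(f"unparsable hex near {hex_sig[pos:pos + 8]!r}")
        pos = m.end()
        tok = m.group(0)
        if tok == "??":
            pieces.append(b".")                      # exactly one arbitrary byte
        elif tok == "*":
            pieces.append(b".*?")                    # any number of bytes
        elif tok.startswith("{"):
            lo, dash, hi = m.group(1), m.group(2), m.group(3)
            if not dash:
                pieces.append(b".{%d}" % int(lo))    # {n}: exactly n bytes
            else:                                    # {n-m}, {n-}, {-m}
                pieces.append(b".{%s,%s}" % ((lo or "0").encode(), hi.encode()))
        else:
            pieces.append(re.escape(bytes.fromhex(tok)))  # literal byte
    if pos != len(hex_sig):
        raise ValueError(f"trailing garbage in hex signature: {hex_sig[pos:]!r}")
    return re.compile(b"".join(pieces), re.DOTALL)


def signature_matches(sig: NdbSignature, data: bytes) -> bool:
    pattern = hex_sig_to_regex(sig.hex_sig)
    if sig.offset == "*":
        return pattern.search(data) is not None
    return pattern.match(data, int(sig.offset)) is not None  # anchored at offset


def scan(data: bytes, db_lines: List[str]) -> List[str]:
    """Return the names of every database signature that hits `data`."""
    return [sig.name for sig in map(parse_ndb_line, db_lines) if signature_matches(sig, data)]


# Constructed sample database (hypothetical names, not real ClamAV signatures)
SAMPLE_DB = [
    "Example.FixedHello:0:*:48656c6c6f",          # "Hello": fixed length, any offset
    "Example.HeaderGap:0:0:4d5a??{2-6}50450000",  # "MZ", 1 byte, 2-6 bytes, "PE\0\0", at offset 0
    "Example.AnyDistance:0:*:4d5a*50450000",      # "MZ" ... "PE\0\0" any distance apart
]

# Constructed sample inputs (not real files)
SAMPLE_SHORT_HEADER = b"MZ\x90\x00\x03\x00PE\x00\x00" + b"\x00" * 8
SAMPLE_LONG_HEADER = b"MZ" + b"\x00" * 20 + b"PE\x00\x00"
SAMPLE_TEXT = b"zz Hello world"

if __name__ == "__main__":
    for label, blob in [("short header", SAMPLE_SHORT_HEADER),
                        ("long header", SAMPLE_LONG_HEADER),
                        ("text", SAMPLE_TEXT)]:
        print(f"{label}: {scan(blob, SAMPLE_DB)}")
```

Note that all three sample signatures are equally "static" database entries; the only thing the wildcards change is whether the matched region has a fixed or a variable length, and the anchored offset on `Example.HeaderGap` is what makes it miss the same bytes when they are shifted or spread further apart.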