[clamav-users] Archive & signature precedence
Cedric Knight
cedric at gn.apc.org
Thu Nov 6 10:27:26 UTC 2014
Hi
Like a lot of users I suspect, I use ClamAV to search within archives
for generic filename patterns (or other characteristics) specified in
a .zmd file. Like some, I use clamdscan through amavis and rescore
some types of hits that might conceivably be false positives as a
number of spam points. Unfortunately the .zmd/.rmd file appears to
take precedence over particular signatures, so the archive rules hit
*instead of* detection of, for example, a specific Zeus variant.
I'm all for minimising CPU usage where possible, but actually in
combination with SpamAssassin this situation of having generic
detection first rather than an immediate quarantine can require more
CPU. Security is of course more of a priority, and also the current
behaviour makes it harder to find samples that aren't detected by the
current signatures.
Is it possible to configure ClamAV to only do the archive .zmd/.rmd
tests after other more specific tests pass OK? I was wondering
whether to file this as an RFE.
Thanks
CK
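The precedence problem the post describes, as an added toy model (not ClamAV code, not anything the poster wrote): a minimal "engine" checks an in-memory zip against a generic archive-metadata rule (a simplified stand-in for a .zmd line, matching a member filename regex) and a specific hash signature (a simplified stand-in for a .hsb line, "sha256:size:name"), in both orders. The rule formats, the virus names and the sample member bytes are all constructed for the example and do not follow the real ClamAV parsers; the point is only that whichever check runs first decides the reported name, which is what makes the generic hit mask the specific one.

```python
"""Toy model of archive-rule vs. specific-signature precedence.

Constructed example, not ClamAV code. The rule syntaxes below are
deliberately simplified stand-ins for .zmd (archive metadata) and
.hsb (hash) signatures, not the real formats.
"""
import hashlib
import io
import re
import zipfile

# Constructed sample standing in for a known-bad archive member.
# (Arbitrary bytes, not real malware.)
BAD_MEMBER = b"MZ\x90\x00constructed-sample-not-real-malware"
BAD_SHA256 = hashlib.sha256(BAD_MEMBER).hexdigest()

# Simplified .hsb-style specific signature: "sha256:size:virname".
SPECIFIC_SIGS = [f"{BAD_SHA256}:{len(BAD_MEMBER)}:Test.Specific.Variant"]

# Simplified .zmd-style generic rule: "virname:filename-regex".
ARCHIVE_RULES = ["Test.Generic.ExeInZip:.*\\.exe$"]


def build_zip(members):
    """Return the bytes of an in-memory zip built from {name: data}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


def match_archive_rules(zf):
    """Generic check: any member whose name matches a rule's regex."""
    for rule in ARCHIVE_RULES:
        virname, pattern = rule.split(":", 1)
        for info in zf.infolist():
            if re.search(pattern, info.filename):
                return virname
    return None


def match_specific_sigs(zf):
    """Specific check: sha256 and size of a member equal a signature."""
    sigs = {}
    for line in SPECIFIC_SIGS:
        digest, size, virname = line.split(":")
        sigs[(digest, int(size))] = virname
    for info in zf.infolist():
        data = zf.read(info)
        key = (hashlib.sha256(data).hexdigest(), len(data))
        if key in sigs:
            return sigs[key]
    return None


def scan(zip_bytes, archive_rules_first=True):
    """Return the first detection name; the check order decides which.

    archive_rules_first=True models the behaviour the post complains
    about (generic .zmd hit masks the specific signature); False models
    the requested behaviour (specific signatures evaluated first).
    """
    zf = zipfile.ZipFile(io.BytesIO(zip_bytes))
    checks = [match_archive_rules, match_specific_sigs]
    if not archive_rules_first:
        checks.reverse()
    for check in checks:
        hit = check(zf)
        if hit:
            return hit
    return None


if __name__ == "__main__":
    sample = build_zip({"invoice.exe": BAD_MEMBER, "readme.txt": b"hello"})
    print("archive rules first :", scan(sample, archive_rules_first=True))
    print("specific sigs first :", scan(sample, archive_rules_first=False))
```

With the archive rule evaluated first the same zip is reported as Test.Generic.ExeInZip, so a downstream rescoring step (as with amavis turning a generic hit into spam points) never sees the specific name; with the specific signature evaluated first the reported name is Test.Specific.Variant and the generic rule still catches archives that only match by filename.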