[clamav-users] Archive & signature precedence
Steven Morgan
smorgan at sourcefire.com
Thu Nov 6 16:25:15 UTC 2014
Hi Cedric,
I have a few questions/points:
- Are you writing your own zmd/rmd signatures?
- If so, have you tried using .cdb signatures? I've noticed in
docs/signatures.pdf the zmd/rmd are annotated as "obsolete" and the cdb
format seems to subsume, although this may not accomplish what you want it
to do.
- Not the most elegant, but you could use sigtool and split up the
signature data base into a pattern/hash set and a container set and filter
through two ClamAV instances (or just eliminate the container sigs and use a
single ClamAV, if that works for your case)
- Feel free to submit feature requests to bugzilla.clamav.net
Steve
On Thu, Nov 6, 2014 at 5:27 AM, Cedric Knight <cedric at gn.apc.org> wrote:
>
> Hi
>
> Like a lot of users I suspect, I use ClamAV to search within archives
> for generic filename patterns (or other characteristics) specified in
> a .zmd file. Like some, I use clamdscan through amavis and rescore
> some types of hits that conceivably might be a false positive as a
> number of spam points. Unfortunately the .zmd/.rmd file appears to
> take precedence over particular signatures, so the archive rules hit
> *instead of* detection of, for example, a specific Zeus variant.
>
> I'm all for minimising CPU usage where possible, but actually in
> combination with SpamAssassin this situation of having generic
> detection first rather than an immediate quarantine can require more
> CPU. Security is of course more of a priority, and also the current
> behaviour makes it harder to find samples that aren't detected by the
> current signatures.
>
> Is it possible to configure ClamAV to only do the archive .zmd/.rmd
> tests after other more specific tests pass OK? I was wondering
> whether to file this as a RFE.
>
> Thanks
>
> CK
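Following Steve's suggestion to try .cdb in place of .zmd/.rmd, here is an added example (not part of this thread and not ClamAV's own tooling) that converts .zmd/.rmd lines into .cdb lines so the two rule sets can be compared side by side; the field layouts of both formats are taken from docs/signatures.pdf as I recall them, so check them against your copy, and the sample signatures are constructed.

```python
# Convert ClamAV .zmd (ZIP) / .rmd (RAR) container signatures into .cdb lines.
# Field layouts as recalled from docs/signatures.pdf (verify against your copy):
#   zmd/rmd: virname:encrypted:filename:normal size:csize:crc32:cmethod:fileno:max depth
#   cdb:     VirusName:ContainerType:ContainerSize:FileNameREGEX:FileSizeInContainer:
#            FileSizeReal:IsEncrypted:FilePos:Res1:Res2
from dataclasses import dataclass

ZMD_FIELDS = ("virname", "encrypted", "filename", "normal_size", "csize",
              "crc32", "cmethod", "fileno", "max_depth")

@dataclass
class ContainerSig:
    virname: str
    encrypted: str      # 0, 1 or *
    filename: str       # regex matched against the member name
    normal_size: str    # uncompressed size or *
    csize: str          # compressed size or *
    crc32: str          # hex CRC32 of the member or *
    cmethod: str        # compression method or *
    fileno: str         # position of the member in the archive or *
    max_depth: str      # nesting depth or *

def parse_zmd_line(line):
    parts = line.strip().split(":")
    if len(parts) != len(ZMD_FIELDS):
        raise ValueError(f"expected {len(ZMD_FIELDS)} fields, got {len(parts)}: {line!r}")
    return ContainerSig(*parts)

def zmd_to_cdb(sig, container_type):
    # cmethod and max_depth have no cdb counterpart and are dropped; the CRC32
    # goes to Res1, which cdb treats as the member CRC32 for ZIP/RAR containers.
    return ":".join([sig.virname, container_type, "*", sig.filename,
                     sig.csize, sig.normal_size, sig.encrypted, sig.fileno,
                     sig.crc32, "*"])

def convert_file(text, ext):
    """Convert the body of a .zmd or .rmd file; returns a list of .cdb lines."""
    ctype = {"zmd": "CL_TYPE_ZIP", "rmd": "CL_TYPE_RAR"}[ext]
    out = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue  # skip blank lines and comments
        out.append(zmd_to_cdb(parse_zmd_line(line), ctype))
    return out

# Constructed sample signatures, not real ones.
SAMPLE_ZMD = """\
# constructed sample: any .exe member, and an encrypted .scr member at depth 2
Local.Archive.ExeInZip:*:.*\\.exe$:*:*:*:*:*:*
Local.Archive.EncryptedScr:1:.*\\.scr$:*:*:*:*:*:2
"""

if __name__ == "__main__":
    print("\n".join(convert_file(SAMPLE_ZMD, "zmd")))
```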