[clamav-users] Archive & signature precedence
Cedric Knight
cedric at gn.apc.org
Fri Nov 7 11:54:24 UTC 2014
On 06/11/14 16:25, Steven Morgan wrote:
> Hi Cedric,
>
> I have a few questions/points:
> - Are you writing your own zmd/rmd signatures?
Yes.
> - If so, have you tried using .cdb signatures? I've noticed
> in docs/signatures.pdf the zmd/rmd are annotated as "obsolete" and
> the cdb format seems to subsume, although this may not accomplish
> what you want it to do.
I may have been referring to an older signatures.pdf and hadn't
actually noticed the "(now obsolete)" comment. .zmd/.rmd still works
on 0.98.4 (Debian wheezy).
I have now converted all the sigs to .cdb, and found .cdb is tested
first, then .zmd/.rmd, then the .hdb, .ndb and .cld. So unfortunately
this does not help with the problem.
> - Not the most elegant, but you could use sigtool and split up the
> signature data base into a pattern/hash set and a container set and
> filter through two ClamAV instances(or just eliminate the container
> sigs and use a single ClamAV, if that works for your case)
I think two instances with different configs would be very messy for
what I want. It's not a big enough problem to justify this (there's
very little chance of a generic filename-based detection being scored
low enough in Amavis to pass). I want to know if a detection already
matches a specific sig in daily.cld or is novel malware that I want to
report.
I do want the container sigs. I could convert them to a SpamAssassin
plugin rather than using ClamAV at all, but I would imagine the
feature of testing files from most specific to most generic would be a
useful enhancement for many users.
> - Feel free to submit feature requests to bugzilla.clamav.net
I think this is an RFE, so will do so. Thanks.
CK
>
> Steve
>
> On Thu, Nov 6, 2014 at 5:27 AM, Cedric Knight <cedric at gn.apc.org>
> wrote:
>
> Hi
>
> Like a lot of users I suspect, I use ClamAV to search within
> archives for generic filename patterns (or other characteristics)
> specified in a .zmd file. Like some, I use clamdscan through
> amavis and rescore some types of hits that conceivably might be a
> false positive as a number of spam points. Unfortunately the
> .zmd/.rmd file appears to take precedence over particular
> signatures, so the archive rules hit *instead of* detection of, for
> example, a specific Zeus variant.
>
> I'm all for minimising CPU usage where possible, but actually in
> combination with SpamAssassin this situation of having generic
> detection first rather than an immediate quarantine can require
> more CPU. Security is of course more of a priority, and also the
> current behaviour makes it harder to find samples that aren't
> detected by the current signatures.
>
> Is it possible to configure ClamAV to only do the archive
> .zmd/.rmd tests after other more specific tests pass OK? I was
> wondering whether to file this as a RFE.
>
> Thanks
>
> CK
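As an added illustration of the ordering problem discussed in this thread (this is example code, not from the thread or from the ClamAV project): a small POSIX shell script that approximates "most specific first" without a second daemon, by splitting a database directory into a "specific" set (.hdb, .ndb and the official .cld/.cvd archives) and a "containers" set (.cdb, .zmd, .rmd), then running clamscan against the specific set and only falling through to the container rules when that pass comes back clean. It assumes clamscan's `-d DIR` option and its exit codes (0 clean, 1 infected, 2 error); the official .cld/.cvd archives are treated as "specific" regardless of what rule types they bundle, and `SCANNER` is an assumed override variable so the scan step can be exercised with a stand-in scanner.

```shell
#!/bin/sh
# Example, not ClamAV's own tooling: scan with hash/pattern signatures first,
# then with archive-metadata (container) rules only if nothing specific hit.
set -u

# Assumed override so a stand-in scanner can be substituted; defaults to clamscan.
SCANNER="${SCANNER:-clamscan}"

# split_sigdb SRC DST
# Copy signature files from SRC into DST/specific (hash/pattern/official
# databases) and DST/containers (archive rules: .cdb, .zmd, .rmd).
split_sigdb() {
    src="$1"; dst="$2"
    mkdir -p "$dst/specific" "$dst/containers"
    for f in "$src"/*; do
        [ -f "$f" ] || continue
        case "$f" in
            *.cdb|*.zmd|*.rmd) cp "$f" "$dst/containers/" ;;
            *)                 cp "$f" "$dst/specific/"   ;;
        esac
    done
}

# scan_specific_first TARGET DBROOT
# Run the specific set first; any non-clean result (infected or error) stops
# there, so a generic archive rule can never mask a specific detection.
# Prints the stage that decided the result and returns the scanner's exit code.
scan_specific_first() {
    target="$1"; dbroot="$2"
    if "$SCANNER" --no-summary -d "$dbroot/specific" "$target"; then
        rc=0
    else
        rc=$?
    fi
    if [ "$rc" -ne 0 ]; then
        echo "stage=specific rc=$rc"
        return "$rc"
    fi
    if "$SCANNER" --no-summary -d "$dbroot/containers" "$target"; then
        rc=0
    else
        rc=$?
    fi
    echo "stage=containers rc=$rc"
    return "$rc"
}

# Typical use (assumed paths):
#   split_sigdb /var/lib/clamav /tmp/clamdb
#   scan_specific_first /path/to/message.eml /tmp/clamdb
```

The split works only on signatures that live in separate files, which is the case for locally written .cdb/.zmd/.rmd rules; it does not reach inside the official archives. Because the two passes share one clamscan binary and one set of on-disk databases, it avoids the two-configuration setup mentioned above, at the cost of loading the databases twice per scan.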