[clamav-users] Trouble with foxhole
Steve Basford
steveb_clamav at sanesecurity.com
Wed Oct 14 09:42:15 UTC 2015
On Wed, October 14, 2015 9:45 am, Gene Heskett wrote:
> I am with rajesh on this. clamav's hit rate, and I run every incoming
> mail past it, is disgustingly poor at detecting this stuff. I have fed 500
> or more of these *^%$ .zip or .doc attachments to sa-learn spam, probably
> poisoning its database since the last actual hit by clamav, which was on
> Sept 8th. I'll see if this improves the hit rate, because
> it has never been even acceptably accurate and has become very poor these
> days.
In fairness to ClamAV, lots of AVs have poor hit rates; here's a sample I
received 8 hours ago...
https://www.virustotal.com/en/file/bb35fa3b86bef9b8ede7bb1690c8aaf486405392538a8f9edff2195158f73e2c/analysis/1444814562/
Currently: 4 out of 54 scanners find it (this was 8 hours later)
It was automatically added to rogue.hdb (within the hour of receiving it):
Sanesecurity.Rogue.0h.20151014-0350 (Shipment_Advice.zip)
Obviously this would have been blocked by foxhole_all.cdb and/or the
sigs posted earlier, if you aren't too bothered about FPs.
Hop over to the Sanesecurity list if people are still having issues with
the 3rd Party sigs catching things.
http://sanesecurity.com/support/mailing-list/
Cheers,
Steve
Web : sanesecurity.com
Blog: sanesecurity.blogspot.com