[clamav-users] Win.Trojan.Toa-5368540-0 - How many people need to complain before you listen?

Reindl Harald h.reindl at thelounge.net
Thu Dec 29 09:32:15 UTC 2016



On 29.12.2016 at 10:21, Reindl Harald wrote:
> On 29.12.2016 at 03:54, Al Varnell wrote:
>> Over 11,000 of them were dropped several days ago, but a few were
>> added at the same time. I have no idea what the status of those new
>> ones are and maybe I've lost track, but I believe only one of the new
>> ones has been brought up here.
>>
>> Since all signatures are put through their QA process before release,
>> I'm not clear on what it is you are proposing.
>
> probably that the QA process has not been working for the last 2 months?
>
> the state of the official signatures is that clamav doesn't catch much real
> malware all of the time without the sanesecurity 3rd party signatures and
> the official
>
> cat clamscan.log | grep FOUND | wc -l
> 5267
>
> cat clamscan.log | grep FOUND | grep UNOFFICIAL | wc -l
> 4281
>
> i bet the 25% would have been caught by sanesecurity sigs too

these are 99.9% false positives and hence only scored

cat clamscan.log | grep FOUND | grep "Heuristics.Phishing.Email.SSL-Spoof" | wc -l
662

these are not signatures and only scored

cat clamscan.log | grep FOUND | grep "Heuristics.OLE2.ContainsMacros" | wc -l
225

given how much memory the instance with the official signatures uses, i am 
going so far as to say that i would love to be able to *completely* exclude 
"daily.cld", "daily.cvd" and "main.cvd" and only update 
"safebrowsing.cvd" and just keep the few sanesecurity signatures in the 
clamd-instance which is allowed to reject directly via milter

[root at mail-gw:~]$ ls /var/lib/clamav
insgesamt 210M
-rw-r--r-- 1 clamupdate clamupdate  75K 2016-12-28 12:53 foxhole_filename.cdb
-rw-r--r-- 1 clamupdate clamupdate  44K 2016-06-28 09:58 foxhole_generic.cdb
-rw-r--r-- 1 clamupdate clamupdate 4,1K 2016-06-18 16:55 thelounge_blocked_extensions.cdb
-rw-r--r-- 1 clamupdate clamupdate  79M 2016-12-29 09:25 daily.cld
-rw-r--r-- 1 clamupdate clamupdate  85K 2016-07-04 14:30 bytecode.cvd
-rw-r--r-- 1 clamupdate clamupdate  26M 2016-12-18 01:25 daily.cvd
-rw-r--r-- 1 clamupdate clamupdate 105M 2016-07-04 14:29 main.cvd
-rw-r--r-- 1 clamupdate clamupdate  11K 2016-10-18 15:56 sanesecurity.ftm
-rw-r--r-- 1 clamupdate clamupdate 103K 2016-12-29 09:47 bofhland_malware_attach.hdb
-rw-r--r-- 1 clamupdate clamupdate   82 2016-07-13 21:44 crdfam.clamav.hdb
-rw-r--r-- 1 clamupdate clamupdate  14K 2016-12-22 10:51 rogue.hdb
-rw-r--r-- 1 clamupdate clamupdate  86K 2016-12-29 09:45 winnow_extended_malware.hdb
-rw-r--r-- 1 clamupdate clamupdate 264K 2016-12-29 09:45 winnow_malware.hdb
-rw-r--r-- 1 clamupdate clamupdate  48K 2015-08-05 09:24 hackingteam.hsb
-rw-r--r-- 1 clamupdate clamupdate  15K 2016-08-10 15:06 malwarehash.hsb
-rw-r--r-- 1 clamupdate clamupdate  16K 2016-12-29 09:46 porcupine.hsb
-rw-r--r-- 1 clamupdate clamupdate 6,7K 2016-11-25 09:56 sigwhitelist.ign2
-rw-r--r-- 1 clamupdate clamupdate  196 2016-08-10 09:57 thelounge_whitelist.ign2
-rw-r--r-- 1 clamupdate clamupdate  56K 2016-12-27 20:39 badmacro.ndb
-rw-r--r-- 1 clamupdate clamupdate  59K 2016-12-29 09:52 blurl.ndb
-rw-r--r-- 1 clamupdate clamupdate 1012 2016-12-29 09:47 bofhland_malware_URL.ndb
-rw-r--r-- 1 clamupdate clamupdate 337K 2016-12-29 09:46 porcupine.ndb
-rw-r--r-- 1 clamupdate clamupdate   61 2016-10-10 19:47 thelounge_custom_sigs.ndb
-rw-r--r-- 1 clamupdate clamupdate 1,3M 2016-12-29 09:45 winnow_malware_links.ndb

[root at mail-gw:~]$ ls /var/lib/clamav-spam/
insgesamt 77M
-rw-r--r-- 1 clamupdate clamupdate 9,1K 2016-11-28 16:00 foxhole_all.cdb
-rw-r--r-- 1 clamupdate clamupdate 2,7K 2016-12-06 09:52 foxhole_js.cdb
-rw-r--r-- 1 clamupdate clamupdate 5,7K 2016-06-18 16:55 thelounge_tagged_extensions.cdb
-rw-r--r-- 1 clamupdate clamupdate  85K 2016-07-04 14:30 bytecode.cvd
-rw-r--r-- 1 clamupdate clamupdate  43M 2016-11-04 18:27 safebrowsing.cvd
-rw-r--r-- 1 clamupdate clamupdate  11K 2016-10-18 15:56 sanesecurity.ftm
-rw-r--r-- 1 clamupdate clamupdate 1,3K 2016-12-12 16:53 spamattach.hdb
-rw-r--r-- 1 clamupdate clamupdate 6,0K 2016-12-08 10:53 spamimg.hdb
-rw-r--r-- 1 clamupdate clamupdate 515K 2016-12-29 09:45 winnow.attachments.hdb
-rw-r--r-- 1 clamupdate clamupdate   66 2016-12-29 09:45 winnow_bad_cw.hdb
-rw-r--r-- 1 clamupdate clamupdate 6,7K 2016-11-25 09:56 sigwhitelist.ign2
-rw-r--r-- 1 clamupdate clamupdate  196 2016-08-10 09:57 thelounge_whitelist.ign2
-rw-r--r-- 1 clamupdate clamupdate 1011 2016-11-29 17:56 shelter.ldb
-rw-r--r-- 1 clamupdate clamupdate  556 2016-10-06 15:53 spam.ldb
-rw-r--r-- 1 clamupdate clamupdate  660 2016-12-29 09:45 winnow.complex.patterns.ldb
-rw-r--r-- 1 clamupdate clamupdate  59K 2016-12-29 09:52 blurl.ndb
-rw-r--r-- 1 clamupdate clamupdate  656 2016-12-29 09:47 bofhland_cracked_URL.ndb
-rw-r--r-- 1 clamupdate clamupdate 1012 2016-12-29 09:47 bofhland_malware_URL.ndb
-rw-r--r-- 1 clamupdate clamupdate 2,2K 2016-12-29 09:47 bofhland_phishing_URL.ndb
-rw-r--r-- 1 clamupdate clamupdate 5,7K 2016-11-21 09:55 foxhole_all.ndb
-rw-r--r-- 1 clamupdate clamupdate  230 2016-11-21 09:55 foxhole_js.ndb
-rw-r--r-- 1 clamupdate clamupdate 6,5M 2016-12-20 16:53 junk.ndb
-rw-r--r-- 1 clamupdate clamupdate 228K 2016-12-29 09:52 jurlbla.ndb
-rw-r--r-- 1 clamupdate clamupdate 196K 2016-12-29 09:52 jurlbl.ndb
-rw-r--r-- 1 clamupdate clamupdate 240K 2016-07-29 18:20 lott.ndb
-rw-r--r-- 1 clamupdate clamupdate 3,8M 2016-12-28 12:53 phish.ndb
-rw-r--r-- 1 clamupdate clamupdate 3,5M 2016-12-29 09:46 phishtank.ndb
-rw-r--r-- 1 clamupdate clamupdate  14M 2016-12-29 09:45 scamnailer.ndb
-rw-r--r-- 1 clamupdate clamupdate 1,8M 2016-11-28 16:24 scam.ndb
-rw-r--r-- 1 clamupdate clamupdate  49K 2016-12-28 19:52 spearl.ndb
-rw-r--r-- 1 clamupdate clamupdate 2,0M 2016-12-28 19:48 spear.ndb
-rw-r--r-- 1 clamupdate clamupdate   61 2016-10-10 19:47 thelounge_custom_sigs.ndb
-rw-r--r-- 1 clamupdate clamupdate  159 2016-12-29 09:45 winnow_extended_malware_links.ndb
-rw-r--r-- 1 clamupdate clamupdate 1,3M 2016-12-29 09:45 winnow_malware_links.ndb
-rw-r--r-- 1 clamupdate clamupdate 297K 2016-12-29 09:45 winnow_phish_complete.ndb
-rw-r--r-- 1 clamupdate clamupdate 165K 2016-12-29 09:45 winnow_spam_complete.ndb
-rw-r--r-- 1 clamupdate clamupdate 1,5K 2015-07-01 14:54 Sanesecurity_sigtest.yara
-rw-r--r-- 1 clamupdate clamupdate 1,3K 2016-02-22 13:21 Sanesecurity_spam.yara
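The grep pipelines in the post above separate clamscan.log hits into three groups: third-party signatures (names ending in `.UNOFFICIAL`), engine heuristics (names starting with `Heuristics.`, which are scored options rather than signatures), and the remaining official signature hits. The script below, added here as an editor's example and not part of the mailing-list post, does the same breakdown in one pass and also tallies the most frequent signature names, so the share of genuine official-signature detections is visible directly. The log lines are constructed for the example and only follow the `path: Signature FOUND` format clamscan writes; the signature name Win.Trojan.Toa-5368540-0 is taken from the thread subject.

```python
import re
from collections import Counter

# Constructed sample of clamscan.log output (not a real log from the post).
# clamscan writes one "<path>: <signature> FOUND" line per detection, "OK"
# lines for clean files, and a summary block at the end.
SAMPLE_LOG = """\
/var/spool/quarantine/msg001.eml: Sanesecurity.Foxhole.Mail_zip.UNOFFICIAL FOUND
/var/spool/quarantine/msg002.eml: Heuristics.Phishing.Email.SSL-Spoof FOUND
/var/spool/quarantine/msg003.eml: Heuristics.OLE2.ContainsMacros FOUND
/var/spool/quarantine/msg004.eml: Win.Trojan.Toa-5368540-0 FOUND
/var/spool/quarantine/msg005.eml: OK
/var/spool/quarantine/msg006.eml: winnow.malware.ts.attach.zip.UNOFFICIAL FOUND
/var/spool/quarantine/msg007.eml: Heuristics.Phishing.Email.SSL-Spoof FOUND

----------- SCAN SUMMARY -----------
Infected files: 6
"""

# Matches a detection line; the path is non-greedy so a ": " inside the
# path cannot swallow the signature name.
FOUND_RE = re.compile(r"^(?P<path>.+?): (?P<sig>\S+) FOUND$")

UNOFFICIAL_SUFFIX = ".UNOFFICIAL"   # appended by ClamAV to third-party sigs
HEURISTIC_PREFIX = "Heuristics."    # engine heuristics, not signature files


def classify(sig):
    """Return which of the three groups from the post a signature belongs to."""
    if sig.endswith(UNOFFICIAL_SUFFIX):
        return "unofficial"
    if sig.startswith(HEURISTIC_PREFIX):
        return "heuristic"
    return "official"


def summarize(log_text):
    """Count FOUND lines per group and per signature name.

    Returns (group_counts, per_signature) as two Counters. group_counts has
    the keys 'found', 'unofficial', 'heuristic' and 'official'.
    """
    groups = Counter()
    per_sig = Counter()
    for line in log_text.splitlines():
        m = FOUND_RE.match(line)
        if not m:
            continue                      # OK lines, summary, blanks
        sig = m.group("sig")
        groups["found"] += 1
        groups[classify(sig)] += 1
        per_sig[sig] += 1
    return groups, per_sig


def official_share(groups):
    """Fraction of all FOUND lines that came from official signatures."""
    if not groups["found"]:
        return 0.0
    return groups["official"] / groups["found"]


if __name__ == "__main__":
    groups, per_sig = summarize(SAMPLE_LOG)
    for key in ("found", "unofficial", "heuristic", "official"):
        print(f"{key:10s} {groups[key]}")
    print(f"official share: {official_share(groups):.1%}")
    print("top signatures:")
    for sig, n in per_sig.most_common(3):
        print(f"  {n:5d}  {sig}")
```

Run it against a real file with `summarize(open("clamscan.log").read())`; the per-signature counter is what tells you whether a large "official" number is one or two noisy heuristics, as in the post, or a spread of real signature hits.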
