[clamav-users] ClamAV+exim: scanner finds not a single malware

Joel Esler (jesler) jesler at cisco.com
Mon May 23 14:03:05 EDT 2016


--
Joel Esler
Manager, Talos Group
On May 23, 2016, at 1:52 PM, C.D. Cochrane <cdc at post.com> wrote:
My 2 cents would be that rapid traditional signature updates are not a viable solution to this long term problem.
I'm pretty sure the current generation of Locky, Dridex, Nemucod, etc. ransomware is generated using millions
of tiny mutations so that almost every email attachment has a unique signature. There is no way to keep up with
that. ClamAV got more than a million virus samples per day, last time I inquired.
...Chris

As for the claim above about Dridex etc. being too numerous to handle,
Sane Security seems to be doing just a fine job of it. (So it's just a
lame response).

I'm not sure what heuristic Sane Security uses. My original point was that a traditional signature (sigtool?)
on the current generation of malware seems to be a non-scalable idea. One million new sigs per day is not
realistic. ClamAV must evolve if it is going to remain useful. There has to be a better scheme to ID new
malware than sigtool.

Otherwise, groach is right. ClamAV is just a redundant way to scan for virus files from 2008 or see if your
latest files can generate FPs.
Obviously going to disagree.  We are pushing almost a thousand pieces of detection every four hours now, and that will only increase from here.
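The disagreement in this thread is really about signature scope: a per-sample hash signature (what `sigtool --md5` emits as a `.hdb` line) only ever matches the exact file it was made from, while a body signature on a byte pattern shared by the whole family (a `.ndb` line) covers variants that have never been seen. The following is an added example, not code from the thread or from the ClamAV project: it builds constructed, benign "variants" that share one core fragment wrapped in random junk, emits both signature kinds in ClamAV's documented line formats, and counts how many known and previously unseen variants each kind catches. `FAMILY_CORE`, the variant generator and the simplified matchers are assumptions made for the demonstration; the `.ndb` matcher handles only a plain hex body, not ClamAV's wildcards.

```python
import hashlib
import random

# Constructed, benign fragment that every variant in the toy family shares.
# In real analysis this would be a stable code or string fragment chosen by
# the analyst; here it is just an ASCII marker so the example runs offline.
FAMILY_CORE = b"EXAMPLE-FAMILY-CORE-V1"


def make_variants(n, seed=1234):
    """Build n constructed variants: the same core wrapped in random junk,
    so every file has a different hash but the same family pattern."""
    rng = random.Random(seed)
    variants = []
    for _ in range(n):
        pre = bytes(rng.getrandbits(8) for _ in range(rng.randint(8, 64)))
        post = bytes(rng.getrandbits(8) for _ in range(rng.randint(8, 64)))
        variants.append(pre + FAMILY_CORE + post)
    return variants


def hdb_signatures(samples, name="Example.Family"):
    """One .hdb line per sample in the MD5:FileSize:MalwareName format that
    `sigtool --md5` produces. The list grows with every new sample."""
    return [f"{hashlib.md5(s).hexdigest()}:{len(s)}:{name}" for s in samples]


def ndb_signature(pattern, name="Example.Family"):
    """One .ndb line in the MalwareName:TargetType:Offset:HexSignature format.
    Target type 0 = any file, offset * = anywhere in the file."""
    return f"{name}:0:*:{pattern.hex()}"


def match_hdb(sigs, data):
    """Hash lookup: hit only if both MD5 and size match a known sample."""
    wanted = {(line.split(":")[0], int(line.split(":")[1])) for line in sigs}
    return (hashlib.md5(data).hexdigest(), len(data)) in wanted


def match_ndb(sig, data):
    """Simplified body-signature matcher: plain hex body, no wildcards."""
    _name, _target, _offset, hexsig = sig.split(":")
    return bytes.fromhex(hexsig) in data


def coverage(n_known=10, n_new=5):
    """Compare how each signature kind covers known vs. never-seen variants."""
    known = make_variants(n_known, seed=1)   # samples the analyst has
    new = make_variants(n_new, seed=2)       # tomorrow's mutations
    hdb = hdb_signatures(known)
    ndb = ndb_signature(FAMILY_CORE)
    return {
        "hdb_lines": len(hdb),
        "hdb_hits_known": sum(match_hdb(hdb, v) for v in known),
        "hdb_hits_new": sum(match_hdb(hdb, v) for v in new),
        "ndb_lines": 1,
        "ndb_hits_known": sum(match_ndb(ndb, v) for v in known),
        "ndb_hits_new": sum(match_ndb(ndb, v) for v in new),
    }


if __name__ == "__main__":
    for key, value in coverage().items():
        print(f"{key}: {value}")
```

Run stand-alone it shows ten hash lines catching only the ten files they were derived from and none of the five new variants, against one body signature catching all fifteen. The trade-off a defender has to weigh is that the pattern signature is only as good as the fragment chosen: too short or too generic and it starts producing the false positives the thread complains about, which is why such signatures are normally tested against a clean corpus before publication.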