[clamav-users] signature processing order
Steve Basford
steveb_clamav at sanesecurity.com
Tue May 24 12:12:27 UTC 2016
On Tue, May 24, 2016 12:23 pm, Groach wrote:
> Out of interest, what does it matter? Why is it important that an
> official CLAM definition stops the virus before the 3rd party definition
> stops the same virus (if they both have the same criteria)? Surely a goal
> is a goal and it doesn't matter who kicked the ball.
I have to agree :)
a) if you *really* want to know what sigs matched a sample you
can use clamscan -z, which gives you this sort of output...
caution_lizr_587777.zip: Sanesecurity.Foxhole.JS_Zip_1.UNOFFICIAL FOUND
caution_lizr_587777.zip: Sanesecurity.Foxhole.Zip_fs208.UNOFFICIAL FOUND
Ok, so scanning will continue until ALL matches are found in official and
3rd party sigs, which would take a bit longer to scan... but at least
you'd know.
b) You can use clamscan --official-db-only=yes to only use official ones
As for "removing" a 3rd party signature when official ones block it,
well... overall... it wouldn't really be a good idea.
Cheers,
Steve
Web : sanesecurity.com
Twitter: @sanesecurity
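An added example, not part of Steve's post or of ClamAV itself: a small shell helper that runs clamscan with -z (--allmatch) so scanning continues past the first hit, then splits each file's hits into official signatures and third-party ones, which clamscan names with the .UNOFFICIAL suffix as in the output above. The sample clamscan output, the file names and the function names (classify_hits, unofficial_only, scan_allmatch) are constructed for this example; only scan_allmatch needs a real clamscan on PATH.

```shell
#!/bin/sh
# Added example (not from the original post or from ClamAV): classify
# clamscan --allmatch output into official vs third-party hits.
# Assumptions: clamscan prints one "<path>: <signature> FOUND" line per
# match, and signatures loaded from non-official databases carry the
# ".UNOFFICIAL" suffix. Everything else here is constructed.

# sample_output: constructed clamscan -z output (not a real scan).
sample_output() {
    cat <<'EOF'
caution_lizr_587777.zip: Sanesecurity.Foxhole.JS_Zip_1.UNOFFICIAL FOUND
caution_lizr_587777.zip: Sanesecurity.Foxhole.Zip_fs208.UNOFFICIAL FOUND
eicar.com: Win.Test.EICAR_HDB-1 FOUND
clean.txt: OK
EOF
}

# classify_hits: read clamscan output on stdin and print, per file,
#   official=<n> unofficial=<n> <path>
# in first-seen order. Lines not ending in " FOUND" (OK, errors) are skipped.
classify_hits() {
    awk '
        /FOUND$/ {
            line = $0
            sub(/ FOUND$/, "", line)
            # split on the last ": " so a path containing ": " still works;
            # signature names never contain a colon
            idx = match(line, /: [^:]*$/)
            if (idx == 0) next
            path = substr(line, 1, idx - 1)
            sig  = substr(line, idx + 2)
            if (!(path in seen)) { order[++n] = path; seen[path] = 1 }
            if (sig ~ /\.UNOFFICIAL$/) unofficial[path]++
            else official[path]++
        }
        END {
            for (i = 1; i <= n; i++) {
                p = order[i]
                printf "official=%d unofficial=%d %s\n",
                       official[p] + 0, unofficial[p] + 0, p
            }
        }
    '
}

# unofficial_only: from classify_hits output, print only the paths that
# no official signature caught, i.e. detections you would lose with
# --official-db-only=yes.
unofficial_only() {
    awk '$1 == "official=0" && $2 != "unofficial=0" {
            sub(/^[^ ]+ [^ ]+ /, ""); print
         }'
}

# scan_allmatch DIR: real scan with -z (--allmatch) so every matching
# signature is reported, not just the first. Requires clamscan on PATH.
scan_allmatch() {
    clamscan -z --no-summary -r "$1" | classify_hits
}

# Stand-alone demo on the constructed sample: run with --demo.
if [ "${1:-}" = "--demo" ]; then
    echo "== per-file hits =="
    sample_output | classify_hits
    echo "== caught only by third-party sigs =="
    sample_output | classify_hits | unofficial_only
fi
```

Because the file is only listed by unofficial_only when its official count is zero, the output answers the question in the thread directly: which samples would go undetected if you dropped the third-party databases. Note that clamscan exits non-zero when it finds a match, so run the pipeline without `set -o pipefail` or handle that status explicitly.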