[clamav-users] signature processing order

Steve Basford steveb_clamav at sanesecurity.com
Tue May 24 08:12:27 EDT 2016


On Tue, May 24, 2016 12:23 pm, Groach wrote:
> Out of interest, what does it matter?  Why is it important that an
> official CLAM definition stops the virus before the 3rd party definition
> stops the same virus (if they both have the same criteria)?  Surely a goal
> is a goal and it doesn't matter who kicked the ball.

I have to agree :)

a) if you *really* want to know what sigs matched a sample you
can use clamscan -z, which gives you this sort of output...

caution_lizr_587777.zip: Sanesecurity.Foxhole.JS_Zip_1.UNOFFICIAL FOUND
caution_lizr_587777.zip: Sanesecurity.Foxhole.Zip_fs208.UNOFFICIAL FOUND

Ok, so scanning will continue until ALL matches are found in official and
3rd party sigs, which would take a bit longer to scan... but at least
you'd know.

b) You can use clamscan --official-db-only=yes to only use official ones

As for "removing" a 3rd party signature when official ones block it,
well... overall... it wouldn't really be a good idea.

Cheers,

Steve
Web : sanesecurity.com
Twitter: @sanesecurity
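As an added illustration of point (a), not part of the original post: with -z clamscan keeps scanning after the first hit and prints one "path: SigName FOUND" line per match, so a small parser can group those lines per file and tell which hits come from third-party databases (names carrying the .UNOFFICIAL suffix) versus the official ones. The sample output below is constructed, including the official signature name, and is not captured from a real scan.

```python
import re
from typing import Dict, List

# Constructed sample of `clamscan -z` output (not a real scan). The first two
# lines mirror the shape shown in the post; the "Doc.Dropper.Example-0" name
# is a made-up stand-in for an official signature.
SAMPLE_OUTPUT = """\
caution_lizr_587777.zip: Sanesecurity.Foxhole.JS_Zip_1.UNOFFICIAL FOUND
caution_lizr_587777.zip: Sanesecurity.Foxhole.Zip_fs208.UNOFFICIAL FOUND
invoice_scan.doc: Doc.Dropper.Example-0 FOUND
invoice_scan.doc: Sanesecurity.Malware.Example.UNOFFICIAL FOUND
readme.txt: OK
"""

# One FOUND line: "<path>: <signature name> FOUND"
FOUND_RE = re.compile(r"^(?P<path>.+?): (?P<sig>\S+) FOUND$")


def parse_found_lines(output: str) -> Dict[str, List[str]]:
    """Group every FOUND line by scanned path; OK and summary lines are skipped."""
    hits: Dict[str, List[str]] = {}
    for line in output.splitlines():
        m = FOUND_RE.match(line.strip())
        if m:
            hits.setdefault(m.group("path"), []).append(m.group("sig"))
    return hits


def is_unofficial(sig: str) -> bool:
    """Third-party databases (e.g. Sanesecurity) name their sigs *.UNOFFICIAL."""
    return sig.endswith(".UNOFFICIAL")


def classify(hits: Dict[str, List[str]]) -> Dict[str, dict]:
    """Per path: split matches into official / third-party names and say whether
    the official database alone (--official-db-only=yes) would have caught it."""
    report: Dict[str, dict] = {}
    for path, sigs in hits.items():
        official = [s for s in sigs if not is_unofficial(s)]
        unofficial = [s for s in sigs if is_unofficial(s)]
        report[path] = {
            "official": official,
            "unofficial": unofficial,
            "official_only_would_catch": bool(official),
        }
    return report


if __name__ == "__main__":
    for path, info in classify(parse_found_lines(SAMPLE_OUTPUT)).items():
        print(path, info)
```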
