[clamav-users] signature processing order

Groach groachmail-stopspammingme at yahoo.com
Tue May 24 12:37:24 UTC 2016 

I dont understand why anyone would want to delete a signature from their 
databases even if it is a duplicate. Consider this:

MAIN:  signature "BadWilly" (no guesses what it might be trying to trap)
3rdParty signature "3rdBadWilly" attempting to catch the same virus

Ok, so now you have determined there are 2 viruses with the same 
intewntion.  So you delete one of them

Unknown to you, the one you deleted wasnt very good and doesnt actually 
work as expected.  (Whereas the deleted one weas good).

OR

You delete one, leaving one that was once proven effective...then tnat 
same provider changes that defniition (agains leaving you without the 
protection).

OR.... you delete signature (thinkning its redundant) then do a database 
update and it gets restored again.

And you simply cant ask the providers to not include the definitions 
'just because MAIN Clam has included it' because MAYBE there is a 
customer that does like or update MAIN database (and actually likes to 
rely solely on the 3rd party database).



On 24/05/2016 14:13, C.D. Cochrane wrote:
> Hmm, that's strange.  I have noted exactly the opposite behavior.  My customsig.ndb sigs
> only get applied after official ClamAV detection has run.  I know this because I am
> always watching for my UNOFFICIAL FOUNDs to be replaced by official ones and I then
> delete the related sig from my customsig.ndb.  It does not happen often, but it does
> happen (official detection, I mean)!
> ...Chris
>   
>> Sent: Tuesday, May 24, 2016 at 5:54 AM
>> From: Axb <axb.lists at gmail.com>
>> To: clamav-users at lists.clamav.net
>> Subject: [clamav-users] signature processing order
>> Good day,
>>
>> I've noticed that apparently third party (UNOFFICIAL) signatures get
>> applied before the official ones.
>>
>> Depending on the signature types, we may never see any "official" sigs
>> hitting, ever.
>>
>> Is there a scientific reason for this? (or am I missing something?)
>>
>> If no, could it be made switchable (via clamd.conf) and --switch for
>> clamscan.
>>
>> Thanks
>>
>> Axb
>>
> _______________________________________________
> Help us build a comprehensive ClamAV guide:
> https://github.com/vrtadmin/clamav-faq
>
> http://www.clamav.net/contact.html#ml

More information about the clamav-users mailing list