[clamav-users] signature processing order
cdc at post.com
Tue May 24 08:52:17 EDT 2016
I guess it all depends on what you want from AV. I hope for 0 day email
detection. If my customsig or ClamAV official DB detect the virus in the
days and weeks AFTER the virus hit my inbox then I've already lost. I
never do full system file scans with ClamAV. I want incoming email
So, I keep hoping that any new official detection will be indicative of
a new 0 day algorithm, not merely a copy of the static signature I already
redundantly created. Insanity is doing the same thing over and over
hoping for different results :) Am I insane, or are the ClamAV sig writers?
> Sent: Tuesday, May 24, 2016 at 8:37 AM
> From: Groach <groachmail-stopspammingme at yahoo.com>
> To: "ClamAV users ML" <clamav-users at lists.clamav.net>
> Subject: Re: [clamav-users] signature processing order
> I don't understand why anyone would want to delete a signature from their
> databases even if it is a duplicate. Consider this:
> MAIN: signature "BadWilly" (no guesses what it might be trying to trap)
> 3rdParty signature "3rdBadWilly" attempting to catch the same virus
> Ok, so now you have determined there are 2 viruses with the same
> intention. So you delete one of them.
> Unknown to you, the one you deleted wasn't very good and doesn't actually
> work as expected. (Whereas the deleted one was good).
> You delete one, leaving one that was once proven effective...then that
> same provider changes that definition (again leaving you without the
> OR.... you delete signature (thinking it's redundant) then do a database
> update and it gets restored again.
> And you simply can't ask the providers to not include the definitions
> 'just because MAIN Clam has included it' because MAYBE there is a
> customer that does like or update MAIN database (and actually likes to
> rely solely on the 3rd party database).