[clamav-users] signature processing order

C.D. Cochrane cdc at post.com
Tue May 24 08:52:17 EDT 2016


I guess it all depends on what you want from AV.  I hope for 0 day email
detection.  If my customsig or ClamAV official DB detect the virus in the
days and weeks AFTER the virus hit my inbox then I've already lost.  I
never do full system file scans with ClamAV.  I want incoming email
detection.

So, I keep hoping that any new official detection will be indicative of
a new 0 day algorithm, not merely a copy of the static signature I already
redundantly created.  Insanity is doing the same thing over and over
hoping for different results :)  Am I insane, or are the ClamAV sig writers?
...Chris


> Sent: Tuesday, May 24, 2016 at 8:37 AM
> From: Groach <groachmail-stopspammingme at yahoo.com>
> To: "ClamAV users ML" <clamav-users at lists.clamav.net>
> Subject: Re: [clamav-users] signature processing order
> I don't understand why anyone would want to delete a signature from their
> databases even if it is a duplicate. Consider this:
>
> MAIN: signature "BadWilly" (no guesses what it might be trying to trap)
> 3rdParty signature "3rdBadWilly" attempting to catch the same virus
>
> Ok, so now you have determined there are 2 viruses with the same
> intention. So you delete one of them.
>
> Unknown to you, the one you deleted wasn't very good and doesn't actually
> work as expected. (Whereas the deleted one was good).
>
> OR
>
> You delete one, leaving one that was once proven effective...then that
> same provider changes that definition (again leaving you without the
> protection).
>
> OR.... you delete signature (thinking it's redundant) then do a database
> update and it gets restored again.
>
> And you simply can't ask the providers to not include the definitions
> 'just because MAIN Clam has included it' because MAYBE there is a
> customer that does like or update MAIN database (and actually likes to
> rely solely on the 3rd party database).
>


