[clamav-users] Question about Heuristic Scanning and Signature Based Scanning
Al Varnell
alvarnell at mac.com
Tue May 9 07:38:12 UTC 2017
On Tue, May 09, 2017 at 12:29 AM, crazy thinker wrote:
>
> Thanks for the reply. How many heuristic scan engines is ClamAV using now?
I only know of one.
All the other heuristic approaches use the primary scanner along with signatures designed to detect suspicious patterns in file names or coding.
> What are the extensions of the db files used by the ClamAV heuristic engine?
As I told you on Friday...
> There's a heuristics engine that uses data from the .pdb and .sfp sections of the database to detect messages from selected financial institutions that appear to be phishing attempts.
> Can I increase the heuristic scan engine count?
I suspect you would have to write your own.
-Al-
> On 9 May 2017 at 12:21, Al Varnell wrote:
>
>> I already answered most of these questions before and after reading "My
>> Understanding", which is totally wrong. It's obvious you have not read the
>> signature.pdf documentation closely enough to understand any of this.
>>
>> The way you have chosen to classify signatures is completely wrong, which
>> means the questions you've asked don't make any sense. All signatures in
>> the database are static in that they only change when replaced by a more
>> accurate signature. There is nothing dynamic about any of them.
>>
>> The signature based scanner uses both fixed and variable length signatures.
>>
>> As I told you before, the heuristics based scanner only checks a limited
>> list of financial institutions for phishing attempts. That only represents
>> a tiny fraction of what could be considered behavior based malware
>> detection. And the database is used to define what financial institutions
>> are included as well as the ability to whitelist certain behaviors that are
>> known to not be a threat.
>>
>> On Mon, May 08, 2017 at 10:49 PM, crazy thinker wrote:
>>>
>>> Hi ClamAV Developers,Users
>>>
>>> As per my understanding, virus signatures are classified into two types:
>>>
>>> 1. Static virus signatures (short/fixed-length virus signatures)
>>> 2. Dynamic virus signatures (long-length signatures with regular
>>> expressions)
>>>
>>> So I guess ClamAV is performing both signature-based scanning and
>>> heuristic-based scanning for the malware detection process.
>>>
>>> Please find below the questions that are in my mind:
>>>
>>> 1. Does the signature-based scanner use only static signatures (not dynamic
>>> signatures)?
>>> 2. Does the heuristic scanner use only dynamic signatures for malware
>>> detection?
>>> 3. If the heuristic scanner uses a behaviour-based approach, why does the
>>> heuristic scanner need a virus database?
>>> 4. To implement an efficient AV scanner, can I go with the heuristic
>>> scanning approach and exclude the signature-based scanning approach?
>>>
>>> I would like to get help/suggestions from you guys...
>>>
>>>
>>> Kindly waiting for your reply!!!!
>>>
>>>
>>> Thanks,
>>> Crazy Thinker, Inc
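As an added example (not ClamAV's own code, and a simplified model of the check Al describes), the Python below flags an HTML link whose visible text names a watched financial institution while its href points at a different host. The watched-host set and allowlist are constructed stand-ins for the lists the phishing database supplies, not ClamAV's .pdb format.

```python
import re
from urllib.parse import urlparse

# Constructed stand-ins for lists that ClamAV loads from its phishing database
# (.pdb entries for watched institutions); not ClamAV's real data.
WATCHED_HOSTS = {"bank.example", "pay.example"}
# Constructed allowlist of (real host, displayed host) pairs known to be benign.
ALLOWED_PAIRS = {("links.bank.example", "bank.example")}

# <a href="REAL">DISPLAYED</a> in a simple HTML body (demo-grade regex).
ANCHOR_RE = re.compile(r'<a\s+[^>]*href=["\']([^"\']+)["\'][^>]*>(.*?)</a>',
                       re.IGNORECASE | re.DOTALL)
URL_RE = re.compile(r'(?:https?://|www\.)\S+', re.IGNORECASE)

def hostname(text):
    """Lowercase host of a URL-like string, or None if it has none."""
    text = text.strip()
    if not text.lower().startswith(("http://", "https://")):
        text = "http://" + text
    host = urlparse(text).hostname
    return host.lower() if host else None

def find_phishing_links(html):
    """Return (real_host, displayed_host) pairs where the visible link text is a
    URL of a watched institution but the href actually points elsewhere."""
    hits = []
    for href, shown in ANCHOR_RE.findall(html):
        match = URL_RE.search(re.sub(r"<[^>]+>", "", shown))  # strip inner tags
        if not match:
            continue  # plain-text anchors give nothing to compare against
        real, displayed = hostname(href), hostname(match.group(0))
        if not real or displayed not in WATCHED_HOSTS:
            continue  # the heuristic only checks the listed institutions
        if real == displayed or (real, displayed) in ALLOWED_PAIRS:
            continue
        hits.append((real, displayed))
    return hits

# Constructed sample message body, not a real phishing e-mail.
SAMPLE = ('<p>Dear customer,</p>'
          '<a href="http://login-verify.example/x">https://bank.example/login</a>'
          '<a href="https://links.bank.example/t">https://bank.example/account</a>'
          '<a href="https://bank.example/help">Help centre</a>')

if __name__ == "__main__":
    print(find_phishing_links(SAMPLE))  # [('login-verify.example', 'bank.example')]
```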