[clamav-users] Question about Heuristic Scanning and Signature Based Scanning

Al Varnell alvarnell at mac.com
Wed May 10 10:54:01 UTC 2017


I wouldn't know where to start.

-Al-

On Wed, May 10, 2017 at 03:41 AM, crazy thinker wrote:
> 
> @Al Varnell
> Yes, I have plans to rewrite it from scratch. Are you willing to join me? :)
> 
> On 9 May 2017 at 13:08, Al Varnell <alvarnell at mac.com> wrote:
> 
>> On Tue, May 09, 2017 at 12:29 AM, crazy thinker wrote:
>>> 
>>> Thanks for the reply. How many heuristic scan engines is ClamAV using now?
>> 
>> I only know of one.
>> 
>> All the other heuristic approaches use the primary scanner along with
>> signatures designed to detect suspicious patterns in file names or coding.
>> 
>>> What are the extensions of the db files used by the ClamAV heuristic engine?
>> 
>> As I told you on Friday...
>>> There's a heuristics engine that uses data from the .pdb and .sfp
>> sections of the database to detect messages from selected financial
>> institutions that appear to be phishing attempts.
>> 
>>> Can I increase the heuristic scan engine count?
>> 
>> I suspect you would have to write your own.
>> 
>> -Al-
>> 
>>> On 9 May 2017 at 12:21, Al Varnell wrote:
>>> 
>>>> I already answered most of these questions before and after reading "My
>>>> Understanding" which is totally wrong; it's obvious you have not read the
>>>> signature.pdf documentation closely enough to understand any of this.
>>>> 
>>>> The way you have chosen to classify signatures is completely wrong, which
>>>> means the questions you've asked don't make any sense. All signatures in
>>>> the database are static in that they only change when replaced by a more
>>>> accurate signature. There is nothing dynamic about any of them.
>>>> 
>>>> The signature based scanner uses both fixed and variable length signatures.
>>>> 
>>>> As I told you before, the heuristics based scanner only checks a limited
>>>> list of financial institutions for phishing attempts. That only represents
>>>> a tiny fraction of what could be considered behavior based malware
>>>> detection. And the database is used to define what financial institutions
>>>> are included as well as the ability to whitelist certain behaviors that are
>>>> known to not be a threat.
>>>> 
>>>> On Mon, May 08, 2017 at 10:49 PM, crazy thinker wrote:
>>>>> 
>>>>> Hi ClamAV Developers,Users
>>>>> 
>>>>> As per My Understnading , Virus Signatures are Classified into two
>> types
>>>>> 
>>>>> 1.Static Virus Signatures(short/fixed  length virus signatures)
>>>>> 2.Dynamic Virus Signatures(long length Signatures with Regular
>>>> Expression)
>>>>> 
>>>>> So  I guess, ClamAV performing both Signature Based Scanning and
>>>> Heuristic
>>>>> Based Scanning for Malware Detection Process
>>>>> 
>>>>> Please find below questions that in my mind
>>>>> 
>>>>> 1.Does Signature Based Scanner uses  only  Static Signatures (not
>> Dynamic
>>>>> Signatures)  ?
>>>>> 2.Does  Heuristic Scanner uses only Dynamic Signatures for Malware
>>>>> Detection?
>>>>> 3. If Herusitc Scanner uses Behaviour Based Approach, why  Heuristic
>>>>> Scanner needs Virus Database?
>>>>> 4.To implement   Efficient AV Scanner, Can I go with Heuristic Scanning
>>>>> Approach and Excluding Signature Based Scanning Approach?
>>>>> 
>>>>> I would like to get help/suggestions from you guys...
>>>>> 
>>>>> 
>>>>> Kindly waiting for your reply!!!!
>>>>> 
>>>>> 
>>>>> Thanks,
>>>>> Crazy Thinker, Inc
>> 
>> _______________________________________________
>> clamav-users mailing list
>> clamav-users at lists.clamav.net
>> http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
>> 
>> 
>> Help us build a comprehensive ClamAV guide:
>> https://github.com/vrtadmin/clamav-faq
>> 
>> http://www.clamav.net/contact.html#ml
>> 

-Al-
-- 
Al Varnell
Mountain View, CA
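Al's reply distinguishes a signature scanner, which matches fixed and variable length patterns from a static database, from a heuristic phishing check that is driven by a database-defined list of financial institutions plus a whitelist of known-good behaviour. The following Python illustrates both ideas side by side. It is an added example written for this thread, not ClamAV's code and not its .pdb/.sfp/.wdb database format; the signature names, the domain entries and the sample inputs are all constructed.

```python
"""Constructed illustration of the two detection styles from the thread:
a signature scanner (fixed-length and variable-length patterns from a
static database) and a phishing heuristic driven by a list of protected
financial-institution domains plus a whitelist. Not ClamAV code; the
entries, names and samples below are made up for the example."""
import re
from urllib.parse import urlparse

# Static database part 1: fixed-length byte patterns (constructed entries).
FIXED_SIGS = {
    "Test.Fixed.EicarFragment": b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE",
}

# Static database part 2: variable-length patterns. The database itself does
# not change at scan time; "variable length" only refers to the bounded
# wildcard gap the pattern allows between its two anchors.
VARIABLE_SIGS = {
    "Test.Variable.AutoOpenShell": re.compile(
        rb"Sub\s+AutoOpen\s*\(\).{0,200}?Shell\s*\(", re.I | re.S),
}


def scan_signatures(data: bytes) -> list:
    """Return the names of every fixed or variable-length signature found."""
    hits = [name for name, pat in FIXED_SIGS.items() if pat in data]
    hits += [name for name, rx in VARIABLE_SIGS.items() if rx.search(data)]
    return hits


# Heuristic part: which institutions the check protects, and which
# (displayed, real) domain pairs are known to be legitimate (constructed).
PROTECTED_DOMAINS = {"examplebank.test", "examplecredit.test"}
WHITELIST = {("examplebank.test", "examplebank-static.test")}

ANCHOR_RX = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
URL_RX = re.compile(r"https?://[^\s<]+", re.I)


def registered_domain(host: str) -> str:
    """Naive last-two-labels reduction; a real scanner would consult the
    public suffix list so that suffixes such as co.uk are handled correctly."""
    labels = host.lower().split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def check_phishing(html: str) -> list:
    """Flag anchors whose displayed URL belongs to a protected institution but
    whose real href resolves elsewhere, unless that pair is whitelisted.
    Returns a list of (displayed_domain, real_domain) tuples."""
    findings = []
    for href, text in ANCHOR_RX.findall(html):
        shown_url = URL_RX.search(text)
        if not shown_url:
            continue  # anchor text shows no URL, so there is nothing to compare
        shown = registered_domain(urlparse(shown_url.group(0)).hostname or "")
        real = registered_domain(urlparse(href).hostname or "")
        if (shown in PROTECTED_DOMAINS and shown != real
                and (shown, real) not in WHITELIST):
            findings.append((shown, real))
    return findings


# Constructed samples used by the demo below.
PHISH_SAMPLE = ('<p>Please verify your account at <a href="http://login.examplebank'
                '.test.attacker.test/">http://www.examplebank.test/login</a></p>')
WHITELISTED_SAMPLE = ('<a href="https://cdn.examplebank-static.test/promo">'
                      'https://examplebank.test/</a>')
MACRO_SAMPLE = b'Sub AutoOpen()\r\n  x = Shell("calc.exe", 1)\r\nEnd Sub'

if __name__ == "__main__":
    print(scan_signatures(b"xx EICAR-STANDARD-ANTIVIRUS-TEST-FILE xx"))
    print(scan_signatures(MACRO_SAMPLE))
    print(check_phishing(PHISH_SAMPLE))       # flagged: displayed bank, real attacker domain
    print(check_phishing(WHITELISTED_SAMPLE)) # empty: pair is whitelisted
```

The point the toy makes is the one Al makes: both halves read from data that is fixed at load time. The signature half differs only in whether a pattern has a wildcard gap, and the heuristic half still needs its database, because the list of protected domains and the whitelist are what turn a generic "displayed URL differs from real URL" rule into something with a tolerable false-positive rate.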



