[clamav-users] Question about Heuristic Scanning and Signature Based Scanning
Al Varnell
alvarnell at mac.com
Wed May 10 10:54:01 UTC 2017
I wouldn't know where to start.
-Al-
On Wed, May 10, 2017 at 03:41 AM, crazy thinker wrote:
>
> @Al Varnell
> Yes, I have plans to rewrite it from scratch.. you willing to join me ?:)
>
> On 9 May 2017 at 13:08, Al Varnell <alvarnell at mac.com> wrote:
>
>> On Tue, May 09, 2017 at 12:29 AM, crazy thinker wrote:
>>>
>>> Thanks for Reply. How many Heuristic Scan Engines ClamAV using Now?
>>
>> I only know of one.
>>
>> All the other heuristic approaches use the primary scanner along with
>> signatures designed to detect suspicious patterns in file names or coding.
>>
>>> What are the extensions of the db files used by the ClamAV Heuristic Engine?
>>
>> As I told you on Friday...
>>> There's a heuristics engine that uses data from the .pdb and .sfp
>> sections of the database to detect messages from selected financial
>> institutions that appear to be phishing attempts.
>>
>>> Can I increase the Heuristic Scan Engine count?
>>
>> I suspect you would have to write your own.
>>
>> -Al-
>>
>>> On 9 May 2017 at 12:21, Al Varnell wrote:
>>>
>>>> I already answered most of these questions before and after reading "My
>>>> Understanding", which is totally wrong. It's obvious you have not read the
>>>> signature.pdf documentation closely enough to understand any of this.
>>>>
>>>> The way you have chosen to classify signatures is completely wrong, which
>>>> means the questions you've asked don't make any sense. All signatures in
>>>> the database are static in that they only change when replaced by a more
>>>> accurate signature. There is nothing dynamic about any of them.
>>>>
>>>> The signature based scanner uses both fixed and variable length signatures.
>>>>
>>>> As I told you before, the heuristics based scanner only checks a limited
>>>> list of financial institutions for phishing attempts. That only represents
>>>> a tiny fraction of what could be considered behavior based malware
>>>> detection. And the database is used to define what financial institutions
>>>> are included as well as the ability to whitelist certain behaviors that are
>>>> known to not be a threat.
>>>>
>>>> On Mon, May 08, 2017 at 10:49 PM, crazy thinker wrote:
>>>>>
>>>>> Hi ClamAV Developers, Users
>>>>>
>>>>> As per my understanding, virus signatures are classified into two types:
>>>>>
>>>>> 1. Static Virus Signatures (short/fixed length virus signatures)
>>>>> 2. Dynamic Virus Signatures (long length signatures with Regular Expressions)
>>>>>
>>>>> So I guess ClamAV is performing both Signature Based Scanning and Heuristic
>>>>> Based Scanning for the malware detection process.
>>>>>
>>>>> Please find below questions that in my mind
>>>>>
>>>>> 1. Does the Signature Based Scanner use only Static Signatures (not Dynamic
>>>>> Signatures)?
>>>>> 2. Does the Heuristic Scanner use only Dynamic Signatures for malware
>>>>> detection?
>>>>> 3. If the Heuristic Scanner uses a behaviour based approach, why does the
>>>>> Heuristic Scanner need a virus database?
>>>>> 4. To implement an efficient AV scanner, can I go with the Heuristic
>>>>> Scanning approach and exclude the Signature Based Scanning approach?
>>>>>
>>>>> I would like to get help/suggestions from you guys...
>>>>>
>>>>>
>>>>> Kindly waiting for your reply!!!!
>>>>>
>>>>>
>>>>> Thanks,
>>>>> Crazy Thinker, Inc
>>
>> _______________________________________________
>> clamav-users mailing list
>> clamav-users at lists.clamav.net
>> http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
>>
>>
>> Help us build a comprehensive ClamAV guide:
>> https://github.com/vrtadmin/clamav-faq
>>
>> http://www.clamav.net/contact.html#ml
>>
-Al-
--
Al Varnell
Mountain View, CA
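Al's point that the signature scanner works with both fixed-length and variable-length signatures is easiest to see with the .ndb hex-signature syntax from signatures.pdf (fixed byte runs written in hex, with `??`, `*`, `{n-m}` and `(aa|bb)` wildcards making a signature variable-length). The following is an added illustration written for this page, not ClamAV's code: a small Python matcher that translates that syntax into a byte regex and scans constructed sample buffers. The signature names and sample data are made up, only `*` and absolute offsets are supported in the offset field, and the real engine uses dedicated pattern-matching structures rather than regexes; the mapping of the wildcard syntax is what the example is meant to show.

```python
import re

# Constructed .ndb-style lines for illustration (names are hypothetical, not
# from the ClamAV database). Field layout: Name:TargetType:Offset:HexSignature
SIGNATURES = [
    # fixed-length signature: the exact bytes "EVIL", anywhere in the file
    "Example.Fixed:0:*:4556494c",
    # variable-length: "MZ", then 2-8 arbitrary bytes, then any one byte, then "PAYLOAD"
    "Example.Variable:0:*:4d5a{2-8}??5041594c4f4144",
    # fixed-length but anchored at absolute offset 0: "#!/bin/sh"
    "Example.Anchored:0:0:23212f62696e2f7368",
]

# One token per element of the hex-signature syntax, in the order we try them.
_TOKEN = re.compile(r"\?\?|\*|\{\d*-?\d*\}|\([0-9a-fA-F|]+\)|[0-9a-fA-F]{2}")


def hex_sig_to_regex(sig: str) -> bytes:
    """Translate a ClamAV-style hex signature into an equivalent bytes regex."""
    out = []
    pos = 0
    for m in _TOKEN.finditer(sig):
        if m.start() != pos:
            raise ValueError(f"unparsable signature at column {pos}: {sig!r}")
        tok = m.group(0)
        pos = m.end()
        if tok == "??":                      # any single byte
            out.append(rb".")
        elif tok == "*":                     # any number of bytes
            out.append(rb".*?")
        elif tok.startswith("{"):            # {n}, {n-m}, {-m}, {n-}
            body = tok[1:-1]
            if "-" in body:
                lo, hi = body.split("-")
                out.append(b".{%s,%s}" % (lo.encode() or b"0", hi.encode()))
            else:
                out.append(b".{%s}" % body.encode())
        elif tok.startswith("("):            # (aa|bb) alternatives, each a hex run
            alts = tok[1:-1].split("|")
            out.append(b"(?:" + b"|".join(re.escape(bytes.fromhex(a)) for a in alts) + b")")
        else:                                # a literal byte
            out.append(re.escape(bytes.fromhex(tok)))
    if pos != len(sig):
        raise ValueError(f"trailing garbage in signature: {sig!r}")
    return b"".join(out)


def scan(data: bytes, sigs=SIGNATURES):
    """Return [(name, match_offset)] for every signature that hits in data."""
    hits = []
    for line in sigs:
        name, _target_type, offset, hexsig = line.split(":")[:4]
        rx = re.compile(hex_sig_to_regex(hexsig), re.DOTALL)
        if offset == "*":                    # floating: search the whole buffer
            m = rx.search(data)
        elif offset.isdigit():               # absolute: must match exactly there
            m = rx.match(data, int(offset))
        else:                                # EP+n, SEn etc. are out of scope here
            raise ValueError(f"unsupported offset spec {offset!r} in {name}")
        if m:
            hits.append((name, m.start()))
    return hits


if __name__ == "__main__":
    samples = {                              # constructed inputs, not real malware
        "fixed":    b"hello EVIL world",
        "variable": b"xxMZ\x90\x00\x03\x00PAYLOAD",
        "anchored": b"#!/bin/sh\necho hi\n",
        "shifted":  b"x#!/bin/sh\n",          # header present but not at offset 0
    }
    for label, buf in samples.items():
        print(label, scan(buf))
```

The interesting case is the last sample: the anchored signature does not fire when the bytes sit at offset 1, which is exactly the difference between an offset of `0` and `*` in the signature line.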