[clamav-users] disabling a database

Al Varnell alvarnell at mac.com
Thu May 11 05:40:42 UTC 2017


I could be wrong, but my impression has always been that ClamAV signatures target only Malware and Phishing, while Spam detection is all done using UNOFFICIAL sigs.

Sent from Janet's iPad

-Al-
-- 
Al Varnell
Mountain View, CA

On May 10, 2017, at 10:11 PM, nobs wrote:
> Hi,
> 
> On 01.05.2017 at 19:19, Kris Deugau wrote:
>> 
>> With third-party sets, you could walk through the signature names, and
>> build some local scripting to split the datasets as you please - I've
>> started to do this locally.
> 
> Basically that is what I tried. Maybe I just looked at the wrong places.
> Could you give me a hint where to put my fingers?
> 
> To get an idea what I currently do in my email-server:
> 
> 1) checking for spam with SpamAssassin, including some DNSBL and other
> external resources for such things; so I am quite sure I caught
> everything "bad" from this perspective
> 
> 2) checking the hash of all attachments against VirusTotal; so I am
> quite sure I got all already known malware
> 
> 3) checking against a local instance of ClamAV and submit all reports to
> VirusTotal
> 
> The point is now: I don't like to report files with spam to VirusTotal
> because it is senseless and a waste of resources.
> 
> Here are the scripts I wrote for that purpose, just in case someone is
> interested:
> 
> https://github.com/nobswolf/procmail2virustotal
> 
> I just think it is a good thing to keep spam and viruses separated. So
> at least the databases of ClamAV should get a kind of "flag" whether
> they catch the one kind or the other. This would make it easier for
> post-processing scripts to decide what to do with the results.
> 
> What do you think?
> 
> nobs
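
One way to do the post-processing discussed in this thread, as an added example that is not part of the original messages or of the procmail2virustotal scripts: split `clamscan` results by signature name and forward only non-spam hits. It relies on the `.UNOFFICIAL` suffix ClamAV appends to names from third-party databases; the `SPAM_PREFIXES` list, the function names and the sample lines are assumptions made for illustration.

```python
import re

# Assumed local list: signature-name prefixes you have decided mean "spam",
# built by walking the names in the third-party sets you load.
SPAM_PREFIXES = ("Sanesecurity.Junk.", "Sanesecurity.Spam.")

# clamscan prints "<path>: <signature> FOUND"; greedy .+ keeps ": " in paths.
FOUND_RE = re.compile(r"^(?P<path>.+): (?P<sig>\S+) FOUND$")
SUFFIX = ".UNOFFICIAL"  # appended by ClamAV to names from non-official databases


def parse_line(line):
    """Return (path, signature, unofficial) for a FOUND line, else None."""
    m = FOUND_RE.match(line.strip())
    if m is None:
        return None
    sig = m.group("sig")
    unofficial = sig.endswith(SUFFIX)
    if unofficial:
        sig = sig[: -len(SUFFIX)]
    return m.group("path"), sig, unofficial


def category(sig, unofficial):
    """'spam' only for unofficial names on the local list, else 'malware'."""
    if unofficial and sig.startswith(SPAM_PREFIXES):
        return "spam"
    return "malware"


def files_to_report(lines):
    """Paths with at least one non-spam detection, in first-seen order."""
    report = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed and category(parsed[1], parsed[2]) == "malware":
            report.setdefault(parsed[0], parsed[1])
    return list(report)


# Constructed sample output (file and signature names are made up).
SAMPLE = """\
/scan/invoice.doc: Win.Trojan.Example-1 FOUND
/scan/msg1.eml: Sanesecurity.Junk.12345.UNOFFICIAL FOUND
/scan/msg2.eml: OK
/scan/both.eml: Sanesecurity.Spam.678.UNOFFICIAL FOUND
/scan/both.eml: Win.Trojan.Example-2 FOUND
/scan/odd: name.zip: Vendor.Malware.9.UNOFFICIAL FOUND
""".splitlines()

if __name__ == "__main__":
    print(files_to_report(SAMPLE))
```

Names that match no listed prefix are treated as malware, so an incomplete list errs toward reporting rather than silently dropping a hit.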


