[clamav-users] Question about ClamAV
Dennis Peterson
dennispe at inetnw.com
Thu May 11 16:01:25 UTC 2017
I would consider a malware author that does not pass his/her new product through
several file scanners to be incompetent. There is little point in distributing
such files if they are commonly detectable. Scanners are one of the best quality
inspection tools a malware author has at their disposal. Conveniently, it can be
done cheaply at VirusTotal and other sites that do live scans using multiple
engines.
dp
On 5/11/17 8:21 AM, Matthew Molyett wrote:
> Crazy Thinker,
>
>> As per my understanding, a Signature Based Scanner will never be involved in
>> false positive/false negative results. But a Heuristic scanner sometimes
>> gives false positive/false negative results.
> Signature Based scanning can and will have false positive and false
> negative results. In fact, the high rate of False Negatives from Signature
> Based is the entire reason Heuristic scanning (and run-time scanning) is
> performed. A brand new, unknown threat, from a careful author, will be free
> of existing signatures. Similarly, a signature on a library only seen
> before in malicious software will cause a False Positive when legitimate
> software begins using it.
>
> Large, exact signatures prevent False Positives, but can be trivially
> defeated. Flexible signatures with wildcards can identify larger blocks of
> malicious content, but at the price of potential False Positives.
>
> The response from Maarten Broekman does a great job discussing the issues
> we are facing.
>
> Thank you for choosing ClamAV. Helping protect you and your users is
> what keeps me happily getting to work each day.
>
>
> On Thu, May 11, 2017 at 9:54 AM, Arnaud Jacques / SecuriteInfo.com <
> webmaster at securiteinfo.com> wrote:
>
>> Hello,
>>
>>> is that a *technical* reason or do you *think* it's recommended for
>>> whatever reason
>> It is technical: we avoid duplicate signatures in our databases. It means
>> every day we remove samples already detected by ClamAV.
>>
>>> - As an example, sanesecurity works just fine without the
>>> official stuff, and the difference is hundreds of MB of uselessly wasted RAM,
>>> while I have not seen any relevant hit on our inbound MX caught by the
>>> official signatures which would have slipped through sanesecurity.
>> In your example you are right. On mail filtering, sanesecurity and
>> spam_marketing.ndb from SecuriteInfo.com are good enough to protect
>> mailboxes, because Win32 malware is not spread by mail nowadays.
>>
>> In any other case (system protection, HTTP scanning, file hosting, etc.)
>> you have to get ClamAV official + 3rd-party signatures for maximum detection.
>>
>> --
>> Best regards,
>>
>> Arnaud Jacques
>> SecuriteInfo.com
>>
>> Facebook : https://www.facebook.com/pages/SecuriteInfocom/132872523492286
>> Twitter : @SecuriteInfoCom
>> _______________________________________________
>> clamav-users mailing list
>> clamav-users at lists.clamav.net
>> http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
>>
>>
>> Help us build a comprehensive ClamAV guide:
>> https://github.com/vrtadmin/clamav-faq
>>
>> http://www.clamav.net/contact.html#ml
>>
>
>
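A toy reconstruction of the trade-off Matthew Molyett describes, added here as an illustration; this is not ClamAV code and was not posted by anyone in the thread. It implements a small subset of the .hdb (MD5:size:name) and .ndb (name:target:offset:hexsig, with `??`, `*` and `{n-m}` wildcards) signature syntax and runs three constructed byte strings through it: an original sample, a relinked variant of it, and a benign program that shares the same library prologue. The sample bytes, the signature names (`Toy.*`) and the helper names are all invented for the example; real ClamAV databases have more fields and wildcard forms than are handled here.

```python
"""Toy ClamAV-style signature matcher (added example, not ClamAV code).

Supports a subset of the .hdb (MD5:size:name) and .ndb
(name:target:offset:hexsig) formats; all samples and signatures below are
constructed for the illustration.
"""
import hashlib
import re


def parse_hdb(line):
    """'md5:size:name' -> (md5, size, name)."""
    md5, size, name = line.strip().split(":")
    return md5.lower(), int(size), name


def hex_sig_to_regex(hex_sig):
    """Compile a .ndb hex signature (subset) to a bytes regex.

    Supported: plain hex bytes, '??' (any one byte), '*' (any run of bytes),
    '{n}' (exactly n bytes), '{n-m}' (between n and m bytes).
    """
    parts, i = [], 0
    while i < len(hex_sig):
        if hex_sig[i] == "*":
            parts.append(b".*")
            i += 1
        elif hex_sig[i] == "{":
            j = hex_sig.index("}", i)
            lo, _, hi = hex_sig[i + 1:j].partition("-")
            parts.append(b".{%d,%d}" % (int(lo), int(hi or lo)))
            i = j + 1
        elif hex_sig[i:i + 2] == "??":
            parts.append(b".")
            i += 2
        else:
            parts.append(re.escape(bytes.fromhex(hex_sig[i:i + 2])))
            i += 2
    return re.compile(b"".join(parts), re.DOTALL)


def parse_ndb(line):
    """'name:target:offset:hexsig' -> (name, regex); offset '*' only."""
    name, _target, _offset, hex_sig = line.strip().split(":")
    return name, hex_sig_to_regex(hex_sig)


def scan(data, hdb_sigs, ndb_sigs):
    """Return the names of every signature that matches `data`."""
    digest = hashlib.md5(data).hexdigest()
    hits = [n for md5, size, n in hdb_sigs if md5 == digest and size == len(data)]
    hits += [n for n, rx in ndb_sigs if rx.search(data)]
    return hits


def undetected_samples(samples, hdb_sigs, ndb_sigs):
    """Samples the given database misses: the de-duplication step described
    in the thread, i.e. only these are worth a new third-party signature."""
    return [n for n, d in samples.items() if not scan(d, hdb_sigs, ndb_sigs)]


# Constructed samples: a "library" prologue shared by all three, a CALL whose
# displacement changes when the binary is relinked, then a string.
LIB_BLOCK = bytes.fromhex("558bec83ec10")  # push ebp; mov ebp,esp; sub esp,0x10


def build(call_disp, tail):
    return b"MZ" + LIB_BLOCK + b"\xe8" + call_disp + b"\x68" + tail


MALWARE = build(b"\x10\x00\x00\x00", b"del *.*\x00")
MALWARE_V2 = build(b"\x20\x00\x00\x00", b"del *.*\x00")  # same code, relinked
BENIGN = build(b"\x30\x00\x00\x00", b"hello\x00")        # legit app, same library

# Exact hash of the original sample (.hdb style) versus two wildcard
# signatures (.ndb style): one on the library block alone, one that also
# demands the "del *.*" string somewhere after it (hex 64656c202a2e2a).
HDB = [parse_hdb("%s:%d:Toy.Exact" % (hashlib.md5(MALWARE).hexdigest(), len(MALWARE)))]
NDB = [
    parse_ndb("Toy.Wildcard.LibBlock:0:*:558bec83ec10e8????????68"),
    parse_ndb("Toy.Wildcard.WithContext:0:*:558bec83ec10e8????????68*64656c202a2e2a"),
]


if __name__ == "__main__":
    for label, data in (("original", MALWARE), ("relinked", MALWARE_V2), ("benign", BENIGN)):
        print("%-9s %s" % (label, scan(data, HDB, NDB)))
    feed = {"sample_a": MALWARE, "sample_b": MALWARE_V2}
    print("needs a new signature:", undetected_samples(feed, HDB, []))
```

Running it shows the three outcomes the thread argues about: the exact hash fires only on the original sample and is defeated by the relinked variant's four changed bytes; the wildcard on the library block alone catches both variants but also the benign program (the false positive Matthew mentions); adding the trailing string as context removes that false positive while still catching the variant. `undetected_samples` is the kind of check behind the de-duplication Arnaud describes: with only the exact-hash database loaded, the relinked sample is the one still worth writing a third-party signature for.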