[clamav-users] No good deed goes unpunished, or, why CVD files don't work

Paul Kosinski clamav-users at iment.com
Thu Dec 20 23:31:04 EST 2018

When talking about averages, I agree. But what I am worried about is
the "worst case" malicious payload: for example, a brand new and
particularly effective piece of ransomware. It's like car, life or
medical insurance. The probability of needing it is low, but when you
do, you don't want your account to be in arrears.


On Thu, 20 Dec 2018 18:37:22 +0000 (GMT)
"G.W. Haywood" <clamav at jubileegroup.co.uk> wrote:

> Hi there,
> Attempting to bring some sort of perspective to all this...
> The number of updates per day (or hour or minute), and the currency or
> otherwise of the updated data are not, I think, the things that
> matter.
> Isn't what matters most the probability that some malicious payload
> will get past your scanner?
> So, what's the difference in this probability if one updates daily, or
> hourly, or even every minute?  Not terribly easy to estimate, but I'd
> suggest that for real-world payloads (as opposed to random selections
> from some population of known payloads), and for ClamAV, we're looking
> at a range of a few percent in a probability of no less than several
> tens of percent.
> I'm not saying that this exercise is pointless, but I am wondering if
> there might be better uses for the effort.
