On Tue, 02 Sep 2003 at 14:03:39 +0100, Antony Stone wrote:
> On Tuesday 02 September 2003 8:23 am, Graham Murray wrote:
> > Antony Stone <[EMAIL PROTECTED]> writes:
> > > However, from a non-technical person's point of view, it doesn't do
> > > ClamAV's reputation much good if they see some other antivirus product
> > > identify a file as "Sobig.F.dam" and ClamAV doesn't identify it at all.
> > > Such people are not necessarily interested in the finer details of
> > > whether the thing is actually dangerous or not - they just see that
> > > ClamAV didn't catch it (whatever it is), whereas antivirus product X did,
> > > therefore product X must be better :)
> >
> > On the contrary, if it is not dangerous and ClamAV does not detect it
> > and product X does, then ClamAV is superior as Product X has just
> > generated a false positive!
>
> Technically I agree with you, however this is not the way marketing people
> think, and it is not even necessarily the way the everyday user thinks.
>
> I certainly agree that false positives generated by files which are wanted
> must be avoided at all costs, however it's not as clear to me that blocking a
> broken virus sample is a false positive, since there's no good reason for
> sending such a file on to the end user anyway.
>
> When it comes down to it, if we can let the end users receive the files they
> want, and prevent them receiving the files they don't, that is a good result.
>
> Broken viruses in my opinion fall into the "files they don't want" category.
>
> Regards,
>
> Antony.
I'd like to thank Antony Stone, Graham Murray and Jeffrey Moskot for their interesting discussion and insightful remarks.

Tomasz Kojm and I have decided to add the signature which matches "broken" ("damaged") samples of Worm.Sobig.F. We agree that - although not dangerous as viruses - these kinds of Worm.Sobig.F are unwanted, so the simplest solution is to detect and block them. The nuisance of explaining that they are harmless and not the real Worm.Sobig.F also matters.

A technical note: as Tomasz Kojm has already written, with the current structure of the database it is hard to prepare a signature which would match broken samples *and* would *not* match real samples (broken ones are simply truncated real ones). Thus, after adding the additional signature, ClamAV does not distinguish between "real" and "broken" samples of Worm.Sobig.F. If someone really wanted to stay technically precise, he could remove the new signature from the viruses.db2 file (the old one is still in viruses.db) for the time being ;-) .

Regards

--
Tomasz Papszun   SysAdm @ TP S.A. Lodz, Poland  | And it's only
[EMAIL PROTECTED]  http://www.lodz.tpsa.pl/      | ones and zeros.
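The technical note above (a truncated sample is a prefix of the complete one, so any byte signature that hits the prefix also hits the full file) can be shown with a minimal scanner. This is an added illustration, not code from the thread or from ClamAV; it assumes the plain NAME=HEX line format of the old signature databases, and every sample and signature byte string in it is constructed, not real Sobig.F data.

```python
import binascii

# Constructed stand-in for a complete worm sample (not real Sobig.F bytes):
# a header, a body, and a trailer that sits at the very end of the file.
REAL_SAMPLE = b"MZ" + b"\x90" * 14 + b"BODY-PAYLOAD-BYTES" + b"\x00" * 8 + b"END-TRAILER"
# A "damaged" copy of the kind mail truncation produces: a prefix of the real one.
BROKEN_SAMPLE = REAL_SAMPLE[:24]


def hexsig(raw: bytes) -> str:
    """Encode signature bytes the way the assumed NAME=HEX database lines do."""
    return binascii.hexlify(raw).decode()


# Constructed databases in the assumed NAME=HEX line format.
# viruses.db: the original signature lies in the trailer, past the truncation point,
# so damaged copies never reach it.
OLD_DB = "Worm.Sobig.F=" + hexsig(b"END-TRAILER")
# viruses.db2: the added signature lies in the part every truncated copy still has,
# which is exactly why it matches complete copies too.
NEW_DB = "Worm.Sobig.F.dam=" + hexsig(b"BODY-PAY")


def parse_db(text: str) -> list[tuple[str, bytes]]:
    """Parse NAME=HEX lines into (name, pattern) pairs, skipping blanks and comments."""
    sigs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _, hexpat = line.partition("=")
        sigs.append((name, binascii.unhexlify(hexpat)))
    return sigs


def scan(data: bytes, sigs: list[tuple[str, bytes]]) -> list[str]:
    """Return the names of all signatures whose bytes occur anywhere in data."""
    return [name for name, pattern in sigs if pattern in data]


def truncations_detected(sig: bytes, full: bytes) -> list[int]:
    """Every length n at which full[:n] still matches sig.

    The list always ends at len(full): a signature that hits a truncated prefix
    hits the complete file as well, so no substring signature can match only
    the broken copies.
    """
    return [n for n in range(len(full) + 1) if sig in full[:n]]
```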