Daniel J McDonald [EMAIL PROTECTED] wrote:
> On Mon, 2004-11-15 at 18:00 +0100, Julian Mehnle wrote:
> > What I don't understand is that no one seems to be willing to discuss
> > my proposal of making the signature database modular, i.e. offer
> > social engineering attack signatures separately from technical attack
> > ones for download and installation.  That would solve my and others'
> > problem nicely, and would take _nothing_ away from those who don't
> > care what ClamAV detects.
>
> Ah, then we would have all manner of classifications - is it social?  Is
> it Adware?  Is it a trojan?  Does it promulgate via IRC?  or ...?

Is that a "we can't ever properly tell (colors) #112233 from #112234, so
we should not try telling #112233 from #332211 either" kind of argument?
;-)

> [...] instead of slamming out a sig to catch the latest mail worm that
> just killed your network.

Pardon me, but HTML.Phishing.Bank-12 will never kill my network.

> And, that would require a new format for the signatures - starting off
> by classifying all 28K legacy signatures

No.  Assuming we wanted to classify into "technical threat" and "social
engineering threat", it is enough to sort out the "social engineering
threat" sigs.

> creating a new format that allows people to select the classes they
> want, going through a 2-month beta period and probably a one-year
> "upgrade period" where they have to maintain two distinct formats...

Why should a new format be necessary?  Just split the database file into
"main-technical.cvd" and "main-social.cvd" or whatever (and do the same
for "daily.cvd").

> And the reason for this effort?  So you can report e-mail as spam?

You are turning things upside down.  I argued out of principle all the
time, the SpamCop thing is the least of my problems.  Please read my
messages again.

> Because you have sophisticated users who like poking fun at phishers?

Yeah, well.  If the government decides there are no citizens who are
interested in reading certain things, then that is it for you, right?

> clamav kills bad things - that's good, and I'd like it to be able to
> continue to kill bad things in the same expedient manner that it has in
> the past.

Ok, so why doesn't ClamAV also detect messages that are larger than 2MB?
Those are bad things, too.  Excuse me, but your reasoning is flawed.
People consider vastly different things to be bad, so "bad" isn't a good
criterion. ;-)

_______________________________________________
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
