On Wed, Jan 23, 2013 at 9:56 PM, Al Varnell <alvarn...@mac.com> wrote:
> On 1/23/13 5:52 PM, "Kaushik Vaidyanathan" wrote:
>
> > I had a couple of basic questions:
> > a) Of the different signature formats in the cvd file (like mdb, ldb, ndb),
> > which format does clamav use? Does it pick a format (ldb, mdb, ndb,
> > etc.) depending on the nature of the file under inspection?
>
> It uses all of them, but some are format dependent.
>
> > b) I guess ldb files are tough to create automatically. If that's true, then
> > is the ldb file as complete as the mdb file?
>
> My impression is that there is little, if any, automation involved in the
> creation of a signature. I believe they are all done manually and then
> checked through an automated process.
>
> > c) Which signature database (ldb or ndb or mdb, etc.) is the best tradeoff
> > between size of database vs. false positives?
>
> They serve different purposes, so I don't understand what sort of tradeoff
> you would be interested in, if there are even statistics available to
> determine the answer.
>
> Have you read through the documentation at
> <http://www.clamav.net/doc/webinars/Webinar-Alain-2009-03-04.pdf>
> and
> <http://www.clamav.net/doc/latest/signatures.pdf>?
>
> -Al-
>
> --
> Al Varnell
> Mountain View, CA
>
> _______________________________________________
> Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
> http://www.clamav.net/support/ml

ClamAV loads the entire CVD, with the possible exception of signatures which are only loaded if you turn on certain features (e.g. PUA scanning, phishing checks, etc.). The 3 file types you list are always loaded. What kind of signature is written to detect a malware is a choice the signature author makes. Knowing those things may change the way you think about your questions. So I agree with Al. The 2 references he is suggesting would probably be a helpful read.

Dave R.

--
---
Dave Raynor
Sourcefire Vulnerability Research Team
dray...@sourcefire.com
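To make the three line formats discussed in the thread concrete, here is an added example (not code from the thread or from ClamAV itself) that parses one constructed ndb, mdb and ldb line each and matches them against constructed byte strings. The signature names, the sample bytes and the `Example.*` identifiers are made up; only the column layouts follow ClamAV's documented formats (ndb: `Name:TargetType:Offset:HexSig`; mdb: `SectionSize:SectionMD5:Name`; ldb: `Name;TargetBlock;LogicalExpr;Subsig0;Subsig1;...`). Only the `??` single-byte wildcard is implemented, and `&` is assumed to bind tighter than `|` in the logical expression; real ClamAV signatures support many more wildcards and offset forms.

```python
"""Toy parsers and matchers for the ClamAV ndb / mdb / ldb line formats.
Constructed example for illustration; not ClamAV code."""
import hashlib
import re

# --- Constructed sample inputs (not real signatures) -----------------------
# A fake "file": MZ header, a wildcard byte, 0x00, then a marker sequence.
SAMPLE_FILE = b"MZ\x90\x00" + b"\xde\xad\xbe\xef" + b" trailing bytes"
# A fake PE section; the mdb line below is built from its size and MD5.
SAMPLE_SECTION = b"A" * 16

NDB_LINE = "Example.Dropper:0:*:4d5a??00deadbeef"          # any target, any offset
MDB_LINE = "%d:%s:Example.Section" % (
    len(SAMPLE_SECTION), hashlib.md5(SAMPLE_SECTION).hexdigest())
LDB_LINE = "Example.Logical;Target:0;0&1;4d5a;deadbeef"   # both subsigs required


def parse_ndb(line):
    """ndb: MalwareName:TargetType:Offset:HexSignature (extra fields ignored)."""
    name, target, offset, hexsig = line.split(":")[:4]
    return {"name": name, "target": int(target), "offset": offset, "hex": hexsig}


def parse_mdb(line):
    """mdb: PESectionSize:PESectionHash(MD5):MalwareName."""
    size, digest, name = line.split(":")[:3]
    return {"size": int(size), "md5": digest.lower(), "name": name}


def parse_ldb(line):
    """ldb: Name;TargetDescription;LogicalExpression;Subsig0;Subsig1;..."""
    parts = line.split(";")
    target = dict(kv.split(":", 1) for kv in parts[1].split(","))
    return {"name": parts[0], "target": target, "expr": parts[2], "subsigs": parts[3:]}


def hex_to_regex(hexsig):
    """Translate a hex signature into a bytes regex. Supports only '??' (one
    arbitrary byte); anything else must be plain hex."""
    if len(hexsig) % 2:
        raise ValueError("hex signature must have an even number of digits")
    pattern = b""
    for i in range(0, len(hexsig), 2):
        pair = hexsig[i:i + 2]
        pattern += b"." if pair == "??" else re.escape(bytes.fromhex(pair))
    return re.compile(pattern, re.DOTALL)


def match_ndb(sig, data):
    """'*' offset searches the whole buffer; a numeric offset is anchored."""
    rx = hex_to_regex(sig["hex"])
    if sig["offset"] == "*":
        return rx.search(data) is not None
    return rx.match(data, int(sig["offset"])) is not None


def match_mdb(sig, section):
    """A section matches when both its size and its MD5 agree with the line."""
    return len(section) == sig["size"] and \
        hashlib.md5(section).hexdigest() == sig["md5"]


def eval_logical(expr, hits):
    """Evaluate an ldb expression such as '(0|1)&2' over per-subsignature
    booleans. Assumed precedence: '&' above '|', parentheses override."""
    tokens = re.findall(r"\d+|[&|()]", expr)
    pos = [0]

    def take():
        tok = tokens[pos[0]]
        pos[0] += 1
        return tok

    def atom():
        tok = take()
        if tok == "(":
            val = or_expr()
            if take() != ")":
                raise ValueError("unbalanced parentheses in %r" % expr)
            return val
        return hits[int(tok)]

    def and_expr():
        val = atom()
        while pos[0] < len(tokens) and tokens[pos[0]] == "&":
            take()
            val = atom() and val    # atom() always runs so tokens advance
        return val

    def or_expr():
        val = and_expr()
        while pos[0] < len(tokens) and tokens[pos[0]] == "|":
            take()
            val = and_expr() or val
        return val

    return or_expr()


def match_ldb(sig, data):
    """Each subsignature is treated as an unanchored hex pattern; the logical
    expression then decides whether the whole signature fires."""
    hits = [hex_to_regex(s).search(data) is not None for s in sig["subsigs"]]
    return eval_logical(sig["expr"], hits)


if __name__ == "__main__":
    print("ndb:", match_ndb(parse_ndb(NDB_LINE), SAMPLE_FILE))
    print("mdb:", match_mdb(parse_mdb(MDB_LINE), SAMPLE_SECTION))
    print("ldb:", match_ldb(parse_ldb(LDB_LINE), SAMPLE_FILE))
```

The three matchers show why the formats are not interchangeable: the mdb line fires only on an exact section hash (small, precise, trivially evaded by a one-byte change), the ndb line tolerates wildcards at a cost in false-positive risk, and the ldb line combines several weak patterns under a logical condition, which is the piece that is hard to generate mechanically.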