On 06/11/14 16:25, Steven Morgan wrote:
> Hi Cedric,
>
> I have a few questions/points:
> - Are you writing your own zmd/rmd signatures?

Yes.

> - If so, have you tried using .cdb signatures? I've noticed
> in docs/signatures.pdf the zmd/rmd are annotated as "obsolete" and
> the cdb format seems to subsume, although this may not accomplish
> what you want it to do.

I may have been referring to an older signatures.pdf and hadn't actually noticed the "(now obsolete)" comment. .zmd/.rmd still works on 0.98.4 (Debian wheezy).

I have now converted all the sigs to .cdb, and found .cdb is tested first, then .zmd/.rmd, then the .hdb, .ndb and .cld. So unfortunately this does not help with the problem.

> - Not the most elegant, but you could use sigtool and split up the
> signature database into a pattern/hash set and a container set and
> filter through two ClamAV instances (or just eliminate the container
> sigs and use a single ClamAV, if that works for your case)

I think two instances with different configs would be very messy for what I want. It's not a big enough problem to justify this (there's very little chance of a generic filename-based detection being scored low enough in Amavis to pass). I want to know if a detection already matches a specific sig in daily.cld or is novel malware that I want to report.

I do want the container sigs. I could convert them to a SpamAssassin plugin rather than using ClamAV at all, but I would imagine the feature of testing files from most specific to most generic would be a useful enhancement for many users.

> - Feel free to submit feature requests to bugzilla.clamav.net

I think this is an RFE, so will do so.

Thanks.

CK

>
> Steve
>
> On Thu, Nov 6, 2014 at 5:27 AM, Cedric Knight <ced...@gn.apc.org> wrote:
> > Hi
> >
> > Like a lot of users I suspect, I use ClamAV to search within
> > archives for generic filename patterns (or other characteristics)
> > specified in a .zmd file. Like some, I use clamdscan through
> > amavis and rescore some types of hits that conceivably might be a
> > false positive as a number of spam points.
> >
> > Unfortunately the .zmd/.rmd file appears to take precedence over particular
> > signatures, so the archive rules hit *instead of* detection of, for
> > example, a specific Zeus variant.
> >
> > I'm all for minimising CPU usage where possible, but actually in
> > combination with SpamAssassin this situation of having generic
> > detection first rather than an immediate quarantine can require
> > more CPU. Security is of course more of a priority, and also the
> > current behaviour makes it harder to find samples that aren't
> > detected by the current signatures.
> >
> > Is it possible to configure ClamAV to only do the archive
> > .zmd/.rmd tests after other more specific tests pass OK? I was
> > wondering whether to file this as an RFE.
> >
> > Thanks
> >
> > CK

_______________________________________________
Help us build a comprehensive ClamAV guide: https://github.com/vrtadmin/clamav-faq
http://www.clamav.net/contact.html#ml
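Added example, not from this thread or from the ClamAV project: a small container-metadata database in the .cdb format the reply describes converting to, written against the field layout given in ClamAV's signatures.pdf, `VirusName:ContainerType:ContainerSize:FileNameREGEX:FileSizeInContainer:FileSizeReal:IsEncrypted:FilePos:Res1:Res2` (`*` in a field means "any", `IsEncrypted` is 0/1/`*`, and `Res1` is treated as a CRC32 only for ZIP and RAR containers). The signature names and the file-name patterns are constructed for illustration.

```text
Local.Container.ZipExe:CL_TYPE_ZIP:*:.*\.[eE][xX][eE]$:*:*:*:*:*:*
Local.Container.RarEncryptedExe:CL_TYPE_RAR:*:.*\.[eE][xX][eE]$:*:*:1:*:*:*
Local.Container.AnyScr:*:*:.*\.[sS][cC][rR]$:*:*:*:*:*:*
```

The first line flags any .exe inside a ZIP, the second an .exe inside an encrypted RAR (the `1` in the `IsEncrypted` field), and the third a .scr in any supported container type. A distinctive name prefix such as `Local.Container.` is what lets the Amavis rescoring mentioned in the thread (its `@virus_name_to_spam_score_maps`) treat these generic hits differently from named detections. The ordering caveat stated in the reply still applies: with the databases loaded as in 0.98.4, a match on one of these lines is reported before the hash and body signatures in daily.cld get a chance to name the specific sample.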