On Mon, May 23, 2016 at 06:39:41PM +0000, Dave McMurtrie wrote:
> On Mon, 2016-05-23 at 19:52 +0200, C.D. Cochrane wrote:
> >> My 2 cents would be that rapid traditional signature updates are not a viable solution to this long term problem.
> >> I'm pretty sure the current generation of Locky, Dridex, Nemucod, etc. ransomware is generated using millions
> >> of tiny mutations so that almost every email attachment has a unique signature. There is no way to keep up with
> >> that. ClamAV got more than a million virus samples per day, last time I inquired.
> >> ...Chris
> >
> > As for the claim above about Dridex etc. being too numerous to handle,
> > Sane Security seems to be doing just a fine job of it. (So it's just a
> > lame response).
>
> I'm not sure what heuristic Sane Security uses. My original point was that a traditional signature (sigtool?) on the current generation of malware seems to be a non-scalable idea. One million new sigs per day is not realistic. ClamAV must evolve if it is going to remain useful. There has to be a better scheme to ID new malware than sigtool. Otherwise, groach is right. ClamAV is just a redundant way to scan for virus files from 2008 or see if your latest files can generate FPs.
>
> Are there any open-source alternatives that are better than ClamAV?
>
> We actually attempted to use the Sophos PureMessage AV component (since we're paying for it as part of our PureMessage license anyway). The memory footprint was such that it demolished our MTA servers, so we had to bag that idea. ClamAV is fast, free, easy to integrate with just about any MTA and it's actively developed. We've been running it for years, along with the SaneSecurity signatures, and it's been working well for us. If there's a better alternative, I'd be interested in learning about it.
I'd be interested in shipping as much detection as we possibly can for ClamAV. This is a community, but I'd love to have an increase in the amount of signatures sent back to us.

--
Joel Esler
Manager, Threat Intelligence Team & Open Source
Talos Group
http://www.talosintel.com
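An added illustration of the scaling argument made in the thread (per-sample signatures versus a signature keyed on what the family cannot change). This is example code written for this page, not code from the ClamAV project or from any of the posters. It builds a constructed toy "family" whose builder rewrites a junk region for every sample, then measures how much of the campaign a per-file MD5 signature set (the idea behind a ClamAV .hdb entry) catches compared with a body-based byte pattern on the invariant core (the idea behind an .ndb hex signature). The payload bytes, the layout and the sample counts are assumptions made up for the example.

```python
"""Toy comparison of per-file hash signatures and body-based byte-pattern
signatures against a polymorphic 'campaign'. Added example; the sample
bytes, layout and numbers are constructed for illustration only."""
import hashlib
import random

# Constructed stand-in for the part of a payload that must stay constant
# for it to keep working (the family's "core"). Not taken from any real sample.
CORE = (b"\x55\x8b\xec\x83\xec\x40\x68"
        b"cmd.exe /c start %TEMP%\\dl.exe\x00")
JUNK_LEN = 64  # bytes the builder rewrites for every sample


def build_variant(rng: random.Random) -> bytes:
    """Emit one sample: the fixed core plus fresh random junk, with the junk
    placed before or after the core so the core's offset varies as well."""
    junk = bytes(rng.getrandbits(8) for _ in range(JUNK_LEN))
    return junk + CORE if rng.random() < 0.5 else CORE + junk


def generate_campaign(n: int, seed: int = 1) -> list:
    rng = random.Random(seed)  # fixed seed so the run is reproducible
    return [build_variant(rng) for _ in range(n)]


# --- per-file hash signatures (same idea as a ClamAV .hdb MD5 entry) ---
def hash_signatures(samples) -> set:
    return {hashlib.md5(s).hexdigest() for s in samples}


def hash_detect(sample: bytes, sigs: set) -> bool:
    return hashlib.md5(sample).hexdigest() in sigs


# --- body-based signature (same idea as an .ndb hex pattern at any offset) ---
PATTERN_SIG = CORE[:12]  # first 12 bytes of the invariant core


def pattern_detect(sample: bytes, pattern: bytes = PATTERN_SIG) -> bool:
    return pattern in sample


def coverage(samples, detector) -> float:
    return sum(1 for s in samples if detector(s)) / len(samples)


def compare(n_seen: int = 10, n_total: int = 1000) -> dict:
    """Build a campaign of n_total samples, write hash signatures for the
    first n_seen (the ones an analyst has already received), then measure
    how much of the whole campaign each approach catches."""
    campaign = generate_campaign(n_total)
    seen = hash_signatures(campaign[:n_seen])
    return {
        "hash": coverage(campaign, lambda s: hash_detect(s, seen)),
        "pattern": coverage(campaign, pattern_detect),
    }


def one_byte_flip(sample: bytes) -> tuple:
    """Flip a single junk byte of a sample and report whether the original
    MD5 signature still matches and whether the byte pattern still matches."""
    idx = len(sample) - 1 if sample.startswith(CORE) else 0  # stay inside junk
    mutated = sample[:idx] + bytes([sample[idx] ^ 0x01]) + sample[idx + 1:]
    return (hash_detect(mutated, {hashlib.md5(sample).hexdigest()}),
            pattern_detect(mutated))


if __name__ == "__main__":
    print(compare())                                # {'hash': 0.01, 'pattern': 1.0}
    print(one_byte_flip(generate_campaign(1)[0]))   # (False, True)
```

The hash set covers exactly the ten samples it was built from, however quickly it is refreshed, while the body pattern covers the whole campaign for as long as the builder leaves the core alone; a single flipped junk byte is enough to evade the hash but not the pattern. That is the whole reason content-based and heuristic signatures scale against mutation-per-attachment families where a per-sample hash feed cannot, and also why such signatures need care: the pattern must sit on bytes the attacker cannot change without breaking the payload, or it will be trivially sidestepped the same way.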
_______________________________________________
Help us build a comprehensive ClamAV guide: https://github.com/vrtadmin/clamav-faq
http://www.clamav.net/contact.html#ml