Crazy Thinker,

> As per my understanding, Signature Based Scanner will never involve in
> false positive/false negative results. But Heuristic scanner sometimes
> gives false positive/false negative results.

Signature Based scanning can and will have false positive and false negative results. In fact, the high rate of False Negatives from Signature Based is the entire reason Heuristic scanning (and run-time scanning) is performed.

A brand new, unknown threat, from a careful author, will be free of existing signatures. Similarly, a signature on a library only seen before in malicious software will cause a False Positive when legitimate software begins using it.

Large, exact signatures prevent False Positives, but can be trivially defeated. Flexible signatures with wildcards can identify larger blocks of malicious content, but at the price of potential False Positives.

The response from Maarten Broekman does a great job discussing the issues we are facing.

Thank you for choosing ClamAV. Helping protect you and your users is what keeps me happily getting to work each day.

On Thu, May 11, 2017 at 9:54 AM, Arnaud Jacques / SecuriteInfo.com <webmas...@securiteinfo.com> wrote:

> Hello,
>
> > is that a *technical* reason or do you *think* it's recommended for
> > whatever reason
>
> It is technical: we avoid duplicate signatures in our databases. It means
> every day we remove samples already detected by Clamav.
>
> > - as example sanesecurity works just fine without the
> > official stuff and the difference are hundreds of MB useless wasted RAM
> > while i have not seen any relevant hit on our inbound MX caught by the
> > official signatures which would have slipped through sanesecurity
>
> In your example you are right. On mail filtering, sanesecurity and
> spam_marketing.ndb from SecuriteInfo.com are good enough to protect
> mailboxes,
> because Win32 malwares are not spread by mail nowadays.
>
> In any other case (system protection, HTTP scanning, file hosting, etc...)
> you
> have to get Clamav official + 3rd party signatures for a maximum detection.
>
> --
> Best regards,
>
> Arnaud Jacques
> SecuriteInfo.com

--
Matthew Molyett
Malware Researcher
Cisco.com - http://www.cisco.com
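
The trade-off between exact and wildcard signatures described in the reply above, as an added example that is not part of the original thread and is not ClamAV's matcher: a simplified hex-signature matcher supporting only `??` (any one byte) and `*` (any run of bytes), run over three constructed byte strings. The signature names, the sample contents and the `compile_sig` and `scan` helpers are assumptions made for illustration.

```python
import re

def compile_sig(hex_sig):
    """Compile a simplified hex signature into a bytes regex.
    Hex pairs match literally, '??' is any one byte, '*' is any run of bytes."""
    sig, parts, i = hex_sig.replace(" ", ""), [], 0
    while i < len(sig):
        if sig[i] == "*":
            parts.append(b".*?")
            i += 1
        elif sig[i:i + 2] == "??":
            parts.append(b".")
            i += 2
        else:
            parts.append(re.escape(bytes.fromhex(sig[i:i + 2])))
            i += 2
    return re.compile(b"".join(parts), re.DOTALL)

# Constructed signatures (hypothetical names), ordered from strict to flexible.
SIGS = {
    "Exact": b"stub:unpack(key=0x41);exec_stage2".hex(),
    "Narrow": b"unpack(key=0x".hex() + "????" + b");exec_stage2".hex(),
    "Broad": b"unpack(".hex() + "*" + b"exec".hex(),
}

# Constructed sample bodies, not real files.
KNOWN = b"\x00\x01stub:unpack(key=0x41);exec_stage2\x00"    # sample the signatures were written from
VARIANT = b"\x00\x01stub:unpack(key=0x7f);exec_stage2\x00"  # same code, two bytes changed
BENIGN = b"setup:unpack(archive.zip);verify();exec(postinstall)"  # legitimate user of the same call

def scan(data):
    """Return the names of all signatures that match anywhere in data."""
    return [name for name, sig in SIGS.items() if compile_sig(sig).search(data)]

if __name__ == "__main__":
    for label, data in (("known", KNOWN), ("variant", VARIANT), ("benign", BENIGN)):
        print(f"{label:8} -> {scan(data) or 'clean'}")
```

The exact signature misses the variant (a false negative), while the broad wildcard signature also fires on the benign sample (a false positive); the narrow wildcard sits between the two.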