I would consider a malware author who does not pass his/her new product through
several file scanners to be incompetent. There is little point in distributing
such files if they are commonly detectable. Scanners are one of the best quality
inspection tools a malware author has at their disposal. Conveniently, it can be
done cheaply at VirusTotal and other sites that do live scans using multiple
engines.
dp
On 5/11/17 8:21 AM, Matthew Molyett wrote:
Crazy Thinker,
As per my understanding, a signature-based scanner will never produce
false positive/false negative results. But a heuristic scanner sometimes
gives false positive/false negative results.
Signature-based scanning can and will have false positive and false
negative results. In fact, the high rate of false negatives from signature-based
scanning is the entire reason heuristic scanning (and run-time scanning) is
performed. A brand new, unknown threat from a careful author will be free
of existing signatures. Similarly, a signature on a library only seen
before in malicious software will cause a false positive when legitimate
software begins using it.
Large, exact signatures prevent false positives, but can be trivially
defeated. Flexible signatures with wildcards can identify larger blocks of
malicious content, but at the price of potential false positives.
The response from Maarten Broekman does a great job discussing the issues
we are facing.
Thank you for choosing ClamAV. Helping protect you and your users is
what keeps me happily getting to work each day.
On Thu, May 11, 2017 at 9:54 AM, Arnaud Jacques / SecuriteInfo.com <
webmas...@securiteinfo.com> wrote:
Hello,
is that a *technical* reason or do you *think* it's recommended for
whatever reason
It is technical: we avoid duplicate signatures in our databases. It means
every day we remove samples already detected by ClamAV.
- as an example, sanesecurity works just fine without the
official stuff, and the difference is hundreds of MB of uselessly wasted RAM,
while I have not seen any relevant hit on our inbound MX caught by the
official signatures which would have slipped through sanesecurity
In your example you are right. On mail filtering, sanesecurity and
spam_marketing.ndb from SecuriteInfo.com are good enough to protect mailboxes,
because Win32 malware is not spread by mail nowadays.
In any other case (system protection, HTTP scanning, file hosting, etc.) you
have to get ClamAV official + 3rd party signatures for maximum detection.
--
Best regards,
Arnaud Jacques
SecuriteInfo.com
Facebook : https://www.facebook.com/pages/SecuriteInfocom/132872523492286
Twitter : @SecuriteInfoCom
_______________________________________________
clamav-users mailing list
clamav-users@lists.clamav.net
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq
http://www.clamav.net/contact.html#ml
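The trade-off Matthew Molyett describes above (a large exact signature is defeated by a trivial change, a wildcarded one survives the change but can also hit clean files) can be seen in a few lines of code. The following is an added example, not code from ClamAV and not posted by anyone in the thread: a simplified Python matcher for ClamAV-style `.ndb` hex signatures (`Name:TargetType:Offset:HexSig`, with `??` and `{n-m}` wildcards), run over three constructed byte strings. The signature names, sample bytes and the matcher itself are assumptions made for illustration; ClamAV's real signature language and engine are considerably richer.

```python
import re
from typing import List, Tuple

# Added example (NOT ClamAV's engine): a simplified matcher for .ndb lines of
# the form  Name:TargetType:Offset:HexSignature .
# Supported hex syntax: plain bytes ("4d5a"), "??" (any one byte) and the gaps
# "{n}", "{n-m}", "{n-}", "{-m}". Real ClamAV also supports nibble wildcards,
# "*", alternations and more; those are deliberately out of scope here.

_TOKEN = re.compile(r"\{(\d*)(-?)(\d*)\}|\?\?|[0-9a-fA-F]{2}")


def hex_sig_to_regex(hexsig: str) -> "re.Pattern[bytes]":
    """Translate one hex signature body into a compiled bytes regex."""
    parts: List[bytes] = []
    pos = 0
    for m in _TOKEN.finditer(hexsig):
        if m.start() != pos:
            raise ValueError(f"unsupported signature syntax near offset {pos}: {hexsig!r}")
        pos = m.end()
        tok = m.group(0)
        if tok == "??":
            parts.append(b".")                       # exactly one arbitrary byte
        elif tok.startswith("{"):
            lo, dash, hi = m.groups()
            if not dash:                              # {n}: exactly n arbitrary bytes
                parts.append(b".{%d}" % int(lo))
            else:                                     # {n-m}, {n-}, {-m}
                lo_b = str(int(lo) if lo else 0).encode()
                hi_b = hi.encode() if hi else b""
                parts.append(b".{" + lo_b + b"," + hi_b + b"}")
        else:
            parts.append(re.escape(bytes([int(tok, 16)])))  # one literal byte
    if pos != len(hexsig):
        raise ValueError(f"trailing garbage in signature: {hexsig[pos:]!r}")
    return re.compile(b"".join(parts), re.DOTALL)


def parse_ndb_line(line: str) -> Tuple[str, str, "re.Pattern[bytes]"]:
    """Split an .ndb line into (name, offset, compiled pattern); target type is ignored."""
    fields = line.strip().split(":")
    if len(fields) < 4:
        raise ValueError(f"malformed .ndb line: {line!r}")
    name, _target_type, offset, hexsig = fields[:4]
    return name, offset, hex_sig_to_regex(hexsig)


def scan(data: bytes, db: List[str]) -> List[str]:
    """Return the names of every signature in `db` that matches `data`, in db order."""
    hits = []
    for line in db:
        name, offset, pat = parse_ndb_line(line)
        if offset == "*":
            found = pat.search(data) is not None              # anywhere in the file
        else:
            found = pat.match(data, int(offset)) is not None  # anchored at that offset
        if found:
            hits.append(name)
    return hits


# Constructed samples (not real malware): an 'MZ' stub, CALL rel32, MOV EAX,1, RET.
DROPPER_V1 = bytes.fromhex("4d5a9000" "e811223344" "b801000000" "c3")
DROPPER_V2 = bytes.fromhex("4d5a9000" "e899887766" "b801000000" "c3")  # relinked: call target moved
BENIGN_TOOL = bytes.fromhex("4d5a9000" "e8aabbccdd" "b801000000" "c3")  # clean tool, same compiler idiom

SIGNATURE_DB = [
    # Large, exact signature: no false positive, but a single relink defeats it.
    "Example.Dropper.Exact:0:*:4d5a9000e811223344b801000000c3",
    # Call displacement wildcarded: survives the relink, but also hits the clean tool.
    "Example.Dropper.Wild:0:*:e8????????b801000000c3",
    # Same trade-off expressed with byte gaps, anchored at offset 0.
    "Example.Dropper.Gap:0:0:4d5a{2-4}e8{4}b8",
]

if __name__ == "__main__":
    for label, sample in (("dropper v1", DROPPER_V1),
                          ("dropper v2 (relinked)", DROPPER_V2),
                          ("benign tool", BENIGN_TOOL)):
        print(f"{label:22s} -> {scan(sample, SIGNATURE_DB)}")
```

Running it shows the three outcomes in the thread: the exact signature hits only the original build (a false negative on the relinked one), while the wildcarded and gapped signatures hit both builds and the benign tool as well (a false positive). The only way to be sure which way a particular signature falls is to test it against clean corpora as well as malicious ones, which is exactly the "quality inspection" step the top of the thread talks about.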