"I'm convinced that [malware analysis] interval exceeds the delay due to
sync problems by such a margin that the first interval needs as much
focus as can be committed while the distribution issues are handled at
a lower priority."

I mainly agree (and I much appreciate the efforts of the ClamAV team).

What we found, unfortunately, was that after the switch to Cloudflare,
the mirror sync problems observed by "stock" freshclam resulted in all
the mirrors being blacklisted, causing future ClamAV virus updates to
cease. This meant distribution issues became extremely important.

The problem of malware, sadly, is far more complicated than file
synchronization, partly because malware is open-ended and even
ill-defined. And then there's the nasty fact that the "halting problem"
makes program analysis theoretically impossible.

P.S. Who would scan outbound mail? The originating machine? It might be
totally compromised. The SMTP gateway of the originator's ISP? Don't
many already do that?
On Sun, 21 Oct 2018 17:15:51 -0700
Dennis Peterson <denni...@inetnw.com> wrote:

> You should abandon the notion of first time perfect with these kinds
> of things. There is a false sense of urgency that is imposing a
> workload on a team that is providing a free product and service. The
> tools for correcting a moment zero malware exist in the tool for the
> operator to use. The real problem is the discovery and validation and
> that is why moment zero solutions will never be possible.
> 
> There is a finite time required to receive a malware instance,
> discover it is a malware, discover what it applies to, and to create
> a signature that reasonably avoids false positives. I'm convinced
> that interval exceeds the delay due to sync problems by such a margin
> that the first interval needs as much focus as can be committed while
> the distribution issues are handled at a lower priority.
> 
> There are other probabilities - as an example, the probability that a
> new malware is sufficiently in the wild to pose a threat to an
> important number of recipients, which can be very low. Those can
> be queued for release cutting down on the number of low-value
> updates. And somebody has to decide what is an important number.
> 
> Evidence of self-replication is recognizable by the rate of increase
> of infestations and is data that can be used in setting priorities.
> How to collect that? How to collect any metrics? So far it is largely
> buzz generated by responders and which is largely anecdotal.
> 
> To be honest, many problems would be solved if all outbound mail were
> scanned in real time.
> 
> dp
> 
> On 10/20/18 8:10 AM, Paul Kosinski wrote:
> > Yes, file synchronization is difficult. But we *started out* using
> > the provided (i.e., standard) freshclam tool to update our
> > daily.cvd (etc.). I only built our current non-standard tool
> > (reading the file header) when the Cloudflare mirrors started
> > serving out-of-date file versions which caused freshclam to fail
> > and blacklist the mirror (which eventually resulted in all mirrors
> > being blacklisted).
> >
> > This says to me that the old, "standard", DNS TXT approach built in
> > to freshclam doesn't play well with Cloudflare (or similar
> > mirrors?).
_______________________________________________
clamav-users mailing list
clamav-users@lists.clamav.net
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
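The failure mode the thread describes (a mirror serving an older daily.cvd than the DNS TXT record says is current, so that stock freshclam treats the mirror as failed) can be checked directly by reading the CVD header, which is what Paul's non-standard tool does. The following is an added illustration, not code from the thread, from freshclam, or from the ClamAV project. It assumes the 512-byte space-padded header layout "ClamAV-VDB:<build date>:<version>:<sigs>:<flevel>:<md5>:<dsig>:<builder>:<stime>" and the TXT record layout "<clamav ver>:<main ver>:<daily ver>:<epoch>:...:<bytecode ver>" (the field positions freshclam reads); the sample header and TXT record are constructed, not captured from a real mirror, and fetch_cvd_header is included only to show the ranged HTTP request one would use against a live mirror.

```python
"""Check whether a mirror's daily.cvd lags the version advertised in
ClamAV's DNS TXT record.  Added illustration, not freshclam's own code.

Assumed formats (field positions as freshclam reads them; not stated in
the mailing-list thread):
  * a .cvd/.cld starts with a 512-byte, space-padded header:
    "ClamAV-VDB:<build date>:<version>:<sigs>:<flevel>:<md5>:<dsig>:<builder>:<stime>"
  * the TXT record of current.cvd.clamav.net looks like
    "<clamav ver>:<main ver>:<daily ver>:<epoch>:<x>:<x>:<safebrowsing ver>:<bytecode ver>"
The sample header and TXT record below are constructed test data.
"""
from dataclasses import dataclass
import urllib.request

CVD_HEADER_LEN = 512


@dataclass
class CvdHeader:
    build_date: str
    version: int
    sigs: int
    flevel: int
    md5: str
    builder: str
    stime: int


def parse_cvd_header(raw: bytes) -> CvdHeader:
    """Parse the fixed-size header at the start of a .cvd/.cld file."""
    if len(raw) < CVD_HEADER_LEN:
        raise ValueError("need the first %d bytes of the file" % CVD_HEADER_LEN)
    text = raw[:CVD_HEADER_LEN].rstrip(b" \x00").decode("ascii")
    fields = text.split(":")          # build date uses "08-10", so no stray colons
    if fields[0] != "ClamAV-VDB" or len(fields) < 9:
        raise ValueError("not a ClamAV-VDB header")
    return CvdHeader(
        build_date=fields[1],
        version=int(fields[2]),
        sigs=int(fields[3]),
        flevel=int(fields[4]),
        md5=fields[5],
        builder=fields[7],
        stime=int(fields[8]),
    )


def parse_dns_txt(txt: str) -> dict:
    """Split the current.cvd.clamav.net TXT record into the fields used here."""
    f = txt.strip('"').split(":")
    if len(f) < 8:
        raise ValueError("unexpected TXT record layout")
    return {"clamav": f[0], "main": int(f[1]), "daily": int(f[2]),
            "updated": int(f[3]), "bytecode": int(f[7])}


def fetch_cvd_header(url: str) -> bytes:
    """Ask a mirror for only the header via an HTTP Range request.
    Needs network access; not exercised by the sample run below."""
    req = urllib.request.Request(
        url, headers={"Range": "bytes=0-%d" % (CVD_HEADER_LEN - 1)})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.read(CVD_HEADER_LEN)


def mirror_is_stale(header: CvdHeader, advertised_version: int) -> bool:
    """True when the mirror's file is older than what DNS says is current:
    the situation that made stock freshclam give up on the mirror."""
    return header.version < advertised_version


def make_sample_header(version: int) -> bytes:
    """Build a constructed (not real) header padded to 512 bytes."""
    line = ("ClamAV-VDB:20 Oct 2018 08-10 -0400:%d:1884203:63:"
            "0123456789abcdef0123456789abcdef:dsigplaceholder:builder:1540037400"
            % version)
    return line.encode("ascii").ljust(CVD_HEADER_LEN, b" ")


# constructed TXT record: says daily.cvd version 25069 is current
SAMPLE_TXT = "0.100.2:58:25069:1540197000:1:63:48825:330"


def check_sample(mirror_version: int) -> bool:
    """Compare a constructed mirror header against the constructed TXT record."""
    advertised = parse_dns_txt(SAMPLE_TXT)["daily"]
    header = parse_cvd_header(make_sample_header(mirror_version))
    return mirror_is_stale(header, advertised)


if __name__ == "__main__":
    current = parse_dns_txt(SAMPLE_TXT)["daily"]
    for v in (25068, 25069):
        state = "STALE" if check_sample(v) else "current"
        print("mirror daily.cvd %d, DNS says %d: %s" % (v, current, state))
```

Against a live mirror one would replace make_sample_header with fetch_cvd_header("http://<mirror>/daily.cvd") and resolve the TXT record with the resolver of choice; the comparison itself is the same. Treating a lagging mirror as "try again later" rather than as a permanent failure is the distinction that matters when a CDN's edges do not all pick up a new file at the same moment.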