On 7 October 2019 15:25:41 "J.R. via clamav-users"
<[email protected]> wrote:
> I don't know how the viruses are tracked, but maybe to reduce size (if
> applicable) some of the more ancient viruses that only affect EOL
> operating systems (or programs that should have long since been
> patched) could be spun-off into a separate definition file (that could
> be optionally disabled)? Seems like it would be quite a waste of
> resources for most if there were like a million definitions that only
> affected Windows XP or Office 2003 or something like that...

If you also take a peek at hashes:
Number of hashes:
36,49,543 main.hdb
23,657,708 daily.hdb
248,06,499 main.hsb
905,00,729 daily.hsb
file Size:
36,49,543 main.hdb
23,657,708 daily.hdb
24,806,499 main.hsb
905,00,729 daily.hsb
Example:
grep "130ae8f338cc705a26fa5fa635d8673a" daily.hsb
130ae8f338cc705a26fa5fa635d8673a:92160:Doc.Dropper.Agent-1453138:73
https://www.virustotal.com/gui/file/06f0af676b49d13c51b36e4d61f2d8751bd5ef5d5241a68e99691d68617c7415/detection
First Seen In The Wild ---> 2016-06-03 20:34:00
Last Submission ---> 2016-06-03 20:37:03
Document Name: Rotech AG_Faktur dot doc
So, is the above hash still relevant or should it be moved into archived.hsb,
which by default doesn't load?
Perhaps, daily.* are hashes up to a year old, main.* for hashes two years
old and everything else into archive.*
Or just drop document hashes over a year old??
It's a difficult one to suit all uses of ClamAV I guess.
Cheers,
Steve
Twitter: @sanesecurity
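
Added example, not part of the message above and not ClamAV project code: a small parser for the `hash:size:name:flevel` records shown in the grep output, tallying records per signature-name prefix (`Doc`, `Win`, ...) so the share of document hashes in a `.hdb`/`.hsb` file can be measured before deciding on a split. The field layout is read off that grep line; treating `*` as "size unknown", the function names and all sample lines except the first are assumptions constructed for illustration.

```python
from collections import Counter

# Digest length in hex characters -> algorithm
HASH_LEN = {32: "md5", 40: "sha1", 64: "sha256"}
HEX = set("0123456789abcdef")


def parse_hash_sig(line):
    """Parse one 'hash:size:name[:flevel]' record; return None if malformed."""
    parts = line.strip().split(":")
    if len(parts) not in (3, 4):
        return None
    digest, size, name = parts[0].lower(), parts[1], parts[2]
    if len(digest) not in HASH_LEN or not set(digest) <= HEX:
        return None
    if size != "*" and not size.isdigit():  # assumption: '*' = size unknown
        return None
    flevel = parts[3] if len(parts) == 4 else ""
    return {
        "algo": HASH_LEN[len(digest)],
        "hash": digest,
        "size": None if size == "*" else int(size),
        "name": name,
        "category": name.split(".", 1)[0],  # e.g. 'Doc', 'Win'
        "flevel": int(flevel) if flevel.isdigit() else None,
    }


def tally(lines):
    """Count records and on-disk bytes per name prefix, skipping bad lines."""
    counts, raw_bytes = Counter(), Counter()
    for line in lines:
        sig = parse_hash_sig(line)
        if sig is None:
            continue
        counts[sig["category"]] += 1
        raw_bytes[sig["category"]] += len(line.rstrip("\n")) + 1  # + newline
    return counts, raw_bytes


# First line is the record quoted in the message; the rest are constructed.
SAMPLE = [
    "130ae8f338cc705a26fa5fa635d8673a:92160:Doc.Dropper.Agent-1453138:73",
    "a" * 40 + ":*:Win.Trojan.Example-1:73",
    "b" * 64 + ":2048:Doc.Downloader.Example-2",
    "not-a-signature-line",
]

if __name__ == "__main__":
    counts, raw_bytes = tally(SAMPLE)
    for category, n in counts.most_common():
        print(f"{category}: {n} records, {raw_bytes[category]} bytes")
```

Pointing `tally()` at an open database file (for example one unpacked with `sigtool --unpack`) gives the same breakdown for a real file.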