[sanesecurity] AW: Re: FP feedback from large sites

  • From: "Steffen Heil (Mailinglisten)" <lists@xxxxxxxxxxxxxxx>
  • To: "sanesecurity@xxxxxxxxxxxxx" <sanesecurity@xxxxxxxxxxxxx>
  • Date: Sat, 10 Sep 2011 11:25:27 +0000

Hi

> > Take INetMsg-SpamDomains-2m.ndb and jurlbla.ndb.... IF they both
> > contain the same host name... then the INetMsg-SpamDomains-2m.ndb
> > signature name WILL ALWAYS be given out ...because the database is
> > loaded by the clamav engine first.. that's why you see the
> > INetMsg-SpamDomains name more than the other databases, even if they
> > had found a detection too.
> 
> According to Tomasz Kojm (ClamAV Dev Team), this is not correct.
> Signatures are randomly selected and none are given any priority over another,
> not even the official signatures.  See, for example:

Clamav may not apply any priority, yet it needs to test signatures one after
another. And it will report the first one found. So even without priorities,
signatures tested earlier will be reported more often. Order of testing will
probably not change while the daemon is running. It might even be always the
same, IF processing order equals load order and load order depends on
directory enumeration, which will usually stay the same on the same file
system...

But I just realize that this (only reporting ONE match) opens a security
hole:

IF a virus matches a REAL virus signature as well as a "spam only"
signature, and the host is set up to reject viruses but only score spam, virus
mails might get passed through if the spam signature matched first.

Therefore I think it would be very helpful to report ALL matches or at least
prefer real virus signatures.

Is it currently possible to run two clamav instances in parallel?

Regards,
  Steffen
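The policy gap described in the message above, modelled as an added Python example (this is not ClamAV code and not from the list; the database names loosely echo the thread, while the signature names, byte patterns, sample mails and the host policy are all constructed for the illustration). It contrasts a scanner that reports only the first matching signature with one that reports every match, and with one that still reports a single name but prefers a non-spam signature, so a reader can see under which database load order a mail carrying both a spam-only hit and a virus hit slips through as "merely spam".

```python
import re

# Constructed signature databases for the example: database name -> list of
# (signature name, byte pattern). The patterns and signature names are invented
# and match nothing real; they exist only to drive the policy comparison.
DATABASES = {
    "INetMsg-SpamDomains-2m.ndb": [
        ("INetMsg.SpamDomain.cheap-pills", re.compile(rb"cheap-pills\.example")),
    ],
    "daily.cvd": [
        ("Win.Trojan.ExampleDropper",
         re.compile(rb"MZ.{0,32}ExampleDropper", re.DOTALL)),
    ],
}

# Policy of the hypothetical mail host (an assumption of this example): a match
# from one of these databases only adds to the spam score; a match from any
# other database rejects the mail outright.
SPAM_ONLY_DATABASES = {"INetMsg-SpamDomains-2m.ndb"}

# Constructed sample mails (not real samples).
VIRUS_PLUS_SPAM = (b"Subject: your order\r\n\r\nvisit http://cheap-pills.example/\r\n"
                   b"MZ\x90\x00ExampleDropper")
SPAM_ONLY = b"Subject: hi\r\n\r\nvisit http://cheap-pills.example/\r\n"
CLEAN = b"Subject: minutes\r\n\r\nSee attached agenda.\r\n"


def all_matches(message, db_order):
    """Return every (database, signature) that matches, in database load order."""
    hits = []
    for db in db_order:
        for sig_name, pattern in DATABASES[db]:
            if pattern.search(message):
                hits.append((db, sig_name))
    return hits


def first_match(message, db_order):
    """Model of a scanner that stops at the first hit: which signature gets
    reported depends only on which database is tested first."""
    hits = all_matches(message, db_order)
    return hits[0] if hits else None


def decide(hits):
    """Apply the host policy to a list of hits: 'reject', 'score' or 'accept'."""
    if not hits:
        return "accept"
    if any(db not in SPAM_ONLY_DATABASES for db, _ in hits):
        return "reject"
    return "score"


def decide_first_match(message, db_order):
    """Verdict when the scanner reports only one match (the hole in the thread)."""
    hit = first_match(message, db_order)
    return decide([hit] if hit else [])


def decide_all_matches(message, db_order):
    """Verdict when every match is reported: the virus hit is never masked."""
    return decide(all_matches(message, db_order))


def decide_prefer_virus(message, db_order):
    """Verdict when the scanner still reports one name but picks a non-spam
    signature over a spam-only one (the second remedy suggested in the thread)."""
    hits = all_matches(message, db_order)
    hits.sort(key=lambda h: h[0] in SPAM_ONLY_DATABASES)  # non-spam sorts first
    return decide(hits[:1])


if __name__ == "__main__":
    spam_first = ["INetMsg-SpamDomains-2m.ndb", "daily.cvd"]
    virus_first = ["daily.cvd", "INetMsg-SpamDomains-2m.ndb"]
    for order in (spam_first, virus_first):
        print(order[0], "loaded first:",
              "first-match ->", decide_first_match(VIRUS_PLUS_SPAM, order),
              "| all-match ->", decide_all_matches(VIRUS_PLUS_SPAM, order),
              "| prefer-virus ->", decide_prefer_virus(VIRUS_PLUS_SPAM, order))
```

Only `decide_first_match` depends on load order: with the spam database first the mail is merely scored, with the virus database first it is rejected. Either remedy (report all matches, or rank non-spam signatures above spam-only ones) gives the same verdict regardless of order, which is what makes the policy "reject virus, score spam" safe to express in terms of signature or database names.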
