[sanesecurity] Re: AW: Re: FP feedback from large sites

  • From: Bill Landry <bill@xxxxxxxxxxx>
  • To: sanesecurity@xxxxxxxxxxxxx
  • Date: Sat, 10 Sep 2011 12:00:12 -0700

On 9/10/2011 4:25 AM, Steffen Heil (Mailinglisten) wrote:
Hi

Take INetMsg-SpamDomains-2m.ndb and jurlbla.ndb.... IF they both
contain the same host name... then the INetMsg-SpamDomains-2m.ndb
signature name WILL ALWAYS be given out ...because the database is
loaded by the clamav engine first.. that's why you see the
INetMsg-SpamDomains name more than the other databases, even if they
had found a detection too.

According to Tomasz Kojm (ClamAV Dev Team), this is not correct.
Signatures are randomly selected and none are given any priority over another,
not even the official signatures.  See, for example:

Clamav may not apply any priority, yet it needs to test signatures one after
another. And it will report the first one found. So even without priorities,
signatures tested earlier will be reported more often. Order of testing will
probably not change while the daemon is running. It might even be always the
same, IF processing order equals load order and load order depends on
directory enumeration, which will usually stay the same on the same file
system...

Sounds like pure speculation to me. I'll admit that I have no idea about the inner workings of ClamAV, but I can show you this as proof, not speculation, from just one of many signatures I've found like this in the past week:

From clamd.log (note the log entry date and time stamps):

Mon Sep 5 04:39:08 2011 -> /var/spool/amavisd/tmp/amavis-20110905T013546-23450/parts/p001: Sanesecurity.Jurlbl.Auto.e92dad21f6edcf68520847bb488780a3.UNOFFICIAL FOUND

Mon Sep 5 04:39:11 2011 -> /var/spool/amavisd/tmp/amavis-20110905T025505-18748/parts/p001: Sanesecurity.Jurlbl.Auto.e92dad21f6edcf68520847bb488780a3.UNOFFICIAL FOUND

Mon Sep 5 05:32:20 2011 -> /var/spool/amavisd/tmp/amavis-20110905T050346-17500/parts/p001: Sanesecurity.Jurlbl.Auto.e92dad21f6edcf68520847bb488780a3.UNOFFICIAL FOUND

Mon Sep 5 09:23:20 2011 -> /var/spool/amavisd/tmp/amavis-20110905T063812-16103/parts/p001: Sanesecurity.Jurlbl.Auto.e92dad21f6edcf68520847bb488780a3.UNOFFICIAL FOUND

Wed Sep 7 09:36:26 2011 -> /var/spool/amavisd/tmp/amavis-20110907T070733-03900/parts/p001: Sanesecurity.Jurlbl.Auto.e92dad21f6edcf68520847bb488780a3.UNOFFICIAL FOUND

Wed Sep 7 09:36:42 2011 -> /var/spool/amavisd/tmp/amavis-20110907T072741-04527/parts/p001: Sanesecurity.Jurlbl.Auto.e92dad21f6edcf68520847bb488780a3.UNOFFICIAL FOUND

Wed Sep 7 09:36:43 2011 -> /var/spool/amavisd/tmp/amavis-20110907T083046-30572/parts/p001: Sanesecurity.Jurlbl.Auto.e92dad21f6edcf68520847bb488780a3.UNOFFICIAL FOUND

Wed Sep 7 10:30:24 2011 -> /var/spool/amavisd/tmp/amavis-20110907T083046-30572/parts/p001: Sanesecurity.Jurlbl.Auto.e92dad21f6edcf68520847bb488780a3.UNOFFICIAL FOUND

This signature decodes to (obscured this time to bypass signature detection): pharmacy(-)buyonline(.)com(.)ua

However, I have had this signature listed in the SpamDomain 2-week database since Aug 27, 2011, yet it has never been flagged by the SpamDomain signature database, only by the Jurlbl.Auto signature database. My script reloads all signature databases whenever a change is detected, so if ClamAV loads signature databases in alphabetical order (as has also been speculated in the past), then the SpamDomain signature would have flagged all of these rather than Jurlbl.Auto.

But I just realized that this (only reporting ONE match) opens a security
hole:

IF a virus matches a REAL virus signature as well as a "spam only"
signature, and the host is set up to reject virus but only score spam, virus
mails might get passed through, if the spam signature matched first.

Therefore I think it would be very helpful to report ALL matches or at least
prefer real virus signatures.

Put in a feature request with ClamAV.

Is it currently possible to run two clamav instances in parallel?

Hmmm, by the way you speak, I would have thought you were an expert on ClamAV and would know the answer to this very basic question. The answer of course is "Yes".

Please quit speculating and start providing proof of your theories going forward.

Bill
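The thread turns on two things clamd does not do for you: show every signature a part matches (it reports the first hit only), and tell you which database families are actually being credited in clamd.log. The script below is an added example, not code from the thread, from ClamAV or from Sanesecurity. It does a simplified NDB match (Name:TargetType:Offset:HexSignature, plain hex bodies plus the `??` single-byte wildcard, target type ignored) across several databases so that all hits are visible, applies the reject-virus/score-spam policy Steffen describes to the full hit list and to a first-hit-only list, and tallies FOUND lines from a clamd.log excerpt by signature family. The database names, signature names, sample part and log lines are all constructed for illustration; they are not real Sanesecurity signatures.

```python
"""Show every NDB hit on a sample, not just the first one clamd would report.

Added example; not part of the mailing-list thread, ClamAV or Sanesecurity.
NDB matching here is simplified: plain hex bodies and the '??' one-byte
wildcard only, target type ignored. All names and data below are constructed.
"""
import re
from collections import Counter

# Constructed NDB databases. Offset '*' means "anywhere", a number is fixed.
SPAM_DB = "spamdomains-constructed.ndb"
URL_DB = "jurlbl-constructed.ndb"
VIRUS_DB = "virus-constructed.ndb"


def hexify(s: str) -> str:
    """ASCII string -> lowercase hex, the way URL/domain NDB bodies are built."""
    return s.encode().hex()


DATABASES = {
    SPAM_DB: [f"Example.SpamDomains.Auto.1:0:*:{hexify('pharma-deals.example')}"],
    URL_DB: [f"Example.Jurlbl.Auto.1:0:*:{hexify('pharma-deals.example')}",
             f"Example.Jurlbl.Auto.2:0:*:{hexify('cheap-pills.example')}"],
    # 'MZ' ?? 00 03 00 : a constructed stand-in for a real malware signature
    VIRUS_DB: ["Example.Dropper.1:0:*:4d5a??000300"],
}

# Policy: hits from these databases are only scored, everything else rejects.
SPAM_ONLY_DBS = {SPAM_DB, URL_DB}


def parse_ndb(line):
    name, target, offset, hexsig = line.strip().split(":", 3)
    return name, target, offset, hexsig


def hex_to_regex(hexsig):
    """Turn a hex body into a bytes regex; '??' matches any single byte."""
    if len(hexsig) % 2:
        raise ValueError("hex signature must be whole bytes")
    parts = []
    for i in range(0, len(hexsig), 2):
        pair = hexsig[i:i + 2]
        parts.append(b"." if pair == "??" else re.escape(bytes([int(pair, 16)])))
    return re.compile(b"".join(parts), re.DOTALL)


def matches(sig_line, data):
    _, _, offset, hexsig = parse_ndb(sig_line)
    rx = hex_to_regex(hexsig)
    if offset == "*":
        return rx.search(data) is not None
    return rx.match(data, int(offset)) is not None


def all_matches(data, databases=DATABASES):
    """Every (database, signature name) that hits, in database load order."""
    return [(db, parse_ndb(line)[0])
            for db, lines in databases.items()
            for line in lines if matches(line, data)]


def decide(hits, spam_only=SPAM_ONLY_DBS):
    """reject if any hit is from a non-spam DB, score if only spam DBs hit."""
    if not hits:
        return "clean"
    if any(db not in spam_only for db, _ in hits):
        return "reject"
    return "score"


# Constructed message part: a PE-like header plus a spam domain in the body.
SAMPLE = b"MZ\x90\x00\x03\x00 ... visit http://pharma-deals.example/ ..."

# Constructed clamd.log excerpt in the same "-> path: name FOUND" format.
CLAMD_LOG = """\
Mon Sep  5 04:39:08 2011 -> /tmp/parts/p001: Example.Jurlbl.Auto.1.UNOFFICIAL FOUND
Mon Sep  5 04:39:11 2011 -> /tmp/parts/p002: Example.Jurlbl.Auto.1.UNOFFICIAL FOUND
Mon Sep  5 05:32:20 2011 -> /tmp/parts/p003: Example.SpamDomains.Auto.1.UNOFFICIAL FOUND
"""
FOUND_RE = re.compile(r"^(?P<ts>.+?) -> (?P<path>\S+): (?P<sig>\S+) FOUND$")


def tally_found(lines):
    """Count FOUND lines per signature family (first two dotted components)."""
    tally = Counter()
    for line in lines:
        m = FOUND_RE.match(line.rstrip())
        if m:
            tally[".".join(m.group("sig").split(".")[:2])] += 1
    return tally


if __name__ == "__main__":
    hits = all_matches(SAMPLE)
    print("all hits:      ", hits, "->", decide(hits))
    print("first hit only:", hits[:1], "->", decide(hits[:1]))
    print("clamd.log tally:", dict(tally_found(CLAMD_LOG.splitlines())))
```

With the spam databases listed before the virus database, the first-hit-only list yields "score" while the full list yields "reject": that is the hole described above, made visible by matching every database yourself rather than trusting the single name clamd prints.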
