[sanesecurity] Re: FP feedback from large sites

  • From: Steve Basford <steveb_clamav@xxxxxxxxxxxxxxxx>
  • To: sanesecurity@xxxxxxxxxxxxx
  • Date: Fri, 09 Sep 2011 15:42:06 +0100
On 09/09/2011 14:32, Henrique de Moraes Holschuh wrote:

Hmm, clamav logs can easily provide that information.  If you'd really
appreciate more periodic feedback, I'd suggest getting someone to modify
mailgraph[1] to track clamav logs and create RRDs of the hit-rate of the
various databases.

One thing to point out about the ClamAV stats is that they only really show that something was detected by a single signature... whereas it could have been detected by multiple signature databases..

For example... scam.ndb looks for spam text and a few key spam domains... junk.ndb look mainly at spam text... jurlbl.ndb / jurlbla.ndb and theINetMsg-SpamDomains-2m.ndb look at spam urls, so ANY of the above sigs may match a spam... but it's the clamav engine which decides the database/scanning order of the detection and therefore the signature name.

Take INetMsg-SpamDomains-2m.ndb and jurlbla.ndb.... IF they both contain the same host name... then the INetMsg-SpamDomains-2m.ndb signature name WILL ALWAYS be given out ...because the database is loaded by the clamav engine first.. that's why you see the INetMsg-SpamDomains name more than the other databases, even if they had found a detection too.

Slightly off topic... but ideally... INetMsg-SpamDomains-2w.ndb, jurlbl.ndb and jurlbla.ndb should be merged into one database, it would eliminate duplicates in the signature database, and save a ton of memory and processing power for the engine... I'll look into that shortly, out of curiosity to see how much savings could be made.

All the third party dbs are doing a great job... my work system is certainly a lot cleaner from spam with the dbs loaded :)

Cheers,

Steve
Sanesecurity
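The two points made above (a clamd log records only the first database that fired, so per-database hit counts depend on load order, and overlapping .ndb files carry duplicate host-name signatures) can be shown with a small script. This is an added example, not code from the post, from Sanesecurity or from ClamAV: the .ndb lines, host names and log lines are constructed, the signature-name families are assumed, and `scan()` is a deliberately simplified first-match model standing in for the real engine.

```python
"""Toy model of two points from the post: (1) a clamd log names one signature
per hit, so per-database counts favour databases loaded earlier; (2) two .ndb
files can carry identical hex signatures for the same host name.
Added example; not code from the original post, Sanesecurity or ClamAV."""
import re
from collections import Counter


def hexsig(text):
    """Plain hex body as used in .ndb signatures (wildcards not used here)."""
    return text.encode("ascii").hex()


# Constructed .ndb databases in the real line format Name:TargetType:Offset:HexSig
# (target 0 = any file, offset * = anywhere). Names and hosts are made up.
INETMSG_NDB = "\n".join([
    f"INetMsg.SpamDomain-2m.1:0:*:{hexsig('spam-host-a.example')}",
    f"INetMsg.SpamDomain-2m.2:0:*:{hexsig('spam-host-b.example')}",
])
JURLBLA_NDB = "\n".join([
    f"Sanesecurity.Jurlbla.1:0:*:{hexsig('spam-host-a.example')}",  # same host as INetMsg sig 1
    f"Sanesecurity.Jurlbla.2:0:*:{hexsig('spam-host-c.example')}",
])


def parse_ndb(text):
    """Return [(sig_name, pattern_bytes)] from an .ndb body; wildcard bodies are skipped."""
    sigs = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _target, _offset, hexbody = line.split(":", 3)
        if not re.fullmatch(r"[0-9a-fA-F]+", hexbody):
            continue  # wildcard syntax is not modelled in this toy
        sigs.append((name, bytes.fromhex(hexbody)))
    return sigs


def scan(body, databases):
    """Simplified model (assumption, not ClamAV's matcher): databases are tried
    in load order and the first matching signature name is the one reported."""
    for db_text in databases:
        for name, pattern in parse_ndb(db_text):
            if pattern in body:
                return name
    return None


def all_matches(body, databases):
    """Every signature that would match, regardless of load order."""
    return [name for db in databases for name, pat in parse_ndb(db) if pat in body]


def duplicate_patterns(db_a, db_b):
    """Host names present in both databases -> (name in A, name in B)."""
    a = {pat: name for name, pat in parse_ndb(db_a)}
    b = {pat: name for name, pat in parse_ndb(db_b)}
    return {pat.decode(): (a[pat], b[pat]) for pat in a.keys() & b.keys()}


# Constructed clamd log lines; only the "path: SigName FOUND" tail is parsed.
SAMPLE_LOG = [
    "Fri Sep  9 15:01:02 2011 -> /tmp/m1/p001: Sanesecurity.Junk.1001.UNOFFICIAL FOUND",
    "Fri Sep  9 15:01:05 2011 -> /tmp/m2/p001: INetMsg.SpamDomain-2m.2001.UNOFFICIAL FOUND",
    "Fri Sep  9 15:01:09 2011 -> /tmp/m3/p001: Sanesecurity.Jurlbla.3001.UNOFFICIAL FOUND",
    "Fri Sep  9 15:01:12 2011 -> /tmp/m4/p001: INetMsg.SpamDomain-2m.2002.UNOFFICIAL FOUND",
    "Fri Sep  9 15:01:15 2011 -> /tmp/m5/p001: OK",
    "Fri Sep  9 15:01:20 2011 -> /tmp/m6/p001: Sanesecurity.Scam.4001.UNOFFICIAL FOUND",
]
FOUND_RE = re.compile(r": (\S+) FOUND$")


def hits_per_database(log_lines):
    """Count FOUND lines by signature family (first two dot-separated fields),
    the per-database hit rate mailgraph-style RRDs would graph."""
    counts = Counter()
    for line in log_lines:
        m = FOUND_RE.search(line.rstrip())
        if m:
            counts[".".join(m.group(1).split(".")[:2])] += 1
    return counts


if __name__ == "__main__":
    body = b"Visit http://spam-host-a.example/now"
    print("reported, INetMsg first:", scan(body, [INETMSG_NDB, JURLBLA_NDB]))
    print("reported, jurlbla first:", scan(body, [JURLBLA_NDB, INETMSG_NDB]))
    print("all matching sigs:      ", all_matches(body, [INETMSG_NDB, JURLBLA_NDB]))
    print("duplicate hosts:        ", duplicate_patterns(INETMSG_NDB, JURLBLA_NDB))
    print("hits per database:      ", dict(hits_per_database(SAMPLE_LOG)))
```

Swapping the order of the two databases changes the reported name but not the set of matching signatures, which is why a log-derived per-database count says little about how many spams each database would catch on its own; `duplicate_patterns()` is the check one would run before merging the URL databases.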
