[sanesecurity] Re: FP feedback from large sites

  • From: Henrique de Moraes Holschuh <henrique.holschuh@xxxxxxxxxxxxx>
  • To: sanesecurity@xxxxxxxxxxxxx
  • Date: Fri, 09 Sep 2011 13:41:11 -0300

On 09-09-2011 11:42, Steve Basford wrote:
On 09/09/2011 14:32, Henrique de Moraes Holschuh wrote:
Hmm, clamav logs can easily provide that information. If you'd
really appreciate more periodic feedback, I'd suggest getting
someone to modify mailgraph[1] to track clamav logs and create
RRDs of the hit-rate of the various databases.

One thing to point out about the ClamAV stats is that they only
really show that something was detected by a single signature...
whereas it could have been detected by multiple signature
databases..

Hmm, I just tried to find a way to disable exit-on-first-match, and
could not find one in the clamd.conf manpage, but I recall it being
possible.  Well, memory might be playing tricks on me.

Unfortunately I really don't have time to check for it in the clamav
source right now.  If clamav indeed always stops on first match, it would
be a worthwhile wishlist bug for upstream to support a find-all-matches
mode.

Slightly off topic... but ideally... INetMsg-SpamDomains-2w.ndb,
jurlbl.ndb and jurlbla.ndb should be merged into one database, it
would eliminate duplicates in the signature database, and save a ton
of memory and processing power for the engine... I'll look into that
shortly, out of curiosity to see how much savings could be made.

Should you do that, please retain the signature name of the database
with the LEAST probability of FP when the signature is present in more
than one database.

Otherwise, it will score lower on lots of systems out there (like those
I administer), and more spam will get through :p

For databases where the reasons why a signature got added are
orthogonal, it is better to just keep the signatures duplicated and try
to get clamav to report both matches.  The correct thing to do when a
signature is listed in different databases because of uncorrelated
reasons is to score it twice and give it a higher spam rating!

All the third party dbs are doing a great job... my work system is
certainly a lot cleaner from spam with the dbs loaded :)

Yes, they help a great deal indeed.

--
Henrique de Moraes Holschuh <hmh@xxxxxxxxxxxxx>
IM@ - Informática de Municípios Associados
Telecommunications Engineering
TEL +55-19-3755-6555/CEL +55-19-9293-9464

Before printing, remember your commitment to the environment
and the cost you can avoid.
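Two of the points raised in this thread lend themselves to a small worked example: tallying per-database hit rates from clamd's log (the mailgraph idea above) and merging overlapping .ndb files while keeping the signature name from the database least prone to false positives. The Python below is an added illustration, not code from the list, from Sanesecurity or from ClamAV. The log lines and the .ndb entries are constructed samples, and the mapping from signature-name prefix to database file is an assumption made for the example (real installations differ). Note the caveat from the thread: clamd reports only the first matching signature, so a log-based tally undercounts databases whose signatures overlap.

```python
import re
from collections import Counter

# Constructed clamd log lines (not real traffic) in clamd's
# "<timestamp> -> <path>: <signature> FOUND" form.
SAMPLE_LOG = """\
Fri Sep  9 13:41:11 2011 -> /var/spool/mail/in/0001.eml: Sanesecurity.Junk.31337.UNOFFICIAL FOUND
Fri Sep  9 13:41:12 2011 -> /var/spool/mail/in/0002.eml: INetMsg.SpamDomains.example.UNOFFICIAL FOUND
Fri Sep  9 13:41:13 2011 -> /var/spool/mail/in/0003.eml: Sanesecurity.Jurlbl.Example.UNOFFICIAL FOUND
Fri Sep  9 13:41:14 2011 -> /var/spool/mail/in/0004.eml: OK
Fri Sep  9 13:41:15 2011 -> /var/spool/mail/in/0005.eml: Sanesecurity.Junk.42.UNOFFICIAL FOUND
Fri Sep  9 13:41:16 2011 -> /var/spool/mail/in/0006.eml: Eicar-Test-Signature FOUND
"""

FOUND_RE = re.compile(r": (?P<sig>\S+) FOUND$")

# Assumed prefix -> database mapping, for illustration only.
DB_BY_PREFIX = {
    "Sanesecurity.Junk": "junk.ndb",
    "Sanesecurity.Jurlbl": "jurlbl.ndb",
    "INetMsg.SpamDomains": "INetMsg-SpamDomains-2w.ndb",
}


def database_for(signature):
    """Attribute a signature name to a database file by its prefix."""
    for prefix, db in DB_BY_PREFIX.items():
        if signature.startswith(prefix + "."):
            return db
    return "official"  # anything unmapped is assumed to be an official ClamAV signature


def tally_hits(log_text):
    """Count FOUND events per database. Since clamd stops at the first
    match, a message matched by several databases is counted only once,
    under whichever signature clamd reported."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FOUND_RE.search(line)
        if m:
            counts[database_for(m.group("sig"))] += 1
    return dict(counts)


# Constructed .ndb entries (name:type:offset:hex). Two databases carry the
# same body under different names; one entry is unique to jurlbla.ndb.
SAMPLE_DBS = {
    "jurlbl.ndb": [
        "Sanesecurity.Jurlbl.Example.UNOFFICIAL:0:*:6578616d706c652e74657374",
    ],
    "jurlbla.ndb": [
        "Sanesecurity.Jurlbla.Example.UNOFFICIAL:0:*:6578616d706c652e74657374",
        "Sanesecurity.Jurlbla.Other.UNOFFICIAL:0:*:6f746865722e74657374",
    ],
    "INetMsg-SpamDomains-2w.ndb": [
        "INetMsg.SpamDomains.Example.UNOFFICIAL:0:*:6578616d706c652e74657374",
    ],
}

# Assumed ordering from lowest to highest false-positive risk.
PREFERENCE = ["jurlbl.ndb", "INetMsg-SpamDomains-2w.ndb", "jurlbla.ndb"]


def merge_ndb(databases, preference):
    """Merge .ndb databases, dropping entries whose type:offset:hex body is
    identical. When a body occurs in several databases, keep the name from
    the database listed earliest in `preference`, so scoring rules keyed on
    that name keep working after the merge."""
    rank = {db: i for i, db in enumerate(preference)}
    chosen = {}  # body -> (rank, name)
    for db, lines in databases.items():
        r = rank.get(db, len(preference))  # unlisted databases rank last
        for line in lines:
            line = line.strip()
            if not line or line.startswith("#"):
                continue
            name, body = line.split(":", 1)
            if body not in chosen or r < chosen[body][0]:
                chosen[body] = (r, name)
    return sorted(f"{name}:{body}" for body, (_, name) in chosen.items())


if __name__ == "__main__":
    for db, n in sorted(tally_hits(SAMPLE_LOG).items()):
        print(f"{db:30} {n}")
    print("\n".join(merge_ndb(SAMPLE_DBS, PREFERENCE)))
```

Feeding `tally_hits` from a real clamd log would give mailgraph-style per-database counters; the merge keeps exactly one copy of each body, so a signature present in two databases for unrelated reasons loses its second name, which is the trade-off Henrique warns about.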
