[sanesecurity] Re: FP feedback from large sites

  • From: Bill Landry <bill@xxxxxxxxxxx>
  • To: sanesecurity@xxxxxxxxxxxxx
  • Date: Fri, 09 Sep 2011 18:57:55 -0700

On 9/9/2011 7:42 AM, Steve Basford wrote:


On 09/09/2011 14:32, Henrique de Moraes Holschuh wrote:

Hmm, clamav logs can easily provide that information. If you'd really
appreciate more periodic feedback, I'd suggest getting someone to modify
mailgraph[1] to track clamav logs and create RRDs of the hit-rate of the
various databases.

One thing to point out about the ClamAV stats is that they only really
show that something was detected by a single signature... whereas it
could have been detected by multiple signature databases..

For example... scam.ndb looks for spam text and a few key spam
domains... junk.ndb looks mainly at spam text... jurlbl.ndb /
jurlbla.ndb and theINetMsg-SpamDomains-2m.ndb look at spam urls, so ANY
of the above sigs may match a spam... but it's the clamav engine which
decides the database/scanning order of the detection and therefore the
signature name.

Take INetMsg-SpamDomains-2m.ndb and jurlbla.ndb.... IF they both contain
the same host name... then the INetMsg-SpamDomains-2m.ndb signature name
WILL ALWAYS be given out ...because the database is loaded by the clamav
engine first.. that's why you see the INetMsg-SpamDomains name more than
the other databases, even if they had found a detection too.

According to Tomasz Kojm (ClamAV Dev Team), this is not correct. Signatures are randomly selected and none are given any priority over another, not even the official signatures. See, for example:

http://lists.clamav.net/lurker/message/20060228.010103.f023d2e1.hu.html

Slightly off topic... but ideally... INetMsg-SpamDomains-2w.ndb,
jurlbl.ndb and jurlbla.ndb should be merged into one database, it would
eliminate duplicates in the signature database, and save a ton of memory
and processing power for the engine... I'll look into that shortly, out
of curiosity to see how much savings could be made.

We've had a few off-list discussions about this in the past, just haven't made it happen yet.

Bill
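Henrique's suggestion above (track clamav logs and graph the hit rate per database) is straightforward to prototype, and doing so also makes Steve's caveat concrete: every "FOUND" line in a clamd log names exactly one signature, so the per-database counts only reflect whichever signature the engine reported, not every database that would have matched. The following is an added example, not code from the list or from ClamAV; the log lines are constructed, modelled on clamd's "<timestamp> -> <path>: <signature> FOUND" format, and the signature names and paths in them are made up for illustration.

```python
"""Aggregate ClamAV detection log lines by signature database family.

Added example, not from the list post. The log format is modelled on
clamd's "<timestamp> -> <path>: <signature> FOUND" lines; the sample
lines below, and the signature names and paths in them, are constructed.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample clamd.log excerpt (not real detections).
SAMPLE_LOG = """\
Fri Sep  9 18:01:02 2011 -> /var/spool/tmp/msg001: Sanesecurity.Junk.1234.UNOFFICIAL FOUND
Fri Sep  9 18:01:05 2011 -> /var/spool/tmp/msg002: INetMsg.SpamDomain-2m.5678.UNOFFICIAL FOUND
Fri Sep  9 18:03:11 2011 -> /var/spool/tmp/msg003: OK
Fri Sep  9 18:04:40 2011 -> /var/spool/tmp/msg004: Sanesecurity.Scam.42.UNOFFICIAL FOUND
Fri Sep  9 19:02:00 2011 -> /var/spool/tmp/msg005: Sanesecurity.Jurlbl.99.UNOFFICIAL FOUND
Fri Sep  9 19:02:30 2011 -> /var/spool/tmp/msg006: Eicar-Test-Signature FOUND
Fri Sep  9 19:05:00 2011 -> /var/spool/tmp/msg007: Sanesecurity.Junk.1235.UNOFFICIAL FOUND
"""

# One detection per line, one signature name per detection: the log never
# tells you which *other* databases would also have matched the message.
FOUND_RE = re.compile(
    r"^(?P<ts>[A-Za-z]{3} [A-Za-z]{3}\s+\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) -> "
    r"(?P<path>.*?): (?P<sig>\S+) FOUND$"
)


def family(sig):
    """Map a signature name to its database family.

    Third-party databases name signatures <Vendor>.<Db>.<id>.UNOFFICIAL, so
    the first two dotted components identify the database; anything else is
    counted as an official ClamAV signature.
    """
    if sig.endswith(".UNOFFICIAL"):
        return ".".join(sig.split(".")[:2])
    return "official"


def parse_detections(log_text):
    """Return (timestamp, family, signature) for every FOUND line."""
    detections = []
    for line in log_text.splitlines():
        m = FOUND_RE.match(line)
        if not m:
            continue  # "OK" results and other log chatter are not detections
        # clamd pads single-digit days with a space; collapse it before parsing
        ts = datetime.strptime(re.sub(r"\s+", " ", m["ts"]),
                               "%a %b %d %H:%M:%S %Y")
        detections.append((ts, family(m["sig"]), m["sig"]))
    return detections


def hits_per_family(log_text):
    """Total detections attributed to each database family."""
    return Counter(fam for _, fam, _ in parse_detections(log_text))


def hourly_hits(log_text):
    """Detections per hour and family: the shape an RRD update would take."""
    buckets = defaultdict(Counter)
    for ts, fam, _ in parse_detections(log_text):
        buckets[ts.strftime("%Y-%m-%d %H:00")][fam] += 1
    return dict(buckets)


if __name__ == "__main__":
    for fam, n in hits_per_family(SAMPLE_LOG).most_common():
        print(f"{fam:24s} {n}")
    for hour, counts in sorted(hourly_hits(SAMPLE_LOG).items()):
        print(hour, dict(counts))
```

Feeding `hourly_hits` into an RRD (or mailgraph-style graph) gives the per-database trend Henrique describes; just remember that the numbers measure which signature the engine reported first, so a database whose hits overlap heavily with another one will look quieter than it really is.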
