On 9/9/2011 7:42 AM, Steve Basford wrote:
On 09/09/2011 14:32, Henrique de Moraes Holschuh wrote:
Hmm, clamav logs can easily provide that information. If you'd really appreciate more periodic feedback, I'd suggest getting someone to modify mailgraph[1] to track clamav logs and create RRDs of the hit-rate of the various databases.
One thing to point out about the ClamAV stats is that they only really show that something was detected by a single signature... whereas it could have been detected by multiple signature databases.. For example... scam.ndb looks for spam text and a few key spam domains... junk.ndb looks mainly at spam text... jurlbl.ndb / jurlbla.ndb and the INetMsg-SpamDomains-2m.ndb look at spam urls, so ANY of the above sigs may match a spam... but it's the clamav engine which decides the database/scanning order of the detection and therefore the signature name. Take INetMsg-SpamDomains-2m.ndb and jurlbla.ndb.... IF they both contain the same host name... then the INetMsg-SpamDomains-2m.ndb signature name WILL ALWAYS be given out ...because the database is loaded by the clamav engine first.. that's why you see the INetMsg-SpamDomains name more than the other databases, even if they had found a detection too.
According to Tomasz Kojm (ClamAV Dev Team), this is not correct. Signatures are randomly selected and none are given any priority over another, not even the official signatures. See, for example:
http://lists.clamav.net/lurker/message/20060228.010103.f023d2e1.hu.html
Slightly off topic... but ideally... INetMsg-SpamDomains-2w.ndb, jurlbl.ndb and jurlbla.ndb should be merged into one database, it would eliminate duplicates in the signature database, and save a ton of memory and processing power for the engine... I'll look into that shortly, out of curiosity to see how much savings could be made.
We've had a few off-list discussions about this in the past, just haven't made it happen yet.
Bill
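Added example, not part of the original thread and not code from ClamAV or the database maintainers: one way to measure how many patterns are duplicated across `.ndb` databases before merging them, and which signature names compete for the same pattern. The database contents, signature names and hostnames below are constructed; only the file names come from the thread, and the functions `parse_ndb`, `overlap` and `merge_report` are hypothetical helpers.

```python
from collections import defaultdict

def parse_ndb(text):
    """Yield (name, target, offset, hexsig) from .ndb lines:
    Name:TargetType:Offset:HexSignature[:MinFL[:MaxFL]]"""
    for line in text.splitlines():
        fields = line.strip().split(":")
        if len(fields) < 4:
            continue  # blank or malformed line: skip rather than guess
        name, target, offset, hexsig = fields[:4]
        # Assumption for deduplication: hex digits compare case-insensitively.
        yield name, target, offset, hexsig.lower()

def overlap(dbs):
    """Map each (target, offset, hexsig) pattern to the
    (database, signature name) pairs that carry it."""
    seen = defaultdict(list)
    for db, text in dbs.items():
        for name, target, offset, hexsig in parse_ndb(text):
            seen[(target, offset, hexsig)].append((db, name))
    return seen

def merge_report(dbs):
    """Count signatures, unique patterns, and patterns shared between databases."""
    seen = overlap(dbs)
    total = sum(len(v) for v in seen.values())
    shared = {k: v for k, v in seen.items() if len({db for db, _ in v}) > 1}
    return {"total": total, "unique": len(seen),
            "redundant": total - len(seen), "shared": shared}

def hx(s):
    """Hex-encode a hostname the way a body signature would carry it."""
    return s.encode().hex()

# Constructed sample data (target type 4 = mail, offset * = anywhere).
SAMPLE = {
    "INetMsg-SpamDomains-2m.ndb":
        f"Constructed.INetMsg.1:4:*:{hx('pills.example')}\n"
        f"Constructed.INetMsg.2:4:*:{hx('loans.example')}\n",
    "jurlbla.ndb":
        f"Constructed.Jurlbla.1:4:*:{hx('pills.example')}\n"
        f"Constructed.Jurlbla.2:4:*:{hx('watches.example')}\n",
    "jurlbl.ndb":
        f"Constructed.Jurlbl.1:4:*:{hx('watches.example')}\n"
        f"Constructed.Jurlbl.2:4:*:{hx('pills.example').upper()}\n",
}

if __name__ == "__main__":
    report = merge_report(SAMPLE)
    print(report["total"], "signatures,", report["redundant"], "redundant")
    for (_, _, sig), owners in report["shared"].items():
        print(bytes.fromhex(sig).decode(), "->", owners)
```

This counts only byte-identical patterns; signatures where one pattern is a substring of another, or that use different wildcards for the same host, are not reported as duplicates.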