[sanesecurity] Re: FP feedback from large sites

  • From: Dave Funk <dbfunk@xxxxxxxxxxxxxxxxxxxxx>
  • To: "sanesecurity@xxxxxxxxxxxxx" <sanesecurity@xxxxxxxxxxxxx>
  • Date: Sat, 10 Sep 2011 15:18:10 -0500 (CDT)

On Sat, 10 Sep 2011, Steffen Heil (Mailinglisten) wrote:

> > > Take INetMsg-SpamDomains-2m.ndb and jurlbla.ndb.... IF they both
> > > contain the same host name... then the INetMsg-SpamDomains-2m.ndb
> > > signature name WILL ALWAYS be given out ...because the database is
> > > loaded by the clamav engine first.. that's why you see the
> > > INetMsg-SpamDomains name more than the other databases, even if they
> > > had found a detection too.
> >
> > According to Tomasz Kojm (ClamAV Dev Team), this is not correct.
> > Signatures are randomly selected and none are given any priority over another,
> > not even the official signatures.  See, for example:
>
> Clamav may not apply any priority, yet it needs to test signatures one after
> another. And it will report the first one found. So even without priorities,
> signatures tested earlier will be reported more often. Order of testing will
> probably not change while the daemon is running. It might even be always the
> same, IF processing order equals load order and load order depends on
> directory enumeration, which will usually stay the same on the same file
> system...
>
> But I just realize that this (only reporting ONE match) opens a security
> hole:
>
> IF a virus matches a REAL virus signature as well as a "spam only"
> signature, and the host is set up to reject virus but only score spam, virus
> mails might get passed through, if the spam signature matched first.
>
> Therefore I think it would be very helpful to report ALL matches or at least
> prefer real virus signatures.
>
> Is it currently possible to run two clamav instances in parallel?

That is exactly what I do. I have two clamav instances using separate
config files, library directories, listening on different sockets.
The first runs just the official ClamAV supplied sigs, the second all the various 3rd party sigs (SaneSecurity, etc).

I have a milter hooked into my MTAs that uses the first clam instance and is set to SMTP reject on hits.

I have a clamav-plugin in my spamassassin that uses the second clam
instance and adds scores based upon signature hits.

At the expense of some resources (mostly RAM) this gives me the best
of both worlds.


--
Dave Funk                                  University of Iowa
<dbfunk (at) engineering.uiowa.edu>        College of Engineering
319/335-5751   FAX: 319/384-0549           1256 Seamans Center
Sys_admin/Postmaster/cell_admin            Iowa City, IA 52242-1527
#include <std_disclaimer.h>
Better is not better, 'standard' is better. B{
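An added example, not from the thread, of the client side of the two-instance arrangement Dave describes: the same message is streamed to both clamd sockets with the INSTREAM command, the official instance's verdict alone decides reject/tempfail, and a third-party hit only contributes a spam score, so a spam-only match can no longer mask a real virus match. The socket paths, the score value and the sample signature name in the comments are assumptions, not values from the thread.

```python
import socket
import struct

# Assumed Unix socket paths for the two clamd instances (placeholders, not from the thread).
OFFICIAL_SOCK = "/var/run/clamav/clamd-official.sock"    # official ClamAV sigs only
THIRDPARTY_SOCK = "/var/run/clamav/clamd-3rdparty.sock"  # SaneSecurity and other 3rd-party sigs


def clamd_instream(sock_path: str, data: bytes, chunk: int = 8192) -> str:
    """Scan `data` via clamd's INSTREAM command and return the raw reply line."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(sock_path)
        s.sendall(b"zINSTREAM\0")
        for i in range(0, len(data), chunk):           # big-endian length-prefixed chunks
            part = data[i:i + chunk]
            s.sendall(struct.pack("!I", len(part)) + part)
        s.sendall(struct.pack("!I", 0))                # zero-length chunk ends the stream
        reply = b""
        while not reply.endswith(b"\0"):               # z-commands get NUL-terminated replies
            buf = s.recv(4096)
            if not buf:
                break
            reply += buf
    return reply.rstrip(b"\0").decode("utf-8", "replace")


def parse_reply(reply: str):
    """Map 'stream: <name> FOUND' / 'stream: OK' / '<text> ERROR' to (status, detail)."""
    head, sep, tail = reply.partition(": ")
    verdict = tail if sep else head                    # error replies may lack the 'stream:' prefix
    if verdict.endswith(" FOUND"):
        return "FOUND", verdict[:-len(" FOUND")]
    if verdict == "OK":
        return "OK", None
    return "ERROR", verdict


def decide(official_reply: str, thirdparty_reply: str, spam_score: float = 5.0) -> dict:
    """Combine both verdicts: official hit -> SMTP reject; official scanner error ->
    tempfail (never let mail through unscanned); third-party hit -> add a score only."""
    off_status, off_sig = parse_reply(official_reply)
    tp_status, tp_sig = parse_reply(thirdparty_reply)
    hits = [sig for st, sig in ((off_status, off_sig), (tp_status, tp_sig)) if st == "FOUND"]
    if off_status == "FOUND":
        return {"action": "reject", "score": 0.0, "hits": hits}
    if off_status == "ERROR":
        return {"action": "tempfail", "score": 0.0, "hits": hits}
    if tp_status == "FOUND":
        return {"action": "score", "score": spam_score, "hits": hits}
    return {"action": "accept", "score": 0.0, "hits": hits}
```

In a milter or SpamAssassin plugin this becomes `decide(clamd_instream(OFFICIAL_SOCK, msg), clamd_instream(THIRDPARTY_SOCK, msg))`, and the `hits` list records every matching signature rather than only the first one the engine happened to test.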