[sanesecurity] Re: FP feedback from large sites

From: Henrique de Moraes Holschuh <henrique.holschuh@xxxxxxxxxxxxx>
To: sanesecurity@xxxxxxxxxxxxx
Date: Mon, 12 Sep 2011 09:30:48 -0300

On 10-09-2011 17:18, Dave Funk wrote:

That is exactly what I do. I have two clamav instances using seperate
config files, library directories, listening on different sockets.
The first runs just the official ClamAV supplied sigs, the second all
the various 3rd party sigs (SaneSecurity, etc).

Hmm, that works, but for it to work really well, one would also need tocull duplicated signatures of lesser "scoring priority", or have oneclamav instance per "scoring tier" to make sure a lower scoringsignature (e.g. one from a database with a higher FP ratio) does notshadow one from a higher scoring signature.


I think I will have to do that here, as well.  How annoying.

Still, enhancing clamav to return multiple results or to implementdatabase match priority did not look like anywhere close to a trivialeffort last time I checked :( So, using multiple clamd instances is thebest short-term bet.


--
Henrique de Moraes Holschuh <hmh@xxxxxxxxxxxxx>
IM@ - Informática de Municípios Associados
Engenharia de Telecomunicações
TEL +55-19-3755-6555/CEL +55-19-9293-9464

Antes de imprimir, lembre-se de seu compromisso com o Meio Ambiente
e do custo que você pode evitar.

References:
- [sanesecurity] Re: Script update
  - From: Wolfgang Zeikat
- [sanesecurity] Re: Script update
  - From: Bill Landry
- [sanesecurity] FP feedback from large sites
  - From: Henrique de Moraes Holschuh
- [sanesecurity] Re: FP feedback from large sites
  - From: Steve Basford
- [sanesecurity] Re: FP feedback from large sites
  - From: Bill Landry
- [sanesecurity] AW: Re: FP feedback from large sites
  - From: Steffen Heil (Mailinglisten)
- [sanesecurity] Re: FP feedback from large sites
  - From: Dave Funk

[sanesecurity] Re: FP feedback from large sites

Other related posts: