[sanesecurity] Re: Long DB refresh times

  • From: TR Shaw <tshaw@xxxxxxxx>
  • To: sanesecurity@xxxxxxxxxxxxx
  • Date: Wed, 25 Apr 2012 09:36:02 -0400

On Apr 25, 2012, at 8:07 AM, Gerard Seibert wrote:

> On Tue, 24 Apr 2012 18:11:00 -0400
> TR Shaw articulated:
>> On Apr 24, 2012, at 4:41 PM, Richard Doyle wrote:
>>> On 04/24/2012 09:29 AM, Richard Doyle wrote:
>>>> On 04/24/2012 09:13 AM, micah anderson wrote:
>>>>>> Has anyone else seen these kinds of delays? Is there any way to
>>>>>> get these databases to load faster or to allow ClamAV to continue
>>>>>> scanning when the database is being reloaded?
>>>>> I was noticing this as well, and it seemed like it was something
>>>>> that has only recently started to happen. I suspected a bug or
>>>>> something, but perhaps we reached some tipping point.
>>>> Me too. I'm moving to once-a-day updates.
>> Once a day updates defeats the purpose to detect early threats.  We
>> need to get this solved and IMHO I think that it is a bug ClamAV.
> I have used several commercial packages that download their signature
> files between once and 4 times per day. They have operated at the same
> level of efficiency as ClamAV. If ClamAV really needs to update its
> database on an hourly schedule, perhaps its "recognition heuristic"
> algorithm is defective. The only other possible conclusion is that the
> ClamAV team is considerable slower at releasing specific virus
> definitions; i.e. a virus discovered on Monday does not get a signature
> released until Friday. This is just a guess though. Has the ClamAV team
> ever released data as to their turn around time on virus discovery and
> the publishing of a specific signature signature for said virus?


I can't comment about ClamAV or some of the others that contribute to 
sanesecurity but I do know that skull's signatures are generated very shortly 
after detection as are my attachment and cracked sigs. Steve's rogue and many 
of my new malware sigs (after packed polymorphism is removed) are rolled out in 
near real time. So for those, at a minimum, update rates do matter. 


Other related posts: