[sanesecurity] Re: Long DB refresh times

From: Emanuele Balla <clam@xxxxxxxxxxxx>
To: sanesecurity@xxxxxxxxxxxxx
Date: Wed, 25 Apr 2012 16:07:26 +0200

On 4/25/12 3:36 PM, TR Shaw wrote:

> I can't comment about ClamAV or some of the others that contribute to
> sanesecurity but I do know that skull's signatures are generated very
> shortly after detection as are my attachment and cracked sigs.

May I add, FWIW: several of the malware sigs refer to drive-by malware
infection schemes, and the URLs they target are used for only a few
hours in email.

So, if you run clamav on the mailserver during or immediately after the
SMTP transaction (in other words: milter or post-queue content filter),
updating the signatures once a day will render them completely useless:
after the run, the only thing they're useful for is client-side and/or
post-delivery mailbox scanning.

If you're using that DB at SMTP time and plan to update it once a day, I
suggest removing the DB completely, because it's simply not going to add
anything to you.

Even updating every hour is far from being optimal, IMHO (on my systems
those signatures are refreshed every 5 minutes directly from my own
repository)...

Follow-Ups:
- [sanesecurity] Re: Long DB refresh times
  - From: Alan Stern

References:
- [sanesecurity] Long DB refresh times
  - From: David Mayo
- [sanesecurity] Re: Long DB refresh times
  - From: micah anderson
- [sanesecurity] Re: Long DB refresh times
  - From: Richard Doyle
- [sanesecurity] Re: Long DB refresh times
  - From: Richard Doyle
- [sanesecurity] Re: Long DB refresh times
  - From: TR Shaw
- [sanesecurity] Re: Long DB refresh times
  - From: Gerard Seibert
- [sanesecurity] Re: Long DB refresh times
  - From: TR Shaw

Other related posts:

» [sanesecurity] Long DB refresh times- David Mayo
» [sanesecurity] Re: Long DB refresh times- Michael Orlitzky
» [sanesecurity] Re: Long DB refresh times- micah anderson
» [sanesecurity] Re: Long DB refresh times- Richard Doyle
» [sanesecurity] Re: Long DB refresh times- Robo Kupka
» [sanesecurity] Re: Long DB refresh times- Steve Basford
» [sanesecurity] Re: Long DB refresh times- micah anderson
» [sanesecurity] Re: Long DB refresh times- Henrik K
» [sanesecurity] Re: Long DB refresh times- TR Shaw
» [sanesecurity] Re: Long DB refresh times- Robo Kupka
» [sanesecurity] Re: Long DB refresh times- Gerard Seibert
» [sanesecurity] Re: Long DB refresh times- Richard Doyle
» [sanesecurity] Re: Long DB refresh times- TR Shaw
» [sanesecurity] Re: Long DB refresh times- Paul Enlund
» [sanesecurity] Re: Long DB refresh times- Severus
» [sanesecurity] Re: Long DB refresh times- Steve Basford
» [sanesecurity] Re: Long DB refresh times- Emanuele Balla (aka Skull)
» [sanesecurity] Re: Long DB refresh times- Severus
» [sanesecurity] Re: Long DB refresh times- David Mayo
» [sanesecurity] Re: Long DB refresh times- John Horne
» [sanesecurity] Re: Long DB refresh times- Steve Basford
» [sanesecurity] Re: Long DB refresh times- John Horne
» [sanesecurity] Re: Long DB refresh times- Paul Enlund
» [sanesecurity] Re: Long DB refresh times- Gerard Seibert
» [sanesecurity] Re: Long DB refresh times- Henrique de Moraes Holschuh
» [sanesecurity] Re: Long DB refresh times- Robo Kupka
» [sanesecurity] Re: Long DB refresh times- TR Shaw
» [sanesecurity] Re: Long DB refresh times - Emanuele Balla
» [sanesecurity] Re: Long DB refresh times- Steve Basford
» [sanesecurity] Re: Long DB refresh times- Robo Kupka
» [sanesecurity] Re: Long DB refresh times- Alan Stern
» [sanesecurity] Re: Long DB refresh times- Steve Basford
» [sanesecurity] Re: Long DB refresh times- Emanuele Balla
» [sanesecurity] Re: Long DB refresh times- Emanuele Balla
» [sanesecurity] Re: Long DB refresh times- Steve Basford
» [sanesecurity] Re: Long DB refresh times- Steve Basford
» [sanesecurity] Re: Long DB refresh times- Robo Kupka
» [sanesecurity] Re: Long DB refresh times- Cernohorsky Wolfgang
» [sanesecurity] Re: Long DB refresh times- Severus
» [sanesecurity] Re: Long DB refresh times- TR Shaw