[sanesecurity] Re: Long DB refresh times

  • From: Emanuele Balla <clam@xxxxxxxxxxxx>
  • To: sanesecurity@xxxxxxxxxxxxx
  • Date: Wed, 25 Apr 2012 16:07:26 +0200

On 4/25/12 3:36 PM, TR Shaw wrote:

> I can't comment about ClamAV or some of the others that contribute to
> sanesecurity but I do know that skull's signatures are generated very
> shortly after detection as are my attachment and cracked sigs.

May I add, FWIW: several of the malware sigs refer to drive-by malware
infection schemes, and the URLs they target are used for only a few
hours in email.

So, if you run clamav on the mailserver during or immediately after the
SMTP transaction (in other words: milter or post-queue content filter),
updating the signatures once a day will render them completely useless:
after the run, the only thing they're useful for is client-side and/or
post-delivery mailbox scanning.

If you're using that DB at SMTP time and plan to update it once a day, I
suggest removing the DB completely, because it's simply not going to add
anything to you.

Even updating every hour is far from being optimal, IMHO (on my systems
those signatures are refreshed every 5 minutes directly from my own

Other related posts: