[sanesecurity] Re: Long DB refresh times

  • From: Alan Stern <stern@xxxxxxxxxxxxxxxxxxx>
  • To: sanesecurity@xxxxxxxxxxxxx
  • Date: Wed, 25 Apr 2012 10:49:23 -0400 (EDT)

On Wed, 25 Apr 2012, Emanuele Balla wrote:

> May I add, FWIW: several of the malware sigs refer to drive-by malware
> infection schemes, and the URLs they target are used for only a few
> hours in email.

Which signature files are like that?

> So, if you run clamav on the mailserver during or immediately after the
> SMTP transaction (in other words: milter or post-queue content filter),
> updating the signatures once a day will render them completely useless:
> after the run, the only thing they're useful for is client-side and/or
> post-delivery mailbox scanning.
> 
> If you're using that DB at SMTP time and plan to update it once a day, I
> suggest removing the DB completely, because it's simply not going to add
> anything for you.
> 
> Even updating every hour is far from being optimal, IMHO (on my systems
> those signatures are refreshed every 5 minutes directly from my own
> repository)...

How do you update the repository?

Alan Stern
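The refresh loop Emanuele describes (signatures pulled every 5 minutes from a repository he controls, so that clamd scanning at SMTP time never runs with hours-old drive-by URLs), written out as an added example. This is not code from the thread, from either poster, or from Sanesecurity. Every path, host and file name in it is an assumption for the example: the rsync source, the staging directory, the ClamAV DatabaseDirectory and the list of `.ndb` files are placeholders to replace with your own. `refresh_signatures` needs rsync, clamscan and clamdscan on the host; the helper functions run without them.

```shell
#!/bin/sh
# Added example, not code from this thread or from Sanesecurity: pull
# third-party ClamAV signature files from your own mirror every few minutes,
# verify each one loads, install it atomically and reload clamd.
#
# Every path and file name below is an assumption for the example:
#   SIG_SOURCE  - rsync source you control (the "own repository" in the thread)
#   SIG_MIRROR  - local staging directory that rsync fills
#   CLAMAV_DB   - DatabaseDirectory of the clamd that scans at SMTP time
#   SIG_FILES   - the database files you actually deploy
#   MAX_AGE_MIN - how old an installed file may get before it counts as stale

SIG_SOURCE="${SIG_SOURCE:-rsync://sigs.example.internal/sanesecurity/}"
SIG_MIRROR="${SIG_MIRROR:-/srv/sigs/mirror}"
CLAMAV_DB="${CLAMAV_DB:-/var/lib/clamav}"
SIG_FILES="${SIG_FILES:-junk.ndb phish.ndb scam.ndb}"
MAX_AGE_MIN="${MAX_AGE_MIN:-15}"

# 0 if FILE is missing or older than MAX minutes.  find -mmin is portable
# across GNU, BSD and busybox find; stat's output format is not.
signature_stale() {
    [ -f "$1" ] || return 0
    [ -n "$(find "$1" -mmin +"$2" 2>/dev/null)" ]
}

# 0 if NEW differs byte-for-byte from CUR, or CUR does not exist yet.
signature_changed() {
    [ -f "$2" ] || return 0
    ! cmp -s "$1" "$2"
}

# 0 if ClamAV can load FILE on its own.  A truncated or half-written copy
# fails here instead of making clamd reject its whole database directory.
signature_loads() {
    probe=$(mktemp) || return 1
    clamscan --quiet --database="$1" "$probe" >/dev/null 2>&1
    rc=$?
    rm -f "$probe"
    [ "$rc" -eq 0 ]
}

# Copy SRC into place as DST via a temp file in the same directory, so clamd
# never observes a partially written database (rename is atomic).
install_signature() {
    tmp="$2.tmp.$$"
    cp "$1" "$tmp" && mv "$tmp" "$2"
}

# Print deployed files in DIR older than MAX minutes; return 1 if any exist,
# so "check" can drive an alert when the refresh job silently stops working.
stale_databases() {
    ok=0
    for name in $SIG_FILES; do
        if signature_stale "$1/$name" "$2"; then
            echo "$name"
            ok=1
        fi
    done
    return $ok
}

refresh_signatures() {
    rsync -a --timeout=60 "$SIG_SOURCE" "$SIG_MIRROR"/ || {
        echo "rsync from $SIG_SOURCE failed; keeping current databases" >&2
        return 1
    }
    reload=0
    for name in $SIG_FILES; do
        new="$SIG_MIRROR/$name"
        cur="$CLAMAV_DB/$name"
        [ -f "$new" ] || { echo "$name not in mirror, skipping" >&2; continue; }
        signature_changed "$new" "$cur" || continue
        if signature_loads "$new"; then
            install_signature "$new" "$cur" && reload=1
        else
            echo "refusing to install $name: clamscan cannot load it" >&2
        fi
    done
    # One reload for the whole batch: clamdscan --reload asks the running
    # clamd to re-read DatabaseDirectory without a restart.
    [ "$reload" -eq 1 ] && clamdscan --reload
    return 0
}

# Cron it on the cadence from the thread:
#   */5 * * * *  /usr/local/sbin/sigrefresh.sh refresh
# and page someone when the installed copies go stale:
#   */15 * * * * /usr/local/sbin/sigrefresh.sh check || mail -s 'stale sigs' root
case "${1:-}" in
    refresh) refresh_signatures ;;
    check)   stale_databases "$CLAMAV_DB" "$MAX_AGE_MIN" ;;
esac
```

Loading each file with `clamscan --database=FILE` before the rename is the step worth keeping even if you discard the rest: a damaged third-party file in DatabaseDirectory makes clamd fail its reload, and a milter that then falls back to "accept" or "defer" has lost exactly the protection the frequent refresh was meant to give.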

