Gentlemen.  We get the point.  We’re working on it.  I had a conversation with 
the malware lead last week to see what we can do here.


--
Joel Esler
Manager, Talos Group




On Feb 22, 2016, at 12:06 PM, Groach <groachmail-stopspammin...@yahoo.com> wrote:

I don't think there is any 'cause' to be had (that the unofficial signatures 
found threats and that the official ones didn't) other than ClamAV signatures 
are too few, too ineffective and more importantly too late.

I ran AV for 3 years as an inline mail scanner and it didn't catch a single 
threat in my emails.  Not one SINGLE one. In 3 years! (Although there were WAY 
too many false positives when scanning my hard drives (almost daily).)   In 
November, after some testing, I decided on implementing and using Sane 
signatures and the difference was immediate within the FIRST HOUR of turning 
them on.  Now we must have on average at least 5 of 6 emails DAILY with threats 
attached to them and they get caught immediately by the unofficial signatures. 
The daily threat of 'bad-macro' in Office documents (cryptolocking) was caught 
at retrieval and never got through to the users (thereby removing the risk of 
them stupidly opening it, enabling macros in Office, and wondering how pretty 
that red "you have been encrypted, send us your money" screen looks). These 
emails were always coming in almost daily before implementing Sane but ClamAV 
definitions just didn't have any clue (or urgency!) on dealing with them. In 3 
months only 2 email threats managed to come in just before my hourly definition 
update and therefore got through.

So I have no doubt that, even if ClamAV definitions took priority in the 
database, it wouldn't have mattered as they had the efficacy of wearing sandals 
for rain boots.

On 22/02/2016 17:30, Dennis Peterson wrote:
# grep FOUND /var/log/clamav/clamd.log* |grep -c UNOFFICIAL
80
# grep FOUND /var/log/clamav/clamd.log* |grep -v -c UNOFFICIAL
0
# grep FOUND /var/log/clamav/clamd.log* |grep -c -i sanesecurity
38
# grep FOUND /var/log/clamav/clamd.log* |grep -c -i winnow
42

My logs go back only to January, but this is a typical pattern for the last 7 
years or so. Notice that official sigs have not found anything. Important too 
to know that because of cpu cost scanning is the last thing done to test mail 
and that most rejections happen prior and scanning isn't performed. In terms of 
effectiveness, proactive prevention using hosts.deny, iptables, sendmail 
access, j-chkmail milter (includes regex, urlbl, heuristics, spam traps), IP 
reputation, and reactive denial with deny-hosts utility, fail2ban, manual 
scanning of log reports.

I've not looked at the code to see if ClamAV has a signature order (theirs 
first then "unofficial") but it is certainly possible that if Sane Security 
signatures were not installed that ClamAV signatures may get more hits.

dp

On 2/22/16 6:34 AM, Groach wrote:
FWIW, if I may offer opinion:  I would agree with Alex with the need to source 
out better unofficial databases (such as sanesecurity, securiteinfo etc):

_______________________________________________
Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
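Dennis Peterson's grep one-liners above count clamd.log FOUND lines by signature source. The following is an added example, not from anyone in this thread and not ClamAV's own tooling, that performs the same tally in Python over constructed sample log lines, classifying each signature as official, Sanesecurity, Winnow or other unofficial from its name; the log line layout and the sample signature names are assumptions.

```python
import re
from collections import Counter

# Constructed sample clamd.log excerpt (assumption: lines follow the
# "<timestamp> -> <path>: <signature> FOUND" layout used with LogTime on).
SAMPLE_CLAMD_LOG = """\
Mon Feb 22 08:01:12 2016 -> /var/spool/mail/in/1.msg: Sanesecurity.Malware.25123.Rtf.UNOFFICIAL FOUND
Mon Feb 22 08:14:55 2016 -> /var/spool/mail/in/2.msg: winnow.malware.hdr.docm.UNOFFICIAL FOUND
Mon Feb 22 08:20:03 2016 -> /var/spool/mail/in/3.msg: Sanesecurity.Badmacro.Doc.Macro.UNOFFICIAL FOUND
Mon Feb 22 09:02:41 2016 -> /var/spool/mail/in/4.msg: Doc.Dropper.Agent-1234567-0 FOUND
Mon Feb 22 09:10:00 2016 -> SelfCheck: Database status OK.
Mon Feb 22 09:30:17 2016 -> /var/spool/mail/in/5.msg: winnow.spam.ts.hdr.UNOFFICIAL FOUND
Mon Feb 22 09:45:08 2016 -> /var/spool/mail/in/6.msg: OK
"""

# Matches the "<path>: <signature> FOUND" tail of a detection line only.
FOUND_RE = re.compile(r": (?P<sig>\S+) FOUND$")


def signature_source(sig):
    """Classify a signature name by who published it.

    Third-party feeds append ".UNOFFICIAL" to their names; Sanesecurity and
    Winnow are distinguished by their prefixes (hypothetical sample names).
    """
    if not sig.endswith(".UNOFFICIAL"):
        return "official"
    lowered = sig.lower()
    if lowered.startswith("sanesecurity."):
        return "sanesecurity"
    if lowered.startswith("winnow."):
        return "winnow"
    return "other-unofficial"


def tally_found(log_text):
    """Count FOUND lines per signature source (the grep -c counts, in one pass)."""
    counts = Counter()
    for line in log_text.splitlines():
        match = FOUND_RE.search(line)
        if match:
            counts[signature_source(match.group("sig"))] += 1
    return dict(counts)


if __name__ == "__main__":
    for source, n in sorted(tally_found(SAMPLE_CLAMD_LOG).items()):
        print(f"{source:18s} {n}")
```

Point the script at the real file with `tally_found(open("/var/log/clamav/clamd.log").read())` to see the official-to-unofficial split on your own mail flow.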
