On Tue, May 24, 2016 12:23 pm, Groach wrote:
> Out of interest, what does it matter? Why is it important that an
> official CLAM definition stops the virus before the 3rd party definition
> stops the same virus (if they both have the same criteria)? Surely a goal
> is a goal and it doesn't matter who kicked the ball.

I have to agree :)

a) if you *really* want to know what sigs matched a sample you can use
clamscan -z, which gives you this sort of output...

caution_lizr_587777.zip: Sanesecurity.Foxhole.JS_Zip_1.UNOFFICIAL FOUND
caution_lizr_587777.zip: Sanesecurity.Foxhole.Zip_fs208.UNOFFICIAL FOUND

Ok, so scanning will continue until ALL matches are found in official and
3rd party sigs, which would take a bit longer to scan... but at least you'd know.

b) You can use clamscan --official-db-only=yes to only use official ones

As for "removing" a 3rd party signature when official ones block it,
well... overall... it wouldn't really be a good idea.

Cheers,

Steve
Web : sanesecurity.com
Twitter: @sanesecurity
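
An added example, not part of the original post: a small Python parser for `clamscan -z` output that groups matches per file into official and third-party (`.UNOFFICIAL`) signatures and lists the files caught only by third-party ones. The first two sample lines are the ones quoted in the message; the remaining sample lines, the placeholder signature names and the function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample of `clamscan -z` output. The first two lines are the ones
# quoted in the post; the rest (including signature names) are made up.
SAMPLE = """\
caution_lizr_587777.zip: Sanesecurity.Foxhole.JS_Zip_1.UNOFFICIAL FOUND
caution_lizr_587777.zip: Sanesecurity.Foxhole.Zip_fs208.UNOFFICIAL FOUND
invoice.doc: Example.Official.Placeholder-1 FOUND
invoice.doc: Example.ThirdParty.Placeholder.UNOFFICIAL FOUND
clean.txt: OK

----------- SCAN SUMMARY -----------
Infected files: 2
"""

SUFFIX = ".UNOFFICIAL"  # appended by ClamAV to names from unsigned databases
# "<path>: <signature> FOUND"; the greedy path keeps colons inside file names.
FOUND = re.compile(r"^(?P<path>.+): (?P<sig>\S+) FOUND$")

def parse_matches(output):
    """Return {path: {"official": [...], "unofficial": [...]}}."""
    hits = defaultdict(lambda: {"official": [], "unofficial": []})
    for line in output.splitlines():
        m = FOUND.match(line.strip())
        if not m:
            continue  # OK lines, blank lines and the summary block
        path, sig = m.group("path"), m.group("sig")
        if sig.endswith(SUFFIX):
            hits[path]["unofficial"].append(sig[: -len(SUFFIX)])
        else:
            hits[path]["official"].append(sig)
    return dict(hits)

def third_party_only(hits):
    """Files with no official match in this scan, i.e. the ones a
    --official-db-only=yes run would not have flagged."""
    return sorted(p for p, h in hits.items() if not h["official"])

if __name__ == "__main__":
    hits = parse_matches(SAMPLE)
    for path, h in hits.items():
        print(path, "| official:", h["official"], "| third-party:", h["unofficial"])
    print("third-party only:", third_party_only(hits))
```
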