Augh! Some hot-key combination just sent my email draft! Sorry! I was working 
on a list of the different distinct file formats we currently have, none of 
which are very easy to read.
I'm hoping to illustrate that if we can consolidate this down to something 
user-friendly it will be a big improvement.

Basing the file structure on the KDL language is just my initial proposal.  My 
teammate Scott is brainstorming some other ideas.  We have yet to make any hard 
decisions.

I agree with you about some sort of scoring.  Some signatures might never 
indicate maliciousness and be very weak indicators.  Some might be very strong 
indicators; e.g. hash-based sigs for ransomware.  I too would like to add some 
different levels.  I don't know if a number-based scoring system makes sense, 
or if just a handful of different categories is sufficient.  More research 
needed.

Regards,
Micah
Micah Snyder
ClamAV Development
Talos
Cisco Systems, Inc.
________________________________
From: Micah Snyder (micasnyd) <micas...@cisco.com>
Sent: Wednesday, March 16, 2022 12:10 PM
To: ClamAV users ML <clamav-users@lists.clamav.net>; Laurent S. 
<110ef9e3086d8405c2929e34be5b4...@protonmail.ch>
Subject: Re: [clamav-users] human friendly signatures

The goal for the new sig format would be to include all the existing signature 
features currently spread across the existing ClamAV-specific signature file 
formats.
Right now we have different file formats for:

  *   NDB
  *   LDB
  *   CDB
  *   FTM
  *   CRB
  *   CFG
  *   PDB, WDB, HDB, HSB, MDB, MSB, FP, SFP, IGN2, and PWDB

These are multiple file formats that are hard to read, hard to write, and hard to 
extend. We would like to consolidate them down into one format that is easier both for 
the signature authors and the developers.
We want to make a sigtool feature that can transcode from the old to the new, 
though we have no plans to remove support for the old signature formats. We 
might say they're deprecated to encourage folks to develop new content in the 
new format, but they would continue to work for the foreseeable future.

New signature features would only be added to the new signature format.

The goal is not to do away with Yara rule support.  We will continue to try to 
maintain the existing (limited) Yara rule support, and are still open to 
improving it.
Micah Snyder
ClamAV Development
Talos
Cisco Systems, Inc.

________________________________
From: clamav-users <clamav-users-boun...@lists.clamav.net> on behalf of Laurent 
S. via clamav-users <clamav-users@lists.clamav.net>
Sent: Tuesday, March 15, 2022 3:42 AM
To: ClamAV users ML <clamav-users@lists.clamav.net>
Cc: Laurent S. <110ef9e3086d8405c2929e34be5b4...@protonmail.ch>
Subject: Re: [clamav-users] human friendly signatures

On Tuesday, March 15th, 2022 at 00:36, Micah Snyder (micasnyd) 
<micas...@cisco.com> wrote:

> Starting with our own new language would let us do that but make it 
> easier for new analysts to train up on ClamAV.

I don't see the advantage at all of using a different, less used language. I 
don't know many people looking forward to learning a new language that is quite 
specific to one piece of software and used more or less nowhere else.

One big reason I like to use ClamAV is that it's possible to add other sources 
of signatures. Lots of people use the sanesecurity ones. I add a lot of my own. 
I suppose there's a large number of people who would love to add more (i.e. YARA) 
sources.

Is the goal for KDL to replace all of the existing ClamAV formats? I guess the 
transition would be a whole lot of effort from a LOT of people.

> What would be even more cool would be to be able to have an archive alert 
> because we found weak indicators in several of the contained files.

I love the idea of weak indicators. But then, I'd like to have a more 
fine-grained result in case of a hit: something less binary, more like a score, 
so that the level of false positives could be chosen. This would mean my 
paranoid customers could be as happy as the ones jumping to the roof at the 
first FP.

Best regards,
Laurent S.
_______________________________________________

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users
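The scoring idea raised in Laurent's message above and picked up in Micah's reply at the top of the thread (weak vs. strong indicators, a score rather than a binary hit, and an archive-level alert built from weak hits on several contained files), sketched here as an added example. This is not ClamAV code and not the proposed signature format; the strength levels, thresholds, per-signature cap, signature names and sample hits are all assumptions constructed for the example.

```python
"""Score-based verdict aggregation for signature hits.

Constructed illustration of the "weak vs. strong indicator" idea discussed in
the clamav-users thread. It is not ClamAV code and not the proposed format: the
strength levels, thresholds, signature names and sample hits are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
from enum import IntEnum


class Strength(IntEnum):
    """Weight a signature contributes when it fires (assumed values)."""
    WEAK = 1     # e.g. a generic packer heuristic; never a verdict on its own
    MEDIUM = 3   # e.g. an auto-executing document macro
    STRONG = 10  # e.g. a hash match on a known ransomware sample


@dataclass(frozen=True)
class Hit:
    signature: str   # signature name (constructed, not a real ClamAV signature)
    strength: Strength
    path: str        # the file the signature matched, e.g. a member of an archive


# Assumed thresholds; a "paranoid" deployment lowers them, a relaxed one raises them.
SUSPICIOUS_THRESHOLD = 5
ALERT_THRESHOLD = 10
# Assumption: a noisy generic signature firing on every member of a large archive
# must not be able to push the archive score up without bound.
MAX_FILES_PER_SIGNATURE = 3


def verdict(score, suspicious=SUSPICIOUS_THRESHOLD, alert=ALERT_THRESHOLD):
    """Map a numeric score onto a handful of categories."""
    if score >= alert:
        return "ALERT"
    if score >= suspicious:
        return "SUSPICIOUS"
    return "CLEAN"


def file_scores(hits):
    """Per-file score: each distinct signature counts once per file."""
    seen = defaultdict(set)
    scores = defaultdict(int)
    for h in hits:
        if h.signature not in seen[h.path]:
            seen[h.path].add(h.signature)
            scores[h.path] += int(h.strength)
    return dict(scores)


def archive_score(hits, cap=MAX_FILES_PER_SIGNATURE):
    """Score for the whole archive.

    Each signature contributes its strength once per distinct file it fired on,
    capped at `cap` files, so several weak indicators spread across members can
    add up to an alert even when no single member crosses the threshold.
    """
    files_hit = defaultdict(set)
    strength = {}
    for h in hits:
        files_hit[h.signature].add(h.path)
        strength[h.signature] = h.strength
    return sum(min(len(paths), cap) * int(strength[sig])
               for sig, paths in files_hit.items())


# Constructed sample hits for one archive: only weak/medium indicators,
# spread over three member files, so no single file is alarming by itself.
SAMPLE_HITS = [
    Hit("Heur.Packer.Generic", Strength.WEAK, "archive.zip/a.exe"),
    Hit("Heur.Str.AutorunHint", Strength.WEAK, "archive.zip/a.exe"),
    Hit("Heur.Packer.Generic", Strength.WEAK, "archive.zip/b.dll"),
    Hit("Heur.Macro.AutoOpen", Strength.MEDIUM, "archive.zip/c.doc"),
]
STRONG_HIT = Hit("Ransom.Example.Hash", Strength.STRONG, "archive.zip/d.exe")


def demo(hits=SAMPLE_HITS):
    """Per-file verdicts plus the archive verdict under two threshold profiles."""
    per_file = {p: verdict(s) for p, s in file_scores(hits).items()}
    total = archive_score(hits)
    return {
        "per_file": per_file,
        "archive_score": total,
        "default": verdict(total),
        "paranoid": verdict(total, suspicious=2, alert=5),
    }


if __name__ == "__main__":
    print(demo())                             # weak hits only: SUSPICIOUS / paranoid ALERT
    print(demo(SAMPLE_HITS + [STRONG_HIT]))   # one hash match is enough for ALERT
```

With the sample hits every member file stays CLEAN on its own, but the archive as a whole reaches SUSPICIOUS under the default thresholds and ALERT under the paranoid profile, which is the knob that lets one deployment tolerate more false positives than another. The per-signature cap is the caveat a scoring scheme needs in practice: without it, one generic heuristic matching every member of a thousand-file archive would alert by volume alone.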